Feat: Inject user identity as pod label in K8s plugin #4637
Codecov Report
All modified and coverable lines are covered by tests ✅

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##           master    #4637      +/-   ##
==========================================
- Coverage   58.10%   58.08%   -0.03%
==========================================
  Files         626      626
  Lines       53834    53836       +2
==========================================
- Hits        31280    31270      -10
- Misses      20048    20058      +10
- Partials     2506     2508       +2
```

Flags with carried forward coverage won't be shown.
For documentation purposes: One can set the following e.g. in the default flyte pod template in order to use the execution identity as a pod template:

```yaml
apiVersion: v1
kind: PodTemplate
template:
  spec:
    containers:
      - env:
          - name: EXECUTION_IDENTITY
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.labels['execution_identity']
```
@fg91 this looks great. I agree, the metadata is the correct place to inject this. My first question here is whether this should be behind a configuration flag? Is there a scenario where we would not want the execution identity available? I'm assuming that if a user has Flyte configured to inject user IDs from middleware, it would be beneficial to include this information in k8s resources, thoughts? cc. @ByronHsu
I can't come up with such a scenario tbh. I first proposed a configuration flag as the most conservative change because I wasn't sure how others feel about this. I'm happy to remove the flag though @hamersaw! a9652e8 115c23d
Injecting user ids from middleware in flyteadmin is not behind a config flag (see here) so users don't have to opt in.
8c9cf96 to 77f2d7a
Very useful, can we clean up the unit tests?
Signed-off-by: Fabio Graetz <[email protected]>
…pod labels" This reverts commit c42a4a0. Signed-off-by: Fabio Graetz <[email protected]>
Signed-off-by: Fabio M. Graetz, Ph.D. <[email protected]> Signed-off-by: Fabio Graetz <[email protected]>
2a6a3a6 to 4437c4c
Done ✅
…label (#4637)

* Add option in K8s plugin config to inject user identity into pod labels
  Signed-off-by: Fabio Graetz <[email protected]>
* Inject user identity into TaskExecutionMetadata labels
  Signed-off-by: Fabio Graetz <[email protected]>
* Add unit tests
  Signed-off-by: Fabio Graetz <[email protected]>
* Remove duplicate labels injection
  Signed-off-by: Fabio Graetz <[email protected]>
* Lint
  Signed-off-by: Fabio Graetz <[email protected]>
* Revert "Add option in K8s plugin config to inject user identity into pod labels"
  This reverts commit c42a4a0.
  Signed-off-by: Fabio Graetz <[email protected]>
* Always inject user identity as pod label if known
  Signed-off-by: Fabio Graetz <[email protected]>
* Use hyphen instead of underscore in pod label
  Signed-off-by: Fabio Graetz <[email protected]>
* Update flytepropeller/pkg/controller/nodes/task/k8s/task_exec_context.go
  Signed-off-by: Fabio M. Graetz, Ph.D. <[email protected]>
  Signed-off-by: Fabio Graetz <[email protected]>
* Fix tests
  Signed-off-by: Fabio Graetz <[email protected]>
* Remove duplicate unit test logic
  Signed-off-by: Fabio Graetz <[email protected]>

---------

Signed-off-by: Fabio Graetz <[email protected]>
Signed-off-by: Fabio M. Graetz, Ph.D. <[email protected]>
Co-authored-by: Dan Rammer <[email protected]>
Why are the changes needed?

@ByronHsu recently implemented middleware to inject the user identity into the flyte workflow's `ExecutionSpec`: flyteorg/flyteadmin#549

Building on this, we would like to inject the user identity (not credentials, just the information who started the execution) into the task pod as an additional label in order to enable the following user stories:

What changes were proposed in this pull request?

I propose to add a new flag to the k8s plugin config, specifying whether the execution identity is injected as a label. The default is `false` to make this opt in.

I propose to inject the additional execution identity label in `newTaskExecutionMetadata` where we also inject labels and annotations for secrets.

Because of the following reasons I believe that this is a good place but I'm looking for feedback on this:

The `TaskExecutionMetadata` type returned by this function has the following doc string

I find this fitting the proposed use case.

Injecting the label here means that it is automatically injected not only for normal python tasks but also for plugins like kubeflow distributed training tasks.

How was this patch tested?
Check all the applicable boxes
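
Kubernetes label values accept only alphanumerics, `-`, `_` and `.`, at most 63 characters, with an alphanumeric at both ends, which an identity such as an e-mail address does not satisfy. The Go code below is an added example, not code from this pull request or from Flyte: `sanitizeLabelValue`, `withIdentityLabel` and the `identityLabelKey` constant are hypothetical names, and the sample identities are constructed. It also drops any caller-supplied value under the identity key, a design choice of this example, so the label only ever reflects the identity passed in.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed label key for this example. The pod template comment on this page
// reads execution_identity; the commit list records a later switch to a hyphen.
const identityLabelKey = "execution-identity"

// Kubernetes limit on the length of a label value.
const maxLabelValueLen = 63

var invalidLabelChars = regexp.MustCompile(`[^A-Za-z0-9._-]+`)

// sanitizeLabelValue maps an arbitrary identity string to a valid label value:
// only [A-Za-z0-9._-], at most 63 characters, alphanumeric at both ends.
func sanitizeLabelValue(identity string) string {
	v := invalidLabelChars.ReplaceAllString(identity, "-")
	if len(v) > maxLabelValueLen {
		v = v[:maxLabelValueLen] // v is pure ASCII here, so byte slicing is safe
	}
	return strings.Trim(v, "-_.")
}

// withIdentityLabel returns a copy of labels carrying the identity label.
// A pre-existing value under the identity key is always discarded, so a label
// supplied with the task cannot stand in for the real identity. An unknown
// (empty) identity results in no identity label at all.
func withIdentityLabel(labels map[string]string, identity string) map[string]string {
	out := make(map[string]string, len(labels)+1)
	for k, v := range labels {
		if k != identityLabelKey {
			out[k] = v
		}
	}
	if v := sanitizeLabelValue(identity); v != "" {
		out[identityLabelKey] = v
	}
	return out
}

func main() {
	// Constructed sample identities, not taken from the pull request.
	base := map[string]string{"project": "demo", identityLabelKey: "someone-else"}
	for _, id := range []string{"jane.doe@example.com", "system:serviceaccount:ns:runner", ""} {
		fmt.Printf("%q -> %v\n", id, withIdentityLabel(base, id))
	}
}
```

Sanitizing is lossy, so two distinct identities can map to the same label value; treat the label as a convenience for selection and attribution, not as an authenticated claim.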