How to access model microservice deployed behind Istio and Dex?

Question

I built a deploy pipeline to serve ML models using Kubeflow (v0.6) and Seldon Core, but now that models are deployed I can't figure out how to pass the auth. layer and consume the services.

My kubernetes instance is on bare-metal and setup is identical to this: https://www.kubeflow.org/docs/started/getting-started-k8s/

I was able to follow these instructions launch example-app and issue an IDToken for a staticClient, but when I pass the token as 'Authorization: Bearer' I get redirected to dex logon page.

(part of) Dex configMap:

staticClients:
- id: kubeflow-authservice-oidc
  redirectURIs:
  # After authenticating and giving consent, dex will redirect to
  # this url for the specific client.
  - https://10.50.11.180/login/oidc
  name: 'Kubeflow AuthService OIDC'
  secret: [secret]
- id: model-consumer-1
  secret: [secret]
  redirectURIs:
  - 'http://127.0.0.1:5555/callback'

When I try to access the service:

curl -H "Authorization: Bearer $token" -k https://10.50.11.180/seldon/kubeflow/machine-failure-classifier-6e462a70-a995-11e9-b30b-080027dfd9f4/api/v0.1/predictions

<a href="https://10.50.11.180:5556/dex/auth?client_id=kubeflow-authservice-oidc&amp;redirect_uri=https%3A%2F%2F10.50.11.180%2Flogin%2Foidc&amp;response_type=code&amp;scope=openid+profile+email+groups&amp;state=X40FJuKC">Found</a>.

What am I missing? :(

score 0 · Answer 1 · answered Jul 22 '19 at 10:59

I found out that serving seldon models with Istio worked better if they were in a namespace other than 'kubeflow'.

I Followed these instructions: https://docs.seldon.io/projects/seldon-core/en/latest/examples/istio_canary.html, (created new gateway and namespaces) and was able to bypass Dex.

score 0 · Answer 2 · answered Jul 30 '19 at 18:30

Have you tried VirtualService?

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: <name-of-your-choice>
spec:
  gateways:
  - <your-gateway>
  hosts:
  - <your-host>
  http:
  - match:
    - uri:
        prefix: "<your-api-path-uri>"
    rewrite:
      uri: "<your-rewrite-logic>"
    route:
    - destination:
        host: <name-of-your-service>.<namespace>.svc.<cluster-domain>
        port: <port-of-the-service>

Virtual service will help you route traffic as specified.

GigliOneiric · Answer 3 · 2022-10-17T18:11:58.673

0

I'm three years to late. Try to get your cookie from the dashboard in the developer mode

document.cookie

Replace XXX with your cookie.

curl -H -k https://10.50.11.180/seldon/kubeflow/machine-failure-classifier-6e462a70-a995-11e9-b30b-080027dfd9f4/api/v0.1/predictions --data-urlencode 'json={"data":{"ndarray":[["try to stop flask from using multiple threads"]]}}' -H "Cookie: authservice_session=XXX" -v

edited Oct 17 '22 at 18:11

answered Oct 17 '22 at 17:28

GigliOneiric

59
6

How to access model microservice deployed behind Istio and Dex?

3 Answers3