
I tried the kserve example and faced the problem of RBAC: Access Denied.

  1. add user

    $ kubectl -n auth edit cm dex
    

    add example information in staticPasswords

        - email: my_email@gmail.com
          hash: my_ps_hash
          userID: "myuserid"
          username: myusername
    
    $ kubectl rollout restart deployment dex -n auth
    
  2. add a profile to create the namespace

    $ vi profile.yaml
    
    apiVersion: kubeflow.org/v1beta1
    kind: Profile
    metadata:
      name: test-namespace
    spec:
      owner:
        kind: User
        name: my_email@gmail.com
      resourceQuotaSpec: {}
    
    $ kubectl apply -f profile.yaml
    
  3. Serving example model

    kubeflow Central Dashboard - Models - +NEW MODEL SERVER

    apiVersion: "serving.kserve.io/v1beta1"
    kind: "InferenceService"
    metadata:
      annotations:
        isdecar.istio.is/inject: "false"
      name: "sklearn-iris"
    spec:
      predictor:
        sklearn:
          image: "kserve/sklearnserver:v0.9.0"
          storageUri: "gs://kfserving-examples/models/sklearn/1.0/model"
    
    $ kubectl get InferenceService -n test-namespace
    
    NAME                 URL                                                      READY   PREV   LATEST   PREVROLLEDOUTREVISION   LATESTREADYREVISION                          AGE
    sklearn-iris   http://sklearn-iris-test2.test-namespace.example.com   True           100                              sklearn-iris-predictor-default-00001   81m
    

    READY: True

  4. Add New Notebook

    kubeflow Central Dashboard - Notebooks - +New Notebook

    and run the code

    import requests
    from kserve import KServeClient, utils

    sklear_iris_input = dict(instances=[
        [6.8, 2.8, 4.8, 1.4],
        [6.0, 3.4, 4.5, 1.6],
    ])

    namespace = utils.get_default_target_namespace()  # Get the namespace. This worked.
    service_name = "sklearn-iris"

    kserve = KServeClient()
    isvc_resp = kserve.get(service_name, namespace=namespace)  # This worked.
    # http://sklearn-iris.test-namespace.svc.cluster.local/v1/models/sklearn-iris-test2:predict
    isvc_url = isvc_resp['status']['address']['url']

    # json= serializes the dict to a JSON request body
    response = requests.post(isvc_url, json=sklear_iris_input)

    print(response.text)
    
    RBAC: access denied
    
  • env:

    kserve: 0.9.0

    kubeflow: 1.6.0

    kubernetes: v1.22.13, running on the master node (taint already disabled)

Why is this message (RBAC: access denied) occurring?

Your help is of great help to me. Help me!

TaeUk Noh
  • "RBAC denied" is an istio auth error, check if authorization policy at the target is allowing source? source here would be istio gateway as per my understanding – Deepak Deore Mar 23 '23 at 10:21
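
The comment above points at Istio authorization policy. As an added example (not part of the original post and not Istio's own code), this simplified Python model of ALLOW-policy evaluation shows which callers get the 403 body `RBAC: access denied`. The policy, the gateway principal and the requests are constructed sample values, and only exact matches on `principals`, `namespaces` and `when` are modelled (real Istio also evaluates CUSTOM and DENY policies first and supports `to` and wildcard matching).

```python
# Simplified model of Istio ALLOW-policy evaluation (exact matches only).
# GATEWAY, POLICY, HDR and REQUESTS are constructed sample values.
GATEWAY = "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
POLICY = {"name": "sample-owner-access", "rules": [
    # Rule 1: traffic from the gateway that carries the owner's user header.
    {"from": [{"source": {"principals": [GATEWAY]}}],
     "when": [{"key": "request.headers[kubeflow-userid]",
               "values": ["my_email@gmail.com"]}]},
    # Rule 2: traffic whose mTLS identity is in the same namespace.
    {"when": [{"key": "source.namespace", "values": ["test-namespace"]}]},
]}
FIELDS = {"principals": "principal", "namespaces": "namespace"}

def attribute(key, req):
    """Resolve a `when` key against the request; None if absent or unsupported."""
    if key.startswith("request.headers[") and key.endswith("]"):
        return req.get("headers", {}).get(key[16:-1].lower())
    return req.get("namespace") if key == "source.namespace" else None

def source_matches(src, req):
    """Every field set on one `source` must match (AND)."""
    return all(req.get(FIELDS[k]) in allowed for k, allowed in src.items())

def rule_matches(rule, req):
    """`from` entries are OR'ed; all `when` conditions must hold."""
    sources = rule.get("from", [])
    if sources and not any(source_matches(f["source"], req) for f in sources):
        return False
    return all(attribute(c["key"], req) in c["values"] for c in rule.get("when", []))

def evaluate(allow_policies, req):
    """Without ALLOW policies the request passes; otherwise one rule must match."""
    if not allow_policies:
        return 200, "allowed: no ALLOW policy selects the workload"
    for pol in allow_policies:
        if any(rule_matches(r, req) for r in pol.get("rules", [])):
            return 200, "allowed by " + pol["name"]
    return 403, "RBAC: access denied"

HDR = {"kubeflow-userid": "my_email@gmail.com"}
REQUESTS = {
    "gateway, user header": {"principal": GATEWAY, "headers": HDR},
    "gateway, no header": {"principal": GATEWAY},
    "same-namespace mTLS client": {"namespace": "test-namespace"},
    "no mTLS identity": {},
}
for label, req in REQUESTS.items():
    print(label, "->", evaluate([POLICY], req))
```

To compare against a real cluster, list the policies that select the workload with `kubectl get authorizationpolicy -n test-namespace -o yaml` and check which rule, if any, the caller's identity and headers satisfy.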
