Kubeflow

  • Kubeflow Charmers | bundle
  • Cloud
Channel Revision Published
latest/candidate 294 24 Jan 2022
latest/beta 430 30 Aug 2024
latest/edge 423 26 Jul 2024
1.9/stable 432 03 Dec 2024
1.9/beta 420 19 Jul 2024
1.9/edge 431 03 Dec 2024
1.8/stable 414 22 Nov 2023
1.8/beta 411 22 Nov 2023
1.8/edge 413 22 Nov 2023
1.7/stable 409 27 Oct 2023
1.7/beta 408 27 Oct 2023
1.7/edge 407 27 Oct 2023
juju deploy kubeflow --channel 1.9/stable

This guide describes how to enable Istio CNI plugin on Charmed Kubeflow (CKF).

By default, Istio injects an init container in all Pods inside the service mesh, which configures each Pod's network traffic redirection to and from the Istio sidecar proxy. This operation requires elevated permissions: Kubernetes (K8s) RBAC permissions to deploy containers with the NET_ADMIN and NET_RAW capabilities, which can conflict with some organisations’ security policies.

The Istio CNI plugin replaces that init container. It provides the same functionality without requiring elevated permissions, which resolves the security concerns.

Requirements

  • A running Istio control plane deployed by istio-operators > 1.17/*.

The Istio CNI plugin is only available in > 1.17/*. See Upgrading istio-pilot for upgrading instructions.

Enable the plugin

You can enable the Istio CNI plugin by setting the following configuration values for the istio-pilot charm:

  • cni-bin-dir: the path where the CNI binaries, which implement the CNI specification, are located in the host system where the Kubernetes control plane is deployed
  • cni-conf-dir: the path where the CNI’s conflist files (in JSON format) are located in the host system where the Kubernetes control plane is deployed

Set both of these to enable the plugin:

  • juju config istio-pilot cni-bin-dir=<path to cni bin dir in host>
  • juju config istio-pilot cni-conf-dir=<path to cni conf dir in host>

Before configuring these options, make sure the paths are correct and exist. Otherwise the Istio control plane installation could fail.

These values vary between K8s installations and depend on the CNI’s configuration. The defaults for some installations are /opt/cni/bin and /etc/cni/net.d respectively.

For example, in MicroK8s, these values are /var/snap/microk8s/current/opt/cni/bin and /var/snap/microk8s/current/args/cni-network. Refer to MicroK8s CNI configuration for more details.
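One way to check the two paths on a node before running the juju config commands, as an added example that is not part of the original guide or the charm. The function name check_cni_paths and its messages are illustrative, and it assumes CNI configuration files end in .conf or .conflist.

```shell
#!/bin/sh
# Added example: pre-flight check for the two istio-pilot CNI options.
# Run it on a Kubernetes node; names and messages here are illustrative.

# check_cni_paths BIN_DIR CONF_DIR
# Returns 0 only if BIN_DIR holds at least one executable file and
# CONF_DIR holds at least one *.conf or *.conflist file (assumed suffixes).
check_cni_paths() {
    bin_dir=$1
    conf_dir=$2
    rc=0

    if [ ! -d "$bin_dir" ]; then
        echo "cni-bin-dir: $bin_dir is not a directory" >&2
        rc=1
    else
        found=0
        for f in "$bin_dir"/*; do
            if [ -f "$f" ] && [ -x "$f" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "cni-bin-dir: no executable plugin in $bin_dir" >&2
            rc=1
        fi
    fi

    if [ ! -d "$conf_dir" ]; then
        echo "cni-conf-dir: $conf_dir is not a directory" >&2
        rc=1
    else
        found=0
        for f in "$conf_dir"/*.conf "$conf_dir"/*.conflist; do
            if [ -f "$f" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "cni-conf-dir: no .conf or .conflist file in $conf_dir" >&2
            rc=1
        fi
    fi
    return "$rc"
}

# Defaults quoted above for some installations; override with two arguments.
if check_cni_paths "${1:-/opt/cni/bin}" "${2:-/etc/cni/net.d}"; then
    echo "paths look valid; safe to run the two juju config commands"
fi
```

On MicroK8s, pass the two snap paths given above as the first and second arguments.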

Enabling the Istio CNI plugin only affects Pods that are created in a namespace with automatic sidecar injection after the plugin has been installed in the control plane.

See Network Plugins and CNI for further information.