Skip to content

Commit

Permalink
Add docs for networking visibility
Browse files Browse the repository at this point in the history 
This adds documentations on how to configure as public or private
InferenceServices and InferenceGraphs. References from the OCI guide
(modelcars) are fixed.

Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
  • Loading branch information
@israel-hdez
israel-hdez committed Feb 11, 2025
1 parent 428f1ac commit d5f23fb
Show file tree
Hide file tree
Showing 2 changed files with 69 additions and 2 deletions.
67 changes: 67 additions & 0 deletions docs/odh/networking-visibility.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
# Configuring services as public or private

The InferenceServices and InferenceGraphs can be configured as public or
private. The private services are only reachable from within the cluster. The
public services are accessible by clients external to the cluster.

## Configuring InferenceServices as public or private

In ODH project, the default network visibility of InferenceServices depends on
its deployment mode:
* InferenceServices deployed in **Serverless** mode are public by default
* InferenceServices deployed in **Raw** mode are private by default. Notice this
is different from the upstream KServe project which configures Raw
InferenceServices as public by default.

Public InferenceServices in _Serverless_ mode are exposed via OpenShift Routes
that are created in the namespace of the Service Mesh Control Plane, which is
usually the `istio-system` namespace.

An InferenceService deployed in **Serverless** mode can be configured as private
by adding the `networking.knative.dev/visibility=cluster-local` label to the
InferenceService. The following is a YAML snippet showing how to configure the
label:

```yaml
apiVersion: serving.kserve.io/v1beta1
kind: InferenceService
metadata:
labels:
networking.knative.dev/visibility: cluster-local
```
You can also run `oc label isvc ${your_isvc_name}
networking.knative.dev/visibility=cluster-local` to add the label to an existing
InferenceService in _Serverless_ mode to reconfigure it as private.

InferenceServices deployed in **Raw** mode use a different label. By adding the
`networking.kserve.io/visibility=exposed` label, the InferenceService will be
configured as public. The following is a YAML snippet showing how to configure
the label:

```yaml
apiVersion: serving.kserve.io/v1beta1
kind: InferenceService
metadata:
labels:
networking.kserve.io/visibility: exposed
```

You can also run `oc label isvc ${your_isvc_name}
networking.kserve.io/visibility=exposed` to add the label to an existing
InferenceService in _Raw_ mode to reconfigure it as private.

Public InferenceServices in _Raw_ mode are exposed via OpenShift Routes
that are created in the same namespace as the InferenceService.

## Configuring InferenceGraphs as public or private

In ODH project, the default network visibility of InferenceGraphs is _public_
regardless of the deployment mode.

Similarly to InferenceServices, the InferenceGraphs that are deployed in
**Serverless** mode can be configured as private by adding the
`networking.knative.dev/visibility=cluster-local` label to the resource.

InferenceGraphs that are deployed in **Raw** mode, currently, do not offer a way
for switching to private. This is work in progress.
4 changes: 2 additions & 2 deletions docs/odh/oci-model-storage.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -181,7 +181,7 @@ sample-isvc-using-oci https://sample-isvc-using-oci-oci-model-example.example
> [!IMPORTANT]
> Remember that, by default, models are exposed outside the cluster and not
> protected with authorization. Read the [authorization guide](authorization.md#deploying-a-protected-inferenceservice)
> and the [private services guide (TODO)](#TODO) to learn how to privately deploy
> and the [networking visibility](networking-visibility.md) to learn how to privately deploy
> models and how to protect them with authorization.

Test the model is working:
Expand Down Expand Up @@ -360,7 +360,7 @@ sample-isvc-using-oci https://sample-isvc-using-oci-oci-model-example.example
> [!IMPORTANT]
> Remember that, by default, models are exposed outside the cluster and not
> protected with authorization. Read the [authorization guide](authorization.md#deploying-a-protected-inferenceservice)
> and the [private services guide (TODO)](#TODO) to learn how to privately deploy
> and the [networking visibility](networking-visibility.md) to learn how to privately deploy
> models and how to protect them with authorization.

## Deploying a model stored in an OCI image from a private repository
Expand Down

0 comments on commit d5f23fb

Please sign in to comment.