Make user-gcp-sa secret optional on GCP #2589
Comments
/cc @rmgogogo

The SDK extension method is probably still useful, but I agree that the samples should be cleaned.

Using default SA is not considered a good practice https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform#why_use_service_accounts

Efforts are paused because we agreed that KFP will eventually move all deployments to workload identity. When that happens, we have no need for taking credentials. On-prem will still need this, but it's not our priority. We can revisit the issue later.

Updated description to better reflect current status. Bumped to p0 because it blocks both multi user efforts and marketplace efforts.

Migrate standalone deployment to workload identity on GCP #2619 removes all

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

We are generally recommending workload identity now because it reached GA. Closing the issue.

* adding prometheus serverless and model name labels
  Signed-off-by: alexagriffith <agriffith50@bloomberg.net>
* adding sanitize func
  Signed-off-by: alexagriffith <agriffith50@bloomberg.net>
* cleaning up tests
  Signed-off-by: alexagriffith <agriffith50@bloomberg.net>
* remove error log
  Signed-off-by: alexagriffith <agriffith50@bloomberg.net>
* go mod tidy
  Signed-off-by: alexagriffith <agriffith50@bloomberg.net>
  Signed-off-by: alexagriffith <agriffith50@bloomberg.net>

UPDATE:
When GKE provides application default credentials with enough permission through one of the following three ways:
There's no need to set `user-gcp-sa` in https://github.com/kubeflow/pipelines/blob/master/manifests/gcp_marketplace/guide.md#gcp-service-account-credentials. This allows zero config on-boarding experience.

This issue tracks various efforts towards making user-gcp-sa optional.
Pipeline samples:
If user-gcp-sa is not present, drop GOOGLE_APPLICATION_CREDENTIALS env in pipelines api server before running it. Drop GCP credentials env if user-gcp-sa secret is not present #2643
This PR is abandoned to avoid making short-term workarounds that we need to remove in the future too.
With the above done, we no longer need to change all pipeline samples with GCP auth usage
Hidden links to samples
* [ ] https://github.com/kubeflow/pipelines/blob/d5e27e291fbe09cfa63a9de0f5b4fdea65af7c6f/sdk/python/kfp/gcp.py#L18
* [ ] https://github.com/kubeflow/pipelines/tree/master/samples/core/xgboost_training_cm
* [ ] https://github.com/kubeflow/pipelines/tree/master/samples/contrib/parameterized_tfx_oss
* [ ] [tfx sample](https://github.com/tensorflow/tfx/blob/6b6a2f9b69c93ce8a889c48d9e02354ed52c3f89/tfx/orchestration/kubeflow/kubeflow_dag_runner.py#L109)
Servers
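
The credential-dropping step described in the issue text above (clearing GOOGLE_APPLICATION_CREDENTIALS when the user-gcp-sa secret is not present), as an added example that is not code from this issue or from kubeflow/pipelines. The function name `select_adc_source`, the `ADC_SOURCE` variable and the wrapper layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical entrypoint wrapper, not kubeflow/pipelines code.
# Application Default Credentials consult GOOGLE_APPLICATION_CREDENTIALS
# before ambient credentials and fail if it names a file that does not exist,
# so the variable has to be dropped when the key file secret is not mounted.

# select_adc_source (hypothetical name): sets ADC_SOURCE to "keyfile" or
# "ambient", and unsets the variable when the key file cannot be used.
select_adc_source() {
    key="${GOOGLE_APPLICATION_CREDENTIALS:-}"
    if [ -z "$key" ]; then
        # Nothing configured: client libraries use ambient credentials.
        ADC_SOURCE=ambient
    elif [ -f "$key" ] && [ -r "$key" ] && [ -s "$key" ]; then
        # Regular, readable, non-empty file: keep the explicit key file.
        ADC_SOURCE=keyfile
    else
        # Variable set but file missing, unreadable or empty: drop it so the
        # server does not fail at startup on a dangling path.
        echo "credentials file '$key' not usable; using ambient credentials" >&2
        unset GOOGLE_APPLICATION_CREDENTIALS
        ADC_SOURCE=ambient
    fi
}

# Wrapper mode: ./entrypoint.sh <server command and arguments>
if [ "$#" -gt 0 ]; then
    select_adc_source
    # Log which source is in effect so the choice is auditable.
    echo "ADC source: $ADC_SOURCE" >&2
    exec "$@"
fi
```

Logging the selected source matters for review: a pod that silently falls back to ambient credentials runs with whatever permissions the node or workload identity binding grants, which may differ from the key file's service account.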