Reputation: 11
how to install kubeflow on existing on prem kubernetes cluster
I am installing kubeflow on kubernetes cluster via "Kubeflow Deployment with kfctl_k8s_istio" and it is giving below error.
WARN[0303] Encountered error applying application kubeflow-apps: (kubeflow.error): Code 500 with message: Apply.Run : error when creating "/tmp/kout497340857": CustomResourceDefinition.apiextensions.k8s.io "seldondeployments.machinelearning.seldon.io" is invalid: [spec.validation.openAPIV3Schema.properties[spec].properties[predictors].items.properties[componentSpecs].items.properties[spec].properties[containers].items.properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property, spec.validation.openAPIV3Schema.properties[spec].properties[predictors].items.properties[componentSpecs].items.properties[spec].properties[initContainers].items.properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property, spec.validation.openAPIV3Schema.properties[spec].properties[predictors].items.properties[explainer].properties[containerSpec].properties[ports].items.properties[protocol].default: Required value: this property is in x-kubernetes-list-map-keys, so it must have a default or be a required property] filename="kustomize/kustomize.go:266"
Some Istio PODs are not starting and giving below error on kubernetes dashboard.
"MountVolume.SetUp failed for volume "istio-token" : failed to fetch token: the API server does not have TokenRequest endpoints enabled"
Please support.
Upvotes: 1
Views: 2370
Answers (1)
Reputation: 8830
Issue
Why do we see this error?
"MountVolume.SetUp failed for volume "istio-token" : failed to fetch token: the API server does not have TokenRequest endpoints enabled"
As mentioned here
To authenticate with the Istio control plane, the Istio proxy will use a Service Account token. Kubernetes supports two forms of these tokens:
- Third party tokens, which have a scoped audience and expiration.
- First party tokens, which have no expiration and are mounted into all pods.
Because the properties of the first party token are less secure, Istio will default to using third party tokens. However, this feature is not enabled on all Kubernetes platforms.
While most cloud providers support this feature now, many local development tools and custom installations may not.
Solution
If you use minikube
You can specify that with values.global.jwtPolicy
istioctl manifest generate --set profile=demo --set values.global.jwtPolicy=first-party-jwt
There is related github issue about that.
If you use microk8s
You can try to change these 2 lines to /var/snap/microk8s/current/args/kube-apiserver as mentioned here by @tomalbrecht.
--service-account-signing-key-file=${SNAP_DATA}/certs/serviceaccount.key
--service-account-issuer=kubernetes.default.svc
There is related github issue about that.
If you use kubeadm
You can try with this.
Upvotes: 1
Related Questions
- Execute pipeline/run of Kubeflow from command line
- Kubeflow setup on baremetal setup?
- Kubeflow pipeline fail to create container
- Installing Kubernetes in Docker container
- Instantiate and Shutdown Kubeflow pods
- dsl.ContainerOp with python
- Kubeflow-kale :- How to integrate kubeflow-kale extension to run pipelines on a seperate standalone cluster of Kubeflow pipelines
- Install Kubeflow on specific node of Kubernetes cluster
- MLflow Kubernetes Pod Deployment
- Installing Kubeflow without cluster admin privileges