PrimeHub
v4.1
Admission


Since PrimeHub 1.7 (alpha), we use admission webhooks to handle mutation and validation of Kubernetes objects:

  • hub group quota (1.7): a mutation/validation webhook to verify the usage of a hub user in a group

  • airgap image replacer (1.8): a mutation webhook to replace the container image URLs defined in a pod

Currently, we use the hub group quota admission for resource validation. The airgap image replacer is not turned on by default (no namespaces are labeled for it).

An admission webhook is made up of:

  1. admission configuration

  2. service (it is called by kube-apiserver)

  3. a secret to keep certificates for https

  4. a deployment where an admission lives

Admission Configuration

There are two kinds of configurations for dynamic webhooks in the Admission Controller.

  • MutatingWebhookConfiguration

  • ValidatingWebhookConfiguration

Both use the same structure to define a configuration, but they are invoked at different points in the API lifecycle before a Kubernetes object is persisted into etcd.

You can find an introduction in A Guide to Kubernetes Admission Controllers.

Users should pay attention to the namespaceSelector in a configuration. We made each admission webhook work only with labeled namespaces.

hub group quota

  • kind: MutatingWebhookConfiguration

  • namespaceSelector: primehub.io/resources-validation-webhook: "enabled"

To make sure pods have a valid quota, users should be made aware when the hub group quota admission is not working normally.

Therefore, when a pod is created from JupyterHub, it has an initContainer with a deliberately wrong image name, admission-is-not-found. The hub group quota admission is responsible for removing this initContainer. Otherwise, users will see error messages caused by the nonexistent image and fail to spawn a Jupyter server. (Note that JupyterHub will be restarted after 5 consecutive spawn failures.)

Pods that are not created from JupyterHub will just pass in that case, because the failurePolicy is set to Ignore.
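The sentinel-removal step described above can be expressed as a Kubernetes AdmissionReview (admission.k8s.io/v1) mutation. The following is an added example, not PrimeHub's own code: the function names, the exact-match rule on the image name and the sample pod are assumptions, and the quota check itself is omitted.

```python
import base64
import json

SENTINEL_IMAGE = "admission-is-not-found"  # image name given on this page


def mutate(review: dict) -> dict:
    """Build the AdmissionReview response for one pod admission request."""
    request = review["request"]
    pod = request.get("object") or {}
    init_containers = pod.get("spec", {}).get("initContainers") or []

    # Indices of sentinel initContainers; remove from the highest index down
    # so an earlier removal does not shift the position of a later one.
    hits = [i for i, c in enumerate(init_containers)
            if c.get("image") == SENTINEL_IMAGE]  # exact match is an assumption
    patch = [{"op": "remove", "path": f"/spec/initContainers/{i}"}
             for i in reversed(hits)]

    response = {"uid": request["uid"], "allowed": True}
    if patch:
        # The API server expects the JSONPatch document base64-encoded.
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def decode_patch(result: dict) -> list:
    """Decode the JSONPatch carried in a response (empty list if none)."""
    encoded = result["response"].get("patch")
    return json.loads(base64.b64decode(encoded)) if encoded else []


# Constructed sample request: names, images and uid are made up for this example.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "namespace": "hub",
        "object": {"spec": {
            "initContainers": [
                {"name": "admission-is-not-found", "image": SENTINEL_IMAGE},
                {"name": "chown-home", "image": "busybox"},
            ],
            "containers": [{"name": "notebook", "image": "jupyter/base-notebook"}],
        }},
    },
}

if __name__ == "__main__":
    print(decode_patch(mutate(SAMPLE_REVIEW)))
```

If the webhook never runs for such a pod (namespace not labeled, or the service is down with failurePolicy Ignore), no patch is applied and the sentinel image pull fails, which is the visible signal the design relies on.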

airgap image replacer

  • kind: MutatingWebhookConfiguration

  • namespaceSelector: primehub.io/image-mutation-webhook: "enabled"

cluster configuration

To sign a certificate for HTTPS, the Kubernetes cluster must have the ca-signer (certificate controller) enabled. The administrator can check it by running:

$ ./modules/support/operation_script/ca-signer-vendor-test.sh

Here is an example of the output:

namespace/vendor-test created
try to issue a CA
creating certs in tmpdir /var/folders/g_/01sz14td6qsdt7l2x_y4brmw0000gn/T/tmp.v2ylRksc
Generating RSA private key, 2048 bit long modulus
..............................................................+++
............................................+++
e is 65537 (0x10001)
certificatesigningrequest.certificates.k8s.io/vendor-test-svc.vendor-test created
NAME                          AGE   REQUESTOR           CONDITION
vendor-test-svc.vendor-test   0s    qrtt1@infuseai.io   Pending
certificatesigningrequest.certificates.k8s.io/vendor-test-svc.vendor-test approved
secret/vendor-test-secret created

ca-signer is working.

clean up
certificatesigningrequest.certificates.k8s.io "vendor-test-svc.vendor-test" deleted
namespace "vendor-test" deleted
A Guide to Kubernetes Admission Controllers