Kubeflow Pipelines on AWS

Kubeflow Pipelines on Amazon EKS

Authenticate Kubeflow Pipeline using SDK inside cluster

In v1.1.0, in-cluster communication from notebook to Kubeflow Pipeline is not supported in this phase. In order to use kfp as previous, user needs to pass a cookie to KFP for communication as a workaround.

You can follow following steps to get cookie from your browser after you login Kubeflow. Following examples uses Chrome browser.

Note: You have to use images in AWS Jupyter Notebook because it includes a critical SDK fix here.

KFP SDK Browser Cookie

KFP SDK Browser Cookie Detail

Once you get cookie, you can easily authenticate kfp by passing the cookies. Please look at code snippets based on the manifest you use.

To get <aws_alb_host>, please run kubectl get ingress -n istio-system and get value from ADDRESS field.

import kfp
authservice_session='authservice_session=<cookie>'
client = kfp.Client(host='http://<aws_alb_host>/pipeline', cookies=authservice_session)
client.list_experiments(namespace="<your_namespace>")
import kfp
alb_session_cookie0='AWSELBAuthSessionCookie-0=<cookie0>'
alb_session_cookie1='AWSELBAuthSessionCookie-1=<cookie1>'
client = kfp.Client(host='https://<aws_alb_host>/pipeline', cookies=f"{alb_session_cookie0};{alb_session_cookie1}")
client.list_experiments(namespace="<your_namespace>")

Authenticate Kubeflow Pipeline using SDK outside cluster

To do programmatic authentication with Dex, refer to the following comments under the #140 issue in the kfctl repository: #140 (comment) and #140 (comment).

You can still retrieve session cookie and pass to backend like we do [here] (#authenticate-kubeflow-pipeline-using-sdk-inside-cluster)

If you are looking for end to end experience, this is working in progress. Once feat(sdk): Enable AWS ALB authentication in KFP SDK Client PR is merged, user can pass Cognito user username and password to authenticate KFP via AWS Application Load Balancer.

S3 Access from Kubeflow Pipelines

Currently, it’s still recommended to use aws credentials or kube2iam to managed S3 access from Kubeflow Pipelines. IAM Role for Service Accounts requires applications to use latest AWS SDK to support assume-web-identity-role, we are still working on it. Track progress in issue #3405

A Kubernetes Secret is required by Kubeflow Pipelines and applications to access S3. Make sure it has S3 read and write access.

apiVersion: v1
kind: Secret
metadata:
  name: aws-secret
  namespace: kubeflow
type: Opaque
data:
  AWS_ACCESS_KEY_ID: <YOUR_BASE64_ACCESS_KEY>
  AWS_SECRET_ACCESS_KEY: <YOUR_BASE64_SECRET_ACCESS>
  • YOUR_BASE64_ACCESS_KEY: Base64 string of AWS_ACCESS_KEY_ID
  • YOUR_BASE64_SECRET_ACCESS: Base64 string of AWS_SECRET_ACCESS_KEY

Note: To get base64 string, run echo -n $AWS_ACCESS_KEY_ID | base64

Configure containers to use AWS credentials

If you write any files to S3 in your application, use use_aws_secret to attach an AWS secret to access S3.

import kfp
from kfp import components
from kfp import dsl
from kfp.aws import use_aws_secret

def iris_comp():
    return kfp.dsl.ContainerOp(
        .....
        output_artifact_paths={'mlpipeline-ui-metadata': '/mlpipeline-ui-metadata.json'}
    )

@dsl.pipeline(
    name='IRIS Classification pipeline',
    description='IRIS Classification using LR in SKLEARN'
)
def iris_pipeline():
    iris_task = iris_comp().apply(use_aws_secret('aws-secret', 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY'))

Support S3 Artifact Store

Kubeflow Pipelines supports different artifact viewers. You can create files in S3 and reference them in output artifacts in your application as follows:

metadata = {
        'outputs' : [
          {
              'source': 's3://bucket/kubeflow/README.md',
              'type': 'markdown',
          },
          {
              'type': 'confusion_matrix',
              'format': 'csv',
              'schema': [
                  {'name': 'target', 'type': 'CATEGORY'},
                  {'name': 'predicted', 'type': 'CATEGORY'},
                  {'name': 'count', 'type': 'NUMBER'},
              ],
              'source': s3://bucket/confusion_matrics.csv,
              # Convert vocab to string because for bealean values we want "True|False" to match csv data.
              'labels': list(map(str, vocab)),
          },
          {
              'type': 'tensorboard',
              'source': s3://bucket/tb-events,
          }
        ]
    }

with file_io.FileIO('/tmp/mlpipeline-ui-metadata.json', 'w') as f:
    json.dump(metadata, f)

In order for ml-pipeline-ui to read these artifacts:

  1. Create a Kubernetes secret aws-secret in kubeflow namespace. Follow instructions here.

  2. Update deployment ml-pipeline-ui to use AWS credential environment variables by running kubectl edit deployment ml-pipeline-ui -n kubeflow.

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: ml-pipeline-ui
      namespace: kubeflow
      ...
    spec:
      template:
        spec:
          containers:
          - env:
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  key: AWS_ACCESS_KEY_ID
                  name: aws-secret
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  key: AWS_SECRET_ACCESS_KEY
                  name: aws-secret
            ....
            image: gcr.io/ml-pipeline/frontend:0.2.0
            name: ml-pipeline-ui
    

Here’s an example. Kubeflow Pipelines viewer tensorboard

Support TensorBoard in Kubeflow Pipelines

TensorBoard needs some extra settings on AWS like below:

  1. Create a Kubernetes secret aws-secret in the kubeflow namespace. Follow instructions here.

  2. Create a ConfigMap to store the configuration of TensorBoard on your cluster. Replace <your_region> with your S3 region.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: ml-pipeline-ui-viewer-template
    data:
      viewer-tensorboard-template.json: |
        {
            "spec": {
                "containers": [
                    {
                        "env": [
                            {
                                "name": "AWS_ACCESS_KEY_ID",
                                "valueFrom": {
                                    "secretKeyRef": {
                                        "name": "aws-secret",
                                        "key": "AWS_ACCESS_KEY_ID"
                                    }
                                }
                            },
                            {
                                "name": "AWS_SECRET_ACCESS_KEY",
                                "valueFrom": {
                                    "secretKeyRef": {
                                        "name": "aws-secret",
                                        "key": "AWS_SECRET_ACCESS_KEY"
                                    }
                                }
                            },
                            {
                                "name": "AWS_REGION",
                                "value": "<your_region>"
                            }
                        ]
                    }
                ]
            }
        }
    
  3. Update the ml-pipeline-ui deployment to use the ConfigMap by running kubectl edit deployment ml-pipeline-ui -n kubeflow.

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: ml-pipeline-ui
      namespace: kubeflow
      ...
    spec:
      template:
        spec:
          containers:
          - env:
            - name: VIEWER_TENSORBOARD_POD_TEMPLATE_SPEC_PATH
              value: /etc/config/viewer-tensorboard-template.json
            ....
            volumeMounts:
            - mountPath: /etc/config
              name: config-volume
          .....
          volumes:
          - configMap:
              defaultMode: 420
              name: ml-pipeline-ui-viewer-template
            name: config-volume