Skip to content

# Fix: Add driver pod labels/annotations configuration support #12306

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

# Fix: Add driver pod labels/annotations configuration support #12306

wants to merge 3 commits into from

Conversation

@thc1006
Copy link

@thc1006 thc1006 commented Oct 1, 2025

Description

This PR addresses issue #12015 by adding the ability to configure driver pod labels and annotations at the KFP API server level. This enables driver pods to work properly with Istio service mesh in STRICT mTLS mode and other infrastructure requirements.

Problem

When Istio STRICT mTLS is enabled across the mesh, KFP driver pods cannot connect to in-mesh services (MinIO, MLMD) because they lack the necessary sidecar injection labels. This causes "connection reset by peer" errors and prevents pipeline execution.

Solution

Implement admin-level configuration for driver pod metadata through:

  • Environment variables (DRIVER_POD_LABELS, DRIVER_POD_ANNOTATIONS)
  • ConfigMap-based configuration
  • Pre-configured Istio overlay for production deployments

Changes

Backend

  • ✅ Added driver_config.go with configuration reader supporting JSON and k=v formats
  • ✅ Added comprehensive unit tests (37 test cases) in driver_config_test.go
  • ✅ Modified Argo compiler to apply labels/annotations to driver pod templates
  • ✅ Implemented graceful degradation and reserved label protection

Deployment

  • ✅ Updated ml-pipeline-apiserver-deployment.yaml with optional ConfigMap references
  • ✅ Added ConfigMap generator in base kustomization
  • ✅ Created Istio STRICT mTLS overlay with optimized configuration
  • ✅ Added PeerAuthentication and AuthorizationPolicy for service mesh security

Testing

  • ✅ Unit tests for configuration parsing and validation
  • ✅ E2E test suite for Istio STRICT mTLS scenarios
  • ✅ Test coverage for edge cases and error handling

Documentation

  • ✅ Comprehensive configuration guide with examples
  • ✅ Istio integration documentation
  • ✅ Troubleshooting guide and migration instructions

Usage

Basic Configuration

# Set driver pod labels for Istio sidecar injection
export DRIVER_POD_LABELS='{"sidecar.istio.io/inject":"true"}'
export DRIVER_POD_ANNOTATIONS='{"proxy.istio.io/config":"{\"holdApplicationUntilProxyStarts\":true}"}'

Production Deployment (Istio)

# Deploy with Istio overlay
kubectl apply -k manifests/kustomize/overlays/istio-strict-mtls

Testing

Run Unit Tests

cd backend/src/apiserver/config
go test -v ./...

Run E2E Tests

python test/e2e/test_istio_strict_mtls.py

Checklist

  • The title for your pull request (PR) should follow our title convention. Learn more about our title convention.
  • If submitting a bugfix or a user-facing feature, please include a release note. Learn more about release notes.
  • DCO signed (using git commit -s)
  • Tests added/updated
  • Documentation added/updated
  • Backward compatibility maintained

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Related Issues

Impact

  • Positive: Enables KFP to work with Istio STRICT mTLS and other service mesh configurations
  • Positive: Provides admin-level control without requiring SDK changes
  • Neutral: No impact on existing deployments (fully backward compatible)
  • Minimal: <1ms overhead during compilation when configured

Release Notes

Added driver pod labels and annotations configuration support. Administrators can now configure custom labels and annotations for driver pods through environment variables or ConfigMap, enabling integration with Istio service mesh (STRICT mTLS) and other infrastructure requirements. This is a non-breaking change that maintains full backward compatibility.

Signed-off-by: thc1006 [email protected]

thc1006 added 2 commits October 1, 2025 12:11
@thc1006
feat(backend): Add driver pod labels/annotations configuration support
c82070f 
Fixes kubeflow#12015

Add the ability to specify driver pod labels and annotations as a KFP API server
configuration to support Istio STRICT mTLS and other infrastructure requirements.

Changes:
- Add driver configuration reader in apiserver/config
- Modify Argo compiler to apply labels/annotations to driver pods
- Update deployment manifests with ConfigMap support
- Add Istio STRICT mTLS overlay configuration
- Add E2E tests for Istio integration
- Add comprehensive documentation

This allows administrators to configure driver pods with custom labels and
annotations at deployment time, enabling proper sidecar injection for service
mesh environments without requiring SDK changes.

Signed-off-by: thc1006 <[email protected]>
@thc1006
fix: Remove unused json import from dag.go
9ca4f74 
Signed-off-by: thc1006 <[email protected]>
@google-oss-prow
Copy link

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign james-jwu for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow
Copy link

Hi @thc1006. Thanks for your PR.

I'm waiting for a kubeflow member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@github-actions
Copy link

github-actions bot commented Oct 1, 2025

🚫 This command cannot be processed. Only organization members or owners can use the commands.

@thc1006
Copy link
Author

thc1006 commented Oct 4, 2025

Dear @HumairAK @mprahl @droctothorpe @gmfrasca requested for review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@droctothorpe droctothorpe Awaiting requested review from droctothorpe

@gmfrasca gmfrasca Awaiting requested review from gmfrasca

@HumairAK HumairAK Awaiting requested review from HumairAK

@mprahl mprahl Awaiting requested review from mprahl

Assignees

No one assigned

Labels

needs-ok-to-test size/XXL

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[backend] Add the ability to specify driver labels/annotations as a KFP api server configuration

1 participant

@thc1006