Istio
Learn about installing Istio ingress controller in a Kubernetes cluster running Seldon Enterprise Platform.
Istio implements the Kubernetes ingress resource to expose a service and make it accessible from outside the cluster. You can install Istio in either a self-hosted Kubernetes cluster or a managed Kubernetes service provided by a cloud provider that is running the Seldon Enterprise Platform.
Prerequisites
Install Seldon Enterprise Platform.
Ensure that you install a version of Istio that is compatible with your Kubernetes cluster version. For detailed information on supported versions, refer to the Istio Compatibility Matrix.
Installing Istio ingress controller
Installing Istio ingress controller in a Kubernetes cluster running Seldon Enterprise Platform involves these tasks:
Install Istio
Download the Istio installation package for the version you want to use. In the following command replace <version> with the version of Istio that you downloaded:
curl -L https://istio.io/downloadIstio | sh -
cd istio-<version>
export PATH=$PWD/bin:$PATH
Install the Istio Custom Resource Definitions (CRDs) and Istio components in your cluster using the istioctl command line tool:
istioctl install --set profile=default -y
Create a namespace where you want to enable Istio automatic sidecar injection. For example, in the namespace istio-system:
kubectl label namespace istio-system istio-injection=enabled
Install Istio Ingress Gateway
Verify that Istio Ingress Gateway is installed:
kubectl get svc istio-ingressgateway -n istio-system
This should return details of the Istio Ingress Gateway, including the external IP address.
Create a YAML file to specify the Gateway resource in the istio-system namespace to expose your application. For example, create the istio-seldon-gateway.yaml file. Use your preferred text editor to create and save the file with the following content:
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: seldon-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway # Use Istio's default ingress gateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
Change to the directory that contains the istio-seldon-gateway.yaml file and apply the configuration:
kubectl apply -f istio-seldon-gateway.yaml
When the configuration is applied, you should see this:
gateway.networking.istio.io/seldon-gateway created
Find the IP address of the Seldon Enterprise Platform instance running with Istio:
ISTIO_INGRESS=$(kubectl get svc -n istio-system istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
ISTIO_INGRESS+=$(kubectl get svc -n istio-system istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
echo "Seldon Enterprise Platform: http://$ISTIO_INGRESS/seldon-deploy/"
Expose Seldon mesh service
It is important to expose the seldon-service service to enable communication between deployed machine learning models and external clients or services. The Seldon Core 2 inference API is exposed through the seldon-mesh service in the seldon namespace. If you install Core 2 in multiple namespaces, you need to expose the seldon-mesh service in each namespace.
Verify that the seldon-mesh service is running, for example, in the namespace seldon:
kubectl get svc -n seldon
When the services are running you should see something similar to this:
mlserver-0               ClusterIP      None             <none>          9000/TCP,9500/TCP,9005/TCP   43m
seldon-mesh              LoadBalancer   34.118.225.130   34.90.213.15    80:32228/TCP,9003:31265/TCP   45m
seldon-pipelinegateway   ClusterIP      None             <none>          9010/TCP,9011/TCP   45m
seldon-scheduler         LoadBalancer   34.118.225.138   35.204.34.162   9002:32099/TCP,9004:32100/TCP,9044:30342/TCP,9005:30473/TCP,9055:32732/TCP,9008:32716/TCP   45m
triton-0                 ClusterIP      None             <none>          9000/TCP,9500/TCP,9005/TCP
Create a YAML file to create a VirtualService for the Seldon Core 2 seldon-mesh service. For example, create the seldon-mesh-vs.yaml file. Use your preferred text editor to create and save the file with the following content:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: seldon-mesh
  namespace: seldon
spec:
  gateways:
  - istio-system/seldon-gateway
  hosts:
  - "*"
  http:
  - name: "data-plane-seldon"
    match:
    - authority:
        exact: "seldon.inference.seldon"
    route:
    - destination:
        host: "seldon-mesh.seldon.svc.cluster.local"
        port:
          number: 80
  - name: "control-plane-seldon"
    match:
    - authority:
        exact: "seldon.admin.seldon"
    route:
    - destination:
        host: "seldon-scheduler.seldon.svc.cluster.local"
        port:
          number: 9004
Create a virtual service to expose the seldon-mesh service:
kubectl apply -f seldon-mesh-vs.yaml
When the virtual service is created, you should see this:
virtualservice.networking.istio.io/seldon-mesh created
Install Seldon Enterprise Platform with Istio ingress controller
Update the configurations in the install-values.yaml file you created during the Seldon Enterprise installation. Replace <ip_address> with the IP address noted during the Istio Ingress Gateway installation in the following values and save the file:
ingressGateway:
  seldonIngressService: "istio-ingressgateway"
  ingressNamespace: "istio-system"
virtualService:
  create: true
  gateways:
  - istio-system/seldon-gateway
seldon:
  curlForm: |
    curl -k https://<ip_address>/seldon/{{ .Namespace }}/{{ .ModelName }}/api/v0.1/predictions \<br/>
    -H "{{ .TokenHeader }}: {{ .Token }}" \<br/>
    -H "Content-Type: application/json" \<br/>
    -d '{{ .Payload }}'
  tensorFlowCurlForm: |
    curl -k https://<ip_address>/seldon/{{ .Namespace }}/{{ .ModelName }}/v1/models/:predict \<br/>
    -H "{{ .TokenHeader }}: {{ .Token }}" \<br/>
    -H "Content-Type: application/json" \<br/>
    -d '{{ .Payload }}'
seldonCoreV2:
  curlForm: |
    curl -k https://<ip_address>/v2/models/{{ .ModelName }}/infer \<br/>
    -H "Host: {{ .Namespace }}.inference.seldon" \<br/>
    -H "Content-Type: application/json" \<br/>
    -H "Seldon-Model: {{ .ModelName }}.pipeline" \<br/>
    -d '{{ .Payload }}'
  enabled: true
  requestForm: '{{ .SeldonProtocol }}://seldon-mesh.{{ .Namespace }}.svc.cluster.local/v2/pipelines/{{ .ModelName }}/infer'
Change to the directory that contains the install-values.yaml file and then upgrade the Seldon Enterprise Platform installation in the namespace seldon-system:
helm upgrade seldon-enterprise seldon-charts/seldon-deploy --namespace seldon-system -f install-values.yaml --version 2.4.0 --install
Check the rollout status of the seldon-enterprise-seldon-deploy deployment:
kubectl rollout status deployment/seldon-enterprise-seldon-deploy -n seldon-system
When the installation is complete you should see this:
deployment "seldon-enterprise-seldon-deploy" successfully rolled out
Access Seldon Enterprise Platform.
Get the Pod that is running Seldon Enterprise Platform in the cluster and save it as $POD_NAME.
export POD_NAME=$(kubectl get pods --namespace seldon-system -l "app.kubernetes.io/name=seldon-deploy,app.kubernetes.io/instance=seldon-enterprise" -o jsonpath="{.items[0].metadata.name}")
You can use port-forwarding to access your application locally.
kubectl port-forward $POD_NAME 8000:8000 --namespace seldon-system
Open your browser and navigate to http://127.0.0.1:8000/seldon-deploy/ to access Seldon Enterprise Platform.
Optional: Enable HTTPS/TLS
To secure your Ingress with HTTPS, you can configure TLS settings in the Gateway resource using a certificate and key. This involves additional steps like creating Kubernetes secrets for your certificates.
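A TLS-terminating version of the seldon-gateway resource from this page, as an added example that is not part of the original Seldon documentation. The secret name seldon-gateway-tls and the certificate and key paths are assumptions; substitute your own.

```yaml
# Added example. Assumes a TLS secret named seldon-gateway-tls (hypothetical name)
# already exists in the istio-system namespace, created from your own certificate
# and key, for example:
#   kubectl create -n istio-system secret tls seldon-gateway-tls \
#     --key=<path_to_key> --cert=<path_to_cert>
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: seldon-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway # Use Istio's default ingress gateway
  servers:
  # Port 80 stays open only to redirect clients to HTTPS.
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
    tls:
      httpsRedirect: true
  # TLS is terminated at the ingress gateway using the secret above.
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*" # kept as on this page so the authority-based VirtualService routes still match
    tls:
      mode: SIMPLE
      # The secret must live in the same namespace as the ingress gateway workload.
      credentialName: seldon-gateway-tls
      minProtocolVersion: TLSV1_2
```

Once the gateway serves a certificate that clients trust for the address they connect to, the -k flag in the curlForm values above is no longer needed.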