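How do you reference an S3 (MinIO) Secret in a KServe InferenceService and inject it into the whole pipeline?
Injecting the Secret directly
A dedicated Secret is needed to manage the S3 (MinIO) connection.
The annotations here must not be omitted; otherwise the S3 connection information is not injected into the pod. This matters most for the storage-initializer stage, which needs the S3 connection information to fetch the model files from the model repository.
Pay particular attention to the model repository connection information: the uri must end with /, for example s3://models/ovms/yolo11n/, and must never be s3://models/ovms/yolo11n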
apiVersion: v1
data:
  # Values are base64-encoded, not encrypted
  AWS_ACCESS_KEY_ID: bWluaW8=
  AWS_SECRET_ACCESS_KEY: bWluaW8xMjM=
kind: Secret
metadata:
  annotations:
    serving.kserve.io/s3-endpoint: minio-service.kubeflow.svc.cluster.local:9000
    serving.kserve.io/s3-region: east
    serving.kserve.io/s3-useanoncredential: 'false'
    # '0' means the endpoint is reached over plain HTTP, not HTTPS
    serving.kserve.io/s3-usehttps: '0'
  name: minio-secret
  namespace: yiqisoft
type: Opaque
The annotation must be set when creating the KServe InferenceService
The key piece is this annotation: "serving.kserve.io/storageSecretName": "minio-secret"
Full code
from kubernetes import client
import kserve

# DET_MODEL_NAME, model, version and art are defined elsewhere
# (not shown on this page).
isvc = kserve.V1beta1InferenceService(
    api_version=kserve.constants.KSERVE_GROUP + "/v1beta1",
    kind=kserve.constants.KSERVE_KIND,
    metadata=client.V1ObjectMeta(
        name=f"{DET_MODEL_NAME}",
        namespace=kserve.utils.get_default_target_namespace(),
        labels={
            "modelregistry/registered-model-id": model.id,
            "modelregistry/model-version-id": version.id,
        },
        # Names the Secret that holds the S3 credentials and annotations
        annotations={
            "serving.kserve.io/storageSecretName": "minio-secret"
        },
    ),
    spec=kserve.V1beta1InferenceServiceSpec(
        predictor=kserve.V1beta1PredictorSpec(
            model=kserve.V1beta1ModelSpec(
                # Must end with "/", e.g. s3://models/ovms/yolo11n/
                storage_uri=art.uri,
                model_format=kserve.V1beta1ModelFormat(
                    name=art.model_format_name, version=art.model_format_version,
                ),
                runtime="kserve-ovms"
            ),
        )
    ),
)

ks_client = kserve.KServeClient()
ks_client.create(isvc)
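In the end, these env entries appear in the pod
I have not fully figured out where these env entries come from. In any case, everything in the Secret was injected successfully.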
env:
  - name: AWS_ACCESS_KEY_ID
    valueFrom:
      secretKeyRef:
        key: AWS_ACCESS_KEY_ID
        name: minio-secret
  - name: AWS_SECRET_ACCESS_KEY
    valueFrom:
      secretKeyRef:
        key: AWS_SECRET_ACCESS_KEY
        name: minio-secret
  - name: S3_USE_HTTPS
    value: '0'
  - name: S3_ENDPOINT
    value: minio-service.kubeflow.svc.cluster.local:9000
  - name: AWS_ENDPOINT_URL
    value: http://minio-service.kubeflow.svc.cluster.local:9000
  - name: awsAnonymousCredential
    value: 'false'
  - name: AWS_DEFAULT_REGION
    value: east
Injecting through a ServiceAccount
Create the S3 (MinIO) connection Secret
The Secret needs the S3 connection information as annotations so that the KServe controller can parse it
apiVersion: v1
data:
  # Values are base64-encoded, not encrypted
  AWS_ACCESS_KEY_ID: bWluaW8=
  AWS_SECRET_ACCESS_KEY: bWluaW8xMjM=
kind: Secret
metadata:
  annotations:
    serving.kserve.io/s3-endpoint: minio-service.kubeflow.svc.cluster.local:9000
    serving.kserve.io/s3-region: east
    serving.kserve.io/s3-useanoncredential: 'false'
    # '0' means the endpoint is reached over plain HTTP, not HTTPS
    serving.kserve.io/s3-usehttps: '0'
  name: s3creds
  namespace: yiqisoft
type: Opaque
Create a ServiceAccount that references the Secret above
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa
  namespace: yiqisoft
secrets:
  - name: s3creds
Reference the ServiceAccount when creating the InferenceService
Pay special attention to this line, which must not be left out: service_account_name="sa"
from kubernetes import client
import kserve

# DET_MODEL_NAME, model, version and art are defined elsewhere
# (not shown on this page).
isvc = kserve.V1beta1InferenceService(
    api_version=kserve.constants.KSERVE_GROUP + "/v1beta1",
    kind=kserve.constants.KSERVE_KIND,
    metadata=client.V1ObjectMeta(
        name=f"{DET_MODEL_NAME}",
        namespace=kserve.utils.get_default_target_namespace(),
        labels={
            "modelregistry/registered-model-id": model.id,
            "modelregistry/model-version-id": version.id,
        }
    ),
    spec=kserve.V1beta1InferenceServiceSpec(
        predictor=kserve.V1beta1PredictorSpec(
            model=kserve.V1beta1ModelSpec(
                # Must end with "/", e.g. s3://models/ovms/yolo11n/
                storage_uri=art.uri,
                model_format=kserve.V1beta1ModelFormat(
                    name=art.model_format_name, version=art.model_format_version,
                ),
                runtime="kserve-ovms"
            ),
            # ServiceAccount whose secrets list includes s3creds
            service_account_name="sa"
        )
    ),
)

ks_client = kserve.KServeClient()
ks_client.create(isvc)
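Open question
Kubeflow already generates an mlpipeline-minio-artifact Secret by default. How can its contents be reused? Because the key names are different, the injection cannot be completed.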
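A pre-flight check for the pitfalls described above (missing annotations, wrong key names, a storage URI without the trailing /), together with one possible way to remap a Secret that uses other key names. This is an added example, not code from the original post or from KServe. The helper names preflight and remap, and the source key names accesskey and secretkey, are assumptions.

```python
import base64

# Key names and annotations as used in the Secret manifests on this page.
REQUIRED_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
REQUIRED_ANNOTATIONS = tuple("serving.kserve.io/s3-" + s for s in
                             ("endpoint", "region", "useanoncredential", "usehttps"))

def preflight(secret: dict, storage_uri: str) -> list:
    """List what would break credential injection or the model download."""
    problems = []
    data = secret.get("data") or {}
    annotations = secret.get("metadata", {}).get("annotations") or {}
    for key in REQUIRED_KEYS:
        if key not in data:
            problems.append(f"missing data key {key}")
            continue
        try:
            base64.b64decode(data[key], validate=True)
        except ValueError:
            problems.append(f"data key {key} is not valid base64")
    problems += [f"missing annotation {a}" for a in REQUIRED_ANNOTATIONS if a not in annotations]
    if storage_uri.startswith("s3://") and not storage_uri.endswith("/"):
        problems.append("storage URI must end with '/'")
    return problems

def remap(source: dict, key_map: dict, name: str, namespace: str, annotations: dict) -> dict:
    """Build a Secret with the AWS_* key names from one that uses other names."""
    missing = [src for src in key_map if src not in source.get("data", {})]
    if missing:
        raise KeyError(f"source Secret lacks keys: {missing}")
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace, "annotations": dict(annotations)},
        "data": {dst: source["data"][src] for src, dst in key_map.items()},
    }

# Constructed sample: a Secret shaped like mlpipeline-minio-artifact.
# The key names accesskey/secretkey are an assumption, not taken from the page.
SOURCE = {"metadata": {"name": "mlpipeline-minio-artifact"},
          "data": {"accesskey": "bWluaW8=", "secretkey": "bWluaW8xMjM="}}
KEY_MAP = {"accesskey": "AWS_ACCESS_KEY_ID", "secretkey": "AWS_SECRET_ACCESS_KEY"}
ANNOTATIONS = {
    "serving.kserve.io/s3-endpoint": "minio-service.kubeflow.svc.cluster.local:9000",
    "serving.kserve.io/s3-region": "east",
    "serving.kserve.io/s3-useanoncredential": "false",
    "serving.kserve.io/s3-usehttps": "0",
}
FIXED = remap(SOURCE, KEY_MAP, "minio-secret", "yiqisoft", ANNOTATIONS)
```

Running preflight on the manifest before applying it catches these mistakes ahead of the storage-initializer; the remapped Secret is a second copy of the credentials and needs the same access restrictions as the original.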