Namespace Setup

Setting up kubernetes namespaces

Namespaces can have various features. A basic configuration can be done first. This is enough to use many features. Further features such as gitops can be added later.

Basic Namespace Setup

With namespace labels

By default Seldon Deploy does not show any namespaces that are not explicitly labelled.

You can make a namespace globally available to all users by providing the following label to the namespace:

seldon.restricted: "false"

This is the minimum needed to use a namespace.

With authorization policies

With OPA enabled you can make namespaces globally visible by giving read and write permissions to that namespace to all users (*). An example policy will look like this:

{
  "role_grants": {},
  "user_grants": {
    "*": [
      {
        "action": "read",
        "resource": "namespace/seldon"
      },
      {
        "action": "write",
        "resource": "namespace/seldon"
      }
    ]
  }
}

This policy file is a bare minimum which will allow all users to see the seldon namespace.

Namespace Filtering

With namespace labels

If the label seldon.restricted is set to “true” then visibility of the namespace can be narrowed by group or by user.

For details of this, see Namespace Visibility

With authorization policies

With OPA enabled non-global namespaces are supported by both group and user based policies.

For details of this, see Namespace Visibility

Batch Jobs Permissions

Batch jobs use argo as a workflow engine. Argo needs a service account in the namespace and this has to be given permissions to create necessary resources. This is explained in the Argo section

Object Storage Secrets

The Seldon Deploy demos use models hosted in public buckets. To use private buckets, a secret containing environment variables should be setup in the namespace. An example is provided in the Argo section.

Models should reference the secret in the envFrom section of the wizard.

Gitops

A GitOps setup utilizes argocd to manage namespace contents in git. This requires setup for git, argocd and per-namespace. Each of these elements is covered in the gitops section

Multi-tenant Permissions (Only Used for Multi-tenant Installations)

In a multi-tenant setup, deploy is not automatically set up with permissions to work with multiple namespaces. Each namespace then needs further permissions. Details on this are in the multitenant section

Seldon-logs namespace (a special namespace)

The seldon-logs namespace is used for request logging. It is a special namespace and its setup is covered in the request logging section. It can be setup as a gitops namespace but this is optional. ML models do not go in this namespace.