istio sidecar giving 403 RBAC because of AuthorizationPolicy


I am trying to use Kubeflow serving (kserve), but my model (sidecar) is giving 403 RBAC issues. Below are the AuthorizationPolicy rules:

rules:
    - from:
        - source:
            principals:
              - >-
                cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
              - cluster.local/ns/kubeflow/sa/ml-pipeline-ui
      when:
        - key: request.headers[kubeflow-userid]
          values:
            - [email protected]
    - when:
        - key: source.namespace
          values:
            - kubeflow-user-example-com
    - to:
        - operation:
            paths:
              - /healthz
              - /metrics
              - /wait-for-drain
    - from:
        - source:
            principals:
              - cluster.local/ns/kubeflow/sa/notebook-controller-service-account
      to:
        - operation:
            methods:
              - GET
            paths:
              - '*/api/kernels'

My request is going through istio-ingressgateway, and it has the proper cookie. oidc-authservice can find a user, and it adds kubeflow-userid to the headers. But when the request goes to the actual model, the sidecar in that pod gives 403.

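To see why a request that carries the right kubeflow-userid header can still be rejected, here is a small Python model of how Istio evaluates an ALLOW AuthorizationPolicy. This is an added example, not code from the question, from Istio or from KServe. It encodes the four rules from the question; the user address in the post is redacted, so `user@example.com` is a stand-in, the request attribute sets are constructed, and the predictor path and the "other-sa" workload identity are hypothetical. The semantics modelled are Istio's documented ones: a request is allowed if any rule matches; a rule matches only when at least one `from`, at least one `to` and every `when` entry match; `source.principal` and `source.namespace` come from the mTLS peer certificate of the last hop, so they are unset when the request reaches the sidecar in plaintext or were issued by whatever workload made the last hop, not by the ingress gateway that handled the original request.

```python
"""Simplified model of Istio ALLOW AuthorizationPolicy evaluation (added example).

Modelled: ALLOW action only; from/to/when AND'ed within a rule; lists OR'ed;
string matching with presence '*', prefix 'abc*', suffix '*abc', else exact.
Not modelled: notPrincipals/notValues, ipBlocks (CIDR), hosts, DENY/CUSTOM.
"""

INGRESS_SA = "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
PIPELINE_UI_SA = "cluster.local/ns/kubeflow/sa/ml-pipeline-ui"
NOTEBOOK_SA = "cluster.local/ns/kubeflow/sa/notebook-controller-service-account"
USER_EMAIL = "user@example.com"          # stand-in: the address in the post is redacted
MODEL_PATH = "/v1/models/my-model:predict"  # hypothetical predictor path

# The four rules from the question, as the equivalent Python structure.
POLICY_RULES = [
    {"from": [{"source": {"principals": [INGRESS_SA, PIPELINE_UI_SA]}}],
     "when": [{"key": "request.headers[kubeflow-userid]", "values": [USER_EMAIL]}]},
    {"when": [{"key": "source.namespace", "values": ["kubeflow-user-example-com"]}]},
    {"to": [{"operation": {"paths": ["/healthz", "/metrics", "/wait-for-drain"]}}]},
    {"from": [{"source": {"principals": [NOTEBOOK_SA]}}],
     "to": [{"operation": {"methods": ["GET"], "paths": ["*/api/kernels"]}}]},
]

# (policy field, request attribute) pairs for `source` and `operation` blocks
SOURCE_FIELDS = (("principals", "source.principal"), ("namespaces", "source.namespace"))
OPERATION_FIELDS = (("methods", "request.method"), ("paths", "request.path"))


def match_value(pattern, value):
    """Istio string match; an unset attribute never matches a positive pattern."""
    if value is None:
        return False
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern


def any_value_matches(patterns, value):
    return any(match_value(p, value) for p in patterns)


def block_matches(block, fields, req):
    """Every field present in a source/operation block must match (AND)."""
    return all(any_value_matches(block[f], req.get(attr)) for f, attr in fields if f in block)


def rule_matches(rule, req):
    """from: any listed source; to: any listed operation; when: all conditions."""
    if "from" in rule and not any(block_matches(f["source"], SOURCE_FIELDS, req) for f in rule["from"]):
        return False
    if "to" in rule and not any(block_matches(t["operation"], OPERATION_FIELDS, req) for t in rule["to"]):
        return False
    if "when" in rule and not all(any_value_matches(c["values"], req.get(c["key"])) for c in rule["when"]):
        return False
    return True


def evaluate_allow_policy(rules, req):
    """Return (allowed, index of the first matching rule or None)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, req):
            return True, i
    return False, None


# Constructed request attribute sets, as the model pod's sidecar would see them.
REQ_VIA_INGRESS = {  # last hop is the ingress gateway over mTLS, header injected upstream
    "source.principal": INGRESS_SA, "source.namespace": "istio-system",
    "request.headers[kubeflow-userid]": USER_EMAIL,
    "request.method": "POST", "request.path": MODEL_PATH}
REQ_OTHER_HOP = {    # same header, but the last mTLS hop is another workload (hypothetical SA)
    "source.principal": "cluster.local/ns/other-ns/sa/other-sa", "source.namespace": "other-ns",
    "request.headers[kubeflow-userid]": USER_EMAIL,
    "request.method": "POST", "request.path": MODEL_PATH}
REQ_PLAINTEXT = {    # no mTLS on the last hop: peer identity unknown, so source.* is unset
    "request.headers[kubeflow-userid]": USER_EMAIL,
    "request.method": "POST", "request.path": MODEL_PATH}
REQ_HEALTHZ = {"request.method": "GET", "request.path": "/healthz"}
REQ_SAME_NS = {
    "source.principal": "cluster.local/ns/kubeflow-user-example-com/sa/default",
    "source.namespace": "kubeflow-user-example-com",
    "request.method": "POST", "request.path": MODEL_PATH}
REQ_KERNELS = {
    "source.principal": NOTEBOOK_SA, "source.namespace": "kubeflow",
    "request.method": "GET", "request.path": "/notebook/ns/nb/api/kernels"}

if __name__ == "__main__":
    cases = [("via ingress gateway", REQ_VIA_INGRESS), ("other last hop", REQ_OTHER_HOP),
             ("plaintext", REQ_PLAINTEXT), ("healthz", REQ_HEALTHZ),
             ("same namespace", REQ_SAME_NS), ("notebook kernels", REQ_KERNELS)]
    for name, req in cases:
        allowed, idx = evaluate_allow_policy(POLICY_RULES, req)
        print(f"{name:20s} -> {'ALLOW (rule %d)' % idx if allowed else 'DENY (403)'}")
```

The two denied cases are the ones worth checking against a real 403: the header alone satisfies only the `when` half of the first rule, so the request is rejected unless the sidecar also sees one of the two listed principals on the last mTLS hop. On the cluster, `istioctl x authz check <pod>` shows which policies apply to the model pod, and `istioctl proxy-config log <pod> --level rbac:debug` makes the sidecar log the source principal and namespace it actually evaluated for each denied request.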