Skip to content

feat(allowlist): support both v1 and v1alpha2 InferencePool APIs with flag #474

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 27, 2025
Merged

feat(allowlist): support both v1 and v1alpha2 InferencePool APIs with flag #474

merged 1 commit into from
Nov 27, 2025

Conversation

@googs1025
Copy link
Contributor

@googs1025 googs1025 commented Nov 21, 2025
edited
Loading

add new pool-group flag to choose which inferencepool to support

fix: #462

pierDipi
pierDipi approved these changes Nov 21, 2025
View reviewed changes
Copy link
Member

@pierDipi pierDipi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

pkg/sidecar/proxy/allowlist.go Outdated
if errors.IsNotFound(err) {
return false, nil // GroupVersion not supported
}
return false, fmt.Errorf("failed to discover resources for %s: %w", gvr.GroupVersion(), err)
Copy link
Member

@pierDipi pierDipi Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: as the function is generic and doesn't necessarily assume InfPool resource

Suggested change
return false, fmt.Errorf("failed to discover resources for %s: %w", gvr.GroupVersion(), err)
return false, fmt.Errorf("failed to discover resources for %s: %w", gvr.String(), err)

Copy link
Contributor Author

@googs1025 googs1025 Nov 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@googs1025 googs1025 force-pushed the fix/allowlistValidator branch 3 times, most recently from 70ebbf1 to cf90c1e Compare November 21, 2025 12:57
@shmuelk
Copy link
Collaborator

shmuelk commented Nov 23, 2025

@googs1025 If I understand this PR correctly, it is trying to figure which version of the InferencePool CRD is installed.

What happens if both CRDs are installed? I believe make env-dev-kind installs both versions of the InferencePool CRD. It actually uses the v1 version, but both CRDs are installed.

@googs1025
Copy link
Contributor Author

googs1025 commented Nov 24, 2025

@googs1025 If I understand this PR correctly, it is trying to figure which version of the InferencePool CRD is installed.

What happens if both CRDs are installed? I believe make env-dev-kind installs both versions of the InferencePool CRD. It actually uses the v1 version, but both CRDs are installed.

@shmuelk thanks for feed back.

This PR handles that scenario explicitly by using a prioritized candidate list:

var candidateGVRs = []schema.GroupVersionResource{
	{Group: "inference.networking.k8s.io", Version: "v1", Resource: inferencePoolResource},                // ← Preferred
	{Group: "inference.networking.x-k8s.io", Version: "v1alpha2", Resource: inferencePoolResource}, // ← Fallback
}

This logic use this list in order and picks the first GVR that is supported by the cluster. So if both CRDs exist, it will always prefer v1 API (inference.networking.k8s.io/v1) and only fall back to v1alpha2 if v1 is not present.

This matches the behavior of upstream components like the Ingress Gateway (IGW), which also support both versions but prioritize the stable one.

@googs1025 googs1025 force-pushed the fix/allowlistValidator branch 2 times, most recently from 5da9581 to 5403cbf Compare November 24, 2025 05:49
zdtsw
zdtsw reviewed Nov 25, 2025
View reviewed changes
pkg/sidecar/proxy/allowlist.go Outdated
//
// This approach aligns with upstream Ingress Gateway (IGW) behavior, which also supports
// both API versions concurrently (see issue #462).
var candidateGVRs = []schema.GroupVersionResource{
Copy link
Contributor

@zdtsw zdtsw Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isGVRSupported() is generic function, should candidateGVRs be more specific as it is only on inferencepools for now

Copy link
Contributor Author

@googs1025 googs1025 Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

change to inferencePoolGVRCandidates

@googs1025 googs1025 force-pushed the fix/allowlistValidator branch from 5403cbf to 24df901 Compare November 26, 2025 00:42
@zdtsw
Copy link
Contributor

zdtsw commented Nov 26, 2025

/lgtm

@github-actions
Copy link

github-actions bot commented Nov 26, 2025

Cannot apply the lgtm label because Error: zdtsw is not included in the reviewers role in the OWNERS file

shmuelk
shmuelk requested changes Nov 26, 2025
View reviewed changes
pkg/sidecar/proxy/allowlist.go
Resource: inferencePoolResource,
}
av.logger.Info("starting SSRF protection allowlist validator",
"namespace", av.namespace, "poolName", av.poolName, "gvr", av.gvr.String())
Copy link
Collaborator

@shmuelk shmuelk Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

av.gvr is never set

Copy link
Contributor Author

@googs1025 googs1025 Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh... my bad. done

@shmuelk
Copy link
Collaborator

shmuelk commented Nov 26, 2025

@googs1025 Thank you for your continued efforts on this PR.

I added an additional comment on the code as it seemed that something was missing in the code.

Additionally, I have an issue with the overall design of the code.

You check what CRDs are installed. If the InferencePool V1 CRD is installed, you watch on V1 InferencePool objects. If that CRD isn't installed, you will watch on v1alpha2 InferencePool objects. Bottom line you watch on one of the two possible types.

The problem is in the case where the user has both CRDs installed and for a variety of reasons is still using the v1alpha2 version of the InferencePool.

I see two possible solutions:

  1. Create watcher's on all version's of the InferencePool that are found.
  2. Remove the discovery code and simply add a command line parameter in which the user tells you which InferencePool type they are using. The default should be the V1 version. This BTW is exactly what the GIE does.

@googs1025 googs1025 force-pushed the fix/allowlistValidator branch from 24df901 to 29a9d31 Compare November 26, 2025 13:31
@googs1025
Copy link
Contributor Author

googs1025 commented Nov 26, 2025
edited
Loading

@googs1025 Thank you for your continued efforts on this PR.

I added an additional comment on the code as it seemed that something was missing in the code.

Additionally, I have an issue with the overall design of the code.

You check what CRDs are installed. If the InferencePool V1 CRD is installed, you watch on V1 InferencePool objects. If that CRD isn't installed, you will watch on v1alpha2 InferencePool objects. Bottom line you watch on one of the two possible types.

The problem is in the case where the user has both CRDs installed and for a variety of reasons is still using the v1alpha2 version of the InferencePool.

I see two possible solutions:

  1. Create watcher's on all version's of the InferencePool that are found.
  2. Remove the discovery code and simply add a command line parameter in which the user tells you which InferencePool type they are using. The default should be the V1 version. This BTW is exactly what the GIE does.

thanks for this great feed back 😄 this make more sense to me. We should align with GIE upstream.
use option 2.

  1. Remove the discovery code and simply add a command line parameter in which the user tells you which InferencePool type they are using. The default should be the V1 version. This BTW is exactly what the GIE does.

@googs1025 googs1025 changed the title feat(allowlist): support both v1 and v1alpha2 InferencePool APIs with auto-discovery feat(allowlist): support both v1 and v1alpha2 InferencePool APIs with flag Nov 27, 2025
@googs1025 googs1025 force-pushed the fix/allowlistValidator branch from 29a9d31 to a6ceb58 Compare November 27, 2025 03:56
@shmuelk
Copy link
Collaborator

shmuelk commented Nov 27, 2025

@googs1025 This looks much better. You have a lint failure. Please add a comment for the exported field.

@googs1025
feat(allowlist): support both v1 and v1alpha2 InferencePool APIs with…
2a65147 
… auto-discovery

Signed-off-by: CYJiang <googs1025@gmail.com>
@googs1025 googs1025 force-pushed the fix/allowlistValidator branch from a6ceb58 to 2a65147 Compare November 27, 2025 11:30
@shmuelk
Copy link
Collaborator

shmuelk commented Nov 27, 2025

/lgtm
/approve

@github-actions github-actions bot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 27, 2025
@github-actions github-actions bot merged commit e11b6f1 into llm-d:main Nov 27, 2025
6 checks passed
@github-project-automation github-project-automation bot moved this from In review to Done in llm-d-inference-scheduler Nov 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shmuelk shmuelk shmuelk approved these changes

@github-actions github-actions[bot] github-actions[bot] approved these changes

+2 more reviewers

@zdtsw zdtsw zdtsw left review comments

@pierDipi pierDipi pierDipi approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

lgtm "Looks good to me", indicates that a PR is ready to be merged.

Projects

llm-d-inference-scheduler
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Should AllowlistValidator support both inference.networking.x-k8s.io/v1alpha2 and inference.networking.k8s.io/v1, or migrate exclusively to the new API?

4 participants

@googs1025 @shmuelk @zdtsw @pierDipi