[Cherry-Pick]regarding e2e fixes for predictor/path_based_routing (#514)

* add networkpolicy for kserve namespace

Signed-off-by: Jooho Lee <[email protected]>

* comment out runAsUser for e2e test in openshift

Signed-off-by: Jooho Lee <[email protected]>

* cherrypick upstream 4276

Signed-off-by: Jooho Lee <[email protected]>

---------

Signed-off-by: Jooho Lee <[email protected]>

Author: Jooho

config/runtimes/kserve-torchserve.yaml

@@ -27,7 +27,8 @@ spec:
         - name: "TS_SERVICE_ENVELOPE"
           value: "{{.Labels.serviceEnvelope}}"
       securityContext:
-        runAsUser: 1000    # User ID is not defined in the Dockerfile, so we need to set it here to run as non-root
+        # In OpenShift, the UID is automatically assigned by the platform, so comment this field not to interfere with E2E tests.
+        # runAsUser: 1000    # User ID is not defined in the Dockerfile, so we need to set it here to run as non-root
         allowPrivilegeEscalation: false
         privileged: false
         runAsNonRoot: true

config/runtimes/kserve-tritonserver.yaml

@@ -43,7 +43,8 @@ spec:
         - --allow-grpc=true
         - --allow-http=true
       securityContext:
-        runAsUser: 1000    # https://docs.nvidia.com/deeplearning/triton-inference-server/user-guide/docs/customization_guide/deploy.html#run-as-a-non-root-user
+        # In OpenShift, the UID is automatically assigned by the platform, so comment this field not to interfere with E2E tests.
+        # runAsUser: 1000    # https://docs.nvidia.com/deeplearning/triton-inference-server/user-guide/docs/customization_guide/deploy.html#run-as-a-non-root-user
         allowPrivilegeEscalation: false
         privileged: false
         runAsNonRoot: true

test/e2e/predictor/test_autoscaling.py

@@ -225,7 +225,7 @@ async def test_sklearn_scale_raw(rest_v1_client):
 @pytest.mark.asyncio(scope="session")
 async def test_sklearn_rolling_update():
     service_name = "isvc-sklearn-rolling-update"
-    min_replicas = 4
+    min_replicas = 2
     predictor = V1beta1PredictorSpec(
         min_replicas=min_replicas,
         scale_metric="cpu",
@@ -277,14 +277,14 @@ async def test_sklearn_rolling_update():
     kserve_client.wait_isvc_ready(service_name, namespace=KSERVE_TEST_NAMESPACE)
 
     kserve_client.patch(service_name, updated_isvc)
-    deployment = kserve_client.app_api.list_namespaced_deployment(
-        namespace=KSERVE_TEST_NAMESPACE,
-        label_selector="serving.kserve.io/test=rolling-update",
-    )
     kserve_client.wait_isvc_ready(
         service_name, namespace=KSERVE_TEST_NAMESPACE, timeout_seconds=600
     )
 
+    deployment = kserve_client.app_api.list_namespaced_deployment(
+        namespace=KSERVE_TEST_NAMESPACE,
+        label_selector="serving.kserve.io/test=rolling-update",
+    )
     # Check if the deployment replicas still remain the same as min_replicas
     assert deployment.items[0].spec.replicas == min_replicas
     kserve_client.delete(service_name, KSERVE_TEST_NAMESPACE)

test/scripts/openshift-ci/setup-e2e-tests.sh

@@ -172,4 +172,24 @@ kustomize build $PROJECT_ROOT/config/overlays/test/clusterresources |
 # no effect, because of missing Knative
 oc annotate servingruntimes -n kserve-ci-e2e-test --all serving.knative.openshift.io/enablePassthrough=true
 
+
+# Allow all traffic to the kserve namespace. Without this networkpolicy, webhook will return 500
+# error msg: 'http: server gave HTTP response to HTTPS client"}]},"code":500}'
+cat <<EOF | oc apply -f -
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all
+  namespace: kserve
+spec:
+  podSelector: {} 
+  ingress:
+  - {}  
+  egress:
+  - {}  
+  policyTypes:
+  - Ingress
+  - Egress
+EOF
+
 echo "Setup complete"