PerObjective

This example shows the current PerObjective path, including the container name that keeps one objective identity tied to one container selection.

As in the other examples, the Gateway API Inference Extension (GAIE) snippets focus on the fields kleym-operator currently consumes. Your cluster may require additional GAIE fields. For full GAIE schema details, see InferenceObjective and InferencePool. Reference docs: SPIFFE overview, SPIRE concepts, and ClusterSPIFFEID CRD.

Input

apiVersion: inference.networking.k8s.io/v1
kind: InferencePool
metadata:
  name: pool-a
  namespace: default
spec:
  selector:
    matchLabels:
      app: model-server
---
apiVersion: inference.networking.k8s.io/v1
kind: InferenceObjective
metadata:
  name: objective-a
  namespace: default
spec:
  poolRef:
    name: pool-a
---
apiVersion: kleym.sonda.red/v1alpha1
kind: InferenceIdentityBinding
metadata:
  name: objective-a
  namespace: default
spec:
  poolRef:
    name: pool-a
  objectiveRef:
    name: objective-a
  serviceAccountName: inference-sa
  mode: PerObjective
  containerName: main

Expected Outcome

The binding should reconcile to a managed ClusterSPIFFEID with:

  • SPIFFE ID spiffe://kleym.sonda.red/ns/default/objective/objective-a
  • the pool-derived pod selector for app=model-server
  • workload selectors including:
    • k8s:ns:default
    • k8s:sa:inference-sa
    • k8s:pod-label:app:model-server
    • k8s:container-name:main

Relevant output shape:

apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterSPIFFEID
metadata:
  labels:
    kleym.sonda.red/managed-by: kleym
    kleym.sonda.red/binding-name: objective-a
    kleym.sonda.red/binding-namespace: default
spec:
  spiffeIDTemplate: spiffe://kleym.sonda.red/ns/default/objective/objective-a
  podSelector:
    matchLabels:
      app: model-server
  workloadSelectorTemplates:
    - k8s:container-name:main
    - k8s:ns:default
    - k8s:pod-label:app:model-server
    - k8s:sa:inference-sa

The binding status should report Ready=True and Conflict=False.

Collision Example

If another PerObjective binding in the same namespace resolves to the same pool selector and uses the same container name, both bindings currently enter conflict.

Example conflicting binding:

apiVersion: kleym.sonda.red/v1alpha1
kind: InferenceIdentityBinding
metadata:
  name: objective-b
  namespace: default
spec:
  poolRef:
    name: pool-a
  objectiveRef:
    name: objective-b
  serviceAccountName: inference-sa
  mode: PerObjective
  containerName: main

Expected conflict outcome:

  • both bindings report Conflict=True
  • both bindings report Ready=False
  • managed ClusterSPIFFEID resources for the colliding bindings are removed until the collision is fixed
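
The selector derivation and the collision rule described above can be checked offline against a set of bindings. The following Go program is an added example, not kleym-operator code: the `Binding` struct and the `Selectors` and `Conflicts` functions are hypothetical, and the conflict key (namespace, pool matchLabels, container name) is an assumption taken from the wording of the collision example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Binding is a hypothetical flattened view: binding fields plus the referenced pool's matchLabels.
type Binding struct {
	Name, Namespace, ServiceAccount, Container string
	PoolLabels                                 map[string]string
}

// podLabels renders the pool matchLabels as sorted k8s:pod-label selectors.
func podLabels(b Binding) []string {
	var s []string
	for k, v := range b.PoolLabels {
		s = append(s, "k8s:pod-label:"+k+":"+v)
	}
	sort.Strings(s)
	return s
}

// Selectors returns the workload selectors in the order of the output shape (already lexicographic).
func Selectors(b Binding) []string {
	s := []string{"k8s:container-name:" + b.Container, "k8s:ns:" + b.Namespace}
	return append(append(s, podLabels(b)...), "k8s:sa:"+b.ServiceAccount)
}

// Conflicts maps "namespace/name" to true when another binding shares its namespace, pool selector and container name.
func Conflicts(bs []Binding) map[string]bool {
	seen, out := map[string][]string{}, map[string]bool{}
	for _, b := range bs {
		key := b.Namespace + "|" + strings.Join(podLabels(b), ",") + "|" + b.Container
		seen[key] = append(seen[key], b.Namespace+"/"+b.Name)
		for _, n := range seen[key] {
			out[n] = len(seen[key]) > 1
		}
	}
	return out
}

func main() {
	// Constructed sample mirroring the two bindings on this page.
	a := Binding{"objective-a", "default", "inference-sa", "main", map[string]string{"app": "model-server"}}
	b := Binding{"objective-b", "default", "inference-sa", "main", a.PoolLabels}
	fmt.Println(Selectors(a), Conflicts([]Binding{a}), Conflicts([]Binding{a, b}))
}
```

Every binding flagged `true` corresponds to one that would report Conflict=True and Ready=False under the rule above.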