Skip to content

PerObjective

This example shows the current PerObjective path, including the container discriminator that keeps one objective identity tied to one container selection.

As in the other examples, the GAIE snippets focus on the fields kleym currently consumes. Your cluster may require additional GAIE fields.

Input

apiVersion: inference.networking.k8s.io/v1
kind: InferencePool
metadata:
  name: pool-a
  namespace: default
spec:
  selector:
    matchLabels:
      app: model-server
---
apiVersion: inference.networking.k8s.io/v1
kind: InferenceObjective
metadata:
  name: objective-a
  namespace: default
spec:
  poolRef:
    name: pool-a
---
apiVersion: kleym.sonda.red/v1alpha1
kind: InferenceIdentityBinding
metadata:
  name: objective-a
  namespace: default
spec:
  targetRef:
    name: objective-a
  selectorSource: DerivedFromPool
  workloadSelectorTemplates:
    - k8s:ns:default
    - k8s:sa:inference-sa
  mode: PerObjective
  containerDiscriminator:
    type: ContainerName
    value: main

Expected Outcome

The binding should reconcile to a managed ClusterSPIFFEID with:

  • SPIFFE ID spiffe://kleym.sonda.red/ns/default/objective/objective-a
  • the pool-derived pod selector for app=model-server
  • workload selectors including:
  • k8s:ns:default
  • k8s:sa:inference-sa
  • k8s:pod-label:app:model-server
  • k8s:container-name:main

Relevant output shape:

apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterSPIFFEID
metadata:
  labels:
    kleym.sonda.red/managed-by: kleym
    kleym.sonda.red/binding-name: objective-a
    kleym.sonda.red/binding-namespace: default
spec:
  spiffeIDTemplate: spiffe://kleym.sonda.red/ns/default/objective/objective-a
  podSelector:
    matchLabels:
      app: model-server
  workloadSelectorTemplates:
    - k8s:container-name:main
    - k8s:ns:default
    - k8s:pod-label:app:model-server
    - k8s:sa:inference-sa

The binding status should report Ready=True and Conflict=False.

Collision Example

If another PerObjective binding in the same namespace resolves to the same pool selector and uses the same container discriminator, both bindings currently enter conflict.

Example conflicting binding:

apiVersion: kleym.sonda.red/v1alpha1
kind: InferenceIdentityBinding
metadata:
  name: objective-b
  namespace: default
spec:
  targetRef:
    name: objective-b
  selectorSource: DerivedFromPool
  workloadSelectorTemplates:
    - k8s:ns:default
    - k8s:sa:inference-sa
  mode: PerObjective
  containerDiscriminator:
    type: ContainerName
    value: main

Expected conflict outcome:

  • both bindings report Conflict=True
  • both bindings report Ready=False
  • managed ClusterSPIFFEID resources for the colliding bindings are removed until the collision is fixed