[k8s] Fix incluster auth after multi-context support

[romilbhardwaj]

In-cluster auth broke after our recent multi-context support. This is because incluster auth does not have any kubeconfig (and consequently, does not have any contexts) and relies solely on mounted service accounts.

As a result, SkyServe controller (and sky jobs controller) was not able to launch replicas.

This PR fixes it by making context optional throughout our codebase, and using the in-cluster auth when context is not detected.

Note: we probably need to update our docs/elsewhere to mention that multiple contexts may not work when the controller runs in a Kubernetes cluster.

Tested

• sky serve up -n http http_server.yaml
• sky launch -c test --cloud kubernetes -- echo hi
• Above, but with allowed_contexts set in config.yaml.

[concretevitamin]

Shall we add such a smoke test?

[romilbhardwaj]

This would have been caught by test_skyserve_kubernetes_http, but the full suite of smoke tests were not run for #3968.

[Michaelvll]

Thanks for fixing this @romilbhardwaj! Just wondering, when we are running things through controller, do we need to pop the allowed_contexts from the config.yaml being used for the jobs or services as well?

https://github.com/skypilot-org/skypilot/blob/master/sky/utils/controller_utils.py#L359-L370

[Michaelvll]

Can we rename this SINGLETON_REGION to some thing else, such as IN_CLUSTER_CONTEXT?

[Michaelvll]

Also, should we just make the value of SINGLETON_REGION = '_in-cluster' or something like that?

[romilbhardwaj]

Good idea - updated to in-cluster.

If running from within a cluster, it now looks like this:

(base) sky@test-2ea4-head:~$ sky launch -c wow --cloud kubernetes -- echo hi
Task from command: echo hi
I 09-28 03:39:33 optimizer.py:719] == Optimizer ==
I 09-28 03:39:33 optimizer.py:742] Estimated cost: $0.0 / hour
I 09-28 03:39:33 optimizer.py:742]
I 09-28 03:39:33 optimizer.py:867] Considered resources (1 node):
I 09-28 03:39:33 optimizer.py:937] ---------------------------------------------------------------------------------------------
I 09-28 03:39:33 optimizer.py:937]  CLOUD        INSTANCE    vCPUs   Mem(GB)   ACCELERATORS   REGION/ZONE   COST ($)   CHOSEN
I 09-28 03:39:33 optimizer.py:937] ---------------------------------------------------------------------------------------------
I 09-28 03:39:33 optimizer.py:937]  Kubernetes   2CPU--2GB   2       2         -              in-cluster    0.00          ✔
I 09-28 03:39:33 optimizer.py:937] ---------------------------------------------------------------------------------------------
I 09-28 03:39:33 optimizer.py:937]
Launching a new cluster 'wow'. Proceed? [Y/n]:

[romilbhardwaj]

Thanks @Michaelvll - updated the PR and ran tests again.

Tested

• sky serve up -n http http_server.yaml
• sky launch -c test --cloud kubernetes -- echo hi
• Above, but with allowed_contexts set in config.yaml.
• pytest tests/test_smoke.py::test_skyserve_kubernetes_http --kubernetes

[Michaelvll]

Thanks for the quick fix @romilbhardwaj! LGTM.

[Michaelvll]

Ahh, actually, is it possible that directly return a [None] for the get_all_kube_config_context_names() when we detect it is actually within a cluster, and still return an empty list of context if is not in a cluster. Otherwise, it seems to mix the two situations (able to access kubernetes cluster or not) when all_contexts is None which feels unintuitive.

[romilbhardwaj]

I see your point. I've updated get_all_kube_config_context_names() to return [None] if incluster and [] if no kubeconfig is detected, so the caller can distinguish between these two cases.

[Michaelvll]

It seems a bit more complicated, since if the controller is running on a cloud, it can be fine and correct to set the allowed_contexts. How about we add a TODO here?

[romilbhardwaj]

Thanks @Michaelvll! Re-running above tests after the changes to verify correctness, will merge after tests pass.