Squashed commit of the following:

commit 373df43 Author: Lucian Carata <[email protected]> Date: Thu Dec 12 01:09:30 2024 +0000 feat(k6): add scenario with multiple stages ramping up/down RPS (SeldonIO#6031) The added load test scenario allows one to configure an arbitrary number of stages, with each consisting of a linear ramp-up/down to the desired requests per second and a hold/plateau time. Within each stage, the duration for which the inference RPS is held constant is configured via one element in the `CONSTANT_RATE_DURATIONS_SECONDS` environment variable (a vector of comma separated values), with the ramp-up/ down duration preceding it being 1/3rd of the hold time. commit 34cf313 Author: paulb-seldon <[email protected]> Date: Wed Dec 11 16:59:20 2024 +0000 fix(docs): Docs on upgrading from 2.7 - 2.8 (SeldonIO#6143) * Docs on upgrading from 2.7 - 2.8 * Wording update commit 1c40f62 Author: Sherif Akoush <[email protected]> Date: Wed Dec 11 14:32:40 2024 +0000 fix: Add timeout to contexts in client calls (SeldonIO#6125) * add timeout context from infer call for modelgateway * add timeout context to pipeline gateway * set timeout context on process request * add a test for grpc call timeout * add agent k8s api call timeout * add context timeout for shutting down services * add timeout for controller k8s api calls * add timeout for control plane context * add timeout context to reconcile logic * pr comments commit 74032a4 Author: paulb-seldon <[email protected]> Date: Tue Dec 10 17:17:14 2024 +0000 Format spaces in install docs (SeldonIO#6140) commit 7e6c8f1 Author: Sherif Akoush <[email protected]> Date: Tue Dec 10 16:32:37 2024 +0000 fix(docs): add a table for core 2 dependencies in docs (SeldonIO#6139) * add table for core 2 deps in dosc * review comments commit c1d320e Author: Niall D <[email protected]> Date: Tue Dec 10 16:16:55 2024 +0000 feat(scheduler): account for multiple instances of a model per server when scheduling (SeldonIO#6054) * just checking in whatever I have * testing all the code * remove comment * linting * document unused param * changing the proto around * use parallelWorkers instead of instanceCount for mlserver * comma * rename ModelConfig * use modelWithVersion as param commit a7bfb00 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon Dec 9 21:35:13 2024 +0000 Bump grafana/grafana from 11.3.1 to 11.4.0 in /scheduler (SeldonIO#6133) Bumps grafana/grafana from 11.3.1 to 11.4.0. --- updated-dependencies: - dependency-name: grafana/grafana dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> commit f129bd1 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon Dec 9 21:33:47 2024 +0000 Bump envoyproxy/envoy from v1.32.1 to v1.32.2 in /scheduler (SeldonIO#6134) Bumps envoyproxy/envoy from v1.32.1 to v1.32.2. --- updated-dependencies: - dependency-name: envoyproxy/envoy dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> commit 208791b Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon Dec 9 21:31:49 2024 +0000 Bump google.golang.org/grpc from 1.68.0 to 1.68.1 in /hodometer (SeldonIO#6136) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.68.0 to 1.68.1. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.68.0...v1.68.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> commit 2abeb80 Author: Rajakavitha Kodhandapani <[email protected]> Date: Mon Dec 9 18:31:14 2024 +0530 fix(docs): first draft of the securing endpoints (SeldonIO#5991) * first draft of the securing endpoints * added the output * updated the policy name * added a note * Added context, minor grammar edits * Update docs-gb/models/securing-endpoints.md Co-authored-by: Rajakavitha Kodhandapani <[email protected]> * incorporate review suggestions * fixing the links * added an example for all models * removed the example to create a vs for all models * fixed formatting * formatting changes * Update securing-endpoints.md * added a link to the services meshes main docs page --------- Co-authored-by: Rakavitha Kodhandapani <[email protected]> Co-authored-by: Paul Bridi <[email protected]> Co-authored-by: paulb-seldon <[email protected]> commit 4125273 Author: Niall D <[email protected]> Date: Fri Dec 6 13:52:35 2024 +0000 refactor(envoy): moving envoy/resources headers to util (SeldonIO#6129) * moving headers to util * removing a newline * lint commit f284b4a Author: Sherif Akoush <[email protected]> Date: Fri Dec 6 09:45:15 2024 +0000 fix(cli): Kafka inspect output formatting (SeldonIO#6130) * add kafka inspect consumer timeout (-d) as parameter * add formatting commit 6d89d57 Author: Lucian Carata <[email protected]> Date: Fri Dec 6 01:51:54 2024 +0000 feat(docs): improve HPA documentation (SeldonIO#6091) * highlight constraints and limitations of a HPA-based approach * remove note on statefulsets being created sequentially - we are specifically configuring k8s to allow for parallel creation of statefulset pods. * highlight importance of the `metrics-relist-interval` setting * simplify config example to no longer use regex metric matches * clarify example using HPA label selectors * clarify the need to use the `AverageValue` target type * clarify the relation between query rate window size and prometheus scrape interval Merge branch 'v2' into INFRA-1420/add-clusters-before-updating-routes-part-2
driev · Dec 12, 2024 · 55b526b · 55b526b
2 parents 7c67fd6 + 373df43
commit 55b526b
Show file tree

Hide file tree

Showing 54 changed files with 1,715 additions and 604 deletions.
diff --git a/apis/go/mlops/agent/agent.pb.go b/apis/go/mlops/agent/agent.pb.go
diff --git a/apis/mlops/agent/agent.proto b/apis/mlops/agent/agent.proto
@@ -27,6 +27,7 @@ message ModelEventMessage {
   Event event = 5;
   string message = 6;
   uint64 availableMemoryBytes = 7;
+  ModelRuntimeInfo runtimeInfo = 8;
 }
 
 message ModelEventResponse {
@@ -92,8 +93,29 @@ message ModelOperationMessage {
 message ModelVersion {
   scheduler.Model model = 1;
   uint32 version = 2;
+  ModelRuntimeInfo runtimeInfo = 3;
 }
 
+message ModelRuntimeInfo {
+  oneof modelRuntimeInfo {
+    MLServerModelSettings mlserver = 1; 
+    TritonModelConfig triton = 2;
+    }
+}
+
+message MLServerModelSettings {
+  uint32 parallelWorkers = 1;
+}
+
+message TritonModelConfig {
+  repeated TritonCPU cpu = 1;
+}
+
+message TritonCPU {
+  uint32 instanceCount = 1;
+  }
+
+
 // [END Messages]
 
 // [START Services]

diff --git a/docs-gb/SUMMARY.md b/docs-gb/SUMMARY.md
@@ -77,6 +77,7 @@
   * [rClone](models/rclone.md)
   * [Parameterized Models](models/parameterized-models/README.md)
   * [Pandas Query](models/parameterized-models/pandasquery.md)
+  * [Securing Endpoints](models/securing-endpoints.md)
 * [Metrics](metrics/README.md)
   * [Usage](metrics/usage.md)
   * [Operational](metrics/operational.md)

diff --git a/docs-gb/getting-started/kubernetes-installation/README.md b/docs-gb/getting-started/kubernetes-installation/README.md
@@ -2,9 +2,29 @@
 
 ## Prerequisites
 
-* Ensure that the version of the Kubernetes cluster is v1.27 or later. Seldon Core 2 supports Kubernetes versions 1.27, 1.28, 1.29, 1.30, and 1.31. You can create a [KinD](https://kind.sigs.k8s.io/docs/user/quick-start/#installation) cluster on your local computer for testing with [Ansible](ansible.md). 
+* Ensure that the version of the Kubernetes cluster meets the requirement listed below. You can create a [KinD](https://kind.sigs.k8s.io/docs/user/quick-start/#installation) cluster on your local computer for testing with [Ansible](ansible.md). 
 * Install the ecosystem components using [Ansible](ansible.md).
 
+## Core 2 Dependencies
+
+Here is a list of components that Seldon Core 2 depends on, with minimum and maximum supported versions.
+
+| Component | Minimum Version | Maximum Version | Notes |
+| - | - | - | - |
+| Kubernetes | 1.27 | 1.31 | Required |
+| Envoy`*` | 1.32.2 | 1.32.2 | Required |
+| Rclone`*` | 1.68.2 | 1.68.2 | Required |
+| Kafka`**` | 3.4 | 3.8 | Optional |
+| Prometheus | 2.0 | 2.x | Optional |
+| Grafana | 10.0 | `***` | Optional |
+| Prometheus-adapter | 0.12 | 0.12 | Optional |
+| Opentelemetry Collector | 0.68 | `***` | Optional |
+
+`*` These components are shipped as part of Seldon Core 2 docker images set, users should not install them separately but they need to be aware of the configuration options that are supported by these versions.  
+`**` Kafka is only required to operate Seldon Core 2 dataflow Pipelines. If not required then users should not install seldon-modelgateway, seldon-pipelinegateway, and seldon-dataflow-engine.  
+`***` Not hard limit on the maximum version to be used.  
+
+
 ## Install Ecosystem Components
 
 You also need to install our ecosystem components. For this we provide directions for [Ansible](ansible.md) to install these.
@@ -22,8 +42,8 @@ You also need to install our ecosystem components. For this we provide direction
 
 To install Seldon Core 2 from the [source repository](https://github.com/SeldonIO/seldon-core), you can choose one of the following methods:
 
-* [Helm](helm.md)(recommended for production systems)
-* [Ansible](ansible.md)(recommended for testing, development, or trial)
+* [Helm](helm.md) (recommended for production systems)
+* [Ansible](ansible.md) (recommended for testing, development, or trial)
 
 The Kubernetes operator that is installed runs in namespaced mode so any resources you create
 need to be in the same namespace as you installed into.

diff --git a/docs-gb/kubernetes/hpa-rps-autoscaling.md b/docs-gb/kubernetes/hpa-rps-autoscaling.md
diff --git a/docs-gb/kubernetes/service-meshes/istio.md b/docs-gb/kubernetes/service-meshes/istio.md
@@ -49,7 +49,7 @@ spec:
       privateKey: /etc/istio/ingressgateway-certs/tls.key
       serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
 ---
-apiVersion: networking.istio.io/v1beta1
+apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
   name: iris-route

diff --git a/docs-gb/models/securing-endpoints.md b/docs-gb/models/securing-endpoints.md
@@ -0,0 +1,110 @@
+# Securing model endpoints
+
+In enterprise use cases, you may need to control who can access the endpoints for deployed models or pipelines. You can leverage existing authentication mechanisms in your cluster or environment, such as service mesh-level controls, or use cloud provider solutions like Apigee on GCP, Amazon API Gateway on AWS, or a provider-agnostic gateway like Gravitee. Seldon Core 2 integrates with various [service meshes](../kubernetes/service-meshes/) that support these requirements. Though Seldon Core 2 is service-mesh agnostic, the example on this page demonstrates how to set up authentication and authorization to secure a model endpoint using the Istio service mesh.
+
+## Securing Endpoints with Istio
+
+Service meshes offer a flexible way of defining authentication and authorization rules for your models. With Istio, for example, you can configure multiple layers of security within an Istio Gateway, such as a [TLS for HTTPS at the gateway](https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-a-single-host) level, [mutual TLS (mTLS) for secure internal communication](https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-mutual-tls-ingress-gateway), as well as [AuthorizationPolicies](https://istio.io/latest/docs/reference/config/security/authorization-policy/) and [RequestAuthentication](https://istio.io/latest/docs/reference/config/security/request_authentication/) policies to enforce both authentication and authorization controls.
+
+**Prerequisites**
+* [Deploy a model](../kubernetes/service-meshes/istio.md)
+* [Configure a gateway](../kubernetes/service-meshes/istio.md)
+* [Create a virtual service to expose the REST and gRPC endpoints](../kubernetes/service-meshes/istio.md)
+* Configure a OIDC provider to authenticate. Obtain the `issuer` url, `jwksUri`, and the `Access token` from the OIDC provider.
+{% hint style="info" %}
+**Note** There are many types of authorization policies that you can configure to enable access control on workloads in the mesh. 
+{% endhint %}
+
+In the following example, you can secure the endpoint such that any requests to the endpoint without the access token are denied.
+
+To secure the endpoints of a model, you need to:
+1. Create a `RequestAuthentication` resource named `ingress-jwt-auth` in the `istio-system namespace`. Replace `<OIDC_TOKEN_ISSUER>` and `<OIDC_TOKEN_ISSUER_JWKS>` with your OIDC provider’s specific issuer URL and JWKS (JSON Web Key Set) URI.
+
+```yaml
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+  name: ingress-jwt-auth
+  namespace: istio-system  # This is the namespace where Istio Ingress Gateway usually resides
+spec:
+  selector:
+    matchLabels:
+      istio: istio-ingressgateway  # Apply to Istio Ingress Gateway pods
+  jwtRules:
+    - issuer: <OIDC_TOKEN_ISSUER>
+      jwksUri: <OIDC_TOKEN_ISSUER_JWKS>
+```
+Create the resource using `kubectl apply -f ingress-jwt-auth.yaml`.
+
+2. Create an authorization policy `deny-empty-jwt` in the namespace `istio-system`.
+
+```yaml
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: deny-empty-jwt
+  namespace: istio-system
+spec:
+  action: DENY
+  rules:
+    - from:
+        - source:
+            notRequestPrincipals:
+              - '*'  # Denies requests without a valid JWT principal
+      to:
+        - operation:
+            paths:
+              - /v2/*  # Applies to requests with this path pattern
+  selector:
+    matchLabels:
+      app: istio-ingressgateway  # Applies to Istio Ingress Gateway pods
+```
+Create the resource using `kubectl apply -f deny-empty-jwt.yaml`.
+
+3. To verify that the requests without an access token are denied send this request:
+   ```bash
+    curl -i http://$MESH_IP/v2/models/iris/infer \
+    -H "Content-Type: application/json" \
+    -H "seldon-model":iris \
+    -d '{"inputs": [{"name": "predict", "shape": [1, 4], "datatype": "FP32", "data": [[1, 2, 3, 4]]}]}'
+    ``` 
+  The output is similar to:
+  ```bash
+  HTTP/1.1 403 Forbidden
+  content-length: 19
+  content-type: text/plain  
+  date: Fri, 25 Oct 2024 11:14:33 GMT
+  server: istio-envoy
+  connection: close
+  Closing connection 0
+  RBAC: access denied
+  ```
+  Now, send the same request with an access token:
+  ```bash
+  curl -i http://$MESH_IP/v2/models/iris/infer \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer $ACCESS_TOKEN" \
+  -H "seldon-model":iris \
+  -d '{"inputs": [{"name": "predict", "shape": [1, 4], "datatype": "FP32", "data": [[1, 2, 3, 4]]}]}'
+  ```
+  The output is similar to:
+  ```bash
+  HTTP/1.1 200 OK
+  ce-endpoint: iris_1
+  ce-id: 2fb8a086-ee22-4285-9826-9d38111cbb9e
+  ce-inferenceservicename: mlserver
+  ce-modelid: iris_1
+  ce-namespace: seldon-mesh
+  ce-requestid: 2fb8a086-ee22-4285-9826-9d38111cbb9e
+  ce-source: io.seldon.serving.deployment.mlserver.seldon-mesh
+  ce-specversion: 0.3
+  ce-type: io.seldon.serving.inference.response
+  content-length: 213
+  content-type: application/json
+  date: Fri, 25 Oct 2024 11:44:49 GMT
+  server: envoy
+  x-request-id: csdo9cbc2nks73dtlk3g
+  x-envoy-upstream-service-time: 9
+  x-seldon-route: :iris_1:
+  ```
+
diff --git a/docs-gb/upgrading.md b/docs-gb/upgrading.md
@@ -1,5 +1,14 @@
 # Upgrading
 
+## Upgrading from 2.7 - 2.8
+
+Core 2.8 introduces several new fields in our CRDs:
+* `statefulSetPersistentVolumeClaimRetentionPolicy` enables users to configure the cleaning of PVC on their **servers**. This field is set to **retain** as default.
+* `Status.selector` was introduced as a mandatory field for **models** in 2.8.4 and made optional in 2.8.5. This field enables autoscaling with HPA.
+* `PodSpec` in the `OverrideSpec` for **SeldonRuntimes** enables users to customize how Seldon Core 2 pods are created. In particular, this also allows for setting custom taints/tolerations, adding additional containers to our pods, configuring custom security settings.
+
+These added fields do not result in breaking changes, apart from 2.8.4 which required the setting of the `Status.selector` upon upgrading. This field was however changed to optional in the subsequent 2.8.5 release. Updating the CRDs (e.g. via helm) will enable users to benefit from the associated functionality.
+
 ## Upgrading from 2.6 - 2.7
 
 All pods provisioned through the operator i.e. `SeldonRuntime` and `Server` resources now have the

diff --git a/hodometer/go.mod b/hodometer/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/seldonio/seldon-core/components/tls/v2 v2.0.0-00010101000000-000000000000
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.9.0
-	google.golang.org/grpc v1.68.0
+	google.golang.org/grpc v1.68.1
 	k8s.io/apimachinery v0.29.2
 	k8s.io/client-go v0.29.2
 )

diff --git a/hodometer/go.sum b/hodometer/go.sum
@@ -239,8 +239,8 @@ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyac
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0=
-google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA=
+google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0=
+google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
 google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

diff --git a/operator/cmd/seldon/cli/pipeline_inspect.go b/operator/cmd/seldon/cli/pipeline_inspect.go
@@ -11,6 +11,7 @@ package cli
 
 import (
 	"fmt"
+	"time"
 
 	"github.com/spf13/cobra"
 	"k8s.io/utils/env"
@@ -24,7 +25,7 @@ const (
 	flagOutputFormat   = "format"
 	flagTruncate       = "truncate"
 	flagNamespace      = "namespace"
-	flagTimeoutDefault = int64(60)
+	flagTimeoutDefault = int64(5)
 )
 
 func createPipelineInspect() *cobra.Command {
@@ -74,12 +75,16 @@ func createPipelineInspect() *cobra.Command {
 			if err != nil {
 				return err
 			}
+			timeoutSecs, err := flags.GetInt64(flagTimeout)
+			if err != nil {
+				return err
+			}
 			kc, err := cli.NewKafkaClient(kafkaBroker, kafkaBrokerIsSet, schedulerHost, schedulerHostIsSet, kafkaConfigPath)
 			if err != nil {
 				return err
 			}
 			data := []byte(args[0])
-			err = kc.InspectStep(string(data), offset, requestId, format, verbose, truncateData, namespace)
+			err = kc.InspectStep(string(data), offset, requestId, format, verbose, truncateData, namespace, time.Duration(timeoutSecs)*time.Second)
 			return err
 		},
 	}
@@ -94,5 +99,6 @@ func createPipelineInspect() *cobra.Command {
 	flags.BoolP(flagVerbose, "v", false, "display more details, such as headers")
 	flags.BoolP(flagTruncate, "t", false, "truncate data")
 	flags.String(flagKafkaConfigPath, env.GetString(envKafkaConfigPath, ""), "path to kafka config file")
+	flags.Int64P(flagTimeout, "d", flagTimeoutDefault, "timeout seconds for kafka operations")
 	return cmd
 }
diff --git a/operator/controllers/mlops/experiment_controller.go b/operator/controllers/mlops/experiment_controller.go
@@ -44,7 +44,7 @@ func (r *ExperimentReconciler) handleFinalizer(ctx context.Context, logger logr.
 		// Add our finalizer
 		if !utils.ContainsStr(experiment.ObjectMeta.Finalizers, constants.ExperimentFinalizerName) {
 			experiment.ObjectMeta.Finalizers = append(experiment.ObjectMeta.Finalizers, constants.ExperimentFinalizerName)
-			if err := r.Update(context.Background(), experiment); err != nil {
+			if err := r.Update(ctx, experiment); err != nil {
 				return true, err
 			}
 		}
@@ -84,6 +84,8 @@ func (r *ExperimentReconciler) handleFinalizer(ctx context.Context, logger logr.
 // - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/reconcile
 func (r *ExperimentReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	logger := log.FromContext(ctx).WithName("Reconcile")
+	ctx, cancel := context.WithTimeout(ctx, constants.ReconcileTimeout)
+	defer cancel()
 
 	experiment := &mlopsv1alpha1.Experiment{}
 	if err := r.Get(ctx, req.NamespacedName, experiment); err != nil {

diff --git a/operator/controllers/mlops/model_controller.go b/operator/controllers/mlops/model_controller.go
@@ -46,7 +46,7 @@ func (r *ModelReconciler) handleFinalizer(ctx context.Context, logger logr.Logge
 		// Add our finalizer
 		if !utils.ContainsStr(model.ObjectMeta.Finalizers, constants.ModelFinalizerName) {
 			model.ObjectMeta.Finalizers = append(model.ObjectMeta.Finalizers, constants.ModelFinalizerName)
-			if err := r.Update(context.Background(), model); err != nil {
+			if err := r.Update(ctx, model); err != nil {
 				return true, err
 			}
 		}
@@ -78,6 +78,8 @@ func (r *ModelReconciler) handleFinalizer(ctx context.Context, logger logr.Logge
 
 func (r *ModelReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	logger := log.FromContext(ctx).WithName("Reconcile")
+	ctx, cancel := context.WithTimeout(ctx, constants.ReconcileTimeout)
+	defer cancel()
 
 	model := &mlopsv1alpha1.Model{}
 	if err := r.Get(ctx, req.NamespacedName, model); err != nil {

diff --git a/operator/controllers/mlops/pipeline_controller.go b/operator/controllers/mlops/pipeline_controller.go
@@ -49,7 +49,7 @@ func (r *PipelineReconciler) handleFinalizer(
 		// Add our finalizer
 		if !utils.ContainsStr(pipeline.ObjectMeta.Finalizers, constants.PipelineFinalizerName) {
 			pipeline.ObjectMeta.Finalizers = append(pipeline.ObjectMeta.Finalizers, constants.PipelineFinalizerName)
-			if err := r.Update(context.Background(), pipeline); err != nil {
+			if err := r.Update(ctx, pipeline); err != nil {
 				return true, err
 			}
 		}
@@ -94,6 +94,8 @@ func (r *PipelineReconciler) handleFinalizer(
 // - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/reconcile
 func (r *PipelineReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	logger := log.FromContext(ctx).WithName("Reconcile")
+	ctx, cancel := context.WithTimeout(ctx, constants.ReconcileTimeout)
+	defer cancel()
 
 	pipeline := &mlopsv1alpha1.Pipeline{}
 	if err := r.Get(ctx, req.NamespacedName, pipeline); err != nil {

diff --git a/operator/controllers/mlops/seldonruntime_controller.go b/operator/controllers/mlops/seldonruntime_controller.go
@@ -65,7 +65,7 @@ func (r *SeldonRuntimeReconciler) handleFinalizer(ctx context.Context, logger lo
 		// Add our finalizer
 		if !utils.ContainsStr(runtime.ObjectMeta.Finalizers, constants.RuntimeFinalizerName) {
 			runtime.ObjectMeta.Finalizers = append(runtime.ObjectMeta.Finalizers, constants.RuntimeFinalizerName)
-			if err := r.Update(context.Background(), runtime); err != nil {
+			if err := r.Update(ctx, runtime); err != nil {
 				return true, err
 			}
 		}
@@ -120,6 +120,8 @@ func (r *SeldonRuntimeReconciler) handleFinalizer(ctx context.Context, logger lo
 // - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/reconcile
 func (r *SeldonRuntimeReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	logger := log.FromContext(ctx).WithName("Reconcile")
+	ctx, cancel := context.WithTimeout(ctx, constants.ReconcileTimeout)
+	defer cancel()
 
 	seldonRuntime := &mlopsv1alpha1.SeldonRuntime{}
 	if err := r.Get(ctx, req.NamespacedName, seldonRuntime); err != nil {
@@ -214,9 +216,11 @@ func (r *SeldonRuntimeReconciler) updateStatus(seldonRuntime *mlopsv1alpha1.Seld
 // Find SeldonRuntimes that reference the changes SeldonConfig
 // TODO: pass an actual context from the caller to be used here
 func (r *SeldonRuntimeReconciler) mapSeldonRuntimesFromSeldonConfig(_ context.Context, obj client.Object) []reconcile.Request {
-	logger := log.FromContext(context.Background()).WithName("mapSeldonRuntimesFromSeldonConfig")
+	ctx, cancel := context.WithTimeout(context.Background(), constants.K8sAPICallsTxTimeout)
+	defer cancel()
+	logger := log.FromContext(ctx).WithName("mapSeldonRuntimesFromSeldonConfig")
 	var seldonRuntimes mlopsv1alpha1.SeldonRuntimeList
-	if err := r.Client.List(context.Background(), &seldonRuntimes); err != nil {
+	if err := r.Client.List(ctx, &seldonRuntimes); err != nil {
 		logger.Error(err, "error listing seldonRuntimes")
 		return nil
 	}