Red Hat SummitManaging model registries
Managing model registries in Red Hat OpenShift AI Self-Managed
Abstract
Preface
As an OpenShift AI administrator, you can create, delete, and manage permissions for model registries in OpenShift AI.
Chapter 1. Overview of the model catalog and model registries
The model catalog provides a curated library where data scientists and AI engineers can discover and evaluate the available generative AI (gen AI) models to find the best fit for their use cases.
A model registry acts as a central repository for administrators, data scientists, and AI engineers to register, version, and manage the lifecycle of AI models before configuring them for deployment. A model registry is a key component for AI model governance.
1.1. Model catalog
Data scientists and AI engineers can use the model catalog to discover and evaluate the gen AI models that are available and ready for their organization to register, deploy, and customize.
The model catalog provides models from different providers that you can search, discover, and evaluate before you register models in a model registry and deploy them to a model serving runtime. Third-party gen AI models are benchmarked by Red Hat for performance and quality by using open-source evaluation datasets. You can compare performance metrics for specific hardware configurations and determine the most suitable option for deployment.
OpenShift AI provides a default model catalog, which includes models from providers such as Red Hat, IBM, Meta, Nvidia, Mistral AI, and Google. OpenShift AI administrators can configure the available repository sources for models displayed in the model catalog.
For more information about how data scientists and AI engineers can use the model catalog, see Working with the model catalog.
1.2. Model registry
A model registry is an important component in the lifecycle of an artificial intelligence/machine learning (AI/ML) model, and is a vital part of any machine learning operations (MLOps) platform or workflow. A model registry acts as a central repository, storing metadata related to machine learning models from development to deployment. This metadata ranges from high-level information like the deployment environment and project, to specific details like training hyperparameters, performance metrics, and deployment events.
A model registry acts as a bridge between model experimentation and serving, offering a secure, collaborative metadata store interface for stakeholders in the ML lifecycle. Model registries provide a structured and organized way to store, share, version, deploy, and track models.
OpenShift AI administrators can create model registries in OpenShift AI and grant model registry access to data scientists and AI engineers. For more information, see Managing model registries.
Data scientists and AI engineers with access to a model registry can use it to store, share, version, deploy, and track models. For more information, see Working with model registries.
Chapter 2. Creating a model registry
You can create a model registry to store, share, version, deploy, and track your models.
Prerequisites
- You have logged in to OpenShift AI as a user with OpenShift AI administrator privileges.
- The model registry component is enabled in your OpenShift AI deployment. For more information, see Enabling the model registry component.
- You have access to an external MySQL database which uses at least MySQL version 5.x. However, Red Hat recommends that you use MySQL version 8.x.
Procedure
- From the OpenShift AI dashboard, click Settings → Model resources and operations → Model registry settings.
Click Create model registry.
The Create model registry dialog opens.
- In the Name field, enter a name for the model registry.
Optional: Click Edit resource name, and then enter a specific resource name for the model registry in the Resource name field. By default, the resource name will match the name of the model registry.
ImportantResource names are what your resources are labeled as in OpenShift. Your resource name cannot exceed 253 characters, must consist of lowercase alphanumeric characters or -, and must start and end with an alphanumeric character. Resource names are not editable after creation.
The resource name must not match the name of any other model registry resource in your OpenShift cluster.
- Optional: In the Description field, enter a description for the model registry.
In the Connect to external MySQL database section, enter the information for the external database where your model data is stored.
In the Host field, enter the database hostname.
-
If the database is running in the
rhoai-model-registriesnamespace, enter only the hostname for the database. -
If the database is running in a different namespace from
rhoai-model-registries, enter the database hostname details in<hostname>.<namespace>.svc.cluster.localformat.
-
If the database is running in the
- In the Port field, enter the port number for the database.
- In the Username field, enter the default user name that is connected to the database.
- In the Password field, enter the password for the default user account.
- In the Database field, enter the database name.
Optional: Select the Add CA certificate to secure database connection to use a certificate with your database connection.
ImportantIf your external database is configured to enforce Transport Layer Security (TLS), then you must add a Certificate Authority (CA) certificate.
-
Click Use cluster-wide CA bundle to use the
ca-bundle.crtbundle in theodh-trusted-ca-bundleConfigMap. -
Click Use Red Hat OpenShift AI CA bundle to use the
odh-ca-bundle.crtbundle in theodh-trusted-ca-bundleConfigMap. Click Choose from existing certificates to select an existing certificate. You can select the key of any ConfigMap or secret in the
rhoai-model-registriesnamespace.- From the Resource list, select a ConfigMap or secret.
- From the Key list, select a key.
Click Upload new certificate to upload a new certificate as a ConfigMap.
Drag and drop the PEM file for your certificate into the Certificate field, or click Upload to select a file from your local machine’s file system.
NoteUploading a certificate creates the
db-credentialConfigMap with theca.crtkey.To upload a certificate as a secret, you must create a secret in the OpenShift
rhoai-model-registriesnamespace, and then select it as an existing certificate when you create your model registry.For more information about creating secrets, see Providing sensitive data to pods by using secrets in the OpenShift Container Platform documentation.
-
Click Use cluster-wide CA bundle to use the
- Click Create.
To find the resource name or type of a model registry, click the help icon
beside the registry name. Resource names and types are used to find your resources in OpenShift.
Verification
- The new model registry is displayed on the Model registry settings page.
- You can edit the model registry by clicking the action menu (⋮) beside it, and then clicking Edit model registry.
- You can register a model with the model registry from the Model registry tab. For more information about working with model registries, see Working with model registries.
Chapter 3. Editing a model registry
You can edit the details of existing model registries, such as the model registry name, description, and database connection details.
Prerequisites
- You have logged in to OpenShift AI as a user with OpenShift AI administrator privileges.
- The model registry component is enabled in your OpenShift AI deployment. For more information, see Enabling the model registry component.
- Your OpenShift AI deployment contains at least 1 model registry.
Procedure
- From the OpenShift AI dashboard, click Settings → Model resources and operations → Model registry settings.
Click the action menu (⋮) beside the model registry that you want to edit, and then click Edit model registry.
The Edit model registry dialog opens.
- Optional: In the Name field, edit the name of the model registry.
- Optional: In the Description field, edit the description of the model registry.
Optional: In the Connect to external MySQL database section, edit the information for the external database where model data for the registry is stored.
In the Host field, enter the database hostname.
-
If the database is running in the
rhoai-model-registriesnamespace, enter only the hostname for the database. -
If the database is running in a different namespace from
rhoai-model-registries, enter the database hostname details in<hostname>.<namespace>.svc.cluster.localformat.
-
If the database is running in the
- In the Port field, enter the port number for the database.
- In the Username field, enter the default user name that is connected to the database.
- In the Password field, enter the password for the default user account.
- In the Database field, enter the database name.
Optional: Select the Add CA certificate to secure database connection to use a certificate with your database connection.
ImportantIf your external database is configured to enforce Transport Layer Security (TLS), then you must add a Certificate Authority (CA) certificate.
-
Click Use cluster-wide CA bundle to use the
ca-bundle.crtbundle in theodh-trusted-ca-bundleConfigMap. -
Click Use Red Hat OpenShift AI CA bundle to use the
odh-ca-bundle.crtbundle in theodh-trusted-ca-bundleConfigMap. Click Choose from existing certificates to select an existing certificate. You can select the key of any ConfigMap or secret in the
rhoai-model-registriesnamespace.- From the Resource list, select a ConfigMap or secret.
- From the Key list, select a key.
Click Upload new certificate to upload a new certificate as a ConfigMap.
Drag and drop the PEM file for your certificate into the Certificate field, or click Upload to select a file from your local machine’s file system.
NoteUploading a certificate creates the
db-credentialConfigMap with theca.crtkey.To upload a certificate as a secret, you must create a secret in the OpenShift
rhoai-model-registriesnamespace, and then select it as an existing certificate when you create your model registry.For more information about creating secrets, see Providing sensitive data to pods by using secrets in the OpenShift Container Platform documentation.
-
Click Use cluster-wide CA bundle to use the
- Click Update.
Verification
- The model registry is displayed with updated details on the Model registry settings page.
Chapter 4. Managing model registry permissions
You can manage access to a model registry for individual users and user groups in your organization, and for service accounts in a project.
OpenShift AI creates the <model-registry-name>-users group automatically for use with model registries. You can add users to this group in OpenShift, or ask the cluster administrator to do so.
The model registry operator uses OpenShift Role-Based Access Control (RBAC), and creates various RBAC resources in the rhoai-model-registries namespace.
For each model registry instance, the operator creates a registry-users-<model registry instance name> role and an OpenShift group called <model registry instance name>-users. To grant an individual user, service account, or group access to a model registry instance, your cluster administrator must create a role binding to the registry-users-<model registry instance name> role for the instance.
The <model registry instance name>-users group has a role binding to the registry-users-<model registry instance name> role. Your cluster administrator can add users to this group to grant them access to the model registry instance without needing to create a role binding for each user.
For more information about managing RBAC in OpenShift, see Using RBAC to define and apply permissions.
Prerequisites
- You have logged in to OpenShift AI as a user with OpenShift AI administrator privileges.
- An available model registry exists in your deployment.
- The users and groups that you want to provide access to already exist in OpenShift. For more information, see Managing users and groups.
Procedure
- From the OpenShift AI dashboard, click Settings → Model resources and operations → Model registry settings.
Click Manage permissions beside the model registry that you want to manage access for.
The permissions page for the model registry opens.
Provide one or more OpenShift groups with access to the project.
- On the Users tab, in the Groups section, click Add group.
From the Select a group drop-down list, select a group.
NoteTo enable access for all cluster users, add
system:authenticatedto the group list.-
To confirm your entry, click Confirm (
).
- Optional: To add an additional group, click Add group and repeat the process.
Provide one or more users with access to the model registry.
- On the Users tab, in the Users section, click Add user.
- In the Type username field, enter the username of the user to whom you want to provide access.
-
To confirm your entry, click Confirm (
).
- Optional: To add an additional user, click Add user and repeat the process.
Provide all service accounts in a project with access to the model registry.
- On the Projects tab, in the Projects section, click Add project.
- In the Select or enter a project field, select or enter the name of the project to which you want to provide access.
-
To confirm your entry, click Confirm (
).
- Optional: To add an additional project, click Add project and repeat the process.
Verification
- Users, groups, and accounts that were granted access to a model registry can register, view, edit, version, deploy, delete, archive, and restore models in that registry.
- The Users and Groups sections on the Permissions tab show the respective users and groups that you granted access to the model registry.
- The Projects sections on the Projects tab show the projects that you granted access to the model registry.
After you provide access to a model registry, users with access can store, share, version, deploy, and track models using the model registry feature. For more information, see Working with model registries.
Chapter 5. Deleting a model registry
You can delete model registries that you no longer require.
When you delete a model registry, databases connected to the model registry will not be removed. To remove any remaining databases, contact your cluster administrator.
Prerequisites
- You have logged in to OpenShift AI as a user with OpenShift AI administrator privileges.
- An available model registry exists in your deployment.
Procedure
- From the OpenShift AI dashboard, click Settings → Model resources and operations → Model registry settings.
- Click the action menu (⋮) beside the model registry that you want to delete.
- Click Delete model registry.
- In the Delete model registry? dialog that opens, enter the name of the model registry in the text field to confirm that you intend to delete it.
- Click Delete model registry.
Verification
- The model registry is no longer displayed on the Model registry settings page.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}