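When you run generative AI services on ACK and need content compliance review, you can use the Gateway API Inference Extension to configure the ACKTrafficFilter plugin so that it calls the Alibaba Cloud Content Moderation service. Inappropriate content is then intercepted automatically at the gateway layer, which helps meet the relevant regulatory and legal requirements.
How it works
In an ACK cluster, the AI inference-enhanced gateway (Gateway with Inference Extension) integrates the ACKTrafficFilter content moderation plugin, which calls the Alibaba Cloud Content Moderation service. This reviews both the request content and the AI-generated result, and replaces non-compliant content with a safety notice.
Procedure
Step 1: Install the gateway inference extension component
Log on to the Container Service management console and select Clusters in the left-side navigation pane.
On the Clusters page, click the name of the target cluster, and then click Add-ons in the left-side navigation pane.
On the Add-ons page, search for Gateway with Inference Extension, click Install on the component card, select Enable Gateway API Inference Extension in the dialog box that appears, and follow the prompts to complete the installation.
Step 2: Install the ACKTrafficFilter plugin service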
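In the following YAML, replace <ALIYUN_ACCESS_KEY_ID> and <ALIYUN_ACCESS_KEY_SECRET> with the AccessKey ID and AccessKey Secret of the target account, and replace <ENDPOINT> with the internal endpoint for the cluster's region from the table below (if the target region is not in the table, you can switch to the public endpoint of a nearby region). Then save the content as the file acktrafficfilter.yaml. If you use the AccessKey of a RAM user, make sure the user has been granted the AliyunYundunGreenWebFullAccess permission.

```yaml
apiVersion: inferenceextension.alibabacloud.com/v1alpha1
kind: ACKTrafficFilter
metadata:
  name: content-security-filter
spec:
  aiContentSecurity:
    accessKey: <ALIYUN_ACCESS_KEY_ID>
    secretKey: <ALIYUN_ACCESS_KEY_SECRET>
    aliyunEndpoint: <ENDPOINT>
```
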
| Region | Public endpoint | Internal endpoint |
| --- | --- | --- |
| China North 2 (Beijing) | green-cip.cn-beijing.aliyuncs.com | green-cip-vpc.cn-beijing.aliyuncs.com |
| China East 2 (Shanghai) | green-cip.cn-shanghai.aliyuncs.com | green-cip-vpc.cn-shanghai.aliyuncs.com |
| China East 1 (Hangzhou) | green-cip.cn-hangzhou.aliyuncs.com | green-cip-vpc.cn-hangzhou.aliyuncs.com |
| China South 1 (Shenzhen) | green-cip.cn-shenzhen.aliyuncs.com | green-cip-vpc.cn-shenzhen.aliyuncs.com |
| China Southwest 1 (Chengdu) | green-cip.cn-chengdu.aliyuncs.com | Not available |

Create the ACKTrafficFilter plugin.

```bash
kubectl apply -f acktrafficfilter.yaml
```

Step 3: Verify the content review
The following steps create a gateway named mock-gateway, deploy a sample application that simulates a large language model, configure a forwarding route for that application, and finally send test requests.
Create the backend AI service. Save the following YAML as the file mock-vllm.yaml, and then run the command kubectl apply -f mock-vllm.yaml.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mock-vllm
spec:
  replicas: 2
  selector:
    matchLabels:
      app: mock-vllm
  template:
    metadata:
      labels:
        app: mock-vllm
    spec:
      containers:
      - args:
        - --model
        - mock
        - --port
        - "8000"
        image: registry-cn-hangzhou.ack.aliyuncs.com/dev/mock-vllm:v0.2.3-g053679d-aliyun
        imagePullPolicy: IfNotPresent
        name: vllm-sim
        ports:
        - containerPort: 8000
          name: http
          protocol: TCP
---
apiVersion: inference.networking.x-k8s.io/v1alpha2
kind: InferencePool
metadata:
  name: mock-pool
spec:
  extensionRef:
    group: ""
    kind: Service
    name: mock-ext-proc
  selector:
    app: mock-vllm
  targetPortNumber: 8000
---
apiVersion: inference.networking.x-k8s.io/v1alpha2
kind: InferenceModel
metadata:
  name: mock-model
spec:
  criticality: Critical
  modelName: mock
  poolRef:
    group: inference.networking.x-k8s.io
    kind: InferencePool
    name: mock-pool
  targetModels:
  - name: mock
    weight: 100
```

Create the gateway and configure route forwarding. Save the following YAML as the file mock-gateway.yaml, and then run the command kubectl apply -f mock-gateway.yaml.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: mock-gateway
spec:
  gatewayClassName: ack-gateway
  listeners:
  - name: llm-gw
    protocol: HTTP
    port: 8080
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: mock-route
spec:
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: mock-gateway
    sectionName: llm-gw
  rules:
  - backendRefs:
    - group: inference.networking.x-k8s.io
      kind: InferencePool
      name: mock-pool
    filters:
    - type: ExtensionRef
      extensionRef:
        group: inferenceextension.alibabacloud.com
        kind: ACKTrafficFilter
        name: content-security-filter # References the ACKTrafficFilter instance
    matches:
    - path:
        type: PathPrefix
        value: /
```

Replace <request content> with the text you want to test, and send the request to verify the ACKTrafficFilter content review.

```bash
export GATEWAY_ADDRESS=$(kubectl get gateway/mock-gateway -o jsonpath='{.status.addresses[0].value}')
curl -X POST ${GATEWAY_ADDRESS}:8080/v1/chat/completions \
  -H 'Content-Type: application/json' -H "host: example.com" -v -d '{
    "model": "mock",
    "max_completion_tokens": 100,
    "temperature": 0,
    "messages": [
      {
        "role": "user",
        "content": "<request content>"
      }
    ]
  }'
```

Output when the content passes review

```json
{
  "id": "chatcmpl-9bffeb49-057e-4c42-97e5-6fd62e3e996e",
  "created": 1759057516,
  "model": "mock",
  "usage": {
    "prompt_tokens": 1,
    "completion_tokens": 7,
    "total_tokens": 8
  },
  "object": "chat.completion",
  "choices": [
    {
      "index": 0,
      "finish_reason": "stop",
      "message": {
        "role": "assistant",
        "content": "Today is a nice sunny day."
      }
    }
  ]
}
```

Output when the content fails review
The HTTP response is 403 Forbidden, and the content field of the response is replaced with a safety notice.

```json
{
  "id": "chatcmpl-uuFxPpxMo63DFt4lxiUjFY70kwgVs",
  "object": "chat.completion",
  "model": "from-security-guard",
  "choices": [
    {
      "index": 0,
      "message": {
        "role": "assistant",
        "content": "很抱歉,我是一个人工智能语言模型,我不会参与或促进任何色情内容的讨论。我只能提供有关教育、文化、历史等合法和道德的问题解答。如果您有其他问题需要帮助,请随时告诉我。"
      },
      "logprobs": null,
      "finish_reason": "stop"
    }
  ],
  "usage": {
    "prompt_tokens": 0,
    "completion_tokens": 0,
    "total_tokens": 0
  }
}
```

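The two outcomes above can be told apart mechanically, which makes it possible to catch a route that answers without the filter attached. The following is an added example, not part of the original documentation: the names classify, check_filter and CASES and the sample bodies are constructed here, and it assumes a passed request returns HTTP 200.

```python
import json

GUARD_MODEL = "from-security-guard"  # "model" value in the page's blocked response

# Constructed sample bodies, abridged from the two outputs shown on the page.
PASSED_BODY = json.dumps({"model": "mock", "object": "chat.completion", "choices": [
    {"index": 0, "finish_reason": "stop",
     "message": {"role": "assistant", "content": "Today is a nice sunny day."}}]})
BLOCKED_BODY = json.dumps({"model": GUARD_MODEL, "object": "chat.completion", "choices": [
    {"index": 0, "finish_reason": "stop",
     "message": {"role": "assistant", "content": "<safety notice>"}}]})


def classify(status, body):
    """Return 'passed', 'blocked' or 'unexpected' for one gateway response."""
    try:
        doc = json.loads(body)
        content = doc["choices"][0]["message"]["content"]
    except (ValueError, KeyError, IndexError, TypeError):
        return "unexpected"  # not a chat completion, e.g. a gateway error page
    if not isinstance(content, str):
        return "unexpected"
    from_guard = doc.get("model") == GUARD_MODEL
    if status == 403 and from_guard:
        return "blocked"
    if status == 200 and not from_guard:  # assumption: a passed request returns 200
        return "passed"
    return "unexpected"  # mixed signals: 403 from the backend, or 200 from the guard


def check_filter(cases):
    """cases: (label, expected, status, body) tuples; return the mismatches."""
    return [(label, expected, classify(status, body))
            for label, expected, status, body in cases
            if classify(status, body) != expected]


# Constructed results; the last one models a route that lost its ExtensionRef
# filter, so a prompt that should be blocked is answered by the backend.
CASES = [
    ("benign prompt", "passed", 200, PASSED_BODY),
    ("disallowed prompt", "blocked", 403, BLOCKED_BODY),
    ("disallowed prompt, filter not attached", "blocked", 200, PASSED_BODY),
]

if __name__ == "__main__":
    for label, expected, got in check_filter(CASES):
        print(f"FAIL {label}: expected {expected}, got {got}")
```

Feeding it the status code and body captured from the curl command above, once for a benign prompt and once for one that must be rejected, gives a repeatable check that the HTTPRoute still references the ACKTrafficFilter instance.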
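Step 4: Clean up the environment
Clean up the cluster resources:

```bash
# Delete the gateway and route
kubectl delete -f mock-gateway.yaml
# Delete the content moderation plugin
kubectl delete -f acktrafficfilter.yaml
# Delete the backend application
kubectl delete -f mock-vllm.yaml
```

On the Add-ons page, search for Gateway with Inference Extension and click Uninstall on the component card.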