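Use Gateway with Inference Extension to implement AI content moderation

When you run generative AI services on ACK and need to review content for compliance, you can use the Gateway API Inference Extension to configure the ACKTrafficFilter plug-in to call the Alibaba Cloud content security moderation service. The gateway layer then automatically blocks inappropriate content, which helps you meet the relevant regulatory and legal requirements.

How it works

In an ACK cluster, the AI inference-enhanced gateway (Gateway with Inference Extension) integrates the ACKTrafficFilter content moderation plug-in, which calls the Alibaba Cloud content security moderation service. This lets the gateway review both the request content and the AI-generated result, and replace non-compliant content with a safety notice.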


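Procedure

Step 1: Install the Gateway with Inference Extension component

  1. Log on to the Container Service management console, and select Cluster List in the left-side navigation pane.

  2. On the Cluster List page, click the name of the target cluster, and then click Component Management in the left-side navigation pane.

  3. On the Component Management page, search for Gateway with Inference Extension, click Install on the component card, select Enable Gateway API Inference Extension in the dialog box that appears, and follow the prompts to complete the installation.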

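Step 2: Install the ACKTrafficFilter plug-in service

  1. Activate the Alibaba Cloud content security moderation service.

  2. Replace <ALIYUN_ACCESS_KEY_ID> and <ALIYUN_ACCESS_KEY_SECRET> with the AccessKey ID and AccessKey Secret of the target account, and replace <ENDPOINT> with the internal endpoint for the region where the cluster resides, taken from the table below (if the target region does not match any region in the table, you can switch to the public endpoint of a nearby region). Then save the content as the acktrafficfilter.yaml file.

    If you use the AccessKey of a RAM user, make sure that the user has been granted AliyunYundunGreenWebFullAccess. The manifest holds the AccessKey Secret in plain text, so keep acktrafficfilter.yaml out of version control and limit who can read ACKTrafficFilter objects in the cluster.
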
    apiVersion: inferenceextension.alibabacloud.com/v1alpha1
    kind: ACKTrafficFilter
    metadata:
      name: content-security-filter
    spec:
      aiContentSecurity:
        accessKey: <ALIYUN_ACCESS_KEY_ID>   
        secretKey: <ALIYUN_ACCESS_KEY_SECRET>
        aliyunEndpoint: <ENDPOINT>

    Region                        Public endpoint                       Internal endpoint
    China North 2 (Beijing)       green-cip.cn-beijing.aliyuncs.com     green-cip-vpc.cn-beijing.aliyuncs.com
    China East 2 (Shanghai)       green-cip.cn-shanghai.aliyuncs.com    green-cip-vpc.cn-shanghai.aliyuncs.com
    China East 1 (Hangzhou)       green-cip.cn-hangzhou.aliyuncs.com    green-cip-vpc.cn-hangzhou.aliyuncs.com
    China South 1 (Shenzhen)      green-cip.cn-shenzhen.aliyuncs.com    green-cip-vpc.cn-shenzhen.aliyuncs.com
    China Southwest 1 (Chengdu)   green-cip.cn-chengdu.aliyuncs.com     Not available

  3. Create the ACKTrafficFilter plug-in.

    kubectl apply -f acktrafficfilter.yaml

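Step 3: Verify the content moderation result

The following steps create a gateway named mock-gateway, deploy a sample application that simulates a large language model, configure a forwarding route for the sample application, and finally send a test request.

  1. Create the backend AI service. Save the following YAML content as the mock-vllm.yaml file, and then run the kubectl apply -f mock-vllm.yaml command.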

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: mock-vllm
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: mock-vllm
      template:
        metadata:
          labels:
            app: mock-vllm
        spec:
          containers:
          - args:
            - --model
            - mock
            - --port
            - "8000"
            image: registry-cn-hangzhou.ack.aliyuncs.com/dev/mock-vllm:v0.2.3-g053679d-aliyun
            imagePullPolicy: IfNotPresent
            name: vllm-sim
            ports:
            - containerPort: 8000
              name: http
              protocol: TCP
    ---
    apiVersion: inference.networking.x-k8s.io/v1alpha2
    kind: InferencePool
    metadata:
      name: mock-pool
    spec:
      extensionRef:
        group: ""
        kind: Service
        name: mock-ext-proc
      selector:
        app: mock-vllm
      targetPortNumber: 8000
    ---
    apiVersion: inference.networking.x-k8s.io/v1alpha2
    kind: InferenceModel
    metadata:
      name: mock-model
    spec:
      criticality: Critical
      modelName: mock
      poolRef:
        group: inference.networking.x-k8s.io
        kind: InferencePool
        name: mock-pool
      targetModels:
      - name: mock
        weight: 100

  2. Create the gateway and configure route forwarding. Save the following YAML content as the mock-gateway.yaml file, and then run the kubectl apply -f mock-gateway.yaml command.

    apiVersion: gateway.networking.k8s.io/v1
    kind: Gateway
    metadata:
      name: mock-gateway
    spec:
      gatewayClassName: ack-gateway
      listeners:
      - name: llm-gw
        protocol: HTTP
        port: 8080
    ---
    apiVersion: gateway.networking.k8s.io/v1
    kind: HTTPRoute
    metadata:
      name: mock-route
    spec:
      parentRefs:
      - group: gateway.networking.k8s.io
        kind: Gateway
        name: mock-gateway
        sectionName: llm-gw
      rules:
      - backendRefs:
        - group: inference.networking.x-k8s.io
          kind: InferencePool
          name: mock-pool
        filters:
        - type: ExtensionRef
          extensionRef:
            group: inferenceextension.alibabacloud.com
            kind: ACKTrafficFilter
            name: content-security-filter  # References the ACKTrafficFilter instance
        matches:
        - path:
            type: PathPrefix
            value: /
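
  3. Replace the <请求内容> placeholder (the request content) with your test text, and send the request to verify the ACKTrafficFilter content moderation result.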

    export GATEWAY_ADDRESS=$(kubectl get gateway/mock-gateway -o jsonpath='{.status.addresses[0].value}')
    curl -X POST ${GATEWAY_ADDRESS}:8080/v1/chat/completions \
      -H 'Content-Type: application/json' -H "host: example.com" -v -d '{
        "model": "mock",
        "max_completion_tokens": 100,
        "temperature": 0,
        "messages": [
          {
            "role": "user",
            "content": "<请求内容>"
          }
        ]
    }'

    Output when the content passes moderation

    {
        "id": "chatcmpl-9bffeb49-057e-4c42-97e5-6fd62e3e996e",
        "created": 1759057516,
        "model": "mock",
        "usage": {
            "prompt_tokens": 1,
            "completion_tokens": 7,
            "total_tokens": 8
        },
        "object": "chat.completion",
        "choices": [
            {
                "index": 0,
                "finish_reason": "stop",
                "message": {
                    "role": "assistant",
                    "content": "Today is a nice sunny day."
                }
            }
        ]
    }

    Output when the content fails moderation

    The HTTP response is 403 Forbidden, and the content field of the response is replaced with a safety notice.

    {
        "id": "chatcmpl-uuFxPpxMo63DFt4lxiUjFY70kwgVs",
        "object": "chat.completion",
        "model": "from-security-guard",
        "choices": [
            {
                "index": 0,
                "message": {
                    "role": "assistant",
                    "content": "很抱歉,我是一个人工智能语言模型,我不会参与或促进任何色情内容的讨论。我只能提供有关教育、文化、历史等合法和道德的问题解答。如果您有其他问题需要帮助,请随时告诉我。"
                },
                "logprobs": null,
                "finish_reason": "stop"
            }
        ],
        "usage": {
            "prompt_tokens": 0,
            "completion_tokens": 0,
            "total_tokens": 0
        }
    }
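
A smoke test for this verification step, as an added example (not part of the original page or of the ACK product): it classifies a gateway reply using only the two signals visible in the outputs above, the HTTP status and the `model` value `from-security-guard`. Treating that model value as a stable marker, and the names `classify` and `probe`, are assumptions of this example.

```python
import json
import urllib.error
import urllib.request

GUARD_MODEL = "from-security-guard"  # marker seen in the blocked output on this page


def classify(status, body):
    """Return 'blocked', 'passed' or 'unexpected' for one gateway response."""
    try:
        doc = json.loads(body)
        choices = doc.get("choices") if isinstance(doc, dict) else None
        content = choices[0]["message"]["content"]
    except (ValueError, TypeError, KeyError, IndexError):
        return "unexpected"  # e.g. a 403/5xx from another hop, not the filter
    if not isinstance(content, str) or not content:
        return "unexpected"
    from_guard = doc.get("model") == GUARD_MODEL
    if status == 403 and from_guard:
        return "blocked"
    if status == 200 and not from_guard:
        return "passed"
    return "unexpected"  # status and marker disagree


def probe(gateway, prompt, timeout=10):
    """Send the page's test request to the gateway and classify the reply."""
    payload = json.dumps({
        "model": "mock", "max_completion_tokens": 100, "temperature": 0,
        "messages": [{"role": "user", "content": prompt}],
    }).encode()
    req = urllib.request.Request(
        f"http://{gateway}:8080/v1/chat/completions", data=payload,
        headers={"Content-Type": "application/json", "Host": "example.com"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx replies
        return classify(err.code, err.read().decode("utf-8", "replace"))


# Constructed samples, trimmed from the two outputs shown above.
PASS_BODY = '{"model": "mock", "choices": [{"message": {"role": "assistant", "content": "Today is a nice sunny day."}}]}'
BLOCK_BODY = '{"model": "from-security-guard", "choices": [{"message": {"role": "assistant", "content": "(safety notice)"}}]}'

if __name__ == "__main__":
    print(classify(200, PASS_BODY), classify(403, BLOCK_BODY))
```

A test input that should fail moderation but comes back as `passed`, or a 403 that classifies as `unexpected`, means the reply did not come from the filter, for example because the ExtensionRef filter is missing from the HTTPRoute.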

Step 4: Clean up the environment

  • Clean up the cluster resources:

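    # Delete the gateway and route
    kubectl delete -f mock-gateway.yaml
    # Delete the content security plug-in
    kubectl delete -f acktrafficfilter.yaml
    # Delete the backend application
    kubectl delete -f mock-vllm.yaml

  • On the Component Management page, search for Gateway with Inference Extension, and click Uninstall on the component card.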

Related documents

Get started with Gateway with Inference Extension