access-management

command module

v0.0.0-...-bd7f250 Latest Latest Go to latest Published: Mar 14, 2024 License: Apache-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kubeflow/kubeflow

Links

Open Source Insights

README ¶

Kubeflow Access Management API

Kubeflow Access Management API provides fine-grain user-namespace level access control. The goal is to support multi-tenancy kubeflow cluster / services.

Resources under management

Profile

Profile contains owner which refers to a k8s user.
Profile will create a namespace with same name and make profile owner the namespace owner.
Profile will create necessary k8s resources to enable owner access to kubeflow services under multi-tenancy mode.
After the namespace is created, the owner can grant access to additional users or groups using the API or by creating RBAC roles & bindings directly.
Delete profile will delete namespace and other k8s resources owned by this profile.

Binding

Binding contains a user-namespace pair.
Binding will give user edit access to referred namespace.
Delete binding will revoke user's access in binding.

Use Cases

Case 1: Self serve Kubeflow

A Kubeflow admin would like to grant a set of users the ability to create/delete a namespace in which they can consume Kubeflow. The resulting namespace should only be accessible to the user who created it; or people they grant access to. RBAC doesn't directly support this. So we provide a service on top of RBAC which will enforce this based on the user's identity

We will not grant user permission to edit cluster-scoped CRD resources. Then to enable user editting their own resources, we provide update / share / delete APIs and perform permission check on every coming request.

APIs

#####/v1/profiles

create: create new profile;
- called when new user self-register.

#####/v1/profiles/{profile}

delete: delete profile;
- called when admin or owner delete profile / namespace.

#####/v1/bindings

create: create new binding;
- called when admin or owner share namespace access with other users.
get: get bindings;
- called when query for binding status.
- filter by user=... | namespace=... | role=owner/editor to query permissions related to a user / namespace.
- For example filter by "user=abc@def.com" when need to list namespaces for user "abc@def.com"; called when need to list namespaces for an user (list namespaces on notebook spawner for current user)
- For example filter by "namespace=abc" when need to list users of a namespace "abc"; called when need to list users of namespace "abc".
delete: delete binding;
- called when admin or owner revoke namespace access.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
kfam
pkg
apis/kubeflow/v1beta1 Package v1alpha1 contains API Schema definitions for the kubeflow v1alpha1 API group +k8s:openapi-gen=true +k8s:deepcopy-gen=package,register +k8s:conversion-gen=github.com/kubeflow/kubeflow/components/profile-controller/pkg/apis/kubeflow +k8s:defaulter-gen=TypeMeta +groupName=kubeflow.org	Package v1alpha1 contains API Schema definitions for the kubeflow v1alpha1 API group +k8s:openapi-gen=true +k8s:deepcopy-gen=package,register +k8s:conversion-gen=github.com/kubeflow/kubeflow/components/profile-controller/pkg/apis/kubeflow +k8s:defaulter-gen=TypeMeta +groupName=kubeflow.org

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL