# Kubeflow Profile

The Kubeflow Profile CRD is designed to solve access management within a multi-user Kubernetes cluster.

Profile access management provides namespace-level isolation based on:

- Kubernetes RBAC
- Istio AuthorizationPolicy
## Resources managed by the Profile CRD

Each Profile CR manages one namespace (with the same name as the Profile CR) and has one owner.

Specifically, each Profile CR manages the following resources:

- A namespace reserved for the profile owner.
- A K8s RBAC RoleBinding `namespaceAdmin`: makes the profile owner the namespace admin, allowing access to the above namespace via the k8s API (kubectl).
- An Istio namespace-scoped ServiceRole `ns-access-istio`: allows access to all services in the target namespace via Istio routing.
- An Istio namespace-scoped ServiceRoleBinding `owner-binding-istio`: binds ServiceRole `ns-access-istio` to the profile owner, so the profile owner can access services in the above namespace via Istio (browser).
- Namespace-scoped service accounts `editor` and `viewer`, to be used by user-created pods in the above namespace.
- Resource Quota (since v1beta1)
- Custom Plugins (since v1beta1)
## GCP

- All users should have the IAM permission `Kubernetes Engine Cluster Viewer`. This is needed in order to get cluster access via `gcloud container clusters get-credentials`.
- Kubeflow cluster with version v0.6.2+
- Kubeflow cluster ingress is set up with GCP IAP
## Manage access control and resources

Detailed document for Kubeflow Multi-Tenancy

### Manual access management by admin

A cluster admin can manage access for cluster users.

To create an isolated namespace `test-user-profile` for user `test-user@kubeflow.org`:

- The admin can create a profile via kubectl:

  ```sh
  kubectl create -f /path/to/profile/config
  ```

To revoke access to namespace `test-user-profile` from user `test-user@kubeflow.org` and delete namespace `test-user-profile`:

- The admin can delete profile `test-user-profile`:

  ```sh
  kubectl delete profile test-user-profile
  ```

### Self-serve kfam UI

Users with access to the cluster API server should be able to register and use the Kubeflow cluster without manual admin approval.
## Profile v1beta1

Profile v1beta1 introduced 2 new customizable fields:

### ResourceQuotaSpec

Profile now supports configuring a `ResourceQuotaSpec` as part of the Profile CR.
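As an added example (not a manifest from the original page or the Kubeflow project), a Profile CR that creates the `test-user-profile` namespace for `test-user@kubeflow.org` and caps what workloads in that namespace may consume; the field layout is assumed from the v1beta1 schema, `resourceQuotaSpec` is the standard Kubernetes `ResourceQuotaSpec`, and the quota values are constructed for illustration.

```yaml
apiVersion: kubeflow.org/v1beta1
kind: Profile
metadata:
  # The controller creates a namespace with this same name.
  name: test-user-profile
spec:
  # The owner receives the namespaceAdmin RoleBinding and the
  # owner-binding-istio ServiceRoleBinding in that namespace.
  owner:
    kind: User
    name: test-user@kubeflow.org
  # Standard Kubernetes ResourceQuotaSpec applied to the namespace.
  # Values below are constructed for this example; size them per tenant.
  resourceQuotaSpec:
    hard:
      requests.cpu: "4"
      requests.memory: 8Gi
      limits.cpu: "8"
      limits.memory: 16Gi
      pods: "20"
      persistentvolumeclaims: "5"
      requests.storage: 50Gi
```

After `kubectl create -f` on this file, `kubectl get resourcequota -n test-user-profile` shows the quota the controller created, and pods in that namespace without resource requests are rejected by the quota admission check.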
### Plugins

The Plugins field is introduced to support customized actions based on the k8s cluster's surrounding platform. Consider adding a plugin when you want platform-specific logic such as managing resources outside the k8s cluster.

The Plugin interface is defined as:

```go
type Plugin interface {
	// Called when profile CR is created / updated
	ApplyPlugin(*ProfileReconciler, *profilev1beta1.Profile) error
	// Called when profile CR is deleted, to cleanup any non-k8s resources created via ApplyPlugin
	RevokePlugin(*ProfileReconciler, *profilev1beta1.Profile) error
}
```

Plugin owners have full control over the plugin spec struct and implementation.

Available plugins:
## Deployment

Install the `profiles.kubeflow.org` CRD:

```sh
make install
```

Deploy the profile controller manager:

```sh
make deploy
```

Verify that the controller is running in the `profiles-system` namespace:

```sh
kubectl get pods -l kustomize.component=profiles -n profiles-system
```

### Clean-up

Uninstall the profile controller manager:

```sh
make undeploy
```

Uninstall the `profiles.kubeflow.org` CRD:

```sh
make uninstall
```

## Running the controller locally

In order for the custom Notebook Controller to be functional from your local machine, the admins must:

- Set the number of replicas to zero:

  ```sh
  kubectl edit deployment profiles-deployment -n=kubeflow
  ```

- Start the manager locally:

  ```sh
  make run
  ```