profile-controller

command module
v0.0.0-...-bd7f250 Latest
Published: Mar 14, 2024 License: Apache-2.0 Imports: 13 Imported by: 0

README

Kubeflow Profile

The Kubeflow Profile CRD is designed to solve access management within a multi-user Kubernetes cluster.

Profile access management provides namespace-level isolation based on:

  • Kubernetes RBAC
  • Istio AuthorizationPolicy

Resources managed by the Profile CRD:

Each Profile CR manages one namespace (with the same name as the Profile) and has exactly one owner. Specifically, each Profile manages the following resources:

  • A namespace reserved for the profile owner.
  • K8s RBAC RoleBinding namespaceAdmin: makes the profile owner the namespace admin, granting access to that namespace through the Kubernetes API (kubectl).
  • Istio namespace-scoped ServiceRole ns-access-istio: allows access to all services in the target namespace via Istio routing.
  • Istio namespace-scoped ServiceRoleBinding owner-binding-istio: binds ServiceRole ns-access-istio to the profile owner, so the profile owner can reach services in that namespace through Istio (browser).
  • Namespace-scoped service accounts editor and viewer, to be used by user-created pods in that namespace.
  • Resource Quota (since v1beta1)
  • Custom Plugins (since v1beta1)

Supported platforms and prerequisites

GCP

  • All users should have the IAM permission Kubernetes Engine Cluster Viewer
    • This is needed to obtain cluster credentials with gcloud container clusters get-credentials
  • A Kubeflow cluster with version v0.6.2+
  • The Kubeflow cluster ingress is set up with GCP IAP

Manage access control and resources

See the detailed Kubeflow Multi-Tenancy documentation.

Manual access management by admin

A cluster admin can manage access for cluster users:

To create an isolated namespace test-user-profile for user test-user@kubeflow.org:

  • The admin creates a Profile via kubectl:
kubectl create -f /path/to/profile/config

To revoke access to namespace test-user-profile from user test-user@kubeflow.org and delete namespace test-user-profile:

  • The admin deletes the Profile test-user-profile (the controller removes the namespace and the bindings it created with it):
kubectl delete profile test-user-profile
Self-serve kfam UI

Users with access to the cluster API server should be able to register and use the Kubeflow cluster without manual admin approval.

Profile v1beta1:

Profile v1beta1 introduced two new customizable fields:

ResourceQuotaSpec

Profiles now support configuring a ResourceQuotaSpec as part of the Profile CR; the controller creates a ResourceQuota in the profile namespace from it, so a single tenant cannot exhaust shared cluster capacity.
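A minimal Profile that sets such a quota, written here as an added example rather than taken from the page or the project. It assumes the v1beta1 field name resourceQuotaSpec and that its hard map uses the same resource names as a core ResourceQuota; the owner and quota values are constructed:

```yaml
apiVersion: kubeflow.org/v1beta1
kind: Profile
metadata:
  name: test-user-profile
spec:
  owner:
    kind: User
    name: test-user@kubeflow.org
  # Assumed v1beta1 field; the hard map mirrors a core ResourceQuota spec.
  resourceQuotaSpec:
    hard:
      cpu: "2"
      memory: 2Gi
      requests.nvidia.com/gpu: "1"
      persistentvolumeclaims: "2"
```

Apply it with kubectl create -f and confirm the quota landed with kubectl get resourcequota -n test-user-profile; pods in the namespace that request more than the hard limits are rejected at admission.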

Plugins

The plugins field was introduced to support customized actions based on the platform surrounding the k8s cluster.

Consider adding a plugin when you need platform-specific logic, such as managing resources outside the k8s cluster.

Plugin interface is defined as:

type Plugin interface {
	// Called when profile CR is created / updated
	ApplyPlugin(*ProfileReconciler, *profilev1beta1.Profile) error
	// Called when profile CR is deleted, to cleanup any non-k8s resources created via ApplyPlugin
	RevokePlugin(*ProfileReconciler, *profilev1beta1.Profile) error
}

Plugin owners have full control over plugin spec struct and implementation.

Available plugins:

  • WorkloadIdentity
    • Platform: GKE
    • Type: credential binding
    • The WorkloadIdentity plugin binds a k8s service account to a GCP service account, so pods in the profile namespace can call GCP APIs with the GCP service account's identity.
  • IAMForServiceAccount
    • Platform: EKS
    • Type: credential binding
    • The IAM For Service Account plugin grants a k8s service account the permissions of an IAM role, so pods in the profile namespace can authenticate to AWS services as that IAM role.
    • The CR is detailed below:
    apiVersion: kubeflow.org/v1
    kind: Profile
    metadata:
      name: test-profile
    spec:
      owner:
        kind: User
        name: user@example.com
      plugins:
      - kind: AwsIamForServiceAccount
        spec:
          awsIamRole: arn:aws:iam::1234567890:role/test-profile
          # Boolean, defaults to false. If true, the IAM role and its policy are not mutated.
          annotateOnly: true
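To make the plugin contract above concrete, here is an added example (not code from the profile controller) of the decision logic a plugin like IAMForServiceAccount has to get right, in plain Go with no cluster or AWS access: it decodes a Profile (as JSON, which maps one-to-one onto the YAML above), carries resourceQuotaSpec into a plan, dispatches on plugins[].kind, validates the role ARN, honours annotateOnly, and fails closed on anything it does not recognise. The Profile and Plan types, the AllowedAccount guard, the apply/PlanProfile functions and the default-editor/default-viewer service account names are assumptions for illustration; only the manifest field names come from the page, and eks.amazonaws.com/role-arn is the IRSA annotation documented by EKS.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Stand-in for the parts of profilev1beta1.Profile this example reads (assumed shape,
// not the project's type). encoding/json matches keys case-insensitively, so no tags are needed.
type Profile struct {
	Metadata struct{ Name string }
	Spec     struct {
		Owner             struct{ Kind, Name string }
		ResourceQuotaSpec struct{ Hard map[string]string }
		Plugins           []struct {
			Kind string
			Spec json.RawMessage // decoded per kind below
		}
	}
}

// Mirrors the AwsIamForServiceAccount plugin spec shown on the page.
type AwsIamForServiceAccountSpec struct {
	AwsIamRole   string `json:"awsIamRole"`
	AnnotateOnly bool   `json:"annotateOnly"`
}

// Plan records what the plugin would do instead of doing it, so the logic can be
// reviewed and tested without a cluster or AWS credentials (assumed type).
type Plan struct {
	Namespace            string
	Quota                map[string]string            // resourceQuotaSpec.hard
	Annotations          map[string]map[string]string // service account -> annotations
	MutateIamTrustPolicy bool                         // false when annotateOnly is set
}

const roleArnAnnotation = "eks.amazonaws.com/role-arn" // IRSA annotation read by EKS

// 12-digit account id, role name of at most 64 chars from [\w+=,.@-]; role paths are omitted here.
var roleArnRe = regexp.MustCompile(`^arn:aws:iam::(\d{12}):role/([\w+=,.@-]{1,64})$`)

// AwsIamForServiceAccountPlugin is a hypothetical implementation of the plugin contract.
type AwsIamForServiceAccountPlugin struct {
	AllowedAccount  string   // if set, refuse roles from any other AWS account (assumed guard, not a page setting)
	ServiceAccounts []string // namespace service accounts that receive the annotation
}

func (p AwsIamForServiceAccountPlugin) apply(prof *Profile, raw json.RawMessage, plan *Plan) error {
	var spec AwsIamForServiceAccountSpec
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // a misspelled "anotateOnly" must not silently default to false
	if err := dec.Decode(&spec); err != nil {
		return fmt.Errorf("profile %q: bad AwsIamForServiceAccount spec: %w", prof.Metadata.Name, err)
	}
	m := roleArnRe.FindStringSubmatch(spec.AwsIamRole)
	if m == nil {
		return fmt.Errorf("profile %q: %q is not a well-formed IAM role ARN", prof.Metadata.Name, spec.AwsIamRole)
	}
	if p.AllowedAccount != "" && m[1] != p.AllowedAccount {
		return fmt.Errorf("profile %q: role account %s is not the cluster account %s", prof.Metadata.Name, m[1], p.AllowedAccount)
	}
	for _, sa := range p.ServiceAccounts {
		plan.Annotations[sa] = map[string]string{roleArnAnnotation: spec.AwsIamRole}
	}
	plan.MutateIamTrustPolicy = !spec.AnnotateOnly // annotateOnly=true: annotation only, IAM untouched
	return nil
}

// PlanProfile decodes a Profile manifest and runs the plugin dispatch the way a
// reconciler would, failing closed on anything it does not understand.
func PlanProfile(manifest []byte, aws AwsIamForServiceAccountPlugin) (*Plan, error) {
	var prof Profile
	if err := json.Unmarshal(manifest, &prof); err != nil {
		return nil, err
	}
	if prof.Metadata.Name == "" || prof.Spec.Owner.Kind != "User" || prof.Spec.Owner.Name == "" {
		return nil, fmt.Errorf("profile needs a name and an owner of kind User")
	}
	plan := &Plan{Namespace: prof.Metadata.Name, Quota: prof.Spec.ResourceQuotaSpec.Hard,
		Annotations: map[string]map[string]string{}}
	for _, pl := range prof.Spec.Plugins {
		switch pl.Kind {
		case "AwsIamForServiceAccount":
			if err := aws.apply(&prof, pl.Spec, plan); err != nil {
				return nil, err
			}
		default: // an unknown kind is a typo or smuggled config; never ignore it
			return nil, fmt.Errorf("profile %q: unsupported plugin kind %q", prof.Metadata.Name, pl.Kind)
		}
	}
	return plan, nil
}

// Constructed sample input: the manifest from the page with a 12-digit account id and a quota added.
const sampleProfile = `{
  "apiVersion": "kubeflow.org/v1", "kind": "Profile",
  "metadata": {"name": "test-profile"},
  "spec": {
    "owner": {"kind": "User", "name": "user@example.com"},
    "resourceQuotaSpec": {"hard": {"cpu": "2", "memory": "2Gi"}},
    "plugins": [{"kind": "AwsIamForServiceAccount",
                 "spec": {"awsIamRole": "arn:aws:iam::123456789012:role/test-profile", "annotateOnly": true}}]
  }
}`

func main() {
	plugin := AwsIamForServiceAccountPlugin{AllowedAccount: "123456789012",
		ServiceAccounts: []string{"default-editor", "default-viewer"}}
	plan, err := PlanProfile([]byte(sampleProfile), plugin)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("namespace=%s quota=%v mutateIAM=%v annotations=%v\n",
		plan.Namespace, plan.Quota, plan.MutateIamTrustPolicy, plan.Annotations)
	// The page's placeholder ARN has a 10-digit account id and is rejected by the ARN check.
	_, err = PlanProfile([]byte(strings.Replace(sampleProfile, "123456789012", "1234567890", 1)), plugin)
	fmt.Println("placeholder ARN:", err)
}
```

The plan is what you would review before letting ApplyPlugin touch AWS. Rejecting a malformed ARN, a role in a foreign account, an unknown spec field or an unknown plugin kind is deliberate: with self-serve registration the plugin spec is effectively user input, and a Profile that does not parse cleanly should not yield a half-configured namespace whose pods hold credentials nobody reviewed.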
    

Deployment

Install the profiles.kubeflow.org CRD:

make install

Deploy the profile controller manager:

make deploy

Verify that the controller is running in the profiles-system namespace:

kubectl get pods -l kustomize.component=profiles -n profiles-system
Clean-up

Uninstall the profile controller manager:

make undeploy

Uninstall the profiles.kubeflow.org CRD:

make uninstall
Running the controller locally

To run the profile controller from your local machine against a cluster that already has it deployed, the admins must:

  1. Set the number of replicas of the in-cluster deployment to zero, so two managers do not reconcile the same Profiles:
kubectl edit deployment profiles-deployment -n=kubeflow
  2. Start the manager locally:
make run

Documentation


There is no documentation for this package.

Directories

Path          Synopsis
api
  v1          Package v1 contains API Schema definitions for the v1 API group +kubebuilder:object:generate=true +groupName=kubeflow.org
  v1beta1     Package v1beta1 contains API Schema definitions for the v1beta1 API group +kubebuilder:object:generate=true +groupName=kubeflow.org
