profile-controller

module

v2.0.0-...-0fbcd37 Latest Latest Go to latest Published: Oct 2, 2019 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kubeflow/kubeflow

README ¶

Profile CRD

Kubeflow Profile CRD is designed to solve access management within multi-user kubernetes cluster.

Profile access management provides namespace level isolation based on:

k8s rbac access control
Istio rbac access control

Resources managed by profile CRD:

Each profile CRD will manage one namespace (with same name as profile CRD), and will have one owner. Specifically, each profile CRD will manage following resources:

Namespace reserved for profile owner.
K8s rbac Rolebinding namespaceAdmin: make profile owner the namespace admin, allow access to above namespace via k8s API (kubectl).
Istio namespace-scoped ServiceRole ns-access-istio: allow access to all services in target namespace via Istio routing.
Istio namespace-scoped ServiceRoleBinding owner-binding-istio: bind ServiceRole ns-access-istio to profile owner. So profile owner can access services in above namespace via Istio (browser).
Setup namespace-scoped service-accounts editor and viewer to be used by user-created pods in above namespace.
resource quota management (coming)

Supported platforms and prerequisites:

GCP

All users should have IAM permission Kubernetes Engine Cluster Viewer
- This is needed in order to get cluster access by gcloud container clusters get-credentials
kubeflow cluster with version v0.6

Manage access control and resources

manual access management by admin

Cluster admin will manage access management for cluster users:

To create and reserve namespace ns1 for user abc@def.com

Admin need to create profile via kubectl:

apiVersion: kubeflow.org/v1alpha1
kind: Profile
metadata:
  name: ns1
spec:
  owner:
    kind: User
    name: abc@def.com

To revoke access to namespace ns1 from user abc@def.com and delete namespace ns1

Admin can delete profile ns1:

kubectl delete profile ns1

Self-serve kfam UI

Users with access to cluster API server should be able to resiger and use kubeflow cluster without admin manual approve.

Coming

Dev Instruction

How to generate Istio rbac CRD types

We use kube builder https://book.kubebuilder.io/quick_start.html

kubebuilder init --domain istio.io --license apache2 --owner "The Kubernetes Authors"
kubebuilder create api --group rbac --version v1alpha1 --kind ServiceRole
kubebuilder create api --group rbac --version v1alpha1 --kind ServiceRoleBinding

Then copy ServiceRole / ServiceRoleBinding schema from Istio release version https://github.com/istio/istio/releases/tag/1.1.6 to pkg/apis/istiorbac/v1alpha1/*_types.go
Run make to update code.

Directories ¶

Path	Synopsis
cmd
manager
pkg
apis Package apis contains Kubernetes API groups.	Package apis contains Kubernetes API groups.
apis/istiorbac/v1alpha1 Package v1alpha1 contains API Schema definitions for the kubeflow v1alpha1 API group +k8s:openapi-gen=true +k8s:deepcopy-gen=package,register +k8s:conversion-gen=github.com/kubeflow/kubeflow/components/profile-controller/v2/pkg/apis/kubeflow +k8s:defaulter-gen=TypeMeta +groupName=kubeflow.org Package v1alpha1 contains API Schema definitions for the kubeflow v1alpha1 API group +k8s:openapi-gen=true +k8s:deepcopy-gen=package,register +k8s:conversion-gen=github.com/kubeflow/kubeflow/components/profile-controller/v2/pkg/apis/kubeflow +k8s:defaulter-gen=TypeMeta +groupName=kubeflow.org	Package v1alpha1 contains API Schema definitions for the kubeflow v1alpha1 API group +k8s:openapi-gen=true +k8s:deepcopy-gen=package,register +k8s:conversion-gen=github.com/kubeflow/kubeflow/components/profile-controller/v2/pkg/apis/kubeflow +k8s:defaulter-gen=TypeMeta +groupName=kubeflow.org Package v1alpha1 contains API Schema definitions for the kubeflow v1alpha1 API group +k8s:openapi-gen=true +k8s:deepcopy-gen=package,register +k8s:conversion-gen=github.com/kubeflow/kubeflow/components/profile-controller/v2/pkg/apis/kubeflow +k8s:defaulter-gen=TypeMeta +groupName=kubeflow.org
apis/kubeflow Package kubeflow contains kubeflow API versions	Package kubeflow contains kubeflow API versions
apis/kubeflow/v1alpha1 Package v1alpha1 contains API Schema definitions for the kubeflow v1alpha1 API group +k8s:openapi-gen=true +k8s:deepcopy-gen=package,register +k8s:conversion-gen=github.com/kubeflow/kubeflow/components/profile-controller/v2/pkg/apis/kubeflow +k8s:defaulter-gen=TypeMeta +groupName=kubeflow.org Package v1alpha1 contains API Schema definitions for the kubeflow v1alpha1 API group +k8s:openapi-gen=true +k8s:deepcopy-gen=package,register +k8s:conversion-gen=github.com/kubeflow/kubeflow/components/profile-controller/v2/pkg/apis/kubeflow +k8s:defaulter-gen=TypeMeta +groupName=kubeflow.org	Package v1alpha1 contains API Schema definitions for the kubeflow v1alpha1 API group +k8s:openapi-gen=true +k8s:deepcopy-gen=package,register +k8s:conversion-gen=github.com/kubeflow/kubeflow/components/profile-controller/v2/pkg/apis/kubeflow +k8s:defaulter-gen=TypeMeta +groupName=kubeflow.org Package v1alpha1 contains API Schema definitions for the kubeflow v1alpha1 API group +k8s:openapi-gen=true +k8s:deepcopy-gen=package,register +k8s:conversion-gen=github.com/kubeflow/kubeflow/components/profile-controller/v2/pkg/apis/kubeflow +k8s:defaulter-gen=TypeMeta +groupName=kubeflow.org
controller
controller/profile
webhook

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL