Profile
To disable automatic profile creation, set the `registration-flow` value to `false` in the `parameters` ConfigMap in the `kubeflow` namespace. The central dashboard reads this flag; while it is `true`, a user who logs in without a profile is taken through a registration flow that creates one for them. With it set to `false`, profiles have to be created by an administrator as described below.
```yaml
apiVersion: v1
data:
  clusterDomain: cluster.local
  registration-flow: "true"   # set to "false" to disable automatic profile creation
  userid-header: X-Goog-Authenticated-User-Email
  userid-prefix: "accounts.google.com:"
kind: ConfigMap
metadata:
  annotations: {}
  labels:
    app.kubernetes.io/component: centraldashboard
    app.kubernetes.io/instance: centraldashboard-v1.0.0
    app.kubernetes.io/managed-by: kfctl
    app.kubernetes.io/name: centraldashboard
    app.kubernetes.io/part-of: kubeflow
    app.kubernetes.io/version: v1.0.0
    kustomize.component: centraldashboard
  name: parameters
  namespace: kubeflow
```
Manually Create Profiles
To manually create a profile for a user, save the following YAML as profile.yaml and apply it:

```yaml
apiVersion: kubeflow.org/v1beta1
kind: Profile
metadata:
  name: profileName # replace with the name of the profile you want; this becomes the user's namespace name, so it must be a valid lowercase DNS-1123 label
spec:
  owner:
    kind: User
    name: userid@email.com # replace with the email of the user
  resourceQuotaSpec: # resource quota can be set optionally
    hard:
      cpu: "2"
      memory: 2Gi
      requests.nvidia.com/gpu: "1"
      persistentvolumeclaims: "1"
      requests.storage: "5Gi"
```

```shell
kubectl create -f profile.yaml
kubectl apply -f profile.yaml   # if you are modifying an existing profile
```

- The above YAML creates a profile named profileName.
- The profile owner is userid@email.com and has view and modify access to that profile.
Create a new profile without quota
An empty resourceQuotaSpec creates the profile with no ResourceQuota in its namespace:

```yaml
---
apiVersion: kubeflow.org/v1
kind: Profile
metadata:
  name: jeevandk
spec:
  owner:
    kind: User
    name: kailasamnadar.jeevanandam@gene.com
  resourceQuotaSpec: {}
```
The following resources are created as part of the profile creation:
- A Kubernetes namespace that shares the same name as the profile.
- Kubernetes RBAC (role-based access control) RoleBindings in the namespace. The namespaceAdmin binding grants the profile owner the kubeflow-admin ClusterRole, making them the namespace administrator and giving them access to the namespace with kubectl (via the Kubernetes API). The default-editor and default-viewer bindings grant the namespace's service accounts of the same name the kubeflow-edit and kubeflow-view ClusterRoles.
- An Istio namespace-scoped AuthorizationPolicy named user-userid-email-com-clusterrole-edit (derived from the owner's email). It allows requests that carry the owner's userid header to reach the workloads in the namespace the policy was created in.
- Namespace-scoped service accounts default-editor and default-viewer, to be used by user-created pods in the namespace.
- A namespace-scoped ResourceQuota carrying the limits from resourceQuotaSpec.

For an example profile named chongb, the RoleBindings look like this:

```shell
kubectl get rolebinding -n chongb
```

```
NAME             ROLE                         AGE
default-editor   ClusterRole/kubeflow-edit    21d
default-viewer   ClusterRole/kubeflow-view    21d
namespaceAdmin   ClusterRole/kubeflow-admin   21d
```
Note
Because profiles correspond one-to-one with Kubernetes namespaces, the terms profile and namespace are sometimes used interchangeably in the documentation.
Listing and describing profiles
An administrator can list the existing profiles in the system:

```shell
kubectl get profiles
```

and describe a specific profile using:

```shell
kubectl describe profile profileName
```

Deleting an existing profile
An administrator can delete an existing profile using:

```shell
kubectl delete profile profileName
```
This will delete the profile, the corresponding namespace and any Kubernetes resources associated with the profile. The profile’s owner or other users with access to the profile will no longer have access to the profile and will not see it in the dropdown list on the central dashboard.
Managing contributors manually
An administrator can manually add contributors to an existing profile as described below. Two resources are needed per contributor: a RoleBinding, which grants the user's Kubernetes identity the kubeflow-edit ClusterRole in the namespace, and an Istio AuthorizationPolicy, which lets the user's authenticated web requests reach the namespace's workloads through the Kubeflow gateway. Both carry the same name, built from the user's email: lowercased, with every character that is not a letter or digit replaced by a dash, and wrapped as user-<email>-clusterrole-edit.
Create a rolebinding.yaml file with the following content on your local machine:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    role: edit
    user: kailasamnadar.jeevanandam@gene.com # replace with the email of the user from your Active Directory (case sensitive)
  name: user-kailasamnadar-jeevanandam-gene-com-clusterrole-edit
  # Ex: if the user email is lalith.vaka@kp.org the name should be user-lalith-vaka-kp-org-clusterrole-edit
  # Note: if the user email is Lalith.Vaka@kp.org in your Active Directory, the name is still user-lalith-vaka-kp-org-clusterrole-edit (resource names are lowercase); only the subject name below keeps the original case
  namespace: profileName # replace with the namespace/profile name that you are adding contributors to
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeflow-edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kailasamnadar.jeevanandam@gene.com # replace with the email of the user from your Active Directory (case sensitive)
```
Create an authorizationpolicy.yaml file with the following content on your local machine:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  annotations:
    role: edit
    user: kailasamnadar.jeevanandam@gene.com # replace with the email of the user from your Active Directory (case sensitive)
  name: user-kailasamnadar-jeevanandam-gene-com-clusterrole-edit
  namespace: profileName # replace with the namespace/profile name that you are adding contributors to
spec:
  action: ALLOW
  rules:
  - when:
    - key: request.headers[kubeflow-userid] # on GCP, use x-goog-authenticated-user-email instead of kubeflow-userid; its value then carries the configured userid-prefix (accounts.google.com:) in front of the email
      values:
      - kailasamnadar.jeevanandam@gene.com # replace with the email of the user from your Active Directory (case sensitive)
```

Run the following commands to create the corresponding contributor resources:

```shell
kubectl create -f rolebinding.yaml
kubectl create -f authorizationpolicy.yaml
```

The AuthorizationPolicy has no from or to clauses: it allows any request carrying that header value into the namespace. It is therefore only as strong as the guarantee that the ingress gateway sets the userid header after authenticating the user and replaces any copy supplied by the client, so workloads in the namespace must not be reachable on a path that bypasses the gateway.
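As an added example (not code from this page's source or from the Kubeflow project), the following POSIX shell script renders the Profile manifest from the manual-creation section above and the contributor RoleBinding/AuthorizationPolicy pair from this section. It derives the resource name from the email by the convention given above and rejects profile and namespace names that are not valid DNS-1123 labels before anything is sent to the API server. It assumes the kubeflow-userid header and the kubeflow-edit ClusterRole, and its quota handling is reduced to a single CPU limit; the names used in the usage lines are the page's own examples.

```shell
#!/bin/sh
# Added example, not from the Kubeflow project. Renders the manifests described on
# this page and validates the names first. Assumptions: the userid header is
# kubeflow-userid (x-goog-authenticated-user-email on GCP) and contributors get the
# kubeflow-edit ClusterRole.

# A profile name becomes a namespace name, so it must be an RFC 1123 label:
# lowercase alphanumerics and '-', starting and ending alphanumeric, at most 63 chars.
is_dns_label() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# Contributor resource name: lowercase the email, replace every character that is
# not a-z or 0-9 with '-', and wrap it with the documented prefix and suffix
# (Lalith.Vaka@kp.org -> user-lalith-vaka-kp-org-clusterrole-edit).
contributor_name() {
  printf 'user-%s-clusterrole-edit' \
    "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g')"
}

# Profile manifest. The optional third argument is a CPU limit; without it the
# resourceQuotaSpec is left empty, as in the "without quota" example on the page.
render_profile() {
  name=$1; email=$2; cpu=${3:-}
  is_dns_label "$name" || { echo "invalid profile name: $name" >&2; return 1; }
  cat <<EOF
apiVersion: kubeflow.org/v1
kind: Profile
metadata:
  name: $name
spec:
  owner:
    kind: User
    name: $email
EOF
  if [ -n "$cpu" ]; then
    cat <<EOF
  resourceQuotaSpec:
    hard:
      cpu: "$cpu"
EOF
  else
    echo "  resourceQuotaSpec: {}"
  fi
}

# RoleBinding plus AuthorizationPolicy for one contributor. The email is used
# verbatim (case preserved) in the RBAC subject and in the header value; only the
# resource name is normalised.
render_contributor() {
  ns=$1; email=$2; header=${3:-kubeflow-userid}
  is_dns_label "$ns" || { echo "invalid namespace: $ns" >&2; return 1; }
  rbname=$(contributor_name "$email")
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $rbname
  namespace: $ns
  annotations:
    role: edit
    user: $email
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeflow-edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: $email
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: $rbname
  namespace: $ns
  annotations:
    role: edit
    user: $email
spec:
  action: ALLOW
  rules:
  - when:
    - key: request.headers[$header]
      values:
      - $email
EOF
}

# Usage (prints the manifests; on a real cluster pipe them into 'kubectl apply -f -'):
#   render_profile jeevandk kailasamnadar.jeevanandam@gene.com
#   render_contributor jeevandk Lalith.Vaka@kp.org
```

The name check matters because the page's placeholder profileName contains an uppercase letter and would be rejected by the API server as a namespace name; the script fails early with a clear message instead.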
Old document, not used anymore
Earlier deployments used the deprecated Istio v1alpha1 RBAC API (ServiceRoleBinding) instead of an AuthorizationPolicy; it is kept here for reference only:

```yaml
---
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  annotations:
    role: edit
    user: kailasamnadar.jeevanandam@gene.com
  generation: 1
  name: user-jeeva-kailasam-clusterrole-edit
  namespace: hanumaiah-vinay
spec:
  roleRef:
    kind: ServiceRole
    name: ns-access-istio
  subjects:
  - properties:
      request.headers[kubeflow-userid]: kailasamnadar.jeevanandam@gene.com
status: {}
```