
Profile

To disable automatic profile creation, change the registration-flow value to "false" in the parameters ConfigMap in the kubeflow namespace.

apiVersion: v1
data:
  clusterDomain: cluster.local
  registration-flow: "true"
  userid-header: X-Goog-Authenticated-User-Email
  userid-prefix: "accounts.google.com:"
kind: ConfigMap
metadata:
  annotations: {}
  labels:
    app.kubernetes.io/component: centraldashboard
    app.kubernetes.io/instance: centraldashboard-v1.0.0
    app.kubernetes.io/managed-by: kfctl
    app.kubernetes.io/name: centraldashboard
    app.kubernetes.io/part-of: kubeflow
    app.kubernetes.io/version: v1.0.0
    kustomize.component: centraldashboard
  name: parameters
  namespace: kubeflow

Manually Create Profiles

To manually create a profile for a user, apply the following YAML:

apiVersion: kubeflow.org/v1beta1
kind: Profile
metadata:
  name: profileName # replace with the profile name you want; this becomes the user's namespace name
spec:
  owner:
    kind: User
    name: userid@email.com # replace with the email of the user

  resourceQuotaSpec: # resource quota can be set optionally
    hard:
      cpu: "2"
      memory: 2Gi
      requests.nvidia.com/gpu: "1"
      persistentvolumeclaims: "1"
      requests.storage: "5Gi"

kubectl create -f profile.yaml

kubectl apply -f profile.yaml  # if you are modifying the profile

  • The above YAML creates a profile named profileName.
  • The profile owner is userid@email.com and has view and modify access to that profile.

Create a new profile without quota

---
apiVersion: kubeflow.org/v1
kind: Profile
metadata:
  name: jeevandk
spec:
  owner:
    kind: User
    name: kailasamnadar.jeevanandam@gene.com
  resourceQuotaSpec: {}

The following resources are created as part of the profile creation:

  • A Kubernetes namespace that shares the same name with the corresponding profile.
  • Kubernetes RBAC (role-based access control) role binding for the namespace: Admin. This makes the profile owner the namespace administrator, giving them access to the namespace using kubectl (via the Kubernetes API).

kubectl get rolebinding -n chongb
NAME             ROLE                         AGE
default-editor   ClusterRole/kubeflow-edit    21d
default-viewer   ClusterRole/kubeflow-view    21d
namespaceAdmin   ClusterRole/kubeflow-admin   21d

  • Istio namespace-scoped AuthorizationPolicy: user-userid-email-com-clusterrole-edit. This allows the user to access data belonging to the namespace the AuthorizationPolicy was created in.
  • Namespace-scoped service accounts default-editor and default-viewer, to be used by user-created pods in the namespace.
  • Namespace-scoped resource quota (ResourceQuota) limits are put in place.

Note

Due to the one-to-one correspondence of profiles with Kubernetes namespaces, the terms profile and namespace are sometimes used interchangeably in the documentation.

Listing and describing profiles

An administrator can list the existing profiles in the system:

$ kubectl get profiles

and describe a specific profile using:

$ kubectl describe profile profileName

Deleting an existing profile

An administrator can delete an existing profile using:

$ kubectl delete profile profileName

This will delete the profile, the corresponding namespace and any Kubernetes resources associated with the profile. The profile’s owner or other users with access to the profile will no longer have access to the profile and will not see it in the dropdown list on the central dashboard.

Managing contributors manually

An administrator can manually add contributors to an existing profile as described below.

Create a rolebinding.yaml file with the following content on your local machine:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    role: edit
    user: kailasamnadar.jeevanandam@gene.com # replace with the user's email exactly as it appears in your Active Directory (case sensitive)
  name: user-kailasamnadar-jeevanandam-gene-com-clusterrole-edit
  # Example: if the user email is lalith.vaka@kp.org, the name should be user-lalith-vaka-kp-org-clusterrole-edit
  # Note: if the user email is Lalith.Vaka@kp.org in your Active Directory, the name should still be user-lalith-vaka-kp-org-clusterrole-edit
  namespace: profileName # replace with the namespace/profile name that you are adding contributors to
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeflow-edit
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: kailasamnadar.jeevanandam@gene.com # replace with the user's email exactly as it appears in your Active Directory (case sensitive)

Create an authenticationpolicy.yaml file with the following content on your local machine:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  annotations:
    role: edit
    user: kailasamnadar.jeevanandam@gene.com # replace with the user's email exactly as it appears in your Active Directory (case sensitive)
  name: user-kailasamnadar-jeevanandam-gene-com-clusterrole-edit
  namespace: profileName # replace with the namespace/profile name that you are adding contributors to
spec:
  action: ALLOW
  rules:
    - when:
        - key: request.headers[kubeflow-userid] # on GCP, use x-goog-authenticated-user-email instead of kubeflow-userid as the authentication header
          values:
            - kailasamnadar.jeevanandam@gene.com # replace with the user's email exactly as it appears in your Active Directory (case sensitive)

Run the following commands to create the corresponding contributor resources:

kubectl create -f rolebinding.yaml
kubectl create -f authenticationpolicy.yaml
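
As an added example (not part of the original page or of the Kubeflow project), this POSIX shell script renders both contributor manifests from one validated email, deriving the resource name by the rule given in the comments above (lowercase, every non-alphanumeric character replaced by a hyphen) while keeping the email's original case in the subject and header match. The function names, the input checks and the optional view role (bound to kubeflow-view) are assumptions of this example.

```shell
#!/bin/sh
# Added example: render the RoleBinding and AuthorizationPolicy for one contributor.
set -eu

# Name rule from the page: lowercase the email, replace every character
# outside [a-z0-9] with "-", wrap as user-<slug>-clusterrole-<role>.
binding_name() (
  slug=$(printf '%s' "$1" | LC_ALL=C tr '[:upper:]' '[:lower:]' | LC_ALL=C sed 's/[^a-z0-9]/-/g')
  printf 'user-%s-clusterrole-%s\n' "$slug" "${2:-edit}"
)

# Usage: render_contributor EMAIL NAMESPACE [edit|view]
render_contributor() (
  email=$1 ns=$2 role=${3:-edit}
  # Reject input that could change the YAML structure (spaces, colons, quotes, newlines).
  case $email in
    *[!A-Za-z0-9._%+@-]*|*@*@*|@*|*@) echo "invalid email" >&2; exit 1 ;;
    *@*) ;;
    *) echo "invalid email" >&2; exit 1 ;;
  esac
  # A namespace must be a lowercase DNS label.
  case $ns in ''|*[!a-z0-9-]*|-*|*-) echo "invalid namespace" >&2; exit 1 ;; esac
  case $role in edit|view) ;; *) echo "invalid role" >&2; exit 1 ;; esac
  name=$(binding_name "$email" "$role")
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations: {role: $role, user: "$email"}
  name: $name
  namespace: $ns
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: kubeflow-$role}
subjects:
  - {apiGroup: rbac.authorization.k8s.io, kind: User, name: "$email"}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  annotations: {role: $role, user: "$email"}
  name: $name
  namespace: $ns
spec:
  action: ALLOW
  rules:
    - when:
        - key: request.headers[kubeflow-userid]
          values: ["$email"]
EOF
)
if [ "$#" -ge 2 ]; then render_contributor "$@"; fi
```

Review the rendered output, then pipe it to kubectl create -f - in place of the two hand-edited files.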

Old document (not used anymore)

---
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  annotations:
    role: edit
    user: kailasamnadar.jeevanandam@gene.com
  generation: 1
  name: user-jeeva-kailasam-clusterrole-edit
  namespace: hanumaiah-vinay
spec:
  roleRef:
    kind: ServiceRole
    name: ns-access-istio
  subjects:
    - properties:
        request.headers[kubeflow-userid]: kailasamnadar.jeevanandam@gene.com
status: {}