feat: KFP multi user mode PR1 - enable multi user mode without istio authorization #1342
Conversation
|
/assign @jlewi |
| @@ -0,0 +1,274 @@ | |||
| # Copyright 2020 Google LLC | |||
There was a problem hiding this comment.
There was a problem hiding this comment.
There was a problem hiding this comment.
Why is this blocked on #1136? It looks like your controller is just creating a bunch of K8s resources in the namespace in which KFP is going to be used.
Could you just create a kustomize package containing those resources and then tell users that to setup a namespace to
use KFP they need to do something like
<kustomize it for their namespace; e.g. using kpt or >
kustomize build | kubectl apply -f -
There was a problem hiding this comment.
I think current profile controller provides self service, everyone coming can just use right away. It makes more sense if the deployment is done automatically for them.
I understand customization needs exist for sure, #1136 will likely be the best way forward. I need some time to think about it. Efforts lacking is setting up the package and some documentation to use them. I'd want to avoid doing too much things in one step.
My personal priority is getting this PR and a second PR with istio authorization in, so that previously designed KFP multi user mode is working properly first. Then I can start thinking about substantial improvements like the approach in #1136 .
| "namespace": namespace, | ||
| }, | ||
| "data": { | ||
| "accesskey": "bWluaW8=", # base64 for minio |
There was a problem hiding this comment.
Are we really checking in access keys? Is this safe?
There was a problem hiding this comment.
Yes, it would be recommended to customize it after deployment.
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jlewi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Thanks @jlewi ! |
| hooks: | ||
| sync: | ||
| webhook: | ||
| url: http://kubeflow-pipelines-profile-controller/sync |
There was a problem hiding this comment.
@Bobgy This will likely fail on other platforms or on-prem installations, I had to point to the internal service name:
url: http://kubeflow-pipelines-profile-controller.kubeflow.svc.cluster.local:80/sync
Perhaps this can be configurable via Kustomize vars. I think of the use of the name prefix just makes it a bit harder.
There was a problem hiding this comment.
Thanks.
is using prefix a GCP specific thing?
I thought it's kubernetes standard behavior.
let me investigate
|
@Bobgy Multi-user manifest changes will only in pipeline/installs? Any plans to add support for non-v3 manifest? https://github.com/kubeflow/manifests/tree/master/pipeline |
@Jeffwan The next PR of enabling istio authorization will add sth to |
…authorization (kubeflow#1342) * Add argo to stacks/generic * Pull pipelines manifest from upstream * Updated kfp * Minio v3 manifests * Rename minio configmap * Add generic minio install * Generate new test data * Mysql kustomize v3 manifest - generic install * Add mysql gcp pd install * Generate test data * Pipelines kustomize v3 manifests * Add kfp ui virtual service * Add metadata deployment to stacks/generic * Use common cluster domain * Deploy metadata writer * Add kfp cache server * Update test data * Enable KFP multi user mode without istio security * Fix persistence agent watch namespace * Fix namespace env for some deployments * Fix cluster roles and bindings * fix rename * Fix pipelines ui role * Updated kfp to rc2 * simplify pipeline v3 manifest using updated kfp rc2 manifest * Fix pipeline-install-config * remove redundant configmap * update tests * updated to kfp 1.0.0-rc.3 * Adapt to kfp 1.0rc3 refactoring * update test snapshots * fix pull kfp script to detect empty dir * fix example ref * update snapshot * fix gcp pd manifest * Update stacks ref * revert alice example to gcp stack * update snapshot * fix profile controller iam binding * Update kfp profile controller can be configured to different images and istio sidecar * add missing viewer controller cluster roles * Use python3 for sync.py * Revert gcp stack back to use non multi user kfp * revert unintended changes * revert upstream changes
* feat: KFP multi user mode PR1 - enable multi user mode without istio authorization (#1342) * Add argo to stacks/generic * Pull pipelines manifest from upstream * Updated kfp * Minio v3 manifests * Rename minio configmap * Add generic minio install * Generate new test data * Mysql kustomize v3 manifest - generic install * Add mysql gcp pd install * Generate test data * Pipelines kustomize v3 manifests * Add kfp ui virtual service * Add metadata deployment to stacks/generic * Use common cluster domain * Deploy metadata writer * Add kfp cache server * Update test data * Enable KFP multi user mode without istio security * Fix persistence agent watch namespace * Fix namespace env for some deployments * Fix cluster roles and bindings * fix rename * Fix pipelines ui role * Updated kfp to rc2 * simplify pipeline v3 manifest using updated kfp rc2 manifest * Fix pipeline-install-config * remove redundant configmap * update tests * updated to kfp 1.0.0-rc.3 * Adapt to kfp 1.0rc3 refactoring * update test snapshots * fix pull kfp script to detect empty dir * fix example ref * update snapshot * fix gcp pd manifest * Update stacks ref * revert alice example to gcp stack * update snapshot * fix profile controller iam binding * Update kfp profile controller can be configured to different images and istio sidecar * add missing viewer controller cluster roles * Use python3 for sync.py * Revert gcp stack back to use non multi user kfp * revert unintended changes * revert upstream changes * Use kubeflow userid header and prefix config for KFP servers (#1365) * feat: KFP multi user mode PR2 - secure KFP with istio mTLS and authz (#1368) * Add argo to stacks/generic * Pull pipelines manifest from upstream * Updated kfp * Minio v3 manifests * Rename minio configmap * Add generic minio install * Generate new test data * Mysql kustomize v3 manifest - generic install * Add mysql gcp pd install * Generate test data * Pipelines kustomize v3 manifests * Add kfp ui virtual service * Add metadata deployment to stacks/generic * Use common cluster domain * Deploy metadata writer * Add kfp cache server * Update test data * Enable KFP multi user mode without istio security * Fix persistence agent watch namespace * Fix namespace env for some deployments * Fix cluster roles and bindings * fix rename * Fix pipelines ui role * Updated kfp to rc2 * simplify pipeline v3 manifest using updated kfp rc2 manifest * Fix pipeline-install-config * remove redundant configmap * update tests * updated to kfp 1.0.0-rc.3 * Adapt to kfp 1.0rc3 refactoring * update test snapshots * fix pull kfp script to detect empty dir * fix example ref * update snapshot * fix gcp pd manifest * Update stacks ref * revert alice example to gcp stack * update snapshot * fix profile controller iam binding * Update kfp profile controller can be configured to different images and istio sidecar * add missing viewer controller cluster roles * Use python3 for sync.py * Revert gcp stack back to use non multi user kfp * revert unintended changes * revert upstream changes * Secure kfp multi user mode with istio authorization * patch minio to disable istio sidecar injection * fix cache server istio authz * enable istio sidecar for profiles deploy * enable istio sidecar for centraldashboard * Do not protect profile controller with istio * Allow admission webhook traffic to cache-server * revert gcp stack back to pipeline generic * Reuse minio generic install as base for gcp-pd and ibm * update snapshot * refactor: pipelines profile controller should get minio access keys from the secret (#1372) * refactor: pipelines profile controller should get minio access keys from the secret * do not print secrets in log * feat: Use KFP multi user mode for GCP (#1373) * refactor: pipelines profile controller should get minio access keys from the secret * do not print secrets in log * use kfp multi user mode for gcp stacks * update snapshot * feat: Add application and common labels to KFP and various fixes (#1374) * Add common labels to kfp components * Add KFP application * update snapshot * Use json format for json patch, because yaml will look like a resource and fail tests * Remove part of label * update snapshots * Fix profile controller deployment version * update snapshot * Fix userid-header for gcp * update snapshot * Fix b64encode exception * update snapshot * update snapshot
Which issue is resolved by this Pull Request:
Resolves kubeflow/pipelines#4159
Description of your changes:
This is the first step of enabling KFP multi user mode.
This makes all KFP multi user features available, but not all in-cluster traffic are protected by istio.
This is a good intermediate state to break up the work of enabling multi user mode.
Changes:
pipeline/installs/multi-userwhich is a drop-in replacement forpipeline/install/generic, but multi user mode enabled.Note,
stacks/gcpis still pointing topipeline/installs/genericbecause we need to discuss how KFP multi user mode should be released -- as the single option or allow users to choose from both.Checklist:
cd manifests/testsmake generate-changed-onlymake test