Update docs for connecting to Kubeflow Pipelines from the same cluster in multi-user mode

[bartgras]

Changes requested in issue, comment .

[google-cla]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.

---

What to do if you already signed the CLA

Individual signers

• It's possible we don't have your GitHub username or you're using a different email address on your commit. Check your existing CLA data and verify that your email is set on your git commits.

Corporate signers

• Your company has a Point of Contact who decides which employees are authorized to participate. Ask your POC to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the Google project maintainer to go/cla#troubleshoot (Public version).
• The email used to register you as an authorized contributor must be the email used for the Git commit. Check your existing CLA data and verify that your email is set on your git commits.
• The email used to register you as an authorized contributor must also be attached to your GitHub account.

ℹ️ Googlers: Go here for more info.

[google-oss-robot]

Hi @bartgras. Thanks for your PR.

I'm waiting for a kubeflow member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Arhell]

@bartgras please sign CLA

[bartgras]

@googlebot I signed it!

[andreyvelich]

Thank you for updating this @bartgras, it's very useful!
@zijianjoy @Bobgy @RFMVasconcelos Please take a look.

[Bobgy]

Thank you for the contribution!
The content looks great, I will spare some time for more detailed comments.

[thesuperzapper]

@Bobgy @bartgras I have left some comments.

[thesuperzapper]

@bartgras I think there is an important piece of information missing, namely how to allow cross-namespaces access to the pipelines API.

For example, giving Notebook Pods in namespace-1 access to namespace-2 Pipelines can be done by giving, namespace-1:ServiceAccount/default-editor the ClusterRole/kubeflow-edit in namespace-2.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubeflow-edit-namespace-1
  namespace: namespace-2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeflow-edit
subjects:
- kind: ServiceAccount
  name: default-editor
  namespace: namespace-1

[bartgras]

I was under assumption that users would use "Manage Contributors" to achieve the same result without additional RBAC settings.

Specifically, both namespace-1 and namespace-2 would require PodDefaults and then namespace-2 would add namespace-2 through contributors. I admit I didn't test if that's enough to get the access.If not, I can extend docs with your comment.

[Bobgy]

Both options should work, it's useful to introduce rbac when users want to configure on their own, probably with different granularity.

[thesuperzapper]

I think it's important to explain how this works, as most users will have never seen this feature of Kubernetes.

Also, we should clarify that this serviceAccountToken method respects the Pipelines RBAC, and does not allow access beyond what the ServiceAcount running the notebook Pod has.

[bartgras]

I didn't want to overflow users with details some of them might not find important if their goal is just to have in-cluster access to pipelines working.
Would adding something like this be enough, or you want to provide more info:
"More details about PodDefault can be found here".

[Bobgy]

+1 for the detailed info, because they need the details to understand how to access KFP API from any pod.

I think your argument about focusing on the minimum they need to know is also valid. What about adding a section at the end of the page to introduce the details.

[yhwang]

"More details about PodDefault can be found here".

It should be good enough for me

[thesuperzapper]

This could be put first in this section, explaining that KF_PIPELINES_SA_TOKEN_PATH is what the kfp.Client() is looking for, and then how serviceAccountToken actually works. (From an auth-flow perspective)

[thesuperzapper]

I'm not sure we have a concept of "generic" @Bobgy what do you think?

[bartgras]

I agree. I wasn't sure what would be the right wording in this case. Could not find any other name in docs.

[Bobgy]

Maybe we can start with non-multi-user mode?

[thesuperzapper]

I know it's not 100% related to this PR, but we should expand how to connect to the Pipelines endpoint from outside the cluster. Right now, (when using Dex) we don't document how people can access their https://kubeflow.example.com/pipelines endpoint from outside the cluster.

NOTE: The default manifests use "dex + oidc-authservice" with a very web-UI-focused authentication-flow.

Therefore, we should document how to use a "kubeflow service account" + "kubeflow token" to access the Kubeflow Pipelines REST API, with a fully configured Dex (that might use LDAP/OAUTH for normal users).

@Bobgy what do you think?

[thesuperzapper]

@Bobgy @bartgras I have raised a separate issue for this discussion: #2916

[thesuperzapper]

While this is a GKE-specific doc, we might want to explain this generically rather than remove it.

[bartgras]

The link I added explains it for GKE and other platforms.

[thesuperzapper]

We probably want to keep some preamble like this (possibly reworded), about how the Istio auth is setup in Kubeflow.

For example, most users may not realize that the istio-ingressgateway is how Kubeflow APIs are exposed external to the clsuter.

[bartgras]

I searched the term "ingress gateway" on kubeflow.org and found that it's often mentioned in distribution-specific installation steps.

Istio ingress gateway is not being used exclusively by Kubeflow Pipelines. If we want to give more details about access etc. then something like Traffic Flow section could serve as a starting point and would probably fit better on Overview page. If you agree, I could create separate issue+PR for that.

[andreyvelich]

/ok-to-test

[Bobgy]

nit: can also access Kubeflow Pipelines API through the public endpoint.

[Bobgy]

nit: Kubeflow Pipelines

[Bobgy]

contains an additional option

[Bobgy]

Do users need to know these?

[Bobgy]

Maybe we can start with non-multi-user mode?

[bartgras]

@thesuperzapper @Bobgy Thanks for suggestions. Would these changes be enough?

[andreyvelich]

/lgtm

Are we ready to merge this PR ?
/cc @Bobgy @thesuperzapper

[andreyvelich]

@zijianjoy what do you think about this PR ?

[thesuperzapper]

@bartgras @andreyvelich there are still some unresolved comments, if we resolve them, I think we are happy to merge.

[bartgras]

@thesuperzapper I thought I addressed them all in my last push.
I'd appreciate it you point out which require more changes.

[zijianjoy]

NIT: Jupyter instead of Juputer

[Bobgy]

Maybe I misunderstood sth, I think the setting below allows default-editor service account in namespace-1 to call KFP API and create pipelines/runs in namespace-2. (it also allows access to notebooks, but we won't use a service account to access notebooks, the goal here is to grant namespaced pipeline creation permission to a notebook in a separate namespace)

@thesuperzapper is this what you wanted to convey?

[zijianjoy]

/lgtm

Thank you for the PR! It looks good to me, pending @Bobgy for approval.

[capri-xiyue]

/lgtm

[bartgras]

I've just noticed this comment from @juliusvonkohout .
If we merge 2 PRs he mentioned, then documentation should be updated as well.
I can make necessary changes but first would like to hear your opinion.

[Bobgy]

I've just noticed this comment from @juliusvonkohout . If we merge 2 PRs he mentioned, then documentation should be updated as well. I can make necessary changes but first would like to hear your opinion.

Sorry for the delay,
We can merge this documentation update first, the technical details section is necessary anyway.

[Bobgy]

Thank you again for the great documentation contribution!
I love the new content you are adding.

Some general comments:

• regarding content, I'd argue that the main documentation should be written without dependency on PodDefault. I agree PodDefault is a nice to have, but I don't want people to treat it as a hard dependency of KFP.
• also, can we also introduce how a general Pod can be configured to access KFP API, besides the documentation for accessing KFP API from Kubeflow notebooks?
• I feel like the overall tech writing quality needs some improvement. Are there anyone who want to help polish the doc here?

What do you all think?
@andreyvelich @thesuperzapper @bartgras @zijianjoy @capri-xiyue

[Bobgy]

nit: do you think moving this section before "multi-user" mode help users absorb the knowledge gradually?

Per my imagination, first reading some simple general introduction for how to connect,
and then dive into the complex configuration for how to authenticate in multi-user mode sounds like a better learning experience.

[zijianjoy]

+1, it is helpful to start with simple approach. If user cannot resolve their need with simple approach, then they will keep reading for more guidance, which naturally leads to the change in new section.

[Bobgy]

Suggested change

	##### How in-cluster authentication works
	##### How Multi-User mode in-cluster authentication works

[Bobgy]

nit: what text should we enter in the contributor UI textbox when adding namespace-1 default-editor service account?

[Bobgy]

Do you think it's helpful emphasizing on the two steps: authenticate and then authorize?

1. service account token projection allows you to authenticate as the service account (default-editor in your namespace)
2. KFP API will verify whether your authenticated identity has the right permissions to do certain actions (RBAC)

[bartgras]

My understanding is that projected token is separate from the Pod's (e.g. default-editor) service account.
I've modified this paragraph to:
"Authentication uses ServiceAccountToken projection. Simply put, the token is first being injected into a Pod (e.g. Jupyter notebook's). Then Kubeflow Pipelines SDK uses this token to authorize against Kubeflow Pipelines API."

Please @Bobgy @elikatsis @andreyvelich @thesuperzapper correct me if I'm wrong.

[Bobgy]

Maybe I misunderstood sth, I think the setting below allows default-editor service account in namespace-1 to call KFP API and create pipelines/runs in namespace-2. (it also allows access to notebooks, but we won't use a service account to access notebooks, the goal here is to grant namespaced pipeline creation permission to a notebook in a separate namespace)

@thesuperzapper is this what you wanted to convey?

[andreyvelich]

regarding content, I'd argue that the main documentation should be written without dependency on PodDefault. I agree PodDefault is a nice to have, but I don't want people to treat it as a hard dependency of KFP.

I think it's good to have instructions for PodDefault until we don't have any other options to inject environments and volumeMounts to the Notebook's Pod from the Kubeflow Notebook UI.

also, can we also introduce how a general Pod can be configured to access KFP API, besides the documentation for accessing KFP API from Kubeflow notebooks?

That is a good point. @bartgras What do you think about it ?

@Bobgy Since this doc PR is very important for using KFP from the Kubeflow Notebook, should we try to merge the initial doc changes before the Kubeflow 1.4 will be released ?
We can address your comments in the following PRs and improve this documentation.

What do you think ?

[zijianjoy]

I think it's good to have instructions for PodDefault until we don't have any other options to inject environments and volumeMounts to the Notebook's Pod from the Kubeflow Notebook UI.

I propose to organize the doc structure as followed:

Remove the following section heading but keep the text content within it, because the whole page is about using SDK client, so we don't need to have a duplicate heading.
## Connect to Kubeflow Pipelines using SDK

## Before you begin

## Connect from outside your cluster

## Connect from a Pod within cluster

(the content here is pulled from `Non-multi-user mode` section in current PR)

## Configure SDK client by environment variables

## Connect from Jupyter Notebook in multi-user mode

How do you think?

[shuesc1]

add period at end

[shuesc1]

"additional per namespace (profile) manifest is required" -> "an additional per-namespace (profile) manifest is required"

[shuesc1]

Jupyter notebook server link not working for me (but maybe I'm missing something)

[shuesc1]

"newly created Jupyter notebook contains an additional option in section configurations" -> "the newly created Jupyter notebook contains an additional option in the configurations section"

[shuesc1]

"configurations on" -> "configurations in the"

[shuesc1]

Jupyter

[shuesc1]

"Note, examples below assume that namespace-1 is a namespace (profile) that will be granted access to Kubeflow Pipelines API through namespace-2 Jupyter notebook server. namespace-2 is already configured to access Kubeflow Pipelines API."
->
"Note, the examples below assume that namespace-1 is a namespace (profile) that will be granted access to Kubeflow Pipelines API
through the namespace-2 Jupyter notebook server. The namespace-2 server should already be configured to access Kubeflow Pipelines API."

[shuesc1]

Unless this wording is used elsewhere preference for something clearer like:

Managing access to Kubeflow Pipelines API across namespaces

[shuesc1]

Cross-namespace access can be achieved in two ways:

[shuesc1]

confusing-- consider breaking this up for clarity. Something like:

"Authentication uses ServiceAccountToken projection. This is where a verifiable (by Kubeflow Pipelines API) token with a limited lifetime is being injected into a Pod (e.g. Jupyter notebook's)."

[bartgras]

Thank you @Bobgy @zijianjoy @shuesc1 @andreyvelich for detailed feedback. Summary of the changes:

• I've incorporated all nitpicks
• Moved "Non-multi-user mode" above "Multi-User mode"
• Added @shuesc1 suggestions

@Bobgy @andreyvelich

also, can we also introduce how a general Pod can be configured to access KFP API, besides the documentation for accessing KFP API from Kubeflow notebooks?

That is a good point. @bartgras What do you think about it ?

Previous version already mentioned general Pod case but it was only briefly mentioned at the end of "Access Kubeflow Pipelines from Jupyter notebook" section. Now it's split into 2 sections, one that addresses notebooks and the other that addresses Pods in general.

[zijianjoy]

/lgtm
/approve

@bartgras Thank you so much for your contributions to this doc PR! Since most comments have been addressed, let's merge this PR first and follow up for any remaining items in a separate PR.

[google-oss-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bartgras, zijianjoy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• content/en/docs/components/pipelines/OWNERS [zijianjoy]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment