Charmed Kubeflow Namespace Switching

Hi there,

I have charmed kubeflow 1.6 configured with OpenLDAP authentication.

When I use the static dex-auth user I can only see the admin namespace.

Is there a way to create an admin account that can access other users namespaces?

Thanks


Is there also a way to create multiple namespaces for an account that uses the LDAP connector?

Hi @ollienuk!

I think this page in the Kubeflow docs may help here. Kubeflow allows for:

  • A single user to “own” multiple Profiles (see Manual profile creation for an example of how to do it). I do not believe there’s a way in the UI to do this.
  • Any user to share their Profiles with each other. In the Kubeflow UI that is handled in Manage Contributors. If user1 adds user2 as a contributor to their namespace, then user2 will see user1 in the dropdown at the top and can switch between the Profiles. user2 can then access anything user1 owns, start jobs/notebooks as if they’re user1, etc.

If you want an admin account that can see all Profiles, one way would be to add admin as a contributor to all Profiles. I think that is the most “native” way to do it. There are also some ClusterRoles for administrators that Kubeflow creates, but they’re not bound to anything by default. You might be able to use those and manually attach them to an administrator account, but I’m not sure if that would work well in the UI. It might just mean that, behind the scenes, that administrator has broad access (e.g. to the Kubernetes resources themselves).

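The two mechanisms in the reply above (a Profile per user, and a contributor grant per namespace) can be scripted rather than clicked through. The following is an added example, not code from the original thread or from Charmed Kubeflow: it emits the Profile manifest and the pair of objects the Manage Contributors UI creates for a contributor (a RoleBinding to the kubeflow-edit/kubeflow-view ClusterRole, plus an Istio AuthorizationPolicy so the dashboard and notebook servers accept that user), and uses them to grant one account contributor access to every existing Profile. Assumptions: kubectl is pointed at the Kubeflow cluster, the user-id header is the default kubeflow-userid, the ingress gateway principal is the upstream default, and binding names follow the KFAM convention of "user-<email with @ and . replaced by ->-clusterrole-<role>"; the script names, function names and the example e-mail addresses are made up for illustration.

```shell
#!/usr/bin/env sh
# kf-contrib.sh - added example (not Charmed Kubeflow's own code).
# Creates Profiles and grants a contributor (edit or view) access to Profile
# namespaces the way the Manage Contributors UI does: one RoleBinding plus one
# Istio AuthorizationPolicy per contributor per namespace.
set -eu

# Assumed defaults; adjust for your installation.
USERID_HEADER="kubeflow-userid"
GATEWAY_PRINCIPAL="cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"

# Assumed KFAM naming convention: user-<sanitised email>-clusterrole-<role>
binding_name() { # email role
  printf 'user-%s-clusterrole-%s\n' "$(printf '%s' "$1" | sed 's/[@.]/-/g')" "$2"
}

# Profile for one user; the namespace created has the same name as the Profile.
profile_manifest() { # profile-name owner-email
  cat <<EOF
apiVersion: kubeflow.org/v1
kind: Profile
metadata:
  name: $1
spec:
  owner:
    kind: User
    name: $2
EOF
}

# Kubernetes RBAC binding (what kubectl/notebook pods check) and the Istio
# policy (what the dashboard, Jupyter and pipelines UIs check) for one
# contributor in one namespace. role is "edit" or "view".
contributor_manifests() { # namespace contributor-email [role]
  ns=$1; email=$2; role=${3:-edit}
  name=$(binding_name "$email" "$role")
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $name
  namespace: $ns
  annotations:
    role: $role
    user: $email
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeflow-$role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: $email
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: $name
  namespace: $ns
  annotations:
    role: $role
    user: $email
spec:
  rules:
  - from:
    - source:
        principals:
        - $GATEWAY_PRINCIPAL
    when:
    - key: request.headers[$USERID_HEADER]
      values:
      - $email
EOF
}

# Grant one account contributor access to every existing Profile.
grant_everywhere() { # contributor-email [role]
  for ns in $(kubectl get profiles -o jsonpath='{.items[*].metadata.name}'); do
    contributor_manifests "$ns" "$1" "${2:-edit}" | kubectl apply -f -
  done
}

# Usage (nothing runs when invoked without arguments):
#   sh kf-contrib.sh profile user1 user1@example.com
#   sh kf-contrib.sh grant-all admin@example.com edit
case "${1:-}" in
  profile)   profile_manifest "$2" "$3" | kubectl apply -f - ;;
  grant-all) grant_everywhere "$2" "${3:-edit}" ;;
esac
```

After applying, `kubectl auth can-i create notebooks.kubeflow.org -n user1 --as admin@example.com` confirms the RBAC half; the Istio half only takes effect for requests that arrive through the ingress gateway with the user-id header, which is why the dashboard dropdown, not kubectl, is the place to verify the contributor shows up. Note that "edit" on every namespace is exactly the broad access the reply describes: the admin can start jobs and read every user's data as that user.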

Hi @ca-scribner,

Thanks for the information.

There don’t appear to be any user roles created by Kubeflow:

Perhaps I’m not looking in the right place?

Hi @ollienuk,

I think they would be unbound ClusterRoles. Do you see any ClusterRoles that include “admin” in their names in kubectl get clusterrole?

Thanks for your help. I did find the cluster roles but as you mentioned they only granted me rights on Kubernetes - not in kubeflow directly unfortunately.

Hi @ca-scribner, after I tried to follow the LDAP guide, however, I’m not so sure how to create a profile for each user in LDAP, so that when they type in their username/password, they can access their profile in Charmed Kubeflow? Can you share any docs on how to create a user/profile in Charmed Kubeflow?

Btw, as I understand it, the OpenLDAP guide would set up two users with username/password:

  • user1/s3cretPassw0rd
  • user2/s3cretPassw0rd

However, when I try to type in those credentials, I met this Internal Server Error.

Hey @hoangtnm-ubuntu, as I understand it you would have to set up a user with its respective password in LDAP. Once you log in for the first time in Kubeflow, the Profile and namespace for it will be created automatically.

To use MinIO correctly you will have to apply the following steps:

# allow-minio.yaml
# A PodDefault is applied by Kubeflow's admission webhook to every pod in the
# namespace whose labels match the selector below. In the notebook spawner it
# shows up under "Configurations" with the text in spec.desc; ticking it adds
# the access-minio: "true" label to the notebook pod and injects the env vars.
apiVersion: kubeflow.org/v1alpha1
kind: PodDefault
metadata:
  name: access-minio
spec:
  desc: Allow access to Minio
  selector:
    matchLabels:
      access-minio: "true"
  env:
    # Credentials come from the mlpipeline-minio-artifact secret, which must
    # exist in the same (user) namespace as the pod.
    - name: AWS_ACCESS_KEY_ID
      valueFrom:
        secretKeyRef:
          name: mlpipeline-minio-artifact
          key: accesskey
          optional: false
    - name: AWS_SECRET_ACCESS_KEY
      valueFrom:
        secretKeyRef:
          name: mlpipeline-minio-artifact
          key: secretkey
          optional: false
    - name: MINIO_ENDPOINT_URL
      value: http://minio.kubeflow.svc.cluster.local:9000

# Apply it in the user's namespace
kubectl apply -f allow-minio.yaml -n <user-namespace>

Additionally, if you want to deploy SeldonDeployments in your user namespace you will have to copy its secret into the namespace:

# Optional: remove an existing copy first
kubectl delete secret seldon-init-container-secret -n <user-namespace>

# Copy from the kubeflow namespace, rewriting only the namespace field
kubectl get secret seldon-init-container-secret --namespace=kubeflow -o yaml | sed 's/namespace: .*/namespace: <user-namespace>/' | kubectl apply -f -

Improving this experience and automating some of these steps is one of our next Roadmap items.

Hi @dominik.f, I actually followed every step in the LDAP guide even with the same username and password, but the

Internal Server Error

Login error: failed to connect: LDAP Result Code 200 "Network Error": dial tcp: lookup asgard on 10.152.183.10:53: no such host

error still happens as I click the Login button. I created a github issue so that you can track this problem.