Charmed Kubeflow Namespace Switching

Hi there,

I have charmed kubeflow 1.6 configured with OpenLDAP authentication.

When I use the static dex-auth user I can only see the admin name space.

Is there a way to create an admin account that can access other users namespaces?

Thanks

Is there also a way to create multiple namespaces for an account that uses the LDAP connector?

Hi @ollienuk!

I think this page in the Kubeflow docs may help here. Kubeflow allows for:

  • a single user to “own” multiple Profiles (see Manual profile creation for an example of how to do it. I do not believe there’s a way in the UI to do this
  • Any user to share their Profiles with each other. In the Kubeflow UI that is handled in Manage Contributors. If user1 adds user2 as a contributor to their namespace, then user2 will see user1 in the dropdown at the top and can switch between the Profiles. user2 can then access anything user1 owns, start jobs/notebooks as if they’re user1, etc

If you want an admin account that can see all Profiles, one way would be to add admin as a contributor to all Profiles. I think that is the most “native” way to do it. There are also some ClusterRoles for administrators that Kubeflow creates, but they’re not bound to anything by default. You might be able to use those and manually attach them to an administrator account, but I’m not sure if that would work well in the UI. It might just mean that, behind the scenes, that administrator has broad access (eg: to the kubernetes resources themselves)

Hi @ca-scribner,

Thanks for the information.

There doesn’t appear to be any user roles created by Kubeflow:

Perhaps I’m not looking in the right place?

Hi @ollienuk,

I think they would be unbound ClusterRoles. Do you see any ClusterRoles that include “admin” in their names in kubectl get clusterrole?

Thanks for your help. I did find the cluster roles but as you mentioned they only granted me rights on Kubernetes - not in kubeflow directly unfortunately.