diff --git a/README.md b/README.md index 17e026ddb4..13c9203be8 100755 --- a/README.md +++ b/README.md @@ -559,6 +559,67 @@ For example, running the above command locally with required packages like _pass 4. Try to login using the new dex password. +### Change default authtication from "dex + oauth2-proxy" to "oauth2-proxy" only + +![auth-flow](common/oauth2-proxy/components/oauth2-flow.svg) + +kubeflow platform are using istio ingress gateway as it's entrypoint. + +for the authentication part ,it used to be use envoy filter to forward reqeust to dex(blue lines), and using dex as a proxy to retrive JWT token and do authentication. + +with kubeflow 1.8 , it integrate with oauth2 proxy since istio provider now is indestry standard. + +for the purpose of out of box, it still use dex as a identity provider, but , actually , you are now able to using oauth2 proxy to directly connect +to your own IdP(Identity Provider: gcp, [aws](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints-oauth-grants.html), gcp, azure and so on) + +to do so , what you need to is follows: +1. create a application on you IdP(purple line) +2. change your [oauth2 proxy issuer](https://github.com/kubeflow/manifests/blob/35539f162ea7fafc8c5035d8df0d8d8cf5a9d327/common/oauth2-proxy/base/oauth2-proxy-config.yaml#L10) to your IdP. +3. under istio-system namespace, there is a requestauthentication , you also need change it issuer to your own IdP.( or you can just directly write a new one) +4. finally , now you can directly use issue a token from your IdP. and take thit token to access you kubeflow platform. + +this feature is useful when you need to integrate kubeflow with you corrent CI/CD platform for example: Jenkins, you can now able to do m2m authentication. below is Python code example to use it. + + +get JWT token From your IDP + +``` +import requests + +# idp configuration +token_url = "https://your-idp.com/oauth/token" +client_id = "YOUR_CLIENT_ID" +client_secret = "YOUR_CLIENT_SECRET" +username = "YOUR_USERNAME" +password = "YOUR_PASSWORD" +# request header +headers = { + "Content-Type": "application/x-www-form-urlencoded" +} +data = { + "grant_type": "password", + "client_id": client_id, + "client_secret": client_secret, + "username": username, + "password": password, + "scope": "openid profile email" #change your scope +} +response = requests.post(token_url, headers=headers, data=data) +TOKEN = response.json()['access_token'] +``` + +use token to call kubeflow +``` +import kfp +kubeflow_host="https://your_host" +pipeline_host = kubeflow_host + "/pipeline" + +client = kfp.Client(host=pipeline_host, existing_token=TOKEN) + +print(client.list_runs(namespace="your-profile-name")) +``` + + ## Upgrading and extending For modifications and in place upgrades of the Kubeflow platform we provide a rough description for advanced users: diff --git a/common/oauth2-proxy/components/oauth2-flow.svg b/common/oauth2-proxy/components/oauth2-flow.svg new file mode 100644 index 0000000000..eee8551ada --- /dev/null +++ b/common/oauth2-proxy/components/oauth2-flow.svg @@ -0,0 +1,13 @@ + + + + + + + + istio ingress gatewaydexenvoy filteroauth2proxyauth policyIdentityProviderbefore kubeflow 1.8kubeflow 1.9 with oauth2 proxydirectly use oauth2 proxy \ No newline at end of file