From 42550f90abef0be845f65e7e322d91dfce2caf50 Mon Sep 17 00:00:00 2001 From: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Date: Mon, 21 Oct 2024 11:41:02 +0200 Subject: [PATCH] further documentation improvements Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> --- README.md | 27 ++++----------------------- common/oauth2-proxy/README.md | 4 ++-- 2 files changed, 6 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index db54056b1..6743c64a4 100755 --- a/README.md +++ b/README.md @@ -243,7 +243,8 @@ kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' #kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=cluster-jwks-proxy' --timeout=180s -n istio-system ``` -If you want to use OAuth2 Proxy without DEX and conenct it to your own IDP, you can refer to this [document](common/oauth2-proxy/README.md#change-default-authentication-from-dex--oauth2-proxy-to-oauth2-proxy-only) +If you want to use OAuth2 Proxy without Dex and conenct it directly to your own IDP, you can refer to this [document](common/oauth2-proxy/README.md#change-default-authentication-from-dex--oauth2-proxy-to-oauth2-proxy-only). But you can also keep Dex and extend it with connectors to your own IDP. +TODO: rough guidance on how to connect Dex to a generic IDP with OIDC. #### Dex @@ -256,7 +257,7 @@ echo "Installing Dex..." kustomize build common/dex/overlays/oauth2-proxy | kubectl apply -f - kubectl wait --for=condition=ready pods --all --timeout=180s -n auth ``` - + #### Knative Knative is used by the KServe official Kubeflow component. 
@@ -322,27 +323,7 @@ Install the [Multi-User Kubeflow Pipelines](https://www.kubeflow.org/docs/compon ```sh kustomize build apps/pipeline/upstream/env/cert-manager/platform-agnostic-multi-user | kubectl apply -f - ``` -This installs argo with the runasnonroot emissary executor. Please note that you are still responsible to analyze the security issues that arise when containers are run with root access and to decide if the kubeflow pipeline main containers are run as runasnonroot. It is in general strongly recommended that all user-accessible OCI containers run with Pod Security Standards [restricted] -(https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) - -**Multi-User Kubeflow Pipelines dependencies** - -* Istio -* Kubeflow Roles -* OIDC Auth Service (or cloud provider specific auth service) -* Profiles + KFAM - -**Alternative: Kubeflow Pipelines Standalone** - -You can install [Kubeflow Pipelines Standalone](https://www.kubeflow.org/docs/components/pipelines/installation/standalone-deployment/) which - -* does not support multi user separation -* has no dependencies on the other services mentioned here - -You can learn more about their differences in [Installation Options for Kubeflow Pipelines -](https://www.kubeflow.org/docs/components/pipelines/installation/overview/). - -Besides installation instructions in Kubeflow Pipelines Standalone documentation, you need to apply two virtual services to expose [Kubeflow Pipelines UI](https://github.com/kubeflow/pipelines/blob/1.7.0/manifests/kustomize/base/installs/multi-user/virtual-service.yaml) and [Metadata API](https://github.com/kubeflow/pipelines/blob/1.7.0/manifests/kustomize/base/metadata/options/istio/virtual-service.yaml) in kubeflow-gateway. +This installs argo with the runasnonroot emissary executor. 
Please note that you are still responsible to analyze the security issues that arise when containers are run with root access and to decide if the kubeflow pipeline main containers are run as runasnonroot. It is in general strongly recommended that all user-accessible OCI containers run with Pod Security Standards [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). #### KServe diff --git a/common/oauth2-proxy/README.md b/common/oauth2-proxy/README.md index 968488e53..3ebe06c27 100644 --- a/common/oauth2-proxy/README.md +++ b/common/oauth2-proxy/README.md @@ -67,7 +67,7 @@ when a client calls the API to list the KF Pipeline runs: ### Authentication and Authorization analysis diagram for Kubeflow Pipelines ![Kubeflow Auth Diagram](./components/kubeflow_auth_diagram.svg) -### Change the default authentication from "dex + oauth2-proxy" to "oauth2-proxy" only +### Change the default authentication from "Dex + Oauth2-proxy" to "Oauth2-proxy" only The authentication in Kubeflow evolved over time and we dropped envoyfilters and oidc-authservice in favor of RequestAuthentication and Oauth2-proxy in Kubeflow 1.9. ![auth-flow](components/oauth2-flow.svg) 
@@ -77,7 +77,7 @@ You can adjust OAuth2 Proxy to directly connect to your own IDP(Identity Provide 1. Create an application on your IdP (purple line) 2. Change your [OAuth2 Proxy issuer](https://github.com/kubeflow/manifests/blob/35539f162ea7fafc8c5035d8df0d8d8cf5a9d327/common/oauth2-proxy/base/oauth2-proxy-config.yaml#L10) to your IdP. Of course never ever directly, but with kustomize overlays and components. 3. In the istio-system namespace is a RequestAuthentication resource. You need to change its issuer to your own IdP, or even better create an additional one. -4. Finally, you can now directly issue a token from your IdP and use this token to access your Kubeflow platform. +4. You can now directly issue a token from your IdP and use this token to access your Kubeflow platform. This feature is useful when you need to integrate kubeflow with you current CI/CD platform (GitHub Actions, Jenkins) via machine-to-machine authentication.
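Review bot: the added line in the first README.md hunk keeps the typo "conenct" (should be "connect") and commits a placeholder, `TODO: rough guidance on how to connect Dex to a generic IDP with OIDC.`, into the user-facing README. Either write the guidance now (even a short pointer to Dex's connector configuration would do) or track it in an issue and drop the TODO line; also settle on one spelling of the acronym, since this line writes "IDP" while the oauth2-proxy README in the same patch writes "IdP".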
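Review bot: the third README.md hunk deletes the "Multi-User Kubeflow Pipelines dependencies" list and the whole "Alternative: Kubeflow Pipelines Standalone" subsection, including the pointer to the upstream Installation Options page, but the commit message only says "further documentation improvements". If standalone installation is no longer supported or recommended with these manifests, say so in the commit message and leave a one-line note in the README so readers looking for it are not left guessing; if it is still an option, keep at least the link to https://www.kubeflow.org/docs/components/pipelines/installation/overview/. The rewrite of the security paragraph itself is an improvement: the link that was split across a line break (`[restricted]` on one line, `(https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted)` on the next) now renders. While here, `runasnonroot` would be clearer written as the actual securityContext field name `runAsNonRoot`, and "argo" as "Argo".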
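Review bot: the heading rename in common/oauth2-proxy/README.md is case-only ("dex + oauth2-proxy" to "Dex + Oauth2-proxy"), so the generated anchor slug does not change, but the cross-link added in README.md by this same patch points at `#change-default-authentication-from-dex--oauth2-proxy-to-oauth2-proxy-only` while the heading reads "Change the default authentication from ...". The slug derived from that heading keeps the word "the" (`#change-the-default-authentication-from-dex--oauth2-proxy-to-oauth2-proxy-only`), so the link will not resolve; fix the anchor in README.md. Consider also spelling the project name "OAuth2 Proxy" in the heading, which is how the top-level README refers to it.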
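Review bot: the step-4 edit only drops "Finally," and leaves the surrounding text untouched; since the hunk already rewrites this paragraph, fix "you current CI/CD platform" to "your current CI/CD platform" and the context line's "IDP(Identity Provide" to "IdP (Identity Provider)". Step 2's "Of course never ever directly, but with kustomize overlays and components." also reads as a fragment and would be clearer as a full sentence telling the reader to override the issuer via a kustomize overlay or component rather than editing the base config. Finally, "directly issue a token from your IdP" only works once step 3 is done: the RequestAuthentication in istio-system validates the token's issuer, so it is worth stating that the token's `iss` must match the issuer configured there or the request is rejected at the mesh.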