From 98af702f6ab0850de8c28cdf3b74d6141321a304 Mon Sep 17 00:00:00 2001 From: Cyber Nagle Date: Tue, 8 Oct 2024 10:37:21 +0800 Subject: [PATCH] feat: move oauth2 proxy doc to common/oauth2-proxy/README.md. Signed-off-by: Cyber Nagle --- README.md | 61 ++------------------------------- common/oauth2-proxy/README.md | 63 ++++++++++++++++++++++++++++++++++- 2 files changed, 64 insertions(+), 60 deletions(-) diff --git a/README.md b/README.md index fc597fced7..9a0b755dd5 100755 --- a/README.md +++ b/README.md @@ -244,6 +244,8 @@ kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' It supports user sessions as well as proper token-based machine to machine authentication. +Also, if you need to use OAuth2 Proxy only for the Kubeflow Platform, you can refer to this [doc](common/oauth2-proxy/README.md#change-default-authentication-from-dex--oauth2-proxy-to-oauth2-proxy-only) + #### Dex Dex is an OpenID Connect Identity (OIDC) with multiple authentication backends. In this default installation, it includes a static user with email `user@example.com`. By default, the user's password is `12341234`. For any production Kubeflow deployment, you should change the default password by following [the relevant section](#change-default-user-password). 
@@ -559,65 +561,6 @@ For example, running the above command locally with required packages like _pass 4. Try to login using the new dex password. -### Change default authentication from "dex + oauth2-proxy" to "oauth2-proxy" only - -![auth-flow](common/oauth2-proxy/components/oauth2-flow.svg) - -kubeflow platform is using Istio Ingress Gateway as its entrypoint. - -For the authentication part ,it used Envoy Filter to forward request to Dex(blue lines), and Dex was used as a proxy to retrieve JWT tokens and perform authentication. - -With Kubeflow 1.8 , it integrates with OAuth2 Proxy in Istio Provider, as the Istio Provider is now an industry standard. - -For out-of-the-box purposes, it still uses Dex as an identity provider, but you are now able to use OAuth2 Proxy to directly connect -to your own IdP(Identity Provider: GCP, [AWS](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints-oauth-grants.html), Azure and so on) - -To do so, what you need to do is as follows: -1. create an application on your IdP(purple line) -2. change your [OAuth2 Proxy issuer](https://github.com/kubeflow/manifests/blob/35539f162ea7fafc8c5035d8df0d8d8cf5a9d327/common/oauth2-proxy/base/oauth2-proxy-config.yaml#L10) to your IdP. -3. Under the istio-system namespace, there is a RequestAuthentication resource , you also need to change its issuer to your own IdP.(or you can just directly write a new one) -4. Finally, you can now directly issue a token from your IdP and use this token to access your Kubeflow platform. - -This feature is useful when you need to integrate kubeflow with you current CI/CD platform(eg.,Jenkins), you can now perform M2M(machine-to-machine) authentication. below is a Python code example to use it. 
- - -get JWT token From your IDP - -``` -import requests - -# idp configuration -token_url = "https://your-idp.com/oauth/token" -client_id = "YOUR_CLIENT_ID" -client_secret = "YOUR_CLIENT_SECRET" -username = "YOUR_USERNAME" -password = "YOUR_PASSWORD" -# request header -headers = { - "Content-Type": "application/x-www-form-urlencoded" -} -data = { - "grant_type": "password", - "client_id": client_id, - "client_secret": client_secret, - "username": username, - "password": password, - "scope": "openid profile email" #change your scope -} -response = requests.post(token_url, headers=headers, data=data) -TOKEN = response.json()['access_token'] -``` - -use token to call kubeflow -``` -import kfp -kubeflow_host="https://your_host" -pipeline_host = kubeflow_host + "/pipeline" - -client = kfp.Client(host=pipeline_host, existing_token=TOKEN) - -print(client.list_runs(namespace="your-profile-name")) -``` ## Upgrading and extending diff --git a/common/oauth2-proxy/README.md b/common/oauth2-proxy/README.md index 2110e0b7a0..7f341018e1 100644 --- a/common/oauth2-proxy/README.md +++ b/common/oauth2-proxy/README.md 
@@ -77,9 +77,70 @@ when client calls API to list the KF Pipeline Runs: ``` ### Auth analysis diagram for Kubeflow Pipelines - ![Kubeflow Auth Diagram](./components/kubeflow_auth_diagram.svg) +### Change default authentication from "dex + oauth2-proxy" to "oauth2-proxy" only + +![auth-flow](components/oauth2-flow.svg) + +kubeflow platform is using Istio Ingress Gateway as its entrypoint. + +For the authentication part ,it used Envoy Filter to forward request to Dex(blue lines), and Dex was used as a proxy to retrieve JWT tokens and perform authentication. + +With Kubeflow 1.8 , it integrates with OAuth2 Proxy in Istio Provider, as the Istio Provider is now an industry standard. + +For out-of-the-box purposes, it still uses Dex as an identity provider, but you are now able to use OAuth2 Proxy to directly connect +to your own IdP(Identity Provider: GCP, [AWS](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints-oauth-grants.html), Azure and so on) + +To do so, what you need to do is as follows: +1. create an application on your IdP(purple line) +2. change your [OAuth2 Proxy issuer](https://github.com/kubeflow/manifests/blob/35539f162ea7fafc8c5035d8df0d8d8cf5a9d327/common/oauth2-proxy/base/oauth2-proxy-config.yaml#L10) to your IdP. +3. Under the istio-system namespace, there is a RequestAuthentication resource , you also need to change its issuer to your own IdP.(or you can just directly write a new one) +4. Finally, you can now directly issue a token from your IdP and use this token to access your Kubeflow platform. + +This feature is useful when you need to integrate kubeflow with you current CI/CD platform(eg.,Jenkins), you can now perform M2M(machine-to-machine) authentication. below is a Python code example to use it. 
+ + +get JWT token From your IDP + +``` +import requests + +# idp configuration +token_url = "https://your-idp.com/oauth/token" +client_id = "YOUR_CLIENT_ID" +client_secret = "YOUR_CLIENT_SECRET" +username = "YOUR_USERNAME" +password = "YOUR_PASSWORD" +# request header +headers = { + "Content-Type": "application/x-www-form-urlencoded" +} +data = { + "grant_type": "password", + "client_id": client_id, + "client_secret": client_secret, + "username": username, + "password": password, + "scope": "openid profile email" #change your scope +} +response = requests.post(token_url, headers=headers, data=data) +TOKEN = response.json()['access_token'] +``` + +use token to call kubeflow +``` +import kfp +kubeflow_host="https://your_host" +pipeline_host = kubeflow_host + "/pipeline" + +client = kfp.Client(host=pipeline_host, existing_token=TOKEN) + +print(client.list_runs(namespace="your-profile-name")) +``` + + + ## Kubeflow Notebooks User and M2M Authentication and Authorization The underlying mechanism is the same as in Kubeflow Pipelines.
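Review bot: in the first README.md hunk (`@@ -244,6 +244,8 @@`), the added sentence has no terminating period and uses the bare link text `doc`; suggest `Also, if you need to use OAuth2 Proxy only for the Kubeflow Platform, see the [OAuth2 Proxy README](common/oauth2-proxy/README.md#change-default-authentication-from-dex--oauth2-proxy-to-oauth2-proxy-only).` The anchor slug itself does match the heading added in common/oauth2-proxy/README.md (the quotes and the `+` drop out of the GitHub slug, which is what produces the double hyphen in `dex--oauth2-proxy`), so the cross-file reference should resolve.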
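Review bot: the second README.md hunk (`@@ -559,65 +561,6 @@`) deletes a section that had its own in-page anchor, `#change-default-authentication-from-dex--oauth2-proxy-to-oauth2-proxy-only`; please confirm that no table of contents or other link elsewhere in README.md still points at that anchor, since the only remaining reference visible in this patch is the new one that targets common/oauth2-proxy/README.md. The deletion itself is a clean move: every removed line reappears verbatim in the common/oauth2-proxy/README.md hunk, with only the image path adjusted.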
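Review bot: in the common/oauth2-proxy/README.md hunk (`@@ -77,9 +77,70 @@`), the moved Python example authenticates with `"grant_type": "password"` (the resource owner password grant), which means a human user's password has to be stored in the CI/CD system that the text says this feature is for; since these lines are being re-added anyway, consider switching the example to the `client_credentials` grant for the machine-to-machine case and dropping `username`/`password`, and add a note that the value passed as `existing_token` must be the JWT whose issuer the RequestAuthentication in `istio-system` validates (for many IdPs that is the `id_token`; an `access_token` may be opaque). Smaller points on the same lines: tag both fences as ```` ```python ```` so they render with highlighting; check the HTTP status before `response.json()['access_token']` (e.g. `response.raise_for_status()`); the hunk removes the blank line between `### Auth analysis diagram for Kubeflow Pipelines` and `![Kubeflow Auth Diagram](./components/kubeflow_auth_diagram.svg)`; the moved prose carries over typos worth fixing in transit (`For the authentication part ,it used`, `integrate kubeflow with you current CI/CD platform(eg.,Jenkins)`, `kubeflow platform is using Istio Ingress Gateway`); and three blank lines are added before `## Kubeflow Notebooks User and M2M Authentication and Authorization` where one would do. The relative image path `components/oauth2-flow.svg` is correct for the file's new location.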