Profiles and Namespaces

About Kubeflow Profiles and Namespaces for multi-user isolation

What is a Kubeflow Profile?

A Profile is a Kubernetes CRD introduced by Kubeflow that wraps a Kubernetes Namespace. Profiles are owned by a single user, and can have multiple contributors with view or modify access. The owner of a profile can add and remove contributors (this can also be done by the cluster administrator).

Profiles and their child Namespaces are reconciled by the Kubeflow Profile Controller, and contributors (not owners) are managed by the Kubeflow Access Management API (KFAM).

Central Dashboard

Select the active profile with the drop-down found in the top bar of Kubeflow Central Dashboard. Most Kubeflow components use the active profile to determine which resources to display, and what permissions to grant.

Users can only see profiles to which they have owner, contributor (read + write), or viewer (read) access.

Kubeflow Central Dashboard - Profile Selector

Automatic Profile Creation

Kubeflow supports automatic profile creation for users who log into Kubeflow for the first time.

The CD_REGISTRATION_FLOW environment variable on the central-dashboard Deployment controls whether automatic profile creation is enabled. By default, automatic profile creation is disabled. When CD_REGISTRATION_FLOW is true, if a user logs into Kubeflow, and is not already a profile owner, they will be prompted to create a profile.

Here is an example of the automatic profile creation flow:

  1. A new user logs into Kubeflow for the first time:

Kubeflow Central Dashboard - Automatic Profile Creation - Step 1

  2. The user can name their profile and click Finish:

Kubeflow Central Dashboard - Automatic Profile Creation - Step 2

Profile Resources

The following resources are created for each profile:

  • A Kubernetes Namespace that shares the same name as the profile.
  • Kubernetes RBAC for Users:
    • For the profile owner, a RoleBinding named namespaceAdmin to ClusterRole/kubeflow-admin
    • For each contributor, a RoleBinding named user-{EMAIL}-clusterrole-{ROLE} to ClusterRole/kubeflow-{ROLE}
      • {EMAIL} is the email of the contributor, special characters replaced with -, cast to lowercase.
      • {ROLE} is the role of the contributor, either edit or view
  • Kubernetes RBAC for ServiceAccounts:
    • For ServiceAccount/default-editor, a RoleBinding named default-editor to ClusterRole/kubeflow-edit
    • For ServiceAccount/default-viewer, a RoleBinding named default-viewer to ClusterRole/kubeflow-view
  • Istio AuthorizationPolicies:
    • For the profile owner, an AuthorizationPolicy named ns-owner-access-istio
    • For each contributor, an AuthorizationPolicy named user-{EMAIL}-clusterrole-{ROLE}
      • {EMAIL} is the email of the contributor, special characters replaced with -, cast to lowercase
      • {ROLE} is the role of the contributor, either edit or view
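Because a contributor grant is only complete when both halves above exist and agree (a RoleBinding for Kubernetes RBAC and an AuthorizationPolicy for Istio), a cluster administrator may want to audit a profile namespace for drift: a RoleBinding with no matching policy, a policy with no matching binding, or a binding whose bound ClusterRole or subject does not match what its name advertises. The following script is an added example, not Kubeflow's own code; it works on plain dicts in the shape of the resources the page lists (in practice you would feed it the output of kubectl get rolebindings,authorizationpolicies -n <profile> -o json). The sample namespace objects are constructed for the example, and the exact character class KFAM treats as "special" when deriving {EMAIL} is an assumption here (every character outside [a-z0-9]).

```python
import json
import re
from typing import Dict, List, Tuple

# Contributor resources follow the naming scheme from the Profile Resources list:
#   user-{EMAIL}-clusterrole-{ROLE}, with {ROLE} being edit or view
CONTRIB_NAME = re.compile(r"^user-(?P<safe>[a-z0-9-]+)-clusterrole-(?P<role>edit|view)$")
USERID_HEADER = "request.headers[kubeflow-userid]"


def safe_email(email: str) -> str:
    """Special characters replaced with '-', cast to lowercase.
    ASSUMPTION: 'special' means every character outside [a-z0-9]."""
    return re.sub(r"[^a-z0-9]", "-", email.lower())


def index_contributors(objects: List[dict], kind: str) -> Dict[Tuple[str, str], dict]:
    """Index contributor objects of one kind by (safe_email, role) parsed from the name.
    namespaceAdmin, default-editor/default-viewer and ns-owner-access-istio do not
    match the contributor pattern and are skipped."""
    found: Dict[Tuple[str, str], dict] = {}
    for obj in objects:
        if obj.get("kind") != kind:
            continue
        match = CONTRIB_NAME.match(obj["metadata"]["name"])
        if match:
            found[(match["safe"], match["role"])] = obj
    return found


def header_users(policy: dict) -> List[str]:
    """Every kubeflow-userid header value the AuthorizationPolicy admits."""
    users: List[str] = []
    for rule in policy.get("spec", {}).get("rules", []):
        for cond in rule.get("when", []):
            if cond.get("key") == USERID_HEADER:
                users.extend(cond.get("values", []))
    return users


def audit_profile(objects: List[dict]) -> Dict[str, List[str]]:
    """Cross-check the RBAC half and the Istio half of every contributor grant."""
    rbs = index_contributors(objects, "RoleBinding")
    aps = index_contributors(objects, "AuthorizationPolicy")
    findings: Dict[str, List[str]] = {"rbac_only": [], "istio_only": [],
                                      "role_mismatch": [], "user_mismatch": []}
    healthy = set()
    for (safe, role), rb in rbs.items():
        label, ok = f"{safe}/{role}", True
        # The ClusterRole actually bound must be the one the name advertises
        if rb["roleRef"]["name"] != f"kubeflow-{role}":
            findings["role_mismatch"].append(label)
            ok = False
        # The annotated user must derive the name and be the only subject
        user = rb["metadata"].get("annotations", {}).get("user", "")
        if safe_email(user) != safe or [s["name"] for s in rb.get("subjects", [])] != [user]:
            findings["user_mismatch"].append(label)
            ok = False
        if (safe, role) not in aps:
            findings["rbac_only"].append(label)
        elif ok:
            healthy.add((safe, role))
    for (safe, role), ap in aps.items():
        label = f"{safe}/{role}"
        user = ap["metadata"].get("annotations", {}).get("user", "")
        # The header value the policy matches must be exactly the annotated user
        if safe_email(user) != safe or header_users(ap) != [user]:
            findings["user_mismatch"].append(label)
            healthy.discard((safe, role))
        if (safe, role) not in rbs:
            findings["istio_only"].append(label)
    findings["consistent"] = [f"{s}/{r}" for s, r in healthy]
    return {k: sorted(set(v)) for k, v in findings.items()}


# --- constructed sample namespace contents (not from a real cluster) ---
def make_rb(user: str, role: str, cluster_role: str = None) -> dict:
    return {"kind": "RoleBinding",
            "metadata": {"name": f"user-{safe_email(user)}-clusterrole-{role}",
                         "annotations": {"role": role, "user": user}},
            "roleRef": {"kind": "ClusterRole", "name": cluster_role or f"kubeflow-{role}"},
            "subjects": [{"kind": "User", "name": user}]}


def make_ap(user: str, role: str, header_user: str = None) -> dict:
    return {"kind": "AuthorizationPolicy",
            "metadata": {"name": f"user-{safe_email(user)}-clusterrole-{role}",
                         "annotations": {"role": role, "user": user}},
            "spec": {"rules": [{"when": [{"key": USERID_HEADER,
                                          "values": [header_user or user]}]}]}}


SAMPLE_NAMESPACE = [
    {"kind": "RoleBinding", "metadata": {"name": "namespaceAdmin"},
     "roleRef": {"kind": "ClusterRole", "name": "kubeflow-admin"},
     "subjects": [{"kind": "User", "name": "admin@example.com"}]},
    make_rb("alice@example.com", "edit"), make_ap("alice@example.com", "edit"),  # complete
    make_rb("Bob@example.com", "view"),                                         # RBAC only
    make_ap("carol@example.com", "edit"),                                       # Istio only
    make_rb("dave@example.com", "view", "kubeflow-edit"), make_ap("dave@example.com", "view"),
    make_rb("erin@example.com", "view"), make_ap("erin@example.com", "view", "frank@example.com"),
]

if __name__ == "__main__":
    print(json.dumps(audit_profile(SAMPLE_NAMESPACE), indent=2))
```

The dave entry is the one to look at first: its name says view but the bound ClusterRole is kubeflow-edit, so anyone reading the contributor list from names alone would under-estimate that user's access. The erin entry shows the other direction, a policy whose header match no longer agrees with the user it is annotated for.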

Manage Profiles

Because a Profile is a Kubernetes CRD, a cluster administrator can use kubectl commands to manage profiles.

Create a Profile

A cluster administrator can create a new profile with kubectl commands.

First, create a file named my-profile.yaml with the following structure:

apiVersion: kubeflow.org/v1
kind: Profile
metadata:
  ## the profile name will be the namespace name
  ## WARNING: unexpected behavior may occur if the namespace already exists
  name: my-profile
spec:
  ## the owner of the profile
  ## NOTE: you may wish to make a global super-admin the owner of all profiles
  ##       and only give end-users view or modify access to profiles to prevent
  ##       them from adding/removing contributors
  owner:
    kind: User
    name: admin@example.com

  ## plugins extend the functionality of the profile
  ## https://github.com/kubeflow/kubeflow/tree/master/components/profile-controller#plugins
  plugins: []
  
  ## optionally create a ResourceQuota for the profile
  ## https://github.com/kubeflow/kubeflow/tree/master/components/profile-controller#resourcequotaspec
  ## https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/resource-quota-v1/#ResourceQuotaSpec
  resourceQuotaSpec: {}

Next, run the following command to create the profile:

kubectl apply -f my-profile.yaml

List all Profiles

A cluster administrator can list existing profiles using the following command:

kubectl get profiles

Describe a Profile

A cluster administrator can describe a specific profile using the following command:

kubectl describe profile MY_PROFILE_NAME

Delete a Profile

A cluster administrator can delete an existing profile using the following command:

kubectl delete profile MY_PROFILE_NAME

Manage Profile Contributors

Profile contributors are defined by the presence of specific RoleBinding and AuthorizationPolicy resources in the profile namespace.

Manage Contributors with Central Dashboard

The owner of a profile can use the Manage Contributors tab in the Kubeflow Central Dashboard to add or remove contributors.

Kubeflow Central Dashboard - Manage Contributors Link

Contributors are managed with the “Contributors to your namespace” field.

Kubeflow Central Dashboard - Manage Contributors

Manage Contributors Manually

An administrator can manually add contributors to an existing profile by creating the required RoleBinding and AuthorizationPolicy resources in the profile namespace.

Create Contributor RoleBinding

The RoleBinding which grants a user access to a profile is structured as follows:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user-<SAFE_USER_EMAIL>-clusterrole-<USER_ROLE>
  namespace: <PROFILE_NAME>
  annotations:
    role: <USER_ROLE>
    user: <RAW_USER_EMAIL>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeflow-<USER_ROLE>
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <RAW_USER_EMAIL>

Where the following variables are replaced with the appropriate values:

  • <RAW_USER_EMAIL> the email of the user (case-sensitive)
  • <SAFE_USER_EMAIL> the email of the user (special characters replaced with -, and cast to lowercase)
  • <USER_ROLE> the role of the user, either edit or view
  • <PROFILE_NAME> the name of the profile

Create Contributor AuthorizationPolicy

The AuthorizationPolicy which grants a user access to a profile is structured as follows:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: user-<SAFE_USER_EMAIL>-clusterrole-<USER_ROLE>
  namespace: <PROFILE_NAME>
  annotations:
    role: <USER_ROLE>
    user: <RAW_USER_EMAIL>
spec:
  rules:
    - from:
        - source:
            ## for more information see the KFAM code:
            ## https://github.com/kubeflow/kubeflow/blob/v1.8.0/components/access-management/kfam/bindings.go#L79-L110
            principals:
              ## required for kubeflow notebooks
              ## TEMPLATE: "cluster.local/ns/<ISTIO_GATEWAY_NAMESPACE>/sa/<ISTIO_GATEWAY_SERVICE_ACCOUNT>"
              - "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"

              ## required for kubeflow pipelines
              ## TEMPLATE: "cluster.local/ns/<KUBEFLOW_NAMESPACE>/sa/<KFP_UI_SERVICE_ACCOUNT>"
              - "cluster.local/ns/kubeflow/sa/ml-pipeline-ui"
      when:
        - key: request.headers[kubeflow-userid]
          values:
            - <RAW_USER_EMAIL>

Where the following variables are replaced with the appropriate values:

  • <RAW_USER_EMAIL> the email of the user (case-sensitive)
  • <SAFE_USER_EMAIL> the email of the user (special characters replaced with -, and cast to lowercase)
  • <USER_ROLE> the role of the user, either edit or view
  • <PROFILE_NAME> the name of the profile
  • <KUBEFLOW_NAMESPACE> the namespace where Kubeflow is installed
  • <KFP_UI_SERVICE_ACCOUNT> the name of the ServiceAccount used by ml-pipeline-ui Pod
  • <ISTIO_GATEWAY_NAMESPACE> the namespace containing the Istio Gateway Deployment
  • <ISTIO_GATEWAY_SERVICE_ACCOUNT> the name of the ServiceAccount used by the Istio Gateway Pods
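Filling in the two templates above by hand is where naming mistakes creep in (a mixed-case email in the name, a role string that is not edit or view). As an added example, not Kubeflow's or KFAM's own code, the following script derives both manifests from the raw values, validates the role, and lets the four principal variables default to the values shown in the page's template. Rendering to YAML is left to json.dumps here so the script has no dependency beyond the standard library; the "special character" rule for <SAFE_USER_EMAIL> is assumed to mean every character outside [a-z0-9].

```python
import json
import re
from typing import List

VALID_ROLES = ("edit", "view")
USERID_HEADER = "request.headers[kubeflow-userid]"
# Defaults are the values from the page's template for a standard install
DEFAULT_PRINCIPALS = {
    "istio_gateway_namespace": "istio-system",
    "istio_gateway_service_account": "istio-ingressgateway-service-account",
    "kubeflow_namespace": "kubeflow",
    "kfp_ui_service_account": "ml-pipeline-ui",
}


def safe_email(raw_email: str) -> str:
    """<SAFE_USER_EMAIL>: special characters replaced with '-', cast to lowercase.
    ASSUMPTION: 'special' means every character outside [a-z0-9]."""
    return re.sub(r"[^a-z0-9]", "-", raw_email.lower())


def contributor_name(raw_email: str, role: str) -> str:
    """user-<SAFE_USER_EMAIL>-clusterrole-<USER_ROLE>, after validating the inputs."""
    if role not in VALID_ROLES:
        raise ValueError(f"<USER_ROLE> must be one of {VALID_ROLES}, got {role!r}")
    if not raw_email or any(c.isspace() for c in raw_email):
        raise ValueError("<RAW_USER_EMAIL> must be a single non-empty token")
    return f"user-{safe_email(raw_email)}-clusterrole-{role}"


def _metadata(raw_email: str, role: str, profile: str) -> dict:
    return {"name": contributor_name(raw_email, role), "namespace": profile,
            "annotations": {"role": role, "user": raw_email}}


def contributor_rolebinding(raw_email: str, role: str, profile: str) -> dict:
    """The RoleBinding from the page, with the placeholders substituted."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": _metadata(raw_email, role, profile),
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                    "name": f"kubeflow-{role}"},
        # the raw, case-sensitive email is the subject
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User",
                      "name": raw_email}],
    }


def contributor_authorizationpolicy(raw_email: str, role: str, profile: str,
                                    **principals: str) -> dict:
    """The AuthorizationPolicy from the page, with the placeholders substituted."""
    p = {**DEFAULT_PRINCIPALS, **principals}
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "AuthorizationPolicy",
        "metadata": _metadata(raw_email, role, profile),
        "spec": {"rules": [{
            "from": [{"source": {"principals": [
                # required for kubeflow notebooks
                f"cluster.local/ns/{p['istio_gateway_namespace']}/sa/{p['istio_gateway_service_account']}",
                # required for kubeflow pipelines
                f"cluster.local/ns/{p['kubeflow_namespace']}/sa/{p['kfp_ui_service_account']}",
            ]}}],
            "when": [{"key": USERID_HEADER, "values": [raw_email]}],
        }]},
    }


def contributor_manifests(raw_email: str, role: str, profile: str, **principals: str) -> List[dict]:
    """Both resources that together define one contributor of a profile."""
    return [contributor_rolebinding(raw_email, role, profile),
            contributor_authorizationpolicy(raw_email, role, profile, **principals)]


if __name__ == "__main__":
    # constructed sample values, not a real user or cluster
    for doc in contributor_manifests("Alice.Smith@Example.com", "view", "team-a"):
        print(json.dumps(doc, indent=2))
```

Both documents carry the same annotations (role and user) as the page's templates, so a later audit can recover the raw email from the annotation rather than from the sanitized name, which is lossy.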
