Design for Multi-user Isolation

In-depth design for supporting multi-user isolation

This Kubeflow component has stable status. See the Kubeflow versioning policies.

Design overview

Kubeflow multi-tenancy is currently built around user namespaces. Specifically, Kubeflow defines user-specific namespaces and uses Kubernetes role-based access control (RBAC) policies to manage user access.

This feature enables users to share access to their workspaces. Workspace owners can share or revoke workspace access with other users through the Kubeflow UI. Once invited, users have permissions to edit the workspace and operate Kubeflow custom resources.

Kubeflow multi-tenancy is self-served: a new user can self-register to create and own their workspace through the UI.

Kubeflow uses Istio to control in-cluster traffic. By default, requests to user workspaces are denied unless allowed by Istio RBAC. In-bound user requests are identified using an identity provider (for example, Identity Aware Proxy (IAP) on Google Cloud or Dex for on-premises deployments), and then validated by Istio RBAC rules.

Internally, Kubeflow uses the Profile custom resource to control all policies, roles, and bindings involved, and to guarantee consistency. Kubeflow also offers a plugin interface to manage external resources and policies outside Kubernetes, for example interfacing with Amazon Web Services APIs for identity management.
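As an added illustration (not from the Kubeflow docs or source), a Profile for one owner alongside the kind of namespace-scoped RBAC and Istio objects the profile controller reconciles from it. The Profile fields come from the kubeflow.org/v1 API; the object names, the ClusterRole name, and the identity header are assumptions to be checked against your own cluster.

```yaml
# Profile owned by alice. The controller creates namespace "alice" and
# keeps its RBAC bindings and Istio policy consistent with spec.owner.
apiVersion: kubeflow.org/v1
kind: Profile
metadata:
  name: alice                     # becomes the user's namespace
spec:
  owner:
    kind: User
    name: alice@example.com       # identity as asserted by IAP or Dex
  resourceQuotaSpec:              # optional per-workspace quota
    hard:
      cpu: "4"
      memory: 8Gi
---
# Sketch of the Kubernetes RBAC binding the controller manages (names are
# assumptions; verify with: kubectl get rolebinding -n alice).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespaceAdmin
  namespace: alice
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeflow-admin            # assumed aggregate ClusterRole for owners
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: alice@example.com
---
# Sketch of the Istio policy: only requests whose identity header matches
# the owner are allowed into the namespace; everything else stays denied
# by the mesh-wide default described above. Header name is an assumption.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ns-owner-access-istio
  namespace: alice
spec:
  rules:
    - when:
        - key: request.headers[kubeflow-userid]
          values: ["alice@example.com"]
```

Sharing a workspace through the UI adds a further RoleBinding and AuthorizationPolicy rule for the invited user; the owner's Profile itself is unchanged, which is why the Profile, not hand-edited bindings, is the source of truth to audit.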

The following diagram illustrates a Kubeflow multi-tenancy cluster with two user-access routes: via the Kubeflow central dashboard and via the kubectl command-line interface (CLI).

[Figure: multi-tenancy cluster]

Feature requirements

  • Kubeflow uses Istio to apply access control over in-cluster traffic.
  • Kubeflow profile controller needs cluster admin permission.
  • Kubeflow UI needs to be served behind an identity aware proxy. The identity aware proxy and Kubernetes master should share the same identity management.
  • The Kubeflow installation on Google Cloud uses GKE and IAP.
  • On-premises installations of Kubeflow make use of Dex, a flexible OpenID Connect (OIDC) provider.

Supported platforms

  • Kubeflow multi-tenancy is enabled by default if you deploy Kubeflow on GCP with IAP.
  • If you are not on GCP, you can deploy multi-tenancy to your existing cluster.


Last modified 18.02.2020: Refactor multiuser guides (#1682) (688286b9)