Migrate to v1.6.0-rc.1 #378
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| # Identity-Aware Proxy (IAP) Ingress | ||
|
|
||
| [IAP](https://cloud.google.com/iap) establishes a central authorization layer via HTTPS and enables application-level access control. Your kubeflow cluster can only be accessed through the proxy by users, who have the correct Identity and Access Management (IAM) role. When you grant a user access by IAP, they're subject to the fine-grained access controls without requiring a VPN. When a user tries to access the kubeflow cluster, IAP performs authentication and authorization checks. | ||
|
|
||
| IAP is [integrated through Ingress](https://cloud.google.com/iap/docs/enabling-kubernetes-howto). The incoming traffic is handled by [HTTPS Load Balancing](https://cloud.google.com/load-balancing/docs/https), a component of Cloud Load Balancing, configured by the Ingress controller. The Ingress controller gets configuration information from an [Ingress](https://cloud.google.com/kubernetes-engine/docs/concepts/ingress) object (**envoy-ingress**) that is associated with one or more Service objects. Each Service object holds routing information that is used to direct an incoming request to a particular Pod and port. The Ingress controller reads configuration information from the BackendConfig (**iap-backendconfig**) and sets up the load balancer accordingly. **iap-backendconfig** holds configuration information that is specific to Cloud Load Balancing. | ||
|
|
||
| To create a fully qualified domain name (FQDN) for the kubeflow cluster and expose it through HTTPS, we employ [Cloud Endpoints](https://cloud.google.com/endpoints). Cloud Endpoints is an API management system that helps you secure, monitor, analyze, and set quotas on your APIs using the same infrastructure Google uses for its own APIs. Endpoints works with the Extensible Service Proxy (ESP) and the Extensible Service Proxy V2 (ESPv2) to provide API management. Endpoints supports version 2 of the OpenAPI Specification (formerly known as the [Swagger spec](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/2.0.md)) — the industry standard for defining REST APIs. If you are unfamiliar with the OpenAPI Specification, see [OpenAPI Overview](https://cloud.google.com/endpoints/docs/openapi/openapi-overview). | ||
|
|
||
| ## iap-enabler | ||
|
|
||
| [IAP uses](https://cloud.google.com/iap/docs/signed-headers-howto) JSON Web Tokens ([JWT](https://jwt.io/introduction)) to make sure that a request to kubeflow is authorized. This protects kubeflow from IAP being accidentally disabled, misconfigured firewalls, and access from within the project. This *Deployment* applies a RequestAuthentication (**ingress-jwt**) to the kubeflow cluster based on the [policy.yaml template](./base/policy.yaml). | ||
|
|
||
| ## backend-updater | ||
|
|
||
| HTTPS Load Balancing requires a [health check](https://cloud.google.com/load-balancing/docs/health-check-concepts) to determine if backend (**istio-ingressgateway**) responds to traffic. This *StatefulSet* updates the **iap-backendconfig** with the appropriate backend port and backend path for the corresponding health check. | ||
|
|
||
| ## cloud-endpoints-enabler | ||
|
|
||
| This *Deployment* is introduced to replace cloud-endpoints-controller. It [establishes a cloud endpoint](https://cloud.google.com/endpoints/docs/openapi/get-started-kubernetes-engine-espv2) using OpenAPI specification. It uses [swagger_template.yaml](./base/swagger_template.yaml) to build an appropriate OpenAPI spec. This template was used in the original [cloud-endpoint-controller](https://github.com/danisla/cloud-endpoints-controller) (deprecated) in Kubeflow 1.5.1 and earlier. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -180,7 +180,7 @@ data: | |
| sleep 3600 | ||
| done | ||
| setup_cloudendpoints.sh: | | ||
| #!/bin/bash | ||
| # | ||
| # A simple shell script to configure a cloud endpoint | ||
| set -x | ||
|
|
@@ -236,24 +236,25 @@ data: | |
| echo BACKEND_ID=${BACKEND_ID} | ||
|
|
||
| JWT_AUDIENCE="/projects/${PROJECT_NUM}/global/backendServices/${BACKEND_ID}" | ||
|
|
||
| # We use a regular expression to obtain the IP address of the target Ingress, assuming IPv4 standard. | ||
| INGRESS_TARGET_IP=$(kubectl get ingress --all-namespaces | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)") | ||
gkcalat marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| echo "[DEBUG] ENDPOINT_NAME = ${ENDPOINT_NAME}" | ||
| echo "[DEBUG] INGRESS_TARGET_IP = ${INGRESS_TARGET_IP}" | ||
| echo "[DEBUG] JWT_AUDIENCE = ${JWT_AUDIENCE}" | ||
|
|
||
| # Create OpenAPI specification for the RESTful Cloud Endpoint | ||
| sed "s|JWT_AUDIENCE|${JWT_AUDIENCE}|;s|ENDPOINT_NAME|${ENDPOINT_NAME}|;s|INGRESS_TARGET_IP|${INGRESS_TARGET_IP}|" /var/envoy-config/swagger_template.yaml > openapi.yaml | ||
|
|
||
| # Deploy and enable the endpoint | ||
| gcloud endpoints services deploy openapi.yaml | ||
|
There was a problem hiding this comment. In my setup, the admin SA does not have enough permissions to execute this. Perhaps we need a new entry in There was a problem hiding this comment. After solving the permission issue above, I have a new endpoint deployed every 30 secs
Is this expected ? There was a problem hiding this comment. Hi @fabito. The purpose of cloud-endpoints-enabler is to create and activate a cloud endpoint during deployment. It's supposed to be deleted at the end of As per permissions, I was not able to reproduce the error you mentioned. Could you create a separate issue with details about your GKE cluster? Current approach clearly has room for improvement. Your contributions are very welcome! |
||
| gcloud services enable ${ENDPOINT_NAME} | ||
|
|
||
| # Create IAM resources used by the endpoint | ||
| gcloud endpoints services add-iam-policy-binding ${ENDPOINT_NAME} \ | ||
| --member serviceAccount:${SERVICE_ACCOUNTNAME} \ | ||
| --role roles/servicemanagement.serviceController | ||
| gcloud projects add-iam-policy-binding ${PROJECT} \ | ||
|
There was a problem hiding this comment. Why do we need apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
name: KUBEFLOW-NAME-admin-cloudtraceagent # kpt-set: ${name}-admin-cloudtraceagent
spec:
member: serviceAccount:[email protected] # kpt-set: serviceAccount:${name}-admin@${gcloud.core.project}.iam.gserviceaccount.com
role: roles/cloudtrace.agent
resourceRef:
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
external: projects/PROJECT # kpt-set: projects/${gcloud.core.project}
There was a problem hiding this comment. This is to enable Cloud Trace for troubleshooting, which we might actually disable for now as it doesn't seem to be a necessary feature. Your suggestion on moving it to the YAML file SGTM though. Thank you for your feedback! |
||
| --member serviceAccount:${SERVICE_ACCOUNTNAME} \ | ||
| --role roles/cloudtrace.agent | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very good writeup! As an additional information, you can share the link to kubeflow/common/iap-ingress/base/config-map.yaml where people can view and update iap-enabler/backend-updater/cloud-endpoints-enabler.