Migrate to v1.6.0-rc.1 #378
@@ -0,0 +1,19 @@ | ||
# Identity-Aware Proxy (IAP) Ingress | ||
|
||
[IAP](https://cloud.google.com/iap) establishes a central authorization layer via HTTPS and enables application-level access control. Your kubeflow cluster can only be accessed through the proxy by users, who have the correct Identity and Access Management (IAM) role. When you grant a user access by IAP, they're subject to the fine-grained access controls without requiring a VPN. When a user tries to access the kubeflow cluster, IAP performs authentication and authorization checks. | ||
|
||
IAP is [integrated through Ingress](https://cloud.google.com/iap/docs/enabling-kubernetes-howto). The incoming traffic is handled by [HTTPS Load Balancing](https://cloud.google.com/load-balancing/docs/https), a component of Cloud Load Balancing, configured by the Ingress controller. The Ingress controller gets configuration information from an [Ingress](https://cloud.google.com/kubernetes-engine/docs/concepts/ingress) object (**envoy-ingress**) that is associated with one or more Service objects. Each Service object holds routing information that is used to direct an incoming request to a particular Pod and port. The Ingress controller reads configuration information from the BackendConfig (**iap-backendconfig**) and sets up the load balancer accordingly. **iap-backendconfig** holds configuration information that is specific to Cloud Load Balancing. | ||
|
||
To create a fully qualified domain name (FQDN) for the kubeflow cluster and expose it through HTTPS, we employ [Cloud Endpoints](https://cloud.google.com/endpoints). Cloud Endpoints is an API management system that helps you secure, monitor, analyze, and set quotas on your APIs using the same infrastructure Google uses for its own APIs. Endpoints works with the Extensible Service Proxy (ESP) and the Extensible Service Proxy V2 (ESPv2) to provide API management. Endpoints supports version 2 of the OpenAPI Specification (formerly known as the [Swagger spec](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/2.0.md)) — the industry standard for defining REST APIs. If you are unfamiliar with the OpenAPI Specification, see [OpenAPI Overview](https://cloud.google.com/endpoints/docs/openapi/openapi-overview). | ||
|
||
## iap-enabler | ||
|
||
[IAP uses](https://cloud.google.com/iap/docs/signed-headers-howto) JSON Web Tokens ([JWT](https://jwt.io/introduction)) to make sure that a request to kubeflow is authorized. This protects kubeflow from IAP being accidentally disabled, misconfigured firewalls, and access from within the project. This *Deployment* applies a RequestAuthentication (**ingress-jwt**) to the kubeflow cluster based on the [policy.yaml template](./base/policy.yaml). | ||
|
||
## backend-updater | ||
|
||
HTTPS Load Balancing requires a [health check](https://cloud.google.com/load-balancing/docs/health-check-concepts) to determine if backend (**istio-ingressgateway**) responds to traffic. This *StatefulSet* updates the **iap-backendconfig** with the appropriate backend port and backend path for the corresponding health check. | ||
|
||
## cloud-endpoints-enabler | ||
|
||
This *Deployment* is introduced to replace cloud-endpoints-controller. It [establishes a cloud endpoint](https://cloud.google.com/endpoints/docs/openapi/get-started-kubernetes-engine-espv2) using OpenAPI specification. It uses [swagger_template.yaml](./base/swagger_template.yaml) to build an appropriate OpenAPI spec. This template was used in the original [cloud-endpoint-controller](https://github.com/danisla/cloud-endpoints-controller) (deprecated) in Kubeflow 1.5.1 and earlier. | ||
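Review bot: the iap-enabler paragraph assigns the protection to the wrong party: IAP only attaches a signed JWT to each request, and it is the backend-side verification performed by the **ingress-jwt** RequestAuthentication that keeps the cluster closed when IAP is accidentally disabled, a firewall is misconfigured, or traffic originates inside the project, so the sentence should say that the RequestAuthentication verifies the IAP-issued JWT and rejects requests that did not pass through the proxy. The paragraph should also state which audience the policy expects, which is the value setup_cloudendpoints.sh computes in `JWT_AUDIENCE="/projects/${PROJECT_NUM}/global/backendServices/${BACKEND_ID}"`, and whether policy.yaml pairs the RequestAuthentication with an AuthorizationPolicy, because a RequestAuthentication alone only validates tokens that are present and still admits requests that carry none. Smaller points: "by users, who have the correct Identity and Access Management (IAM) role" is a restrictive clause and should lose the comma, and the Cloud Endpoints paragraph describes ESP/ESPv2 and API management in general without saying what this deployment actually uses Endpoints for, namely an FQDN whose target is the ingress IP, which is the only part the swagger_template.yaml substitution needs.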
@@ -180,7 +180,7 @@ data: | |
sleep 3600 | ||
done | ||
setup_cloudendpoints.sh: | | ||
#!/usr/bin/env bash | ||
#!/bin/bash | ||
# | ||
# A simple shell script to configure a cloud endpoint | ||
set -x | ||
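Review bot: the interpreter change from `#!/usr/bin/env bash` to `#!/bin/bash` is harmless inside a container image that ships bash at /bin/bash, but since the two lines are otherwise equivalent the commit should state why the `env` lookup is being dropped. The more important issue is on the unchanged context line: `set -x` is the only shell option set, so a failure in any later step (the sed that writes openapi.yaml, the `gcloud endpoints services deploy`) does not stop the script and the remaining `gcloud services enable` and IAM binding commands run anyway; change it to `set -euxo pipefail`, or at least add `set -e`, so the Deployment fails visibly instead of reporting success on a half-configured endpoint.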
@@ -236,24 +236,25 @@ data: | |
echo BACKEND_ID=${BACKEND_ID} | ||
|
||
JWT_AUDIENCE="/projects/${PROJECT_NUM}/global/backendServices/${BACKEND_ID}" | ||
|
||
# We use a regular expression to obtain the IP address of the target Ingress, assuming IPv4 standard. | ||
INGRESS_TARGET_IP=$(kubectl get ingress --all-namespaces | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)") | ||
|
||
|
||
echo "[DEBUG] ENDPOINT_NAME = ${ENDPOINT_NAME}" | ||
echo "[DEBUG] INGRESS_TARGET_IP = ${INGRESS_TARGET_IP}" | ||
echo "[DEBUG] JWT_AUDIENCE = ${JWT_AUDIENCE}" | ||
|
||
# Create OpenAPI specification for the RESTful Cloud Endpoint | ||
sed "s|JWT_AUDIENCE|${JWT_AUDIENCE}|;s|ENDPOINT_NAME|${ENDPOINT_NAME}|;s|INGRESS_TARGET_IP|${INGRESS_TARGET_IP}|" /var/envoy-config/swagger_template.yaml > openapi.yaml | ||
|
||
# Deploy and enable the endpoint | ||
gcloud endpoints services deploy openapi.yaml | ||
fabito: In my setup, the admin SA does not have enough permissions to execute this. Perhaps we need a new entry in

Reply: Hi @fabito. The purpose of cloud-endpoints-enabler is to create and activate a cloud endpoint during deployment. It's supposed to be deleted at the end of

As per permissions, I was not able to reproduce the error you mentioned. Could you create a separate issue with details about your GKE cluster? Current approach clearly has room for improvement. Your contributions are very welcome!
||
|
||
gcloud services enable servicemanagement.googleapis.com | ||
gcloud services enable servicecontrol.googleapis.com | ||
gcloud services enable endpoints.googleapis.com | ||
|
||
gcloud services enable ${ENDPOINT_NAME} | ||
|
||
# Create IAM resources used by the endpoint | ||
gcloud endpoints services add-iam-policy-binding ${ENDPOINT_NAME} \ | ||
--member serviceAccount:${SERVICE_ACCOUNTNAME} \ | ||
--role roles/servicemanagement.serviceController | ||
|
||
gcloud projects add-iam-policy-binding ${PROJECT} \ | ||
Review comment: Why do we need

```yaml
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: KUBEFLOW-NAME-admin-cloudtraceagent # kpt-set: ${name}-admin-cloudtraceagent
spec:
  member: serviceAccount:KUBEFLOW-NAME-admin@PROJECT.iam.gserviceaccount.com # kpt-set: serviceAccount:${name}-admin@${gcloud.core.project}.iam.gserviceaccount.com
  role: roles/cloudtrace.agent
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/PROJECT # kpt-set: projects/${gcloud.core.project}
```

Reply: This is to enable Cloud Trace for troubleshooting, which we might actually disable for now as it doesn't seem to be a necessary feature. Your suggestion on moving it to the YAML file SGTM though. Thank you for your feedback!
||
--member serviceAccount:${SERVICE_ACCOUNTNAME} \ | ||
--role roles/cloudtrace.agent | ||
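Review bot: the enable/deploy order is inverted: `gcloud endpoints services deploy openapi.yaml` runs before the three `gcloud services enable servicemanagement.googleapis.com` / `servicecontrol.googleapis.com` / `endpoints.googleapis.com` lines, yet the deploy itself needs Service Management enabled, so on a project where those APIs are still off the deploy fails and, with only `set -x` in effect, the script carries on to `gcloud services enable ${ENDPOINT_NAME}` for a service that was never created; move the three enable lines above the deploy. The INGRESS_TARGET_IP line is fragile in a different way: `kubectl get ingress --all-namespaces | grep -E -o <dotted-quad>` takes the first IPv4-looking token printed for any Ingress in the cluster, which is the wrong address as soon as a second Ingress has one and is empty while the load balancer IP is still pending, and either value is substituted silently into openapi.yaml by the sed line; read the specific object's status instead, for example `kubectl get ingress envoy-ingress -n <kubeflow namespace> -o jsonpath='{.status.loadBalancer.ingress[0].ip}'`, and abort when the result is empty. Lastly, the project-level `roles/cloudtrace.agent` binding is unrelated to creating the endpoint and, as the thread above already agrees, belongs in a declarative IAMPolicyMember (or can be dropped) rather than being granted imperatively on every run.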
Review comment: Very good writeup! As additional information, you can share the link to kubeflow/common/iap-ingress/base/config-map.yaml where people can view and update iap-enabler/backend-updater/cloud-endpoints-enabler.