From a2f4089d45563d92417e11518e9c997766dd146b Mon Sep 17 00:00:00 2001 From: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Date: Wed, 13 Nov 2024 14:09:35 +0100 Subject: [PATCH 1/6] add Dex connector guidance Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> --- README.md | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 65 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 16a084d5f..21375bf35 100644 --- a/README.md +++ b/README.md @@ -70,7 +70,7 @@ used from the different projects of Kubeflow: ## Installation -This is for the installation from scratch. For the in-place upgrade guide please jump to the upgrading and extending section. +This is for the installation from scratch. For the in-place upgrade guide please jump to the [Upgrading and extending](#upgrading-and-extending) section. The Manifests WG provides two options for installing Kubeflow official components and common services with kustomize. The aim is to help end users install easily and to help distribution owners build their opinionated distributions from a tested starting point: 
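Review bot: the new link in the Installation hunk assumes a heading whose GitHub slug is `upgrading-and-extending`; that heading is outside this diff, so confirm it reads literally "Upgrading and extending" (the same anchor is reused later in this series for the Dex guidance), otherwise the link silently dead-ends.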
@@ -234,16 +234,21 @@ echo "Installing oauth2-proxy..." kustomize build common/oauth2-proxy/overlays/m2m-dex-only/ | kubectl apply -f - kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy -# Option 2: works on Kind/K3D and other clusters with the proper configuration, and allows K8s service account tokens to be used +# Option 2: works on Kind/K3D and many other clusters with the proper configuration, and allows K8s service account tokens to be used # from outside the cluster via the Istio ingress-gateway. For example for automation with github actions. +# In the end you need to patch the issuer and jwksUri fields in the requestauthentication resource in the istio-system namespace +# as for example done in /common/oauth2-proxy/overlays/m2m-dex-and-kind/kustomization.yaml +# Please follow the guidelines in the section Upgrading and extending below for patching. +# curl --insecure -H "Authorization: Bearer `cat /var/run/secrets/kubernetes.io/serviceaccount/token`" https://kubernetes.default/.well-known/openid-configuration +# from a pod in the cluster should provide you with the issuer of your cluster. # #kustomize build common/oauth2-proxy/overlays/m2m-dex-and-kind/ | kubectl apply -f - #kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy #kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=cluster-jwks-proxy' --timeout=180s -n istio-system ``` -If you want to use OAuth2 Proxy without Dex and conenct it directly to your own IDP, you can refer to this [document](common/oauth2-proxy/README.md#change-default-authentication-from-dex--oauth2-proxy-to-oauth2-proxy-only). But you can also keep Dex and extend it with connectors to your own IDP. -TODO: rough guidance on how to connect Dex to a generic IDP with OIDC. 
+If you want to use OAuth2 Proxy without Dex and conenct it directly to your own IDP, you can refer to this [document](common/oauth2-proxy/README.md#change-default-authentication-from-dex--oauth2-proxy-to-oauth2-proxy-only). But you can also keep Dex and extend it with connectors to your own IDP as explained in the Dex section below. + #### Dex 
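Review bot: the `curl --insecure` example added to the Option 2 comment disables TLS verification against the API server; from inside a pod the cluster CA is mounted next to the token, so `--cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt` gives the same issuer without teaching readers to skip the check. Two smaller points: the rewritten "If you want to use OAuth2 Proxy without Dex" sentence carries over the "conenct" typo from the removed line, and the kustomization path is written with a leading slash (`/common/oauth2-proxy/...`) while every other path in this README is relative (`common/...`).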
@@ -257,6 +262,62 @@ kustomize build common/dex/overlays/oauth2-proxy | kubectl apply -f - kubectl wait --for=condition=ready pods --all --timeout=180s -n auth ``` +To connect to your desired identity providers (LDAP,GitHub,Google,Microsoft,Bitbucket Cloud,LinkedIn,OIDC,SAML,GitLab) please take a look at https://dexidp.io/docs/connectors/oidc/. +We recommend to use OIDC in general, since it is compatible with most providers as for example azure in the following example. +You need to modify https://github.com/kubeflow/manifests/blob/master/common/dex/overlays/oauth2-proxy/config-map.yaml and add some environment variables in https://github.com/kubeflow/manifests/blob/master/common/dex/base/deployment.yaml by adding a patch section in your main Kustomization file. For guidance please check out [Upgrading and extending](#upgrading-and-extending). + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: dex +data: + config.yaml: | + issuer: http://dex.auth.svc.cluster.local:5556/dex + storage: + type: kubernetes + config: + inCluster: true + web: + http: 0.0.0.0:5556 + logger: + level: "debug" + format: text + oauth2: + skipApprovalScreen: true + enablePasswordDB: true + #### WARNING YOU SHOULD NOT USE THE DEFAULT STATIC PASSWORDS + #### and patch /common/dex/base/dex-passwords.yaml in a Kustomize overlay or remove it + staticPasswords: + - email: user@example.com + hashFromEnv: DEX_USER_PASSWORD + username: user + userID: "15841185641784" + staticClients: + # https://github.com/dexidp/dex/pull/1664 + - idEnv: OIDC_CLIENT_ID + redirectURIs: ["/oauth2/callback"] + name: 'Dex Login Application' + secretEnv: OIDC_CLIENT_SECRET + #### Here come the connectors to OIDC providers such as Azure, GCP, GitHub, GitLab etc. + #### Connector config values starting with a "$" will read from the environment. 
+ connectors: + - type: oidc + id: azure + name: azure + config: + issuer: https://login.microsoftonline.com/$TENANT_ID/v2.0 + redirectURI: https://$KUBEFLOW_INGRESS_URL/dex/callback + clientID: $AZURE_CLIENT_ID + clientSecret: $AZURE_CLIENT_SECRET + insecureSkipEmailVerified: true + scopes: + - openid + - profile + - email + #- groups # groups might be used in the future +``` + #### Knative Knative is used by the KServe official Kubeflow component. From 7043cc44773eb5c68b71934ffc10efc607689164 Mon Sep 17 00:00:00 2001 From: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Date: Wed, 13 Nov 2024 14:19:26 +0100 Subject: [PATCH 2/6] add Dex, oauth2 and k8s token guidance Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> --- README.md | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 21375bf35..1fd2285b5 100644 --- a/README.md +++ b/README.md 
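Review bot: `insecureSkipEmailVerified: true` in the azure connector example makes Dex accept an email claim the upstream provider has not marked as verified, and that email is the identity Kubeflow works with; the example should either drop the flag or say why it is needed for this provider, so readers do not copy it verbatim for IDPs that do set `email_verified`. Also, the sentence introducing the block lists every connector type but links only to https://dexidp.io/docs/connectors/oidc/ (the connectors index would cover the list), and since `$TENANT_ID`, `$KUBEFLOW_INGRESS_URL`, `$AZURE_CLIENT_ID` and `$AZURE_CLIENT_SECRET` are read from the environment, the text should state that they must be added to the Dex deployment patch alongside `OIDC_CLIENT_ID` and `OIDC_CLIENT_SECRET`.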
@@ -228,13 +228,13 @@ echo "Installing oauth2-proxy..." # Only uncomment ONE of the following overlays, they are mutually exclusive, # see `common/oauth2-proxy/overlays/` for more options. -# OPTION 1: works on most clusters, does NOT allow K8s service account +# OPTION 1: works on most clusters, does NOT allow K8s service account # tokens to be used from outside the cluster via the Istio ingress-gateway. # kustomize build common/oauth2-proxy/overlays/m2m-dex-only/ | kubectl apply -f - kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy -# Option 2: works on Kind/K3D and many other clusters with the proper configuration, and allows K8s service account tokens to be used +# Option 2: works on Kind, K3D, Rancher, GKE and many other clusters with the proper configuration, and allows K8s service account tokens to be used # from outside the cluster via the Istio ingress-gateway. For example for automation with github actions. # In the end you need to patch the issuer and jwksUri fields in the requestauthentication resource in the istio-system namespace # as for example done in /common/oauth2-proxy/overlays/m2m-dex-and-kind/kustomization.yaml 
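Review bot: the OPTION 1 line in this hunk differs from the removed one only by trailing whitespace; fine to clean up, but it inflates a text-only change and is worth a word in the commit message. The widened Option 2 platform list (Kind, K3D, Rancher, GKE) would also read more consistently with the "OPTION 1"/"OPTION 3" capitalization used for the sibling comments.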
@@ -245,6 +245,23 @@ kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' #kustomize build common/oauth2-proxy/overlays/m2m-dex-and-kind/ | kubectl apply -f - #kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy #kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=cluster-jwks-proxy' --timeout=180s -n istio-system + +# OPTION 3: works on most EKS clusters with K8s service account +# tokens to be used from outside the cluster via the Istio ingress-gateway. +# +#kustomize build common/oauth2-proxy/overlays/m2m-dex-and-eks/ | kubectl apply -f - +#kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy +``` + +If and after you have finished the installation with Kubernetes serviceaccount token support you should be able to create and use the tokens: +```sh +kubectl port-forward svc/istio-ingressgateway -n istio-system 8080:80 +TOKEN="$(kubectl -n $KF_PROFILE_NAMESPACE create token default-editor)" +client = kfp.Client(host="http://localhost:8080/pipeline", existing_token=token) +curl -v \ + --silent --output /dev/stderr --write-out "%{http_code}" \ + "localhost:8080/jupyter/api/namespaces/${$KF_PROFILE_NAMESPACE}/notebooks" \ + -H "Authorization: Bearer ${TOKEN}" ``` If you want to use OAuth2 Proxy without Dex and conenct it directly to your own IDP, you can refer to this [document](common/oauth2-proxy/README.md#change-default-authentication-from-dex--oauth2-proxy-to-oauth2-proxy-only). But you can also keep Dex and extend it with connectors to your own IDP as explained in the Dex section below. From bf378b513bdf987e161eb932f6482c82c5e793fd Mon Sep 17 00:00:00 2001 From: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Date: Wed, 13 Nov 2024 14:24:57 +0100 Subject: [PATCH 3/6] add Dex, oauth2 and k8s token guidance 
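Review bot: the verification snippet added after OPTION 3 does not run as written: `${$KF_PROFILE_NAMESPACE}` is a bad substitution in bash (it should be `${KF_PROFILE_NAMESPACE}`), and `client = kfp.Client(host=..., existing_token=token)` is Python inside an `sh` fence that refers to lowercase `token` while the shell variable is `TOKEN`. Suggest keeping only shell in this block and moving the kfp call to its own python block with the token value passed in. It is also worth saying that `kubectl create token` returns a short-lived token (the API server default is one hour), so readers do not bake it into long-running automation.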
Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1fd2285b5..836e6f65d 100644 --- a/README.md +++ b/README.md @@ -248,6 +248,7 @@ kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' # OPTION 3: works on most EKS clusters with K8s service account # tokens to be used from outside the cluster via the Istio ingress-gateway. +# You have to adjust AWS_REGION and CLUSTER_ID in common/oauth2-proxy/overlays/m2m-dex-and-eks/ first. # #kustomize build common/oauth2-proxy/overlays/m2m-dex-and-eks/ | kubectl apply -f - #kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy From 41b13e30dfcd3c0506eb4ebfa19f1b0b54aba2dd Mon Sep 17 00:00:00 2001 From: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Date: Wed, 13 Nov 2024 14:26:26 +0100 Subject: [PATCH 4/6] add Dex, oauth2 and k8s token guidance Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> --- README.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/README.md b/README.md index 836e6f65d..fc08e20ff 100644 --- a/README.md +++ b/README.md 
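Review bot: the added OPTION 3 line tells readers to adjust AWS_REGION and CLUSTER_ID but not in which file of `common/oauth2-proxy/overlays/m2m-dex-and-eks/` they live or what shape CLUSTER_ID takes; name the file and, if these values build the issuer and jwksUri of the RequestAuthentication as the Option 2 comment describes for Kind, say so, otherwise the instruction is not actionable.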
@@ -259,10 +259,7 @@ If and after you have finished the installation with Kubernetes serviceaccount t kubectl port-forward svc/istio-ingressgateway -n istio-system 8080:80 TOKEN="$(kubectl -n $KF_PROFILE_NAMESPACE create token default-editor)" client = kfp.Client(host="http://localhost:8080/pipeline", existing_token=token) -curl -v \ - --silent --output /dev/stderr --write-out "%{http_code}" \ - "localhost:8080/jupyter/api/namespaces/${$KF_PROFILE_NAMESPACE}/notebooks" \ - -H "Authorization: Bearer ${TOKEN}" +curl -v "localhost:8080/jupyter/api/namespaces/${$KF_PROFILE_NAMESPACE}/notebooks" -H "Authorization: Bearer ${TOKEN}" ``` If you want to use OAuth2 Proxy without Dex and conenct it directly to your own IDP, you can refer to this [document](common/oauth2-proxy/README.md#change-default-authentication-from-dex--oauth2-proxy-to-oauth2-proxy-only). But you can also keep Dex and extend it with connectors to your own IDP as explained in the Dex section below. From 7df84ab6538022fea0eb7f233b28ccd5840e6de6 Mon Sep 17 00:00:00 2001 From: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Date: Wed, 13 Nov 2024 14:52:15 +0100 Subject: [PATCH 5/6] add Dex, oauth2 and k8s token guidance Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index fc08e20ff..5e36878c4 100644 --- a/README.md +++ b/README.md 
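Review bot: the simplified curl line still contains `${$KF_PROFILE_NAMESPACE}`, which bash rejects as a bad substitution; it should be `${KF_PROFILE_NAMESPACE}`. With `-v`, curl also prints the outgoing `Authorization: Bearer ...` header, so readers will echo the service account token into their terminal and into any pasted logs; the `--write-out "%{http_code}"` form this hunk removes, minus the `-v`, checks the status without leaking the token.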
@@ -569,7 +569,9 @@ For security reasons, we don't want to use the default username and email for th ### Change default user password -For security reasons, we don't want to use the default password for the default Kubeflow user when installing in security-sensitive environments. Instead, you should define your own password and apply it either **before creating the cluster** or **after creating the cluster**. +If you have an identy provider (LDAP,GitHub,Google,Microsoft,Bitbucket Cloud,LinkedIn,OIDC,SAML,GitLab) available you should use that instead of static passwords and connect it to oauth2-proxy or Dex as explained in the sections above. This is best practices instead of using static passwords. + +For security reasons, we don't want to use the default static password for the default Kubeflow user when installing in security-sensitive environments. Instead, you should define your own password and apply it either **before creating the cluster** or **after creating the cluster**. Pick a password for the default user, with email `user@example.com`, and hash it using `bcrypt`: From a3d1fb399c16f00a3b5ebf4e99b7f75e6567917e Mon Sep 17 00:00:00 2001 From: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Date: Wed, 13 Nov 2024 14:53:23 +0100 Subject: [PATCH 6/6] add Dex, oauth2 and k8s token guidance Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5e36878c4..541bb6ac5 100644 --- a/README.md +++ b/README.md 
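Review bot: the added paragraph has a typo ("identy" for "identity"), and "This is best practices instead of using static passwords" repeats the sentence before it; suggest "This is best practice." or dropping the sentence. It also points to "the sections above" for connecting the IDP; linking the Dex and oauth2-proxy sections directly, as the Installation hunk does with `#upgrading-and-extending`, would make the pointer usable.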
@@ -277,7 +277,7 @@ kustomize build common/dex/overlays/oauth2-proxy | kubectl apply -f - kubectl wait --for=condition=ready pods --all --timeout=180s -n auth ``` -To connect to your desired identity providers (LDAP,GitHub,Google,Microsoft,Bitbucket Cloud,LinkedIn,OIDC,SAML,GitLab) please take a look at https://dexidp.io/docs/connectors/oidc/. +To connect to your desired identity providers (LDAP,GitHub,Google,Microsoft,OIDC,SAML,GitLab) please take a look at https://dexidp.io/docs/connectors/oidc/. We recommend to use OIDC in general, since it is compatible with most providers as for example azure in the following example. You need to modify https://github.com/kubeflow/manifests/blob/master/common/dex/overlays/oauth2-proxy/config-map.yaml and add some environment variables in https://github.com/kubeflow/manifests/blob/master/common/dex/base/deployment.yaml by adding a patch section in your main Kustomization file. For guidance please check out [Upgrading and extending](#upgrading-and-extending). @@ -569,7 +569,7 @@ For security reasons, we don't want to use the default username and email for th ### Change default user password -If you have an identy provider (LDAP,GitHub,Google,Microsoft,Bitbucket Cloud,LinkedIn,OIDC,SAML,GitLab) available you should use that instead of static passwords and connect it to oauth2-proxy or Dex as explained in the sections above. This is best practices instead of using static passwords. +If you have an identy provider (LDAP,GitHub,Google,Microsoft,OIDC,SAML,GitLab) available you should use that instead of static passwords and connect it to oauth2-proxy or Dex as explained in the sections above. This is best practices instead of using static passwords. For security reasons, we don't want to use the default static password for the default Kubeflow user when installing in security-sensitive environments. Instead, you should define your own password and apply it either **before creating the cluster** or **after creating the cluster**.
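Review bot: trimming Bitbucket Cloud and LinkedIn from the connector list is fine, but the sentence still links only to https://dexidp.io/docs/connectors/oidc/ while naming LDAP, GitHub, Google, Microsoft, SAML and GitLab, which have their own connector pages; point the list at the connectors index and keep the oidc link for the recommendation that follows.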
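Review bot: the second hunk only shortens the provider list; "identy" and "This is best practices" survive in the replacement line, so this is the place to fix both rather than a later pass.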