pipelines: Follow up on connecting to KFP in multi-user mode. #3022

Merged (2 commits), Oct 14, 2021

Conversation

zijianjoy (Contributor)

To address the comments in #2905:

  • Process of AuthN and AuthZ
  • Cross-namespace section title
  • ServiceAccountToken explanation.
  • Overall doc structure.

cc @bartgras @shuesc1

@google-oss-robot

[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: zijianjoy

content/en/docs/components/pipelines/sdk/connect-api.md (outdated, resolved)
[projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection).
Simply put, the token is first being injected into a Pod (e.g. Jupyter notebook's).
Then Kubeflow Pipelines SDK uses this token to authorize against Kubeflow Pipelines API.
When using Kubeflow Pipelines SDK in the same cluster, it authenticates as default-editor in your namespace using ServiceAccountToken

"When using Kubeflow Pipelines SDK in the same cluster, [it] authenticates as default-editor.."

Could we be more explicit about the situation and what "it" refers to? For example:

"When multiple users employ the Kubeflow Pipelines SDK in the same cluster, the [service/SDK] authenticates the [namespace/role/user?] as default editor..."

Contributor Author

Reworded to following:

When calling Kubeflow Pipelines API in the same cluster, Kubeflow Pipelines SDK authenticates itself as default-editor in your namespace using ServiceAccountToken projection.

Hope it is a bit clearer.

@bartgras (Contributor)

@zijianjoy Please correct me if I'm wrong, but is it the token from default-editor that the KFP SDK uses to authenticate against the KFP API?
As far as I understand, the Pod itself uses default-editor, but a separate, projected token is being used by the KFP SDK.

Quote from the comment:

How does the client find a ServiceAccountToken to use?

Kubernetes has built-in ways to project tokens with specific audience for the ServiceAccount of a pod.
Each container of a pod mounts the token similarly to how it would mount some volume.
The kubelet generates a token and stores it in a file. Then, to retrieve the token, it's just a matter of reading this file.

The KFP client should have a seamless way to

retrieve the path where the token is mounted,
read it, and
use it in request headers.

... and (to my knowledge) the token the SDK retrieves is the one from /var/run/secrets/kubeflow/pipelines/token

Also, have a look at this jupyter Pod (namespace has been already configured with PodDefault):

```yaml
apiVersion: v1
kind: Pod
[ ... ]
spec:
  containers:
  - env:
    # Tells the KFP SDK where the projected token file is mounted
    - name: KF_PIPELINES_SA_TOKEN_PATH
      value: /var/run/secrets/kubeflow/pipelines/token
    image: public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-scipy:v1.4-rc.0
    imagePullPolicy: IfNotPresent
    name: test-jupyter-server
    volumeMounts:
    [ ... ]
    # Standard API-server token of the Pod's ServiceAccount
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-46h49
      readOnly: true
    # Second token, scoped to the pipelines API by its audience
    - mountPath: /var/run/secrets/kubeflow/pipelines
      name: volume-kf-pipeline-token
      readOnly: true
    workingDir: /home/jovyan
  [ ... ]
  volumes:
  [ ... ]
  - name: kube-api-access-46h49
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
  - name: volume-kf-pipeline-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          # Only a service expecting this audience will accept the token
          audience: pipelines.kubeflow.org
          expirationSeconds: 7200
          path: token
```
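The three client-side steps quoted above (find the mounted path, read the file, put the token in a request header), as an added example that is not part of the thread and not the KFP SDK's own code. The token format follows what Kubernetes issues (a JWT whose `sub` is `system:serviceaccount:<namespace>:<name>` and whose `aud` carries the requested audience); the sample token built by `make_sample_token` is constructed and unsigned, because a real one is signed by the API server and only the server verifies it, and the `my-profile` namespace, the `demo` helper and the temp-file layout are assumptions for running offline.

```python
"""Find and use the projected KFP token the way a client in a notebook Pod would.

Added example (not KFP's own code). Sample token is CONSTRUCTED and unsigned;
a real projected token is RS256-signed by the API server, which is the only
party that verifies it (the client just reads the file and sends it).
"""
import base64
import json
import os
import tempfile
import time

TOKEN_ENV = "KF_PIPELINES_SA_TOKEN_PATH"
DEFAULT_TOKEN_PATH = "/var/run/secrets/kubeflow/pipelines/token"
KFP_AUDIENCE = "pipelines.kubeflow.org"
SA_SUBJECT_PREFIX = "system:serviceaccount:"


def resolve_token_path(environ=None):
    """Step 1: the env var injected by the PodDefault wins, else the conventional mount path."""
    env = os.environ if environ is None else environ
    return env.get(TOKEN_ENV, DEFAULT_TOKEN_PATH)


def read_token(path):
    """Step 2: the kubelet writes the token to a file; the client only reads it."""
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read().strip()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Unverified payload decode. Signature checking is the server's job (TokenReview)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def inspect_token(token, now=None):
    """Client-side sanity check: right audience, not expired, and which identity it carries."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if KFP_AUDIENCE not in aud:
        raise ValueError(f"audience {aud} is not {KFP_AUDIENCE!r}; the pipelines API would reject it")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        raise ValueError("token expired (the kubelet rotates the file; re-read it)")
    sub = claims.get("sub", "")
    if not sub.startswith(SA_SUBJECT_PREFIX):
        raise ValueError(f"unexpected subject {sub!r}")
    namespace, serviceaccount = sub[len(SA_SUBJECT_PREFIX):].split(":", 1)
    return {"namespace": namespace, "serviceaccount": serviceaccount, "expires_in": int(exp - now)}


def auth_header(token):
    """Step 3: the token travels as a bearer token in the request headers."""
    return {"Authorization": "Bearer " + token}


def make_sample_token(namespace, serviceaccount, audience, exp, issuer="https://kubernetes.default.svc"):
    """CONSTRUCTED, unsigned (alg=none) stand-in for a kubelet-projected token. Demo only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    claims = {
        "iss": issuer,
        "aud": [audience],
        "sub": f"{SA_SUBJECT_PREFIX}{namespace}:{serviceaccount}",
        "iat": exp - 7200,
        "exp": exp,
    }
    return f"{enc(header)}.{enc(claims)}."


def demo(now=None):
    """Simulate the Pod: write a token file, point the env var at it, then do what the SDK does."""
    now = int(time.time()) if now is None else now
    path = os.path.join(tempfile.mkdtemp(), "token")  # assumption: stands in for the projected mount
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(make_sample_token("my-profile", "default-editor", KFP_AUDIENCE, now + 7200) + "\n")
    token = read_token(resolve_token_path({TOKEN_ENV: path}))
    info = inspect_token(token, now=now)
    info["header"] = auth_header(token)
    # The Pod's ordinary API-server token (no pipelines audience) must not be reused here.
    api_token = make_sample_token("my-profile", "default-editor", "https://kubernetes.default.svc", now + 3607)
    try:
        inspect_token(api_token, now=now)
        info["wrong_audience_rejected"] = False
    except ValueError:
        info["wrong_audience_rejected"] = True
    return info


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audience check is the part worth keeping in a real client: the token under `/var/run/secrets/kubernetes.io/serviceaccount` represents the same ServiceAccount but is minted for the API server, so sending it to the pipelines API fails, and sending the pipelines-scoped token to anything other than the pipelines API should fail too.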

@Bobgy (Contributor) commented Oct 14, 2021

@bartgras the documentation in https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection wasn't very clear on this.

To answer your question, the projected token is a derived token from the service account token (e.g. default-editor here), the projected token has an audience of pipelines.kubeflow.org, so that only the pipelines service will accept the projected token and authenticate you as default-editor.
It is not the same as the service account token, but it represents the service account identity too.

this is a follow up on #2905 (comment)

[projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection).
Simply put, the token is first being injected into a Pod (e.g. Jupyter notebook's).
Then Kubeflow Pipelines SDK uses this token to authorize against Kubeflow Pipelines API.
When calling Kubeflow Pipelines API in the same cluster, Kubeflow Pipelines SDK authenticates itself as `default-editor` in your namespace using ServiceAccountToken
Contributor

nit: instead of default-editor, it's more accurate to say "your Pod's service account" (or any other words with the same meaning), because the example is using default-editor, but people can configure auth with any other service accounts too.

@Bobgy (Contributor) commented Oct 14, 2021

Thanks for the update!
/lgtm

@google-oss-robot google-oss-robot merged commit 6a22143 into kubeflow:master Oct 14, 2021
@Bobgy (Contributor) commented Oct 14, 2021

Ohh, I didn't intend to merge the PR right away. Feel free to leave more comments.

@bartgras (Contributor)

Thanks for clarifying @Bobgy

That made me realize that the Pod manifest in section "Access Kubeflow Pipelines from within any Pod" is
missing `serviceAccountName: default-editor` in `spec`
(and has to be run from a namespace that already has default-editor declared).
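A pre-apply check for the wiring discussed in this thread, as an added example that is not Kubeflow's own tooling. It takes the Pod as a dict (for instance `json.load` of a manifest, or `kubectl get pod <name> -o json`) and verifies the three things that have to line up: `spec.serviceAccountName` is set (Kubernetes otherwise runs the Pod as the namespace's `default` ServiceAccount, and that is the identity any projected token carries), `KF_PIPELINES_SA_TOKEN_PATH` resolves into a projected volume, and that volume's `serviceAccountToken` source has audience `pipelines.kubeflow.org`. `SAMPLE_POD` is constructed from the manifest bartgras posted above with the elided parts dropped; `check_pod`, `fixed_pod` and the `my-profile` namespace are this example's own names.

```python
"""Static check of a Pod manifest for KFP multi-user auth wiring (added example)."""
import copy
import posixpath

TOKEN_ENV = "KF_PIPELINES_SA_TOKEN_PATH"
DEFAULT_TOKEN_PATH = "/var/run/secrets/kubeflow/pipelines/token"
KFP_AUDIENCE = "pipelines.kubeflow.org"


def _covering_mount(mounts, path):
    """Longest volumeMount whose mountPath is the directory (or an ancestor) of path."""
    best = None
    for m in mounts:
        mp = m["mountPath"].rstrip("/")
        if path == mp or path.startswith(mp + "/"):
            if best is None or len(mp) > len(best["mountPath"].rstrip("/")):
                best = m
    return best


def check_pod(pod, expected_sa="default-editor"):
    """Return a list of findings; an empty list means the Pod is wired as the docs describe."""
    findings = []
    spec = pod.get("spec", {})
    sa = spec.get("serviceAccountName")
    if not sa:
        findings.append("spec.serviceAccountName missing: Pod and projected token use the 'default' ServiceAccount")
    elif sa != expected_sa:
        findings.append(f"spec.serviceAccountName is {sa!r}, expected {expected_sa!r}")
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        env = {e["name"]: e.get("value") for e in c.get("env", [])}
        token_path = env.get(TOKEN_ENV) or DEFAULT_TOKEN_PATH  # SDK default when the env var is absent
        mount = _covering_mount(c.get("volumeMounts", []), token_path)
        if mount is None:
            findings.append(f"{name}: nothing mounted at {token_path}")
            continue
        sources = volumes.get(mount["name"], {}).get("projected", {}).get("sources", [])
        rel = posixpath.relpath(token_path, mount["mountPath"].rstrip("/"))
        tokens = [s["serviceAccountToken"] for s in sources
                  if s.get("serviceAccountToken", {}).get("path") == rel]
        if not tokens:
            findings.append(f"{name}: volume {mount['name']!r} has no projected serviceAccountToken at {rel!r}")
            continue
        audience = tokens[0].get("audience")  # absent means the API-server audience, not KFP's
        if audience != KFP_AUDIENCE:
            findings.append(f"{name}: token at {token_path} has audience {audience!r}, expected {KFP_AUDIENCE!r}")
    return findings


def fixed_pod(pod, sa="default-editor"):
    """The fix the thread lands on: name the ServiceAccount explicitly."""
    p = copy.deepcopy(pod)
    p["spec"]["serviceAccountName"] = sa
    return p


# CONSTRUCTED from the manifest in the thread, elided sections dropped; no serviceAccountName.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "test-jupyter-server", "namespace": "my-profile"},
    "spec": {
        "containers": [{
            "name": "test-jupyter-server",
            "image": "public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-scipy:v1.4-rc.0",
            "env": [{"name": TOKEN_ENV, "value": DEFAULT_TOKEN_PATH}],
            "volumeMounts": [
                {"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
                 "name": "kube-api-access-46h49", "readOnly": True},
                {"mountPath": "/var/run/secrets/kubeflow/pipelines",
                 "name": "volume-kf-pipeline-token", "readOnly": True},
            ],
        }],
        "volumes": [
            {"name": "kube-api-access-46h49", "projected": {"sources": [
                {"serviceAccountToken": {"expirationSeconds": 3607, "path": "token"}}]}},
            {"name": "volume-kf-pipeline-token", "projected": {"sources": [
                {"serviceAccountToken": {"audience": KFP_AUDIENCE, "expirationSeconds": 7200, "path": "token"}}]}},
        ],
    },
}

if __name__ == "__main__":
    for finding in check_pod(SAMPLE_POD) or ["ok"]:
        print(finding)
```

Pointing `KF_PIPELINES_SA_TOKEN_PATH` at the Pod's regular token under `/var/run/secrets/kubernetes.io/serviceaccount` is caught by the audience check, since that projection has no `audience` field and so carries the API-server audience rather than `pipelines.kubeflow.org`.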
