Profiles
Kubeflow Profiles
A Kubeflow Profile is a unique configuration for a user that determines their access privileges and is defined by the Administrator. Kubeflow uses Profiles to control all policies, roles, and bindings involved, and to guarantee consistency. Resources belonging to a Profile are contained within a Profile namespace.
Profile plugins
Use Profile Plugins
to interface with the Identity and Access Management (IAM) services that manage permissions for external resources outside of Kubernetes.
The AwsIamForServiceAccount
plugin allows the use of AWS IAM access control for Profile users in order to grant or limit access to AWS resources and services.
IAM roles for service accounts
In order for the Profile controller to get the necessary permissions, the Profile controller pod must be recognized as an entity that can interface with AWS IAM. This is done by using IAM roles for service accounts (IRSA).
IRSA allows the use of AWS IAM permission boundaries at the Kubernetes pod level. A Kubernetes service account (SA) is associated with an IAM role with a role policy that scopes the IAM permissions (e.g. S3 read/write access, etc.). When a pod in the SA namespace is annotated with the SA name, EKS injects the IAM role ARN and a token is used to get the credentials so that the pod can make requests to AWS services within the scope of the role policy associated with the IRSA.
For more information, see Amazon EKS IAM roles for service accounts.
Admin considerations
- Kubeflow admins will need to create an IAM role for each Profile with the desired scoped permissions.
- The Profile controller does not have the permissions specified in the Profile roles.
- The Profile controller has permissions to modify the Profile roles, which it will do to grant assume role permissions to the
default-editor
service account (SA) present in the Profile’s namespace. - A
default-editor
SA exists in every Profile’s namespace and will be annotated with the role ARN created for the profile. Pods annotated with the SA name will be granted the Profile role permissions. - The
default-editor
SA is used by various services in Kubeflow to launch resources in Profile namespaces. However, not all services do this by default.
Component-level implementations
The following components have been tested to work with the AwsIamForServiceAccount
plugin:
- Notebooks
- Kubeflow Pipelines SDK
Integration with the AwsIamForServiceAccount
plugin is actively being worked on for all components with Profile-level support.
You can find documentation about the AwsIamForServiceAccount
plugin for specific components in the individual component guides. Read on for general configuration instructions.
Configuration steps
After installing Kubeflow on AWS with one of the available deployment options, you can configure Kubeflow Profiles with the following steps:
-
Define the following environment variables:
export CLUSTER_NAME=<your cluster name> export CLUSTER_REGION=<your region> export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) export PROFILE_NAME=<the name of the profile to be created> export PROFILE_CONTROLLER_POLICY_NAME=<the name of the profile controller policy to be created>
-
Create an IAM policy using the IAM Profile controller policy file.
aws iam create-policy \ --region $CLUSTER_REGION \ --policy-name ${PROFILE_CONTROLLER_POLICY_NAME} \ --policy-document file://awsconfigs/infra_configs/iam_profile_controller_policy.json
As a principle of least privilege, we recommend scoping the resources in the IAM Profile controller policy to the specific policy arns of the policies created in step 6.
-
Associate IAM OIDC with your cluster.
aws --region $CLUSTER_REGION eks update-kubeconfig --name $CLUSTER_NAME eksctl utils associate-iam-oidc-provider --cluster $CLUSTER_NAME --region $CLUSTER_REGION --approve
-
Create an IRSA for the Profile controller using the policy.
eksctl create iamserviceaccount \ --cluster=$CLUSTER_NAME \ --name="profiles-controller-service-account" \ --namespace=kubeflow \ --attach-policy-arn="arn:aws:iam::${AWS_ACCOUNT_ID}:policy/${PROFILE_CONTROLLER_POLICY_NAME}" \ --region=$CLUSTER_REGION \ --override-existing-serviceaccounts \ --approve
-
Create an IAM trust policy to authorize federated requests from the OIDC provider.
export OIDC_URL=$(aws eks describe-cluster --region $CLUSTER_REGION --name $CLUSTER_NAME --query "cluster.identity.oidc.issuer" --output text | cut -c9-) cat <<EOF > trust.json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_URL}" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "${OIDC_URL}:aud": "sts.amazonaws.com" } } } ] } EOF
-
Create an IAM policy to scope the permissions for the Profile. For simplicity, we will use the
arn:aws:iam::aws:policy/AmazonS3FullAccess
policy as an example. -
Create an IAM role for the Profile using the scoped policy from the previous step.
aws iam create-role --role-name $PROFILE_NAME-$CLUSTER_NAME-role --assume-role-policy-document file://trust.json aws iam attach-role-policy --role-name $PROFILE_NAME-$CLUSTER_NAME-role --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
-
Create a user in your configured auth provider (e.g. Cognito or Dex) or use an existing user.
Export the user as an environment variable. For simplicity, we will use the
user@example.com
user that is created by default by most of our provided deployment options.export PROFILE_USER="user@example.com"
-
Create a Profile using the
PROFILE_NAME
.cat <<EOF > profile_iam.yaml apiVersion: kubeflow.org/v1 kind: Profile metadata: name: ${PROFILE_NAME} spec: owner: kind: User name: ${PROFILE_USER} plugins: - kind: AwsIamForServiceAccount spec: awsIamRole: $(aws iam get-role --role-name $PROFILE_NAME-$CLUSTER_NAME-role --output text --query 'Role.Arn') EOF kubectl apply -f profile_iam.yaml
Use Kubeflow Profiles with Notebooks
Verify your configuration by creating and running a Kubeflow Notebook.