ssl: none from centraldashboard to profiles which cause rbac access denied #7505

Closed
emilyyujieli opened this issue Mar 12, 2024 · 4 comments

emilyyujieli commented Mar 12, 2024

Background
We install kubeflow:v1.8.0 and an individual istio:1.20.3.

Issue
When we use Dex for OIDC authentication and log in to Kubeflow successfully, we get an RBAC access denied error in the UI.
We enabled RBAC debug logging and got log info from the profiles-kfam pod.
istioctl pc log --level "rbac:debug" profiles-kfam-*.kubeflow
k logs -f profiles-kfam-*
We then found out that this is because traffic from centraldashboard to profiles is without SSL and is not able to get the principal info (cluster.local/ns/kubeflow/sa/centraldashboard), so the AuthorizationPolicy profiles-kfam doesn't work.

Any idea how to fix this issue?

@kubeflow-bot kubeflow-bot added this to To Do in Needs Triage Mar 12, 2024
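
Added example (not part of the original issue, and not Kubeflow or Istio code): a shell filter that pairs each Envoy RBAC debug "checking request" line with its verdict and reports whether the caller arrived in plaintext or with a SPIFFE identity, the condition described in the report above. The log lines are constructed, and their field layout (ssl: none, uriSanPeerCertificate:) is assumed from Istio's RBAC debug output; IPs, ports and paths are invented.

```shell
#!/bin/sh
# Constructed sample of sidecar "rbac" debug lines (layout assumed, values invented).
sample_rbac_log() {
cat <<'EOF'
2024-03-12T08:00:01.000000Z debug envoy rbac checking request: requestedServerName: , sourceIP: 10.0.0.7:41000, directRemoteIP: 10.0.0.7:41000, remoteIP: 10.0.0.7:41000,localAddress: 10.0.0.9:8080, ssl: none, headers: ':path', '/example'
2024-03-12T08:00:01.000100Z debug envoy rbac enforced denied, matched policy none
2024-03-12T08:00:05.000000Z debug envoy rbac checking request: requestedServerName: example, sourceIP: 10.0.0.8:52000, directRemoteIP: 10.0.0.8:52000, remoteIP: 10.0.0.8:52000,localAddress: 10.0.0.9:8080, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/kubeflow/sa/centraldashboard, dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':path', '/example'
2024-03-12T08:00:05.000100Z debug envoy rbac enforced allowed, matched policy ns[kubeflow]-policy[profiles-kfam]-rule[0]
EOF
}

# Reads RBAC debug lines on stdin and prints one "verdict sourceIP identity" row
# per request. identity is "plaintext" when no peer certificate was presented,
# which means a principal-based AuthorizationPolicy rule cannot match.
# Assumes each verdict line directly follows its "checking request" line.
classify_rbac() {
  awk '
    /rbac checking request:/ {
      src = "unknown"; id = "unknown"
      if (match($0, /sourceIP: [^,]+/))
        src = substr($0, RSTART + 10, RLENGTH - 10)
      if ($0 ~ /ssl: none/)
        id = "plaintext"
      else if (match($0, /uriSanPeerCertificate: [^,]+/))
        id = substr($0, RSTART + 23, RLENGTH - 23)
      pending = 1; next
    }
    pending && /rbac enforced (allowed|denied)/ {
      verdict = ($0 ~ /enforced denied/) ? "denied" : "allowed"
      print verdict, src, id
      pending = 0
    }'
}

# Counts requests that were denied and carried no mTLS identity.
plaintext_denials() {
  classify_rbac | awk '$1 == "denied" && $3 == "plaintext"' | wc -l | tr -d ' '
}

# Against a live pod (POD is a placeholder):
#   kubectl logs POD -n kubeflow -c istio-proxy | classify_rbac
sample_rbac_log | classify_rbac
```

A "denied ... plaintext" row means the request reached the sidecar without mTLS, so the source IP shows which caller to inspect next.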

ReggieCarey commented Mar 14, 2024

Did you enable TLS in your Istio service mesh?

@emilyyujieli
Author

Did you enable TLS in your Istio service mesh?

Yes, I saw the traffic is from centraldashboard to profile, so I created two DestinationRules on centraldashboard & profile to enable mTLS. But it still ssl.
centraldashboard

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  labels:
    app: centraldashboard
    kustomize.component: centraldashboard
  name: centraldashboard
  namespace: kubeflow
spec:
  host: centraldashboard.kubeflow.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

profile

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  labels:
    app: profiles
    kustomize.component: profiles
  name: profiles-kfam
  namespace: kubeflow
spec:
  host: profiles-kfam.kubeflow.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

@juliusvonkohout
Member

I think that is for kubeflow/manifests

You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform. You can also find there our biweekly meetings, including the commentable Agenda.

/close

Needs Triage automation moved this from To Do to Closed Jun 25, 2024

@juliusvonkohout: Closing this issue.


@kubeflow-bot kubeflow-bot removed this from Closed in Needs Triage Jun 25, 2024