create a self-serve component for data-scientists #1872
Conversation
…tacontroller latest
|
/assign @jlewi |
|
/assign @lluunn |
|
Thanks. Could we also add an option to the Profile to use a user account/IAM rather than ServiceAccount? I'd like to be able to create a profile for user bob@acme.com and just have the RBacBinding defined in terms of that user so that if I'm running kubectl on my laptop, I can already access K8s resources using bob@acme.com. I think I'd still like the profile to define / create an appropriate service account. This would be used as a robot account by resources (TFJobs, Argo Workflows, etc...) that user bob might create. e.g. User Bob might create an Argo workflow that used ServiceAccount "bobs-robot" so that the running ArgoWorkflow I think it would be reasonable to filing issues for some of this and doing it in follow on work. |
Will incorporate. Thanks. |
|
@jlewi Ready for review.
owner: {
kind: ServiceAccount
name: joe
namespace: kubeflow
}or owner: {
kind: User
name: joe
apiGroup: rbac.authorization.k8s.io
}and I verified that this works when I submitted a Profile that looks like apiVersion: kubeflow.org/v1alpha1
kind: Profile
metadata:
name: tfoob
namespace: kubeflow
spec:
template:
metadata:
namespace: tfoob
spec:
owner:
apiGroup: rbac.authorization.k8s.io
kind: User
name: kam.d.kasravi@intel.comand one that looks like apiVersion: kubeflow.org/v1alpha1
kind: Profile
metadata:
name: cats
namespace: kubeflow
spec:
template:
metadata:
namespace: cats
spec:
owner:
kind: ServiceAccount
name: dean
namespace: kubeflowThe schema for subject is almost the same as the swagger definition for 10.1: owner: {
type: "object",
required: [
"kind",
"name",
],
properties: {
apiGroup: {
type: "string",
},
kind: {
enum: [
"ServiceAccount",
"User",
],
},
namespace: {
type: "string",
},
name: {
type: "string",
},
},
} |
|
/retest |
|
Woo Hoo. /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jlewi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
* initial checkin of projects
* pass params in to get namespace
* fix format
* replaced decoratorcontroller with compositecontroller, upgraded to metacontroller latest
* added cli scripts/kfws
* /retest
* /retest
* /retest
* {Projects, Workspaces} => {Ensembles, Compositions}
* projects=>ensembles
* terminology {profiles,targets}
* fixes for metacontroller, profiles
* fix
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* tag stable
* /retest
* removed Target CRD, added subject as IAM (email) | ServiceAccount
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* initial checkin of projects
* pass params in to get namespace
* fix format
* replaced decoratorcontroller with compositecontroller, upgraded to metacontroller latest
* added cli scripts/kfws
* /retest
* /retest
* /retest
* {Projects, Workspaces} => {Ensembles, Compositions}
* projects=>ensembles
* terminology {profiles,targets}
* fixes for metacontroller, profiles
* fix
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
* tag stable
* /retest
* removed Target CRD, added subject as IAM (email) | ServiceAccount
* /retest
* /retest
* /retest
* /retest
* /retest
* /retest
fixes #1842
See the README.md in this PR under kubeflow/profiles/prototypes
This change is