[Multi User] Integrate KFP multi user with KF 1.1 #3241
Comments
|
@nrchakradhar Thanks for bringing this up, we have addressed it in #2665 (but we are putting together all pieces of multi user support, you cannot use it right now). This issue is meant to track efforts that need to be merged into Kubeflow, so this particular issue isn't tracked here. |
|
@Bobgy Thanks for the reference. |
|
@Bobgy I see code reference to multi-user but have not tested it. There're also a few issues still opening. just like to know do we have a timeline or milestone when multi-user in pipeline will be available? |
|
Hi @Jeffwan! Please see the main issue tracker for progress: #1223. |
Cool. I will have a check on phase I first and leave some feedbacks |
|
@Bobgy Could you please clarify what this issue is tracking? What is the remaining work? You asked me #1223 (comment) |
|
@jlewi This tracks remaining work to merge manifests to kubeflow manifests master. The unchecked items above are remaining. (I guess you'd want a breakdown for Enable multi user mode for Kubeflow Pipelines, I'll keep updating this when working on this.) |
|
I'm now using https://github.com/kubeflow/pipelines/projects/5 to track efforts merging multi user mode to KF 1.1. Closes this. |
|
In fact, this issue is still clearer on the steps. Keep using this one |
Bobgy
changed the title
|
TODO: I also need to cherry pick a bunch of multi user mode PRs to 1.1 branch. |
|
@Bobgy Do we have an ETA for when all of the PRs will be on the 1.1 branch? |
|
@jlewi GoogleCloudPlatform/kubeflow-distribution#80 and kubeflow/manifests#1374 are the only ones left. |
|
GoogleCloudPlatform/kubeflow-distribution#80 Per comment in this issue turning on istio-sidecar injection in the kubeflow namespace is a pretty big change. Do we really need to it this late in the release cycle? |
|
@jlewi oooops, I just realized ASM 1.4 doesn't support RBAC v1alpha1: https://cloud.google.com/service-mesh/docs/archive/1.4/docs/supported-features#authorization_policy. I'll port the istio RBAC policies to Authorization v1beta1. EDIT: I tried in the cluster, servicerole and servicerolebinding CRDs exist in the cluster, but they don't have any real effect. Requests not satisfying these requirements also just pass through. |
|
It will be the same problem for any component that use |
Hmmmm, I was wrong. I tried a notebook, when accessing it from another account without permission. I got |
|
OK, I found the culprit, it's knative's istio rule: https://github.com/kubeflow/manifests/blob/c300ee9ca30d8b606cd9713d120721f36e86b0ec/knative/knative-serving-install/base/service-role-binding.yaml#L11. It basically allowed any network access from any user to any services in the namespace knative was deployed to. But knative was already moved to its own namespace, so this should no longer be a problem, we can test latest version. |
|
/cc @jlewi |
|
I'll keep this open until verified on GCP platform |
|
UPDATE: verified KFP 1.0.0 with multi user mode working properly on GCP platform. |
Part of #1223 (that's the main issue tracker).
I'm using this issue as a tracker for all the efforts of merging KFP multi user related changes to upstream kubeflow repo.
/priority p0
/assign @Bobgy
/kind feature
My fork to merge kfp multi user manifests with KF 1.0: https://github.com/Bobgy/manifests/tree/kfp-multi-user-master
The text was updated successfully, but these errors were encountered: