
More editorial suggestions on AWS docs.

nrdlngr authored and sarahmaddox committed Apr 24, 2019
1 parent 9165810 commit 19cd6e8e3cae52c30db26c017d0dd43248c6acdf
@@ -12,7 +12,7 @@ External Traffic → [ Ingress → Istio ingress gateway → ambassador ]

When you generate and apply kubernetes resources, an ingress is created to manage external traffic to Kubernetes services. The AWS ALB Ingress Controller will provision an Application Load balancer for that ingress. By default, TLS and authentication are not enabled at creation time.

The Kubeflow community plans to move from [Ambassador](https://www.getambassador.io/) to [Istio](https://istio.io/) to manage internal traffic, see [issue](https://github.com/kubeflow/kubeflow/issues/2261). Currently, [Ambassador](https://www.getambassador.io/) still plays the role of an API gateway. TLS, authentication, and authorization either can be done at the ALB or Istio layer for the AWS platform, and we plan to have Istio forward ingress traffic to the Istio gateway and then on to Ambassador when this happens. Once receive a clear direction from the community, we will enable TLS and authentication by default.
The Kubeflow community plans to move from [Ambassador](https://www.getambassador.io/) to [Istio](https://istio.io/) to manage internal traffic (see [this issue](https://github.com/kubeflow/kubeflow/issues/2261)). Currently, [Ambassador](https://www.getambassador.io/) still plays the role of an API gateway. TLS, authentication, and authorization either can be done at the ALB or Istio layer for the AWS platform, and we plan to have Istio forward ingress traffic to the Istio gateway and then on to Ambassador when this happens. Once receive a clear direction from the community, we will enable TLS and authentication by default.


## Enable TLS and Authentication
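Review bot: The last sentence of the rewritten paragraph still reads "Once receive a clear direction from the community", which has no subject; change it to "Once we receive clear direction from the community, we will enable TLS and authentication by default." In the same paragraph, "either can be done at the ALB or Istio layer" reads better as "can be done at either the ALB or the Istio layer". This paragraph follows the statement that TLS and authentication are not enabled at creation time, so the wording about when they will be enabled should be unambiguous.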
@@ -21,7 +21,7 @@ Right now, certificates for ALB public DNS names are not supported. Instead, you

[AWS Certificate Manager](https://aws.amazon.com/certificate-manager/) is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.

To get TLS support from the ALB Ingress Controller, you need to follow [tutorial](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) to request a certificate in AWS Certificate Manager. After successful validation, you will get a certificate ARN to use with the ALB Ingress Controller.
To get TLS support from the ALB Ingress Controller, you need to follow [this tutorial](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) to request a certificate in AWS Certificate Manager. After successful validation, you will get a certificate ARN to use with the ALB Ingress Controller.

<img src="/docs/images/aws/cognito-certarn.png"
alt="Cognito Certificate ARN"
@@ -57,7 +57,7 @@ After your ingress DNS is ready, you need to create a `CNAME` in your DNS record
alt="Custom Domain CNAME"
class="mt-3 mb-3 border border-info rounded">

Then you can visit `https://www.shanjiaxin.com`, which is a custom domain we use in this case, it will redirect you to an authentication page. We added a user `kubeflow-test-user` in the cognito setting and we can use this user for the login service.
Then you can visit `https://www.shanjiaxin.com`, which is a custom domain we use in this case, it will redirect you to an authentication page. We added a user `kubeflow-test-user` in the Cognito setting and we can use this user for the login service.

<img src="/docs/images/aws/authentication.png"
alt="Cognito Authentication pop-up"
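Review bot: The changed sentence keeps the comma splice "which is a custom domain we use in this case, it will redirect you to an authentication page"; split it after "in this case" and start a new sentence with "You are redirected to an authentication page." The line also leaves a specific real hostname, `https://www.shanjiaxin.com`, as the example URL; a reserved placeholder such as `https://www.example.com` makes it clear that readers must substitute their own domain. "in the Cognito setting" should probably be "in the Cognito settings".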
@@ -77,10 +77,10 @@ nodeGroups:
```

### Customize Private Access
Please see [section](/docs/aws/private-access)
Please see [this section](/docs/aws/private-access)

### Customize Logging
Please see [section](/docs/aws/logging)
Please see [this section](/docs/aws/logging)

### Customize Authentication
Please see [section](/docs/aws/authentication)
Please see [this section](/docs/aws/authentication)
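Review bot: All three replaced lines use "this section" as the link text, which says nothing about the target when the link is read out of context or by a screen reader. Name the destination in the link text (private access, logging, authentication) and end each line with a period.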
@@ -12,7 +12,7 @@ This is one step of [installing Kubeflow](/docs/aws/deploy/install-kubeflow), pl
If you would like to deploy Kubeflow on existing Amazon EKS cluster, the only difference in setup is when you initialize the platform setup. Since you manage your own cluster resources, you need to provide `AWS_CLUSTER_NAME` and `AWS_NODE_GROUP_ROLE_NAMES`.


1. Retrieve your Amazon EKS cluster region, name and the IAM role name for your worker nodes. Set these values to the following environment variables.
1. Retrieve the Amazon EKS cluster name, AWS Region, and IAM role name for your worker nodes. Set these values to the following environment variables.

```shell
export KFAPP=kfapp
@@ -56,9 +56,9 @@ Your Kubeflow `app` directory contains the following files and directories:
* You can use ksonnet to customize Kubeflow.


The provisioning scripts can either bring up a new cluster and install kubeflow on it, or just install kubeflow on your existing cluster. We recommend that you create a new cluster for better isolation.
The provisioning scripts can either bring up a new cluster and install Kubeflow on it, or you can install Kubeflow on your existing cluster. We recommend that you create a new cluster for better isolation.

If you meet any problems in the middle, please check [troubleshooting guidance](/docs/aws/troubleshooting-aws)
If you experience any issues running these scripts, see the [troubleshooting guidance](/docs/aws/troubleshooting-aws) for more information.


## Kubeflow Installation
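Review bot: The new sentence "The provisioning scripts can either bring up a new cluster and install Kubeflow on it, or you can install Kubeflow on your existing cluster" breaks the "either ... or" parallel by switching the subject from the scripts to "you" halfway through. Keep the scripts as the subject: "The provisioning scripts can either bring up a new cluster and install Kubeflow on it, or install Kubeflow on your existing cluster." The following recommendation to create a new cluster "for better isolation" would be more useful if it said what is being isolated from what.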
@@ -75,11 +75,11 @@ If you meet any problems in the middle, please check [troubleshooting guidance](

* KUBEFLOW_SRC - Full path to your preferred download directory. Please use the full absolute path, for example `/tmp/kubeflow-aws`

1. Run the following commands to setup environment and initialize the cluster.
1. Run the following commands to set up your environment and initialize the cluster.

> Note: If you like to install kubeflow on your existing EKS cluster, please skip this step
> and follow steps instead [setup](/docs/aws/deploy/existing-cluster).
> Once you're done, please go to next step directly.
> Note: If you would like to install Kubeflow on your existing EKS cluster, please skip this step
> and follow follow these instructions instead [setup](/docs/aws/deploy/existing-cluster).
> When you are finished, return here and resume with the next step.

```shell
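Review bot: The rewritten note contains a doubled word, "and follow follow these instructions instead", and the link is left dangling after "instead" with the bare text "setup". Suggest "and follow [these instructions](/docs/aws/deploy/existing-cluster) instead." so the sentence reads cleanly and the link text matches the prose.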
@@ -93,18 +93,18 @@ If you meet any problems in the middle, please check [troubleshooting guidance](
```


* AWS_CLUSTER_NAME - Specify a unique name for your Amazon EKS.
* KFAPP - Use a relative directory name here rather than absolute path, like `kfapp`
* AWS_CLUSTER_NAME - Specify a unique name for your Amazon EKS cluster.
* KFAPP - Use a relative directory name here rather than absolute path, such as `kfapp`.
* REGION - Use the AWS Region you want to create your cluster in.

1. Generate and apply platform changes.

You can customize your cluster configuration, control plane logging, and private cluster endpoint access before you `apply platform`, please check [Customizing Kubeflow on AWS](/docs/aws/customizing-aws) for details.
You can customize your cluster configuration, control plane logging, and private cluster endpoint access before you `apply platform`, please see [Customizing Kubeflow on AWS](/docs/aws/customizing-aws) for more information.

```shell
cd ${KFAPP}
${KUBEFLOW_SRC}/scripts/kfctl.sh generate platform
# Customize your Amazon EKS cluster configuration before next step
# Customize your Amazon EKS cluster configuration before following the next step
${KUBEFLOW_SRC}/scripts/kfctl.sh apply platform
```

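Review bot: The replaced sentence before the code block is still a comma splice: "...before you `apply platform`, please see [Customizing Kubeflow on AWS]...". End the first sentence after `apply platform` and start a new one with "See". In the shell comment, "before following the next step" is awkward for a command; "before running the next command" is closer to what the reader does. Since this is the point where control plane logging and private cluster endpoint access can be set, the sentence could also say that these must be configured before `apply platform` runs.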
@@ -114,11 +114,11 @@ If you meet any problems in the middle, please check [troubleshooting guidance](
${KUBEFLOW_SRC}/scripts/kfctl.sh generate k8s
```

__*Important!!!*__ By default, the scripts create an AWS Application Load Balancer for Kubeflow that is open to public. This is good for development testing and for short term use, but we do not recommend that you use this configuration for production workloads.
__*Important!!!*__ By default, these scripts create an AWS Application Load Balancer for Kubeflow that is open to public. This is good for development testing and for short term use, but we do not recommend that you use this configuration for production workloads.

To secure your installation, you have two options:

* Disable ingress before you `apply k8s`. Open `${KUBEFLOW_SRC}/${KFAPP}/env.sh` and edit `KUBEFLOW_COMPONENTS` environment variable. Delete `,\"alb-ingress-controller\",\"istio-ingress\"` and save the file.
* Disable ingress before you `apply k8s`. Open `${KUBEFLOW_SRC}/${KFAPP}/env.sh` and edit the `KUBEFLOW_COMPONENTS` environment variable. Delete `,\"alb-ingress-controller\",\"istio-ingress\"` and save the file.

* Follow the [instructions](/docs/aws/authentication) to add authentication before you `apply k8s`

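Review bot: The warning line still says "open to public" (missing "the") and "short term use" (should be hyphenated as "short-term use"), and "Important!!!" could be toned down to a single "Important:". The warning would also be stronger if it stated what "open" means here: the ingress documentation touched earlier in this commit says TLS and authentication are not enabled at creation time, so the load balancer is reachable from the internet without either. The unchanged last bullet, "Follow the [instructions](/docs/aws/authentication) to add authentication before you `apply k8s`", lacks a closing period.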
@@ -14,7 +14,7 @@ weight = 100
bash: line 1: 404:: command not found
```

Please remove backslash around `{KUBEFLOW_TAG}`.
Please remove the escape backslashes surrounding `{KUBEFLOW_TAG}`.


### Environment File Not Found
@@ -89,7 +89,7 @@ Error from server (NotFound): namespaces "kubeflow" not found
+ echo 'namespace kubeflow successfully deleted.'
```
You can ignore kubernetes resource not found issues in the deletion phase.
You can ignore any Kubernetes "resource not found" errors that occur during the deletion phase.
### InvalidParameterException in UpdateCluster
