Kubeflow

In Charmed Kubeflow (CKF), authentication is based on Dex. This guide describes the authentication flow for various scenarios.

Unauthenticated request

The authentication flow for an unauthenticated request consists of these steps:

• User makes an unauthenticated request
  • Redirected to /dex
• User logs in via Dex
• Redirected to gatekeeper callback endpoint
  • Sets a cookie with auth token for future requests
• Redirected back to original page, with authorization token

The flow of an unauthenticated request is shown here:

• A user makes a request that goes through Ambassador. To learn more about Ambassador authentication solutions, see here.
• Ambassador checks with the gatekeeper service before allowing any request to go through
• The gatekeeper service responds to Ambassador that the request is unauthenticated, and a redirect URL
• Ambassador returns an HTTP 301 redirecting user to Dex

Logging in

• User makes request to /dex
• Ambassador is configured to not check with the gatekeeper for requests to /dex
• Dex presents a login page to the user
• The user submits their credentials
• Dex uses the configured connector to authenticate the user against an external auth service
  • Dex may also be configured with basic username/password support. This is the default in Charmed Kubeflow.
  • See the dex configuration section for more information on how to configure Dex with other connectors.
• Dex redirects the user to a callback URL managed by the gatekeeper

Receive token

• User makes request to callback URL
• Ambassador sends request to gatekeeper service
• Gatekeeper service generates JWT token in the Set-Cookie response header

Authenticated request

• User makes authenticated request
• Ambassador checks with the gatekeeper service to see if request is authenticated
• Gatekeeper service affirms request is authenticated by looking at JWT token
• Ambassador communicates with Kubeflow service for requested endpoint
• Ambassador returns requested endpoint to user