Kubeflow
- Kubeflow Charmers | bundle
- Cloud
Channel | Revision | Published |
---|---|---|
latest/candidate | 294 | 24 Jan 2022 |
latest/beta | 430 | 30 Aug 2024 |
latest/edge | 423 | 26 Jul 2024 |
1.9/stable | 426 | 31 Jul 2024 |
1.9/beta | 420 | 19 Jul 2024 |
1.9/edge | 425 | 31 Jul 2024 |
1.8/stable | 414 | 22 Nov 2023 |
1.8/beta | 411 | 22 Nov 2023 |
1.8/edge | 413 | 22 Nov 2023 |
1.7/stable | 409 | 27 Oct 2023 |
1.7/beta | 408 | 27 Oct 2023 |
1.7/edge | 407 | 27 Oct 2023 |
juju deploy kubeflow --channel 1.9/edge
Deploy Kubernetes operators easily with Juju, the Universal Operator Lifecycle Manager. Need a Kubernetes cluster? Install MicroK8s to create a full CNCF-certified Kubernetes system in under 60 seconds.
Platform:
In Charmed Kubeflow (CKF), authentication is based on Dex. This guide describes the authentication flow for various scenarios.
Unauthenticated request
The authentication flow for an unauthenticated request consists of these steps:
- User makes an unauthenticated request
- Redirected to /dex
- User logs in via Dex
- Redirected to gatekeeper callback endpoint
- Sets a cookie with auth token for future requests
- Redirected back to original page, with authorization token
The flow of an unauthenticated request is shown here:
- A user makes a request that goes through Ambassador. To learn more about Ambassador authentication solutions, see here.
- Ambassador checks with the gatekeeper service before allowing any request to go through
- The gatekeeper service responds to Ambassador that the request is unauthenticated, and a redirect URL
- Ambassador returns an HTTP 301 redirecting user to Dex
Logging in
- User makes request to /dex
- Ambassador is configured to not check with the gatekeeper for requests to /dex
- Dex presents a login page to the user
- The user submits their credentials
- Dex uses the configured connector to authenticate the user against an external auth service
- Dex may also be configured with basic username/password support. This is the default in Charmed Kubeflow.
- See the dex configuration section for more information on how to configure Dex with other connectors.
- Dex redirects the user to a callback URL managed by the gatekeeper
Receive token
- User makes request to callback URL
- Ambassador sends request to gatekeeper service
- Gatekeeper service generates JWT token in the
Set-Cookie
response header
Authenticated request
- User makes authenticated request
- Ambassador checks with the gatekeeper service to see if request is authenticated
- Gatekeeper service affirms request is authenticated by looking at JWT token
- Ambassador communicates with Kubeflow service for requested endpoint
- Ambassador returns requested endpoint to user