Kubeflow

  • Kubeflow Charmers | bundle
  • Cloud
Channel Revision Published
latest/candidate 294 24 Jan 2022
latest/beta 430 30 Aug 2024
latest/edge 423 26 Jul 2024
1.9/stable 426 31 Jul 2024
1.9/beta 420 19 Jul 2024
1.9/edge 425 31 Jul 2024
1.8/stable 414 22 Nov 2023
1.8/beta 411 22 Nov 2023
1.8/edge 413 22 Nov 2023
1.7/stable 409 27 Oct 2023
1.7/beta 408 27 Oct 2023
1.7/edge 407 27 Oct 2023
juju deploy kubeflow --channel 1.9/edge
Show information

Platform:

In Charmed Kubeflow (CKF), authentication is based on Dex. This guide describes the authentication flow for various scenarios.

Unauthenticated request

The authentication flow for an unauthenticated request consists of these steps:

  • User makes an unauthenticated request
    • Redirected to /dex
  • User logs in via Dex
  • Redirected to gatekeeper callback endpoint
    • Sets a cookie with auth token for future requests
  • Redirected back to original page, with authorization token

The flow of an unauthenticated request is shown here:

dex-unauthenticated

  • A user makes a request that goes through Ambassador. To learn more about Ambassador authentication solutions, see here.
  • Ambassador checks with the gatekeeper service before allowing any request to go through
  • The gatekeeper service responds to Ambassador that the request is unauthenticated, and a redirect URL
  • Ambassador returns an HTTP 301 redirecting user to Dex

Logging in

dex-login

  • User makes request to /dex
  • Ambassador is configured to not check with the gatekeeper for requests to /dex
  • Dex presents a login page to the user
  • The user submits their credentials
  • Dex uses the configured connector to authenticate the user against an external auth service
    • Dex may also be configured with basic username/password support. This is the default in Charmed Kubeflow.
    • See the dex configuration section for more information on how to configure Dex with other connectors.
  • Dex redirects the user to a callback URL managed by the gatekeeper

Receive token

dex-callback

  • User makes request to callback URL
  • Ambassador sends request to gatekeeper service
  • Gatekeeper service generates JWT token in the Set-Cookie response header

Authenticated request

dex-authenticated

  • User makes authenticated request
  • Ambassador checks with the gatekeeper service to see if request is authenticated
  • Gatekeeper service affirms request is authenticated by looking at JWT token
  • Ambassador communicates with Kubeflow service for requested endpoint
  • Ambassador returns requested endpoint to user