Introduction to Multi-user Isolation

What does multi-user isolation mean?

This Kubeflow component has stable status. See theKubeflow versioning policies.

In a production environment, it is often necessary to share the same poolof resources across different teams and users. These different users needa reliable way to isolate and protect their own resources, without accidentallyviewing or changing each other’s resources.

Kubeflow v1.0 supports multi-user isolation, which appliesaccess control over namespaces and user-createdresources in a deployment. It provides the users with theconvenience of clutter-free browsing of notebooks, training jobs, servingdeployments and other resources. The isolation mechanisms also preventaccidental deletion/modification of resources of other users in the deployment.

Note that the isolation support in Kubeflow doesn’t provide any hard securityguarantees against malicious attempts by users to infiltrate other user’sprofiles.

Key concepts

administrator: An administrator is someone who creates and maintains the Kubeflow cluster.This person has the permission to grant access permissions to others.

user: A user is someone who has access to some set of resources in the cluster. A userneeds to be granted access permissions by the administrator.

profile: A profile is a grouping of all Kubernetes clusters owned by a user.

Current integration and limitations

The Jupyter notebooks service is the first application to be fully integrated withmulti-user isolation. Access to the notebooks and the creation of notebooks iscontrolled by the profile access policies set by the Administrator or the ownersof the profiles. Resources created by the notebooks (eg. training jobs anddeployments) will also inherit the same access.

Metadata and Pipelines or any other applications currently don’t have fullfledged integration with isolation, though they will have access to the useridentity through the headers of the incoming requests. It’s upto the individualapplications to leverage the available identity and create isolation storiesthat make sense for them.

On GCP, the authentication and identify token is generated by GCP IAM and carriedthrough the requests as a JWT Token in header. Other cloud providers can have asimilar header to provide identity information.

For on-premises deployments, Kubeflow leverages Dex as a federated OpenID connectionprovider and can be integrated with LDAP or Active Directory to provide authenticationand identity services.

Next steps

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified 18.02.2020: Refactor multiuser guides (#1682) (688286b9)