Securing the Kubeflow authentication with HTTPS
How to secure the Kubeflow authentication with HTTPS using the network load balancer
This guide describes how to secure the Kubeflow authentication with HTTPS. You can enable HTTPS for Kubeflow dashboard (and other web UIs) using the network load balancer (NLB) feature of the IBM Cloud Kubernetes service—choose the classic
worker nodes provider in the Setting environment variables section of the Create an IBM Cloud cluster guide.
Note: For details on NLB, go to the official Classic: About network load balancers guide.
Prerequisites
- Install and configure the IBM Cloud CLI.
- Install multi-user, auth-enabled Kubeflow.
Setting up an NLB
To set up an NLB for your Kubernetes cluster, follow the official Classic: Setting up basic load balancing with an NLB 1.0 guide. Notice that the setup process for a multi-zone cluster differs from that of a single-zone cluster. For details, go to Setting up an NLB 1.0 in a multi-zone cluster.
To use the existing Istio ingress gateway (instead of creating a new service), you need to update the service type of
istio-ingressgateway
toLoadBalancer
fromNodePort
. Run the following command:kubectl patch svc istio-ingressgateway -n istio-system -p '{"spec":{"type":"LoadBalancer"}}'
Verify that the NLB was created successfully. It might take a few minutes for the service to be created and an IP address to be made available. Run the command below and check if you can see the
LoadBalancer Ingress
IP address:kubectl describe service istio-ingressgateway -n istio-system | grep "LoadBalancer Ingress"
Store the external IP of the
istio-ingressgateway
service in an environment variable:export INGRESS_GATEWAY_IP=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
Exposing the Kubeflow dashboard with DNS and TLS termination
The following instructions use the Kubeflow dashboard as an example. However, they apply to other web UI applications, since they all go through the Istio ingress gateway.
Store the Kubernetes cluster name in an environment variable by running the following command:
export CLUSTER_NAME=<cluster_name>
Create a DNS domain and certificates for the IP of the service
istio-ingressgateway
in namespaceistio-system
:ibmcloud ks nlb-dns create classic --cluster $CLUSTER_NAME --ip $INGRESS_GATEWAY_IP --secret-namespace istio-system
List the registered domain names:
ibmcloud ks nlb-dns ls --cluster $CLUSTER_NAME
Wait until the status of the certificate—the fourth field—of the new domain name becomes
created
. Then, save the value of the columnSSL Cert Secret Name
in environment variables by running these commands (replace{SECRET_NAME}
with the secret’s name as shown in theSSL Cert Secret Name
column):export INGRESS_GATEWAY_SECRET={SECRET_NAME}
Note: If there is more than one entry in the output, choose the one that matches the IP address from
LoadBalancer Ingress
(step 2) of serviceistio-ingressgateway
.Create a secret named
istio-ingressgateway-certs
for theistio-ingressgateway
pods in namespaceistio-system
:kubectl get secret $INGRESS_GATEWAY_SECRET -o yaml > istio-ingressgateway-certs.yaml
Update the
istio-ingressgateway-certs.yaml
file by changing the value ofmetadata.name
toistio-ingressgateway-certs
and the value ofmetadata.namespace
toistio-system
. Then, run the following commands:kubectl apply -f istio-ingressgateway-certs.yaml -n istio-system
kubectl rollout restart deploy istio-ingressgateway -n istio-system
rm istio-ingressgateway-certs.yaml
Update the gateway
kubeflow-gateway
to expose port443
. Create a resource filekubeflow-gateway.yaml
as follows by replacing<hostname>
with the value of the columnHostname
in step 4:apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: kubeflow-gateway
namespace: kubeflow
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- '<hostname>'
port:
name: https
number: 443
protocol: HTTPS
tls:
mode: SIMPLE
privateKey: /etc/istio/ingressgateway-certs/tls.key
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
Verify that the traffic is routed via HTTPS by using the value of above-mentioned
Hostname
in your browser. It should redirect traffic from an HTTP address to HTTPS address automatically.
Note: The certificates for the NLB DNS host secret expire every 90 days. The secret in the default
namespace is automatically renewed by IBM Cloud Kubernetes Service 37 days before it expires. After this secret is updated, you must manually copy it to the istio-ingressgateway-certs
secret by repeating commands in step 5 and 6.
Last modified 06.11.2020: Uses AppID for multi-user installation on IKS (#2327) (9a094895)