Authentication using OIDC in Azure

Authentication and authorization support through OIDC for Kubeflow in Azure

This section shows the how to set up Kubeflow with authentication and authorization support through OIDC in Azure using Azure Active Directory.

Prerequisites

Kubeflow configuration

  1. Download the kfctl v1.1.0 release from the Kubeflow releases page.

  2. Unpack the tar ball:

    1. tar -xvf kfctl_v1.1.0_<platform>.tar.gz
  3. Run the below commands to build configuration files before deploying Kubeflow. The code below includes an optional command to add the binary kfctl to your path - if you don’t add it, you must use the full path to the kfctl binary each time you run it.

    1. # The following command is optional, to make kfctl binary easier to use.
    2. export PATH=$PATH:<path to where kfctl was unpacked>
    3. # Set KF_NAME to the name of your Kubeflow deployment. This also becomes the
    4. # name of the directory containing your configuration.
    5. # For example, your deployment name can be 'my-kubeflow' or 'kf-test'.
    6. export KF_NAME=<your choice of name for the Kubeflow deployment>
    7. # Set the path to the base directory where you want to store one or more
    8. # Kubeflow deployments. For example, '/opt/'.
    9. # Then set the Kubeflow application directory for this deployment.
    10. export BASE_DIR=<path to a base directory>
    11. export KF_DIR=${BASE_DIR}/${KF_NAME}
    12. # Set the configuration file to use, such as the file specified below:
    13. export CONFIG_URI="https://raw.githubusercontent.com/kubeflow/manifests/v1.1-branch/kfdef/kfctl_azure_aad.v1.1.0.yaml"
    14. # Generate and deploy Kubeflow:
    15. mkdir -p ${KF_DIR}
    16. cd ${KF_DIR}
    17. kfctl build -V -f ${CONFIG_URI}
    • ${KF_NAME} - The name of your Kubeflow deployment. If you want a custom deployment name, specify that name here. For example, my-kubeflow or kf-test. The value of KF_NAME must consist of lower case alphanumeric characters or ‘-‘, and must start and end with an alphanumeric character. The value of this variable cannot be greater than 25 characters. It must contain just a name, not a directory path. This value also becomes the name of the directory where your Kubeflow configurations are stored, that is, the Kubeflow application directory.

    • ${KF_DIR} - The full path to your Kubeflow application directory.

  4. Configure OIDC Auth service settings:

    In /manifests/stacks/azure/application/oidc-authservice/kustomization.yaml update the settings with values corresponding your app registration as follows:

    1. - client_id=<client_id>
    2. - oidc_provider=https://login.microsoftonline.com/<tenant_id>/v2.0
    3. - oidc_redirect_uri=https://<load_balancer_ip> or dns_name>/login/oidc
    4. - oidc_auth_url=https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize
    5. - application_secret=<client_secret>
    6. - skip_auth_uri=
    7. - namespace=istio-system
    8. - userid-header=kubeflow-userid
    9. - userid-prefix=
  5. Configure OIDC scopes:

    In /manifests/istio/oidc-authservice/base/statefulset.yaml update OIDC scopes to remove groups and keep profile and email.

    1. - name: OIDC_SCOPES
    2. value: "profile email"
  6. Deploy Kubeflow:

    1. kfctl apply -V -f ${CONFIG_URI}
  7. Check that the resources were deployed correctly in namespace kubeflow:

    1. kubectl get all -n kubeflow

Expose Kubeflow securely over HTTPS

  1. Update Istio Gateway to expose port 443 with HTTPS and make port 80 redirect to 443:

    1. kubectl edit -n kubeflow gateways.networking.istio.io kubeflow-gateway

    The Gateway spec should look like the following:

    1. apiVersion: networking.istio.io/v1alpha3
    2. kind: Gateway
    3. metadata:
    4. name: kubeflow-gateway
    5. namespace: kubeflow
    6. spec:
    7. selector:
    8. istio: ingressgateway
    9. servers:
    10. - hosts:
    11. - '*'
    12. port:
    13. name: http
    14. number: 80
    15. protocol: HTTP
    16. # Upgrade HTTP to HTTPS
    17. tls:
    18. httpsRedirect: true
    19. - hosts:
    20. - '*'
    21. port:
    22. name: https
    23. number: 443
    24. protocol: HTTPS
    25. tls:
    26. mode: SIMPLE
    27. privateKey: /etc/istio/ingressgateway-certs/tls.key
    28. serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
  2. Expose Kubeflow with a load balancer service:

    To expose Kubeflow with a load balancer service, change the type of the istio-ingressgateway service to LoadBalancer.

    1. kubectl patch service -n istio-system istio-ingressgateway -p '{"spec": {"type": "LoadBalancer"}}'

    After that, obtain the LoadBalancer IP address or Hostname from its status and create the necessary certificate.

    1. kubectl get svc -n istio-system istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0]}'

    Note: If you are exposing Ingress gateway through public IP, make sure it matches the IP address of the OIDC REDIRECT_URL by running:

    1. kubectl get statefulset authservice -n istio-system -o yaml

    If it doesn’t match, update REDIRECT_URL in the StatefulSet to be the public IP address from the last step, by running:

    1. kubectl edit statefulset authservice -n istio-system
    2. kubectl rollout restart statefulset authservice -n istio-system
  3. Create a self-signed Certificate with cert-manager:

    Create a new file certficate.yaml with the YAML below to create a self-signed Certificate with cert-manager. For production environments, you should use appropriate trusted CA Certificate.

    1. apiVersion: cert-manager.io/v1alpha2
    2. kind: Certificate
    3. metadata:
    4. name: istio-ingressgateway-certs
    5. namespace: istio-system
    6. spec:
    7. commonName: istio-ingressgateway.istio-system.svc
    8. # Use ipAddresses if your LoadBalancer issues an IP address
    9. ipAddresses:
    10. - <LoadBalancer IP>
    11. # Use dnsNames if your LoadBalancer issues a hostname
    12. dnsNames:
    13. - <LoadBalancer HostName>
    14. isCA: true
    15. issuerRef:
    16. kind: ClusterIssuer
    17. name: kubeflow-self-signing-issuer
    18. secretName: istio-ingressgateway-certs

    Apply certificate.yaml in istio-system namespace

    1. kubectl apply -f certificate.yaml -n istio-system

    After applying the above Certificate, cert-manager will generate the TLS certificate inside the istio-ingressgateway-certs secrets. The istio-ingressgateway-certs secret is mounted on the istio-ingressgateway deployment and used to serve HTTPS.

  4. Configure Redirect URI for your registered App

    Add the redirect URI below to the app registered with Microsoft Identity:

    https://<YOUR_LOADBALANCER_IP_ADDRESS_OR_DNS_NAME>/login/oidc

    Note: Make sure the app’s redirect URI matches the oidc_redirect_uri value in OIDC auth service settings.

    Navigate to https://<YOUR_LOADBALANCER_IP_ADDRESS_OR_DNS_NAME>/ and start using Kubeflow.

Authenticate Kubeflow pipelines using Kubeflow Pipelines SDK

Perform interactive login from browser by visitng https://<YOUR_LOADBALANCER_IP_ADDRESS_OR_DNS_NAME>/ and copy the value of cookie authservice_session to authenticate using SDK with below code:

  1. import kfp
  2. authservice_session_cookie='authservice_session=<cookie>'
  3. client = kfp.Client(host='https://<YOUR_LOADBALANCER_IP_ADDRESS_OR_DNS_NAME>/pipeline',
  4. cookies=authservice_session_cookie)
  5. client.list_experiments(namespace='<your_namespace>')

Limitation: The current OIDC auth service in Kubeflow system supports only Authorization Code Flow.

Last modified 06.11.2020: Update Azure OIDC guidance to verify statefulset and also lint the yaml to be the same as the autherservice (#2323) (a734f606)