Create Privileged Notebook Server

This guide walks you through granting elevated privileges to all new and existing notebook servers in a namespace of your choice, by binding a Kubernetes cluster role to the service account that those notebook servers use.

What You’ll Need

Procedure

  1. Specify the Kubernetes namespace where you want to deploy privileged notebook servers:

    root@rok-tools:~# export NAMESPACE=<NAMESPACE>

    Replace <NAMESPACE> with the Kubernetes namespace, for example:

    root@rok-tools:~# export NAMESPACE=kubeflow-admin
  2. Specify the Kubernetes service account that the notebook servers will be using:

    root@rok-tools:~# export SERVICE_ACCOUNT=default-editor
  3. Specify the name of the Kubernetes cluster role that you want to provide to the service account:

    root@rok-tools:~# export CLUSTER_ROLE=cluster-admin
  4. Grant the cluster role to the service account:

    root@rok-tools:~# kubectl create clusterrolebinding \
    >     --serviceaccount ${NAMESPACE?}:${SERVICE_ACCOUNT?} \
    >     --clusterrole ${CLUSTER_ROLE?} \
    >     ${CLUSTER_ROLE?}-${NAMESPACE?}-${SERVICE_ACCOUNT?}
  5. Go to the Kubeflow Dashboard and switch to the namespace you specified in step 1.

  6. Navigate to the Notebooks page.

  7. Click the New Notebook button to create a new notebook. Alternatively, click the Connect button to connect to an existing one.

Verify

  1. Go to the Kubeflow Dashboard and switch to the namespace you specified in step 1 of the procedure.

  2. Navigate to the Notebooks page.

  3. Connect to any notebook server.

  4. Start a new terminal inside the notebook.

  5. Verify that the notebook has the necessary privileges:

    jovyan@mynotebook-0:~$ kubectl get namespaces
    kubeflow-admin ...

    Troubleshooting

    Forbidden

    If the above command fails with an error message similar to the following:

    Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:kubeflow-user:default-editor" cannot list resource "namespaces" in API group "" at the cluster scope

    it means that the service account of your notebook server does not match the service account that you granted privileges to.

    To proceed, repeat the procedure using the correct service account and namespace.
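
The Forbidden message names the identity that the API server actually saw. The shell helper below is an added example, not part of the original guide or of the product: it extracts that identity and compares it with the namespace and service account the cluster role binding was created for. The function names sa_from_forbidden and diagnose are hypothetical, and the sample message is the one quoted in the troubleshooting text above.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.

# Error text as quoted in the Troubleshooting section of this page.
SAMPLE_ERROR='Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:kubeflow-user:default-editor" cannot list resource "namespaces" in API group "" at the cluster scope'

# Print "<namespace> <serviceaccount>" taken from a Forbidden message.
# Kubernetes names service account users system:serviceaccount:<ns>:<name>.
# Prints nothing when the message carries no such identity.
sa_from_forbidden() {
    printf '%s\n' "$1" | sed -n \
        's/.*User "system:serviceaccount:\([^:"]*\):\([^:"]*\)".*/\1 \2/p'
}

# diagnose <message> <granted namespace> <granted service account>
# Returns 0 when the denied identity equals the granted one, 1 when it
# differs (and prints the values to use when repeating the procedure),
# 2 when no service account identity can be found in the message.
diagnose() {
    ident=$(sa_from_forbidden "$1")
    if [ -z "$ident" ]; then
        echo "unknown: no service account identity in message"
        return 2
    fi
    seen_ns=${ident% *}   # text before the space
    seen_sa=${ident#* }   # text after the space
    if [ "$seen_ns" = "$2" ] && [ "$seen_sa" = "$3" ]; then
        echo "match: notebook runs as ${seen_ns}:${seen_sa}"
        return 0
    fi
    echo "mismatch: notebook runs as ${seen_ns}:${seen_sa}, binding targets $2:$3"
    echo "export NAMESPACE=${seen_ns}"
    echo "export SERVICE_ACCOUNT=${seen_sa}"
    return 1
}

# Compare the sample error with the values used in the procedure above.
diagnose "$SAMPLE_ERROR" kubeflow-admin default-editor || true
```

For the sample message this reports a mismatch: the notebook runs in kubeflow-user, while the binding was created for kubeflow-admin.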

Summary

You have successfully granted elevated privileges to all new and existing notebook servers in a namespace of your choice.

What’s Next

You can check out the rest of the maintenance operations that you can perform on your cluster.