Share Namespace with OIDC Group
This section describes how to share a namespace among users that belong to a
group inherited from the OIDC provider. It uses the namespace-permissions base
kustomization and creates an overlay from existing templates.
Important
This feature is under active development.
When you share a namespace with a group, you allow users to access resources on the target namespace directly via the browser.
Currently, users cannot:
- View Kubeflow Pipelines on the shared namespace.
- List Notebooks on the shared namespace.
What You'll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing Kubeflow deployment.
- An existing Kubeflow namespace.
Procedure
Specify the namespace you want to share with a group:
root@rok-tools:~# export NAMESPACE=<NAMESPACE>
Replace <NAMESPACE> with the name of the Kubeflow namespace that you want to share, for example:
root@rok-tools:~# export NAMESPACE=kubeflow-shared
Note
Repeat the procedure below for every group you wish to grant access to this namespace.
Specify the group you want to grant access to this namespace:
root@rok-tools:~# export GROUP=<GROUP_ID>
Replace <GROUP_ID> with the ID of the group you want to grant access to, for example:
root@rok-tools:~# export GROUP=group
Specify the role that the user will have inside that namespace:
root@rok-tools:~# export ROLE=<ROLE>
Replace <ROLE> with the role you want the user to have in the namespace, for example:
root@rok-tools:~# export ROLE=edit
Note
ROLE can be one of view/edit/admin.
Set the name prefix for the Kubernetes resources that you will generate:
root@rok-tools:~# export NAME=${GROUP//[^a-zA-Z0-9\-]/-}-$ROLE
root@rok-tools:~# export OVERLAY=$NAMESPACE-group-$NAME
Note
The name (prefix) should be unique and compatible with DNS-1123. The above command replaces all invalid characters of GROUP with a dash (-).
Switch to the kubeflow/manifests/common directory of your GitOps repository:
root@rok-tools:~# cd ~/ops/deployments/kubeflow/manifests/common
Create a directory for the new overlay:
root@rok-tools:~ops/deployments/kubeflow/manifests/common# mkdir -p namespace-permissions/overlays/$OVERLAY
Create the new overlay:
root@rok-tools:~ops/deployments/kubeflow/manifests/common# j2 namespace-permissions/templates/group/kustomization.yaml.j2 \
>     -o namespace-permissions/overlays/$OVERLAY/kustomization.yaml
root@rok-tools:~ops/deployments/kubeflow/manifests/common# j2 namespace-permissions/templates/group/params.env.j2 \
>     -o namespace-permissions/overlays/$OVERLAY/params.env
Stage changes for commit:
root@rok-tools:~ops/deployments/kubeflow/manifests/common# git add namespace-permissions/overlays/$OVERLAY
Commit your changes:
root@rok-tools:~ops/deployments/kubeflow/manifests/common# git commit -m "Assign '$ROLE' access on namespace '$NAMESPACE' to group '$GROUP'"
Apply the kustomization:
root@rok-tools:~ops/deployments/kubeflow/manifests/common# rok-deploy --apply namespace-permissions/overlays/$OVERLAY
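The naming step in this procedure keeps uppercase letters and can map two different group IDs to the same prefix, so the generated name is not guaranteed to be DNS-1123 compliant or unique. The pre-flight check below is an added example, not part of the Arrikto tooling: its function names and exit codes are hypothetical, and it assumes the DNS-1123 label form (lowercase alphanumerics and dashes, alphanumeric at both ends, at most 63 characters).

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for NAMESPACE, GROUP and ROLE.
# Function names are hypothetical; they are not part of rok-tools.

# Same substitution as the procedure: characters outside [a-zA-Z0-9-] become "-".
overlay_name() {  # usage: overlay_name GROUP ROLE
    local group=$1 role=$2
    printf '%s-%s\n' "${group//[^a-zA-Z0-9\-]/-}" "$role"
}

# Accept only the three roles the procedure lists.
valid_role() {
    case $1 in
        view|edit|admin) return 0 ;;
        *) return 1 ;;
    esac
}

# Assumed rule (DNS-1123 label): [a-z0-9-], alphanumeric at both ends, <= 63 chars.
valid_dns1123_label() {
    local LC_ALL=C name=$1 re='^[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
    [ "${#name}" -le 63 ] && [[ $name =~ $re ]]
}

# Prints OVERLAY and returns 0 when it is safe to generate the overlay.
# Returns 2 (bad role), 3 (invalid name) or 4 (overlay already exists).
check_overlay() {  # usage: check_overlay NAMESPACE GROUP ROLE OVERLAYS_DIR
    local ns=$1 group=$2 role=$3 overlays_dir=$4 name overlay
    valid_role "$role" || { echo "role '$role' is not view/edit/admin" >&2; return 2; }
    name=$(overlay_name "$group" "$role")
    valid_dns1123_label "$name" || { echo "'$name' is not a DNS-1123 label" >&2; return 3; }
    overlay=$ns-group-$name
    # Distinct groups can sanitize to the same name (dev.team and dev_team),
    # so refuse to reuse an overlay directory that already exists.
    [ ! -e "$overlays_dir/$overlay" ] || { echo "overlay '$overlay' exists" >&2; return 4; }
    echo "$overlay"
}
```

Run `check_overlay "$NAMESPACE" "$GROUP" "$ROLE" namespace-permissions/overlays` before creating the overlay directory and continue only if it exits with 0.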
Summary
You have successfully shared a namespace between Kubeflow users that belong to a group inherited from the OIDC provider.
What's Next
Check out the rest of the operations you can perform on your Kubeflow deployment.