Share Namespace with OIDC Group

This section describes how to share a namespace among users that belong to a group inherited from the OIDC provider. It uses the namespace-permissions base kustomization and creates an overlay from existing templates.

Important

This feature is under active development.

When you share a namespace with a group, you allow the users in that group to access resources in the target namespace directly via the browser.

Users currently cannot:

  • View Kubeflow Pipelines on the shared namespace.
  • List Notebooks on the shared namespace.

What You'll Need

Procedure

  1. Specify the namespace you want to share with a group:

    root@rok-tools:~# export NAMESPACE=<NAMESPACE>
    

    Replace <NAMESPACE> with the name of the Kubeflow namespace that you want to share, for example:

    root@rok-tools:~# export NAMESPACE=kubeflow-shared
    

    Note

    Repeat the procedure below for every group you wish to grant access to this namespace.

  2. Specify the group you want to grant access to this namespace:

    root@rok-tools:~# export GROUP=<GROUP_ID>
    

    Replace <GROUP_ID> with the ID of the group you want to grant access to, for example:

    root@rok-tools:~# export GROUP=group
    
  3. Specify the role that members of the group will have inside that namespace:

    root@rok-tools:~# export ROLE=<ROLE>
    

    Replace <ROLE> with the role you want members of the group to have in the namespace, for example:

    root@rok-tools:~# export ROLE=edit
    

    Note

    ROLE can be one of view, edit, or admin.

  4. Set the name prefix for the Kubernetes resources that you will generate:

    root@rok-tools:~# export NAME=${GROUP//[^a-zA-Z0-9\-]/-}-$ROLE
    root@rok-tools:~# export OVERLAY=$NAMESPACE-group-$NAME
    

    Note

    The name (prefix) should be unique and compatible with DNS-1123. The command above replaces every character of GROUP other than letters, digits and dashes with a dash (-).

  5. Switch to the kubeflow/manifests/common directory of your GitOps repository:

    root@rok-tools:~# cd ~/ops/deployments/kubeflow/manifests/common
    
  6. Create a directory for the new overlay:

    root@rok-tools:~/ops/deployments/kubeflow/manifests/common# mkdir -p namespace-permissions/overlays/$OVERLAY
    
  7. Create the new overlay:

    root@rok-tools:~/ops/deployments/kubeflow/manifests/common# j2 namespace-permissions/templates/group/kustomization.yaml.j2 \
    > -o namespace-permissions/overlays/$OVERLAY/kustomization.yaml

    root@rok-tools:~/ops/deployments/kubeflow/manifests/common# j2 namespace-permissions/templates/group/params.env.j2 \
    > -o namespace-permissions/overlays/$OVERLAY/params.env
    
  8. Stage changes for commit:

    root@rok-tools:~/ops/deployments/kubeflow/manifests/common# git add namespace-permissions/overlays/$OVERLAY
    
  9. Commit your changes:

    root@rok-tools:~/ops/deployments/kubeflow/manifests/common# git commit -m "Assign '$ROLE' access on namespace '$NAMESPACE' to group '$GROUP'"
    
  10. Apply the kustomization:

    root@rok-tools:~/ops/deployments/kubeflow/manifests/common# rok-deploy --apply namespace-permissions/overlays/$OVERLAY
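
The checks below are an added example, not part of the original procedure or of the project's tooling; they validate the values from steps 1 to 4 before the overlay is generated, committed and applied. Step 4's substitution keeps uppercase letters, which a DNS-1123 label does not allow, and it maps group IDs that differ only in replaced characters onto the same name, so both cases are flagged. The function names are hypothetical, and every sample value except the page's own `kubeflow-shared`, `group` and `edit` is constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Step 4's substitution, written with tr so it also runs under POSIX sh.
# Note: tr replaces per byte, bash's ${GROUP//...} replaces per character.
sanitize_group() {
    printf '%s' "$1" | LC_ALL=C tr -c 'a-zA-Z0-9-' '-'
}

# DNS-1123 label: 1-63 characters, lowercase alphanumerics or '-',
# beginning and ending with an alphanumeric.
is_dns1123_label() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# check_share NAMESPACE GROUP ROLE
# Prints the OVERLAY name on success. Returns 1 for a ROLE outside
# view/edit/admin and 2 when the generated NAME is not a DNS-1123 label.
check_share() {
    ns=$1; group=$2; role=$3
    case "$role" in
        view|edit|admin) ;;
        *) echo "ROLE must be view, edit or admin, got '$role'" >&2; return 1 ;;
    esac
    safe=$(sanitize_group "$group")
    name="$safe-$role"
    if ! is_dns1123_label "$name"; then
        echo "NAME '$name' is not a DNS-1123 label" >&2
        return 2
    fi
    # A rewritten GROUP means distinct group IDs can map to the same NAME.
    if [ "$safe" != "$group" ]; then
        echo "warning: '$group' became '$safe'; confirm no other group uses it" >&2
    fi
    printf '%s\n' "$ns-group-$name"
}

# Demo with constructed sample values; the first call uses the page's example.
if [ "${1:-}" = "--demo" ]; then
    check_share kubeflow-shared group edit
    check_share kubeflow-shared 'ml team@example.com' view
    check_share kubeflow-shared Data-Science admin || true
fi
```

A warning from `check_share` is a prompt to look in `namespace-permissions/overlays/` for an existing directory with the printed name before running step 6, since `mkdir -p` and `j2 -o` would reuse and overwrite it.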
    

Summary

You have successfully shared a namespace between Kubeflow users that belong to a group inherited from the OIDC provider.

What's Next

Check out the rest of the operations you can perform on your Kubeflow deployment.