Create Privileged Notebook Server
This guide will walk you through granting elevated privileges to all new and existing notebook servers in a namespace of your choice.
What You’ll Need
- A configured management environment.
- An existing Arrikto EKF deployment.
Procedure
1. Specify the Kubernetes namespace where you want to deploy privileged notebook servers:

   root@rok-tools:~# export NAMESPACE=<NAMESPACE>

   Replace <NAMESPACE> with the Kubernetes namespace, for example:

   root@rok-tools:~# export NAMESPACE=kubeflow-admin

2. Specify the Kubernetes service account that the notebook servers will be using:

   root@rok-tools:~# export SERVICE_ACCOUNT=default-editor

3. Specify the name of the Kubernetes cluster role that you want to provide to the service account:

   root@rok-tools:~# export CLUSTER_ROLE=cluster-admin

4. Grant the cluster role to the service account:

   root@rok-tools:~# kubectl create clusterrolebinding \
   >     --serviceaccount ${NAMESPACE?}:${SERVICE_ACCOUNT?} \
   >     --clusterrole ${CLUSTER_ROLE?} \
   >     ${CLUSTER_ROLE?}-${NAMESPACE?}-${SERVICE_ACCOUNT?}

5. Go to the Kubeflow Dashboard and switch to the namespace you specified in step 1.

6. Navigate to the Notebooks page.

7. Click on the New Notebook button to create a new notebook. Alternatively, click on the Connect button to connect to an existing one.
Verify
1. Go to the Kubeflow Dashboard and switch to the namespace you specified in step 1.

2. Navigate to the Notebooks page.

3. Connect to any notebook server.

4. Start a new terminal inside the notebook.

5. Verify that the notebook has the necessary privileges:

   jovyan@mynotebook-0:~$ kubectl get namespaces kubeflow-admin
   ...

Troubleshooting

Forbidden

If the above command fails with an error message similar to the following:

   Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:kubeflow-user:default-editor" cannot list resource "namespaces" in API group "" at the cluster scope

it means that the service account of your notebook server does not match the service account that you granted privileges to.
To proceed, repeat the procedure using the correct service account and namespace.
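
The check above runs from inside a notebook. The same question can be answered from the management environment by listing which service accounts hold the cluster role, which also shows whether the identity named in a Forbidden error was ever granted it. The following is an added example, not part of the original guide or of Arrikto's tooling: the function names and the embedded sample are constructed for illustration, and the input is assumed to be the output of `kubectl get clusterrolebindings -o json` saved to a file.

```python
import json
import sys

# Constructed sample shaped like `kubectl get clusterrolebindings -o json` output.
SAMPLE = {"items": [
    {"metadata": {"name": "cluster-admin-kubeflow-admin-default-editor"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "default-editor",
                   "namespace": "kubeflow-admin"}]},
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "view-only"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "default-viewer",
                   "namespace": "kubeflow-user"}]},
    {"metadata": {"name": "no-subjects"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]}


def service_accounts_with_role(bindings, cluster_role="cluster-admin"):
    """Return sorted (namespace, service_account, binding_name) tuples for
    every ServiceAccount subject bound to cluster_role."""
    found = set()
    for item in bindings.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != cluster_role:
            continue
        for subj in item.get("subjects") or []:  # subjects may be absent or null
            if subj.get("kind") == "ServiceAccount":
                found.add((subj.get("namespace", ""), subj["name"],
                           item["metadata"]["name"]))
    return sorted(found)


def is_granted(bindings, namespace, service_account, cluster_role="cluster-admin"):
    """True if namespace:service_account is bound to cluster_role."""
    return any(ns == namespace and sa == service_account
               for ns, sa, _ in service_accounts_with_role(bindings, cluster_role))


if __name__ == "__main__":
    # Optional argument: path to a saved `kubectl get clusterrolebindings -o json`.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for ns, sa, name in service_accounts_with_role(data):
        print(f"system:serviceaccount:{ns}:{sa}\tvia {name}")
```

With the sample data, `kubeflow-admin:default-editor` is reported as bound, while `kubeflow-user:default-editor` from the error message above is not, which is the mismatch the troubleshooting step describes.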
Summary
You have successfully granted elevated privileges to all new and existing notebook servers in a namespace of your choice.
What’s Next
You can check out the rest of the maintenance operations that you can perform on your cluster.