Kubeflow Multiuser Isolation for pipeline runs: Read-only access #5006

Closed
kd303 opened this issue Jan 19, 2021 · 2 comments

kd303 commented Jan 19, 2021

Question:

Please note this as advised by in question, I am reopening this question as per suggestions in # 5510

We are trying to create a separate namespace where the different runs can be submitted. I understand from the documentation currently that pipelines have restrictions about namespaces; however, our use-case is the runs where this is happening we want to allocate the GPU resources in that namespace, so users can submit their jobs to a queue and we deploy these jobs from a queue as and when the resources are available.

My Questions are:

  1. What is the way we can ensure the users have read-only access to the above namespace (e.g. training namespace)? Is this possible? So that they are able to view their runs, status of it, logs and metrics generated (I am aware as of 1.1 pipelines are not isolated from users, for which we are okay to live with)

  2. At the same time they should not be able to create resources in that specific namespace - for example Notebook servers, running other pipelines or deploy a kf-serving model (for this forum - consider pipeline runs)

  3. Managing the above scenario via contributors is not great as it will allow access to all resources in the common namespace

We are trying to ensure we utilize the GPUs (with all the sharing disabled in Kubernetes, it's becoming all the more required) in the best possible manner and resources are not stuck to a specific team/individual.

Please provide any updates/link or direction using which we can solve this. Unfortunately the documentation is not great on this aspect so I am not able to proceed (I have read through - Issue # 3513 it does not look complete yet.)

KFP version: 1.0
Kubeflow version 1.1
KFP SDK version: NA

Anything else you would like to add:

[Miscellaneous information that will assist in solving the issue.]

/kind bug

Contributor

parthmishra commented Jan 21, 2021

I'm interested in something like this too, mostly to have a public namespace that everyone can see without having to manually add via contributors UI. Until support for RBAC groups in the Profile controller comes along, it's not easy. As for your use case, I haven't tried this out, but I'd suggest the following:

  • Apply a resource quota for GPUs on the non-shared profiles to disallow GPU (see the docs on where to put these)
  • Create a custom Role with the specific permissions you need and add RoleBindings for your users in the training namespace

side note: is this really a bug? seems like more of a feature and/or documentation request
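
The two suggestions in the comment above, written out as manifests. This is an added example, not part of the comment and not Kubeflow's own configuration; the profile name `team-a`, the user `alice@example.com`, the object names, and the `nvidia.com/gpu` resource name are assumptions, and `training` is the namespace named in the question.

```yaml
# Added example; names marked "assumed" are not from the thread.
# 1) Keep GPUs out of a non-shared profile: a quota of zero on the GPU
#    extended resource, set through the Profile's resourceQuotaSpec.
apiVersion: kubeflow.org/v1beta1
kind: Profile
metadata:
  name: team-a                      # assumed profile name
spec:
  owner:
    kind: User
    name: alice@example.com         # assumed user
  resourceQuotaSpec:
    hard:
      requests.nvidia.com/gpu: "0"  # assumes the NVIDIA device plugin resource name
---
# 2) Read-only Role in the shared namespace: view verbs only, so the
#    bound user has no create/update/patch/delete on any resource there.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: run-viewer                  # assumed name
  namespace: training
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "events"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["argoproj.io"]      # KFP runs execute as Argo Workflows
    resources: ["workflows"]
    verbs: ["get", "list", "watch"]
---
# 3) Bind the Role to one user in the training namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: run-viewer-alice            # assumed name
  namespace: training
subjects:
  - kind: User
    name: alice@example.com         # assumed user
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: run-viewer
  apiGroup: rbac.authorization.k8s.io
```

After applying, `kubectl auth can-i create pods -n training --as alice@example.com` should answer `no` and the same check with `get` should answer `yes`. These objects govern access through the Kubernetes API; the thread does not establish whether the Pipelines UI in this release enforces them.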

Contributor

Bobgy commented Jan 29, 2021

What you requested is in scope of Issue #3513.
It will be released in the next Kubeflow release. So you can wait for it.

Bobgy closed this as completed Jan 29, 2021