Introduction to Multi-user Isolation
This Kubeflow component has stable status. See the Kubeflow versioning policies.
In a production environment, it is often necessary to share the same pool of resources across different teams and users. These different users need a reliable way to isolate and protect their own resources, without accidentally viewing or changing each other’s resources.
Kubeflow v1.0 supports multi-user isolation, which applies access control over namespaces and user-created resources in a deployment. It provides the users with the convenience of clutter-free browsing of notebooks, training jobs, serving deployments and other resources. The isolation mechanisms also prevent accidental deletion/modification of resources of other users in the deployment.
Note that the isolation support in Kubeflow doesn’t provide any hard security guarantees against malicious attempts by users to infiltrate other users’ profiles.
user: A user is someone who has access to some set of resources in the cluster. A user needs to be granted access permissions by the administrator.
profile: A profile is a grouping of all Kubernetes clusters owned by a user.
The Jupyter notebooks service is the first application to be fully integrated with multi-user isolation. Access to the notebooks and the creation of notebooks is controlled by the profile access policies set by the Administrator or the owners of the profiles. Resources created by the notebooks (e.g. training jobs and deployments) will also inherit the same access.
Metadata, Pipelines and other applications currently don’t have full-fledged integration with isolation, though they will have access to the user identity through the headers of the incoming requests. It’s up to the individual applications to leverage the available identity and create isolation stories that make sense for them.
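As an added illustration (not Kubeflow code), here is one way an application could use the identity from the request headers to enforce a profile's access policy. The header name `kubeflow-userid`, the empty prefix, the `Profile` class with its contributors, and the sample data are assumptions made for this example.

```python
from dataclasses import dataclass

# Assumption: the authenticating gateway sets this header on every request.
# The header name (and any value prefix) depends on the deployment.
USERID_HEADER = "kubeflow-userid"
USERID_PREFIX = ""

@dataclass(frozen=True)
class Profile:  # hypothetical stand-in for a profile's access policy
    owner: str
    contributors: frozenset = frozenset()

# Constructed sample data, keyed by namespace.
SAMPLE_PROFILES = {
    "team-a": Profile("alice@example.com", frozenset({"bob@example.com"})),
}

def user_from_headers(headers, name=USERID_HEADER, prefix=USERID_PREFIX):
    """headers: list of (name, value) pairs. Returns the user or None."""
    values = [v for k, v in headers if k.lower() == name.lower()]
    if len(values) != 1:  # missing or duplicated header: no usable identity
        return None
    value = values[0].strip()
    if not value.startswith(prefix):
        return None
    return value[len(prefix):] or None

def authorize(headers, namespace, action, profiles=SAMPLE_PROFILES):
    """Return (allowed, reason); anything not explicitly granted is denied."""
    user = user_from_headers(headers)
    if user is None:
        return False, "no single identity header"
    profile = profiles.get(namespace)
    if profile is None:
        return False, "unknown namespace"
    if user == profile.owner:
        return True, "owner"
    # Contributors may use resources but not change who has access.
    if user in profile.contributors and action in ("view", "edit"):
        return True, "contributor"
    return False, "not permitted by profile"

if __name__ == "__main__":
    for who in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(who, authorize([(USERID_HEADER, who)], "team-a", "edit"))
```

The check is only as trustworthy as the header: it assumes the application can be reached only through the gateway that sets it.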
For on-premises deployments, Kubeflow leverages Dex as a federated OpenID Connect provider and can be integrated with LDAP or Active Directory to provide authentication and identity services.
- Understand the of Kubeflow’s multi-user isolation feature.