Securing the Kubeflow authentication with HTTPS

    This guide describes how to secure Kubeflow authentication with HTTPS. You can enable HTTPS for the Kubeflow dashboard (and other web UIs) using the network load balancer (NLB) feature of the IBM Cloud Kubernetes service. To do so, choose the worker nodes provider in the Setting environment variables section of the Create an IBM Cloud cluster guide.

    Note: For details on NLB, go to the official guide.

    To set up an NLB for your Kubernetes cluster, follow the official Classic: Setting up basic load balancing with an NLB 1.0 guide. Notice that the setup process for a multi-zone cluster differs from that of a single-zone cluster. For details, go to .

    1. To use the existing Istio ingress gateway (instead of creating a new service), change the service type of istio-ingressgateway from NodePort to LoadBalancer. Run the following command:

    2. Verify that the NLB was created successfully. It might take a few minutes for the service to be created and an IP address to be made available. Run the command below and check if you can see the LoadBalancer Ingress IP address:

        export INGRESS_GATEWAY_IP=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')

      The following instructions use the Kubeflow dashboard as an example. However, they apply to other web UI applications, since they all go through the Istio ingress gateway.

      1. Store the Kubernetes cluster name in an environment variable by running the following command:

      2. Create a DNS domain and certificates for the IP of the service istio-ingressgateway in namespace istio-system:

        ibmcloud ks nlb-dns create classic --cluster $CLUSTER_NAME --ip $INGRESS_GATEWAY_IP --secret-namespace istio-system
      3. List the registered domain names:

        ibmcloud ks nlb-dns ls --cluster $CLUSTER_NAME
      4. Create a secret named istio-ingressgateway-certs for the istio-ingressgateway pods in namespace istio-system:

        kubectl get secret $INGRESS_GATEWAY_SECRET -o yaml > istio-ingressgateway-certs.yaml
      5. Update the istio-ingressgateway-certs.yaml file by changing the value of metadata.name to and the value of metadata.namespace to istio-system. Then, run the following commands:

        kubectl apply -f istio-ingressgateway-certs.yaml -n istio-system
        kubectl rollout restart deploy istio-ingressgateway -n istio-system
        rm istio-ingressgateway-certs.yaml
      6. Update the gateway kubeflow-gateway to expose port 443. Create a resource file kubeflow-gateway.yaml as follows by replacing <hostname> with the value of the column Hostname in step 4:

      Note: The certificates for the NLB DNS host secret expire every 90 days. The secret in the namespace is automatically renewed by IBM Cloud Kubernetes Service 37 days before it expires. After this secret is updated, you must manually copy it to the istio-ingressgateway-certs secret by repeating the commands in steps 5 and 6.
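
Because the copy described in the note is manual, the gateway can keep serving the old certificate after the NLB DNS secret has been renewed. The following script is an added example, not part of the original guide: it compares the certificate in the NLB DNS secret with the one in istio-ingressgateway-certs and reports when the copy is stale. It assumes both secrets store the certificate under the data key tls.crt; the source secret name and its namespace are passed as arguments, and the script name in the usage comment is hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the Kubeflow or IBM Cloud documentation.
# Assumption: both secrets keep the PEM certificate under the data key "tls.crt".
# Only the public certificate is read; the private key (tls.key) is never fetched.

GW_SECRET=istio-ingressgateway-certs   # secret name used in this guide
GW_NS=istio-system                     # namespace used in this guide

# Print the base64-encoded tls.crt of secret $1 in namespace $2.
secret_cert() {
  kubectl get secret "$1" -n "$2" -o jsonpath='{.data.tls\.crt}' 2>/dev/null
}

# Compare the NLB DNS secret ($1, in namespace $2) with the gateway copy.
# Returns 0 = identical, 1 = gateway copy is stale, 2 = a secret is missing or empty.
certs_in_sync() {
  src_cert=$(secret_cert "$1" "$2") || return 2
  gw_cert=$(secret_cert "$GW_SECRET" "$GW_NS") || return 2
  [ -n "$src_cert" ] && [ -n "$gw_cert" ] || return 2
  [ "$src_cert" = "$gw_cert" ]
}

# Human-readable wrapper; the exit status is suitable for a cron job or monitor.
sync_report() {
  status=0
  certs_in_sync "$1" "$2" || status=$?
  case "$status" in
    0) echo "OK: $GW_SECRET matches $1" ;;
    1) echo "STALE: $GW_SECRET differs from $1; repeat the copy and rollout restart" ;;
    *) echo "ERROR: could not read $1 (ns $2) or $GW_SECRET (ns $GW_NS)" ;;
  esac
  return "$status"
}

# Usage (hypothetical file name):
#   ./check-gateway-cert.sh "$INGRESS_GATEWAY_SECRET" <secret-namespace>
if [ "$#" -ge 2 ]; then
  sync_report "$@"
fi
```

A STALE result means the gateway is still using the previous certificate, which stops being valid once its 90-day lifetime ends.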