Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is there a way to make open profile for every ldap users? #2619

Open
korjwl1 opened this issue Feb 13, 2024 · 4 comments
Open

Is there a way to make open profile for every ldap users? #2619

korjwl1 opened this issue Feb 13, 2024 · 4 comments
Projects
Needs Triage

Comments

@korjwl1
Copy link

korjwl1 commented Feb 13, 2024

Our group is using Kubeflow with LDAP login right now.
I let every user to make their own namespaces but then have some problem.
Since we are using very limited gpu nodes, it is quite hard to know whether there is any gpu nodes left or not.
The best solution I think is to make every user to use a single profile.
Is there any way to make a open profile so that every ldap users will be joined automatically even when a new ldap user comes in?
@kubeflow-bot kubeflow-bot added this to To Do in Needs Triage Feb 13, 2024
@juliusvonkohout
Copy link
Member

Hello, please run this trough a spell checker first. I cannot decipher what you want to say in English.

@korjwl1
Copy link
Author

korjwl1 commented Feb 14, 2024

Hello, please run this trough a spell checker first. I cannot decipher what you want to say in English.

So what I want is to make a Profile(Namespace) that every ldap users can use.
(Include the previously created ldap user accounts & newly created ldap users in the future)

@juliusvonkohout
Copy link
Member

That is propably something that you have to handle in LDAP outside of Kubeflow.

@kromanow94
Copy link
Contributor

@korjwl1 AFAIK, currently this is not possible in KF. But, if you were able to get a full list of emails of every user that should have access to this open KF Profile, you can engineer something that will create a RoleBinding and AuthorizationPolicy for each of those users in this open KF Profile.

Considering you're allowing every user to have their own KF Profile, each of your users can be represented by the instance of Profile CRD. You could create some minimalist K8s Controller that for every KF Profile will create instances of RoleBinding and AuthorizationPolicy for given user.

Alternatively, if not every KF User have their own KF Profile, your controller could list every RoleBinding in every KF Profile, filter over those with prefix user- and create corresponding RoleBindings in the open KF Profile.

Or, you could develop a controller that has RO access to your LDAP with logic to create RoleBindings and AuthorizationPolicies for every user in given group(s) (you would have to map somehow the LDAP Group <-> KF Profile though in your controller). This would be like an in-house developed KF Group Management functionality (although based on a workaround).

Please note that all of the ideas in this comment are based on a workaround and something you'd have to develop on your own, although you may receive some guidance. I have experience in writing such tools and K8s Controllers in general so I could provide some help.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Needs Triage
To Do
Milestone
No milestone
Development

No branches or pull requests
3 participants
@kromanow94 @juliusvonkohout @korjwl1