Model on how to handle resource sharing between different users on a shared Kubeflow system
To facilitate sharing and isolation of resources, Kubeflow uses Kubernetes namespaces. Each namespace represents a Kubeflow profile, which in turn has the needed Kubernetes resources to do it's work. To access resources for a specific profile through the Web UI, Kubeflow uses json web tokens(JWT). These are passed with every authenticated request and contain the needed authorization information for the profile.
There are two ways a user can access resources in Kubeflow. Through low and high level services:
- Low level services : Here, the user uses
kubectland applies custom resource definitions directly to it's resources.- For example through
kubectl:kubectl apply -f tfjob
- For example through
- High level services : Here, the user uses the Kubeflow web UI to access resources.
- For example the jupyter notebook UI
Footnotes
-
In depth authentication and authorization walk through: https://youtu.be/qyUyYLvmKHY ↩