Kubeflow uses different components to provide authentication:
- Istio as ingress gateway
- OIDC as identity layer
The starting point for the authentication is the Istio ingress gateway, which then uses an external authentication provider. This has the advantage of outsourcing all the authentication logic to an external provider and not having to deal with it in Kubeflow itself.
The following two sections describe the OpenID Connect flow used in Kubeflow and the authentication providers more in detail.
The general authentication is based on the OpenID Connect Protocol(OIDC).
The whole OIDC flow for Kubeflow uses the following components:
- Istio gateway: Acts as ingress gateway. Allows or denies the request and acts only as control pane
- Envoy: acts as OIDC client. Envoy does the actual authentication request for Istio. Uses Filters to forward requests to the authorization service
- A request get's either Accepted, rejected or redirected by Envoy
- Authorization service: Handles JWT logic of verifying the token. Example implementation to use: https:/ajmyyra/ambassador-auth-oidc
- Dex: Acts as identity service. Is used to connect and use an external identity provider
- Authentication providers. Provides the actual authentication information.
Flow:
- If JWT needs to be requested : 1-8(Outer rectangle):
In this case, a user is not authenticated. Therefore, the request gets forwarded to the respective authentication provider. If the credentials are correct, the user get's a JWT token it can use for further requests.
- If the passed JWT just needs to be verified: 1-2-7-8(Inner rectangle):
In this case, a user is already authenticated. Therefore, the JWT only needs to be verified by the authorization service for it's legitimacy. If successful, the user can access it's Kubeflow profile.
┌────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ ┌───────────────────────────────────────────┐ │
│ │ │ │
│ │ ┌─────────────┐ │ │
│ │ │Istio gateway│ │ │
│ │ └──────┬──────┘ │ │
│ │ ▼ 1 ▲ 8 7 │ 6 5 │
│ │ ┌────────────┴┐ ◄──┌─────────────────────│ ◄─┌────────────────┐ ◄───────┌────────────────────────┐ │
│ │ │ Envoy │ │Authorization service│ │Identity service│ │Authentication providers│ │
│ │ └─────────────┘───►└─────────────────────│──►└────────────────┘────────►└────────────────────────┘ │
│ │ 2 │ 3 4 │
│ │ │ ▲ │
│ └───────────────────────────────────────────┘ │ │
│ Only needed, if JWT needs to be requested! │
└────────────────────────────────────────────────────────────────────────────────────────────────────────┘
The following image shows the described components at a high level overview:
To use in the context of an On-Prem system, there are different possibilities regarding the provider:
- Use LDAP/AD and OpenID connect:
- No authentication logic on our side
- No user management. For example deactivating account(Access) after leaving project.
- Implement simple authentication system. Useful for guests.
- Kratos: "cloud native Identity and User Management System"
- Additional component
- Management overhead