
Issue for Multiple admins for a single profile: The Extra admin failed to manage contributors #1199

Open
sagittariuslee opened this issue Jan 20, 2025 · 2 comments
Labels
bug Something isn't working

Comments


sagittariuslee commented Jan 20, 2025

Bug Description

After creating extra admins (not the owner) for a profile, they (the admins) are NOT able to manage contributors.

To Reproduce

  1. Deploy a new KF env
    juju deploy kubeflow --trust --channel=1.9/stable

  2. Deploy a new ldap, and add a few users (userx, usery, and userz)

  3. Create a profile with owner usery

apiVersion: kubeflow.org/v1
kind: Profile
metadata:
  finalizers:
  - profile-finalizer
  generation: 1
  labels:
    app.juju.is/created-by: kubeflow-profiles
  name: profile-usery
spec:
  owner:
    kind: User
    name: [email protected]
  resourceQuotaSpec:
    hard:
      cpu: "32"
      memory: 32Gi
  4. Create an extra admin (userx) via RoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: profile-admin-userx
  namespace: profile-usery
  annotations:
    role: admin
    user: [email protected]
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeflow-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: [email protected]
  5. Log in to the Kubeflow UI with userx and try to manage contributors.

Environment

~$ juju status
Model     Controller        Cloud/Region     Version  SLA          Timestamp
kubeflow  myk8s-controller  myk8s/localhost  3.5.5    unsupported  13:39:57Z

App                      Version                  Status       Scale  Charm                    Channel          Rev  Address         Exposed  Message
admission-webhook                                 active           1  admission-webhook        1.9/stable       344  10.152.183.95   no       
argo-controller                                   active           1  argo-controller          3.4/stable       617  10.152.183.189  no       
dex-auth                                          active           1  dex-auth                 2.39/stable      588  10.152.183.29   no       
envoy                                             active           1  envoy                    2.2/stable       310  10.152.183.188  no       
istio-ingressgateway                              active           1  istio-gateway            1.22/stable     1280  10.152.183.213  no       
istio-pilot                                       active           1  istio-pilot              1.22/stable     1169  10.152.183.253  no       
jupyter-controller                                active           1  jupyter-controller       1.9/stable      1083  10.152.183.48   no       
jupyter-ui                                        active           1  jupyter-ui               1.9/stable       961  10.152.183.92   no       
katib-controller                                  active           1  katib-controller         0.17/stable      813  10.152.183.233  no       
katib-db                 8.0.39-0ubuntu0.22.04.1  active           1  mysql-k8s                8.0/stable       210  10.152.183.56   no       
katib-db-manager                                  active           1  katib-db-manager         0.17/stable      713  10.152.183.176  no       
katib-ui                                          active           1  katib-ui                 0.17/stable      713  10.152.183.162  no       
kfp-api                                           active           1  kfp-api                  2.3/stable      1743  10.152.183.77   no       
kfp-db                   8.0.39-0ubuntu0.22.04.1  active           1  mysql-k8s                8.0/stable       210  10.152.183.174  no       
kfp-metadata-writer                               maintenance      1  kfp-metadata-writer      2.3/stable       825  10.152.183.62   no       Reconciling charm: executing component kfp-metadata-writer-pebble-service
kfp-persistence                                   maintenance      1  kfp-persistence          2.3/stable      1756  10.152.183.117  no       Reconciling charm: executing component container:persistenceagent
kfp-profile-controller                            active           1  kfp-profile-controller   2.3/stable      1715  10.152.183.215  no       
kfp-schedwf                                       active           1  kfp-schedwf              2.3/stable      1765  10.152.183.153  no       
kfp-ui                                            active           1  kfp-ui                   2.3/stable      1752  10.152.183.129  no       
kfp-viewer                                        active           1  kfp-viewer               2.3/stable      1781  10.152.183.137  no       
kfp-viz                                           active           1  kfp-viz                  2.3/stable      1700  10.152.183.17   no       
knative-eventing                                  active           1  knative-eventing         1.12/stable      459  10.152.183.36   no       
knative-operator                                  active           1  knative-operator         1.12/stable      533  10.152.183.75   no       
knative-serving                                   active           1  knative-serving          1.12/stable      487  10.152.183.184  no       
kserve-controller                                 active           1  kserve-controller        0.13/stable      655  10.152.183.79   no       
kubeflow-dashboard                                active           1  kubeflow-dashboard       1.9/stable       659  10.152.183.178  no       
kubeflow-profiles                                 active           1  kubeflow-profiles        1.9/stable       458  10.152.183.50   no       
kubeflow-roles                                    active           1  kubeflow-roles           1.9/stable       240  10.152.183.23   no       
kubeflow-volumes                                  active           1  kubeflow-volumes         1.9/stable       348  10.152.183.190  no       
metacontroller-operator                           active           1  metacontroller-operator  3.0/stable       352  10.152.183.151  no       
minio                    res:oci-image@220b31a    active           1  minio                    ckf-1.9/stable   383  10.152.183.165  no       
mlmd                                              active           1  mlmd                     ckf-1.9/stable   213  10.152.183.32   no       
oidc-gatekeeper                                   active           1  oidc-gatekeeper          ckf-1.9/stable   423  10.152.183.237  no       
pvcviewer-operator                                active           1  pvcviewer-operator       1.9/stable       204  10.152.183.138  no       
tensorboard-controller                            active           1  tensorboard-controller   1.9/stable       355  10.152.183.149  no       
tensorboards-web-app                              active           1  tensorboards-web-app     1.9/stable       343  10.152.183.179  no       
training-operator                                 active           1  training-operator        1.8/stable       545  10.152.183.247  no       

Relevant Log Output

[2025-01-10T21:50:06.993Z] "GET /api/workgroup/get-contributors/userx HTTP/1.1" 304 - via_upstream - "-" 0 0 4 3 "192.168.10.3" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "8e1cea09-e029-464d-9b22-0623cf0daeb7" "192.168.10.10:8888" "10.1.7.168:8082" outbound|8082||kubeflow-dashboard.kubeflow.svc.cluster.local 10.1.7.154:33678 10.1.7.154:8080 192.168.10.3:13435 - -

[2025-01-10T21:50:18.827Z] "POST /api/workgroup/add-contributor/profile-usery HTTP/1.1" 403 - via_upstream - "-" 30 81 11 9 "192.168.10.3" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36" "53a5b121-2d75-4fc7-9e6b-6efcce2de23f" "192.168.10.10:8888" "10.1.7.168:8082" outbound|8082||kubeflow-dashboard.kubeflow.svc.cluster.local 10.1.7.154:46396 10.1.7.154:8080 192.168.10.3:13435 - -

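A defender-side check for the convention the RoleBinding in the steps above relies on (the KFAM `role`/`user` annotations next to a roleRef to kubeflow-admin): it lists who is effectively admin for a profile and flags bindings where the annotation the dashboard reads and the roleRef the API server enforces disagree. This is an added example, not code from the issue or from Kubeflow; the manifests are built inline and the e-mail addresses are constructed placeholders, since the report redacts them.

```python
"""Audit a Kubeflow profile's RoleBindings for admin/annotation drift (added
example, not from the issue). Inputs are dicts shaped like kubectl -o json
output; the e-mail addresses are constructed placeholders."""
# Kubeflow ClusterRoles and the KFAM `role` annotation each should carry.
ROLE_FOR_CLUSTERROLE = {"kubeflow-admin": "admin", "kubeflow-edit": "edit",
                        "kubeflow-view": "view"}

def effective_admins(profile, rolebindings):
    """Return (admins, findings). A user counts as an extra admin only when
    the `role: admin` annotation (what the dashboard reads) and a roleRef to
    kubeflow-admin (what the API server enforces) agree; drift is reported."""
    ns = profile["metadata"]["name"]
    admins = {profile["spec"]["owner"]["name"]}   # the owner is always an admin
    findings = []
    for rb in rolebindings:
        if rb["metadata"].get("namespace") != ns:
            continue  # bindings in other namespaces do not affect this profile
        name = rb["metadata"]["name"]
        ann = rb["metadata"].get("annotations", {})
        ref = rb["roleRef"]
        ref_role = (ROLE_FOR_CLUSTERROLE.get(ref["name"])
                    if ref.get("kind") == "ClusterRole" else None)
        subjects = {s["name"] for s in rb.get("subjects", []) if s.get("kind") == "User"}
        if "role" not in ann or "user" not in ann:
            findings.append((name, "no KFAM role/user annotation; dashboard ignores it"))
        elif ref_role is None:
            findings.append((name, f"roleRef {ref['name']} is not a Kubeflow ClusterRole"))
        elif ref_role != ann["role"]:
            findings.append((name, f"annotation role={ann['role']} but RBAC grants {ref_role}"))
        elif ann["user"] not in subjects:
            findings.append((name, f"annotation user={ann['user']} is not a subject"))
        elif ann["role"] == "admin":
            admins.add(ann["user"])
    return admins, findings

def make_rb(name, ns, user, clusterrole, role):
    """Constructed RoleBinding dict in the shape the report uses."""
    return {"metadata": {"name": name, "namespace": ns,
                         "annotations": {"role": role, "user": user}},
            "roleRef": {"kind": "ClusterRole", "name": clusterrole},
            "subjects": [{"kind": "User", "name": user}]}

PROFILE = {"metadata": {"name": "profile-usery"},
           "spec": {"owner": {"kind": "User", "name": "usery@example.com"}}}
BINDINGS = [make_rb("profile-admin-userx", "profile-usery", "userx@example.com",
                    "kubeflow-admin", "admin"),  # the report's extra-admin binding
            make_rb("profile-admin-userz", "profile-usery", "userz@example.com",
                    "kubeflow-edit", "admin")]   # drift: annotation admin, RBAC edit
```

Running `effective_admins(PROFILE, BINDINGS)` reports usery and userx as admins and one finding for the drifted userz binding, which is the kind of mismatch to rule out before attributing a 403 to the dashboard itself.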

@sagittariuslee sagittariuslee added the bug Something isn't working label Jan 20, 2025

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/KF-6765.

This message was autogenerated


sagittariuslee commented Jan 20, 2025

I also tried creating an AuthorizationPolicy and tested it, but it did not help:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: userx-ok-com-clusterrole-authpolicy
  namespace: profile-usery
  annotations:
    role: admin
    user: [email protected]
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/kubeflow/sa/istio-ingressgateway-workload-service-account
        - cluster.local/ns/kubeflow/sa/kfp-ui-sa
    when:
    - key: request.headers[kubeflow-userid]
      values:
      - [email protected]
    to:
    - operation:
        methods:
        - POST
        paths:
        - /kfam/v1/bindings
