-
Notifications
You must be signed in to change notification settings - Fork 671
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Core feature] Make Flyte work with GCP Identity Aware Proxy (IAP) #3965
Comments
There is one important design choice I made: There are two ways clients can authenticate with IAP. Let's say we have an ID token valid for IAP:
While the first option would be a deeper integration of IAP into Flyte (admin), I chose - as a first step - to go for option 2. Reasoning:
Finally, I see this as the first step in integrating Flyte with IAP in order to fulfil a need that we have. I found the TL;DR: I chose to add logic that can be reused for other proxies on the client side instead of adding non-reusable logic pertaining to a specific managed cloud service to the server side. |
Motivation: Why do you think this is important?
GCP Identity Aware Proxy (IAP) is a managed service that makes it easy to protect applications deployed on GCP by verifying user identity and using context to determine whether a user should be granted access.
Because requests to applications protected with IAP first have to pass IAP before they can reach the protected application, IAP provides a convenient way to implement a zero-trust access model.
(In contrast, if applications are protected using their own auth mechanism, unauthenticated requests typically first hit the application which only then redirects to e.g. a google login page. With IAP, no unauthenticated request can ever hit the application.)
Since IAP makes it very easy to implement a zero-trust model, many organizations using GCP have a security policy that any internal tool has to be protected with it.
Goal: What should the final outcome look like, ideally?
Flyte currently does not work with IAP but there is a need in the community to enable this integration:
Describe alternatives you've considered
In organizations where there is a security policy to use IAP, workarounds typically include 1) deploying flyte itself without authentication enabled and instead with IAP in front of flyteconsole and 2) port-forwarding flyteadmin's gRPC server to localhost or interacting with it only from within the cluster/the VPC (as
pyflyte
andflytectl
cannot reach flyteadmin through IAP).None of this is great.
Propose: Link/Inline OR Additional context
This issue tracks the integration of flyte with IAP, consisting of the following tickets:
Feat: Add plugin for generating GCP IAP ID tokens via external command flytekit#1795
Adding a plugin, providing a CLI that can be used by
flytekit
(andflytectl
) as an external command to generate access tokens for IAP (see here for "external command" authentication in flyte).To create this token, the plugin performs a standard OAuth 2.0 flow with
https://accounts.google.com
(not with flyteadmin).Feat: Enable
flytekit
to authenticate with proxy in front of FlyteAdmin flytekit#1787Giving
flytekit
'sRemote
(used bypyflyte
) the ability to send"proxy-authorization"
headers valid for IAP (generated with the new plugin) with every request, including the unauthenticated requests during the authentication flow with flyteadmin.In flyte's client config this will look as follows:
If a request, even one that is not yet authenticated with flyteadmin (via
"authorization"
headers), includes a valid"proxy-authorization"
header, IAP strips this"proxy-authorization"
header and forwards the request to flyteadmin without touching the"authorization"
header used by Flyte.If no valid
"proxy-authorization"
is included, the request is denied at the load balancer.This means that the existing authentication flow
flytekit
'sRemote
performs withflyteadmin
is not modified.flyteadmin
itself is not aware that it is protected with IAP.Implementing the same for
flytectl
. The external command can of course be reused.Feat: Enable proxy-authorization in admin client flyteidl#437
(Fixing a bug in the flyte helm chart that breaks deployments with the GCE ingress controller (instead of nginx) as IAP only works with GCE ingresses. Fix: Set flyteadmin gRPC port to 80 in ingress if using TLS between load balancer and backend #3964) <- Not needed anymore, see reason
Adding documentation on how to deploy the flyte helm chart with a GCE ingress, GCP managed certificate, and IAP. The guide is currently documented in the
README.md
of the flytekit iap plugin added in Feat: Add plugin for generating GCP IAP ID tokens via external command flytekit#1795 (It could be moved from there.)Are you sure this issue hasn't been raised already?
Have you read the Code of Conduct?
The text was updated successfully, but these errors were encountered: