The Profile State Controller applies labels to Kubeflow Profiles and Kubernetes namespaces that indicate certain properties of users in those namespaces.
The purpose of this controller is to ensure that profiles/namespaces are correctly labelled so that other applications in the cluster can make allow/deny decisions based on these labels.
The sections below detail specific labels and the logic they use.
The initial implementation bundled features into either employee or non-employee features, but the addition of exception lists introduced the requirement for more fine-grained discretionary access control. This means we have a label for each feature.
This controller adds the `state.aaw.statcan.gc.ca/has-sas-notebook-feature` and `state.aaw.statcan.gc.ca/exists-non-sas-notebook-user` labels to the Profiles based on the Pods and users in that namespace.
If any Pods in that namespace are using a SAS image, it will set the `state.aaw.statcan.gc.ca/has-sas-notebook-feature` label in the Profile to `true`, otherwise `false`.
If any users in that namespace are not permitted to use SAS (i.e. external users who are not in the exception list), it will set the `state.aaw.statcan.gc.ca/exists-non-sas-notebook-user` label in the Profile to `true`, otherwise `false`.
The Gatekeeper Policies check for these labels in the Profile and allow or deny the creation of objects accordingly. More information about these policies and how the objects interact can be found in their README in the Gatekeeper Policies repository (linked below).
- Deny External Users Policy: `state.aaw.statcan.gc.ca/has-sas-notebook-feature` affects RoleBinding and AuthorizationPolicy objects, which allows or denies adding external contributors. The policy checks whether any pods with the SAS image are running. If there are, it will only allow the RoleBinding and AuthorizationPolicy to be created for internal users.
- Employee-Only Features Policy: `state.aaw.statcan.gc.ca/exists-non-sas-notebook-user` affects Pod and Notebook objects, which allows or denies the creation of SAS Notebook Servers. The policy checks whether there are any external users in a namespace through a Profile label. If there are and they aren't in the exception list, it will not allow the SAS Pod and Notebook to be created.
- If any pod in a list of pods contains a SAS image, `hasSasNotebookFeature` should return `true`.
- If no pod in a list of pods contains a SAS image, `hasSasNotebookFeature` should return `false`.
- If an empty list is passed to `hasSasNotebookFeature`, it should return `false`.
- If any rolebinding in a list of rolebindings contains a non-employee user, `existsNonSasUser` should return `true`.
- If no rolebinding in a list of rolebindings contains a non-employee user, `existsNonSasUser` should return `false`.
- If an empty list is passed to `existsNonSasUser`, it should return `false`.
This controller also adds the `state.aaw.statcan.gc.ca/non-employee-users` label to the Profiles based on the RoleBindings in that namespace.
When the owner of a Kubeflow Profile adds a contributor to their namespace, a rolebinding is created in that namespace, binding the new contributor to the `kubeflow-edit` role in that namespace.
Specifically, contributors are named by their email address (emails with a StatCan domain are considered employees and all other domains are considered non-employees).
If at any point a contributor with an external email address is added to a Kubeflow Profile, the Profile State Controller sets the label `state.aaw.statcan.gc.ca/non-employee-users=true` on both the Kubeflow Profile and the corresponding namespace.
If the RoleBinding shows that the user is external (email does not end with an accepted domain), it will set the label in the Profile to `true`, otherwise `false`.
Other applications on the cluster can use this label to make decisions based on whether namespaces contain non-employee users.
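As an added example (not the controller's own code) of the two checks specified in the unit-test list above and the non-employee-users rule in this section: it assumes simplified Pod and RoleBinding types, treats any image whose repository name is `sas` as a SAS image (the README only names `k8scc01covidacr.azurecr.io/sas:latest`), and models the exception list as a set of lower-cased emails.

```go
package main

import "strings"

// Stand-ins for corev1.Pod and rbacv1.RoleBinding with only the fields the
// checks need (an assumption of this example, not the controller's types).
type Pod struct{ Image string }           // container image reference
type RoleBinding struct{ Subject string } // contributor email address

// Assumption: the README names k8scc01covidacr.azurecr.io/sas:latest, so any
// image whose repository name is "sas" counts, whatever registry, tag or digest.
func isSasImage(image string) bool {
	name := image[strings.LastIndex(image, "/")+1:] // e.g. "sas:latest"
	if i := strings.IndexAny(name, ":@"); i >= 0 {
		name = name[:i] // strip tag or digest
	}
	return name == "sas"
}

// Employee domains from the README; matching the whole "@domain" suffix keeps "x@evil-statcan.gc.ca" external.
var employeeDomains = []string{"statcan.gc.ca", "cloud.statcan.ca"}

func isEmployee(email string) bool {
	e := strings.ToLower(strings.TrimSpace(email))
	for _, d := range employeeDomains {
		if strings.HasSuffix(e, "@"+d) {
			return true
		}
	}
	return false
}

// hasSasNotebookFeature is true iff any pod in the list runs a SAS image.
func hasSasNotebookFeature(pods []Pod) bool {
	for _, p := range pods {
		if isSasImage(p.Image) {
			return true
		}
	}
	return false
}

// existsNonSasUser is true iff any bound subject is external and not on the
// exception list (lower-cased emails); with nil exceptions it is exactly the
// non-employee-users check.
func existsNonSasUser(rbs []RoleBinding, exceptions map[string]bool) bool {
	for _, rb := range rbs {
		if !isEmployee(rb.Subject) && !exceptions[strings.ToLower(rb.Subject)] {
			return true
		}
	}
	return false
}
```

The label value written to the Profile is simply the string form of each boolean; the empty-list cases return `false` because neither loop body runs.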
The FDI storage can be either an external or internal storage container. The controller uses the naming convention of the PVC to determine whether or not the containers are internal. If they are, it will set the label `state.aaw.statcan.gc.ca/exists-internal-blob-storage` to `true`. This label is used by the KFAM module in Kubeflow and prevents the addition of external users to the profile.
See
for the unit tests and relevant documentation.
Add an External Contributor with a SAS image on your namespace
- Create a new notebook server with a custom SAS image
- If you go to Manage Contributors and try to add an external user, it will give you an error, so you will not be allowed to add them as a contributor to your namespace. *If you want to add the external contributor, you will have to delete the notebook server with the SAS image first and then retry adding them as a contributor.
Try to create a notebook with a SAS image when you have an external contributor on your namespace
- Add an external user as a contributor (make sure you have no SAS images running to do this).
- If you try to create a new notebook server with a custom SAS image (k8scc01covidacr.azurecr.io/sas:latest), you will get the following error, stopping you from creating it:
*If you want to create the SAS notebook, you will have to remove the external contributor from your namespace first and then retry creating the notebook.
**Sometimes it will take a few seconds between removing/adding a contributor or notebook for the policies to take effect.
Try to add an external user when you have an internal DAS common storage container mounted to your namespace
- Check that the internal storage is mounted.
- If you try to add a contributor with an email domain not in `statcan.gc.ca` or `cloud.statcan.ca`, you will receive an error.
See CONTRIBUTING.md
Unless otherwise noted, the source code of this project is covered under Crown Copyright, Government of Canada, and is distributed under the MIT License.
The Canada wordmark and related graphics associated with this distribution are protected under trademark law and copyright law. No permission is granted to use them outside the parameters of the Government of Canada's corporate identity program. For more information, see Federal identity requirements.