Checks
Motivation
Configuration complexity of the Profile Controller and future modifications to support Istio Ambient mode and the Gateway API.
Implementation
At this moment, the Profile controller creates hardcoded resources, such as roles, role bindings, and authorization policies. To implement Istio Ambient, we need to add additional Istio resources, such as a Gateway with the istio-waypoint class.
My proposal is to add configuration options, such as an ENV_FLAG, or improve plugins to create additional Kubernetes resources with a default configuration stored in a ConfigMap.
kind: ConfigMap
metadata:
name: profile-options
data:
namespace: |
metadata:
labels:
additional-label: some-value
annotations:
additional-annotation: some-value
serviceAccounts: |
- name: default-editor
metadata:
labels:
custom-label: custom-value
annotations:
custom-annotation: custom-value
roles:
- roleRef:
kind: ClusterRole
name: kubeflow-view
- name: default-viewer
roles:
- roleRef:
kind: ClusterRole
name: kubeflow-edit
gateway: |
metadata:
name: waypoint
spec:
selector:
istio.io/rev: ambient
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
authorizationPolicy: |
metadata:
name: profile-authorization-policy
spec:
selector:
matchLabels:
istio.io/rev: ambient
rules:
- from:
- source:
principals:
- cluster.local/ns/kubeflow/sa/kubeflow-profile-controller
to:
- operation:
methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
action: ALLOW
I would like to implement a new specification for the Profile object to add an option to override hardcoded resources:
kind: Profile
metadata:
name: test-user-profile
spec:
owner:
kind: User
name: test-user@kubeflow.org
roles:
- roleRef:
kind: ClusterRole
name: kubeflow-admin
serviceAccounts:
- name: default-editor
metadata:
labels:
custom-label: custom-value
annotations:
custom-annotation: custom-value
roles:
- roleRef:
kind: ClusterRole
name: kubeflow-view
- name: default-viewer
roles:
- roleRef:
kind: ClusterRole
name: kubeflow-edit
Are you willing & able to help?
Checks
kubeflow/dashboardrepository.Motivation
Configuration complexity of the Profile Controller and future modifications to support Istio Ambient mode and the Gateway API.
Implementation
At this moment, the Profile controller creates hardcoded resources, such as roles, role bindings, and authorization policies. To implement Istio Ambient, we need to add additional Istio resources, such as a Gateway with the istio-waypoint class.
My proposal is to add configuration options, such as an ENV_FLAG, or improve plugins to create additional Kubernetes resources with a default configuration stored in a ConfigMap.
I would like to implement a new specification for the Profile object to add an option to override hardcoded resources:
Are you willing & able to help?