Securing the Kubeflow authentication with HTTPS
This guide describes how to secure the Kubeflow authentication with HTTPS.
You can enable HTTPS for Kubeflow dashboard (and other web UIs) using the
network load balancer (NLB) feature of the IBM Cloud Kubernetes service—choose
the classic
worker nodes provider in the
Setting environment variables
section of the Create an IBM Cloud cluster guide.
Note: For details on NLB, go to the official Classic: About network load balancers guide.
Prerequisites
- Install and configure the IBM Cloud CLI.
- Install multi-user, auth-enabled Kubeflow.
Setting up an NLB
To set up an NLB for your Kubernetes cluster, follow the official Classic: Setting up basic load balancing with an NLB 1.0 guide. Notice that the setup process for a multi-zone cluster differs from that of a single-zone cluster. For details, go to Setting up an NLB 1.0 in a multi-zone cluster.
-
To use the existing Istio ingress gateway (instead of creating a new service), you need to update the service type of
istio-ingressgateway
toLoadBalancer
fromNodePort
. Run the following command:kubectl patch svc istio-ingressgateway -n istio-system -p '{"spec":{"type":"LoadBalancer"}}'
-
Verify that the NLB was created successfully. It might take a few minutes for the service to be created and an IP address to be made available. Run the command below and check if you can see the
LoadBalancer Ingress
IP address:kubectl describe service istio-ingressgateway -n istio-system | grep "LoadBalancer Ingress"
-
Store the external IP of the
istio-ingressgateway
service in an environment variable:export INGRESS_GATEWAY_IP=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
Exposing the Kubeflow dashboard with DNS and TLS termination
The following instructions use the Kubeflow dashboard as an example. However, they apply to other web UI applications, since they all go through the Istio ingress gateway.
-
Store the Kubernetes cluster name in an environment variable by running the following command:
export CLUSTER_NAME=<cluster_name>
-
Create a DNS domain and certificates for the IP of the service
istio-ingressgateway
in namespaceistio-system
:ibmcloud ks nlb-dns create classic --cluster $CLUSTER_NAME --ip $INGRESS_GATEWAY_IP --secret-namespace istio-system
-
List the registered domain names:
ibmcloud ks nlb-dns ls --cluster $CLUSTER_NAME
-
Wait until the status of the certificate—the fourth field—of the new domain name becomes
created
. Then, save the value of the columnSSL Cert Secret Name
in environment variables by running these commands (replace{SECRET_NAME}
with the secret’s name as shown in theSSL Cert Secret Name
column):export INGRESS_GATEWAY_SECRET={SECRET_NAME}
Note: If there is more than one entry in the output, choose the one that matches the IP address from
LoadBalancer Ingress
(step 2) of serviceistio-ingressgateway
. -
Create a secret named
istio-ingressgateway-certs
for theistio-ingressgateway
pods in namespaceistio-system
:kubectl get secret $INGRESS_GATEWAY_SECRET -o yaml > istio-ingressgateway-certs.yaml
-
Update the
istio-ingressgateway-certs.yaml
file by changing the value ofmetadata.name
toistio-ingressgateway-certs
and the value ofmetadata.namespace
toistio-system
. Then, run the following commands:kubectl apply -f istio-ingressgateway-certs.yaml -n istio-system kubectl rollout restart deploy istio-ingressgateway -n istio-system rm istio-ingressgateway-certs.yaml
-
Update the gateway
kubeflow-gateway
to expose port443
. Create a resource filekubeflow-gateway.yaml
as follows by replacing<hostname>
with the value of the columnHostname
in step 4:apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: kubeflow-gateway namespace: kubeflow spec: selector: istio: ingressgateway servers: - hosts: - '<hostname>' port: name: https number: 443 protocol: HTTPS tls: mode: SIMPLE privateKey: /etc/istio/ingressgateway-certs/tls.key serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
-
Verify that the traffic is routed via HTTPS by using the value of above-mentioned
Hostname
in your browser. It should redirect traffic from an HTTP address to HTTPS address automatically.
Note: The certificates for the NLB DNS host secret expire every 90 days.
The secret in the default
namespace is automatically renewed by IBM Cloud
Kubernetes Service 37 days before it expires. After this secret is updated, you
must manually copy it to the istio-ingressgateway-certs
secret by repeating
commands in step 5 and 6.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.