Make principals dynamic in Profiles Controller (kubeflow#7310)

* Make principals dynamic in Profiles Controller Signed-off-by: Kimonas Sotirchos <kimwnasptd@gmail.com> * review: Use dynamic principal of IGW in KFAM Signed-off-by: Kimonas Sotirchos <kimwnasptd@gmail.com> * review: Add env vars to manifests Signed-off-by: Kimonas Sotirchos <kimwnasptd@gmail.com> * review: Add pipelines-ui principal Signed-off-by: Kimonas Sotirchos <kimwnasptd@gmail.com> * Update golang to 1.19 for unit tests to succeed Signed-off-by: Kimonas Sotirchos <kimwnasptd@gmail.com> * review: Include KFP UI principle in profiles/kfam Signed-off-by: Kimonas Sotirchos <kimwnasptd@gmail.com> --------- Signed-off-by: Kimonas Sotirchos <kimwnasptd@gmail.com>
jiridanek · Oct 12, 2023 · 51becc7 · 51becc7
1 parent 52a9e32
commit 51becc7
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 10 deletions.
diff --git a/.github/workflows/prof_controller_unit_test.yaml b/.github/workflows/prof_controller_unit_test.yaml
@@ -14,7 +14,7 @@ jobs:
     - name: Install Go
       uses: actions/setup-go@v3
       with:
-        go-version: '1.17'
+        go-version: '1.19'
         check-latest: true
 
     - name: Run unit tests

diff --git a/components/access-management/kfam/bindings.go b/components/access-management/kfam/bindings.go
@@ -77,6 +77,14 @@ func getBindingName(binding *Binding) (string, error) {
 }
 
 func getAuthorizationPolicy(binding *Binding, userIdHeader string, userIdPrefix string) istioSecurity.AuthorizationPolicy {
+	istioIGWPrincipal := GetEnvDefault(
+		"ISTIO_INGRESS_GATEWAY_PRINCIPAL",
+		"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account")
+
+	kfpUIPrincipal := GetEnvDefault(
+		"KFP_UI_PRINCIPAL",
+		"cluster.local/ns/kubeflow/sa/ml-pipeline-ui")
+
 	return istioSecurity.AuthorizationPolicy{
 		Rules: []*istioSecurity.Rule{
 			{
@@ -91,7 +99,8 @@ func getAuthorizationPolicy(binding *Binding, userIdHeader string, userIdPrefix
 				From: []*istioSecurity.Rule_From{{
 					Source: &istioSecurity.Source{
 						Principals: []string{
-							"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account",
+							istioIGWPrincipal,
+							kfpUIPrincipal,
 						},
 					},
 				}},

diff --git a/components/access-management/kfam/utils.go b/components/access-management/kfam/utils.go
@@ -13,3 +13,13 @@
 // limitations under the License.
 
 package kfam
+
+import "os"
+
+func GetEnvDefault(variable string, defaultVal string) string {
+	envVar := os.Getenv(variable)
+	if len(envVar) == 0 {
+		return defaultVal
+	}
+	return envVar
+}
diff --git a/components/profile-controller/config/manager/kustomization.yaml b/components/profile-controller/config/manager/kustomization.yaml
@@ -8,4 +8,7 @@ configMapGenerator:
   - WORKLOAD_IDENTITY=
   - USERID_HEADER="kubeflow-userid"
   - USERID_PREFIX=
-  name: config
+  - ISTIO_INGRESS_GATEWAY_PRINCIPAL="cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account")
+  - NOTEBOOK_CONTROLLER_PRINCIPAL="cluster.local/ns/kubeflow/sa/notebook-controller-service-account")
+  - KFP_UI_PRINCIPAL="cluster.local/ns/kubeflow/sa/ml-pipeline-ui"
+  name: config
diff --git a/components/profile-controller/controllers/profile_controller.go b/components/profile-controller/controllers/profile_controller.go
@@ -417,12 +417,17 @@ func (r *ProfileReconciler) SetupWithManager(mgr ctrl.Manager) error {
 }
 
 func (r *ProfileReconciler) getAuthorizationPolicy(profileIns *profilev1.Profile) istioSecurity.AuthorizationPolicy {
+	nbControllerPrincipal := GetEnvDefault(
+		"NOTEBOOK_CONTROLLER_PRINCIPAL",
+		"cluster.local/ns/kubeflow/sa/notebook-controller-service-account")
 
-	clusterDomain := "cluster.local"
-	if clusterDomainFromEnv, ok := os.LookupEnv("CLUSTER_DOMAIN"); ok {
-		clusterDomain = clusterDomainFromEnv
-	}
-	principals := fmt.Sprintf("%s/ns/kubeflow/sa/notebook-controller-service-account", clusterDomain)
+	istioIGWPrincipal := GetEnvDefault(
+		"ISTIO_INGRESS_GATEWAY_PRINCIPAL",
+		"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account")
+
+	kfpUIPrincipal := GetEnvDefault(
+		"KFP_UI_PRINCIPAL",
+		"cluster.local/ns/kubeflow/sa/ml-pipeline-ui")
 
 	return istioSecurity.AuthorizationPolicy{
 		Action: istioSecurity.AuthorizationPolicy_ALLOW,
@@ -443,7 +448,8 @@ func (r *ProfileReconciler) getAuthorizationPolicy(profileIns *profilev1.Profile
 				From: []*istioSecurity.Rule_From{{
 					Source: &istioSecurity.Source{
 						Principals: []string{
-							"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account",
+							istioIGWPrincipal,
+							kfpUIPrincipal,
 						},
 					},
 				}},
@@ -480,7 +486,7 @@ func (r *ProfileReconciler) getAuthorizationPolicy(profileIns *profilev1.Profile
 				From: []*istioSecurity.Rule_From{
 					{
 						Source: &istioSecurity.Source{
-							Principals: []string{principals},
+							Principals: []string{nbControllerPrincipal},
 						},
 					},
 				},
@@ -782,3 +788,11 @@ func (r *ProfileReconciler) readDefaultLabelsFromFile(path string) map[string]st
 	}
 	return labels
 }
+
+func GetEnvDefault(variable string, defaultVal string) string {
+	envVar := os.Getenv(variable)
+	if len(envVar) == 0 {
+		return defaultVal
+	}
+	return envVar
+}