Sample config setting Kubeflow with custom OIDC provider

0

Are there any step-by-step guides/tutorials on how to implement Kubeflow with custom OIDC providers?

I want to install Kubeflow in region Jakarta with EKS, but Cognito is not available in region JKT (ap-southeast-3), so alternatively I'm looking to use Dex and a custom OIDC provider (GitHub or Google Workspace).

I've tried to do some research but can't figure out how to set it:

2 Answers
1
Accepted Answer

In the specific case of AWS region Jakarta, the ALB at the time of writing this answer only supports authentication with OIDC.

To work with Kubeflow, we can configure the ALB to authenticate directly with auth-idp-oidc. We will have to get the endpoints, client ID, and client secret from our OIDC IdP and specify them as annotations on the ALB ingress, and we'll also need an Envoy filter to pass authenticated user data to Kubeflow.

For a step-by-step sample, you can try to follow this guide.

AWS
answered 2 years ago
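The ingress half of the setup described in the answer above, as an added configuration example that is not part of the original answer or the linked guide. It uses the AWS Load Balancer Controller's OIDC annotations; every hostname, endpoint, ARN and resource name is a placeholder, and the `istio-ingressgateway` backend in `istio-system` is an assumption about a default Kubeflow install. The Envoy filter the answer mentions is not shown.

```yaml
# Constructed example: replace every placeholder with values from your own IdP.
# The client secret lives in a Kubernetes Secret, never in the annotation itself.
apiVersion: v1
kind: Secret
metadata:
  name: alb-oidc-client            # hypothetical name, referenced by secretName below
  namespace: istio-system          # must be the same namespace as the Ingress
type: Opaque
stringData:
  clientID: "<client-id-from-your-idp>"
  clientSecret: "<client-secret-from-your-idp>"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: istio-ingress              # hypothetical name
  namespace: istio-system
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    # ALB authentication only works on HTTPS listeners, so a certificate is required.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/certificate-arn: "<acm-certificate-arn>"
    alb.ingress.kubernetes.io/auth-type: oidc
    # Endpoints come from the IdP's discovery document; idp.example.com is a placeholder.
    alb.ingress.kubernetes.io/auth-idp-oidc: >-
      {"issuer":"https://idp.example.com",
      "authorizationEndpoint":"https://idp.example.com/authorize",
      "tokenEndpoint":"https://idp.example.com/token",
      "userInfoEndpoint":"https://idp.example.com/userinfo",
      "secretName":"alb-oidc-client"}
    alb.ingress.kubernetes.io/auth-scope: "openid email"
    # Redirect unauthenticated requests to the IdP instead of letting them through.
    alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: istio-ingressgateway   # assumed Kubeflow default gateway service
                port:
                  number: 80
```

After a successful login the ALB forwards the user's claims to the backend in the `x-amzn-oidc-data` header, which is the data the Envoy filter has to hand to Kubeflow. The gateway service should be reachable only through the ALB, since anything that can reach it directly bypasses this authentication.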
0

You can use Cognito in another region. There, you can federate your custom OIDC through the Identity Providers section of Cognito.

Cognito is integrated nicely with the EC2 Load Balancers, which sit in front of the EKS ingress gateway, used by the UI for ml-pipelines, notebooks, model serving, etc. So all requests ending up in your Kubeflow environment through that ingress are authorised. Furthermore, the ALB access logs for your Kubeflow traffic are stored in S3 by the ALB properties, externally to EKS. That makes it agnostic to Kubeflow and hence a best practice for security auditing.

AWS
theofpa
answered 2 years ago
