In the specific case of the AWS Jakarta region, the ALB, at the time of writing this answer, only supports authentication with OIDC.
To work with Kubeflow, we can configure the ALB to authenticate directly with auth-idp-oidc. We will have to get the endpoints, client ID, and client secret from our OIDC IdP and specify them as annotations on the ALB ingress, and we'll also need an Envoy filter to pass authenticated user data to Kubeflow.
For a step-by-step sample, you can try to follow this guide.
You can use Cognito in another region. There, you can federate your custom OIDC through the Identity Providers section of Cognito.
Cognito is integrated nicely with the EC2 Load Balancers, which sit in front of the EKS ingress gateway, used by the UI for ml-pipelines, notebooks, model serving, etc. So, all requests ending up in your Kubeflow environment through that ingress are authorised. Furthermore, the ALB access logs for your Kubeflow traffic are stored in S3 by the ALB properties, externally to EKS. That makes it agnostic to Kubeflow and hence a best practice for security auditing.