Security considerations
The following security issues must be considered before installing Kubeflow on your Kubernetes setup:
- Kubeflow has full access to Kubernetes. Be cautious about running other services on the same cluster.
- Dex Kubernetes Authenticator is used in Kubeflow, and is unable to distinguish between users in different groups. All users configured in LDAP will have access to Kubeflow.
- Kubeflow is unable to operate on a cluster with an enabled PSP (pod security policy).
- Users of Kubeflow are free to create any resource, including running root-owned processes in pods that are able to mount any path from the host.
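Because no pod security policy is enforced, one way to keep an eye on the last point is to audit running pods for host path mounts, privileged containers and containers that may run as root. The script below is an added example, not part of the original article or of Kubeflow; it assumes it is fed the output of `kubectl get pods -A -o json`, and the embedded sample pods are constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster output).
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "kubeflow", "name": "notebook-a"},
     "spec": {"volumes": [{"name": "h", "hostPath": {"path": "/"}}],
              "containers": [{"name": "c", "securityContext": {"privileged": True}}]}},
    {"metadata": {"namespace": "kubeflow", "name": "notebook-b"},
     "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
              "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "pvc"}}],
              "containers": [{"name": "c"}]}},
]})


def audit_pod(pod):
    """Return a list of findings for one pod object."""
    spec = pod.get("spec", {})
    findings = []
    for vol in spec.get("volumes") or []:
        if "hostPath" in vol:
            findings.append("hostPath:" + vol["hostPath"].get("path", "?"))
    pod_sc = spec.get("securityContext") or {}
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append("privileged:" + c["name"])
        # Container-level settings override pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        # No UID and no runAsNonRoot means the image default applies, often root.
        if uid == 0 or (uid is None and not non_root):
            findings.append("may-run-as-root:" + c["name"])
    return findings


def audit(pod_list_json):
    """Map 'namespace/name' -> findings for every pod that has any."""
    report = {}
    for pod in json.loads(pod_list_json).get("items", []):
        found = audit_pod(pod)
        if found:
            report["{namespace}/{name}".format(**pod["metadata"])] = found
    return report


if __name__ == "__main__":
    # Pipe kubectl output in; with no piped input the constructed sample is used.
    data = ("" if sys.stdin.isatty() else sys.stdin.read()) or SAMPLE
    for pod, found in sorted(audit(data).items()):
        print(pod, ", ".join(found))
```
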
Installation process
1. Make sure your cluster is configured with the default storage class:
# kubectl get storageclass
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
local-path (default) rancher.io/local-path Delete WaitForFirstConsumer false 5d20h
2. Configure additional options for the kube-api service:
cmsh -c 'configurationoverlay; use kube-default-master; roles; use kubernetes::apiserver; append options "--service-account-signing-key-file=/cm/local/apps/kubernetes/var/etc/sa-default.key"; append options "--service-account-issuer=kubernetes.default.svc"; commit;'
3. Download the tarball and unpack it. The tarball has a customized config:
cd /root
wget https://support.brightcomputing.com/kb-articles/kubeflow/kubeflow-1.2.0.tar.gz
tar -xzf kubeflow-1.2.0.tar.gz
4. Run the installation:
./kubeflow-1.2.0/install.sh
5. Check that all containers have been downloaded and are running (the command lists any pods that are not in the Running state):
eval 'kubectl get pods -n '{kubeflow,istio-system,auth,cert-manager,knative-serving}'| grep -v Running;'
6. Log in to the web interface at: http://node-name:31380