Skip to main content

How to delete the old unused user profiles in EKF1.4

Arvind Gupta
  • Updated

 

This article explains how to delete old unused profile from an EKF cluster >=1.4. Please note that when connected to OIDC, access to the cluster is managed by OIDC group or individual settings. This document only describe how to remove a user profile which was already removed/revoked from your OIDC provider.

 

1. List the user profiles of your Cluster: 

root@rok-tools:~/ops/deployments (release-1.4)# kubectl get profiles
NAME           AGE
kubeflow-user1 23m
kubeflow-user2 21m
kubeflow-user3 20m

2. Delete the user profile that you wish to remove

root@rok-tools:~/ops/deployments (release-1.4)# kubectl delete profile <PROFILE-NAME>

for example: 

root@rok-tools:~/ops/deployments (release-1.4)# kubectl delete profile kubeflow-user2

 

WARNING 1: Deleting a user profile will not prevent this user from logging in again with their credentials. If such a user logs in again, then the Kubeflow Reception will create a new profile for this user.

WARNING 2: Ensure that the user profile that you wish to delete belongs to an old not-required user. If you delete the user profile of an active user, then they will no longer be able to view or edit their work.

 

Verify
1. Ensure that the profile is removed:

root@rok-tools:~/ops/deployments (release-1.4)# kubectl get profiles 
NAME AGE 
kubeflow-user1 23m 
kubeflow-user3 20m


 For details of what happens behind the scene, here is how Kubeflow Reception creates a profile for a user that just logged in:
1. Client: Request the reception endpoint with the UserID header and the cookie.
2. Istio Gateway: Forward this request to AuthService.
3. AuthService: Verify that the request can proceed.
4. Istio Gateway: Forward the response to Kubeflow Reception.
5. Reception: Retrieve the UserID from the header and generate the profile name for this client.
6. Reception: If there is not a profile for this profile name then request from the Kubernetes API Server to create a resource of type Profile for this client.
7. Kubernetes: Create a resource of type Profile.
8. Profile Controller: Watch Kubernetes API Server for Profile resources.
9. Profile Controller: Create a new namespace for this new Profile resource. Create two Service Accounts for this client. Create the respective RoleBindings to enforce the proper permissions for this client.
10. Kubernetes: Create the requested Service Accounts and the RoleBindings.
11. Reception: Wait for the client to be bound to the new profile.
12. Reception: Retrieve the original URL that the client attempted to request (before logging in) from the ?next query parameter of the URL. Redirect the client to this URL.
13. Istio Gateway: Forward the response to the client.

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.