This article explains how to delete an old, unused profile from an EKF cluster >=1.4. Please note that when the cluster is connected to OIDC, access to the cluster is managed by OIDC group or individual settings. This document only describes how to remove a user profile that was already removed/revoked from your OIDC provider.
1. List the user profiles of your Cluster:
root@rok-tools:~/ops/deployments (release-1.4)# kubectl get profiles
NAME AGE
kubeflow-user1 23m
kubeflow-user2 21m
kubeflow-user3 20m
2. Delete the user profile that you wish to remove:
root@rok-tools:~/ops/deployments (release-1.4)# kubectl delete profile <PROFILE-NAME>
For example:
root@rok-tools:~/ops/deployments (release-1.4)# kubectl delete profile kubeflow-user2
WARNING 1: Deleting a user profile will not prevent this user from logging in again with their credentials. If such a user logs in again, then the Kubeflow Reception will create a new profile for this user.
WARNING 2: Ensure that the user profile that you wish to delete belongs to an old user who is no longer required. If you delete the user profile of an active user, then they will no longer be able to view or edit their work.
Verify
1. Ensure that the profile is removed:
root@rok-tools:~/ops/deployments (release-1.4)# kubectl get profiles
NAME AGE
kubeflow-user1 23m
kubeflow-user3 20m
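To act on WARNING 2 before deleting anything, the following added example (not part of the original article or of EKF) lists only the profiles whose owner is missing from a list of active users exported from your OIDC provider. It assumes the owner is stored in `.spec.owner.name` of the Profile resource, as in upstream Kubeflow; the active-users file and the function names are hypothetical.

```shell
# Added example: find profiles whose owner is no longer an active OIDC user.
# Assumption: the Profile owner is stored in .spec.owner.name.

# Print "<profile> <owner>" for every Profile in the cluster.
# kubectl prints "<none>" in the OWNER column when the field is missing.
list_profile_owners() {
    kubectl get profiles --no-headers \
        -o custom-columns=NAME:.metadata.name,OWNER:.spec.owner.name
}

# Usage: list_profile_owners | stale_profiles ACTIVE_USERS_FILE
# ACTIVE_USERS_FILE holds one user ID per line (blank lines and '#' comments
# are ignored). Owners are compared case-insensitively.
# Prints "<profile> <owner>" for each profile whose owner is not active.
stale_profiles() {
    # An empty or missing export would mark every profile as stale, so refuse.
    [ -s "$1" ] || { echo "active-user list missing or empty: $1" >&2; return 2; }
    awk '
        NR == FNR {                       # first input: active users
            sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
            if ($0 != "") active[tolower($0)] = 1
            next
        }
        NF == 0 { next }                  # second input: profile listing
        {
            # Profiles without an owner are reported for manual review.
            owner = (NF >= 2) ? $2 : "<none>"
            if (!(tolower(owner) in active)) print $1, owner
        }
    ' "$1" -
}
```

Review the printed candidates by hand, then delete each confirmed profile with the `kubectl delete profile <PROFILE-NAME>` command from step 2.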
For details of what happens behind the scenes, here is how Kubeflow Reception creates a profile for a user that just logged in:
1. Client: Request the reception endpoint with the UserID header and the cookie.
2. Istio Gateway: Forward this request to AuthService.
3. AuthService: Verify that the request can proceed.
4. Istio Gateway: Forward the response to Kubeflow Reception.
5. Reception: Retrieve the UserID from the header and generate the profile name for this client.
6. Reception: If no profile exists for this profile name, ask the Kubernetes API Server to create a resource of type Profile for this client.
7. Kubernetes: Create a resource of type Profile.
8. Profile Controller: Watch Kubernetes API Server for Profile resources.
9. Profile Controller: Create a new namespace for this new Profile resource. Create two Service Accounts for this client. Create the respective RoleBindings to enforce the proper permissions for this client.
10. Kubernetes: Create the requested Service Accounts and the RoleBindings.
11. Reception: Wait for the client to be bound to the new profile.
12. Reception: Retrieve the original URL that the client attempted to request (before logging in) from the ?next query parameter of the URL. Redirect the client to this URL.
13. Istio Gateway: Forward the response to the client.