jupyter-server / gateway_provisioners

Provides remote kernel provisioners for various resource-managed clusters.
https://gateway-provisioners.readthedocs.io

More flexible kubernetes cluster auth #4

Closed elibixby closed 2 years ago

elibixby commented 2 years ago

Hey thanks for the great package.

It would be nice if there were more flexible options for authenticating to the k8s master for the KubernetesProvisioner.

For example, in my deployment I have developers log in to JupyterHub with OAuth, and then I use KubeSpawner.auth_state_hook to propagate their access token to their JupyterHub server, where I use it to authenticate to the GKE master (since GKE lets you manage RBAC with Google IAM).

You could borrow from a bunch of other tools (like dask_kubernetes) and use ~/.kube/config profiles to authenticate (an env var naming the profile).

I may work on this if I get some time, and you're interested.

kevin-bates commented 2 years ago

Hi @elibixby - thank you for your interest. Yes, I would imagine there's lots of room here for improvement.

What I'd like us to keep in mind is that we do not go down a road dedicated to a particular use-case (like hub-based applications) or Kernel-as-a-service apps and I suspect this is where parameterization will be key (if we can ever get that off the ground).

If you're able to tolerate the roughness of this repo, then, by all means, add what you need and, based on that, we'll look at massaging things into a workable framework as best we can.

elibixby commented 2 years ago

Hey, don't think this is a particularly use-case specific capability. Maybe I wasn't clear, just proposing allowing for ~/.kube/config to provide the auth, rather than a cluster service account.

Provided changes that I think should work in #5. I'll be testing it out in the next week sometime.

kevin-bates commented 2 years ago

Closed as implemented via #5.
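
The kubeconfig-profile approach proposed in this thread, sketched as an added example; it is not the code from #5 or from the project. The environment variable name `EXAMPLE_K8S_CONTEXT` and both function names are hypothetical, and the official `kubernetes` Python client is assumed to be installed when `configure_client` is called.

```python
import os
from pathlib import Path

# Hypothetical variable name chosen for this example; not defined by the project.
CONTEXT_ENV = "EXAMPLE_K8S_CONTEXT"
# Standard path where Kubernetes mounts a pod's service account token.
SA_TOKEN = Path("/var/run/secrets/kubernetes.io/serviceaccount/token")


def select_auth(env, sa_token_exists):
    """Decide which credential source to use, without touching the cluster.

    Returns ("kubeconfig", context_name) or ("incluster", None).
    Raises RuntimeError when neither source is usable.
    """
    context = (env.get(CONTEXT_ENV) or "").strip()
    if context:
        # An explicitly named profile always wins, so a per-user token is never
        # silently replaced by the shared cluster service account.
        return ("kubeconfig", context)
    if env.get("KUBERNETES_SERVICE_HOST") and sa_token_exists:
        return ("incluster", None)
    raise RuntimeError(f"set {CONTEXT_ENV} or run inside a pod with a service account")


def configure_client(env=None):
    """Load credentials into the kubernetes client (imported lazily)."""
    from kubernetes import config

    env = os.environ if env is None else env
    mode, context = select_auth(env, SA_TOKEN.is_file())
    if mode == "kubeconfig":
        contexts, _active = config.list_kube_config_contexts()
        names = [c["name"] for c in contexts]
        if context not in names:
            # Fail closed rather than falling back to a different identity.
            raise RuntimeError(f"context {context!r} not in kubeconfig: {names}")
        config.load_kube_config(context=context)
    else:
        config.load_incluster_config()
    return mode
```

With the kubeconfig path, Kubernetes RBAC is evaluated against the identity in the named profile, so API audit logs attribute kernel pod creation to that identity instead of one shared service account.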