Open jmcarp opened 2 years ago
/assign @zijianjoy
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Feature Area
What feature would you like to see?
I would like to use the Google IAP as an auth proxy for the KFP UI. As a secondary security measure, Google recommends verifying the JWT header from IAP at the application layer: https://cloud.google.com/iap/docs/signed-headers-howto. As discussed in https://kubeflow.slack.com/archives/CE10KS9M4/p1629833793108400, we can do this in KFP using a custom middleware that's used if the user enables IAP verification using environment variables. I'm planning to send in a draft PR for this.
What is the use case or pain point?
The use case is to expose the KFP UI at a stable url (unlike the long, random urls used by AI Platform Pipelines) with a secure auth proxy in front.
Is there a workaround currently?
It's possible to configure IAP without verifying headers at the application layer, but it would be more secure to verify headers.
Love this idea? Give it a 👍. We prioritize fulfilling features with the most 👍.