search

kubeflow / pipelines

Machine Learning Pipelines for Kubeflow
https://www.kubeflow.org/docs/components/pipelines/
Apache License 2.0
3.5k stars 1.58k forks source link

[feature] Validate IAP JWT header #6445

Open jmcarp opened 2 years ago

jmcarp commented 2 years ago

Feature Area

What feature would you like to see?

I would like to use the Google IAP as an auth proxy for the KFP UI. As a secondary security measure, Google recommends verifying the JWT header from IAP at the application layer: https://cloud.google.com/iap/docs/signed-headers-howto. As discussed in https://kubeflow.slack.com/archives/CE10KS9M4/p1629833793108400, we can do this in KFP using a custom middleware that's used if the user enables IAP verification using environment variables. I'm planning to send in a draft PR for this.

What is the use case or pain point?

The use case is to expose the KFP UI at a stable url (unlike the long, random urls used by AI Platform Pipelines) with a secure auth proxy in front.

Is there a workaround currently?

It's possible to configure IAP without verifying headers at the application layer, but it would be more secure to verify headers.

Love this idea? Give it a 👍. We prioritize fulfilling features with the most 👍.

zijianjoy commented 2 years ago

/assign @zijianjoy

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] commented 2 weeks ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.