Authenticate Kubeflow users with Custom Password or Entra Id
Authenticating Kubeflow users on AKS with Custom Password or Entra Id
Categories:
Background
In this lab, you will update the Kubeflow vanilla installation option to configure authentication using either custom users and passwords or Azure Entra ID.
Change default password
⚠️ Warning: Always Update the default password before making Kubeflow deployment accessible from outside the cluster.
To change the default password for the Kubeflow dashboard, you need to update the Dex configuration.
- First generate Password/Hashes by following steps described in
kubeflowdocs using python to generate bcrypt hash. Or for simplicity you can use an online tool like bcrypt-generator to create a new hash.
pip3 install passlib
python3 -c 'from passlib.hash import bcrypt; import getpass; print(bcrypt.using(rounds=12, ident="2y").hash(getpass.getpass()))'
Password: ***
$2y$12$XXXXXXXXXXXXXXXXXXX
- Delete existing password
kubectl delete secret dex-passwords -n auth
- Create new password secret
kubectl create secret generic dex-passwords --from-literal=DEX_USER_PASSWORD='REPLACE_WITH_HASH' -n auth
- Restart the Dex deployment to pick up the new password secret:
kubectl rollout restart deployment dex -n auth
To add more users
- update
dexconfig mapdeployments/vanilla/dex-config-map.yamlwith more entries in user array:
staticPasswords:
- email: user@example.com
hashFromEnv: DEX_USER_PASSWORD
username: user
userID: "15841185641784"
# Add more users here
- email: user2@example.com
hashFromEnv: DEX_USER2_PASSWORD
username: user2
userID: "15841185641785"
- Update
DEX_USER2_PASSWORDwith the new password hash.
kubectl patch secret dex-passwords -n auth --type='json' -p='[{"op": "replace", "path": "/data/DEX_USER2_PASSWORD", "value":"'$(echo -n 'REPLACE_WITH_HASH' | base64)'"}]'
- Apply config map and restart deployment
kubectl apply -f deployments/vanilla/dex-config-map.yaml
kubectl rollout restart deployment dex -n auth
Note: if need to update the default email address, change the params file located at manifests\common\user-namespace\base\params.env before installing Kubeflow.