Add New Roles
Role-Based Access Control (RBAC) is a critical security feature in Kubeflow that allows administrators to define granular permissions for users. Instead of assigning permissions directly, you create Roles that contain a set of rules, and then bind those roles to users. This guide details the end-to-end process of creating a new custom role, defining its permissions, and managing it through the Kubeflow user interface.
Navigate to the Roles Management Page
To begin, you must access the central area for role administration.
Click on the “Settings” icon in the main navigation sidebar.
On the Settings page, you will see a secondary navigation menu. Select the “Roles” option to proceed to the roles management dashboard.


Initiate the Role Creation Process
The Roles dashboard displays all existing roles within the namespace. To create a new one, click the “Create Role” button, typically located in the upper right corner of the page.

This action will launch the “Create New Role” dialog box, where you will define the role's name and its specific permissions.
Define the Role Name and Policy Rules
In the dialog box, you must first provide a descriptive “Role Name”. This name should clearly represent the persona or function of the users who will be assigned this role. For this example, we will name the role “Data Scientist”.

Next, you will configure the “Policy Rules”. A policy rule is the core of a role, defining what actions a user can perform on specific Kubeflow resources. Each rule consists of two parts:
Resources: These are the Kubeflow objects that the role can interact with (e.g., Notebooks, Pipelines, TFJobs). You can select one or more resources for a single rule.
Verbs: These are the permitted actions that can be performed on the selected resources (e.g., get, list, create, delete).

For our “Data Scientist” role, we will configure three distinct rules to grant a specific set of permissions. Use the “+ Add Rule” button to create additional rules.
Rule 1: Full Control over Notebooks
Resources: Select Notebooks.
Verbs: Check the boxes for create, get, list, and delete. This gives the user full lifecycle control over their notebook servers.
Rule 2: Permission to Run and View Pipelines
Resources: Select both Runs and Pipelines.
Verbs: Check the boxes for get, list, and create. This allows the user to view existing pipelines and execute new runs, but not delete them.
Rule 3: Read-Only Access to Training Jobs
Resources: Select both TFJobs and PyTorchJobs.
Verbs: Check the boxes for get and list. This allows the user to monitor and view the details of training jobs without being able to create or delete them.



Once all the rules are configured, click the “Create Role” button to finalize the process.
Verify and Manage the New Role
After successful creation, you will be returned to the Roles dashboard. The new “Data Scientist” role will now appear in the “Existing Roles” list.


In the “Actions” column on the right side of the list, you will find two icons for managing the role:
a. Role Details (Eye Icon): Clicking the eye icon opens a detailed view of the role. This page displays Basic Information (Name, Namespace, Creation Date) and lists all the Policy Rules you configured, giving you a clear record of the role's permissions to review.

b. Bind Role to User (Chain Icon): Clicking the chain icon allows you to assign this role to a specific user. A dialog box will appear containing the “Role Name” and “Namespace”. You simply need to select the desired “User” from the dropdown list. Once selected, click the “Bind User” button. This action creates a RoleBinding, officially granting the user all the permissions defined in the role.
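Before binding users, it helps to confirm that the stored role grants exactly the three rules configured above and nothing more. The following is an added example, not part of the Kubeflow UI or this guide's original content. It assumes the role is stored as a Kubernetes Role with lowercase plural resource names; the role name, namespace, API groups and the sample JSON are constructed for illustration.

```python
import json

# Intended "Data Scientist" permissions, from the three rules in this guide.
# Lowercase plural resource names are an assumption about the stored Role.
INTENDED = {
    "notebooks": {"create", "get", "list", "delete"},
    "pipelines": {"get", "list", "create"},
    "runs": {"get", "list", "create"},
    "tfjobs": {"get", "list"},
    "pytorchjobs": {"get", "list"},
}

def granted(role):
    """Flatten a Role's rules into {resource: set(verbs)}."""
    perms = {}
    for rule in role.get("rules", []):
        for res in rule.get("resources", []):
            perms.setdefault(res, set()).update(rule.get("verbs", []))
    return perms

def audit(role, intended=INTENDED):
    """Return (excess, missing) lists of 'resource:verb' strings."""
    perms = granted(role)
    excess, missing = [], []
    for res, verbs in perms.items():
        allowed = intended.get(res, set())
        for verb in sorted(verbs):
            # Any wildcard resource or verb exceeds the intended policy.
            if res == "*" or verb == "*" or verb not in allowed:
                excess.append(f"{res}:{verb}")
    for res, verbs in intended.items():
        have = perms.get(res, set()) | perms.get("*", set())
        for verb in sorted(verbs):
            if verb not in have and "*" not in have:
                missing.append(f"{res}:{verb}")
    return sorted(excess), sorted(missing)

# Constructed sample shaped like `kubectl get role <name> -o json` output.
# Rule 2 carries an extra "delete" and PyTorchJobs is absent, to show drift.
SAMPLE = json.loads("""
{"kind": "Role", "metadata": {"name": "data-scientist", "namespace": "example-ns"},
 "rules": [
  {"apiGroups": ["kubeflow.org"], "resources": ["notebooks"], "verbs": ["create","get","list","delete"]},
  {"apiGroups": ["pipelines.kubeflow.org"], "resources": ["pipelines","runs"], "verbs": ["get","list","create","delete"]},
  {"apiGroups": ["kubeflow.org"], "resources": ["tfjobs"], "verbs": ["get","list"]}
 ]}
""")
print(audit(SAMPLE))
```

An empty result for both lists means the role matches the intended policy; anything in the first list is a permission to remove before the role is bound to a user.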


