3

I have followed the steps in Kubernetes Engine for Kubeflow.

The deployment went fine and all pods/services are up, including the endpoint at https://<name>.endpoints.<project>.cloud.goog/, with the correct <name> and <project> of course.

When I went to the above url, I was redirected to a "Sign in with Google" page. I assumed that OAuth was also configured correctly.

However, after signing in, I was shown an Access Denied page below.

Is there another way to provide access? I thought it was handled by OAuth.

Access Denied

sdcbr
  • 7,021
  • 3
  • 27
  • 44
Azmi Kamis
  • 891
  • 5
  • 20
  • I would recommend trying to sign in via incognito window and see if this works. Also please ensure that the oauth credentials are configured properly as shown in this [link](https://www.kubeflow.org/docs/started/getting-started-gke/). – Patrick W Dec 10 '18 at 18:28
  • Please make sure to use to sign in to Kubeflow browser using a GCP account with admin privileges for your GCP project as stated in the [tutorial](https://www.kubeflow.org/docs/started/getting-started-gke/). – Patrick W Dec 10 '18 at 18:28
  • I forgot to mention that I was following "Deploy Kubeflow on GKE using the command line". Your 2nd comment was for "Deploy Kubeflow on GKE using the UI" which I tried and it works. I must have missed a step and I suspect it is related to IAP. – Azmi Kamis Dec 11 '18 at 02:21

1 Answers1

3

The deployment created by kfctl.sh in "Deploy Kubeflow on GKE using the command line" also creates a load balancer resource for the ingress into the cluster and secures it using Cloud Identity-Aware Proxy (IAP).

To allow access to the resource for new users, go to:

Google Cloud Console > IAM & Admin > Identity-Aware Proxy

Select the desired resource and click "Add Member".

Fill in the user in the "Access Denied" page and select "Cloud IAP > IAP-Secured Web App User" for role.

Once the policy change is propagated, the user will be able to access the URL successfully.

Azmi Kamis
  • 891
  • 5
  • 20