Environment: Kubeflow Istio Certmanager Dex Environment
| Knowledge Sources | |
|---|---|
| Domains | Infrastructure, Service_Mesh, Security, Authentication |
| Last Updated | 2026-02-13 00:00 GMT |
Overview
Core infrastructure environment providing Istio (service mesh), cert-manager (TLS automation), and Dex (OIDC authentication) for the Kubeflow platform.
Description
This environment defines the infrastructure services that must be running inside the Kubernetes cluster before Kubeflow application components can be deployed. Istio provides the service mesh, ingress gateway, and mTLS between services. cert-manager automates TLS certificate issuance and renewal. Dex provides the OIDC identity provider for Kubeflow multi-user authentication. These services are deployed via kustomize overlays from the kubeflow/manifests repository.
Starting with Kubeflow 1.10, the Istio deployment uses the istio-cni plugin instead of the istio-init container for compatibility with Kubernetes PodSecurityStandards. This is a breaking change from earlier releases.
Usage
Use this environment after the Kubernetes cluster is provisioned and CLI tools are validated. This is the second phase of the Platform Deployment workflow. All Kubeflow application components (Notebooks, Pipelines, Trainer, Katib, KServe, Model Registry, Dashboard) depend on these infrastructure services being healthy.
System Requirements
| Category | Requirement | Notes |
|---|---|---|
| Kubernetes Cluster | >= 1.25 | Must be operational before installing these services |
| Istio | 1.22+ | Deployed via kubeflow/manifests kustomize overlays |
| cert-manager | 1.12+ | Deployed via kubeflow/manifests kustomize overlays |
| Dex | 2.36+ | OIDC provider deployed in the auth namespace |
| Namespaces | istio-system, cert-manager, auth | Created automatically by the kustomize overlays |
| Network | Ingress gateway | LoadBalancer or NodePort for external access |
Dependencies
Cluster Services
- Istio control plane (istiod) in istio-system namespace
- Istio ingress gateway (istio-ingressgateway) in istio-system namespace
- Istio CNI plugin (for PodSecurityStandards compliance, Kubeflow 1.10+)
- cert-manager controller, webhook, and cainjector in cert-manager namespace
- Dex OIDC provider in auth namespace
Kustomize Overlays
- common/cert-manager/cert-manager/base
- common/istio-1-22/istio-crds/base
- common/istio-1-22/istio-namespace/base
- common/istio-1-22/istio-install/overlays/helm
- common/dex/overlays/istio
Credentials
The following credentials must be configured:
- DEX_CLIENT_ID: OAuth2 client ID for Kubeflow (default: kubeflow-oidc-authservice)
- DEX_CLIENT_SECRET: OAuth2 client secret for the OIDC client
- DEX_ISSUER_URL: The OIDC issuer URL (e.g., http://dex.auth.svc.cluster.local:5556/dex)
- Static user password: Default Dex static user credentials configured in the Dex ConfigMap (change from defaults in production)
Quick Install
```bash
# Clone manifests repository
git clone https://github.com/kubeflow/manifests.git && cd manifests
# Deploy cert-manager
kustomize build common/cert-manager/cert-manager/base | kubectl apply -f -
kubectl wait --for=condition=ready pod -l app=cert-manager -n cert-manager --timeout=180s
# Deploy Istio
kustomize build common/istio-1-22/istio-crds/base | kubectl apply -f -
kustomize build common/istio-1-22/istio-namespace/base | kubectl apply -f -
kustomize build common/istio-1-22/istio-install/overlays/helm | kubectl apply -f -
kubectl wait --for=condition=ready pod -l app=istiod -n istio-system --timeout=300s
# Deploy Dex
kustomize build common/dex/overlays/istio | kubectl apply -f -
kubectl wait --for=condition=ready pod -l app=dex -n auth --timeout=180s
```
Code Evidence
Sequential deployment with health checks from Istio_Certmanager_Dex_Setup implementation:
```bash
# Phase 1: Deploy cert-manager
kustomize build common/cert-manager/cert-manager/base | kubectl apply -f -
kubectl wait --for=condition=ready pod -l app=cert-manager -n cert-manager --timeout=180s
# Phase 2: Deploy Istio CRDs, namespace, and control plane
kustomize build common/istio-1-22/istio-crds/base | kubectl apply -f -
kustomize build common/istio-1-22/istio-namespace/base | kubectl apply -f -
kustomize build common/istio-1-22/istio-install/overlays/helm | kubectl apply -f -
# Phase 3: Deploy Dex OIDC provider
kustomize build common/dex/overlays/istio | kubectl apply -f -
```
Istio CNI migration from ROADMAP.md:L33:
* Switch from Istio to Istio-cni and enable Pod Security standards
OIDC authentication requirement from ROADMAP.md (v0.6 section):
* ISTIO used as the service mesh
* Dex provides a reference implementation for AuthN
Common Errors
| Error Message | Cause | Solution |
|---|---|---|
| cert-manager webhook not ready | cert-manager pods not fully started | Wait for cert-manager pods: kubectl wait --for=condition=ready pod -l app=cert-manager -n cert-manager --timeout=180s |
| no matching resources found (Istio CRDs) | Istio CRDs not applied before Istio install | Apply the Istio CRDs first: kustomize build common/istio-1-22/istio-crds/base \| kubectl apply -f - |
| Dex: failed to connect to issuer | Dex not running or misconfigured issuer URL | Verify Dex pod: kubectl get pods -n auth and check the Dex ConfigMap |
| PodSecurityPolicy not found | Using old Istio config on Kubernetes 1.25+ | Use the istio-cni overlay and Kubeflow 1.10+ manifests |
Compatibility Notes
- Istio versions: Kubeflow manifests pin Istio to a specific minor version (e.g., 1.22). Do not use a different Istio version unless the manifests have been updated to match.
- Istio CNI vs init: Kubeflow 1.10+ uses istio-cni for PodSecurityStandards compliance. Older Kubeflow versions use the istio-init container which requires privileged permissions.
- External identity providers: Dex can be configured to federate with external OIDC providers (Google, GitHub, LDAP). The default configuration uses static users for development.
- ISTIO requirement: Istio has been required since Kubeflow 1.0 (ROADMAP.md: "ISTIO will be required as a service mesh and for AuthN and AuthZ support").
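Two post-install checks for the notes above (the istio-cni migration and the development-only static Dex users), written as an added example and not taken from kubeflow/manifests. It assumes the Dex ConfigMap is named dex in the auth namespace with its config under the key config.yaml, that static clients use secretEnv rather than an inline secret, and that istio-cni-injected pods carry an istio-validation init container where istio-init used to be; the sample config at the end is constructed.

```shell
#!/bin/sh
# Added example; assumptions (ConfigMap name/key, init container names) are
# stated in the lead-in and are not taken from the page.

# dex_config_audit: read a Dex config.yaml on stdin, print each production-unsafe
# setting found, and return the number of findings (0 = clean). Typical use:
#   kubectl get cm dex -n auth -o jsonpath='{.data.config\.yaml}' | dex_config_audit
dex_config_audit() {
  cfg=$(cat)
  n=0
  # Static users from the development overlay must not survive into production.
  if printf '%s\n' "$cfg" | grep -qE '^[[:space:]]*staticPasswords:'; then
    echo "FINDING: staticPasswords block present (default development users)"; n=$((n + 1))
  fi
  if printf '%s\n' "$cfg" | grep -qE '^[[:space:]]*enablePasswordDB:[[:space:]]*true'; then
    echo "FINDING: enablePasswordDB is true (local password login enabled)"; n=$((n + 1))
  fi
  # An inline "secret:" stores the OAuth2 client secret in the ConfigMap itself;
  # secretEnv (DEX_CLIENT_SECRET) reads it from a Kubernetes Secret instead.
  if printf '%s\n' "$cfg" | grep -qE '^[[:space:]]*(-[[:space:]]*)?secret:[[:space:]]*[^[:space:]]'; then
    echo "FINDING: inline client secret in config; use secretEnv instead"; n=$((n + 1))
  fi
  return "$n"
}

# istio_init_mode: given the init container names of a sidecar-injected pod
#   (kubectl get pod <pod> -n <ns> -o jsonpath='{.spec.initContainers[*].name}')
# print "init" if the pod still carries the privileged istio-init container
# (pre-1.10 manifests), "cni" if it uses the istio-cni path, or "none" if the
# pod was not injected at all.
istio_init_mode() {
  case " $* " in
    *" istio-init "*) echo init ;;
    *" istio-validation "*) echo cni ;;
    *) echo none ;;
  esac
}

# Constructed sample of a development-overlay config (not the real ConfigMap).
SAMPLE_DEV_CFG='issuer: http://dex.auth.svc.cluster.local:5556/dex
enablePasswordDB: true
staticPasswords:
- email: user@example.com
  hash: "<bcrypt-hash-placeholder>"
staticClients:
- idEnv: DEX_CLIENT_ID
  secretEnv: DEX_CLIENT_SECRET'
```

Running the sample through dex_config_audit yields two findings (static passwords and password DB enabled); the static client itself is clean because it uses secretEnv.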