Implementation:Kubeflow Kubeflow Profile CRD RBAC Setup
| Knowledge Sources | |
|---|---|
| Domains | Kubeflow, Platform Deployment, Multi-Tenancy, RBAC |
| Last Updated | 2026-02-13 00:00 GMT |
Overview
Concrete tool for configuring multi-tenant namespaces and RBAC isolation, using the Kubeflow Profile Controller and kubectl.
Description
This implementation uses the Profile CRD to create per-user namespaces with RBAC isolation. The Profile Controller (deployed as part of the Kubeflow component deployment step) watches for Profile custom resources and automatically provisions namespaces, creates RoleBindings, and configures Istio AuthorizationPolicies. Administrators create Profile YAML manifests and apply them with kubectl, or enable self-serve mode so users can create their own namespaces through the Central Dashboard.
Usage
Use this implementation after all Kubeflow components and the Profile Controller have been deployed and verified. Profiles should be created for each user or team that needs access to the Kubeflow platform.
Code Reference
Source Location
- Repository: kubeflow/dashboard
- File: apps/profiles/upstream/
Signature
```bash
# Create a Profile custom resource
kubectl apply -f profile.yaml

# Profile Controller reconciles automatically, creating:
# - Namespace matching the Profile name
# - RoleBinding for the owner
# - Istio AuthorizationPolicy
```
Import
```bash
# The Profile Controller is deployed as part of Component Deployment.
# No additional import is needed. Verify it is running:
kubectl get pods -n kubeflow -l kustomize.component=profiles
```
I/O Contract
Inputs
| Name | Type | Required | Description |
|---|---|---|---|
| Profile.metadata.name | string | Yes | Name of the Profile (becomes the namespace name) |
| Profile.spec.owner.kind | string | Yes | Always set to "User" |
| Profile.spec.owner.name | string | Yes | OIDC email of the profile owner (e.g., user@example.com) |
| Profile.spec.resourceQuotaSpec | object | No | Optional resource quotas for CPU, memory, and GPU limits |
| Contributors | list | No | Additional users granted access to the namespace |
| Self-serve mode | boolean | No | Whether users can create their own Profiles via the Dashboard UI |
Outputs
| Name | Type | Description |
|---|---|---|
| Kubernetes namespace | namespace | Dedicated namespace matching the Profile name |
| Owner RoleBinding | RoleBinding | Grants kubeflow-edit ClusterRole to the profile owner in the namespace |
| Istio AuthorizationPolicy | AuthorizationPolicy | Enforces OIDC-based access control for the namespace |
| ServiceAccount | ServiceAccount | Default service account in the namespace for running workloads |
| Central Dashboard access | UI | The namespace appears in the Central Dashboard namespace selector for the owner |
Usage Examples
Basic Usage
```bash
# Create a Profile YAML file for a user
cat > profile-alice.yaml << 'PROFILE_EOF'
apiVersion: kubeflow.org/v1
kind: Profile
metadata:
  name: alice-workspace
spec:
  owner:
    kind: User
    name: alice@example.com
  resourceQuotaSpec:
    hard:
      cpu: "8"
      memory: "16Gi"
      # Extended resources are quota'd with the requests. prefix
      requests.nvidia.com/gpu: "1"
PROFILE_EOF

# Apply the Profile
kubectl apply -f profile-alice.yaml

# Verify the namespace was created
kubectl get namespace alice-workspace

# Verify the RoleBinding was created
kubectl get rolebinding -n alice-workspace

# Verify the Profile status
kubectl get profile alice-workspace -o yaml

# Add a contributor to an existing Profile
cat > profile-alice-updated.yaml << 'PROFILE_EOF'
apiVersion: kubeflow.org/v1
kind: Profile
metadata:
  name: alice-workspace
spec:
  owner:
    kind: User
    name: alice@example.com
  contributors:
  - kind: User
    name: bob@example.com
  resourceQuotaSpec:
    hard:
      cpu: "8"
      memory: "16Gi"
      # Extended resources are quota'd with the requests. prefix
      requests.nvidia.com/gpu: "1"
PROFILE_EOF
kubectl apply -f profile-alice-updated.yaml

# List all Profiles in the cluster
kubectl get profiles

# Enable self-serve mode (configure in the Central Dashboard ConfigMap)
kubectl edit configmap centraldashboard-config -n kubeflow
# Set CD_REGISTRATION_FLOW=true to enable self-serve namespace creation
```
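
The input contract above can be checked across every tenant at once. The following is an added example, not code from the Kubeflow project: it audits the JSON produced by `kubectl get profiles -o json` against the fields in the Inputs table. The function names and sample Profiles are constructed for illustration, and treating a missing quota as a finding is a hardening choice of this example rather than a Kubeflow requirement.

```python
import json
import re

# The Profile name becomes the namespace name, so it must be a DNS-1123 label.
DNS_LABEL = re.compile(r"[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?")
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def audit_profile(profile):
    """Return findings for one Profile object (dict parsed from JSON)."""
    findings = []
    name = (profile.get("metadata") or {}).get("name") or ""
    spec = profile.get("spec") or {}
    owner = spec.get("owner") or {}
    if not DNS_LABEL.fullmatch(name):
        findings.append("name is not a valid namespace name")
    if owner.get("kind") != "User":
        findings.append("owner.kind must be 'User'")
    if not EMAIL.fullmatch(owner.get("name") or ""):
        findings.append("owner.name is not an email-style identity")
    hard = (spec.get("resourceQuotaSpec") or {}).get("hard") or {}
    if not hard:
        findings.append("no resourceQuotaSpec.hard: tenant is unbounded")
    for key in hard:
        # Extended resources (vendor-domain/name) are quota'd only as
        # requests.<name>; skip count/ and per-StorageClass quota keys.
        if ("/" in key and not key.startswith(("requests.", "count/"))
                and ".storageclass.storage.k8s.io/" not in key):
            findings.append(f"quota key '{key}' needs the 'requests.' prefix")
    return findings

def audit_profiles(profile_list_json):
    """Audit `kubectl get profiles -o json` output: {name: [findings]}."""
    items = json.loads(profile_list_json).get("items", [])
    report = {i["metadata"]["name"]: audit_profile(i) for i in items}
    return {name: f for name, f in report.items() if f}

def _profile(name, kind, owner, hard):  # builds constructed sample data only
    return {"metadata": {"name": name}, "spec": {
        "owner": {"kind": kind, "name": owner},
        "resourceQuotaSpec": {"hard": hard}}}

# Constructed sample, not output from a real cluster.
SAMPLE = json.dumps({"items": [
    _profile("alice-workspace", "User", "alice@example.com",
             {"cpu": "8", "memory": "16Gi", "requests.nvidia.com/gpu": "1"}),
    _profile("Bob_Team", "Group", "bob", {}),
    _profile("carol-ws", "User", "carol@example.com", {"nvidia.com/gpu": "1"}),
]})
```

On a live cluster, pass the output of `kubectl get profiles -o json` to `audit_profiles` in place of `SAMPLE`.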