App Level Authentication

Configure App Level Authentication for Seldon Deploy

Seldon Deploy can be set up with app-level authentication against an OIDC provider. This is particularly useful when gateway-level authentication is not set up for the Kubernetes cluster.

This feature is activated in the values file of the Seldon Deploy Helm chart: set the boolean enableAppAuth to "true" and provide the OIDC configuration as env variables to connect to an OIDC provider such as Keycloak or Dex.

# boolean to enable app-level auth (defaults to "false")
enableAppAuth: true

Add config / env variables

Before installing Deploy with the Helm chart, add the OIDC configuration to the env section:

  OIDC_PROVIDER: ...     # oidc provider URL
  CLIENT_ID: ...         # oidc client ID
  CLIENT_SECRET: ...     # oidc client secret
  REDIRECT_URL: ...      # `${oidc_redirect_url}/seldon-deploy/auth/callback`
  OIDC_SCOPES: ...       # oidc scopes (defaults to "profile email groups")
  USERID_CLAIM_KEY: ...  # claim to be used as userid (defaults to "preferred_username")

Keycloak reference installation

The Keycloak reference installation is included with scripts under the following directory


However, customisation of the created users, passwords and tokens is highly recommended. Following the reference installation, these should be the configuration values:

  CLIENT_ID: "deploy-server"
  CLIENT_SECRET: "deploy-secret"
  OIDC_PROVIDER: "http://${YOUR_INGRESS}/auth/realms/deploy-realm"
  REDIRECT_URL: "http://${YOUR_INGRESS}/seldon-deploy/auth/callback"

With Istio, the ingress address may be obtained with:

ISTIO_INGRESS=$(kubectl get svc -n istio-system istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
ISTIO_INGRESS+=$(kubectl get svc -n istio-system istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
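
A pre-flight check for the OIDC values above, as an added example that is not part of Seldon Deploy or of the original page. The helper name `check_oidc_config` is hypothetical; it flags the published reference secret, an unexpanded `${YOUR_INGRESS}` placeholder, a wrong callback path and, as an assumption of this example, plain-http URLs.

```shell
# Added example: pre-flight check for the OIDC values before `helm install`.
# check_oidc_config is a hypothetical helper, not part of Seldon Deploy.
# It reads the variables from the environment, prints one line per finding
# to stderr and exits with the number of findings (0 = nothing to fix).
check_oidc_config() (
  findings=0
  report() { echo "FINDING: $1" >&2; findings=$((findings + 1)); }

  # Required keys; OIDC_SCOPES and USERID_CLAIM_KEY have documented defaults.
  for name in OIDC_PROVIDER CLIENT_ID CLIENT_SECRET REDIRECT_URL; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || report "$name is empty or unset"
  done

  # The reference installation's client secret is published in the docs.
  [ "${CLIENT_SECRET:-}" != "deploy-secret" ] ||
    report "CLIENT_SECRET is still the reference value"

  for name in OIDC_PROVIDER REDIRECT_URL; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || continue
    case $value in
      *'${'*) report "$name contains an unexpanded placeholder" ;;
    esac
    # Assumption of this example: plain http is flagged, because the
    # authorization code and tokens would cross the ingress unencrypted.
    case $value in
      https://*) ;;
      *) report "$name does not use https" ;;
    esac
  done

  # The page gives the callback path as /seldon-deploy/auth/callback.
  case ${REDIRECT_URL:-} in
    ''|*/seldon-deploy/auth/callback) ;;
    *) report "REDIRECT_URL must end in /seldon-deploy/auth/callback" ;;
  esac

  exit "$findings"
)

# Sample input: the reference values from this page, left unmodified.
CLIENT_ID="deploy-server"
CLIENT_SECRET="deploy-secret"
OIDC_PROVIDER='http://${YOUR_INGRESS}/auth/realms/deploy-realm'
REDIRECT_URL='http://${YOUR_INGRESS}/seldon-deploy/auth/callback'
check_oidc_config || echo "$? finding(s) to fix before helm install"
```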

Last modified September 14, 2020: add kfserving installation instructions (a73fd87)