Managing users and namespaces


Cake manages user access by building on Kubeflow Profiles. A profile corresponds to a Kubernetes namespace and has a corresponding AWS IAM role or GCP Service Account that can be assigned additional permissions and resources. Because changes to profiles have security implications, profiles are managed through GitOps.

A profile is either private or shared:

  • private profiles belong to one user

  • shared profiles are typically used as deployment environments and can be accessed by multiple users

In the future, Cake will offer a convenient self-serve UI to manage profiles and namespaces.

Setup

Cake uses cookiecutter to generate Kubernetes manifests from a single YAML configuration file for the entire deployment of the Cake platform. The script is written in Python. We recommend setting up a fresh virtual environment to run the script locally.

cd /path/to/your/ops/repo
pip install -r platform/scripts/gen_deploy/requirements.in

You can test that your environment is set up correctly by running the script that rebuilds all existing deployments using the cookiecutter template. If you have not made any changes directly in the generated files, we expect this operation to be a no-op:

platform/scripts/reconcile_existing_deploys.sh

Creating new deploy namespaces

Deploy namespaces are shared Kubeflow profiles. Creating a new deployment involves quite a few steps.

  1. Edit the gen_deploy vars file corresponding to your deployment of Cake:

    $EDITOR platform/scripts/gen_deploy/vars/<environment>-<region>.yaml
    

    Look for a list under users and deploy_namespaces and add a new name. To grant existing users access to the namespace, add the same name to each of those users under users.users[].allowed_namespaces.

  2. After editing the config, run the reconcile script to regenerate the deployment:

    platform/scripts/reconcile_existing_deploys.sh
    
  3. Commit all of these changes to a branch, and open a pull request/merge request.

    git switch -c new-deploy-namespace
    git add -A
    git commit
    git push -u
    
  4. Once your PR is approved and merged, log into ArgoCD and sync the user-namespace app, or ask your Cake support engineer to sync it. It may take a few tries to sync, since some resources depend on the namespace existing first and will fail on the first try.

Adding new users

Adding new users is similar to Creating new deploy namespaces, except instead of editing users.deployments we edit users.users. Here are some general guidelines:

  • Ensure the email matches the value returned by your identity provider. This field is case sensitive.

  • Follow existing conventions for username.

  • For roles, consider the following:

    • cake-admin can manage deploy namespaces and users

    • cake-user can simply use the Cake platform within any assigned apps and namespaces
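
Because every namespace and user change goes through a pull request, a reviewer benefits from seeing exactly what access the edited vars file grants. The following is an added example, not part of Cake or its gen_deploy script: it compares the base and PR versions of the parsed config and lists new namespaces, new users, newly granted roles and namespaces, and likely typos. The key layout (users.deploy_namespaces, users.users[] with email, roles, allowed_namespaces), the function name and the sample data are assumptions.

```python
# Added example, not Cake code. Assumed vars layout: users.deploy_namespaces is
# a list of names; users.users is a list of mappings with email, roles and
# allowed_namespaces. In practice, load both files with yaml.safe_load.
NS_KEY = "deploy_namespaces"  # the page also mentions users.deployments
KNOWN_ROLES = {"cake-admin", "cake-user"}


def access_changes(base, head):
    """List what the head config grants compared with base, plus warnings."""
    findings = []
    base_users = {u["email"]: u for u in base["users"].get("users", [])}
    declared = set(head["users"].get(NS_KEY, []))
    for ns in sorted(declared - set(base["users"].get(NS_KEY, []))):
        findings.append(f"NEW namespace {ns}")
    seen = {}  # lowercased email -> first spelling seen
    for user in head["users"].get("users", []):
        email = user["email"]
        old = base_users.get(email, {})
        if not old:
            findings.append(f"NEW user {email}")
        # email is case sensitive: a case-only variant is a different identity
        first = seen.setdefault(email.lower(), email)
        if first != email:
            findings.append(f"WARN {email} differs only by case from {first}")
        for role in sorted(set(user.get("roles", [])) - set(old.get("roles", []))):
            tag = "GRANT" if role in KNOWN_ROLES else "WARN unknown"
            findings.append(f"{tag} role {role} to {email}")
        new_ns = set(user.get("allowed_namespaces", [])) - set(old.get("allowed_namespaces", []))
        for ns in sorted(new_ns):
            # "undeclared" means the name is not listed under NS_KEY
            tag = "GRANT" if ns in declared else "WARN undeclared"
            findings.append(f"{tag} namespace {ns} to {email}")
    return findings


# Constructed sample data standing in for the base-branch and PR versions.
BASE = {"users": {NS_KEY: ["staging"], "users": [
    {"email": "ana@example.com", "username": "ana", "roles": ["cake-user"],
     "allowed_namespaces": ["staging"]}]}}
HEAD = {"users": {NS_KEY: ["staging", "prod"], "users": [
    {"email": "ana@example.com", "username": "ana",
     "roles": ["cake-user", "cake-admin"], "allowed_namespaces": ["staging", "prod"]},
    {"email": "Ana@example.com", "username": "ana2", "roles": ["cake-user"],
     "allowed_namespaces": ["prd"]}]}}

if __name__ == "__main__":
    for line in access_changes(BASE, HEAD):
        print(line)
```

Any cake-admin grant or WARN line in the output is worth an explicit comment in the PR before it is approved and synced.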