For those of you familiar with Kubeflow you’ve probably worked with the form below. This is the screen you get when creating a custom Jupyter notebook server. Here you can dictate all the pieces of information required to deploy the jupyter notebook via Kubeflow.

In the documentation for Kubeflow notebooks step 12 discusses setting up customer configurations which would allow you to add volumes or Kubernetes secrets (DB creds, etc.) to your notebook before deploying it. This is great if you have credentials you’d like to keep safe while also allowing to access to DBs containing the information you need to perform your analysis.

The instructions discuss creating a PodDefault (similar to a Kubernetes PodPreset) which will allow for Kubeflow to inject the configuration variables into the Pod when it deploys. However I believe this explanation is a little light on the important details and I would like to elaborate a little more on how to get this setup correctly.

First thing to know is that these secrets / volumes and the PodDefault must be created in the namespace which will run the notebook server. For Kubeflow v1.0 you can isolate users into their own namespaces and this is the namespace which you must deploy these resources in order for the Jupyter web app to recognize them.

Image you have a Kubernetes secret like the one below:

apiVersion: v1
kind: Secret
metadata:
  name: kf-mysql-secret
  namespace: <user's namespace>
type: Opaque
stringData:
  mysql_user: "xxxx"
  mysql_password: "xxxx"
  mysql_host: "xxxx"
  mysql_port: "xxxx"

Now we need to create a PodDefault to go along with this Kubrenetes secret:

apiVersion: "kubeflow.org/v1alpha1"
kind: PodDefault
metadata:
  name: add-mysql-secret
  namespace: <user's namespace>
spec:
  selector:
    matchLabels:
      add-mysql-secret: "true"
  desc: "Adds creds for MySQL DB"
  env:
  - name: DB_USER
    valueFrom:
      secretKeyRef:
        name: kf-mysql-secret
        key: mysql_user
  - name: DB_PWD
    valueFrom:
      secretKeyRef:
        name: kf-mysql-secret
        key: mysql_password
  - name: DB_HOST
    valueFrom:
      secretKeyRef:
        name: kf-mysql-secret
        key: mysql_host
  - name: DB_PORT
    valueFrom:
      secretKeyRef:
        name: kf-mysql-secret
        key: mysql_port

The “matchLabels” above is how Kubeflow selects which Pods it will inject the DB creds into.

Now that we have a Secret and a PodDefault both created in the user’s namespace we next have to update the configmap for the Jupyter web app. We can do that using the command below:

kubectl edit configmap jupyter-web-app-config -n kubeflow

For linking up the PodDefaults you only have to modify the piece I have highlighted below. However there are a ton of other useful configurations here you might want to play around with as well.

Once you have updated the configmap be sure to restart the deployment with the following command:

kubectl rollout restart deployment jupyter-web-app-deployment -n kubeflow

And there you go! The configuration should now be there for you to select.