This section explains what credentials are and how to create and use them.
Credentials are workload assets that simplify the complexities of Kubernetes secrets. They consist of and mask sensitive access information, such as passwords, tokens, and access keys, which are necessary for gaining access to various resources.
Credentials are crucial for the security of AI workloads and the resources they require, as they restrict access to authorized users, verify identities, and ensure secure interactions. By enforcing the protection of sensitive data, credentials help organizations comply with industry regulations, fostering a secure environment overall.
Essentially, credentials enable AI practitioners to access relevant protected resources, such as private data sources and Docker images, thereby streamlining the workload submission process.
The Credentials table can be found under Workload manager in the NVIDIA Run:ai User interface.
The Credentials table provides a list of all the credentials defined in the platform and allows you to manage them.
The Credentials table comprises the following columns:
The name of the credential
A description of the credential
The type of credential, e.g., Docker registry
The different lifecycle phases and representation of the credential's condition
The scope of this compute resource within the organizational tree. Click the name of the scope to view the organizational tree diagram
The unique name of the credential's Kubernetes name as it appears in the cluster
The environment(s) that are associated with the credential
The private data source(s) that are accessed using the credential
The user who created the credential
The timestamp of when the credential were created
The cluster with which the credential are associated
The following table describes the credentials’ condition and whether they were created successfully for the selected scope.
No issues were found while creating the credential (this status may change while propagating the credential to the selected scope)
Issues found while propagating the credential
Failed to access the cluster
Credential is being created
Credential is being deleted
When the credential's scope is an account, or the current version of the cluster is not up to date, the status cannot be displayed
Customizing the Table ViewFilter - Click ADD FILTER, select the column to filter by, and enter the filter values
Search - Click SEARCH and type the value to search by
Sort - Click each column header to sort by
Column selection - Click COLUMNS and select the columns to display in the table
Download table - Click MORE and then click ‘Download as CSV’. Export to CSV is limited to 20,000 rows.
Refresh - Click REFRESH to update the table with the latest data
Creating credentials is limited to specific roles.
To add a new credential:
Go to the Credentials table
Select the credential type from the list Follow the step-by-step guide for each credential type:
These credentials allow users to authenticate and pull images from a Docker registry, enabling access to containerized applications and services.
After creating the credential, it is used automatically when pulling images.
Enter a name for the credential. The name must be unique.
Optional: Provide a description of the credential
Set how the credential is created
Existing secret (in the cluster) This option applies when the purpose is to create the credential based on an existing secret
New secret (recommended) A new secret is created together with the credential. New secrets are not added to the list of existing secrets.
Enter the username, password, and Docker registry URL
After the credential is created, check the status to monitor proper creation across the selected scope.
Access keyThese credentials are unique identifiers used to authenticate and authorize access to cloud services or APIs, ensuring secure communication between applications. They typically consist of two parts:
The purpose of this credential type is to allow access to restricted data.
Enter a name for the credential. The name must be unique.
Optional: Provide a description of the credential
Set how the credential is created
Existing secret (in the cluster) This option applies when the purpose is to create the credential based on an existing secret
New secret (recommended) A new secret is created together with the credential. New secrets are not added to the list of existing secrets.
Enter the Access key and Access secret
After the credential is created, check the status to monitor proper creation across the selected scope.
Username & passwordThese credentials require a username and corresponding password to access various resources, ensuring that only authorized users can log in.
The purpose of this credential type is to allow access to restricted data.
Enter a name for the credential. The name must be unique.
Optional: Provide a description of the credential
Set how the credential is created
Existing secret (in the cluster) This option applies when the purpose is to create the credential based on an existing secret
New secret (recommended) A new secret is created together with the credential. New secrets are not added to the list of existing secrets.
Enter the username and password
After the credential is created, check the status to monitor proper creation across the selected scope.
Generic secretThese credentials are a flexible option that consists of multiple keys & values and can store various sensitive information, such as API keys or configuration data, to be used securely within applications.
The purpose of this credential type is to allow access to restricted data.
Enter a name for the credential. The name must be unique.
Optional: Provide a description of the credential
Set how the credential is created
Existing secret (in the cluster) This option applies when the purpose is to create the credential based on an existing secret
New secret (recommended) A new secret is created together with the credential. New secrets are not added to the list of existing secrets.
Click +KEY & VALUE - to add key/value pairs to store in the new secret
To rename a credential:
Select the credential from the table
Click Rename to edit its name and description
To delete a credential:
Select the credential you want to delete
In the dialog, click DELETE to confirm
Note
Credentials cannot be deleted if they are being used by a workload and template.
You can use credentials (secrets) in various ways within the system
Access Private Data SourcesTo access private data sources, attach credentials to data sources of the following types: Git, S3 Bucket
Use Directly Within the ContainerTo use the secret directly from within the container, you can choose between the following options
Get the secret mounted to the file system by using the Generic secret data source
Get the secret as an environment variable injected into the container. There are two equivalent ways to inject the environment variable.
a. By adding it to the Environment asset. b. By adding it ad-hoc as part of the workload.
Add secrets in advance to be used when creating credentials via the NVIDIA Run:ai UI. Follow the steps below for each required scope:
Create the secret in the NVIDIA Run:ai namespace (runai)
To authorize NVIDIA Run:ai to use the secret, label it: run.ai/cluster-wide: "true"
Label the secret with the correct credential type:
Docker registry - run.ai/resource: "docker-registry"
Access key - run.ai/resource: "access-key"
Username and password - run.ai/resource: "password"
Generic secret - run.ai/resource: "generic"
The secret is now displayed for that scope in the list of existing secrets.
Create the secret in the NVIDIA Run:ai namespace (runai)
To authorize NVIDIA Run:ai to use the secret, label it: run.ai/department: "<department_id>"
Label the secret with the correct credential type:
Docker registry - run.ai/resource: "docker-registry"
Access key - run.ai/resource: "access-key"
Username and password - run.ai/resource: "password"
Generic secret - run.ai/resource: "generic"
The secret is now displayed for that scope in the list of existing secrets.
Create the secret in the project’s namespace
Label the secret with the correct credential type:
Docker registry - run.ai/resource: "docker-registry"
Access key - run.ai/resource: "access-key"
Username and password - run.ai/resource: "password"
Generic secret - run.ai/resource: "generic"
To view the available actions, go to the Credentials API reference
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4