
MinIO Administration⚓︎

MinIO uses policy-based access control (PBAC) for buckets and objects. All other parts of the platform use role-based access control (RBAC) for their resources, so each MinIO policy must be linked to a role.

For administration, use the MinIO web UI accessible under https://<your-domain>/minio or via the link in the sidebar of the Kubeflow central dashboard.

Log in to MinIO using the Single Sign-On (SSO) of your prokube platform. Make sure to log in as a member of the pk-admin group to be able to administer MinIO. Follow the User Management section if you need to grant these privileges to a new user.

MinIO Login Page

Create Bucket⚓︎

Warning

Services like Kubeflow Pipelines and Jupyter Notebooks only have access to the buckets created by default. Users might have more privileges than these services. If you want to grant these services additional privileges, you have to create a new service account and replace the s3creds in the profile namespace with the updated access tokens.

In the menu on the left you can find the Buckets tab. This is the place where you can manage all MinIO buckets. Click on the Create Bucket button in the top right corner.

MinIO Create Bucket

It is advisable to choose a descriptive name and to only create buckets with sensible resource quotas. Quotas make disaster recovery easier once the storage is full. There are a number of measures in place to prevent this, such as alerting and monitoring; nevertheless it is a good precaution to take.

Create Policy⚓︎

MinIO uses policies to manage fine-grained permissions on objects and buckets. For a deeper look into MinIO's access management take a look at the official documentation.

  • Open the Policy tab and click on the Create Policy button.
  • Give the policy a descriptive name. Since the realm role has to have the same name, it is recommended to use a prefix indicating that this role is bound to a MinIO bucket. Consider using s3: as the prefix.
  • Write your policy and create it.

As an example, this policy gives read/write access to all objects in the example-bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteBucket",
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::example-bucket"
            ]
        },
        {
            "Sid": "ReadWriteObjects",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::example-bucket/*"
            ]
        }
    ]
}

Grant Access to Bucket⚓︎

To give a user access to a bucket we need to do two things:

  1. Create a policy that grants the required privileges.
  2. Create a realm role in Keycloak and assign it to the User or Group that is supposed to have access. The realm role must have the same name as the policy.
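The following Python snippet is an added example (not part of the prokube documentation or of MinIO's or Keycloak's code) that ties the Create Policy and Grant Access steps together: it generates a policy with the same shape as the example above for any bucket name, lints it against the conventions stated on this page (the s3: name prefix, resources scoped to exactly one bucket, no wildcard actions), and derives the Keycloak realm role that must carry the identical name. Note that the example policy above also includes s3:DeleteBucket, which lets the holder delete the bucket itself rather than only its objects; in this generator that action is opt-in and the linter flags it. The policy name, the `BUCKET_ADMIN_ACTIONS` set and the assumption that the role is created through the Keycloak Admin REST API (the web console works just as well) are the example's own choices.

```python
"""Build and lint a MinIO bucket policy, then derive the matching Keycloak realm role.
Added example; the naming convention and policy layout follow the prokube docs,
everything else is an assumption of this snippet."""
import json

# Convention from the docs: policy and realm role share one name, prefixed with "s3:".
POLICY_PREFIX = "s3:"
# Bucket-level actions a plain read/write policy should not carry unless intended
# (set chosen for this example; extend it to match your own review rules).
BUCKET_ADMIN_ACTIONS = {"s3:DeleteBucket", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy"}


def read_write_policy(bucket: str, allow_delete_bucket: bool = False) -> dict:
    """Policy document with the same two statements as the docs' example,
    scoped to exactly one bucket. s3:DeleteBucket is only added on request."""
    bucket_actions = ["s3:GetBucketLocation", "s3:ListBucket"]
    if allow_delete_bucket:
        bucket_actions.insert(0, "s3:DeleteBucket")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadWriteBuckets", "Effect": "Allow",
             "Action": bucket_actions,
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Sid": "ReadWriteObjects", "Effect": "Allow",
             "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def lint_policy(name: str, policy: dict, bucket: str) -> list:
    """Return a list of findings; an empty list means the policy passes review."""
    findings = []
    if not name.startswith(POLICY_PREFIX):
        findings.append(f"policy name {name!r} lacks the {POLICY_PREFIX!r} prefix")
    if policy.get("Version") != "2012-10-17":
        findings.append("unexpected or missing Version")
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not reviewed here
        for res in stmt.get("Resource", []):
            if res not in allowed:
                findings.append(f"{sid}: resource {res!r} is not scoped to bucket {bucket!r}")
        for action in stmt.get("Action", []):
            if action in ("*", "s3:*"):
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action in BUCKET_ADMIN_ACTIONS:
                findings.append(f"{sid}: bucket-level admin action {action!r}")
    return findings


def realm_role_for(policy_name: str) -> dict:
    """Keycloak role representation, i.e. the JSON body you would POST to
    /admin/realms/{realm}/roles (assumed workflow). The name must equal the
    MinIO policy name, otherwise the platform cannot link role and policy."""
    return {"name": policy_name, "description": f"Grants MinIO policy {policy_name}"}


if __name__ == "__main__":
    policy = read_write_policy("example-bucket")
    name = POLICY_PREFIX + "example-bucket-rw"
    print(json.dumps(policy, indent=4))
    print("findings:", lint_policy(name, policy, "example-bucket"))
    print("realm role:", json.dumps(realm_role_for(name)))
```

Run the linter on every policy before creating it in the Policy tab; then create the realm role from `realm_role_for(...)` and assign it to the user or group. Because the role name is the only link between Keycloak and MinIO, a typo in either place silently grants nothing, which is why the snippet derives the role from the policy name rather than typing it twice.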

Lifecycle rules⚓︎

MinIO supports different kinds of lifecycle rules to manage your objects. For example, you can set up rules that automatically delete old objects using Object Expiration. This is helpful for automatically deleting artifacts from pipeline runs that are older than a certain age.
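As an added example (not code from the prokube documentation or from MinIO), the snippet below builds an Object Expiration rule in the S3 lifecycle-configuration XML format that MinIO accepts, and previews which objects the rule would remove from a constructed set of pipeline artifacts. The rule id, the `pipelines/` prefix, the 30-day retention and the sample object listing are the example's own assumptions; the preview treats an object as expired once its last-modified time is at least `days` days in the past, which approximates when MinIO's scanner will act on it rather than giving an exact deletion time.

```python
"""Build an Object Expiration lifecycle rule and preview its effect.
Added example; rule id, prefix, retention and the sample objects are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone


def expiration_rule_xml(rule_id: str, prefix: str, days: int) -> str:
    """S3-style LifecycleConfiguration with a single Expiration rule, limited to
    objects under `prefix` so that other data in the bucket is untouched."""
    root = ET.Element("LifecycleConfiguration")
    rule = ET.SubElement(root, "Rule")
    ET.SubElement(rule, "ID").text = rule_id
    ET.SubElement(rule, "Status").text = "Enabled"
    ET.SubElement(ET.SubElement(rule, "Filter"), "Prefix").text = prefix
    ET.SubElement(ET.SubElement(rule, "Expiration"), "Days").text = str(days)
    return ET.tostring(root, encoding="unicode")


def parse_expiration(xml_text: str) -> tuple:
    """Read (prefix, days) back out of a configuration, e.g. to verify what
    was actually stored on the bucket matches what you intended."""
    root = ET.fromstring(xml_text)
    prefix = root.findtext("Rule/Filter/Prefix")
    days = int(root.findtext("Rule/Expiration/Days"))
    return prefix, days


def objects_to_expire(objects: dict, prefix: str, days: int, now: datetime) -> list:
    """Keys the rule would delete: under `prefix` and last modified at least
    `days` days before `now`. Assumption: MinIO applies the rule on the next
    scanner pass after the threshold is crossed, so this is a preview."""
    cutoff = now - timedelta(days=days)
    return sorted(key for key, modified in objects.items()
                  if key.startswith(prefix) and modified <= cutoff)


# Constructed sample listing: pipeline artifacts of different ages plus one
# object outside the prefix that the rule must leave alone.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_OBJECTS = {
    "pipelines/run-001/model.pkl": NOW - timedelta(days=45),
    "pipelines/run-002/model.pkl": NOW - timedelta(days=30),
    "pipelines/run-003/model.pkl": NOW - timedelta(days=10),
    "datasets/train.csv": NOW - timedelta(days=400),
}

if __name__ == "__main__":
    xml_text = expiration_rule_xml("expire-pipeline-artifacts", "pipelines/", 30)
    print(xml_text)
    print("would expire:", objects_to_expire(SAMPLE_OBJECTS, "pipelines/", 30, NOW))
```

Running the preview against a real bucket listing before enabling the rule is a cheap check that the prefix is tight enough: an over-broad prefix would also expire datasets or models that are still in use.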