Clarified port forwarding and auth for GCP (#1083)

* Clarifies port forwarding and auth for GCP.

* Fixed formatting.

* Addressed review comments.

Author: sarahmaddox

content/docs/gke/deploy/deploy-cli.md

@@ -148,8 +148,6 @@ Follow these steps to deploy Kubeflow:
      [Cloud DNS](https://cloud.google.com/dns/docs/)
      then you can configure this process to be much faster.
      See [kubeflow/kubeflow#731](https://github.com/kubeflow/kubeflow/issues/731).
-   * While you wait you can access Kubeflow services by using `kubectl proxy` 
-     and `kubectl port-forward` to connect to services in the cluster.
 
 1. We recommend that you check in the contents of your **${KFAPP}** directory
   into source control.

content/docs/gke/deploy/deploy-ui.md

@@ -32,11 +32,7 @@ Follow these steps to open the deployment UI and deploy Kubeflow on GCP:
 
     * **Project:** Enter your GCP project ID.
     * **Deployment name:** Enter a short name that you can use to recognize this 
-      deployment of Kubeflow. If you plan to use [Cloud Identity-Aware Proxy
-      (Cloud IAP)](https://cloud.google.com/iap/docs/) for access control (see
-      the next option below), make sure you use the same deployment name 
-      on the deployment UI and when [creating the OAuth 
-      client ID](/docs/gke/deploy/oauth-setup/).
+      deployment of Kubeflow.
       The maximum length for the deployment name is 25 characters.
     * **Choose how to connect to Kubeflow:** You can choose one of the
       following options:
@@ -49,9 +45,9 @@ Follow these steps to open the deployment UI and deploy Kubeflow on GCP:
       * **Login with Username Password:** Choose this option if you want to
         allow users to access Kubeflow with a username and password, that is,
         with basic authentication. See more details [below](#basic-auth).
-      * **Setup Endpoint later:** Choose this option if you want to skip
-        the authentication process and set up the URI for the Kubeflow UI later.
-        See more details [below](#later-auth).
+      * **Setup Endpoint later:** *(Not recommended.)* Choose this option if you 
+        want to skip the authentication process and set up the URI for the 
+        Kubeflow UI later. See more details [below](#later-auth).
 
     * **GKE zone:** Enter the 
       [GCP zone](https://cloud.google.com/compute/docs/regions-zones/) in which 
@@ -120,16 +116,12 @@ password) to control access to Kubeflow.
 1. Click **Kubeflow Service Endpoint** to access your Kubeflow URI.
 
 <a id="later-auth"></a>
-## Setting up your endpoint later
+## Setting up your endpoint later (not recommended)
 
 You can choose to deploy Kubeflow without creating an endpoint for the Kubeflow
 service.
 
 1. Choose the **Setup Endpoint later** option on the Kubeflow deployment UI.
-1. Click **Port Forward** to set up port forwarding and access your Kubeflow 
-  cluster at `http://localhost:8080/`. For more information about port 
-  forwarding, see the guide to 
-  [accessing the Kubeflow UIs](/docs/other-guides/accessing-uis/).
 1. Finish the setup later by inserting your OAuth client into the
   Kubeflow cluster. Read more about 
   [customizing Kubeflow](/docs/gke/customizing-gke/) and

content/docs/gke/pipelines-tutorial.md

@@ -121,9 +121,7 @@ Set up the following environment variables for use throughout the tutorial:
 
 1. If you want a custom name for your Kubeflow deployment, set the 
    `DEPLOYMENT_NAME` environment variable. The deployment name must be 
-   **4-20 characters** in length. Note that the name must be the same 
-   as the one you use in later steps of this tutorial when configuring the 
-   **redirect URI** for the OAuth client credentials. If you don't set this 
+   **4-20 characters** in length. If you don't set this 
    environment variable, your deployment gets the default name of `kubeflow`:
 
     ```
@@ -212,11 +210,10 @@ Notes:
 
 * It can take 10-15 minutes for the URI to become available. Kubeflow needs
   to provision a signed SSL certificate and register a DNS name.
-    * If you own/manage the domain or a subdomain with [Cloud DNS][dns]
-      then you can configure this process to be much faster. See 
-      [kubeflow/kubeflow#731](https://github.com/kubeflow/kubeflow/issues/731).
-    * While you wait you can access Kubeflow services by using `kubectl proxy`
-      and `kubectl port-forward` to connect to services in the cluster.
+
+    If you own/manage the domain or a subdomain with [Cloud DNS][dns]
+    then you can configure this process to be much faster. See 
+    [kubeflow/kubeflow#731](https://github.com/kubeflow/kubeflow/issues/731).
 
 ### Create a Cloud Storage bucket
 

content/docs/gke/troubleshooting-gke.md

@@ -283,9 +283,6 @@ Events:
 
 ### Fixing the problem
 
-Note: You can ignore the error you have not enabled Cloud IAP for the cluster,
-that is, if you are connecting via a port-forward.
-
 If you have any redundant Kubeflow deployments, you can delete them using
 the [Deployment Manager](https://cloud.google.com/deployment-manager/docs/).
 

content/docs/other-guides/accessing-uis.md

@@ -7,17 +7,9 @@ weight = 1
 Kubeflow includes a number of web user interfaces (UIs). This document provides
 instructions on how to connect to them.
 
-To access the Kubeflow UI's you need to connect to the 
-[ISTIO gateway](https://istio.io/docs/concepts/traffic-management/#gateways) that 
-provides access to the Kubeflow 
-[service mesh](https://istio.io/docs/concepts/what-is-istio/#what-is-a-service-mesh).
-
-How you access the ISTIO gateway will vary depending on how you've configured it.
+## Overview of Kubeflow UIs
 
-
-## Accessing Kubeflow web UIs
-
-The Kubeflow web UIs include the following:
+The Kubeflow UIs include the following:
 
 * A central **Kubeflow** UI for navigation between the Kubeflow applications.
 * **Pipelines** for a Kubeflow Pipelines dashboard
@@ -36,6 +28,15 @@ The central UI dashboard looks like this:
   alt="Kubeflow central UI"
   class="mt-3 mb-3 border border-info rounded">
 
+## Overview of accessing the Kubeflow UIs
+
+To access the Kubeflow UIs, you need to connect to the 
+[Istio gateway](https://istio.io/docs/concepts/traffic-management/#gateways) that 
+provides access to the Kubeflow 
+[service mesh](https://istio.io/docs/concepts/what-is-istio/#what-is-a-service-mesh).
+
+How you access the Istio gateway varies depending on how you've configured it.
+
 ## URL pattern with Google Cloud Platform (GCP)
 
 If you followed the guide to [deploying Kubeflow on GCP](/docs/gke/deploy/), 
@@ -56,14 +57,22 @@ guide to
 ## Using kubectl and port-forwarding
 
 If you didn't configure Kubeflow to integrate with an identity provider and perform 
-any authorization then you can port-forward directly to the ISTIO gateway.
+any authorization then you can port-forward directly to the Istio gateway.
+
+Port-forwarding typically does not work if any of the following are true:
 
-Port-forwarding typically won't work if any of the following are true
+  * You've deployed Kubeflow on GCP using the 
+    [GCP deployment UI](/docs/gke/deploy/deploy-ui/) or the default settings 
+    with the [CLI deployment](/docs/gke/deploy/deploy-cli/). (If you want to
+    use port forwarding, you must deploy Kubeflow on an existing Kubernetes 
+    cluster using the [`kfctl_k8s_istio` 
+    configuration](/docs/started/k8s/kfctl-k8s-istio/).)
 
-  * you've configured the ISTIO ingress to only accept 
-HTTPS traffic on a specific domain or IP address
+  * You've configured the Istio ingress to only accept 
+    HTTPS traffic on a specific domain or IP address.
 
-  * you've configured the ISTIO ingress to perform an authorization check (e.g. using IAP or Dex)
+  * You've configured the Istio ingress to perform an authorization check 
+    (for example, using Cloud IAP or [Dex](https://github.com/dexidp/dex)).
 
 
 You can access Kubeflow via `kubectl` and port-forwarding as follows:
@@ -76,7 +85,7 @@ You can access Kubeflow via `kubectl` and port-forwarding as follows:
     installation guide](https://kubernetes.io/docs/tasks/tools/install-kubectl/).
 
 1. Use the following command to set up port forwarding to the
-  [ISTIO gateway](https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/).
+  [Istio gateway](https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/).
 
     {{% code-webui-port-forward %}}
 
@@ -86,8 +95,6 @@ You can access Kubeflow via `kubectl` and port-forwarding as follows:
     http://localhost:8080/
     ```
 
-  * Port-forwarding will not work if you're using basic authentication with GCP. 
-
   * Depending on how you've configured Kubeflow, not all UIs work behind 
     port-forwarding to the reverse proxy.