Do a Proof of Concept experiment for component isolation with istio to ensure our goal makes sense

[ca-scribner]

Context

We are working toward doing network isolation of Kubeflow components using an istio service mesh, where we put all charm pods onto the mesh and add a deny-all policy in the cluster. We should implement a POC of this setup manually on Charmed Kubeflow or some subset of it to prove our planned architecture works (mainly that we are controlling network traffic as needed, and that charms still function (can reach k8s api, etc)).

What needs to get done

1. deploy the simplest possible POC environment. Can be manually set up (eg: manually modify statefulsets to get sidecars), but should include a global deny-all, authorizationpolicies for necessary traffic, and istio deployed in the istio-system namespace
2. test that:
   i. charms can talk to k8s api (test a charm that creates a k8s object)
   i. charms can talk to each other (test adding a new relation)
   i. communication that shouldn't happen, doesnt (maybe ping from a pod off mesh, or relate a charm off mesh to one on mesh?)

Definition of Done

1. Testing is completed in an environment that is close enough to the goal to add confidence
2. any issues are documented to influence the design

[syncronize-issues-to-jira]

Thank you for reporting us your feedback!

The internal ticket has been created: https://warthogs.atlassian.net/browse/KF-5245.

This message was autogenerated