Update manifests to enable authorization check mechanisms for katib-UI in kubeflow mode #2041
Conversation
|
@kimwnasptd @andreyvelich @johnugeorge In this PR I introduce the required manifest changes only for the This would require additional Furthermore, in some cases we could apply narrower policies for hardening the security even more (e.g allow only As mentioned in #1983 (comment) and #1983 (comment) we need to test sidecar changes carefully. Should we outline a full list of requirements for this effort? |
apo-ger
force-pushed
the
feature-authz-kf-katib
branch
from
b46c954
to
3d2c9d4
Compare
apo-ger
changed the title
apo-ger
force-pushed
the
feature-authz-kf-katib
branch
2 times, most recently
from
699066e
to
4590203
Compare
|
@apo-ger We don't have a mechanism to test these changes. Did you test all workflows from Kubeflow dashboard? |
|
Hi @johnugeorge, apologies for the late reply.
Enabling Istio sicecar injection for all Katib components would require us to introduce appropriate
I have tested that the above |
|
Can you fix lint? Also, which rule is responsible for |
apo-ger
force-pushed
the
feature-authz-kf-katib
branch
from
4590203
to
a7a137f
Compare
apo-ger
force-pushed
the
feature-authz-kf-katib
branch
from
a7a137f
to
d4101cd
Compare
apo-ger
force-pushed
the
feature-authz-kf-katib
branch
2 times, most recently
from
0d793ad
to
0e86177
Compare
|
@apo-ger Please can we post-pone changes for other components ( E.g. When Early Stopping is enabled, early stopping container queries data from the Katib DB: https://github.com/kubeflow/katib/blob/master/pkg/earlystopping/v1beta1/medianstop/service.py#L151. |
|
@apo-ger Can you update with Katib-UI changes in this PR and take other changes in a separate PR? |
Changes to install-with-kubeflow manifests: * Enable istio sidecar injection for katib-ui component * Add AuthorizationPolicy to allow only istio-ingressgateway to talk to katib-ui [user traffic]. * Set APP_DISABLE_AUTH ENV var to false when in kubeflow-mode to enable authorization checks in UI's backend * Extend the RBAC persmissions of katib-ui so it can crate SAR objects when in kubeflow-mode Signed-off-by: Apostolos Gerakaris <[email protected]>
Introduce authn/authz checks in the backend Signed-off-by: Apostolos Gerakaris <[email protected]>
apo-ger
force-pushed
the
feature-authz-kf-katib
branch
from
0e86177
to
d3728da
Compare
|
I updated this PR to keep only the changes related to the katib-ui component as mentioned in #2041 (comment) |
Signed-off-by: Apostolos Gerakaris <[email protected]>
manifests/v1beta1/installs/katib-with-kubeflow/kustomization.yaml
Outdated
Show resolved
Hide resolved
|
@apo-ger Thanks for submitting this PR. |
Signed-off-by: Apostolos Gerakaris <[email protected]>
apo-ger
force-pushed
the
feature-authz-kf-katib
branch
from
5b572d5
to
aad7db8
Compare
|
LGTM |
|
/lgtm |
|
@andreyvelich PTAL. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: andreyvelich, apo-ger The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold cancel |
What this PR does / why we need it:
This is a follow-up PR from: #1983
Currently, in kubeflow mode, any workload/pod can set the
kubeflow-useridheader and communicate with the backend of the Katib UI. Since the code for securing the backend is merged we need to provide a way to enable this feature.Changes to
install-with-kubeflowmanifests:katib-ui: Allow traffic only from theistio-ingressgatewaytowards the UI backend. We can trustIGWas we are sure it's setting the user header correctly.katib-uibackend (setAPP_DISABLE_AUTHENV var to false)ClusterRoleto provide RBAC persmissions for thekatib-uiso it can createSubjectAccessReviewobjectsRefs: #1547