diff --git a/docs/guidance/ingress.md b/docs/guidance/ingress.md index 435a99c349..96fdca8999 100644 --- a/docs/guidance/ingress.md +++ b/docs/guidance/ingress.md @@ -5,6 +5,9 @@ Here we provide some examples to show how to use ingress to access your Ray clus * [Example: AWS Application Load Balancer (ALB) Ingress support on AWS EKS](#example-aws-application-load-balancer-alb-ingress-support-on-aws-eks) * [Example: Manually setting up NGINX Ingress on KinD](#example-manually-setting-up-nginx-ingress-on-kind) + +> :warning: **Only expose Ingresses to authorized users.** The Ray Dashboard provides read and write access to the Ray Cluster. Anyone with access to this Ingress can execute arbitrary code on the Ray Cluster. + ### Example: AWS Application Load Balancer (ALB) Ingress support on AWS EKS #### Prerequisite * Follow the document [Getting started with Amazon EKS – AWS Management Console and AWS CLI](https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html#eks-configure-kubectl) to create an EKS cluster. diff --git a/docs/index.md b/docs/index.md index 3298af58ce..a5cb78144b 100644 --- a/docs/index.md +++ b/docs/index.md @@ -54,6 +54,8 @@ by some organizations to back user interfaces for KubeRay resource management. ## Security +**Security and isolation must be enforced outside of the Ray Cluster.** Restrict network access with Kubernetes or other external controls. Refer to [**Ray security documentation**](https://docs.ray.io/en/master/ray-security/index.html) for more guidance on what controls to implement. + Please report security issues to security@anyscale.com. ## The Ray docs diff --git a/ray-operator/config/samples/ray-cluster-alb-ingress.yaml b/ray-operator/config/samples/ray-cluster-alb-ingress.yaml index e7eb586075..603299eae8 100644 --- a/ray-operator/config/samples/ray-cluster-alb-ingress.yaml +++ b/ray-operator/config/samples/ray-cluster-alb-ingress.yaml 
@@ -3,7 +3,10 @@ kind: Ingress metadata: name: ray-cluster-ingress annotations: - alb.ingress.kubernetes.io/scheme: internet-facing + # WARNING: Do not expose this ALB publicly without additional authentication/authorization. + # The Ray Dashboard provides read and write access to the cluster. Anyone with access to the + # ALB can launch arbitrary code execution on the Ray Cluster. + alb.ingress.kubernetes.io/scheme: internal alb.ingress.kubernetes.io/tags: Environment=dev,Team=test # See `ingress.md` for more details about how to choose subnets. alb.ingress.kubernetes.io/subnets: subnet-0930d6b677fb40a74, subnet-0066ab2e15925618c diff --git a/ray-operator/config/samples/ray-cluster.separate-ingress.yaml b/ray-operator/config/samples/ray-cluster.separate-ingress.yaml index 5e262b07b9..f923585ec9 100644 --- a/ray-operator/config/samples/ray-cluster.separate-ingress.yaml +++ b/ray-operator/config/samples/ray-cluster.separate-ingress.yaml @@ -36,6 +36,9 @@ spec: name: client --- # Ingress for raycluster +# WARNING: Nginx must handle authentcation/access control. The Ray Dashboard provides +# read and write access to the cluster. Anyone with access through Nginx can launch +# arbitrary code execution on the Ray Cluster. apiVersion: networking.k8s.io/v1 kind: Ingress metadata:
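Review bot: The new blockquote in docs/guidance/ingress.md says to expose the Ingress only to authorized users but gives no pointer to how that is enforced, while the docs/index.md hunk in this same patch links the Ray security documentation; add the same link here, e.g. `See the [Ray security documentation](https://docs.ray.io/en/master/ray-security/index.html) for the controls to put in front of the Ingress.`, so a reader who lands on the ingress guide gets the actionable reference rather than only the warning.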
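Review bot: In the docs/index.md hunk, `Restrict network access with Kubernetes or other external controls` is too vague to act on; name at least one concrete control (for example a NetworkPolicy limiting which pods and namespaces can reach the head Service, or an authenticating proxy in front of the Ingress), and state plainly that the cluster provides no authentication of its own, which `Security and isolation must be enforced outside of the Ray Cluster` implies but does not say and which is the premise of the warnings added to the sample manifests in this patch.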
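Review bot: Switching `alb.ingress.kubernetes.io/scheme` from `internet-facing` to `internal` in ray-cluster-alb-ingress.yaml changes the sample's behaviour for anyone who copies it, and the hard-coded subnet IDs (`subnet-0930d6b677fb40a74, subnet-0066ab2e15925618c`) and the `See ingress.md for more details about how to choose subnets` pointer were written for the public case; confirm that the ingress.md walkthrough (this patch only adds a warning to it) still describes an internal ALB, including that the listed subnets must be reachable from wherever the reader tests access. The comment's `additional authentication/authorization` would also be more useful if it pointed at where that is configured, for instance the controller's `alb.ingress.kubernetes.io/auth-type` annotation, so the reader is not left to guess.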
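Review bot: Typo in the new comment in ray-cluster.separate-ingress.yaml: `authentcation` should be `authentication`. The same comment spells `Nginx` differently from the `NGINX` used in docs/guidance/ingress.md (`Manually setting up NGINX Ingress on KinD`); pick one spelling. `Nginx must handle authentcation/access control` states the requirement but not where it is met; since this is the manual NGINX Ingress sample, mention the mechanism (ingress-nginx exposes it through its `nginx.ingress.kubernetes.io/auth-*` annotations) or link to the guidance page.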