Secure proxy #11
Comments
|
I was told by someone at Redhat that ISTIO's egress functionality might provide a solution that doesn't involve a reverse proxy. |
|
Also relevant https://github.com/PalmStoneGames/kube-cert-manager cert-manager in combination with external DNS were mentioned as one way to secure TLS services. /cc @elsonrodriguez |
|
One question that has come up is why not use JupyterHub's built in support for TLS and OAuth authentication. I think that would only be a partial solution because we have lots of web services (e.g TfJob UI, Argo UI, TensorBoard, etc...) that we need to secure in addition to JupyterHub. The pattern in K8s seems to be to use a common sidecar which can serve as a secure proxy that sits in front of insecure web services. I think ISTIO's envoy recently added JWT validation. I was told that this was still in the early stages though and not production ready. /cc @yuvipanda |
|
Related: also at least some consideration should be taken into where to store the JWT token, cookie or local storage? This has some clear pros and cons and tradeoff points to take. |
To provide secure ingress to the services running on the cluster we will use https -> reverse proxy and the reverse proxy will enforce authentication by checking JWTs. This PR adds a reverse proxy and JWT validation based on Envoy. Envoy can't validate JWT's created by IAP because of a couple of blocking issues. * istio/proxy#941 * istio/proxy#939 * istio/proxy#929 * istio/proxy#930 Nontheless, this PR allows us to turn on IAP and a reverse proxy. We can use this to continue developing our story for secure access to services in the cluster (e.g. TensorBoard and TF models) While this PR focuses on GCP's IAP most of this code will work just as well for non GCP; see #11 for more details. We make Kubespawner configurable so that when using IAP we use the user's Google identity as verified by IAP and do not make the user login to JupyterHub This requires building a new JupyterHub image with the jhub_remote_user_authenticator added. Related to #60 and #11 regarding secure ingress
Ambassdor provides a reverse proxy that can be dynamically configured; we can mappings just by creating K8s services and anotating them with the prefix we want to serve the path on. Ambassador makes it really easy to configure our reverse proxy to direct traffic to an ephemeral service (e.g. a Tensorboard instance serving data for a particular job). This PR adds Ambassador and adds some default routes; e.g. we add a route to serve the K8s dashboard at /k8s/ui/ In follow on PRs we can annotate other services (like the TFJobs UI) and TensorBoard deployments so that we can create mappings for those servers as well. Related to: #11 Secure Proxy #60 IAP on GKE #154 Contour vs. Ambassador.
|
Istio could provide east-west security to Ambassador's north-south. There are slightly different options available for the sidecar injection depending on the minimum kube requirement (1.8->manual injection; 1.9->automatic via mutating webhooks). |
|
I wonder if a simple initial solution (maybe in time for our 0.1 release) would be to use Ambassador's external authentication and use basic http auth. |
|
@jlewi I work on Ambassador with @kflynn and I'm looking for your thoughts on this... It would be fairly easy to write an Ambassador HTTP Basic Authentication extauth module. The implementation reads the contents of password database and compares a given password with the hashed value in the database to determine whether a user has access to a protected resource. Password Database Schema
---
users:
${user_id}:
password: ${bcrypt_password}Algorithm doesn't have to be Extra Tooling
Theory of OperationDeployment
Add / Remove User
RuntimeIf the user and password hash matches then Extauth returns a |
|
@plombardi89 I would love this! I think this gives us a very simple story that works anywhere. |
|
@jlewi We are scheduling some engineering time to work on this during our upcoming two week engineering cycle. |
|
We've begun work on this in https://github.com/datawire/ambassador-auth-httpbasic |
|
@jlewi We released 0.1.1 of https://github.com/datawire/ambassador-auth-httpbasic . Please give it a spin! |
|
Thank you so much. |
|
Would HTTP auth behind https be useful for any of the other K8s distributions (e.g. Azure, Openshift, or Canonical)? Is anyone interested in taking this on? |
|
Thanks @bhack looks like someone created an OIDC plugin for Ambassador that uses keycloak |
|
OpenShift makes use of sidecar proxies for securing endpoints that are otherwise insecure |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
* adds ambassador and argo components to manifests * removes ksonnet labels * removed unused stubs for overlays * adds jupyter web app * adds notebook-controller * adds swiftdiaries to OWNERS
Signed-off-by: Ce Gao <gaoce@caicloud.io>
[pull] master from kubeflow:master
Opening this issue to track addition of a secure proxy.
Kubeflow will consist of many applications running insecure web apps. Already the stack contains Juptyer notebooks and TensorBoard.
It would be nice if Kubeflow included a secure proxy so that a user could access Kubeflow components at URLs like
https://my-kubeflow.my-domain.io/juptyerhub
https://my-kubeflow.my-domain.io/tf-jobs/my-job/tensorboard
Some issues to consider.
* TfJob spins up a TensorBoard instance whose lifetime is tied to the life time of the job. So we'd like to dynamically add routes.
* For example, on GKE we'd like to use IAP
I think we can use Ambassador to do this
Here's a diagram illustrating what this would like
Using Ambassador everything sits behind a single ingress point. The ingress would be configured differently on different clouds but everything else should be the same.
On GKE we can secure the ingress using IAP
Some open questions
* Do people use VPN? Do we need an IAP equivalent?
* This could authenticate the request using a variety of providers (Github, Google, Facebook) and provide a signed JWT. At which point the solution is largely the same as in the GKE case (i.e. use Envoy to validate JWT and reject traffic without a JWT)
* i think we'd want to integrate oauth-proxy into our envoy proxy
* Ambassador already has support for external auth (but not oauth-proxy)
* Not sure about contour
Alternatives
Not sure what the benefits of Contour vs. Ambassador might be. Anyone have an opinion?
The text was updated successfully, but these errors were encountered: