Added security to the API server #1677
@astefanutti, @z103cb, please take a look. cc: @kevin85421, @architkulkarni
I believe that we should be covering the newly added code with some unit tests.
4b5b81e to b372a0a
These are available in this project: https://github.com/blublinsky/auth-reverse-proxy
@tedhtchang can you take a look?
@blublinsky The instruction worked w/ some changes. In addition, is it possible to have helm optionally deploy the sidecar with --set security.enable=true?
@kevin85421 I think it's ready for you
439a509 to 663a972
LGTM overall, once we find an appropriate place to land the reverse proxy parts (in the security directory and the associated workflows) instead of having them in-tree.
@kevin85421 we'd like to have your advice / guidance on where you think this could be maintained. Could this be in a dedicated repository in the ray-project organisation? I could also propose we create a ray-contrib organisation, if the former is not an option, to host incubating or extension projects.
cc @architkulkarni do you have any suggestions?
I don't have any special insight here but I can check with the Ray maintainers. What's the main advantage of having the
@kevin85421 @architkulkarni The reason for the question is that
Gotcha! That makes sense, but couldn't we convey that by putting it in an
This will work for me. We were looking for your suggestion on the matter.
@kevin85421 @architkulkarni @blublinsky besides the maturity level of this reverse-proxy component, it's also that it's completely independent from KubeRay. Even if it would become mature enough (which is not the goal as @blublinsky stressed), it would still be as if a project like oauth2-proxy would be pulled in-tree into KubeRay. That being said, that was more to raise awareness so you guys can decide, and if you don't have any objections to having it in-tree, moving that component into an
I agree with @astefanutti's comments. Using the
@kevin85421 @architkulkarni, please let me know the final decision and I will update the PR, which is otherwise ready to merge.
Thanks for the clarification! We're okay with keeping it in tree, so let's go with the
0b9b49d to 849707e
@kevin85421 @architkulkarni, you can merge it now
Stamp
Why are these changes needed?
Right now API server access is completely open. This defines the approach to securing the API server and provides a very simple implementation.
Securing API server endpoint
Related issue number
Closes #1376