Added security to the API server #1677

blublinsky · 2023-11-22T17:42:17Z

Why are these changes needed?

Right now API server access is completely opened. This defines the approach to secure API server and provides a very simple implementation.

Securing API server endpoint

Related issue number

Closes #1376

Checks

[ x] I've made sure the tests are passing.
Testing Strategy
- [ x] Unit tests
- [ x] Manual tests
- This PR is not tested :(

blublinsky · 2023-11-22T17:43:52Z

@astefanutti , @z103cb , please take a look

cc: @kevin85421 , @architkulkarni

apiserver/SecuringImplementation.md

apiserver/cmd/proxy/proxy.go

apiserver/deploy/base/apiserver_secure.yaml

helm-chart/kuberay-apiserver/values.yaml

apiserver/cmd/apiserver/main.go

apiserver/deploy/base/apiserver_secure.yaml

apiserver/Dockerfile_proxy

apiserver/Dockerfile

apiserver/SecuringImplementation.md

z103cb

I believe that we should be covering the newly added code with some unit tests.

blublinsky · 2023-11-27T19:42:21Z

I believe that we should be covering the newly added code with some unit tests.

These are available in this project https://github.com/blublinsky/auth-reverse-proxy

blublinsky · 2023-11-27T19:50:40Z

@tedhtchang can you take a look

tedhtchang

@blublinsky The instruction worked w/ some changes. In addition, is it possible to have helm optionally deployed the sidecar with --set security.enable=true ?

apiserver/SecuringImplementation.md

helm-chart/kuberay-apiserver/values.yaml

helm-chart/kuberay-apiserver/templates/deployment.yaml

blublinsky · 2023-11-28T08:02:35Z

@kevin85421 I think its ready for you

astefanutti

LGTM overall, once we find an appropriate place to land the reverse proxy parts (in the security directory and the associated workflows) instead to have them in-tree.

@kevin85421 we'd like to have your advice / guidance where you think this could be maintained. Could this be in a dedicated repository in the ray-project organisation? I could also propose we create a ray-contrib organisation, if the former is not an option, to hosts incubating or extension projects.

kevin85421 · 2023-11-28T18:51:16Z

@kevin85421 we'd like to have your advice / guidance where you think this could be maintained. Could this be in a dedicated repository in the ray-project organisation? I could also propose we create a ray-contrib organisation, if the former is not an option, to hosts incubating or extension projects.

cc @architkulkarni do you have any suggestions?

architkulkarni · 2023-11-28T20:06:10Z

I don't have any special insight here but I can check with the Ray maintainers. What's the main advantage of having the security directory in a separate repository? Sorry if I missed some of the previous discussion around this.

blublinsky · 2023-11-28T21:18:01Z

@kevin85421 @architkulkarni The reason for the question is that security directory contains a very simple implementation, that is easily breakable and as such should never be used in production. The point of PR is to show how the security fits in the overall API server implementation. So provided implementation is really for people to experiment with and then roll out their own implementation. We discussed that on one hand we wanted to give people something to try security with but wanted to make sure that they understand, that this is a very simple "toy" example.

architkulkarni · 2023-11-28T21:36:09Z

Gotcha! That makes sense, but couldn't we convey that by putting it in an experimental/ folder and adding a prominent warning in a code comment or readme?

blublinsky · 2023-11-29T08:25:55Z

This will work for me. We were looking for your suggestion on the matter

astefanutti · 2023-11-29T08:59:02Z

@kevin85421 @architkulkarni @blublinsky besides the maturity level of this reverse-proxy component, it's also that it's completely independent from KubeRay. Even if it would become mature enough (which is not the goal as @blublinsky stressed), it would still be as if a project like oauth2-proxy would be pull in-tree into KubeRay.

That being said, that was more to raise awareness so you guys can decide, and if you don't have any objections to having it in-tree, moving that component into an experimental folder sounds like a good compromise as @architkulkarni suggested, and this can still be revisited in the future anyway.

z103cb · 2023-11-29T09:03:38Z

@kevin85421 @architkulkarni @blublinsky besides the maturity level of this reverse-proxy component, it's also that it's completely independent from KubeRay. Even if it would become mature enough (which is not the goal as @blublinsky stressed), it would still be as if a project like oauth2-proxy would be pull in-tree into KubeRay.

That being said, that was more to raise awareness so you guys can decide, and if you don't have any objections to having it in-tree, moving that component into an experimental folder sounds like a good compromise as @architkulkarni suggested, and this can still be revisited in the future anyway.

I agree with @astefanutti's comments. Using the experimental folder name is slightly better than using the security folder name. I will be fine with your decision @architkulkarni and @kevin85421.

blublinsky · 2023-11-29T14:29:28Z

@kevin85421 @architkulkarni, please let me know final decision and I will update the PR, which is otherwise ready to merge

architkulkarni · 2023-11-29T23:00:57Z

Thanks for the clarification! We're okay with keeping it in tree, so let's go with the experimental folder for now. Once that's done, we can merge the PR.

blublinsky · 2023-11-30T10:32:14Z

@kevin85421 @architkulkarni, you can merge it now

architkulkarni

Stamp

z103cb reviewed Nov 23, 2023

View reviewed changes