[docs] Update KubeRay Ingress Docs (#39635)

Incorporates changes made in [Docs] Update Security Guidance on Dashboard Ingress kuberay#1413 about ensuring that Ingresses are not publicly exposed. Signed-off-by: Ian Rodney <ian.rodney@gmail.com>
ray-project · Sep 13, 2023 · 1da1834 · 1da1834
1 parent 3e49f5d
commit 1da1834
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/doc/source/cluster/kubernetes/k8s-ecosystem/ingress.md b/doc/source/cluster/kubernetes/k8s-ecosystem/ingress.md
@@ -8,6 +8,13 @@ Three examples show how to use ingress to access your Ray cluster:
   * [GKE Ingress support](kuberay-gke-ingress)
   * [Manually setting up NGINX Ingress on Kind](kuberay-nginx)
 
+
+```{admonition} Warning
+:class: warning
+**Only expose Ingresses to authorized users.** The Ray Dashboard provides read and write access to the Ray Cluster. Anyone with access to this Ingress can execute arbitrary code on the Ray Cluster.
+```
+
+
 (kuberay-aws-alb)=
 ## AWS Application Load Balancer (ALB) Ingress support on AWS EKS
 
@@ -54,7 +61,7 @@ kubectl describe ingress ray-cluster-ingress
 #  ----        ----  --------
 #  *
 #              /   ray-cluster-kuberay-head-svc:8265 (192.168.185.157:8265)
-# Annotations: alb.ingress.kubernetes.io/scheme: internet-facing
+# Annotations: alb.ingress.kubernetes.io/scheme: internal
 #              alb.ingress.kubernetes.io/subnets: ${SUBNET_1},${SUBNET_2}
 #              alb.ingress.kubernetes.io/tags: Environment=dev,Team=test
 #              alb.ingress.kubernetes.io/target-type: ip
@@ -82,6 +89,8 @@ kubectl delete ingress ray-cluster-ingress
 
 * Create a GKE cluster and ensure that you have the kubectl tool installed and authenticated to communicate with your GKE cluster.  See [this tutorial](kuberay-gke-gpu-cluster-setup) for an example of how to create a GKE cluster with GPUs.  (GPUs are not necessary for this section.)
 
+* If you are using a `gce-internal` ingress, create a [Proxy-Only subnet](https://cloud.google.com/load-balancing/docs/proxy-only-subnets#proxy_only_subnet_create) in the same region as your GKE cluster.
+
 * It may be helpful to understand the concepts at <https://cloud.google.com/kubernetes-engine/docs/concepts/ingress>.
 
 ### Instructions
@@ -93,7 +102,7 @@ kind: Ingress
 metadata:
   name: ray-cluster-ingress
   annotations:
-    kubernetes.io/ingress.class: "gce"
+    kubernetes.io/ingress.class: "gce-internal"
 spec:
   rules:
     - http: