From 1da1834c5b7225ee4bca15b602e8bf65aa6be130 Mon Sep 17 00:00:00 2001 From: Ian Rodney Date: Wed, 13 Sep 2023 12:55:53 -0400 Subject: [PATCH] [docs] Update KubeRay Ingress Docs (#39635) Incorporates changes made in [Docs] Update Security Guidance on Dashboard Ingress kuberay#1413 about ensuring that Ingresses are not publicly exposed. Signed-off-by: Ian Rodney --- .../cluster/kubernetes/k8s-ecosystem/ingress.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/doc/source/cluster/kubernetes/k8s-ecosystem/ingress.md b/doc/source/cluster/kubernetes/k8s-ecosystem/ingress.md index 493e8f1625590..d90f09e416183 100644 --- a/doc/source/cluster/kubernetes/k8s-ecosystem/ingress.md +++ b/doc/source/cluster/kubernetes/k8s-ecosystem/ingress.md @@ -8,6 +8,13 @@ Three examples show how to use ingress to access your Ray cluster: * [GKE Ingress support](kuberay-gke-ingress) * [Manually setting up NGINX Ingress on Kind](kuberay-nginx) + +```{admonition} Warning +:class: warning +**Only expose Ingresses to authorized users.** The Ray Dashboard provides read and write access to the Ray Cluster. Anyone with access to this Ingress can execute arbitrary code on the Ray Cluster. +``` + + (kuberay-aws-alb)= ## AWS Application Load Balancer (ALB) Ingress support on AWS EKS @@ -54,7 +61,7 @@ kubectl describe ingress ray-cluster-ingress # ---- ---- -------- # * # / ray-cluster-kuberay-head-svc:8265 (192.168.185.157:8265) -# Annotations: alb.ingress.kubernetes.io/scheme: internet-facing +# Annotations: alb.ingress.kubernetes.io/scheme: internal # alb.ingress.kubernetes.io/subnets: ${SUBNET_1},${SUBNET_2} # alb.ingress.kubernetes.io/tags: Environment=dev,Team=test # alb.ingress.kubernetes.io/target-type: ip 
@@ -82,6 +89,8 @@ kubectl delete ingress ray-cluster-ingress * Create a GKE cluster and ensure that you have the kubectl tool installed and authenticated to communicate with your GKE cluster. See [this tutorial](kuberay-gke-gpu-cluster-setup) for an example of how to create a GKE cluster with GPUs. (GPUs are not necessary for this section.) +* If you are using a `gce-internal` ingress, create a [Proxy-Only subnet](https://cloud.google.com/load-balancing/docs/proxy-only-subnets#proxy_only_subnet_create) in the same region as your GKE cluster. + * It may be helpful to understand the concepts at . ### Instructions @@ -93,7 +102,7 @@ kind: Ingress metadata: name: ray-cluster-ingress annotations: - kubernetes.io/ingress.class: "gce" + kubernetes.io/ingress.class: "gce-internal" spec: rules: - http:
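Review bot: In the first hunk (@@ -8,6 +8,13), the new warning tells readers to expose Ingresses only to authorized users but does not say how to do that. Consider adding one sentence that points at the concrete controls the examples below rely on, namely `alb.ingress.kubernetes.io/scheme: internal` and the `gce-internal` ingress class, so the warning is actionable. The list above the warning also names an NGINX on Kind example that this patch does not touch; it is worth checking whether that section needs a matching note.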
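Review bot: In the @@ -54,7 +61,7 hunk, the switch from `internet-facing` to `internal` lands in the commented sample output of `kubectl describe ingress ray-cluster-ingress`, not in a manifest. This patch changes only ingress.md, so please confirm that the ALB ingress manifest the reader applies in the earlier steps actually sets `alb.ingress.kubernetes.io/scheme: internal`. If it does not, the documented output will not match what readers see, and following the guide will still create an internet-facing load balancer.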
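Review bot: In the @@ -82,6 +89,8 hunk, the new prerequisite is worded as optional ("If you are using a `gce-internal` ingress"), but the following hunk changes the example manifest to `kubernetes.io/ingress.class: "gce-internal"` unconditionally. A reader who follows the instructions as written now always needs the Proxy-Only subnet, so I would drop the conditional and state it as a requirement of this example, or keep the conditional and say explicitly that the manifest below uses `gce-internal`.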
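Review bot: In the last hunk (@@ -93,7 +102,7), changing the class from `"gce"` to `"gce-internal"` changes where the resulting address is reachable from, and the steps that follow the manifest are not part of this diff. Please check that any later instruction to open the dashboard at the ingress IP still works for an internal load balancer, and say where the reader has to connect from (for example a host inside the same VPC).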