-
Notifications
You must be signed in to change notification settings - Fork 885
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Promote networkpolicies out of /contrib #2385
Comments
Thanks for creating the issue! Before deciding on promoting them to be added as an extra layer in Kubeflow I'd like to understand if they offer something that we currently can't achieve with Istio. In both the above cases for the missing sidecar and the unprotected KFAM the issue was with an incorrect misconfiguration in Istio's auth mechanism (AuthorizationPolicies and sidecars). Personally for Notebooks WG I'd like to avoid adding another layer of complexity in the KF stack, which will add a small burden on debugging and maintaining this logic, if this can already be achieved with Istio. In my mind securing who can talk to who is the responsibility of the service mesh, that's why I keep on bringing Istio. Is there a scenario that we currently can't secure with Istio and for which we need explicitly NetworkPolicies? let's also bring this to the attention of the rest of the WG leads, since such a change would affect other WGs as well |
@kimwnasptd i do not think that all components support istio yet and it is also useful for isolating user namespaces where sometimes not everything uses istio. If we get to a perfect world in 2 years and really do not need it anymore we can always think about deprecation. Also for it administrators that have to specify network flows and satisfy enterprise guidelines it comes in quite handy. Furthermore i do not see debugging problems and it is used by some other companies as well. I can maintain it for the next years, although there is not much to do. |
And again something that would have been prevented by networkpolicies kubeflow/kubeflow#7032. In the long term i also want to protect the usernamespaces with networkpolicies as done in another PR. |
Hello! 👋 |
@rawc0der I think there are still missing details we need to define before merging #2456 There are 2 questions that I think are not clear regarding this:
|
For 1. we could list the exploits so far that have been or would have been prevented by networkpolicies in the kubeflow and or user namespaces. For 2. I think the security related stuff has to be mostly in one place. This is also valid for podsecuritypolicies / standards. It would take years to get this into all WGs anyway. But if this is your long term goal we should have it in manifests and migrate it step by step in the WGs. |
Hi @kimwnasptd!
|
Hi @rawc0der. Regarding the first point I see the following two problems:
|
Regarding the second point, that @juliusvonkohout is also talking about: Right now the Manifests repo is just a place for gathering the components maintained by the KF WGs and providing some third-party ones for folks to deploy a whole solution. Adding NetworkPolicies to We currently don't have such an agreed process right now (but, by all means let's continue the discussion to establish one). And for me this is how it should look like, for efforts need to affect all components:
Lastly, to @juliusvonkohout's point
I wouldn't want the manifests repo to be a place where functionality gets added because the WGs don't accept a change or discussions take too long. The bug in this case is how features are agreed and discussed in WGs. But the solution to this bug is not to have a "backdoor" for pushing efforts in a central place in order to avoid interactions with WGs and impose decisions on them. |
Hi @kimwnasptd, Thanks for raising up these points and for trying to describe the decision process from a WG Lead perspective. Decision making is tough and comes with some risk, but the community needs to figure out how to move forward and try to come to some conclusions.
Istio
This is something I can't answer, but because of different conditions whre security is enforced, you can have edge cases yes. This is what keeps some people up at night :D.
Well, I believe since the functionality added by NP is security related the responsibility and ownership should fall under Security WG Team (once process, official channels and core members are established). Until then seems that Manifest WG responsibilities are a bit all-over the place, stretching from
I strongly believe that multiple WG should commit to maintain clean in structure the same repository, having all files (kustomize manifests) in one place makes sense and corresponding WG should maintain the parts they are concerned with. Obviously there needs to be some synergy between Security/Manifests WG - so let's keep the discussion alive to bring these ideas to life. |
@andreyvelich @johnugeorge @jbottum this is probably a decision for the KSC or TOC |
…beflow#2457) * Move networkpolicies out of /contrib into /common (kubeflow#2385) * extend OWNERS file * disable seldon NP * enable seldon NP * add rawc0der as Reviewer * Remove rawc0der reviewer * remove the duplicate resource
Follow up of #2311 (comment)
@kimwnasptd @annajung @TobiasGoerke
Yes, we should promote it even for 1.7. It is a second security barrier and best practice. It prevented some of the latest security flaws that we had in Kubeflow with missing sidecars or before that the unprotected KFAM.
@kimwnasptd common/networkpolicies is the right place and we should include it in the example installation file https://github.com/kubeflow/manifests/blob/master/example/kustomization.yaml
It would also make sense to add me to the root owner file then, since istio-cni is the next topic.in /common
The text was updated successfully, but these errors were encountered: