Kubeflow Platform (Manifests & Security WG) roadmap for KF 1.10 #2763

Open
19 of 35 tasks
juliusvonkohout opened this issue Jun 25, 2024 · 4 comments
Labels
help wanted Extra attention is needed

Comments

@juliusvonkohout
Member

juliusvonkohout commented Jun 25, 2024

Describe your issue

Tracker for 1.10 @rimolive @kimwnasptd
Follow up of #2598 and #2592

We are looking for volunteers and I already mentored over 20 people, so please reach out if you want to help.

Organizational:

Security external:

Performance / Denial of service:

Security JWTs:

Rootless Kubeflow & Istio:

  • Rootless Kubeflow #2528
  • Make istio CNI the default and set the kserve-needed annotation across all Pods. We should use the new "Values.gateways.seccompProfile" and securitycontext to get rid of the manual patch at:

        - name: Configure istio init container with seccompProfile attribute
          run: |
            kubectl get cm istio-sidecar-injector -n istio-system -o yaml > temporary_patch.yaml
            sed -i '0,/runAsNonRoot: true/{s//&\n seccompProfile:\n type: RuntimeDefault/}' temporary_patch.yaml
            sed -i '/runAsNonRoot: true/{N; /runAsUser: {{ .ProxyUID | default "1337" }}/a\
            seccompProfile:\n type: RuntimeDefault
            }' temporary_patch.yaml
            kubectl apply -f temporary_patch.yaml
            rm temporary_patch.yaml

    First PR: istio-cni by default #2907
  • Istio Ambient support #2676

Rest:

@juliusvonkohout juliusvonkohout changed the title Kubeflow Platform (Manifests & Security WG) roadmap for KF 1.9 Kubeflow Platform (Manifests & Security WG) roadmap for KF 1.10 Jun 25, 2024
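
An added example, not part of the issue or of the Kubeflow manifests: a check that lists every container, injected init containers included, whose effective securityContext lacks a seccomp profile or allows root, which is the property the manual `seccompProfile` patch above exists to enforce. The pod JSON is constructed sample data, and `audit_pod`, `effective` and `ALLOWED_SECCOMP` are hypothetical names chosen for this sketch.

```python
import json

# Constructed sample: a Pod after sidecar injection (not real cluster output).
# The injected init container has no seccompProfile, the gap the patch closes.
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "notebook-0", "namespace": "kubeflow-user"},
  "spec": {
    "securityContext": {"runAsNonRoot": true},
    "initContainers": [
      {"name": "istio-init",
       "securityContext": {"runAsNonRoot": true, "runAsUser": 1337}}
    ],
    "containers": [
      {"name": "notebook",
       "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
      {"name": "istio-proxy",
       "securityContext": {"runAsNonRoot": true, "runAsUser": 1337,
                           "seccompProfile": {"type": "RuntimeDefault"}}}
    ]
  }
}
""")

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}  # assumption: policy for this sketch

def effective(pod_sc, container_sc, key):
    """Container-level securityContext fields override the pod-level ones."""
    return container_sc.get(key, pod_sc.get(key))

def audit_pod(pod):
    """Return (container name, problem) pairs that would break a rootless setup."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            seccomp = (effective(pod_sc, sc, "seccompProfile") or {}).get("type")
            if seccomp not in ALLOWED_SECCOMP:
                findings.append((c["name"], f"seccompProfile is {seccomp or 'unset'}"))
            if effective(pod_sc, sc, "runAsNonRoot") is not True:
                findings.append((c["name"], "runAsNonRoot is not true"))
            if effective(pod_sc, sc, "runAsUser") == 0:
                findings.append((c["name"], "runAsUser is 0"))
    return findings

if __name__ == "__main__":
    for name, problem in audit_pod(SAMPLE_POD):
        print(f"{name}: {problem}")
```
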
@kimwnasptd
Member

(Orthogonal question, but why is this called Kubeflow Platform and includes Manifests and Security WGs in it?

Especially once we'll have the repos broken up after the discussion in kubeflow/kubeflow#7549 (comment)

@thesuperzapper
Member

Similar to what @kimwnasptd said, it's hard to imagine that "Kubeflow Platform" should not also involve the distribution owners? I am not sure we should be calling the meetings "Kubeflow Platform" if they are only referring to Manifests/Security WGs.

@andreyvelich
Member

(Orthogonal question, but why is this called Kubeflow Platform and includes Manifests and Security WGs in it?

Especially once we'll have the repos broken up after the discussion in kubeflow/kubeflow#7549 (comment)

@kimwnasptd The main motivation is to identify contributors who can maintain Kubeflow Platform components. E.g. Kubeflow Manifests, Profile Controller, KFAM, Central Dashboard, etc. So if users have any questions about these components they can join the Kubeflow Platform community calls.
Since @juliusvonkohout was driving the security effort around Kubeflow ecosystem, he included the security roadmap to the Kubeflow Platform discussion.

From my perspective, distributions should certainly join those meetings since they are main consumers of Kubeflow Manifests.

@juliusvonkohout
Member Author

@kimwnasptd it is in line with kubeflow/community#725 (comment)

Projects
Status: To Do
Development

No branches or pull requests

6 participants