Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Proposal for rootless Kubeflow #2527

Merged
merged 13 commits into from
Sep 21, 2023
35 changes: 35 additions & 0 deletions proposals/20200913-rootlessKubeflow.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
# Rootless Kubeflow

### Goals

We want to run Kubeflow 99 % rootless accoring to CNCF/Kubernetes best practices.
juliusvonkohout marked this conversation as resolved.
Show resolved Hide resolved

The main steps are adding an additional profile for istio-cni or ambient mesh, updating the documentation and manifest generation process.
juliusvonkohout marked this conversation as resolved.
Show resolved Hide resolved
Then adding the baseline and restricted PSS as kustomize component to /contrib and extending the profile controller to annotate user namespaces with configurable PSS labels.
juliusvonkohout marked this conversation as resolved.
Show resolved Hide resolved

We want to use a staged approach.
First Stage:

1. Implement Istio 1.17.5 and use it by default. This is important for the Kubeflow 1.8 feature freeze
juliusvonkohout marked this conversation as resolved.
Show resolved Hide resolved
2. Implement istio-cni (--set components.cni.enabled=true --set components.cni.namespace=kube-system) as second option.
3. Add simple tests similar to tests/gh-actions/install_istio.sh and tests/gh-actions/install_knative.sh for istio-cni and support both rootfull and rootless istio at the same time and give users one release to test

Second stage in a second PR:
4. Add pod security standards (https://kubernetes.io/docs/concepts/security/pod-security-standards/) base/restricted to manifests/contrib
5. Add istio-ambient as an option to Kubeflow 1.9
juliusvonkohout marked this conversation as resolved.
Show resolved Hide resolved
6. Enforce PSS baseline (here you can still build OCI containers via Podman and buildah) in Kubeflow 1.9. It works with any istio
7. Warning for violations of restricted PSS
8. Optionally Enforce PSS restricted (this is where minor corner cases are affected) in Kubeflow 1.10
juliusvonkohout marked this conversation as resolved.
Show resolved Hide resolved

Third stage:
10. Upgrade Istio to 1.19 and use ambient service mesh by default in Kubeflow 1.10
juliusvonkohout marked this conversation as resolved.
Show resolved Hide resolved

### Non-Goals
THis does not cover Application level CVEs, only cluster level security.

### Does this break any existing functionality?
So far not. Only PSS restricted may block Docker in Docker. In PSS baseline you can still build OCI images with Podman
juliusvonkohout marked this conversation as resolved.
Show resolved Hide resolved

### Does this fix/solve any outstanding issues?
We are not following best practices and this is forbidden in most enterprise environments.
The progress is tracked in https://github.com/kubeflow/manifests/issues/2528