You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, any resource can be deployed to any provider. The operator simply reads the specified provider on the resource spec and performs any provider operation it needs to perform (e.g. creating a training pipeline or schedule).
This raises security concerns, because it means any user can create and manage resources on any provider, without any checks to confirm if that user is allowed to use the specified provider.
We want to control which resources can be deployed to which providers, similarly to how NetworkPolicies are used to control which namespaces a service can accept requests from.
We also want to be aware of when resources attempt to access a provider that they are not allowed to use, to make incorrectly-configured resources/providers visible.
Acceptance Criteria
Argo Workflows that perform provider CRUD operations can only be submitted for resources in namespaces permitted to use the specified provider
If a resource attempts to use a provider it's not permitted to use, the resource should go into a failed state and the user should receive an informative message
Attempts to use a provider that a resource is not permitted to use should increment a metric which can be used to detect if providers are being used maliciously or incorrectly configured
Technical Details
Every time a request changes (created, updated, deleted) the following happens:
The operator receives a reconciliation request
The operator submits an Argo Workflow to the namespace the provider specified on the resource spec lives
The necessary operations are carried out in the specified provider (e.g. creating a training pipeline or a schedule)
Our goal is to only perform step 2 if the resource is in a namespace which is allowed to use the provider specified on the resource spec.
To do this we will add a list of allowed namespaces on Provider resources, which the operator will check against before submitting a Workflow to the specified provider. Something like the following (example taken from the KFP Operator website):
Overview
Currently, any resource can be deployed to any provider. The operator simply reads the specified provider on the resource spec and performs any provider operation it needs to perform (e.g. creating a training pipeline or schedule).
This raises security concerns, because it means any user can create and manage resources on any provider, without any checks to confirm if that user is allowed to use the specified provider.
We want to control which resources can be deployed to which providers, similarly to how
NetworkPolicies
are used to control which namespaces a service can accept requests from.We also want to be aware of when resources attempt to access a provider that they are not allowed to use, to make incorrectly-configured resources/providers visible.
Acceptance Criteria
Technical Details
Every time a request changes (created, updated, deleted) the following happens:
Our goal is to only perform step 2 if the resource is in a namespace which is allowed to use the provider specified on the resource spec.
To do this we will add a list of allowed namespaces on
Provider
resources, which the operator will check against before submitting a Workflow to the specified provider. Something like the following (example taken from the KFP Operator website):The text was updated successfully, but these errors were encountered: