dask-gke

Disable public IP access by default

Open ogrisel opened this issue 7 years ago • 3 comments

For security reasons, I think that the default configuration should not map the jupyter / scheduler services on a public IP address (even if jupyter notebook asks for a password, passing a password over HTTP without TLS is unsafe).

It would be better to advertise the use of:

kubectl port-forward name-of-service localport:serviceport

We could even have some dask-kubernetes helper commands to do that automatically and open the notebook and other HTTP status pages on http://localhost:localport instead.

ogrisel Jan 18 '18 14:01

More details on port forwarding in:

https://kubernetes.io/docs/tasks/access-application-cluster/port-forward-access-application-cluster/

ogrisel Jan 18 '18 14:01
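As an added example (not part of the thread or of the dask-gke code), the script below lists the services that are reachable from outside the cluster and prints the kubectl port-forward command that would replace each exposure. The service names, ports and address are constructed sample data in the shape of kubectl get services -o json output.

```python
import json

# Constructed sample in the shape of `kubectl get services -o json` output.
# Service names, ports and the address are made up for illustration.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "jupyter-notebook", "namespace": "default"},
  "spec": {"type": "LoadBalancer", "ports": [{"port": 8888}]},
  "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
 {"metadata": {"name": "dask-scheduler", "namespace": "default"},
  "spec": {"type": "NodePort",
           "ports": [{"port": 8786, "nodePort": 30786}, {"port": 8787, "nodePort": 30787}]},
  "status": {"loadBalancer": {}}},
 {"metadata": {"name": "dask-worker", "namespace": "default"},
  "spec": {"type": "ClusterIP", "ports": [{"port": 9000}]},
  "status": {"loadBalancer": {}}}
]}
""")

EXTERNAL_TYPES = {"LoadBalancer", "NodePort"}


def externally_reachable(services):
    """Return one finding per service reachable from outside the cluster."""
    findings = []
    for svc in services.get("items", []):
        spec = svc.get("spec", {})
        # spec.externalIPs exposes a ClusterIP service too, so check it as well.
        external_ips = spec.get("externalIPs", [])
        if spec.get("type", "ClusterIP") not in EXTERNAL_TYPES and not external_ips:
            continue
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress", [])
        addresses = external_ips + [i.get("ip") or i.get("hostname") for i in ingress]
        name = svc["metadata"]["name"]
        ns = svc["metadata"].get("namespace", "default")
        # port-forward listens on localhost unless told otherwise.
        forwards = [f"kubectl port-forward -n {ns} service/{name} {p['port']}:{p['port']}"
                    for p in spec.get("ports", [])]
        findings.append({"service": name, "type": spec.get("type", "ClusterIP"),
                         "addresses": addresses, "port_forward": forwards})
    return findings


if __name__ == "__main__":
    for f in externally_reachable(SAMPLE):
        print(f"{f['service']} ({f['type']}) exposed at {f['addresses'] or 'node ports'}")
        for cmd in f["port_forward"]:
            print("  instead:", cmd)
```

Against a live cluster, the same function can be fed the parsed output of kubectl get services --all-namespaces -o json.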

A pretty common use case has been to share the scheduler or notebook, which would not work well with port forwarding/proxy (proxying is already used for the dashboard command). It would be relatively easy to make the service creation optional and provide forward/proxy options - it would take a little effort, and complicate the CLI, perhaps.

Are you aware of the more recent and parallel daskernetes effort, and general chartification conversations?

martindurant Jan 18 '18 16:01

@mrocklin just told me about daskernetes. I will have a look at it in the coming days.

ogrisel Jan 18 '18 17:01