Why is certificates.k8s.io/v1 used in Cache Deployer instead of OpenSSL?
Caching is one of the most crucial features of KFP. Each time a pipeline step is the same as an already executed one, the results are loaded from the cache server. Caching is accomplished in KFP via two interdependent modules: the cache deployer and the cache server.
While trying to set up the modules in an enterprise cluster (Mercedes-Benz AG), it was noted that the installation couldn't be completed. The reason was that the cache deployer is built to generate a signed certificate for the cache server by referring to the Kubernetes CertificateSigningRequest API.
...
# create server cert/key CSR and send to k8s API
cat <<EOF | kubectl create -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${csrName}
spec:
  groups:
  - system:authenticated
  request: $(cat ${tmpdir}/server.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kubelet-serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF
..
The usage of API server certificates in our enterprise environment is restricted because those allow permission escalation. The security risk is critical, as by using this API, users can order certificates that let them impersonate both Kubernetes control plane and cluster team access.
To adjust the cache deployer's certificate generation process without affecting the actual functionality, and to avoid loosening the security restrictions, we used the widely known OpenSSL.
Is there any specific reason for using the K8s API? If not, would the community be interested in an upstream contribution?
Could you please discuss the problem in this issue? https://github.com/kubeflow/manifests/issues/2165
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it.