
Conversation

@andrewsykim (Member) commented Nov 22, 2025

Co-authored-by: Sampan S Nayak [email protected]

@andrewsykim andrewsykim changed the title Add REP for Ray authn/authz with Kubernetes RBAC REP: Ray authn/authz with Kubernetes RBAC Nov 22, 2025
@andrewsykim andrewsykim force-pushed the ray-k8s-auth branch 3 times, most recently from d38b396 to b78f29a on November 22, 2025 03:10
@andrewsykim (Member Author)

Some feedback I got from an internal security review at Google (cc @mtaufen, @vinayakankugoyal):

  • Start with support for audiences in TokenReview API to avoid unintended use of tokens mounted into Ray containers
  • For Raylet identity, manage a separate token from the same ServiceAccount using projected volumes https://kubernetes.io/docs/concepts/storage/projected-volumes/#serviceaccounttoken. This avoids using the default token which is only intended for use with K8s API.
  • Try to introduce finer-grain access control (read, write, etc) earlier as it can be difficult to retrofit this later

@Future-Outlier (Member) left a comment

Can we include the GCS Server RBAC requirements shown in
PR #58497's test script: ray-project/ray#58497 (comment)?

thank you!

Comment on lines 101 to 105
### Raylet Identity with Kubernetes Service Accounts

By default, the identity of the Raylet will be bound to the Service Account token of the Pod.
However, the Raylet will not use the default token in `/var/run/kubernetes.io/serviceaccount/token`.
Instead, a dedicated token in path `/var/run/ray.io/serviceaccount/token` will be mounted using
@Future-Outlier (Member) Nov 26, 2025

Can we also mention the autoscaler sidecar and wait-gcs init container?
thank you!!
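An added example, not code from the REP, from Ray or from KubeRay, that ties together the two points raised above: the security-review feedback to set audiences in TokenReview and to mount a separately projected ServiceAccount token, and the REP excerpt that places that token at `/var/run/ray.io/serviceaccount/token`. It builds the projected-volume spec for the dedicated token, the TokenReview body a Ray component would send, and the check on the reply that refuses the default API-server-scoped token. The audience string `ray.io`, the volume name, the API server audience value and all sample tokens and replies are assumptions constructed for the demo; the REP text on this page names no audience.

```python
import base64
import json
from typing import Iterable

# Assumed values: the REP excerpt names the token path but no audience or volume name.
RAY_AUDIENCE = "ray.io"
RAY_TOKEN_PATH = "/var/run/ray.io/serviceaccount/token"
# The default token is bound to the API server's own audience; the exact string is
# per-cluster configuration, this one is a constructed stand-in.
APISERVER_AUDIENCE = "https://kubernetes.default.svc"
SA_PREFIX = "system:serviceaccount:"


def projected_token_volume(audience: str, path: str, expiration_seconds: int = 3600) -> dict:
    """Pod volume and volumeMount that project a ServiceAccount token minted for `audience`
    at `path`, leaving the default token untouched for Kubernetes API calls."""
    directory, _, filename = path.rpartition("/")
    volume = {
        "name": "ray-token",
        "projected": {
            "sources": [
                {"serviceAccountToken": {"audience": audience,
                                         "expirationSeconds": expiration_seconds,
                                         "path": filename}}
            ]
        },
    }
    mount = {"name": "ray-token", "mountPath": directory, "readOnly": True}
    return {"volume": volume, "volumeMount": mount}


def token_audiences(token: str) -> list:
    """Read the `aud` claim of a JWT without verifying it. This is only a hint for choosing
    the audience to present to TokenReview; signature and expiry checks stay with the API server."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    aud = json.loads(base64.urlsafe_b64decode(payload)).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def build_token_review(token: str, audiences: Iterable[str]) -> dict:
    """authentication.k8s.io/v1 TokenReview that only accepts tokens minted for `audiences`.
    Omitting spec.audiences would let the default, API-server-scoped token pass."""
    return {
        "apiVersion": "authentication.k8s.io/v1",
        "kind": "TokenReview",
        "spec": {"token": token, "audiences": list(audiences)},
    }


def accept_token_review(response: dict, expected_audiences: Iterable[str]) -> tuple:
    """Return (accepted, principal_or_reason) for a TokenReview reply.
    status.authenticated alone is not enough: status.audiences must overlap what we asked
    for. An authenticated reply with an empty audience list means the token is valid for the
    API server itself, or the authenticator ignored audiences, which is the default-token
    misuse the review feedback wants excluded."""
    status = response.get("status", {})
    if not status.get("authenticated", False):
        return False, status.get("error", "not authenticated")
    if not set(status.get("audiences", [])) & set(expected_audiences):
        return False, "token not issued for the Ray audience"
    username = status.get("user", {}).get("username", "")
    if not username.startswith(SA_PREFIX) or username.count(":") != 3:
        return False, f"unexpected principal {username!r}"
    return True, username


def service_account_identity(username: str) -> tuple:
    """Split system:serviceaccount:<namespace>:<name> into (namespace, name)."""
    _, _, namespace, name = username.split(":")
    return namespace, name


def _constructed_jwt(claims: dict) -> str:
    """JWT-shaped string for the offline demo; constructed, unsigned, not a real token."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none'})}.{seg(claims)}.sig"


SA_USER = "system:serviceaccount:ray:raycluster-sa"
# Constructed: the default token and the Ray-scoped projected token of one ServiceAccount.
DEFAULT_TOKEN = _constructed_jwt({"aud": [APISERVER_AUDIENCE], "sub": SA_USER})
RAY_TOKEN = _constructed_jwt({"aud": [RAY_AUDIENCE], "sub": SA_USER})
# Constructed API server replies to a TokenReview with spec.audiences=["ray.io"].
REVIEW_OF_DEFAULT_TOKEN = {"status": {"authenticated": False,
                                      "error": "token audiences do not match requested audiences"}}
REVIEW_OF_RAY_TOKEN = {"status": {"authenticated": True, "audiences": [RAY_AUDIENCE],
                                  "user": {"username": SA_USER,
                                           "groups": ["system:serviceaccounts",
                                                      "system:serviceaccounts:ray"]}}}
# Constructed reply from an audience-unaware authenticator: authenticated, no audiences.
REVIEW_AUDIENCE_UNAWARE = {"status": {"authenticated": True, "user": {"username": SA_USER}}}

if __name__ == "__main__":
    print(json.dumps(projected_token_volume(RAY_AUDIENCE, RAY_TOKEN_PATH), indent=2))
    for name, tok, reply in [("default token", DEFAULT_TOKEN, REVIEW_OF_DEFAULT_TOKEN),
                             ("ray token", RAY_TOKEN, REVIEW_OF_RAY_TOKEN),
                             ("audience-unaware", RAY_TOKEN, REVIEW_AUDIENCE_UNAWARE)]:
        print(name, token_audiences(tok), accept_token_review(reply, [RAY_AUDIENCE]))
```

The volumeMount lands the projected token in a directory separate from the kubelet-managed default token, so the Raylet, the autoscaler sidecar or an init container can read the Ray-scoped token while Kubernetes API calls keep using the default one. On the verifying side the important line is the audience intersection check: a TokenReview client that sets `spec.audiences` should confirm a matching entry comes back in `status.audiences`, otherwise an authenticator that ignores audiences would silently accept any token mounted into the Pod.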

@andrewsykim (Member Author)

@sampan-s-nayak and @edoakes suggested updating this REP to include the full scope of token authentication, including the k8s integration. We'll update the REP once it's ready

@richo-anyscale

Directionally, this feels reasonable to me.

I skimmed this when you first pinged me, and have hazy memories of this stipulating a lot more about RBAC in Ray? The reason I bring it up is that I think bridging the K8s permission model into Ray is an obvious win and good first step, I think attaching logical RBAC to Ray, whether driven by K8s or without it, is a pretty huge undertaking, especially given that workloads can be scheduled on privileged nodes. Does it make sense to break this up into two proposals, one dependent on the other?

@andrewsykim (Member Author)

Agreed that introducing RBAC in Ray is something worth pursuing. I don't think we need the same set of verbs as Kubernetes though (get, list, create, update, patch, delete, etc); however, I think we can start with a more minimal set of verbs like read and write.

Does it make sense to break this up into two proposals, one dependant on the other?

I got feedback from Edward that we should update this enhancement to include the full scope of token authentication, I can take a stab at also including a section on how we would introduce read/write verbs and how it would integrate with Kubernetes RBAC. If it gets too long we can break it into a separate proposal.

@andrewsykim (Member Author)

I think I misunderstood your last comment, but after speaking with Edward it seems like we should defer adding additional verbs into Ray for now and revisit it later.

@richo-anyscale

That makes a lot of sense. I think to clarify where I'm coming from:

Making Ray aware of the k8s authentication primitives and wiring them up I think is obviously good and shouldn't be particularly controversial. I just saw your followup, but also I probably wrote RBAC where I meant fine-grained authorization, which likely muddled things up a little bit as well. It sounds like we're mostly in agreement.

@andrewsykim andrewsykim changed the title REP: Ray authn/authz with Kubernetes RBAC REP: Ray Token Authentication Dec 6, 2025
andrewsykim and others added 3 commits December 6, 2025 03:18
Signed-off-by: Andrew Sy Kim <[email protected]>
Co-authored-by: Sampan S Nayak <[email protected]>
…uce read/write verbs

Signed-off-by: Andrew Sy Kim <[email protected]>
Co-authored-by: Sampan S Nayak <[email protected]>