REP: Kubernetes Native Ray Authentication #51
Conversation
|
|
||
| The sidecar authenticator will use the TokenReview API to authenticate tokens passed into the authorization headers of each request. | ||
| Tokens can be created from Kubernetes ServiceAccounts or an external identity provider as long as the Kubernetes API Server is configured with an external authorizer. | ||
| Each RayCluster will be provisioned a default ServiceAccount that KubeRay Operator will use when authenticating to the Ray head (specifically for RayJob and RayService). |
There was a problem hiding this comment.
It may be useful for the implementation phase, to explicitly mention here the case of RayJobs with submission mode set to K8sJobMode, for which the Ray CLI command executed in the submission Job will have to be authenticated as well.
There was a problem hiding this comment.
Good point, will add that!
| 3. A ServiceAccount is created per RayCluster resource | ||
|
|
||
| The sidecar ensures only requests with the correct authorization tokens can access the Ray head. More details on how tokens are authenticated below. | ||
| For the MVP, the sidecar will be implemented using Envoy configured with an [External Authorizer](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter). |
There was a problem hiding this comment.
I also chatted with some users about this project. They have their own internal authentication solution. We should make the interface extensible and not be too opinionated about Envoy.
There was a problem hiding this comment.
I agree, I don't feel too strongly about using Envoy.
I also think implementing from scratch wouldn't be that difficult, we can consider a new binary / image for the auth server.
|
This PR looks good to me. Maybe we can organize a community design review meeting for this REP. |
|
cc @thomasdesr would you mind reviewing this PR? Thanks! |
andrewsykim
force-pushed
the
ray-authentication
branch
from
e9eac24
to
552e6ce
Compare
| ... | ||
| spec: | ||
| enableAuthentication: true | ||
| authenticationOptions: |
There was a problem hiding this comment.
In some organisations, RayCluster resources will be created by the "data scientist" / end-user persona, while the security aspect will be owned by the platform administrator. The current proposal makes it difficult to enforce that model with Kubernetes RBAC.
The API surface of that new feature should ideally follow usual API graduation. Including it into the RayCluster API, that's v1, will make it difficult to iterate on it and make it evolve, by complying to v1 guarantees.
The RayCluster API has already a large surface. Could the proposal explore the solution space, and research a more modular approach for the configurability aspect, that'd be more symmetrical to the sidecar implementation proposal, i.e. non intrusive, and generally try to keep the single-responsibility principle for the RayCluster API as much as possible.
There was a problem hiding this comment.
In some organisations, RayCluster resources will be created by the "data scientist" / end-user persona, while the security aspect will be owned by the platform administrator. The current proposal makes it difficult to enforce that model with Kubernetes RBAC.
My assumption is that a platform admin can grant role / rolebindings that give data scientists namespace-wide access to RayClusters (both creating them and accessing them) so they don't need to manage security on a per-cluster basis. You can also make this a ClusterRole to give access to all RayClusters in the cluster. In organizations where data scientists also create RayClusters, they also have the option to by-pass the RBAC check with the fixed list of allowed users (allowedPrincipals).
The API surface of that new feature should ideally follow usual API graduation. Including it into the RayCluster API, that's v1, will make it difficult to iterate on it and make it evolve, by complying to v1 guarantees.
I think this is more of a concern around feature gates and gating changes to v1 APIs that might not be mature yet. I will try to explore adding Kubernetes-like feature gates to KubeRay as we implement this. FYI @kevin85421
The RayCluster API has already a large surface. Could the proposal explore the solution space, and research a more modular approach for the configurability aspect, that'd be more symmetrical to the sidecar implementation proposal, i.e. non intrusive, and generally try to keep the single-responsibility principle for the RayCluster API as much as possible.
Let me give this more thought and let's revisit during code review? In theory the addition of a sidecar is already modular because RayCluster lets you override the entire pod template. So my initial thinking is that enabling authentication in KubeRay should default to a solution that will work for most users out of the box (with something like kube-rbac-proxy)
There was a problem hiding this comment.
We can discuss more during code review about the API.
andrewsykim
force-pushed
the
ray-authentication
branch
from
552e6ce
to
e31faa3
Compare
andrewsykim
changed the title
| ## Access Control with TokenReview API | ||
|
|
||
| The sidecar authenticator will use the TokenReview API to authenticate tokens passed into the authorization headers of each request. | ||
| Tokens can be created from Kubernetes ServiceAccounts or an external identity provider as long as the Kubernetes API Server is configured with an external authorizer. |
There was a problem hiding this comment.
For KSA tokens, the sidecar should require them to have audiences that do not intersect with the audiences accepted by kube-apiserver. We don't want KSA tokens that grant API access included in requests destined for anywhere other than kube-apiserver. Note that audiences can be specified for mounted tokens using projected volumes: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection
There was a problem hiding this comment.
thanks, added a note about KSA requiring audiences
| apiVersion: authentication.k8s.io/v1 | ||
| kind: TokenReview | ||
| spec: | ||
| token: <your_token_here> |
There was a problem hiding this comment.
+1 to requiring a ray-specific audience here
There was a problem hiding this comment.
thanks, added a note about KSA requiring audiences
| apiVersion: authentication.k8s.io/v1 | ||
| kind: TokenReview | ||
| status: | ||
| authenticated: true |
There was a problem hiding this comment.
the tokenreview response status must contain the audience the token is good for, and should be verified to intersect with the audience requested in the tokenreview spec
There was a problem hiding this comment.
thanks, updated the status example to include an audience that will be verified with the audience in the spec
andrewsykim
force-pushed
the
ray-authentication
branch
from
e31faa3
to
45a0b68
Compare
|
|
||
| The sidecar authenticator will use the TokenReview API to authenticate tokens passed into the authorization headers of each request. | ||
| Tokens can be created from Kubernetes ServiceAccounts or an external identity provider as long as the Kubernetes API Server is configured with an external authorizer. | ||
| Tokens from Kubernetes Service Accounts are required to specify an audience. For now the placeholder audience is "ray.io". |
There was a problem hiding this comment.
Ideally, audiences are globally unique; a token meant for interacting with ray cluster A should not be accepted by Ray cluster B
Perhaps the audience should be something like ray.io/cluster-name/foo, where foo is somehow derived from the RayCluster resource?
There was a problem hiding this comment.
good point, updated to require unique auidences
|
|
||
| When submitting jobs using the Ray job CLI: | ||
| ``` | ||
| export RAY_JOB_HEADERS="Authorization: Bearer $(kubectl create token ray-cluster)" |
There was a problem hiding this comment.
The user will need to be given impersonation permissions for the service account default/ray-cluster. If multiple users are using the cluster, then all their access will be laundered through this service account.
The recommended usage should probably be the one from line 69, where the user authenticates to the ray cluster using the same credential they use to authenticate to the Kubernetes cluster.
There was a problem hiding this comment.
The recommended usage should probably be the one from line 69, where the user authenticates to the ray cluster using the same credential they use to authenticate to the Kubernetes cluster.
Yes, we will likely recommend this for most cases, the KSA case is only supported for two cases:
- For KubeRay operator itself that needs to connect to Ray clusters
- For clusters that don't have external identity providers
| ``` | ||
| export RAY_JOB_HEADERS="Authorization: Bearer $(kubectl create token ray-cluster)" | ||
| OR | ||
| export RAY_JOB_HEADERS="Authorization: Bearer $(gcloud auth print-access-token)" # example external identity provider |
There was a problem hiding this comment.
I was surprised that this would work, but it does seem like TokenReview will understand external tokens by calling the Webhook Token Authenticator, if one is configured.
We'll need to think about how to make this mesh with the audiences from above. GCP (and presumably AWS, Azure, etc) access tokens don't carry scopes, so they won't pass the scope check by default.
There was a problem hiding this comment.
I was surprised that this would work, but it does seem like TokenReview will understand external tokens by calling the Webhook Token Authenticator, if one is configured.
I was also pleasantly surprised as well :)
We'll need to think about how to make this mesh with the audiences from above. GCP (and presumably AWS, Azure, etc) access tokens don't carry scopes, so they won't pass the scope check by default.
From my testing w/ GKE, the returned audience is something like:
audiences:
- https://container.googleapis.com/v1/projects/<project>/locations/us-east4-c/clusters/<cluster>
Perhaps we need to specify a list of allowed audiences in the RayCluster if we are required to verify the audience?
There was a problem hiding this comment.
OK, yes, that seems like it would work.
andrewsykim
force-pushed
the
ray-authentication
branch
from
45a0b68
to
90a383c
Compare
SubjectAccessReview API Signed-off-by: Andrew Sy Kim <[email protected]>
andrewsykim
force-pushed
the
ray-authentication
branch
from
90a383c
to
ad2b545
Compare
|
We had an in-depth review meeting on this feature on June 4. The vote on ray-committers has also just passed. I'm going to merge this REP Thanks @andrewsykim for the great contribution and @kevin85421 for shepherding 
|
Add REP for supporting authentication for Ray clusters created by KubeRay using the Kubernetes TokenReview API