Improve isolation of Che theia and che-machine-exec components #15651
Comments
Currently yes, but the linked issue is a plan to split workspaces into multiple pods (provided RWX volumes are available) -- some thought should be given to how this change would affect future plans. If JWT proxy continues to require ~128Mi of memory, we could be looking at 300-500Mi of overhead if workspaces are split.
I would say that anyway we should at least allow the JWT proxy to be run inside the POD as a default option.
I could make this work by moving the jwtproxy to the workspace pod and make it proxy the secure servers by resending the traffic to 127.0.0.1 and appropriate secure server port. While this works, it has at least two consequences:
This is solvable in two ways IMHO:
@skabashnyuk @sleshchenko @l0rd WDYT?
right?
It's a bit confusing to have public and private attributes at the same time, like
So, my personal +1 for
in case
I am +1 for solution n.1
Implemented in #15890, eclipse-che/che-plugin-registry#378 and eclipse-che/che-theia#626.
Note that the PR in che-docs that clarifies the assumptions about the secure servers is still open: eclipse-che/che-docs#1075
Based on discussion today, current status is:
This issue is "closed" and has label "in progress". So I'm reopening it.
#16053 is implemented so this is now complete IMHO.
Is your task related to a problem? Please describe.
Under some conditions, there is a possibility to reach the port of one workspace from another workspace. To improve the isolation of the major Eclipse Che components we would like to.
Describe the solution you'd like
Describe alternatives you've considered
n/a
Additional context
n/a