Harden the istio 1.16 configuration #2357
Merged
This was referenced Jan 18, 2023
Thanks! /lgtm
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout, kimwnasptd

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
jsitu777 added a commit to awslabs/kubeflow-manifests that referenced this pull request on Feb 23, 2023:

…ated Istio Service Spec Type: ClusterIP (#570)

**Description of your changes:**
- Newer version of kubeflow upstream uses istio 1-16 which updates its service spec type from NodePort to ClusterIP for security purposes (kubeflow/manifests#2357)
- Default target-type was set to `instance` for ingress resource which requires service type to be nodeport. To deal with this issue, a target-type annotation was added to set it to be `ip` instead (https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/guide/ingress/annotations/#target-type)

**Testing:**
- [ ] Unit tests pass
- [x] e2e tests pass
kevin85421 pushed a commit to juliusvonkohout/manifests that referenced this pull request on Feb 28, 2023:

* Update service.yaml
* Update kustomization.yaml
* Create disable-debugging.yaml
* Update service.yaml
jsitu777 added a commit to awslabs/kubeflow-manifests that referenced this pull request on Mar 21, 2023:

**Description of your changes:**
There are occasional times when installing dex we see the following error message:
```
The Service "dex" is invalid: spec.ports[0].nodePort: Invalid value: 32000: provided port is already allocated
```
It indicates that there is already a service using port 32000 on the same node trying to create the "dex" service. Dex service was modified to be exposed as ClusterIP instead of NodePort in the new release KF v1.7.0 along with Istio for security upgrade (kubeflow/manifests#2357). This is a mirror patch from the above PR to change Dex service from NodePort to ClusterIP to solve the error message seen.

**Testing:**
- [ ] Unit tests pass
- [x] e2e tests pass
- Details about new tests (If this PR adds a new feature)
- Details about any manual tests performed

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
styoung89 added a commit to Hyperfine/kubeflow-manifests that referenced this pull request on Jun 15, 2023:

* Update website links to v1.6.1 (awslabs#487)
  Update website links to v1.6.1
* Update git clone command (awslabs#488)
  Update git clone command
* Katib S3-only Helm Path cherrypick (awslabs#507)
  Cherry pick the helm path installation config fix for s3-only deployment.
  Co-authored-by: Pei Ran Li <prli@users.noreply.github.com>
* Cherry-pick Kserve with IRSA and Notebook culling Doc (awslabs#512)
* Cherry-pick Kserve with IRSA and Notebook culling Doc into v1.6.1 release
* Cherrypick: Add permission configuration steps to SageMaker KFP docs (awslabs#506) (awslabs#528)
  **Which issue is resolved by this Pull Request:** Resolves #
  **Description of your changes:**
  - Adds required permission steps for using Sagemaker v1/v2 integration with KFP
  **Testing:**
  - [ ] Unit tests pass
  - [ ] e2e tests pass
  - Details about new tests (If this PR adds a new feature)
  - Details about any manual tests performed
  By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
* New blog/workshop update - 1.6 (awslabs#533)
  By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
* docsearch backport 1.6 (awslabs#534)
  docsearch first integration
  By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
* 1.6
* helm provider
* blueprints
* fix oidc
* Cherry-Pick terraform bug fixes (awslabs#590)
  **Which issue is resolved by this Pull Request:**
  **Description of your changes:**
  Update RDS version awslabs#584
  Update AWS blueprints - gpu bug awslabs#516
  **Testing:**
  Cognito-rds-s3 passed `6 passed, 13 warnings in 4594.63s (1:16:34)`
  rds-s3 passed `7 passed, 49 warnings in 4490.15s (1:14:50)`
  - [ ] Unit tests pass
  - [x] e2e tests pass
  By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
  ---------
  Co-authored-by: Shadab Hussain <shadab.entrepreneur@outlook.com>
  Co-authored-by: Gerhard Häring <gh@ghaering.de>
* Updating website to reflect latest version (awslabs#596)
  **Which issue is resolved by this Pull Request:** Resolves #
  **Description of your changes:**
  **Testing:**
  - [ ] Unit tests pass
  - [ ] e2e tests pass
  - Details about new tests (If this PR adds a new feature)
  - Details about any manual tests performed
  By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
  ---------
  Co-authored-by: Ubuntu <ubuntu@ip-172-31-58-39.us-west-2.compute.internal>
* Cherry pick sagemaker fix and move of kfp SM test (awslabs#619)
  **Which issue is resolved by this Pull Request:** Resolves #
  **Description of your changes:** Cherry pick sagemaker fix and move of kfp SM test
  **Testing:**
  - [ ] Unit tests pass
  - [ ] e2e tests pass
  - Details about new tests (If this PR adds a new feature)
  - Details about any manual tests performed
  By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
* fix secrets
* [Cherry pick] Change Dex Service from Nodeport to ClusterIP (awslabs#630)
  **Description of your changes:** There are occasional times when installing dex we see the following error message:
  ```
  The Service "dex" is invalid: spec.ports[0].nodePort: Invalid value: 32000: provided port is already allocated
  ```
  It indicates that there is already a service using port 32000 on the same node trying to create the "dex" service. Dex service was modified to be exposed as ClusterIP instead of NodePort in the new release KF v1.7.0 along with Istio for security upgrade (kubeflow/manifests#2357). This is a mirror patch from the above PR to change Dex service from NodePort to ClusterIP to solve the error message seen.
  **Testing:**
  - [ ] Unit tests pass
  - [x] e2e tests pass
  - Details about new tests (If this PR adds a new feature)
  - Details about any manual tests performed
  By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
* [Cherry-Pick] increase cert-manager wait time for kubeflow-issuer to be install (awslabs#632)
  Cherry pick this commit from main to temporarily solve:
  ```
  : Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": context deadline exceeded
  ```
* variables
* [Cherry Pick] Enable canary report generation (awslabs#634)
  - enable canary report generation after each canary run.
* Update blog content (awslabs#638)
  **Description of your changes:**
  - Remove Trainium (pending future release)
  - Update link to AWS Docs (was localhost)
  - Update ordered list numbering
  **Testing:**
  - Tested local Hugo build
  By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
  ---------
  Co-authored-by: Suraj Kota <surakota@amazon.com>
* add pipeline pd
* [Cherry-pick] Push Canary Success Rate to Cloudwatch Metric (awslabs#662)
  - cherry-pick pushing success_rate into cloudwatch metrics
* Release v1.6.1 aws b1.0.2 (awslabs#666)
  **Which issue is resolved by this Pull Request:** Resolves #
  **Description of your changes:** Note: As a result of the deprecation of k8s.gcr.io, images have moved to registry.k8s.io. This only affects csi-secrets-driver for those who have installed either RDS-S3/Cognito-RDS-S3. To update your pulled image source run the following kubectl commands
  ```
  kubectl set image daemonset/csi-secrets-store node-driver-registrar=registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.3.0 -n kube-system
  kubectl set image daemonset/csi-secrets-store secrets-store=registry.k8s.io/csi-secrets-store/driver:v1.0.0-rc.1 -n kube-system
  kubectl set image daemonset/csi-secrets-store liveness-probe=registry.k8s.io/sig-storage/livenessprobe:v2.4.0 -n kube-system
  ```
  **Testing:**
  - [ ] Unit tests pass
  - [ ] e2e tests pass
  - Details about new tests (If this PR adds a new feature)
  - Details about any manual tests performed
  By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
* update website to release-v1.6.1-aws-b1.0.2 (awslabs#667)
  **Which issue is resolved by this Pull Request:** Resolves #
  **Description of your changes:** Points toml and documentation to latest release version
  **Testing:**
  - [ ] Unit tests pass
  - [ ] e2e tests pass
  - Details about new tests (If this PR adds a new feature)
  - Details about any manual tests performed
  By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
* Update config.toml for v1.6.1 (awslabs#705)
  - change version from `latest` to `1.6`
* [Cherry pick] Kserve Indentation doc fix v1.6.1 (awslabs#721)
  - cherry-pick for this PR awslabs#719
  - Keep empty AWS credential strings
* fix evictions
* value needed for defaults
* Website changes for release branch (awslabs#758)
  **Which issue is resolved by this Pull Request:** Resolves #
  **Description of your changes:**
  - Same as title
  By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
* refactor

---------
Co-authored-by: Kartik Kalamadi <kalamadi@amazon.com>
Co-authored-by: jsitu777 <59303945+jsitu777@users.noreply.github.com>
Co-authored-by: Pei Ran Li <prli@users.noreply.github.com>
Co-authored-by: ryansteakley <37981995+ryansteakley@users.noreply.github.com>
Co-authored-by: Nadege PEPIN <5490706+npepin-hub@users.noreply.github.com>
Co-authored-by: ananth102 <abashyam@amazon.com>
Co-authored-by: Shadab Hussain <shadab.entrepreneur@outlook.com>
Co-authored-by: Gerhard Häring <gh@ghaering.de>
Co-authored-by: Ubuntu <ubuntu@ip-172-31-58-39.us-west-2.compute.internal>
Co-authored-by: Kevin Hoyt <parkerkrhoyt@gmail.com>
Co-authored-by: Suraj Kota <surakota@amazon.com>
The istio nodeport (loadbalancer) instead of a proper ClusterIP seems dangerous to me (https://oteemo.com/think-nodeport-kubernetes/), and I apply the official istio best practices: https://istio.io/latest/docs/ops/best-practices/security/#control-plane
Fixes #2285
@kimwnasptd
I had to create this from #2296 since the master branch switched to 1.16.
It definitely does not affect port 80, which serves the istio-ingressgateway and therefore centraldashboard. It was tested for several months on istio-cni. https://istio.io/latest/docs/ops/best-practices/security/#control-plane says: "Port 8080 exposes the debug interface, which offers read access to a variety of details about the clusters state. This can be disabled by set the environment variable ENABLE_DEBUG_ON_HTTP=false on Istiod. Warning: many istioctl commands depend on this interface and will not function if it is disabled."
Checklist:
- Make sure you have installed kustomize == 3.2.1
- `make generate-changed-only`
- `make test`
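The two hardening points of this PR, a ClusterIP Service instead of a NodePort/LoadBalancer one and `ENABLE_DEBUG_ON_HTTP=false` on istiod, are easy to verify against a running cluster. The following audit is an added example, not code from this PR or from kubeflow/manifests: it reads a Kubernetes `List` in the shape `kubectl get svc,deploy -A -o json` returns, reports NodePort/LoadBalancer Services and any istiod Deployment whose debug interface is still enabled, and shows a hardened copy of the same objects. `SAMPLE_LIST` is constructed (the `nodePort` 32000 for dex is the value quoted in the mirror commit above; the other numbers are made up), the istiod container name `discovery` is an assumption, and `harden()` illustrates the shape of the change rather than reproducing the PR's patch files.

```python
"""Audit Kubernetes objects for the two exposure issues addressed by this PR:
Services that allocate a port on every node (NodePort, and LoadBalancer, which
allocates node ports by default) and an istiod Deployment whose debug interface
is still enabled (ENABLE_DEBUG_ON_HTTP not set to "false")."""
import copy
import json

# Constructed sample in the shape of `kubectl get svc,deploy -A -o json`, trimmed
# to the fields the audit reads. Names mirror components named in the PR thread;
# the port numbers (other than dex's 32000) are made up for this example.
SAMPLE_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"kind": "Service",
         "metadata": {"name": "istio-ingressgateway", "namespace": "istio-system"},
         "spec": {"type": "NodePort",
                  "ports": [{"name": "http2", "port": 80, "nodePort": 31380}]}},
        {"kind": "Service",
         "metadata": {"name": "dex", "namespace": "auth"},
         "spec": {"type": "NodePort",
                  "ports": [{"name": "http", "port": 5556, "nodePort": 32000}]}},
        {"kind": "Service",
         "metadata": {"name": "centraldashboard", "namespace": "kubeflow"},
         "spec": {"type": "ClusterIP", "ports": [{"name": "http", "port": 80}]}},
        {"kind": "Deployment",
         "metadata": {"name": "istiod", "namespace": "istio-system"},
         "spec": {"template": {"spec": {"containers": [
             # "discovery" is the assumed istiod container name
             {"name": "discovery",
              "env": [{"name": "PILOT_TRACE_SAMPLING", "value": "1"}]}]}}}},
    ],
}

NODE_EXPOSED_TYPES = ("NodePort", "LoadBalancer")


def _ref(obj):
    """namespace/name of a Kubernetes object, for reporting."""
    meta = obj.get("metadata", {})
    return f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"


def nodeport_services(items):
    """Services reachable on every node's IP, sorted by namespace/name."""
    return sorted(_ref(o) for o in items
                  if o.get("kind") == "Service"
                  and o.get("spec", {}).get("type") in NODE_EXPOSED_TYPES)


def istiod_debug_enabled(items):
    """istiod Deployments that do not set ENABLE_DEBUG_ON_HTTP=false in any container."""
    found = []
    for o in items:
        if o.get("kind") != "Deployment" or o.get("metadata", {}).get("name") != "istiod":
            continue
        containers = o["spec"]["template"]["spec"]["containers"]
        env = {e["name"]: e.get("value") for c in containers for e in c.get("env", [])}
        if env.get("ENABLE_DEBUG_ON_HTTP") != "false":
            found.append(_ref(o))
    return found


def audit(kube_list):
    """Run both checks over a parsed `kubectl get ... -o json` List."""
    items = kube_list.get("items", [])
    return {"nodeport_services": nodeport_services(items),
            "istiod_debug_enabled": istiod_debug_enabled(items)}


def audit_json(text):
    """Convenience wrapper for piping kubectl output straight in."""
    return audit(json.loads(text))


def harden(kube_list):
    """Return a deep copy with the PR's two changes applied: node-exposed Services
    become ClusterIP (node ports dropped) and istiod gets ENABLE_DEBUG_ON_HTTP=false.
    Illustrative shape only; the original object is left untouched."""
    out = copy.deepcopy(kube_list)
    for o in out.get("items", []):
        if o.get("kind") == "Service" and o["spec"].get("type") in NODE_EXPOSED_TYPES:
            o["spec"]["type"] = "ClusterIP"
            for p in o["spec"].get("ports", []):
                p.pop("nodePort", None)  # ClusterIP Services carry no node port
        if o.get("kind") == "Deployment" and o.get("metadata", {}).get("name") == "istiod":
            for c in o["spec"]["template"]["spec"]["containers"]:
                env = c.setdefault("env", [])
                entry = next((e for e in env if e["name"] == "ENABLE_DEBUG_ON_HTTP"), None)
                if entry is None:
                    env.append({"name": "ENABLE_DEBUG_ON_HTTP", "value": "false"})
                else:
                    entry["value"] = "false"
    return out


if __name__ == "__main__":
    print("before:", json.dumps(audit(SAMPLE_LIST), indent=2))
    print("after: ", json.dumps(audit(harden(SAMPLE_LIST)), indent=2))
```

Two caveats the thread itself raises apply when acting on the findings: a ClusterIP istio-ingressgateway still needs an external path in front of it (the awslabs mirror switched their ALB ingress to `target-type: ip` for exactly that reason), and disabling the istiod debug interface breaks the `istioctl` commands that depend on it, so run the audit in the environment where you are prepared to lose them.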