Charmed Kubeflow is a Juju bundle consisting of several charms integrated using Juju relations. See Kubeflow bundle for more details.
Below is an overview of all cryptographic processes handled by the charms integrated in the Kubeflow bundle.
The charms within the Kubeflow bundle that are not mentioned in this guide do not involve any cryptography in their logic.
admission-webhook
This charm is responsible for applying Kubeflow PodDefaults to newly created pods, and thus creates a MutatingWebhookConfiguration object for registering a webhook.
The charm code generates a self-signed X.509 certificate, so that the Kubernetes API server can confirm the workload container identity.
dex-auth
This charm is an operator for Dex, which provides authentication to Charmed Kubeflow. If the Dex builtin connector is used, the user password in the static_password
field is hashed with the bcrypt
library before being stored in the Dex configuration.
Additionally, the stored charm state is salted with bcrypt
to prevent reverse engineering.
istio-pilot
Charmed Kubeflow uses the Istio service mesh to enable end-to-end authentication and access control. The workload container of istio-pilot
is responsible for distributing an X.509 certificate using sha25withRSAEncryption
to every sidecar container in the following path: /var/run/secrets/istio/root-cerm.pem
.
When a workload container, i.e., the client, sends a request to another workload container, i.e., the server:
- Istio reroutes the outbound traffic to the client’s sidecar.
- The client’s sidecar starts an mTLS handshake with the server’s sidecar.
- The two sidecars establish an mTLS connection, and Istio forwards the traffic from the client to the server.
- The server sidecar authorises the request, and forwards the traffic to the backend service through local TCP connections.
The minimum required version of TLS is TLSv1_2
.
See Istio Mutual TLS authentication for more details.
Additionally, the charm uses the cert-handler library to generate an X.509 certificate for the Istio Gateway
object.
katib-controller
This charm creates a MutatingWebhookConfiguration
object that calls a webhook whenever a new Kubeflow experiment is created or updated.
Similar to the other charms that create MutatingWebhookConfiguration
objects, katib-controller
generates a self-signed X.509 certificate so that the Kubernetes API server can confirm the workload container identity.
kfp-persistence
This charm creates a service account token that is used to verify requests to the Kubeflow Pipelines service.
kserve-controller
This charm creates a MutatingWebhookConfiguration
object that calls a webhook whenever a new KServe InferenceService is created or updated.
Similar to the other charms that create MutatingWebhookConfiguration
objects, this charm generates a self-signed X.509 certificate so that the Kubernetes API server can confirm the workload container identity.
minio
This charm is an operator for MinIO, which provides S3 object storage. It uses a field in the object-storage
interface named secret-key
. Its value is created from a randomly generated 30-character string.
Additionally, the charm adds a randomly generated salt to its configuration before it is hashed with SHA-256, to prevent reverse engineering the secret-key
field.
oidc-gatekeeper
This charm uses the client-name
and client-secret
configuration options for the OpenID Connect client. Similarly to minio
, the value of secret-key
is created from a randomly generated 30-character string.
pvc-viewer
This charm creates a MutatingWebhookConfiguration
object that calls a webhook whenever a new PVCViewer is created or updated.
Similar to the other charms that create MutatingWebhookConfiguration
objects, this charm generates a self-signed X.509 certificate so that the Kubernetes API server can confirm the workload container identity.
Charm libraries
Some charms used in the Kubeflow bundle make use of the Grafana, Loki, and Prometheus libraries. These libraries are developed for the Canonical Observability Stack (COS). See COS-Lite cryptographic documentation for more details.
Last updated a month ago.