Prevent Kubeflow Pipelines from pulling arbitrary images #51

Closed
ca-scribner opened this issue May 13, 2020 · 16 comments · Fixed by StatCan/aaw-kubeflow-manifests#17

@ca-scribner
Contributor

Currently this code run on our notebook servers successfully pulls an arbitrary image:

```python
import kfp
from kfp import dsl
from kfp.components import func_to_container_op

BASE_IMAGE = "scribby182/demo-kfp-pipeline-authoring:latest"

def concat_string(a, b) -> str:
    return f"({a} | {b})"

# Wrap the function as a component that runs in BASE_IMAGE
concat_string_component = func_to_container_op(concat_string,
                                               base_image=BASE_IMAGE
                                               )

@dsl.pipeline(
    name="Pipeline that pulls arbitrary image",
)
def pipeline(str1, str2, str3):
    concat_result_1 = concat_string_component(str1, str2)
    concat_result_2 = concat_string_component(concat_result_1.output, str3)

# experiment_name is assumed to be defined earlier in the notebook
kfp.Client().create_run_from_pipeline_func(
    pipeline,
    arguments={'str1': 'String 1', 'str2': 'String 2', 'str3': 'String 3'},
    experiment_name=experiment_name
)
```

Need to prevent this (ideally enforcing the same or similar whitelist as done with kubeflow in general?). @brendangadd, @blairdrummond knew the details of what we've done there better.

If possible, including `tensorflow/tensorflow:1.13.2-py3` in the whitelist would be helpful, as `func_to_container_op()` defaults to use that image if `base_image` is not specified.

@brendangadd
Contributor

@zachomedia: I remember reading your OPA whitelist for images. It would prevent this type of image pull from happening, and I thought it had a cluster-wide scope. Any insight into how these images can sneak into pipelines?

@zachomedia

@brendangadd There are two things going on about this:

  1. We have an issue where Azure's Kubernetes Service is randomly removing the Gatekeeper custom resource definitions - we have an open support ticket with them about this.
  2. The kubeflow namespace was accidentally whitelisted from enforcement. I'm working on clearing that from the whitelist and then the image restriction will be enforced.

@blairdrummond
Contributor

Is this still open?

@ca-scribner
Contributor Author

Yes. I just tried pulling from an arbitrary container and it still does it successfully.

@blairdrummond
Contributor

CC @justbert @zachomedia ?

@justbert

@ca-scribner You made a pod with an arbitrary container?

The policy is still there but the CRDs are gone again. @zachomedia is waiting on a ticket from Microsoft.

@justbert

@ca-scribner Fixed! I redeployed the ConstraintTemplates. Hopefully, Microsoft gets back to us with why they keep on killing them!

@justbert

Assigned to @zachomedia so that we can coordinate the lifecycle of this ticket with the Azure Support ticket.

@ca-scribner
Contributor Author

@justbert from your side does it still look fixed? I just tried again now and can still run arbitrary containers.

I also made sure this was a new container just in case it was using a cached version. Definitely pulled a new container from my dockerhub and ran fine.

@justbert

@ca-scribner Was the image scribby182/demo-kfp-pipeline-authoring:v2?

The infrastructure to deny this IS still in place.

@ca-scribner
Contributor Author

ca-scribner commented May 27, 2020 via email

@justbert

Ok, so it SAYS that it denied the image pull...

Whitelist is here

@justbert

justbert commented May 27, 2020

Looks like a control-plane label was added to the kubeflow namespace again. Removing it worked and got the Gatekeeper policy to be enforced once again.

Checking to see where it's being repopulated from.

Thanks @ca-scribner for testing!

@justbert

From @zachomedia
Issue is with kfctl continually re-adding the control-plane label to the namespace. Others are having similar issues to ours.

We may need to open up a discussion with the Kubeflow team to see if there could be a way to rectify this conflict.

@sylus
Member

sylus commented May 29, 2020

@justbert we going to use a manual patch to fix this? Then can get this one closed ^_^

@justbert

We could! Could we add a kustomize at the end of the CI to remove it?
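
Added example, not part of the thread or the project's own code: a check that a CI job could run to catch the failure found above, where a `control-plane` label on a namespace takes it out of Gatekeeper enforcement. The selector shape, the sample namespace list and the names `selector_matches` and `unenforced` are assumptions made for illustration.

```python
import json

# Constructed sample (assumed shape): the webhook skips any namespace that
# carries a "control-plane" label, whatever its value.
WEBHOOK_SELECTOR = {
    "matchExpressions": [{"key": "control-plane", "operator": "DoesNotExist"}]
}

# Constructed sample of `kubectl get namespaces -o json` output.
NAMESPACES_JSON = """
{"items": [
  {"metadata": {"name": "kubeflow", "labels": {"control-plane": "kubeflow"}}},
  {"metadata": {"name": "alice", "labels": {"team": "ds"}}},
  {"metadata": {"name": "default"}}
]}
"""

def selector_matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector against a namespace's labels."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        if op == "In":
            ok = labels.get(key) in values
        elif op == "NotIn":
            ok = labels.get(key) not in values
        elif op == "Exists":
            ok = key in labels
        elif op == "DoesNotExist":
            ok = key not in labels
        else:
            raise ValueError(f"unknown selector operator: {op}")
        if not ok:
            return False
    return True

def unenforced(namespaces_json, selector, must_enforce):
    """Names in must_enforce whose namespace the webhook would not see."""
    skipped = []
    for item in json.loads(namespaces_json)["items"]:
        meta = item["metadata"]
        if meta["name"] in must_enforce and not selector_matches(
                selector, meta.get("labels") or {}):
            skipped.append(meta["name"])
    return sorted(skipped)

if __name__ == "__main__":
    print(unenforced(NAMESPACES_JSON, WEBHOOK_SELECTOR, {"kubeflow", "alice"}))
```

Run against the live selector and namespace list, a non-empty result means an image allowlist is not being applied to a namespace that is expected to be covered.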
