Task
Resolution: Done
For each Ray cluster created in the context of Distributed Workloads, a NetworkPolicy should be created that blocks all ingress traffic to that Ray cluster's head node HTTP / REST API / Dashboard endpoint, except:
- From Pods within the local Ray cluster namespace
- From the KubeRay controller deployed in the RHOAI application namespace
That should be done in the DW RayCluster controller.
Acceptance criteria:
- As a data scientist, I can create a Ray cluster with "zero-trust" security enabled by default, and:
  - Access the dashboard, after login, from the web browser
  - Connect to my cluster from within the notebook using the CodeFlare SDK and submit jobs
- As a data scientist, I can create a RayJob resource, and that RayJob runs successfully in the target Ray cluster
- As a platform admin, given I create a Pod in a different namespace than the previously created Ray cluster, and I exec into that Pod, I cannot access any of the Ray cluster endpoints (client, dashboard, GCS, metrics)
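The policy the task describes, written out as an added example (not the DW RayCluster controller's generated manifest). It assumes a cluster named `raycluster-sample` in namespace `ds-project`, that the KubeRay operator runs in namespace `redhat-ods-applications` with pod label `app.kubernetes.io/name: kuberay`, and the Ray default ports for GCS (6379), dashboard (8265), client (10001) and metrics (8080); the `ray.io/cluster` and `ray.io/node-type` labels are the ones KubeRay puts on head pods.

```yaml
# Added example: ingress policy for a Ray head pod.
# Assumed names: cluster "raycluster-sample", namespace "ds-project",
# KubeRay operator in "redhat-ods-applications" labelled app.kubernetes.io/name=kuberay.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: raycluster-sample-head
  namespace: ds-project
spec:
  # Select only the head pod of this cluster; worker pods are not affected.
  podSelector:
    matchLabels:
      ray.io/cluster: raycluster-sample
      ray.io/node-type: head
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Any pod in the policy's own namespace (empty podSelector = all pods here).
        - podSelector: {}
        # The KubeRay controller in the RHOAI application namespace.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: redhat-ods-applications
          podSelector:
            matchLabels:
              app.kubernetes.io/name: kuberay
      # Ray default ports: GCS, dashboard, client server, metrics.
      ports:
        - protocol: TCP
          port: 6379
        - protocol: TCP
          port: 8265
        - protocol: TCP
          port: 10001
        - protocol: TCP
          port: 8080
```

Two things to keep in mind when checking this against the acceptance criteria. First, a NetworkPolicy is allow-list only: once the head pod is selected, every ingress path not listed is dropped, so any other port the head must accept traffic on (for example the port an OpenShift route targets for the browser-based dashboard login) needs its own `from` rule, otherwise the "access the dashboard" criterion fails. Second, the platform-admin criterion can be verified directly: run a throwaway pod in another namespace and issue `curl -m 5 http://raycluster-sample-head-svc.ds-project:8265` (KubeRay names the head service `<cluster>-head-svc`); with the policy applied the request should time out, while the same command from a pod inside `ds-project` should return the dashboard page.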