Charmed Kubeflow is a Juju bundle consisting of several charms integrated using Juju relations. See Kubeflow bundle for more details.
Below is an overview of all cryptographic processes handled by the charms integrated in the Kubeflow bundle.
The charms within the Kubeflow bundle that are not mentioned in this guide do not involve any cryptography in their logic.
admission-webhook
This charm is responsible for applying Kubeflow PodDefaults to newly created pods, and thus creates a MutatingWebhookConfiguration object for registering a webhook.
The charm code generates a self-signed X.509 certificate, so that the Kubernetes API server can confirm the workload container identity.
dex-auth
This charm is an operator for Dex, which provides authentication to Charmed Kubeflow. If the Dex built-in connector is used, the user password in the static_password field is hashed with the bcrypt library before being stored in the Dex configuration.
Additionally, the value kept in the charm's stored state is salted by bcrypt, so the stored hash cannot be reversed to recover the password.
istio-pilot
Charmed Kubeflow uses the Istio service mesh to enable end-to-end authentication and access control. The workload container of istio-pilot is responsible for distributing an X.509 certificate signed with sha256WithRSAEncryption to every sidecar container at the following path: /var/run/secrets/istio/root-cert.pem.
When a workload container, i.e., the client, sends a request to another workload container, i.e., the server:
- Istio reroutes the outbound traffic to the client’s sidecar.
- The client’s sidecar starts an mTLS handshake with the server’s sidecar.
- The two sidecars establish an mTLS connection, and Istio forwards the traffic from the client to the server.
- The server sidecar authorises the request, and forwards the traffic to the backend service through local TCP connections.
The minimum required version of TLS is TLSv1_2.
See Istio Mutual TLS authentication for more details.
Additionally, the charm uses the cert-handler library to generate an X.509 certificate for the Istio Gateway object.
katib-controller
This charm creates a MutatingWebhookConfiguration object that calls a webhook whenever a new Kubeflow experiment is created or updated.
Similar to the other charms that create MutatingWebhookConfiguration objects, katib-controller generates a self-signed X.509 certificate so that the Kubernetes API server can confirm the workload container identity.
kfp-persistence
This charm creates a service account token that is used to verify requests to the Kubeflow Pipelines service.
kserve-controller
This charm creates a MutatingWebhookConfiguration object that calls a webhook whenever a new KServe InferenceService is created or updated.
Similar to the other charms that create MutatingWebhookConfiguration objects, this charm generates a self-signed X.509 certificate so that the Kubernetes API server can confirm the workload container identity.
minio
This charm is an operator for MinIO, which provides S3 object storage. It uses a field in the object-storage interface named secret-key. Its value is created from a randomly generated 30-character string.
Additionally, the charm adds a randomly generated salt to its configuration before it is hashed with SHA-256, so that the secret-key value cannot be recovered from the stored hash.
oidc-gatekeeper
This charm uses the client-name and client-secret configuration options for the OpenID Connect client. Similarly to minio, the value of secret-key is created from a randomly generated 30-character string.
pvc-viewer
This charm creates a MutatingWebhookConfiguration object that calls a webhook whenever a new PVCViewer is created or updated.
Similar to the other charms that create MutatingWebhookConfiguration objects, this charm generates a self-signed X.509 certificate so that the Kubernetes API server can confirm the workload container identity.
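The following is an added example, not code from any of the charms on this page. It serves the admission-webhook, katib-controller, kserve-controller and pvc-viewer sections (a self-signed X.509 certificate for a webhook service, and the caBundle the Kubernetes API server uses to trust it) and the istio-pilot section (checking that a root certificate is signed with sha256WithRSAEncryption and building a client that refuses anything below TLS 1.2). The service name, namespace, validity period and SAN layout are assumptions, and it relies on the PyPI cryptography package.

```python
# Added example (not code from any Kubeflow charm): self-signed X.509 certificate
# generation for an admission webhook, plus the checks a reviewer would run on it.
# Service name, namespace, validity and SAN entries are assumptions.
import base64
import datetime
import ssl

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID, SignatureAlgorithmOID

# OID 1.2.840.113549.1.1.11 is sha256WithRSAEncryption.
SHA256_RSA_OID = "1.2.840.113549.1.1.11"


def generate_self_signed_cert(service: str, namespace: str, days_valid: int = 365):
    """Return (cert_pem, key_pem). Issuer equals subject, and the SAN lists the
    in-cluster DNS names the API server uses to reach the webhook Service."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    dns_name = f"{service}.{namespace}.svc"
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, dns_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))  # tolerate clock skew
        .not_valid_after(now + datetime.timedelta(days=days_valid))
        .add_extension(
            x509.SubjectAlternativeName(
                [x509.DNSName(dns_name), x509.DNSName(dns_name + ".cluster.local")]
            ),
            critical=False,
        )
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())  # RSA key + SHA-256 => sha256WithRSAEncryption
    )
    cert_pem = cert.public_bytes(serialization.Encoding.PEM)
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    return cert_pem, key_pem


def inspect_cert(cert_pem: bytes) -> dict:
    """Facts worth checking on a webhook certificate or a mesh root certificate."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {
        "signature_oid": cert.signature_algorithm_oid.dotted_string,
        "sha256_with_rsa": cert.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA256,
        "self_signed": cert.issuer == cert.subject,
        "dns_names": san.get_values_for_type(x509.DNSName),
    }


def verify_self_signature(cert_pem: bytes) -> bool:
    """Check the certificate's signature with the public key it carries, which is
    what trusting a self-signed caBundle amounts to."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


def webhook_ca_bundle(cert_pem: bytes) -> str:
    """The clientConfig.caBundle value of a MutatingWebhookConfiguration:
    base64 of the PEM certificate."""
    return base64.b64encode(cert_pem).decode("ascii")


def tls12_client_context(ca_pem: bytes) -> ssl.SSLContext:
    """Client context that trusts only ca_pem and refuses anything below TLS 1.2,
    matching the minimum version stated for the mesh."""
    ctx = ssl.create_default_context(cadata=ca_pem.decode("ascii"))
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    cert_pem, _ = generate_self_signed_cert("admission-webhook", "kubeflow")
    print(inspect_cert(cert_pem))
    print(webhook_ca_bundle(cert_pem)[:40] + "...")
```

The SAN matters in practice: the API server connects to the webhook as service.namespace.svc, and since Kubernetes validates server certificates against SAN rather than CN, a certificate carrying only a CN is rejected. Because the certificate is self-signed, rotating it means regenerating both the Secret the workload serves and the caBundle in the webhook configuration, in that order.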
Charm libraries
Some charms used in the Kubeflow bundle make use of the Grafana, Loki, and Prometheus libraries. These libraries are developed for the Canonical Observability Stack (COS). See COS-Lite cryptographic documentation for more details.