Comments (6)
Interesting, mind sharing what scenario you have this for with system components? How are they impacted when scaling is not happening?
from keda.
We have a real scenario that requires this 'cross namespace search' feature.
As a platform service provider, we put managed components in one namespace and cx workloads in another.
Some features require extra backend services, like our metrics collector.
- When there are pods emitting metrics, we need a pod to collect and emit metrics.
- When no user pod enables the metrics flag, we don't need that pod.
Currently the watched resource, the ScaledObject and the target deployment must stay in the same namespace.
@SpiritZhou for the proposed options, I prefer option 2.
And should the 'workload' include more resources, not only pods? Like deployments, and even CRDs.
We discussed whether or not to limit the scope to the namespace, and just to share the reasons behind the limitation: we basically saw a potential attack vector for getting sensitive information about workloads running in other namespaces that you could not access with your own RBAC.
My concern related to extending the resources you can query, or the namespaces, is that this has to be authorized by cluster admins somehow, or a malicious attacker can use KEDA for getting information about resources which wouldn't be accessible to them.
I see the advantages of supporting this, but we should be aware of how to secure it too.
@JorTurFer Could you provide more details or some specific scenario regarding the security concern? One of the scenarios is that a ScaledObject in namespace A could use a label selector to retrieve the number of resources in namespace B through KEDA. We can explore potential solutions to address this issue.
I can start a DDoS attack, adding an attacker pod per victim pod. I can do brute force attacks for receiving information about the pods in the cluster; for example, I can get information about whether the cluster uses a specific service I know is vulnerable by querying its common labels, and then start an attack based on that specific vulnerability.
An example of this: let's say that cert-manager has a known vulnerability in version 1.12.0. I can use the fact that the cert-manager chart sets some specific labels to detect which version is deployed in the cluster, just by adding a selector like:
app.kubernetes.io/instance=cert-manager,helm.sh/chart=cert-manager-v1.12.0
This is a potential risk IMHO.
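The mitigation the thread converges on is that a cross-namespace selector query must be authorized by the tenant's own RBAC rather than ride on the operator's cluster-wide permissions. The following is an added example (not KEDA's code) of how such a gate can be built on the Kubernetes SubjectAccessReview API: before listing pods in the target namespace on behalf of a ScaledObject, the check asks the API server whether the ScaledObject's namespace service account could itself list those pods, and fails closed on anything other than an explicit allow. The service account name `keda-scaler`, the namespaces `tenant-a`/`tenant-b` and the API server responses are constructed for the demonstration; the HTTP POST to `/apis/authorization.k8s.io/v1/subjectaccessreviews` is replaced by an injected transport so the code runs offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal authorization.k8s.io/v1 SubjectAccessReview shapes (only the fields this check uses).
type ResourceAttributes struct {
	Namespace string `json:"namespace"`
	Verb      string `json:"verb"`
	Group     string `json:"group,omitempty"`
	Resource  string `json:"resource"`
}

type SARSpec struct {
	User               string             `json:"user"`
	Groups             []string           `json:"groups,omitempty"`
	ResourceAttributes ResourceAttributes `json:"resourceAttributes"`
}

type SARStatus struct {
	Allowed bool   `json:"allowed"`
	Denied  bool   `json:"denied,omitempty"`
	Reason  string `json:"reason,omitempty"`
}

type SubjectAccessReview struct {
	APIVersion string    `json:"apiVersion"`
	Kind       string    `json:"kind"`
	Spec       SARSpec   `json:"spec"`
	Status     SARStatus `json:"status"`
}

// ServiceAccountUser is the username the API server assigns to a service account token.
func ServiceAccountUser(namespace, name string) string {
	return fmt.Sprintf("system:serviceaccount:%s:%s", namespace, name)
}

// BuildCrossNamespaceSAR builds the review to POST before listing pods in targetNS on
// behalf of a ScaledObject in sourceNS. The subject is the tenant's own service account
// (a hypothetical name supplied by the caller), not the operator's identity, so the
// answer reflects the tenant's RBAC, which is the point the discussion raises.
func BuildCrossNamespaceSAR(sourceNS, serviceAccount, targetNS string) ([]byte, error) {
	sar := SubjectAccessReview{
		APIVersion: "authorization.k8s.io/v1",
		Kind:       "SubjectAccessReview",
		Spec: SARSpec{
			User: ServiceAccountUser(sourceNS, serviceAccount),
			// Groups the API server attaches to every service account token.
			Groups:             []string{"system:serviceaccounts", "system:serviceaccounts:" + sourceNS, "system:authenticated"},
			ResourceAttributes: ResourceAttributes{Namespace: targetNS, Verb: "list", Resource: "pods"},
		},
	}
	return json.Marshal(sar)
}

// DecideFromSARResponse is default-deny: only allowed=true without denied=true passes.
func DecideFromSARResponse(body []byte) (bool, string, error) {
	var sar SubjectAccessReview
	if err := json.Unmarshal(body, &sar); err != nil {
		return false, "", err
	}
	if sar.Status.Denied || !sar.Status.Allowed {
		reason := sar.Status.Reason
		if reason == "" {
			reason = "no RBAC rule grants list on pods in the target namespace"
		}
		return false, reason, nil
	}
	return true, sar.Status.Reason, nil
}

// CrossNamespaceAllowed gates a selector query. Same-namespace queries keep today's
// behaviour (no extra check); any other target must pass a SubjectAccessReview sent
// through the injected transport, and a missing or failing transport is an error the
// caller must treat as a denial.
func CrossNamespaceAllowed(sourceNS, serviceAccount, targetNS string, post func([]byte) ([]byte, error)) (bool, string, error) {
	if sourceNS == targetNS {
		return true, "same namespace", nil
	}
	if post == nil {
		return false, "", errors.New("no authorization transport configured")
	}
	req, err := BuildCrossNamespaceSAR(sourceNS, serviceAccount, targetNS)
	if err != nil {
		return false, "", err
	}
	resp, err := post(req)
	if err != nil {
		return false, "", err
	}
	return DecideFromSARResponse(resp)
}

func main() {
	// Constructed API server answers standing in for a real POST.
	allow := func([]byte) ([]byte, error) { return []byte(`{"status":{"allowed":true,"reason":"RBAC: allowed by RoleBinding \"pod-reader\""}}`), nil }
	deny := func([]byte) ([]byte, error) { return []byte(`{"status":{"allowed":false}}`), nil }
	for _, post := range []func([]byte) ([]byte, error){allow, deny} {
		ok, reason, err := CrossNamespaceAllowed("tenant-a", "keda-scaler", "tenant-b", post)
		fmt.Printf("tenant-a -> tenant-b: allowed=%v reason=%q err=%v\n", ok, reason, err)
	}
}
```

With this shape, the version-probing selector from the comment above only returns a count if the tenant already holds `list` on pods in the probed namespace, so KEDA no longer widens what a namespace-scoped identity can learn about the cluster; a cluster admin grants that access explicitly with a RoleBinding in the target namespace.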