Blair Drummond

Results 77 comments of Blair Drummond

@wg102 We already have the code for this done, do we have a PR for that? CC @HassanOuda, I believe the code is here https://github.com/StatCan/kubeflow/commit/01a17e6b4ac2520327d95eea6a414a234f11db5e#diff-7b12be43febc6e18259dd77c004315b4143d570234e0f15acf5f9d7b79c371b5 ![Screenshot from 2021-08-03 17-54-13](https://user-images.githubusercontent.com/10801138/128091600-35cfb2ee-b234-4b3f-839c-686abedaec82.png)

You can accomplish this by mounting an image pull secret and setting DOCKER_CONFIG to the folder containing its config.json file. Note that I rename the secret data here so that...

I think Kyverno covers this use-case somewhat https://kyverno.io/policies/other/resolve_image_to_digest/resolve-image-to-digest/

Plain postgres auth will probably be ok (instead of spiffe)! We might want the controller to create postgres secrets and possibly rotate those secrets on occasion (fixed interval).

a) KF 1.3 will not be affected, @cboin1996 is independent of that
b) Yeah this is in-part to do unclassified & protected-b
c) Yes, Gitlab will be removed
d) @sylus...

@brendangadd @chritter I am realizing this shared postgres + namespaced deployment setup would enable MLFlow very, very quickly. You could basically copy-paste the deployment for MLFlow.

CoreDNS might be able to save the day. If you map gitlab.k8s.cloud.statcan.ca to the internal service url, then forward the traffic to the upstream service, I think you'll have the...

This might be of interest, too https://github.com/GoogleCloudPlatform/gke-fqdnnetworkpolicies-golang

Just some loose thoughts:

| DNS (and matching certificate) | Internet reachable | Gateway | Scope | Example Service |
|:-----|:----|:-----|:-----|:-----|
| *.aaw.cloud.statcan.ca | Yes | public gateway | accessible...

@brendangadd @Collinbrown95 Chapter 9 in this book explains why we have this trafficPolicy: local business. Might be worth a skim https://www.tigera.io/lp/kubernetes-security-and-observability-ebook/