...
- UI / API for job submission... make this friendlier?
- DES has a nice interface for Celery job submission
- Why not use NFS instead of GLFS?
- DES uses PersistentVolumes backed by read-only NFS
- Allow for SMB mounts on a per-user basis to cover permissions?
- Use DaemonSet for pre-pulling images on all nodes
- Allow users to launch jobs directly from within containers? (e.g. HTCondor, Sparq, etc.)
- Auth + RBAC + Kubedash > our current UI... discuss this
- Gluster client / kubectl security... can users just install gluster client and mount anything they want?
- Look into volume security - our current GLFS is likely very insecure
- UID mapping - not running as root vs actual proper permissions
- Running as a "real user" does not necessarily address all security concerns
- Image security - how do we determine whether an image is trusted?
- docker history to see the layers involved in building the image?
- public data vs secret data... public data likely leads to lax security
- General security: protecting infrastructure vs protecting data
- How will these security protocols affect performance?
- The old "Anyone can access etcd from anywhere" problem
- Flannel vs Calico - supposedly Calico has better network isolation features
- Private registry doesn't seem to come with kubespray
- It would be nice to have a place to push private images
- OpenShift as a replacement for DES Labs?
- Swarm vs Kubernetes
- Kubernetes is a better "nanny" when it comes to watching services
- Minio allows users to pull directly from S3
- This would be more secure and likely less maintenance than an NFS-like approach
- How to manage/limit user kubectl access?
- Deploying for multi-tenancy is a pain