Lightning Talk: Secure Multi User HPC Jobs in Kubernetes with Kyverno

2022-05-17

Authors: Trey Dockendorf


Summary

The presentation discusses the use of Kubernetes for interactive HPC jobs and the implementation of Kyverno for secure multi-user access.
  • Ohio Supercomputer Center uses Open OnDemand and Kubernetes for virtual classrooms running RStudio Server and Jupyter
  • Challenges include shared file system access and ensuring user processes run with correct uid and gid
  • Design patterns include user pods in namespaces with user prefix and access control roles
  • Kyverno policies ensure uid and gid match user's LDAP record, restrict host path access, disallow privilege escalation, and enforce max resource requests and runtime

Abstract

Sites running traditional High Performance Computing workloads are more frequently also deploying Kubernetes for infrastructure. By leveraging the Kubernetes infrastructure, HPC centers can supplement their HPC batch environment with Kubernetes for some very specific use cases, such as interactive HPC jobs. This approach to securely using Kubernetes to support many users' interactive workloads has been presented and well received at HPC conferences such as Supercomputing 2021. The Ohio Supercomputer Center is currently using Open OnDemand and Kubernetes to securely support virtual classrooms that require running RStudio Server and Jupyter. Multi-user Kubernetes workloads can also benefit sites that are not traditional HPC but may want to allow staff a secure place to run containers themselves without necessarily involving the team that maintains Kubernetes.
