I’ve deployed Jupyterhub on AWS EKS using a docker image pushed to AWS ECR and a jupyterhub_config.py file. Im using Kubespawner with a custom image for my user environments.
Hub version 5.2.1
Jupyterhub-singleuser/ lab version 4.0.2
Typically when deploying on Kuberenetes i know we should use Helm but that wasnt in option in this specific case.
The custom user environments is built off of the Scipy notebook. What I am looking to do is restrict users from being able to use an unrestricted bash which currently allows them to run commands like wget, curl, vi, etc.
I tried setting the PATH environment variable the just the directory for restricted bash but the pods would fail most likley due to needing various commands at Runtime in order to build the container on startup.
I also tried uninstalling these tools but a user can easily run apt-get in a terminal in order to install them again. What are the options when it comes to resticting users ability to run these commands?
Another question: Given the current setup and permission issues explained above, what configuration would be necessary so that a users pod cannot access other pods outsides of purely connecting the the Hub pod? Is this is option or useful?
Thanks in advance!
This is the docker file used for KubeSpawner with the Base image being the Scipy notebook
FROM $BASE_IMAGE
# Proxy authentication arguments
ARG HTTP_PROXY
ARG HTTPS_PROXY
# Configure env vars for proxy
ENV HTTP_PROXY=${HTTP_PROXY}
ENV HTTPS_PROXY=${HTTPS_PROXY}
ENV http_proxy=${HTTP_PROXY}
ENV https_proxy=${HTTPS_PROXY}
COPY .npmrc /root/.npmrc
RUN pip install --upgrade pip && \
pip install --upgrade jupyterlab && \
pip install notebook
#install extensions
RUN pip install jupyterlab-tabular-data-editor
RUN pip uninstall -y jupyterlab-git
# Install kernals and widgets
RUN conda install -y -c conda-forge nb_conda_kernels ipywidgets
# Create conda environments all users will have access to
RUN conda update -y -n base -c conda-forge conda
RUN conda create -y -n basic python ipykernel pandas oracledb openpyxl && \
conda create -y -n da-env python ipykernel pandas oracledb scipy statsmodels matplotlib seaborn dash plotly pvlib dash-ag-grid openpyxl
# install kernels and widgets for the conda environments
RUN conda install -y -c conda-forge nb_conda_kernels ipywidgets
# swith to root to disable extensions and use restricted bash
USER root
#Enable the extension but disble the extension manager
RUN jupyter labextension enable --py jupyterlab_tabular_data_editor && \
jupyter labextension disable --py jupyterlab_dash && \
jupyter labextension disable @plotly/dash-jupyterlab && \
jupyter labextension disable @jupyterlab/git && \
jupyter labextension disable @jupyterlab/extensionmanager-extension
# Use restricted bash for security
RUN sed -i 's|/bin/bash|/bin/rbash|' /etc/passwd
RUN mkdir -p /home/jovyan/rbin && \
cp /bin/ls /home/jovyan/rbin/
RUN fix-permissions /home/jovyan
# uninstall git
RUN apt-get remove -y git && apt-get autoremove -y
# uninstall wget, curl and VI
RUN apt-get remove -y wget && apt-get autoremove -y
RUN apt-get remove -y curl && apt-get autoremove -y
RUN apt-get remove -y vim && apt-get autoremove -y
USER jovyan
# Register conda environments as Jupyter kernels
# & rename the kernels to be more descriptive
RUN python -m ipykernel install --user --name base --display-name "Base Python Env" && \
/opt/conda/envs/basic/bin/python -m ipykernel install --user --name basic --display-name "General Python" && \
/opt/conda/envs/da-env/bin/python -m ipykernel install --user --name da-env --display-name "Data Analysis"
# Remove the proxies to ensure proper communication with the JupyterHub
ENV HTTP_PROXY=""
ENV HTTPS_PROXY=""
ENV http_proxy=""
ENV https_proxy=""
# Set Environment paths
# We start with /home/jovyan/.conda/envs because it is the default path
# for conda env created by a user in a jupyterLab. Their Envs will
# persist across sessions
ENV CONDA_ENVS_PATH "/home/jovyan/.conda/envs:/opt/conda/envs"
ENV PATH="/home/jovyan/rbin:$PATH"
ENV SHELL=/bin/rbash
RUN echo "c.ServerApp.terminals_enabled = False" >> /etc/jupyter/jupyter_server_config.py
EXPOSE 8888
WORKDIR /home/jovyan