I'm starting this thread based on our conversations in Slack [1].
This is a sensitive aspect, at least 2 folds:
1. Container isolation. making sure action containers can't invoke other
containers directly, nor other system components directly (db, kafka, kube api,
mesos api). What are the best ways to achieve this ?
2. Protecting restricted data on transit: securing the data plane
communication via SSL from controller -> kafka -> invoker -> action container.
Do we want to build this into the project, or treat it optional and only
document it ? Either way, it would be great to brainstorm together on what are
the best approaches. WDYT ?
Let's share our thoughts here, and then create issues for the items that we
want to implement in OpenWhisk; if we want to treat some aspects optional, we
can at least open issues to document possible approaches ?
Thanks,
dragos
[1] - https://openwhisk-team.slack.com/archives/C3TPCAQG1/p150670440446