The gcp-kubeflow-kserve stack recipe deploys the MLflow tracking server, which is exposed with an Nginx Ingress. The deployed tracking server is configured to use only basic authentication (username + password) but does so over plain HTTP without TLS encryption. This is dangerous (see here, here) since the credentials, which are sent with every request when using basic auth, are then not encrypted.
Hi @fg91! Thanks for raising a concern about the security of the MLflow tracking server. Right now, the setup is very basic, as you pointed out, but I'm open to hearing any suggestions you have to make it better.
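
One way to close the gap described in this issue is to terminate TLS at the Nginx Ingress that fronts the tracking server. The manifest below is an added example, not part of the thread or of the stack recipe. The resource names, namespace, host, Secret names and service port are hypothetical placeholders, and it assumes basic auth is enforced through ingress-nginx annotations.

```yaml
# Added example: every name, the host and the port are hypothetical placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mlflow-tracking                  # hypothetical
  namespace: mlflow                      # hypothetical
  annotations:
    # Basic auth at the ingress (assumption about where the recipe enforces it).
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: mlflow-basic-auth   # hypothetical htpasswd Secret
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
    # Redirect any request that arrives over plain HTTP to HTTPS.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  # Without this tls section the ingress serves the host over plain HTTP only,
  # and the Authorization header travels unencrypted on every request.
  tls:
    - hosts:
        - mlflow.example.com             # hypothetical host
      secretName: mlflow-tls             # hypothetical kubernetes.io/tls Secret (cert + key)
  rules:
    - host: mlflow.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: mlflow-tracking    # hypothetical Service
                port:
                  number: 5000           # hypothetical port
```

The redirect alone does not protect credentials: a client pointed at an `http://` URL sends its Authorization header before it receives the redirect, so clients also need `MLFLOW_TRACKING_URI` set to the `https://` address.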