TLS requirements
DataRobot strongly recommends securing all network traffic in your Kubernetes cluster using TLS. General cluster security best practices include:
- Configure TLS for the Kubernetes control plane.
- Install a CNI plugin (e.g., Cilium) or a Service Mesh (e.g., Istio) that provides TLS for all inter-pod traffic in the cluster.
Note
These cluster-level security measures are outside the scope of the DataRobot installation; they are the responsibility of your organization.
Issuers and certificates
For issuing and managing TLS certificates, DataRobot supports the following methods:
- (Recommended) Automated issuance and management using cert-manager.
- Manual management using a custom Certificate Authority (CA) issuer to sign TLS certificates.
There are several important reasons for using cert-manager, including:
- It is a Cloud Native Computing Foundation (CNCF) member project and the industry standard for managing TLS within Kubernetes clusters.
- It automatically issues, renews, and rotates TLS certificates within the cluster with zero downtime.
- It supports many third-party issuers from Public CAs, as well as configurable Private CA issuers.
- It is proven to securely automate certificate management at scale within DataRobot's multi-tenant and single-tenant SaaS environments.
- It provides open-source Helm charts that are easy to install, with vendor support from Jetstack.
- Long Term Support (LTS) releases, commercial support, and FIPS-validated builds are available from Venafi if your organization prefers vendor support.
cert-manager requires cluster-level RBAC admin permissions to create cluster-level resources such as Custom Resource Definitions (CRDs) and ClusterRoles/ClusterRoleBindings. However, the certificates themselves are namespace-scoped and are managed without cluster-level permissions.
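As an added example (not from the DataRobot documentation or its Helm charts), the manifests below show the two issuer kinds mentioned above as cert-manager resources: a cluster-wide ACME `ClusterIssuer` backed by a Public CA (Let's Encrypt) and a namespace-scoped `Issuer` backed by a Private CA whose key pair is stored in a Kubernetes Secret, followed by a `Certificate` that cert-manager issues, renews and rotates automatically. The namespace, resource names, hostname, Secret names, e-mail address and ingress class are assumptions; replace them with your own values.

```yaml
# Public CA issuer (ACME / Let's Encrypt). Cluster-scoped, so it needs the
# cluster-level RBAC that the cert-manager installation already requires.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt            # assumed name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: pki-admin@example.com          # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-account-key       # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx       # assumed ingress class
---
# Private CA issuer. Namespace-scoped: the CA key pair lives in a
# kubernetes.io/tls Secret (tls.crt / tls.key) in the same namespace.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: private-ca-issuer     # assumed name
  namespace: datarobot        # assumed namespace
spec:
  ca:
    secretName: private-ca-keypair        # assumed Secret holding the CA cert and key
---
# Leaf certificate signed by the Private CA. cert-manager writes the
# key and chain into spec.secretName and re-issues before expiry.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: datarobot-ingress-tls # assumed name
  namespace: datarobot
spec:
  secretName: datarobot-ingress-tls       # target kubernetes.io/tls Secret
  duration: 2160h                         # 90-day validity
  renewBefore: 360h                       # renew 15 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always                # new private key on every renewal
  dnsNames:
    - datarobot.example.com               # assumed hostname
  usages:
    - server auth
  issuerRef:
    name: private-ca-issuer
    kind: Issuer                          # use kind: ClusterIssuer with name: letsencrypt for the Public CA path
```

The `Issuer` and `Certificate` objects are namespace-scoped, which is what lets certificate management proceed without cluster-level permissions once cert-manager itself is installed. The CA Secret referenced by the Private CA issuer is the sensitive asset here: restrict who can read it with namespace RBAC, and keep the CA key offline or in an intermediate CA if your PKI allows it.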
If you prefer to manage certificates manually instead of installing cert-manager, see the following for details:
Trust bundles
For establishing trust via Certificate Authorities (CAs), DataRobot platform supports:
- Public CA (recommended)
- Private CA
- Self-signed certificates (not recommended, with limitations)
Public CAs such as Let's Encrypt and Verisign are supported as issuers in cert-manager and are typically contained within the operating system's root trust store.
If your organization has its own Public Key Infrastructure (PKI) or uses a Private CA for signing TLS certificates, you can configure a Custom CA bundle. This bundle, containing all Public and Private CA root certificates, is mounted over the system trust store for all workloads in the platform. For more information, see the following.
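To illustrate what "mounted over the system trust store" looks like in plain Kubernetes terms, the following is an added example and not the DataRobot platform's own mechanism or Helm values: a ConfigMap holding the combined PEM bundle and a Pod spec fragment that mounts that single file over the Debian/Ubuntu trust-store path. The ConfigMap name, namespace, container name and trust-store path are assumptions, and the certificate bodies are placeholders.

```yaml
# Combined bundle: every Public CA root the workloads need (normally the
# contents of the OS trust store) plus your Private CA root(s), in PEM form.
apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-ca-bundle      # assumed name
  namespace: datarobot        # assumed namespace
data:
  ca-certificates.crt: |
    -----BEGIN CERTIFICATE-----
    <PLACEHOLDER: base64 DER of a Public CA root certificate>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <PLACEHOLDER: base64 DER of your Private CA root certificate>
    -----END CERTIFICATE-----
---
# Pod spec fragment: the bundle file replaces the image's trust store.
# Mounting with subPath overlays exactly one file instead of the whole
# /etc/ssl/certs directory, so other files in that directory stay intact.
apiVersion: v1
kind: Pod
metadata:
  name: trust-bundle-example  # assumed name
  namespace: datarobot
spec:
  volumes:
    - name: ca-bundle
      configMap:
        name: custom-ca-bundle
  containers:
    - name: app               # assumed container name
      image: example.com/app:latest   # placeholder image
      volumeMounts:
        - name: ca-bundle
          mountPath: /etc/ssl/certs/ca-certificates.crt   # assumed trust-store path (Debian/Ubuntu layout)
          subPath: ca-certificates.crt
          readOnly: true
```

Two caveats a practitioner should check: a `subPath` mount is a snapshot, so pods must be restarted after the ConfigMap changes for a rotated or added root to take effect; and because the mounted file replaces the image's trust store rather than extending it, a bundle that omits the Public CA roots will break TLS to every public endpoint the workload talks to. Verify the bundle contents before rolling it out, for example by confirming that a known Public CA root and your Private CA root are both present in the PEM file.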
Self-signed certificates
Using self-signed certificates for services within the cluster is not supported.
For a subset of external services (e.g., an object storage provider or a private container registry) that have been configured with self-signed certificates, you can configure the DataRobot platform to use TLS with these services; however, you must disable TLS verification.
For more information, see self-signed certificates.