Security & Authentication#
As a developer, you are responsible for securing access to any application using the NeMo ecosystem, including an authentication layer between users and your application and securing communication between services in your application.
Rate Limiting#
The NIM do not impose rate limits. If you want to restrict access to your application, it is your responsibility to implement a strategy.
Ports#
The NIM uses multiple ports, but only the HTTP API Port needs to be accessible outside of the cluster. The service port is set at start up based on the NIM_HTTP_API_PORT
environment variable (default: 8000).
Additional Security Reminders#
As a Developer, you must secure your own API endpoints. We suggest using a proxy as well as HTTPS/TLS 1.2.
Incident Response#
Secrets#
If you deploy a Text Embedding NIM component using Helm charts, you will need at least two secrets to set up in that namespace:
An image pull secret for NGC
An NGC API key secret
If your cluster requires additional image pull secrets for custom init containers, you’ll need those also.
Create the secrets according to your organization’s requirements and Kubernetes secrets best practices, but for POCs and to set up secrets quickly like you can use the following, where NAMESPACE is the name of your namespace:
kubectl \
--create secret -n NAMESPACE docker-registry ngc-secret \
--docker-server=nvcr.io --docker-username='$oauthtoken' \
--docker-password=$NGC_API_KEY
kubectl \
--create secret -n NAMESPACE generic ngc-api-secret \
--from-literal=NGC_API_KEY=$NGC_API_KEY
NeMo Retriever uses connection strings that may contain credentials. It is recommended to store this connection string in a secret management solution. For additional information, see NeMo Retriever documentation.
Logging#
Use the following command to view the service log messages using Docker.
docker logs <container-id> -f
Alternatively, use the following command to view the service log messages for a container deployed on Kubernetes.
kubectl logs -n <namespace> <pod-name> -f
Tip
Additional information on logging can be found in the Logging section.
See Docker security for information about securing your Docker container, including your log files.