I faced the issue stated in this previous discussion.
I understood that the solution is to enable the feature in Control Panel to make Python UDFs work in Pipeline Builder; however, I have a few questions:
What are the potential risks of enabling this feature on the enrollment?
Is there any upside cost associated with enabling this feature?
What if I just want to allow Python UDFs but no other Docker images? How can I restrict Foundry to that only?
Hi there! Containerized workflows have some software / hardware requirements for your enrollment’s underlying stack. Additionally, there are some security considerations when allowing containerized workflows. For more information, please refer to our documentation on container governance.
^ I hope that helps to answer your question for the first two points. On the third, I don’t believe there is a way to restrict Foundry to only allowing Python UDFs but no other containerized workflows. As mentioned in the documentation, there are some controls for user-uploaded containers if you wanted to monitor and prevent this sort of workflow.
Enabling Python UDFs in Foundry Pipeline Builder does open up powerful capabilities but comes with trade-offs, such as increased demand on your infrastructure and potential security risks tied to containerized workflows.
If your concern is about restricting usage to Python UDFs only, consider implementing governance policies at the container registry level to monitor and block non-Python images while still allowing vetted Python workflows.
Upside costs are minimal unless you’re scaling infrastructure to meet new resource demands, but it’s a good idea to evaluate your stack for compatibility.
This answer is also speaking from other people’s experience; I personally haven’t faced it, but it seems typical across the board.