csi-addons / kubernetes-csi-addons

CSI-Addons implementation and APIs for Kubernetes
Apache License 2.0

Use encrypted/authenticated connections between controller <-> sidecar #96

Open nixpanic opened 2 years ago

nixpanic commented 2 years ago

The certificates.k8s.io API or some Kubernetes native certificate manager should be used for the connections between the controller and sidecar. The sidecar should have the ability to verify that the incoming connection is from a valid controller.

The controller should probably use a client certificate, and the sidecar should verify that the owner has permissions to connect.

nixpanic commented 5 months ago

https://github.com/brancz/kube-rbac-proxy/blob/master/examples/non-resource-url/README.md can probably be used. The CSI-Addons controller can have a ServiceAccount with RBAC that contains a rule to connect to the gRPC server running on the CSI-Addons sidecar.
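The client-certificate check proposed in the first comment could look like the following on the sidecar side. This is an added example, not part of the issue thread or the project's code. It assumes the controller's identity is carried in the certificate CommonName, and the allow-list value `csi-addons-controller.example` is a hypothetical placeholder.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// authorizeController returns a VerifyConnection callback. It runs after the
// TLS stack has validated the client chain against ClientCAs, and also on
// resumed sessions, and checks that the verified identity is on the allow-list.
func authorizeController(allowed map[string]bool) func(tls.ConnectionState) error {
	return func(cs tls.ConnectionState) error {
		if len(cs.VerifiedChains) == 0 || len(cs.VerifiedChains[0]) == 0 {
			return errors.New("no verified client certificate")
		}
		cn := cs.VerifiedChains[0][0].Subject.CommonName
		if !allowed[cn] {
			return fmt.Errorf("client %q is not an authorized controller", cn)
		}
		return nil
	}
}

// sidecarTLSConfig builds the server-side config for the sidecar's gRPC
// listener (it can be wrapped with credentials.NewTLS from grpc-go).
func sidecarTLSConfig(serverCert tls.Certificate, controllerCAs *x509.CertPool, allowed map[string]bool) *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		Certificates:     []tls.Certificate{serverCert},
		ClientCAs:        controllerCAs,                  // CA that signs controller certificates
		ClientAuth:       tls.RequireAndVerifyClientCert, // no valid client cert, no connection
		VerifyConnection: authorizeController(allowed),   // valid cert must also be an allowed identity
	}
}

func main() {
	// Constructed sample identities; both names are hypothetical.
	allowed := map[string]bool{"csi-addons-controller.example": true}
	leaf := &x509.Certificate{}
	leaf.Subject.CommonName = "some-other-client.example"
	cs := tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{leaf}}}
	fmt.Println(authorizeController(allowed)(cs))
	cfg := sidecarTLSConfig(tls.Certificate{}, x509.NewCertPool(), allowed)
	fmt.Println(cfg.ClientAuth == tls.RequireAndVerifyClientCert)
}
```

Chain validation alone only proves the certificate was issued by the trusted CA; the allow-list step is what restricts the sidecar to the controller rather than any holder of a certificate from that CA.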