Open nixpanic opened 2 years ago
https://github.com/brancz/kube-rbac-proxy/blob/master/examples/non-resource-url/README.md can probably be used. The CSI-Addons controller can have a ServiceAccount with RBAC that contains a rule to connect to the gRPC server running on the CSI-Addons sidecar.
The `certificates.k8s.io` API or some Kubernetes native certificate manager should be used for the connections between the controller and sidecar. The sidecar should have the ability to verify that the incoming connection is from a valid controller. The controller should probably use a client certificate, and the sidecar should verify that the owner has permissions to connect.