Identity-based authentication

[leoluk]

(originally reported by @lorenz in T762)

Concept:

• Workloads don't hold tokens or any other authentication themselves
• Access to resources is governed by the labels the asking pod has
• Trust is delegated to the platform entirely

Possible implementations:

• Socket passed into workloads where the application can send in nonces and get back a signed statement containing its workload labels to pass as authentication.
• IPv6 Flow Labels injected on the veth interface as security group carrier (would require OOB signalling)

Further security improvements:

• Add support for Kubernetes scheduler integration so that nodes cannot fake identities for workloads not scheduled onto them

[q3k]

Scope is TBD, that's the first part of @lorenz's work.

[lorenz]

Part 1: #266