It is important to protect the RPC endpoint from unauthorized use. For authentication, one option is to use the operator's service account token (a projected volume) as a bearer token. For authorization, one could use the Kubernetes API server (SubjectAccessReview). This together would be an effective alternative to using a shared secret and developing a custom authorization layer.
implement kubernetes authn/authz directly in the RPC server as an interceptor
The latter option is a more coupled solution but is less complex at runtime. Option (1) also has the complication of needing another image and worrying about whether it is compatible with the restricted security profile.
Question: is TLS needed on the gRPC endpoint to support a token-based authentication?
It is important to protect the RPC endpoint from unauthorized use. For authentication, one option is to use the operator's service account token (a projected volume) as a bearer token. For authorization, one could use the Kubernetes API server (SubjectAccessReview). This together would be an effective alternative to using a shared secret and developing a custom authorization layer.
To implement the above, either:
The latter option is a more coupled solution but is less complex at runtime. Option (1) also has the complication of needing another image and worrying about whether it is compatible with the restricted security profile.
Question: is TLS needed on the gRPC endpoint to support a token-based authentication?