pulumi / pulumi-kubernetes-operator

A Kubernetes Operator that automates the deployment of Pulumi Stacks
Apache License 2.0

Implement an authorization layer for operator-to-workspace communication #609

Open EronWright opened 2 months ago

EronWright commented 2 months ago

It is important to protect the RPC endpoint from unauthorized use. For authentication, one option is to use the operator's service account token (a projected volume) as a bearer token. For authorization, one could use the Kubernetes API server (SubjectAccessReview). Together, these would be an effective alternative to using a shared secret and developing a custom authorization layer.

To implement the above, either:

  1. place the kube-rbac-proxy in front of the RPC server (as a sidecar container) in gRPC mode
  2. implement Kubernetes authn/authz directly in the RPC server as an interceptor

The latter option is a more coupled solution but is less complex at runtime. Option (1) also has the complication of needing another image and worrying about whether it is compatible with the restricted security profile.

Question: is TLS needed on the gRPC endpoint to support token-based authentication?

cleverguy25 commented 2 months ago

Added to epic https://github.com/pulumi/pulumi-kubernetes-operator/issues/586

EronWright commented 1 month ago

A reference for developing gRPC security plugins: https://github.com/grpc-ecosystem/go-grpc-middleware?tab=readme-ov-file
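
Option 2 from the issue description, sketched as an added example (not code from the issue or from the operator): the check an interceptor would run on the value of each call's `authorization` metadata, first a TokenReview bound to an audience, then a SubjectAccessReview. `Authorizer`, its fields, the audience string and the resource attributes are assumptions, and the two review APIs are called over plain HTTP requests here rather than through client-go.

```go
package main

import (
	"encoding/json"
	"net/http"
	"slices"
	"strings"
)

// Authorizer is hypothetical; Client must carry the RPC server's own credentials.
type Authorizer struct {
	APIServer, Audience string
	Client              *http.Client
}

// status is the part of a TokenReview or SubjectAccessReview status read here.
type status struct {
	Authenticated, Allowed bool
	Audiences              []string
	User                   struct{ Username string; Groups []string }
}

// post creates a review object; any failure yields the zero status, which denies.
func (a *Authorizer) post(group, kind string, spec map[string]any) status {
	var r struct{ Status status }
	body, _ := json.Marshal(map[string]any{"apiVersion": group + "/v1", "kind": kind, "spec": spec})
	url := a.APIServer + "/apis/" + group + "/v1/" + strings.ToLower(kind) + "s"
	if resp, err := a.Client.Post(url, "application/json", strings.NewReader(string(body))); err == nil {
		defer resp.Body.Close()
		if resp.StatusCode == http.StatusCreated && json.NewDecoder(resp.Body).Decode(&r) == nil {
			return r.Status
		}
	}
	return status{}
}

// Authorize runs a TokenReview, then a SubjectAccessReview for attrs (resourceAttributes).
func (a *Authorizer) Authorize(header string, attrs map[string]any) (string, bool) {
	var tr status
	if token, ok := strings.CutPrefix(header, "Bearer "); ok && token != "" {
		tr = a.post("authentication.k8s.io", "TokenReview",
			map[string]any{"token": token, "audiences": []string{a.Audience}})
	}
	if !tr.Authenticated || !slices.Contains(tr.Audiences, a.Audience) {
		return "", false // unknown caller, or a token minted for another audience
	}
	sar := map[string]any{"user": tr.User.Username, "groups": tr.User.Groups, "resourceAttributes": attrs}
	return tr.User.Username, a.post("authorization.k8s.io", "SubjectAccessReview", sar).Allowed
}
```

An interceptor would map an empty username to gRPC `Unauthenticated` and a username with `false` to `PermissionDenied`.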