Investigate alternative authentication mechanisms

[Danil-Grigorev]

There are ways to reduce number of resources provisioned by agent for authentication in a Rancher cluster, by employing different authentication methods.

Investigate possible approaches.

Initial set:

• Agent can issue a CSR request, which will be approved by Rancher to approve agent authentication, with a short spec.expirationSeconds value to allow revoking access.
• Agent can connect via a single set of SA, RoleBinding and Role, using certificate and a token.

[Danil-Grigorev]

Upon investigation of the system-agent functionality, the initial approach required larger set of changes.

Number of required resources to allow access and execution of the system-agent plans in Rancher can be decreased to 2 per cluster machine.

• 1 ServiceAccount per cluster
• 1 Role per cluster (namespaced)
• 1 RoleBinding per cluster
• 2 Secrets per each cluster machine
  • 1 bootstrap Secret - connection info + kubeconfig
  • 1 system-agent Plan secret for the machine

Depending on the authentication model, this can be decreased further to 1 secret per machine. With usage of a TokenRequest, JWT expiration can be bound to the Plan secret lifecycle, allowing to remove bootstrap secret after node bootstrap completion.

Original: 25 resources for cluster with 5 machines Current: 10 resources for cluster with 5 machines TokenRequest based: 5 resources (plan secrets) for cluster with 5 machines.

Further improvements are possible only with changes to sytem-agent.