m/n/kubernetes: implement Metropolis authenticating proxy
This implements an authenticating proxy for K8s which can authenticate
Metropolis credentials and passes the extracted identity information
back to the Kubernetes API server. It currently only handles user
authentication, machine-to-machine authentication is still done by the
API server itself. It also adds a role binding to allow full access
to the owner as we do not have an identity system yet.
Change-Id: I02043924bb7ce7a1acdb826dad2d27a4c2008136
Reviewed-on: https://review.monogon.dev/c/monogon/+/509
Reviewed-by: Sergiusz Bazanski <serge@monogon.tech>
diff --git a/metropolis/node/kubernetes/pki/kubernetes.go b/metropolis/node/kubernetes/pki/kubernetes.go
index 0c795f2..542c614 100644
--- a/metropolis/node/kubernetes/pki/kubernetes.go
+++ b/metropolis/node/kubernetes/pki/kubernetes.go
@@ -76,6 +76,9 @@
// https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/#ca-reusage-and-conflicts
AggregationCA KubeCertificateName = "aggregation-ca"
FrontProxyClient KubeCertificateName = "front-proxy-client"
+ // The Metropolis authentication proxy needs to be able to proxy requests
+ // and assert the established identity to the Kubernetes API server.
+ MetropolisAuthProxyClient KubeCertificateName = "metropolis-auth-proxy-client"
)
const (
@@ -149,6 +152,7 @@
Mode: opki.CertificateManaged,
}
make(AggregationCA, FrontProxyClient, opki.Client("front-proxy-client", nil))
+ make(AggregationCA, MetropolisAuthProxyClient, opki.Client("metropolis-auth-proxy-client", nil))
return &pki
}