m/n/kubernetes: implement Metropolis authenticating proxy
This implements an authenticating proxy for K8s which can authenticate
Metropolis credentials and passes the extracted identity information
back to the Kubernetes API server. It currently only handles user
authentication, machine-to-machine authentication is still done by the
API server itself. It also adds a role binding to allow full access
to the owner as we do not have an identity system yet.
Change-Id: I02043924bb7ce7a1acdb826dad2d27a4c2008136
Reviewed-on: https://review.monogon.dev/c/monogon/+/509
Reviewed-by: Sergiusz Bazanski <serge@monogon.tech>
diff --git a/metropolis/node/ports.go b/metropolis/node/ports.go
index e7adfb7..c90e7dc 100644
--- a/metropolis/node/ports.go
+++ b/metropolis/node/ports.go
@@ -37,6 +37,9 @@
// KubernetesAPIPort is the TCP port on which the Kubernetes API is
// exposed.
KubernetesAPIPort Port = 6443
+ // KubernetesAPIWrappedPort is the TCP port on which the Metropolis
+ // authenticating proxy for the Kubernetes API is exposed.
+ KubernetesAPIWrappedPort Port = 6444
// DebuggerPort is the port on which the delve debugger runs (on debug
// builds only). Not to be confused with DebugServicePort.
DebuggerPort Port = 2345
@@ -54,6 +57,8 @@
return "wireguard"
case KubernetesAPIPort:
return "kubernetes-api"
+ case KubernetesAPIWrappedPort:
+ return "kubernetes-api-wrapped"
case DebuggerPort:
return "delve"
}