kubernetes-csi-addons
Use encrypted/authenticated connections between controller <-> sidecar
The certificates.k8s.io API or some Kubernetes native certificate manager should be used for the connections between the controller and sidecar. The sidecar should have the ability to verify that the incoming connection is from a valid controller.
The controller should probably use a client certificate, and the sidecar should verify that the owner has permissions to connect.
https://github.com/brancz/kube-rbac-proxy/blob/master/examples/non-resource-url/README.md can probably be used. The CSI-Addons controller can have a ServiceAccount with RBAC that contains a rule to connect to the gRPC server running on the CSI-Addons sidecar.
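An added illustration of the sidecar-side check requested above, not code from the kubernetes-csi-addons project: a Go `crypto/tls` configuration that requires a CA-verified client certificate and then authorizes the caller's identity. The ServiceAccount-style CommonName, the use of the CommonName as the identity, and all function names are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// ControllerCN is an assumed (hypothetical) identity for the controller's client certificate.
const ControllerCN = "system:serviceaccount:csi-addons-system:csi-addons-controller"

// SidecarTLSConfig makes the sidecar demand a client certificate that chains
// to clientCAs, then authorizes the verified identity on every connection.
func SidecarTLSConfig(server tls.Certificate, clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{server},
		ClientCAs:    clientCAs,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		VerifyConnection: func(cs tls.ConnectionState) error {
			return AuthorizeController(cs, ControllerCN)
		},
	}
}

// AuthorizeController runs after chain verification: a certificate from the
// trusted CA is not enough, the subject must also be the expected controller.
func AuthorizeController(cs tls.ConnectionState, allowed string) error {
	if len(cs.VerifiedChains) == 0 || len(cs.VerifiedChains[0]) == 0 {
		return errors.New("no verified client certificate")
	}
	if cn := cs.VerifiedChains[0][0].Subject.CommonName; cn != allowed {
		return fmt.Errorf("client %q may not call the sidecar", cn)
	}
	return nil
}

// ConstructedState fakes a handshake whose client cert already verified (constructed input).
func ConstructedState(cn string) tls.ConnectionState {
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
	return tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{leaf}}}
}

func main() {
	cfg := SidecarTLSConfig(tls.Certificate{}, x509.NewCertPool())
	for _, cn := range []string{ControllerCN, "system:serviceaccount:default:other"} {
		fmt.Printf("%s -> %v\n", cn, cfg.VerifyConnection(ConstructedState(cn)))
	}
}
```

With gRPC, a config like this would be passed to the server through `credentials.NewTLS`; the controller side presents its client certificate in its own `tls.Config`.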