[Feature] Authn and Authz support for KubeRay API server and CLI

Open daikeshi opened this issue 2 years ago • 1 comments

Search before asking

  • [X] I had searched in the issues and found no similar feature requirement.

Description

There's no Authn and Authz support for KubeRay in the current design. Internally, we use GCP IAM role and k8s RBAC to manage users' access to k8s namespaces on GKE. I'm curious what KubeRay's plan is regarding the Authn and Authz story.

In our case, we don't expect users to interact with the KubeRay API server directly. The API server will be used by our internal platform service and client, and they will handle the authn and authz.

On the other hand, users will be likely to use CLI to interact with Ray related resources. I wonder if KubeRay CLI could support k8s authn and authz, so they can only operate in their own namespaces.

Use case

When a user runs ./kuberay cluster create/get/list/delete -n foo, kuberay should only allow users to perform the operations based on the permissions they have been granted in namespace foo, which should be identical to when they use kubectl.

Related issues

No response

Are you willing to submit a PR?

  • [ ] Yes I am willing to submit a PR!

daikeshi avatar May 13 '22 23:05 daikeshi

Outline of an approach:

We can add an option to enable authorization in the API which defaults to false for backwards compatibility. kuberay can forward the K8s credentials, and the API can use K8s RBAC to determine if the request should be fulfilled?

@Jeffwan what's required for an RFC? Are there good examples of previous ones?

davidxia avatar Jun 14 '22 12:06 davidxia
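
A sketch of the approach outlined in the comment above, as an added example that is not KubeRay code or part of the original thread: the API forwards the caller's bearer token to Kubernetes in a SelfSubjectAccessReview and lets RBAC decide. The `Authorizer` type, its fields, the choice of SelfSubjectAccessReview as the check, and the mapping of every CLI operation to the `rayclusters` resource in group `ray.io` are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// Authorizer is an assumed name, not KubeRay's; Enabled is false by default.
type Authorizer struct {
	Enabled bool
	KubeAPI string       // base URL of the Kubernetes API server
	Client  *http.Client // must trust the cluster CA in real use
}

// Allowed forwards the caller's token in a SelfSubjectAccessReview; it fails closed.
func (a Authorizer) Allowed(token, verb, namespace string) (bool, error) {
	if !a.Enabled {
		return true, nil
	}
	if token == "" {
		return false, fmt.Errorf("no credentials forwarded")
	}
	attrs := map[string]string{"namespace": namespace, "verb": verb,
		"group": "ray.io", "resource": "rayclusters"}
	body, _ := json.Marshal(map[string]any{"apiVersion": "authorization.k8s.io/v1",
		"kind": "SelfSubjectAccessReview", "spec": map[string]any{"resourceAttributes": attrs}})
	url := a.KubeAPI + "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews"
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := a.Client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	var out struct{ Status struct{ Allowed bool } }
	if resp.StatusCode/100 != 2 || json.NewDecoder(resp.Body).Decode(&out) != nil {
		return false, fmt.Errorf("access review failed: %s", resp.Status)
	}
	return out.Status.Allowed, nil
}

func main() { // with the zero value, authorization is off and every call passes
	fmt.Println(Authorizer{}.Allowed("", "list", "foo"))
}
```

Because the review is evaluated under the caller's own identity, the answer matches what kubectl would permit for the same verb and namespace, and a rejected or missing token results in a denial rather than a fallback to the API server's service account.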