Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use encrypted/authenticated connections between controller <-> sidecar #96

Open
nixpanic opened this issue Jan 20, 2022 · 1 comment
Open
Labels
enhancement New feature or request

Comments

@nixpanic
Copy link
Collaborator

nixpanic commented Jan 20, 2022

The certificates.k8s.io API or some Kubernetes native certificate manager should be used for the connections between the controller and sidecar. The sidecar should have the ability to verify that the incoming connection is from a valid controller.

The controller should probably use a client certificate, and the sidecar should check verify that the owner has permissions to connect.

@nixpanic nixpanic added the enhancement New feature or request label Jan 20, 2022
nixpanic pushed a commit to nixpanic/kubernetes-csi-addons that referenced this issue Jan 12, 2024
Syncing latest changes from main for kubernetes-csi-addons
@nixpanic
Copy link
Collaborator Author

nixpanic commented Apr 5, 2024

https://github.com/brancz/kube-rbac-proxy/blob/master/examples/non-resource-url/README.md can probably be used. The CSI-Addons controller can have a ServiceAccount with RBAC that contains a rule to connect to the gRPC server running on the CSI-Addons sidecar.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

1 participant