☂️ [GEP-26] Workload Identity - Trust Based Authentication

[vpnachev]

How to categorize this issue?

/area security
/kind enhancement

This is an umbrella issue for implementing the changes proposed in GEP-26

Tasks

• Documentation

API Server

• API spec for WorkloadIdentity [GEP-26] Add WorkloadIdentity API #9780
• API spec for CredentialsBinding [GEP-26] Add CredentialsBinding API #9626
• API spec for TokenRequest [GEP-26] Add TokenRequest API and workloadidentities/token subresource  #9813
• Implement quotas and all other features of SecretBinding for CredentialsBinding.
• Allow shoots to use CredentialsBinding instead of SecretBinding
• Implement provider agnostic static validation of WorkloadIdentity [GEP-26] Add WorkloadIdentity API #9780
• Implement token issuer with verification of the provided context, if any
• Implement minimal, default, and maximal token duration configurations
• Write sub claim value into WorkloadIdentity status [GEP-26] Add WorkloadIdentity API #9780
• Deprecate SecretBinding in favor of CredentialsBinding
• Extend Shoot API to allow extensions to use workload identity
• Extend Seed API to use workload identity for credentials instead of secrets

Admission Controller

• Extend Seed Authorizer to allow gardenlets to request workload identity tokens only for WorkloadIdentity that they are responsible for

Gardenlet

• Update current reconciliation loops to create/update secrets with the workload identity annotations and metadata in the seed clusters
• Implement gardenlet controller that reconciles the workload identity secrets and maintain the token valid
• Support manual rotation of the workload identity token when the refering resource is annotated with gardener.cloud/operation=renew-workload-identity-token

Operator

• Genereta and rotate key pairs, advertise public keys before the respective pair is activated to sign tokens
• Adapt gardener-apiserver deployment

Extensions

• Validation disallowing usage of WorkloadIdentity when the extenstion provider has not implemented support yet.

AWS

• Enhance MCM to use credentials mounted as volume
• Validation of the WorkloadIdentity resource
• Infrastructure controller to write the token on unique filepath per
• Extension admission controller adjusts the secret with the token and metadata cluster

Azure

• Enhance MCM to use credentials mounted as volume
• Validation of the WorkloadIdentity resource
• Infrastructure controller to write the token on unique filepath per cluster
• Extension admission controller adjusts the secret with the token and metadata

GCP

• Enhance MCM to use credentials mounted as volume
• Validation of the WorkloadIdentity resource
• Infrastructure controller to write the token on unique filepath per cluster
• Extension admission controller adjusts the secret with the token and metadata

Alicloud

• Enhance MCM to use credentials mounted as volume
• Validation of the WorkloadIdentity resource
• Infrastructure controller to write the token on unique filepath per cluster
• Extension admission controller adjusts the secret with the token and metadata

Discovery Server

• Publish the public OIDC discovery documents via the GEP-24 discovery server

[vpnachev]

/assign @vpnachev

[vpnachev]

/kind epic