🐋Implement k8s authorization

[gikaragia]

Fixes #616

Summary

Similarly with the old cluster agent, we now check that the pods making a request have the proper rights.

Changes

• Adds a new struct, the authorizer which is responsible for communicating with the k8s to confirm the requests are authorized.

Testing instructions

• Observe first that everything is still working
• Go to kubetail.yaml and remove the watch or list verb from the kubetail-cli cluster role:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubetail-cli
  labels:
    app.kubernetes.io/name: kubetail
    app.kubernetes.io/component: cli
rules:
  - apiGroups: [""]
    resources: [nodes]
-    verbs: [get, list, watch]
+   verbs: [get, watch]
  - apiGroups: ["", apps, batch]
    resources:
      - cronjobs
      - daemonsets
      - deployments
      - jobs
      - pods
      - replicasets
      - statefulsets
    verbs: [get, list, watch]
  - apiGroups: [""]
    resources: [pods/log]
-   verbs: [list, watch]
+  verbs: [ watch]

• Observe that now the dashboard is broken

Submitter checklist

• Add the correct emoji to the PR title
• Link the issue number, if any, to Fixes #
• Add summary and explain changes in the PR description
• Rebase branch to HEAD
• Squash changes into one signed, single commit ¹

Footnotes

1. See suggested commit format ↩

[gikaragia]

There are a couple of issues with this implementation.

• First, the ideal way to implement such functionality is with an interceptor (middleware). The problem is that tonic does not support async interceptors out of the box, and I would need to use a custom crate for this functionality. I chose not to use an interceptor.
• Secondly, the ideal way to stub the authorizer in the tests would be to use dependency injection. However, this made the types very complicated, so I think that using #[cfg] directives is preferable

[amorey]

Makes sense. When we switch over to treating the Cluster API as a "Kubernetes API extension" then authentication will work with impersonation headers rather than tokens so I think doing things quick-and-simple like this for now sounds good. When we have a better idea of how auth will work long-term we can revisit it.

[amorey]

🔒