Currently, nslcd sockets are mounted into Kubernetes containers in Toolforge in order to provide permissions for NFS and so forth. That mechanism won't work under sssd, and it is somewhat fragile anyway (see T166949).
Find a way to replace either the mechanism or the need for it in the new cluster we are building.
As was discovered in T224558, current Toolforge k8s nodes use LDAP, plus some restrictions enforced by admission controllers, to restrict k8s users to their actual LDAP accounts. That is not really possible with sssd, since the current setup relies on mounting the nslcd socket. Since the new cluster is going to be on Debian Buster, and we are trying not to use nscd/nslcd (and are using security contexts and PSPs instead of admission controllers), it may be possible to deliberately not use LDAP.
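A sketch of what "security contexts and PSPs instead of LDAP" could look like, added here as an illustration and not taken from the Toolforge configuration: a per-tool PodSecurityPolicy that pins pods to one numeric UID/GID and only allows the hostPath prefix holding the NFS mount, so the nslcd socket cannot be mounted at all. The policy name, the numeric ID 50000 and the /data/project prefix are constructed placeholders, and it assumes file permissions on the NFS mounts only need the numeric UID/GID.

```yaml
# Added example: all names, IDs and paths below are constructed placeholders.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: tool-example-psp            # hypothetical per-tool policy
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  hostNetwork: false
  hostPID: false
  hostIPC: false
  # Pin the pod to the tool's numeric identity; nothing inside the
  # container has to resolve a user name through LDAP/nslcd.
  runAsUser:
    rule: MustRunAs
    ranges:
      - min: 50000                  # placeholder UID of the tool account
        max: 50000
  runAsGroup:
    rule: MustRunAs
    ranges:
      - min: 50000                  # placeholder GID of the tool account
        max: 50000
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 50000
        max: 50000
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 50000
        max: 50000
  seLinux:
    rule: RunAsAny
  # Only these volume types are accepted; hostPath is limited to the
  # NFS-backed prefix below, so a socket directory on the node is rejected.
  volumes:
    - configMap
    - secret
    - emptyDir
    - projected
    - hostPath
  allowedHostPaths:
    - pathPrefix: /data/project     # assumed NFS mount point on the node
      readOnly: false
```

A policy like this only takes effect for a tool when RBAC grants that tool's account `use` on it and on no broader policy.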