Toolforge Kubernetes uses x509 certificates as its main authentication mechanism. But as of today, it cannot revoke such certs or check a CRL, as documented in various places upstream and on the internet:
- https://kubernetes.io/docs/concepts/security/hardening-guide/authentication-mechanisms/#x509-client-certificate-authentication
- https://github.com/kubernetes/kubernetes/issues/18982
- https://www.tremolosecurity.com/post/kubernetes-dont-use-certificates-for-authentication
We should keep this in mind when dealing with stuff like T363983: [toolforge] Investigate authentication.
Some options we could explore to mitigate the consequences of this limitation include:
- issue x509 certs with a very short lifetime, like 1 day -- this will put some additional pressure on maintain-kubeusers
- maybe we can instrument a poor-man's CRL-like mechanism via custom admission controllers, or Kyverno -- this is unknown as of today
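To make the two options above concrete, here is an added example (not maintain-kubeusers or any other Toolforge code) written against the Go standard library, the same x509 implementation the apiserver uses. It mints a constructed example CA, issues a client cert with the 1-day lifetime floated above for a constructed tool account `tool-example` in group `toolforge`, and then runs the check the apiserver performs (chain plus validity period) next to the one it never performs (a serial-number denylist standing in for a CRL). The CA name, tool name, serial number and `Denylist` type are all assumptions made up for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ClientCertLifetime is the 1-day lifetime floated in the task. Because the
// apiserver never checks revocation, this window is the effective revocation
// latency for a leaked client key.
const ClientCertLifetime = 24 * time.Hour

// Denylist of certificate serial numbers: a constructed stand-in for the
// CRL-like check that the apiserver itself does not perform.
type Denylist map[string]bool

// mintCA creates a self-signed CA for the example (constructed, not a Toolforge CA).
func mintCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-toolforge-ca"},
		NotBefore:             now,
		NotAfter:              now.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// mintClientCert issues a short-lived client certificate. Kubernetes derives
// the username from CN and the groups from O, so those fields carry the identity.
func mintClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64,
	user string, groups []string, now time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user, Organization: groups},
		NotBefore:    now,
		NotAfter:     now.Add(ClientCertLifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkClientCert runs the chain and validity-period check the apiserver does,
// then the serial denylist check it does not. `at` is the evaluation time.
func checkClientCert(cert, ca *x509.Certificate, revoked Denylist, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return err
	}
	if revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("certificate serial %s is on the denylist", cert.SerialNumber)
	}
	return nil
}

// RunScenario evaluates a fresh 1-day cert one hour after issue, one day and one
// hour after issue, and with its serial denylisted while still inside its lifetime.
func RunScenario() (freshOK, expiredRejected, revokedRejected bool, err error) {
	now := time.Now()
	ca, caKey, err := mintCA(now)
	if err != nil {
		return
	}
	cert, err := mintClientCert(ca, caKey, 4242, "tool-example", []string{"toolforge"}, now)
	if err != nil {
		return
	}
	none := Denylist{}
	freshOK = checkClientCert(cert, ca, none, now.Add(time.Hour)) == nil
	// Past NotAfter the cert is useless even if its key leaked: this is the only
	// "revocation" the apiserver enforces on its own.
	expiredRejected = checkClientCert(cert, ca, none, now.Add(ClientCertLifetime+time.Hour)) != nil
	// Inside its lifetime but denylisted by serial: only the extra check catches it.
	revokedRejected = checkClientCert(cert, ca, Denylist{"4242": true}, now.Add(time.Hour)) != nil
	return
}

func main() {
	fresh, expired, revoked, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("fresh accepted: %v, expired rejected: %v, denylisted rejected: %v\n",
		fresh, expired, revoked)
}
```

Two caveats follow from running this. First, the short lifetime only caps the exposure window; within that day the apiserver accepts the cert no matter what, which is why the example's denylist branch is the part that would have to live somewhere else. Second, an admission controller or Kyverno policy runs after authentication and receives the mapped `userInfo` (username and groups derived from CN and O), not the certificate, so any CRL-like mechanism placed there would have to key off the tool's username rather than the serial number used in this illustration.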