
Allow the user to disable/enable the admin kubeconfig #1186

Closed
petersutter opened this issue Mar 31, 2022 · 8 comments · Fixed by #1249
Labels
component/dashboard Gardener Dashboard kind/enhancement Enhancement, improvement, extension status/closed Issue is closed (either delivered or triaged)

Comments


petersutter commented Mar 31, 2022

What would you like to be added:
The static admin kubeconfig for shoot clusters can now be disabled by setting .spec.kubernetes.enableAdminKubeconfig=false in the specification of the Shoot resource. The respective <shoot-name>.kubeconfig secret in the project namespace in the garden cluster will be deleted.
There should be an option on the dashboard to do this for new and already existing clusters. Ref gardener/gardener#5649

UPDATE: the field has changed to .spec.kubernetes.enableStaticTokenKubeconfig

Why is this needed:
gardener/gardener#3138

@petersutter petersutter added kind/enhancement Enhancement, improvement, extension component/dashboard Gardener Dashboard labels Mar 31, 2022
@petersutter
Member Author

@rfranzke should we already disable the admin kubeconfig for new shoots as default?


vlerenc commented Apr 1, 2022

I didn't notice. @rfranzke Why do we call this enableAdminKubeconfig? Would staticTokenKubeconfig be more expressive / name what it really is / more clearly show the security benefit? Anyway, I guess this cannot be changed anymore.


rfranzke commented Apr 1, 2022

@petersutter Not yet, but you could display a hint/note or add a checkbox to the shoot details/create page so that end-users become aware of this.

@vlerenc I'm not sure whether we should encode implementation details into the API. "AdminKubeconfig" is general enough and fits all cases (there might be even old clusters which don't have such static token yet, and end-users are not even aware of what this is). It could still be changed, but I would vote for keeping the name.


vlerenc commented Apr 1, 2022

@rfranzke I am not pushing. However, I do not share this opinion.

Yes, some end users may not be aware, but that is no good reason. Would you drop PDBs, just because some end users don't know what they are or that they exist?

The reason we do all these things and why it's important to understand what it is this flag influences is to comply with security standards and to give end users the information how secure their clusters are. Most product standards mandate that --token-auth-file is not set, see e.g. point 1.2.2 CIS Kubernetes Benchmark: "Ensure that the --token-auth-file parameter is not set".

And didn't, back then, also GKE, when it still offered it, call it static token (and basic auth when that was still a thing) or am I misremembering? Maybe, anyway...

That you get cluster-admin access is not the relevant part here, but that it's basic auth or static token is what matters in the security context and why it's important to know, wouldn't you agree? As end user I wanted (back then) to disable basic auth (now it's not a thing anymore, but this too was a security obligation once) and disable static tokens (that's still a thing).

Calling it enableAdminKubeconfig isn't really telling the story and is actually also somewhat misleading (the cluster role cluster-admin that I think about when I read that is not touched and of course it will be possible to gain access having that role/binding that role).

So, I think it's 1.) a somewhat confusing misnomer and 2.) hides what is actually switched off here (static tokens cluster-admin access).
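
The two checks discussed in this thread (whether a Shoot still has the static-token admin kubeconfig enabled, and CIS Kubernetes Benchmark 1.2.2, that the API server is not started with --token-auth-file) are small enough to automate. The following is an added audit example, not code from the Gardener project or from any participant in this issue. It assumes that a Shoot whose spec carries neither the old enableAdminKubeconfig field nor the renamed enableStaticTokenKubeconfig field is treated as still enabled (the issue describes disabling the kubeconfig by explicitly setting the field to false), and it accepts both field names so it works across the rename. The Shoot list and the kube-apiserver argument vectors are constructed sample data, not real cluster output.

```python
"""Audit helper (added example, not Gardener project code).

Flags Gardener Shoot resources whose static-token admin kubeconfig is still
enabled, and checks a kube-apiserver command line against CIS Kubernetes
Benchmark 1.2.2 ("Ensure that the --token-auth-file parameter is not set").
"""
import json

# Both spellings of the field mentioned in this issue: the renamed field first,
# the original name second. Both live under .spec.kubernetes of a Shoot.
STATIC_TOKEN_FIELDS = ("enableStaticTokenKubeconfig", "enableAdminKubeconfig")


def static_token_kubeconfig_enabled(shoot: dict) -> bool:
    """Return True if the shoot still allows the static-token kubeconfig.

    Assumption: an absent field counts as enabled, because the issue describes
    disabling the kubeconfig by explicitly setting the field to false.
    """
    kube = shoot.get("spec", {}).get("kubernetes", {})
    for field in STATIC_TOKEN_FIELDS:
        if field in kube:
            return bool(kube[field])
    return True


def shoots_with_static_token(shoot_list: dict) -> list:
    """Return 'namespace/name' for every Shoot in a ShootList that still has it on."""
    findings = []
    for item in shoot_list.get("items", []):
        meta = item.get("metadata", {})
        if static_token_kubeconfig_enabled(item):
            findings.append(f"{meta.get('namespace')}/{meta.get('name')}")
    return findings


def token_auth_file_set(apiserver_args: list) -> bool:
    """CIS 1.2.2 check: True if kube-apiserver was started with --token-auth-file.

    Handles both the '--flag=value' and the separate '--flag value' spellings.
    """
    for arg in apiserver_args:
        if arg == "--token-auth-file" or arg.startswith("--token-auth-file="):
            return True
    return False


# Constructed sample, shaped like `kubectl get shoots -A -o json` reduced to the
# fields the check needs. Names and namespaces are made up for this example.
SAMPLE_SHOOT_LIST = json.loads("""
{
  "items": [
    {"metadata": {"namespace": "garden-dev", "name": "old-style"},
     "spec": {"kubernetes": {"enableAdminKubeconfig": true}}},
    {"metadata": {"namespace": "garden-dev", "name": "hardened"},
     "spec": {"kubernetes": {"enableStaticTokenKubeconfig": false}}},
    {"metadata": {"namespace": "garden-prod", "name": "unset"},
     "spec": {"kubernetes": {"version": "1.23.4"}}}
  ]
}
""")

# Constructed sample kube-apiserver argument vectors (not from a real cluster).
SAMPLE_ARGS_BAD = ["kube-apiserver", "--token-auth-file=/etc/tokens.csv", "--v=2"]
SAMPLE_ARGS_GOOD = ["kube-apiserver", "--authorization-mode=RBAC", "--v=2"]

if __name__ == "__main__":
    for name in shoots_with_static_token(SAMPLE_SHOOT_LIST):
        print(f"static-token kubeconfig still enabled: {name}")
    for args in (SAMPLE_ARGS_BAD, SAMPLE_ARGS_GOOD):
        verdict = "FAIL CIS 1.2.2" if token_auth_file_set(args) else "pass"
        print(args[1:], "->", verdict)
```

On a real garden cluster the Shoot list would come from `kubectl get shoots -A -o json`; the apiserver arguments would be read from the shoot's kube-apiserver deployment. Treating the absent field as enabled is deliberately the conservative choice for an audit: it surfaces clusters that were never explicitly hardened rather than silently passing them.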


rfranzke commented Apr 1, 2022

@ary1992 will rename the field to enableStaticTokenKubeconfig


vlerenc commented Apr 1, 2022

Thanks @rfranzke @ary1992, so it wasn't yet too late? I really didn't want to push. All good?


rfranzke commented Apr 1, 2022

The PR wasn't merged yet (and even if, it will only be released next week), so it was still in time. As you were the only one with a strong opinion regarding the naming, we simply changed it.


vlerenc commented Apr 1, 2022

Thanks.

@grolu grolu self-assigned this Jul 5, 2022
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Aug 16, 2022