Implement token auth for cp/dp connections #380

kate-osborn · 2023-01-17T21:56:48Z

Parent issue: #292

The data plane should authenticate with the control plane upon connection using a long-lived Kubernetes token. The control plane should verify the token using Kubernetes TokenReview API. For more information, see https://github.com/nginxinc/nginx-kubernetes-gateway/blob/main/design/control-data-plane-separation/design.md#authorization.

A/C:

The data plane agent attaches its long-lived Kubernetes Service Account Token to its connection request to the control plane
The control plane verifies that the agent's token is valid and corresponds to the expected Kubernetes Service account
If the token is not valid, the control plane does not register the agent and returns an error
If the token is valid, the control plane allows the agent to register

kate-osborn added the proposal label Jan 17, 2023

kate-osborn mentioned this issue Jan 17, 2023

Separate control and data planes #292

Closed

mpstefan added enhancement New feature or request and removed proposal labels Jun 9, 2023

mpstefan added the backlog Currently unprioritized work. May change with user feedback or as the product progresses. label Jul 20, 2023

kate-osborn closed this as completed Dec 15, 2023

Provide feedback