Add support for group membership via the front-proxy

[ncdc]

For setups where an identity provider does not necessarily provide user groups that align with the workspace hierarchy in kcp, it would be nice to have a stop-gap solution to manage group membership in kcp itself.

The idea we'd like to explore is modifying the front proxy so it can read group membership data from somewhere with kcp itself, such as one or more configmaps. When a user makes a request to the front proxy, the proxy looks up group membership for the user and includes any groups found in the --requestheader-group-headers header on the request. See https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authenticating-proxy for more details.

[ncdc]

cc @s-urbaniak

[stevekuznetsov]

cc @csams

[csams]

I'm working on this in redhat-cps/front-proxy#3

[kcp-ci-bot]

Issues go stale after 90d of inactivity.
After a furter 30 days, they will turn rotten.
Mark the issue as fresh with /remove-lifecycle stale.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[kcp-ci-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

/lifecycle rotten

[kcp-ci-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

[kcp-ci-bot]

@kcp-ci-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.