I want to setup a kubernetes cluster on an untrusted network. Therefore validating the node's serving certificate is not an option.
In the documentation it is written, that currently there is a replacement in development.
Does anyone know what this replacement will be and maybe where to contribute?
Kubernetes master-to-cluster communication doesn’t get as much attention as the opposite direction, yet many critical features (kubectl proxy, logs, exec, …) rely on it to function. In order to support secure communications from Kube API Server running on the control network to nodes running on a cluster network, SSH Tunnels were developed. This technology complicates the API Server in a manner which is neither extensible nor popular. The new proposed gRPC based proxy service abstracts this complexity away from the API Server, while providing a greater degree of extensibility. In this talk, we will see how SSH tunnels are implemented right now, what the new proxy service looks like, and how it opens the door to future extensions for use cases like auditing and multi-network support KAS Proxy Service
We (SIG API MACHINERY,SIG NETWORKING and SIG CLOUD PROVIDER) are adding a configurable, extensible proxy service for connections outbound from the K8s API Server.
Here is the GitHub repo apiserver-network-proxy
Here is the K8s Enhancement Proposal -Network-proxy