Proxy K8S app delegating authentication of requests from other pods


Kubernetes authentication establishes who is making a request to the API server (a user or a service account); authorization then decides whether that authenticated identity is permitted to perform the requested action (verb) on the requested cluster resource or object.

Since you give each Pod in the cluster its own service account with its own RBAC rules, you can use the SelfSubjectAccessReview API to inspect a request arriving at your proxy and determine whether the calling Pod's service account is allowed to perform a given action in the target Pod's namespace.

This is what the kubectl auth can-i subcommand does: with --as you name the user or service account to impersonate, and the answer is given for that identity.

I assume that you should also be able to query the k8s authorization API group directly over HTTP and then parse the structured JSON/YAML response, as in the example below:

A regular kubectl auth can-i command to check whether the default service account can get Pods in the default namespace:

kubectl auth can-i get pod --as system:serviceaccount:default:default

The equivalent HTTP call to the k8s REST API, posting a JSON body and authenticating with a Bearer token:

# -k disables TLS certificate verification; outside a lab, pass the cluster CA with --cacert instead.
curl -k \
    -X POST \
    -d @- \
    -H "Authorization: Bearer $MY_TOKEN" \
    -H 'Accept: application/json' \
    -H "Impersonate-User: system:serviceaccount:default:default" \
    -H 'Content-Type: application/json' \
    https://<API-Server>/apis/authorization.k8s.io/v1/selfsubjectaccessreviews <<'EOF'
{
  "kind": "SelfSubjectAccessReview",
  "apiVersion": "authorization.k8s.io/v1",
  "spec": {"resourceAttributes": {"namespace": "default", "verb": "get", "resource": "pods"}}
}
EOF

Output:

.... "status": { "allowed": true, "reason": "RBAC: allowed by RoleBinding ....
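As an added example that is not part of the original answer, the following Python builds the same SelfSubjectAccessReview request as the curl call above, sets the Impersonate-User header for the calling Pod's service account, and turns the returned status into a decision. It also shows the SubjectAccessReview variant from the same API group, which names the subject in spec.user instead of impersonating it, so the proxy's own service account needs permission to create subjectaccessreviews rather than the impersonate verb on users (or serviceaccounts). The API-server URL, the token placeholder, the kube-system:proxy service account, the pod-reader names and the JSON reply are constructed for the demonstration; the HTTP transport is injectable so the example runs offline.

```python
"""Programmatic equivalent of the kubectl/curl checks above. Builds a
SelfSubjectAccessReview (or SubjectAccessReview), posts it to the
authorization.k8s.io/v1 API and turns .status into a decision.
Standard library only; the transport is injectable for offline use."""
import json
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

AUTHZ_BASE = "/apis/authorization.k8s.io/v1"
Transport = Callable[[str, dict, bytes], bytes]  # (url, headers, body) -> response body


def service_account_user(namespace: str, name: str) -> str:
    """Username the API server assigns to a service account token."""
    return f"system:serviceaccount:{namespace}:{name}"


def resource_attributes(namespace: str, verb: str, resource: str,
                        subresource: Optional[str] = None, name: Optional[str] = None) -> dict:
    """spec.resourceAttributes; name/subresource narrow the check to one object."""
    attrs = {"namespace": namespace, "verb": verb, "resource": resource}
    if subresource:
        attrs["subresource"] = subresource
    if name:
        attrs["name"] = name
    return attrs


def build_self_review(attrs: dict) -> dict:
    """SelfSubjectAccessReview asks about the *calling* identity, so the caller
    must impersonate the service account via the Impersonate-User header."""
    return {"kind": "SelfSubjectAccessReview", "apiVersion": "authorization.k8s.io/v1",
            "spec": {"resourceAttributes": attrs}}


def build_subject_review(attrs: dict, user: str, groups=()) -> dict:
    """SubjectAccessReview names the subject in spec.user instead; the caller
    needs 'create' on subjectaccessreviews but no impersonation rights."""
    spec = {"resourceAttributes": attrs, "user": user}
    if groups:
        spec["groups"] = list(groups)
    return {"kind": "SubjectAccessReview", "apiVersion": "authorization.k8s.io/v1", "spec": spec}


def request_headers(token: str, impersonate: Optional[str] = None) -> dict:
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json",
               "Accept": "application/json"}
    if impersonate:
        headers["Impersonate-User"] = impersonate
    return headers


@dataclass(frozen=True)
class Decision:
    allowed: bool
    denied: bool
    reason: str
    evaluation_error: str

    @property
    def permitted(self) -> bool:
        # allowed=false/denied=false means no authorizer had an opinion, which the
        # API server treats as a deny; only an explicit allow lets a request through.
        return self.allowed and not self.denied


def parse_review(raw: bytes) -> Decision:
    """Read .status of the review object the API server echoes back."""
    status = json.loads(raw).get("status", {})
    return Decision(allowed=bool(status.get("allowed", False)), denied=bool(status.get("denied", False)),
                    reason=status.get("reason", ""), evaluation_error=status.get("evaluationError", ""))


def urllib_transport(ca_bundle: Optional[str] = None) -> Transport:
    """Real transport. Unlike 'curl -k', TLS verification stays on: pass the cluster
    CA bundle (in-pod: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)

    def send(url: str, headers: dict, body: bytes) -> bytes:
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.read()
    return send


def recording_transport(reply: bytes):
    """Offline stand-in for urllib_transport: records the request, returns `reply`."""
    seen: dict = {}

    def send(url: str, headers: dict, body: bytes) -> bytes:
        seen.update(url=url, headers=headers, body=json.loads(body))
        return reply
    return send, seen


def can_i(api_server: str, token: str, sa_namespace: str, sa_name: str, attrs: dict,
          send: Transport, use_impersonation: bool = True) -> Decision:
    """Ask whether service account sa_namespace/sa_name may perform `attrs`."""
    user = service_account_user(sa_namespace, sa_name)
    if use_impersonation:   # mirrors: kubectl auth can-i ... --as <user>
        path, body, headers = "/selfsubjectaccessreviews", build_self_review(attrs), request_headers(token, user)
    else:                   # alternative: SubjectAccessReview carrying spec.user
        path, body, headers = "/subjectaccessreviews", build_subject_review(attrs, user), request_headers(token)
    raw = send(api_server.rstrip("/") + AUTHZ_BASE + path, headers, json.dumps(body).encode())
    return parse_review(raw)


# Constructed API-server reply modelled on the truncated output above (not real cluster output).
FAKE_ALLOW = json.dumps({"kind": "SelfSubjectAccessReview", "apiVersion": "authorization.k8s.io/v1",
    "status": {"allowed": True, "reason": 'RBAC: allowed by RoleBinding "pod-reader/default" of Role '
                                          '"pod-reader" to ServiceAccount "default/default"'}}).encode()

if __name__ == "__main__":
    send, seen = recording_transport(FAKE_ALLOW)  # in a cluster: urllib_transport("/path/to/ca.crt")
    decision = can_i("https://api-server.example:6443", "MY_TOKEN", "default", "default",
                     resource_attributes("default", "get", "pods"), send)
    print(seen["headers"]["Impersonate-User"], decision.permitted, decision.reason)
```

In a real proxy, `send` would be `urllib_transport(...)` with the cluster CA, the token would be the proxy's own mounted service account token, and the calling Pod's identity would come from the token the API server returns for its request (for instance via a TokenReview), not from a header the client sets itself.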