Allow kubernetes executor to specify bearer token for worker pods
Description
The kubernetes executor should take an actual bearer token from the project secret variables and use it to run the kubernetes API calls for the job worker pods.
Proposal
Currently, it is possible to pass the KUBERNETES_NAMESPACE_OVERWRITE and KUBERNETES_SERVICE_ACCOUNT_OVERWRITE variables to run workers in different namespaces with different service accounts. This is inadequate in an environment where namespace isolation is required. If the author of a project simply knows or can infer the service account name, they are able to create pods in whatever namespace is allowed by namespace_overwrite_allowed. This is not secure.
If, however, that author knew the bearer token/service account token of the service account within the namespace he wanted to deploy to, he would be able to deploy there. No users without knowledge of the token could create pods in the specified namespace.
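
A small model of the difference described above, added here as an illustration; it is not GitLab Runner code. The allowed pattern, the token table and the BEARER_TOKEN variable name are assumptions made for the example.

```python
import hmac
import re

# Constructed sample values; none come from a real runner or cluster.
NAMESPACE_OVERWRITE_ALLOWED = r"^team-.*$"   # assumed namespace_overwrite_allowed value
SA_TOKENS = {                                # (namespace, service account) -> token
    ("team-a", "deployer"): "tok-a-constructed",
    ("team-b", "deployer"): "tok-b-constructed",
}


def current_model(job_vars):
    """Name-based check: the overwrite is accepted when the requested
    namespace matches the allowed pattern. No secret is involved."""
    ns = job_vars.get("KUBERNETES_NAMESPACE_OVERWRITE", "")
    return re.search(NAMESPACE_OVERWRITE_ALLOWED, ns) is not None


def proposed_model(job_vars):
    """Token-based check: the job must also present the bearer token of the
    service account in the target namespace (BEARER_TOKEN is hypothetical)."""
    if not current_model(job_vars):
        return False
    key = (job_vars["KUBERNETES_NAMESPACE_OVERWRITE"],
           job_vars.get("KUBERNETES_SERVICE_ACCOUNT_OVERWRITE", ""))
    expected = SA_TOKENS.get(key)
    presented = job_vars.get("BEARER_TOKEN", "")
    # Constant-time comparison; an unknown account never matches.
    return expected is not None and hmac.compare_digest(expected, presented)


# Project A owns team-a and stores its token as a secret variable.
OWNER_JOB = {"KUBERNETES_NAMESPACE_OVERWRITE": "team-a",
             "KUBERNETES_SERVICE_ACCOUNT_OVERWRITE": "deployer",
             "BEARER_TOKEN": "tok-a-constructed"}
# Project B only knows the names; the one token it holds belongs to team-b.
OTHER_JOB = {"KUBERNETES_NAMESPACE_OVERWRITE": "team-a",
             "KUBERNETES_SERVICE_ACCOUNT_OVERWRITE": "deployer",
             "BEARER_TOKEN": "tok-b-constructed"}

if __name__ == "__main__":
    for name, job in (("owner", OWNER_JOB), ("other", OTHER_JOB)):
        print(name, "current:", current_model(job), "proposed:", proposed_model(job))
```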