Authenticate users, define and authenticate user roles (e.g. DAQ shifter, detector expert), and propagate access authorisation to CCM subsystems.

Authorisation:
==============

Using Role-based access control (RBAC) makes defining roles and associating different access levels with different roles fairly easy. We already have examples of RBAC applied to service accounts in the cvmfs manifests.

Roles can be confined to specific namespaces or to the whole cluster, and can be assigned to users or groups.

Several predefined Roles may be useful, e.g. "admin" may be assigned to the detector expert, "edit" to the DAQ shifter.

A custom Role for the DAQ expert may allow exec (running a command in a running pod), whereas others may only be allowed to create/delete pods:

  rules:
  - apiGroups: ['']
    resources: ['pods', 'pods/exec']
    verbs: ['get', 'list', 'create', 'delete']

Authentication:
===============

Many options.

X509 certificate:
  Fairly easy to create certificates. They end up stored in the kubeconfig file for use with kubectl.
  Maybe less attractive for browser-based access.

Authenticating proxy:
  Maybe better suited for a web interface. The API server trusts headers identifying the user/group identity.

Other options involve Bearer Tokens:

  OpenID Connect tokens:
    Allows use of OAuth2 providers that support OpenID Connect discovery, such as Apple, Google and MS. Only allows one specified provider. The new CERN auth system supports OIDC; does FNAL use OIDC?

  Webhook Token Authenticator:
    Sends the token to another server for verification.

  Client-go credential plugins:
    Intended for LDAP, Kerberos etc. Not sure what plugins exist. Looks like it uses the Webhook Token Authenticator mechanism.

None of the authentication options involve uid/gid info.

Propagation of auth info:
=========================

Do not see any way that a Pod/Container can access the authentication info.
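As an added example (not part of these notes), the custom-Role idea from the Authorisation section written out in full: a hypothetical "daq" namespace with a shifter Role that deliberately omits the pods/exec subresource, an expert Role that includes it, and RoleBindings to assumed group names (daq-shifters, daq-experts) that the chosen authenticator would have to supply.

```yaml
# Added example, not from the original notes. Namespace and group names are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: daq-shifter
  namespace: daq
rules:
  # Shifters may manage pods but not open a shell in them: 'pods/exec' is a
  # separate subresource, and granting 'pods' alone does not grant it.
  - apiGroups: ['']
    resources: ['pods']
    verbs: ['get', 'list', 'create', 'delete']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: daq-expert
  namespace: daq
rules:
  # 'create' on pods/exec is what kubectl exec needs.
  - apiGroups: ['']
    resources: ['pods', 'pods/exec']
    verbs: ['get', 'list', 'create', 'delete']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: daq-shifters
  namespace: daq
subjects:
  - kind: Group
    name: daq-shifters          # assumed group name from the authenticator
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: daq-shifter
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: daq-experts
  namespace: daq
subjects:
  - kind: Group
    name: daq-experts           # assumed group name from the authenticator
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: daq-expert
  apiGroup: rbac.authorization.k8s.io
```

After applying, the split can be checked without logging in as each user: `kubectl auth can-i create pods/exec -n daq --as alice --as-group daq-shifters` should answer "no", while the same query with `--as-group daq-experts` should answer "yes".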