►
From YouTube: [SIG Auth] Bi-weekly Meeting for 20220216
Description
[SIG Auth] Bi-weekly Meeting for 20220216
A
B
D
C
All
right,
can
you
see
my
terminal
yep,
all
right
cool,
so
as
part
of
the
work
around
migrating
to
bound
service
account
tokens.
We
wanted
to
make
sure
that
we
had
a
good
user
experience,
and
so
we
spent
a
lot
of
time
in
past
releases
working
on
the
aspects
where
secret
or
tokens
are
mounted
into
running
pods,
and
so
that
that
went
pretty.
C
C
If
I
output
this
to
something
that
is
not
an
interactive
terminal,
it
actually
drops
the
new
line
as
well,
so
we
avoid
the
like
trailing.
New
line
gets
picked
up
and
passed
in
the
header
values
anyway,
but
because
this
is
a
standard,
cue
control
create
command.
We
can
also
output
the
api
response.
So
if
we
wanted
to
see
other
parts
of
the
api
response,
we
can
say
output
yaml
and
we
can
see
all
the
information
about
it
right.
We
can
see
what
our
request
was.
C
We
can
see
the
expiration
timestamp
that
the
server
set
on
the
token,
and
then
we
can
see
you
know
the
token
and
so
just
to
prove
that
this
is
actually
doing
a
thing.
I'm
going
to
capture
that
into
a
environment
variable
and
then
curl
the
server,
and
it
correctly
authenticates
me
this
service
account.
Doesn't
happen
to
be
authorized
to
do
anything,
but
it
is
authenticating
me
as
that
user,
so
authentication
is
working
a
couple.
Other
things
you
can
do.
The
create
command
supports
the
options
that
the
api
object
supports.
C
C
One
thing
that
I
added
to
the
server
while
I
was
doing
this
was
a
warning.
If
you
ask
for
an
expiration
longer
than
what
the
server
will
allow.
So
we've
always
said
the
request
is
advisory.
The
server
can
shorten
it
at
its
discretion,
but
now,
if
you
submit
a
request,
that
is
longer,
I
have
my
server
set
up
to
bound
it
to
just
under
this.
C
C
C
So
I've
created
my
secret
and
now,
when
I
create
my
token,
I'm
also
going
to
bind
it
to
the
secret
and
tell
it
the
name
of
the
secret
that
I
want
to
bind
to,
and
so
you
can
see
that
showed
up
in
the
spec.
So
the
server
recognized
that
and
then
what
that
looks
like
in
practice.
We
do
run
that
again,
but
capture
the
result.
C
C
That
token
no
longer
works,
that's
funny
there
we
go
that
token
no
longer
works.
I
think
that
was
our
10
second
token
cash,
I'm
pretty
sure
that
was
it,
and
so
what
that
lets
you
do
is
revoke.
Tokens
like
create
tokens
for
service
account,
associate
them
with
a
particular
secret
or
pod,
which
is
what
we
do
for
the
ones
injected
into
pods
and
then
control
the
lifetime
of
that
token.
Via
that
api
object
as
a
proxy,
there
was
actually
no
content
in
that
secret.
C
Oh
yeah,
one
last
thing
was
about
audiences,
so
we
really
want
to
encourage
people
to
start
using
audiences
when
they're
setting
up
tokens
for
use
against
things
that
aren't
the
cube
api
server,
and
so
that's
supported
here
as
well.
So
I
can
ask
for
a
token
for
a
particular
audience,
so
this
might
be
for
talking
to
vault
or
talking
to
some
other
endpoint,
and
if
I
capture
that
and
try
to
use
that
against
the
api
server,
the
api
server
says
like
I
don't
recognize
this
token.
This
does.
E
C
C
C
C
C
C
A
C
Not
necessarily
so
warnings
are
for
problems,
we
are
aware
of
that
are
actionable
by
the
caller,
and
so
we
return
warnings
for
apis
that
are
deprecated,
that
don't
have
a
replacement
that
aren't
intended
to
be
removed,
but
are
deprecated
so
we'll
say
so.
You
know
this
is
dedicated.
You
should
stop
using
it.
That's
the
action
you
should
take
in
this
case
we're
saying
warning:
you're
sending
us
a
bear
token
header,
that's
malformed,
we're
ignoring
it
fix
your
token
header.
C
We
so
the
bare
token
authenticator
says:
does
this
request
have
a
header
that
I
recognize
and
if
it
doesn't
have
bearer
space
token
with
no
spaces,
then
that
authenticator
says
I
have
no
opinion
about
this
request
ignore
it,
and
so
it
falls
through
to
the
anonymous
case.
It's
it's
as
if
you
submitted
a
request
that
said
authorization
blah
blah
blah
blah
blah
like
this.
Isn't
this
isn't
a
recognized
authorization
header,
so
it
ignores
it.
C
That
would
turn
requests
that
currently
fall
through
to
anonymous
and
depending
on
what
they
were
requesting,
maybe
were
allowed
like.
So
the
example
mo
gave
was
someone
has
a
load
balancer
that
they
thought
they
configured
with
a
token
and
it's
sending
it
with
this
weird
malformed
thing,
and
so
it's
falling
through
to
anonymous.
But
the
end
point
it's
hitting
is
health
z,
which
is
actually
allowed
to
be
requested
by
anonymous,
and
so
by.
C
E
C
C
And
useful,
like
the
main,
I
think
most
people
either
are
hitting
something
that
anonymous
can
hit,
and
so
they
don't
actually
care
if
they're,
authenticated
or
not
or
they're
super
confused
right
now
about
what
do
you
mean?
I
gave
you
a
token.
Why
am
I
getting
errors
about
anonymous
like
what
in
the
world's
going
on,
and
so
the
warning
will
help
that
type
of
person.
A
C
E
C
Like
the
volume
subsystem
in
the
cubelet,
that
like
is
it
continuing
to
refresh
those
mounts,
that's
one
question
and
then
the
other
question
is:
will
the
node
authorizer
allow
the
cubelet
to
keep
requesting
updated
tokens
for
a
pod?
That's
in
its
deletion
grace
period
and
the
answer
there
should
be:
yes,
like
that
we
intentionally
don't
cut
off
the
cube.
Let's
access
to
get
tokens
until
the
pod
is
like
gone
or
has
exceeded
its
grace
period.
B
E
C
E
Sure
so
this
is
a
follow
onto
a
proposal
that
ted
and
I
brought
last
year
that
was
more
wide-ranging
about
sort
of
integrating
service
account
certificates
into
kubernetes.
The
feedback
from
that
proposal
was:
let's
focus
on
one
first
piece
that
brings
immediate
value
and
is
shippable.
So
that's
what
this
proposal
is.
Basically
this.
What
I'm
proposing
here
is
a
plugable
mechanism
that
lets
gives
kubelet
the
ability
to
request
certificates
for
pods
from
signers.
E
E
E
For
that
the
csr,
and
then
we
just
tell
the
signer
just
because
that
the
csr
that
came
from
cubelet
has
this
format
doesn't
mean
anything.
You
just
need
to
parse
the
information
out
of
the
csr
which
it
carries.
Information
about
the
service
account
that
the
certificate
is
being
requested,
for
it
contains
information
about
the
pod.
The
certificate
should
be
bound
to
and
some
other
a
few
other
pieces
of
information,
and
then
the
signer
can
make
its
own
security
checks.
E
Does
it
believe
that
this
is
a
valid
certificate
to
issue
and
if
so,
issue,
whatever
a
certificate
in
whatever
format
it
likes?
So
you
could
imagine
a
project
like
cert
manager
would
parse
out
the
service
account
and
pod
information.
You
know:
do
some
out-of-band
check
some
non-kubernetes
check
to
make
sure
that
hey?
I
really
expect
this
service
account
to
be
backing.
You
know
a
given
dns
name
and
if
so
issue
the
certificate
against
that
dns
name.
A
E
A
Yeah,
so
it
seems
like
the
trust
anchor
set,
is
independently
useful
in
my
opinion,
and
I
think
that
would
be.
I
don't
know
everyone
told
me,
but
it
seems
like
that
could
proceed
now.
We
have
you
know
an
old
issue
kind
of
tracking
this
work.
It
seems
like
you
know
we
could
get
it
kept
in
for
just
that
piece
in
125
and
start
making
progress
there.
E
E
Can
make
css
for
whichever
signers
and
asserting
whichever
service
account
identities?
It's
not
actually
security,
critical,
because
the
expectation
is
that's
just
having
an
unapproved
csr
hanging
around
harms,
no
one
and
it's
the
signer
that
needs
to
take
the
action
on
approving
and
issuing
the
certificate.
E
A
E
A
A
E
E
It
so
we
send
some
information
to
the
signer
inside
the
csr,
but
signers
are
free
to
check
more
information
like
pod
or
service
account
annotations
if
they
want
to
so
like
a
cert
manager,
style
use
case
where
you
want
to
get
a
publicly
trusted
certificate,
you
could
imagine
you
know
your
pod
is
in
a
service.
The
service
is
annotated
with
the
dns
name,
that
you
want
to
appear
in
the
certificate
and
then
the
signer
is
responsible
for
checking
that
the
pod
and
services
account
really
do
back
that
service.
A
E
E
A
A
A
The
general
flow
seems
reasonable.
I
guess
the
one
thing
that
I
would
be
interested
in
is,
if
there's
any
ideas
on
how
to
extend
the
node
authorizer
with,
like
maybe
like
a
cert
verb
on
service,
counter
cert
verb
on
service.
That
would
make
the
job
of
the
signer
easier,
rather
than
maintaining
their
own
graph.
If
that's,
what
it
comes
down
to,
they
would
be
able
to
issue.
Subject
access
reviews.
F
Reason
that
we're
talking
about
adding
this
as
a
projected
volume
which
which
I'm
not
super
up
on
storage,
but
I
believe
projected
volumes
are
actually
baked
into
cubelet
code-
is
the
primary
reason
we're
looking
at
adding
this
to
the
cubelet
code
to
have
access
to
that
cubelet
identity,
as
opposed
to
doing
this
in
a
csi
driver,
and
if
you
have
a
functional
csi
driver
today
is,
is
that
csi
driver
using
the
cubelet
identity
in
some
way?
You
said
you
were
betting,
that
it
came
from
system
colon
nodes.
E
A
Yeah,
I
think
it's
a
fair
question
that
needs
to
be
addressed
in
the
cap
of
why
we
would
use
a
csi
driver.
Well,
I
would
use
the
protective
volume
instead
of
the
csi
driver.
The
one
thing
about
trust
anchor
sets
is,
I
I
think
it
would
be
really
nice
to
reference
them
from
dynamic
web
hook
configuration
instead
of
embedding
certs
there.
A
So
I
think
you
know
at
least
some
support
in
core
is
probably
maybe
useful
or
necessary.
For
that
I
don't
know
if
that's
an
argument
for
making
trust
anchor
sets
exposing
them
via
projected
volumes.
I
think
there's
then
the
separate
argument
for
using
projected
volumes
rather
than
csi
for
the
actual
certificate,
provisioning
stuff
sure
I'm
I'm
happy.
E
I
think
there's
some
strong,
so
at
least
in
my
mind,
the
strong
argument
for
putting
the
using
a
cubic
projected
volume,
as
opposed
to
a
csi
driver,
is
that
it's
primarily
around,
like
cubit
is
already
responsible
for
pod
identity
in
general,
and
these
certificates
are
another
aspect
of
bot,
identity
and
there's
a
security,
critical
aspect
of
odd
identity.
That's
very
easy
to
get
wrong.
F
E
A
F
F
E
There's
no
like
blocker
to
shipping
this
functionality
as
the
csi
driver.
That
is
just
advertised
as
the
way
you
get
certificates,
but
I
think
that
argument
can
be
applied
to
a
lot
of
stuff
that
cubelet
does
so
I'm
not
sure
what
the
maybe
sig
storage
is.
The
person
is
the
community
to
talk
to
about
that.
E
E
E
A
B
E
B
Inside
well,
pod
authors,
putting
putting
arbitrary
data
into
the
the
pod
spec
seems
fine,
so
long
as
that
is
not
necessarily
reflected
in
the
csr
format
right
if
we
were
to
allow
them
to
put
a
arbitrary
arbitrary
data
into
the
pod
spec.
But
the
only
way
that
you
can
reference
that,
but
by
looking
at
the
csr
grabbing
the
name
going
to
the
pod
grabbing
the
volume
from
that.
A
B
A
E
A
A
D
C
This
is
there's
still
an
open
issue
for
it.
It
got
bounced
around.
It
looks
like
there's
something
weird
or
some
difference
with
the
network
setup
on
some
of
the
upgrade
tests,
and
so
it's
affecting
the
way
the
api
server
starts,
like
it
can't
figure
out
what
its
public
ip
is,
and
so
this
is
like
one
of
the
only
tests
that
actually
does
things
that
care
about
the
public
ip.
C
A
C
A
C
A
C
Oh
yeah,
they
are
on
windows,
okay,
I
think
we
reached
out
to
windows
and
there
were
like
dns
propagation
timing,
issues
that
were
known
on
windows
where
stuff
doesn't
work
as
quickly
on
windows.
I
don't
know
if
there's
an
issue
specific
to
that.
That
seems
like
something
that
should
stay
open
and
actually
maybe
get
addressed,
because
that
seems
like
it's
beyond
the
context
of
just
this
test.
C
C
A
A
C
A
E
A
C
The
components
that
get
shipped
with
the
kubernetes
release
now,
if
some
of
those
components
are
extension,
points-
and
there
are
particular
implementations
connecting
to
those
extension
points,
it's
fine
to
have
tests
demonstrating
that.
But
ideally
the
thing
we
want
to
be
testing
is
the
extension
point.
So
a
stub
or
a
test
harness
or
compatibility.