►
From YouTube: [SIG Auth] Bi-weekly Meeting for 20220216
Description
[SIG Auth] Bi-weekly Meeting for 20220216
A
Hello:
everyone
welcome
to
the
february
16th
meeting
of
sigos
2022..
Let's
get
started,
looks
like
we
have
a
little
demo
to
kick
us
off.
Jordan,
yeah.
B
D
C
All
right,
can
you
see
my
terminal
yep,
all
right
cool,
so
as
part
of
the
work
around
migrating
to
bound
service
account
tokens.
We
wanted
to
make
sure
that
we
had
a
good
user
experience,
and
so
we
spent
a
lot
of
time
in
past
releases
working
on
the
aspects
where
secret
or
tokens
are
mounted
into
running
pods,
and
so
that
that
went
pretty.
C
Well,
as
we
are
wanting
to
turn
off
the
auto
generation
of
secret
base
tokens,
we
want
to
make
sure
we
have
good
user
experiences
for
people
who
might
be
trying
to
use
secret
base
tokens,
and
so
we
just
added
a
command
to
cube
control,
to
allow
creation
of
bound
service
account
tokens
using
the
same
cue
control,
create
pattern
that
we
have
for
other
resources.
C
C
If
I
output
this
to
something
that
is
not
an
interactive
terminal,
it
actually
drops
the
new
line
as
well,
so
we
avoid
the
like
trailing.
New
line
gets
picked
up
and
passed
in
the
header
values
anyway,
but
because
this
is
a
standard,
cue
control
create
command.
We
can
also
output
the
api
response.
So
if
we
wanted
to
see
other
parts
of
the
api
response,
we
can
say
output
yaml
and
we
can
see
all
the
information
about
it
right.
We
can
see
what
our
request
was.
C
We
can
see
the
expiration
timestamp
that
the
server
set
on
the
token,
and
then
we
can
see
you
know
the
token
and
so
just
to
prove
that
this
is
actually
doing
a
thing.
I'm
going
to
capture
that
into
a
environment
variable
and
then
curl
the
server,
and
it
correctly
authenticates
me
this
service
account.
Doesn't
happen
to
be
authorized
to
do
anything,
but
it
is
authenticating
me
as
that
user,
so
authentication
is
working
a
couple.
Other
things
you
can
do.
The
create
command
supports
the
options
that
the
api
object
supports.
C
C
One
thing
that
I
added
to
the
server
while
I
was
doing
this
was
a
warning.
If
you
ask
for
an
expiration
longer
than
what
the
server
will
allow.
So
we've
always
said
the
request
is
advisory.
The
server
can
shorten
it
at
its
discretion,
but
now,
if
you
submit
a
request,
that
is
longer,
I
have
my
server
set
up
to
bound
it
to
just
under
this.
C
C
C
So
I've
created
my
secret
and
now,
when
I
create
my
token,
I'm
also
going
to
bind
it
to
the
secret
and
tell
it
the
name
of
the
secret
that
I
want
to
bind
to,
and
so
you
can
see
that
showed
up
in
the
spec.
So
the
server
recognized
that
and
then
what
that
looks
like
in
practice.
We
do
run
that
again,
but
capture
the
result.
C
So
now
I've
got
my
token
bound
to
that
particular
secret
object
and
it
works
to
talk
to
the
api.
But
if
that
api
object,
that
secret
gets
deleted.
C
That
token
no
longer
works,
that's
funny
there
we
go
that
token
no
longer
works.
I
think
that
was
our
10
second
token
cash,
I'm
pretty
sure
that
was
it,
and
so
what
that
lets
you
do
is
revoke.
Tokens
like
create
tokens
for
service
account,
associate
them
with
a
particular
secret
or
pod,
which
is
what
we
do
for
the
ones
injected
into
pods
and
then
control
the
lifetime
of
that
token.
Via
that
api
object
as
a
proxy,
there
was
actually
no
content
in
that
secret.
C
Oh
yeah,
one
last
thing
was
about
audiences,
so
we
really
want
to
encourage
people
to
start
using
audiences
when
they're
setting
up
tokens
for
use
against
things
that
aren't
the
cube
api
server,
and
so
that's
supported
here
as
well.
So
I
can
ask
for
a
token
for
a
particular
audience,
so
this
might
be
for
talking
to
vault
or
talking
to
some
other
endpoint,
and
if
I
capture
that
and
try
to
use
that
against
the
api
server,
the
api
server
says
like
I
don't
recognize
this
token.
This
does.
E
C
Authenticate
to
me
so
nothing
new
api
wise,
but
this
takes
the
power
of
the
api
we
already
made
and
makes
it
accessible
to
control
users.
That's
it.
C
Just
kidding,
I
don't
think
so,
I
think
the
bound
object
ref
is
singular
in
the
api.
Yeah
is
it
I
don't
know.
I
can't
remember.
A
Awesome
thanks
for
the
demo,
jordan.
A
There
are
no
questions.
Let's
move
on
to
issues
of
note.
C
C
C
I
think
it's
probably
worth
warning
saying
you
sent
a
bearer
header,
but
this
is
a
malformed
one,
so
we're
not
going
to
honor
it.
Like
that's
a
non-breaking
thing.
We
could
do
that.
C
C
It's
a
malformed
header.
I
don't
think
the
spec
allows
spaces
leaping
spaces
and
tokens
okay,.
A
C
Not
necessarily
so
warnings
are
for
problems,
we
are
aware
of
that
are
actionable
by
the
caller,
and
so
we
return
warnings
for
apis
that
are
deprecated,
that
don't
have
a
replacement
that
aren't
intended
to
be
removed,
but
are
deprecated
so
we'll
say
so.
You
know
this
is
dedicated.
You
should
stop
using
it.
That's
the
action
you
should
take
in
this
case
we're
saying
warning:
you're
sending
us
a
bear
token
header,
that's
malformed,
we're
ignoring
it
fix
your
token
header.
C
We
so
the
bare
token
authenticator
says:
does
this
request
have
a
header
that
I
recognize
and
if
it
doesn't
have
bearer
space
token
with
no
spaces,
then
that
authenticator
says
I
have
no
opinion
about
this
request
ignore
it,
and
so
it
falls
through
to
the
anonymous
case.
It's
it's
as
if
you
submitted
a
request
that
said
authorization
blah
blah
blah
blah
blah
like
this.
Isn't
this
isn't
a
recognized
authorization
header,
so
it
ignores
it.
C
That
would
turn
requests
that
currently
fall
through
to
anonymous
and
depending
on
what
they
were
requesting,
maybe
were
allowed
like.
So
the
example
mo
gave
was
someone
has
a
load
balancer
that
they
thought
they
configured
with
a
token
and
it's
sending
it
with
this
weird
malformed
thing,
and
so
it's
falling
through
to
anonymous.
But
the
end
point
it's
hitting
is
health
z,
which
is
actually
allowed
to
be
requested
by
anonymous,
and
so
by.
C
C
Ability
to
like
how
many
of
these
hitting,
if
there's
a
way
to
do
that,
so
a
warning,
maybe
a
metric,
and
that
way
that
at
least
gives
people
like
some
visibility
to
if
they
have
clients
that
are
doing
this
or
getting
this.
E
C
We
strip
the
authorization
header
in
the
authentication,
filter,
okay,
yeah,
so
once
once
you
pass
through
the
authentication
filter,
we
drop
the
authorization
header
completely,
so
it's
not
visible
to
anything
downstream
in
the
hand
or
chain.
Okay.
A
C
And
useful,
like
the
main,
I
think
most
people
either
are
hitting
something
that
anonymous
can
hit,
and
so
they
don't
actually
care
if
they're,
authenticated
or
not
or
they're
super
confused
right
now
about
what
do
you
mean?
I
gave
you
a
token.
Why
am
I
getting
errors
about
anonymous
like
what
in
the
world's
going
on,
and
so
the
warning
will
help
that
type
of
person.
A
Awesome
next
one:
is
it
expected
that
bounce
service
contact
can
stop
being
refreshed
for
pods
that
have
been
soft
deleted?
A
So,
let's
see
what
happens,
the
node
authorizer
gets
a
delete
pod
when
the
pod
is
soft
deleted
and
then
gets
a
tombstone
when
it's
fully
deleted.
Is
that
right,
jordan.
C
Yeah,
because
it's
just
updating
it
with
a
deletion
time
stamp.
Do
you
know
where
this
is
happening?
Is
it
is
it
that
the
cubelet
stops
trying
to
keep
the
volume
out
up
to
date?.
E
C
If
I
have
a
pod
that
I
say
takes
an
hour
to
shut
down
because
it
has
to
whatever,
like
finish
a
job
or
during
connections
or
whatever
the
volume
mounts
that
say,
they
support
remount
should
keep
getting
refreshed
during
that
life
cycle.
C
Like
the
volume
subsystem
in
the
cubelet,
that
like
is
it
continuing
to
refresh
those
mounts,
that's
one
question
and
then
the
other
question
is:
will
the
node
authorizer
allow
the
cubelet
to
keep
requesting
updated
tokens
for
a
pod?
That's
in
its
deletion
grace
period
and
the
answer
there
should
be:
yes,
like
that
we
intentionally
don't
cut
off
the
cube.
Let's
access
to
get
tokens
until
the
pod
is
like
gone
or
has
exceeded
its
grace
period.
B
E
Issue,
I
think
yeah,
it
is
the
case
you
said
like
we
have
a
team
in
google
that
is
like
setting
termination
grace
period
to
12
hours
like.
Why
is
my
token,
stop
working,
I'm
like.
Why
are
you
doing
this,
but
it
just.
C
A
Right
cool,
moving
on
to
discussion
topics:
we
have
a
cubelet
certificate,
provisioner
projected
volume.
E
Sure
so
this
is
a
follow
onto
a
proposal
that
ted
and
I
brought
last
year
that
was
more
wide-ranging
about
sort
of
integrating
service
account
certificates
into
kubernetes.
The
feedback
from
that
proposal
was:
let's
focus
on
one
first
piece
that
brings
immediate
value
and
is
shippable.
So
that's
what
this
proposal
is.
Basically
this.
What
I'm
proposing
here
is
a
plugable
mechanism
that
lets
gives
kubelet
the
ability
to
request
certificates
for
pods
from
signers.
E
E
Let's
see,
the
other
main
point
is
that
the
communication
between
cubelet
and
the
signer
is
pretty
constrained.
So
we've
gone
opposite
so,
instead
of
making
the
csr
that
cubelet
sends
to
the
signer
very
configurable,
instead,
we've
settled
on
a
fixed
format.
E
For
that
the
csr,
and
then
we
just
tell
the
signer
just
because
that
the
csr
that
came
from
cubelet
has
this
format
doesn't
mean
anything.
You
just
need
to
parse
the
information
out
of
the
csr
which
it
carries.
Information
about
the
service
account
that
the
certificate
is
being
requested,
for
it
contains
information
about
the
pod.
The
certificate
should
be
bound
to
and
some
other
a
few
other
pieces
of
information,
and
then
the
signer
can
make
its
own
security
checks.
E
Does
it
believe
that
this
is
a
valid
certificate
to
issue
and
if
so,
issue,
whatever
a
certificate
in
whatever
format
it
likes?
So
you
could
imagine
a
project
like
cert
manager
would
parse
out
the
service
account
and
pod
information.
You
know:
do
some
out-of-band
check
some
non-kubernetes
check
to
make
sure
that
hey?
I
really
expect
this
service
account
to
be
backing.
You
know
a
given
dns
name
and
if
so
issue
the
certificate
against
that
dns
name.
A
Yeah
we
had
previously
talked
about
separating
the
like
what
is
the
coupling
between
the
cubelets
certification
requests?
Functionality
in
the
trust,
anchor
cubelet
trust
anger,
set
projection.
E
Only
that
they
are
both
needed
for
the
mtls
use
case,
but
the
trusting
reset
use
case
could
also
be
useful
for
non-mtls
use
cases
and
that
you
still
need
a
way
to
get
trust
anchor
sets
into
the
pod
file
system
and
right
now.
This
cube
projected
volume
type,
is
how
you
do
that.
A
Yeah,
so
it
seems
like
the
trust
anchor
set,
is
independently
useful
in
my
opinion,
and
I
think
that
would
be.
I
don't
know
everyone
told
me,
but
it
seems
like
that
could
proceed
now.
We
have
you
know
an
old
issue
kind
of
tracking
this
work.
It
seems
like
you
know
we
could
get
it
kept
in
for
just
that
piece
in
125
and
start
making
progress
there.
A
E
Let
me
take
a
look
over.
We
had
some
discussion
around
what
actual
security
checks
are
needed
inside
signer
and
inside
cube
api
server
around.
A
E
I
think
where
we
settled
is
that,
while
it
may
be
a
good
idea
to
restrict
you
know
built-in
suspenders,
which
cubelets
can
make
csrs,
for
which.
E
Can
make
css
for
whichever
signers
and
asserting
whichever
service
account
identities?
It's
not
actually
security,
critical,
because
the
expectation
is
that's
just
having
an
unapproved
csr
hanging
around
harms,
no
one
and
it's
the
signer
that
needs
to
take
the
action
on
approving
and
issuing
the
certificate.
E
So
it's
inside
each
signer
that
they
have
to
draw
a
security
boundary,
and
we've
outlined
some
of
the
security
checks
that
they
will
have
to
do
in
order
to
maintain
the
node
isolation.
Battery.
A
E
A
So
what
are
the
leaf
certificates
signed
for?
Are
they
signed
for
pods
service
accounts
services,
anything
under
the
sun
that
is
totally
up
to
the
signer
implementation?
A
Okay,
what
information?
I'm
sure
it
says
it
already
in
here
what
information
I
I
guess,
it's
just
basically
the
signer
name
that
dictates
whether
you
wanted
for
a
service
or
whatever
yep.
E
E
It
so
we
send
some
information
to
the
signer
inside
the
csr,
but
signers
are
free
to
check
more
information
like
pod
or
service
account
annotations
if
they
want
to
so
like
a
cert
manager,
style
use
case
where
you
want
to
get
a
publicly
trusted
certificate,
you
could
imagine
you
know
your
pod
is
in
a
service.
The
service
is
annotated
with
the
dns
name,
that
you
want
to
appear
in
the
certificate
and
then
the
signer
is
responsible
for
checking
that
the
pod
and
services
account
really
do
back
that
service.
E
E
And
I
think
what
we
recommend
in
the
security
rules
is
that
signers
check
very
carefully
that
this
was
actually
requested
by
a
system,
colon
node
identity,
and
then
that
gives
some
assurance
that
this
isn't
just
some
rando
making.
Csrs.
A
A
Yeah,
I
I
think
this
looks
plausible.
There
is
certainly,
from
my
perspective,
there's
certainly
a
lot
of
configuration
knobs
that
I
might
recommend
adding
incrementally,
but.
A
The
general
flow
seems
reasonable.
I
guess
the
one
thing
that
I
would
be
interested
in
is,
if
there's
any
ideas
on
how
to
extend
the
node
authorizer
with,
like
maybe
like
a
cert
verb
on
service,
counter
cert
verb
on
service.
That
would
make
the
job
of
the
signer
easier,
rather
than
maintaining
their
own
graph.
If
that's,
what
it
comes
down
to,
they
would
be
able
to
issue.
Subject
access
reviews.
F
Reason
that
we're
talking
about
adding
this
as
a
projected
volume
which
which
I'm
not
super
up
on
storage,
but
I
believe
projected
volumes
are
actually
baked
into
cubelet
code-
is
the
primary
reason
we're
looking
at
adding
this
to
the
cubelet
code
to
have
access
to
that
cubelet
identity,
as
opposed
to
doing
this
in
a
csi
driver,
and
if
you
have
a
functional
csi
driver
today
is,
is
that
csi
driver
using
the
cubelet
identity
in
some
way?
You
said
you
were
betting,
that
it
came
from
system
colon
nodes.
E
Yeah,
so
we
today
on
our,
we
have
a
spiffy
issuance
thing
that
backs
some
stuff
inside
jk.
It's
we
today
hijack
the
node
identity,
so
we
run
our
csi
driver
as
like
super
root
on
the
node,
and
we
just
steal
keyblade's
credentials
in
a
certificate
and
then
act
as
the
node
identity.
C
You
get
around
the
or
how
you
avoid
escalating
to
like.
A
Yeah,
I
think
it's
a
fair
question
that
needs
to
be
addressed
in
the
cap
of
why
we
would
use
a
csi
driver.
Well,
I
would
use
the
protective
volume
instead
of
the
csi
driver.
The
one
thing
about
trust
anchor
sets
is,
I
I
think
it
would
be
really
nice
to
reference
them
from
dynamic
web
hook
configuration
instead
of
embedding
certs
there.
A
So
I
think
you
know
at
least
some
support
in
core
is
probably
maybe
useful
or
necessary.
For
that
I
don't
know
if
that's
an
argument
for
making
trust
anchor
sets
exposing
them
via
projected
volumes.
I
think
there's
then
the
separate
argument
for
using
projected
volumes
rather
than
csi
for
the
actual
certificate,
provisioning
stuff
sure
I'm
I'm
happy.
E
I
think
there's
some
strong,
so
at
least
in
my
mind,
the
strong
argument
for
putting
the
using
a
cubic
projected
volume,
as
opposed
to
a
csi
driver,
is
that
it's
primarily
around,
like
cubit
is
already
responsible
for
pod
identity
in
general,
and
these
certificates
are
another
aspect
of
bot,
identity
and
there's
a
security,
critical
aspect
of
odd
identity.
That's
very
easy
to
get
wrong.
F
E
A
F
F
E
There's
no
like
blocker
to
shipping
this
functionality
as
the
csi
driver.
That
is
just
advertised
as
the
way
you
get
certificates,
but
I
think
that
argument
can
be
applied
to
a
lot
of
stuff
that
cubelet
does
so
I'm
not
sure
what
the
maybe
sig
storage
is.
The
person
is
the
community
to
talk
to
about
that.
E
E
Ahead,
would
there
not
be
a
need
to
pass
some
arbitrary
data
credentials
to
the
signer
for
it
to
be
able
to
identify
the
identity
requesting
the
certificate
at
least
the
way
I'm
thinking
about
it?
Is
the
csr
is
fixed?
E
A
B
B
I
could
see
just
adding
and
not
to
the
csr,
not
even
on
the
csr.
No,
that
wouldn't
work.
B
B
E
I
think
technically,
you
can
have
multiple
different
projected
volume
sources
inside
a
single
projected
volume,
so
something
a
little
more
involved
than
that.
But
I
really
what
I
want
to
avoid
is
having
pod
authors
put
some
arbitrary
data
in
the
volume
config.
B
Inside
well,
pod
authors,
putting
putting
arbitrary
data
into
the
the
pod
spec
seems
fine,
so
long
as
that
is
not
necessarily
reflected
in
the
csr
format
right
if
we
were
to
allow
them
to
put
a
arbitrary
arbitrary
data
into
the
pod
spec.
But
the
only
way
that
you
can
reference
that,
but
by
looking
at
the
csr
grabbing
the
name
going
to
the
pod
grabbing
the
volume
from
that.
A
B
A
It
it
only
matters
on
the
certificate
signing
request
api
and
if
those
annotations
are
mutable
on
the
csr
objects,
which
I
can't
remember,
if
they
are
or
not,
then
you
can
just
create
a
separate
field
in
the
csr
object.
That
is
not
mutable.
A
E
A
Cool
does
anybody
else
want
to
give
any
more
feedback,
or
do
you
want
feedback
on
anything
else?.
A
Awesome.
Thank
you
to
here.
A
Looks
like
we
are
through
with
our
regularly
scheduled
topics.
Is
there
anything
else
that
somebody
wanted
to
grab
time
for
before
we
head
into
ci
stuff.
A
A
Okay
looks
like
we
are
less
green
than
usual.
D
Secret
store
yeah
for
the
periodic
ones
like
I
already
have
a
pr
to
fix
it,
so
it
should
be
green.
So
awesome.
C
This
is
there's
still
an
open
issue
for
it.
It
got
bounced
around.
It
looks
like
there's
something
weird
or
some
difference
with
the
network
setup
on
some
of
the
upgrade
tests,
and
so
it's
affecting
the
way
the
api
server
starts,
like
it
can't
figure
out
what
its
public
ip
is,
and
so
this
is
like
one
of
the
only
tests
that
actually
does
things
that
care
about
the
public
ip.
C
So
it's
failing,
but
it's
a
misconfigured
api.
I've
routed
it
to
networking
folks
and
they
don't
have
any
idea.
So
I
don't
know
what
to
do
with
this.
A
A
C
At
this
point
well,.
C
A
That
you
filed
yeah,
I
can
drop
it
in
to
the
agenda
or
in
the
chat.
A
C
Oh
yeah,
they
are
on
windows,
okay,
I
think
we
reached
out
to
windows
and
there
were
like
dns
propagation
timing,
issues
that
were
known
on
windows
where
stuff
doesn't
work
as
quickly
on
windows.
I
don't
know
if
there's
an
issue
specific
to
that.
That
seems
like
something
that
should
stay
open
and
actually
maybe
get
addressed,
because
that
seems
like
it's
beyond
the
context
of
just
this
test.
C
C
Like
that,
flake
is
saying
the
pod
never
became
ready.
So
that's
not
even
getting
to
the
point
where
the
test
was
testing
what
it
was
supposed
to
test.
I
suspect,
if
you
look
at
that
failed
job
like
there
were
a
lot
of
okay
timed
out.
Pods
didn't
become
ready
issues
with
that.
A
What,
if
I
recall
correctly
we'd
like
run
like
a
command
in
check.
A
The
pod
file,
the
token
file.
C
That
is
a
test
that
is
stressing,
creating
and
deleting
the
secrets
and
making
the
token
controller
react
to
that
and
then
clean
them
up
and
then
create
new
ones
and
then
add
those
in.
C
I
would
guess
that
this
flake
has
existed
for
probably
five
or
six
years
at
this
point
and
with
the
stop
auto
creating
tokens
work
going
on
this
release,
I
would
expect
that
test
to
go
away
because
we
will
no
longer
try
to
spawn
and
stomp
in
new
tokens.
A
Metadata
can
submit.
Is
this
actually
useful
tests
to
continue
to
have?
Has
this
ever
actually
helped
us
in
any
way.
A
I
think
it
was
ike
who've
worked
on
this
a
really
long
many
years
ago,
five
years
ago,
four
years
ago,
but
it
runs
like
a
proxy
that
blocks
the
metadata
server
or
specific
paths
on
it.
I'm
not
sure
it's
like
if
this
is
like
a
good
generally
useful,
open
source
test.
C
A
Okay,
I
will
take
an
ai
to
recommend
that
we
drop
this
or
just
drop
it.
A
E
A
I
think
effort
I
don't
know
there
has
been
an
effort
for
the
past
three
years.
A
Somebody
has
to
spend
a
lot
of
time
to
detangle
the
test
infrastructure
from
gce
at
this
point
in.
C
The
components
that
get
shipped
with
the
kubernetes
release
now,
if
some
of
those
components
are
extension,
points-
and
there
are
particular
implementations
connecting
to
those
extension
points,
it's
fine
to
have
tests
demonstrating
that.
But
ideally
the
thing
we
want
to
be
testing
is
the
extension
point.
So
a
stub
or
a
test
harness
or
compatibility.
E
C
E
F
E
C
A
A
A
Enjoy
everyone,
I
think
we're
almost
done
with
these
anyway
I'll
I'll
finish
the
last
two
offline.
Thank
you,
everyone
for
joining
sigath
today,
I
will
see
all
of
you
in
two
weeks.