►
From YouTube: SIG-Auth Bi-Weekly Meeting for 20220302
Description
SIG-Auth Bi-Weekly Meeting for 20220302
A
All
right,
hey
everyone.
This
is
the
cigar
meeting
to
march
2nd
22..
We
have
a
pretty
light
agenda
today,
so
we
can
get
started
so
the
first
one,
let's
see,
I
think
in
this
year
on
the
call
with
me.
So
this
was
a
conversation
that
finished
myself,
rita
and
some
others
were
having
yesterday,
and
why
did
I
bring
it
up
again,
dude
this
larger
group
just
to
confirm
so
like
two?
A
We
plus
years
ago
now
we
had
talked
about
the
envelope
encryption,
that's
used
by
kms
and
the
fact
that
it
uses
aescbc
and
I
really
shouldn't
probably-
should
use
ads
gcm
and
I
had
made
a
pr
to
start
the
migration
away
from
the
old
to
the
new,
but
we
sort
of
paused
that
work
because
we're
like
yeah
we're
going
to
change
the
storage
format.
A
You
know
building
a
new
format
and
the
overall
question
is,
I
think
we
would
like
to
encode
within
that
format.
What
encryption
is
being
used
just
so
it's
clear
and
explicit
how
the
system
was
set
up,
but
we
did
not
want
to
expose
any
configuration.
Instead,
we
would
use
aes
gcm,
and
that
would
just
be
how
the
system
works
and
expanded
the
configuration
and
other
things
later,
truly
necessary.
B
I
don't
think
so.
I
I
think
what.
B
What
we
could
do
I'm
trying
to
remember
since
it
was
so
long
ago,
but
yeah
it
would
be
like
so
it
would
be
just
nice
to.
B
Even
if
it
was
just
like
a
name
field
for
now
or
something
that
is
like
equal
to
what
the
current
prefix
is,
that
would
allow
us
to
make
changes
more
easily
in
the
future.
I
don't
even
know.
If
so
I
guess
we
have
to
decide
whether
it
is
easier
to
do
two
things
at
once,
or
whether
it's
kind
of
the
same
amount
of
work,
and
if
it's
the
same
amount
of
work,
then
we
can
just.
We
don't
really
need
to
bundle
these
things
up
either.
A
A
We
were
kind
of
we're
kind
of
looking
at
this
from
the
the
viewpoint
of
like
a
v2
alpha
one
that
way
we
we
can
try
to
solve
all
the
problems
that
are
sort
of
apparent
to
us
in
whatever
way
makes
the
most
sense
and
then
kind
of
come
back
to
should
we
improve
like
we
want
beta
one
grpc,
api
or
or
whatever
or
like
leave
it
alone
kind
of
like
it's,
not
the
the
act
of
migrating
from
like
a
storage
format,
change
for
kms
versus
just
migrating
to
a
different
kms
is
basically
exactly
the
same
right
you
you
have
to
do
the
storage
migration
dance,
basically
so
yeah.
A
So
I
right
now
we're
thinking
about
this
all
as
just
a
large
effort
to
just
basically
fix
the
problems
within
kms,
but
I
from
here
for
this
particular
thing.
I
just
wanted
to
make
sure
that
there
wasn't
some
actual
use
case
where
ascbc
was
preferred
and
someone
would
actually
ask
for
that
as
a
choice.
A
That's
being
used
to
encrypt
data
right,
yeah,
okay,
as
an
aside,
I
know
it's
been
many
many
years.
Does
anybody
know
why
we
picked
ascd
like
it's
not
exactly
clear
to
me.
B
B
I
know
we
made
conscious
decision
for
cbc
on
the
encryption
of
the
dex,
but
I'm
not
sure
if
we
made
a
conscious
decision
for
dec
encrypting
data.
B
Well,
so
I
would
just
say:
don't
yeah
I
I
don't
want
to
like
over
complicate
it
if
we
can
make
the
incremental
progress
kind
of
like
we're
doing
for
the
ca
search
stuff.
So
this
seems
like
an
incremental
product
for
us.
We're
gonna
have
to
have
like
a
perfect
vision
for
the
future
before
we
get
started
so.
A
Yeah,
no,
I
mean
I'm
making
some
decent
progress
because,
like
anish,
myself,
rita
and
a
few
other
folks
meet
every
week,
just
kind
of
talk
and
just
kind
of
force,
just
a
meeting
forces
us
to
think
about
this
and
actually
try
to
do
something
instead
of
hand
waving
it.
So
that
that's
that's
helpful,
so
yeah.
I
think
we're
not
too
far
off
from
having
some
something
to
bring
back
to
this
group
and
get
feedback
and
see
what
folks
think.
B
A
It's
all
kind
of
weird,
together:
okay,
yeah
cool.
B
About
making
a
cat
he's
not
able
to
make
this
meeting,
but
he
just
wanted
to
give
an
update
that
should
be
ready
by
the
next
sig
off
meeting.
A
Okay,
I
I
missed
the
last
cigar
meeting
did
by
any
chance
was
revocation
brought
up.
I
think
I
saw
you
mike
about.
I
would
like
a
web
book
like.
I
would
like
to
be
able
to
plumb
this
data
through
a
network
request,
which
is,
I
think,
totally
reasonable.
I
I
would
also
like
to
be
able
to
crl,
while
I'm
at
it.
B
I
guess
that
isn't
that
up
to
the
ca
implementation
like
if
the
cser
has
a
crl
list.
A
Thanks
yeah,
it
is
basically
I
would
like
to
also
have
trust
distribution
as
part
of
csr
api
and
that
in
itself
is
a
valuable
problem
to
solve
that.
We've
kind
of
hand
waved
by
saying
that
it's
not
csr's
responsibility
to
do
that,
so
it'd
be
kind
of
nice.
A
Okay,
I'm
looking
forward
to
that.
A
Micah
I
saw
that
you
added
something
about
our
back
conditions.
Like
fractions
of
seconds
before
the
meeting
I
haven't
exactly
had
time
to
look
at
yeah.
C
Yeah,
so
this
was
just
I
just
wanted
to
bring
this
up
for
discussion
like
I
don't
have
it
kept.
I
literally
did
this
in
like
an
hour
yesterday
and
an
hour
today
to
just
like
play
with
this
idea,
but
yeah.
If
you
can
you
reload
that
page,
because
I
I
fixed
the
tabs
to
spaces
thing
for
that.
That
are
back
example.
The
the
basic
idea
here
is
that
there's
a
rvec
is
great,
but
there's
a
lot
of
things.
C
You
can't
do
with
our
back
right
like
and
there's
a
lot
of
use
cases
that
I've
I've
seen
that
I
don't
want
to
call
anyone
out,
and
you
know
I
need
one
project
out
or
anything
at
this
point,
but
where
they'll
just
give
like
something
like
node
status,
patch
to
every
daemon
that
runs
on
every
node
and
sometimes
it's
a
lot
more
than
that.
C
Like
pod,
update
or
node
update,
like
node,
patch
or
no
or
pod,
delete
right
and
the
the
agents
typically
only
need
access
to
like
the
node
object
that
they
run
on
or
a
shadow
object
like
the
csi
object,
but
not
a
one
injury
right,
and
so
I
like.
I
want
to
be
able
to
express
okay,
I
want
the
service
account
to
only
modify
itself
or
the
the
stuff,
the
node,
that
it
runs
on,
or
some
shadow
crd
of
the
the
node
that
it
runs
on
or
or
something
like
that.
C
And
so
I
started
to
kind
of
explore
this
idea
of
what,
if
we
could
add
conditions
to
our
back
and
what,
if
we
could
also
integrate,
like
authentication
user
info
into
that
and
then
also
request
request
attributes.
C
So
this
way
with
this
example
yaml
here,
like
I
can
restrict,
say,
say
this:
cluster
role
was,
you
know,
bound
to
a
service
account
and
in
the
service
account
again.
It's
also
in
this
this
branch.
I
added
extra
info
of
the
the
node
name
that
the
pod
is
bound
to.
C
So
this
way
you
can
see.
Okay,
if
it
again,
this
condition
is
dependent
on
there
being
a
node
name
in
the
in
the
user
extra
info,
but
that
would
allow
a
service
account
to
only
modify
or
patch
the
node
that
it
runs
on
and
this
so
this
kind
of
adds
a
back
to
our
back,
but
I
I
I
haven't
compiled
this.
I
haven't
like
tested
this.
C
This
is
more
just
like
a
an
example
that
I
just
wanted
to
try
and
see
if
I
could
play
around
with
in
the
last
like
12
hours,
so
I
I
kind
of
wanted
to
get
any
early
feedback
and
see
if
people
think
like
this
is
something
like
this
is
the
need
that
we
have,
because
I
I
feel
like
it
is.
I
feel,
like
I
see
this
problem
all
the
time
and
there's
not
a
great
answer
to
it,
but
I
I'd
love
to
hear
yeah
feedback
or
something
from
anyone
else.
C
A
C
Checked
the
agenda
before
lunch,
and
I
don't
think
this
was
on
it.
I
came
back
after
lunch,
and-
and
here
it
is,
I
have
I
have
some
very
raw
thoughts,
but
like
nothing,
I
wouldn't
want
to
be
able
to
to
think
about
and
come
back
with,
more
perhaps
sure
or
different
ones,
but
you
know
one
thought
that
occurs
to
me
is:
if
we
want
such
a
different
kind
of
of
authorizer,
why
marry
it
to
too
far
back
right,
like
this
is
notionally
different?
C
Would
it
actually
even
be
simpler
to
do
as
a
as
a
new
kind
of
authorizer?
Other
thoughts
would
be
things
like
a
not
equals
comparison
is,
is
something
that
worries
me
because
you
know
in
the
early
days
of
our
back,
there
were
a
lot
of
requests
for
for
that
feature
or
star
minus
as
as
something
they
wanted,
and
then
we
added
more
resources
and
if
we
had
had
that
they
would
have
broken.
A
C
I
guess,
while
we're
waiting
for
tim,
I
also
do
have
another
sort
of
mechanical
question
of
what
you
would
expect
this
to
do
on
creates.
I
often
see
cases
where
people
want
if
they
want
control
by
a
particular
name.
They
almost
always
also
want
control
on
creates
and
that
information
is
not
available
to
the
authorizer.
A
C
A
D
C
Other
people's
thoughts
but
sure
so
not
having
this
power
on
create.
I
I
would
say
that
this
looks
as
though
it
is
most
likely
going
to
be
used
for
someone
can
control
this
particular
instance
of
this
particular
thing,
but
I
don't
want
to
enumerate
every
single
one
of
them
independently,
and
I
would
expect
that
create
would
be
an
important
part
of
of
the
full
use
case,
but
I
I
I
didn't
even
click
to
see
if
there
was
a
full
use
case
listed
in
the
the
diff
yeah.
There's
no
use
case.
C
This
is
mostly
just
I
hadn't.
I
haven't
even
had
time
to
really
write
this
up.
I
can,
I
can
put
something
together
for
next
time,
but
mostly
just
kind
of
wanted
to
see
it.
I
know
that
this
has
been
a
problem
discussing
with
some
folks
and
kind
of
wanted
to
see
if
there
was
any
yeah
what
the
thinking
was.
So
this
is
helpful.
C
A
Guess
I
would
ask
this:
I
believe
what
you're
saying
there
is.
This
is
trying
to
key
off
something
from
extra.
As
far
as
I
know,
there's
no
built-in
thing
that
does
extra
other
than
token
web
hook.
A
Yeah,
that's
right.
Service
account
does
extra
for
the
bound
fanciness
stuff,
but
yeah
other
than
that,
though,
like
for
a
for
for
humanish
actors,
I
guess
maybe
this
is.
Maybe
this
is
less
relevant
to
some
of
the
chapters.
It's
usually
a
token
book
yeah.
I
I
guess
my
question's
sort
of
still
the
same.
C
Why
not
well
web
hook?
Authorizer
sorry,
I
thought
you
said
webhook
admission.
Yes,
webhook
authorizer,
yes
yeah,
but
that's
that's.
I
think
that
the
my
initial
thinking
has
been
like
our
back
for
better
for.
Worse
is
what
everyone
thinks
of
when
they
think
of
coup.
It's
not
just
think
of,
but
used
for
kubernetes
authorization
so
requiring
a
webhook
authorizer
is
a
pretty
heavy
lift
for
a
lot
of
a
lot
of
a
lot
of
you
just
users
and
then
also
how
do
you
exp?
C
B
C
D
Yeah
my
my
view
on
a
like
potential
killer.
App
is
the
the
thing
that
I
think
tim
was
trying
to
say
and
number
two.
The
node
scope
demon
sets
which
is
like
there's
all
these
agents
running
around
that
want
to
run
something
on
a
node
and
want
to
update
something
on
a
node
and
the
way
you
do
that
today
is
you
give
yourself
permission
to
update
all
nodes.
D
Potentially-
and
I
think
there's
like
avenues
where,
if
this
really
caught
on
and
people
were
like-
oh
I
now-
I
want
to
be
able
to
mess
with
secrets
that
are
bound
to
this
node.
You
could,
you
know
populate
resource.
You
could
populate
the
available
conditions
on
a
resource
to
include
like
contents
of
the
node
graph.
C
What
yeah
it
it's
very
early
for
all
of
us
looking
at
this,
but
I
think
I
would
say
that
that
would
require
a
different
sort
of
implementation,
because
you
would
need
to
have
both
an
authorizer
and
an
admission
plugin,
and
you
would
some
and
you
may
need
to
take
into
account
the
results
of
one
in
the
other
right.
C
C
Okay-
and
I
I
don't
know
that
I
think
the
goal
is
not
to
solve
every
case.
Probably
with
this.
I
think
it's
just
to
try
to
make
some
things
better,
which
certain
things
are
are
not
great,
like,
I
think,
there's
just
big
avenues.
I
see
big
avenues
for
lots
of
daemons
to
run
amok
with
too
many
permissions
that
are
cluster
scoped
and
easily.
Like
cross
note,
boundaries.
C
That
possible,
oh
yeah,
like
that,
I'm
not
saying
it
would
have
no
so
like
that
that
wouldn't
have
the
full
node
graph,
so
that
would
it
would
be
mostly
request
based.
So
what's
in
the
request
and
what's
in
the
identity
of
the
caller
so
and
by
the
request,
I
mean
like
the
things
that
are
accessible
to
the
authorizer,
so
you
know
api
schema
or
api.
Excuse
me,
api
version,
resource
type.
A
I
think
what
you're
saying,
though,
is
that
this
does
not
have
the
capabilities
of,
like
the
note,
authorized
or
plus
noted
right.
Those
things,
of
course,
both
a
very
specific
work,
authorization
level
semantic
using
the
graph,
and
then
they
certainly
extend
that,
with
updates
to
be
very
specific
on
objects.
A
With
the
admission
bit,
I
was
going
to
take
a
second
and
just
try
to
read
what
tim
wrote
in
chat,
which
was
first
thing
he
said
is
this
has
definitely
come
up
before
two
common
use
cases
I've
heard
of
are
granting
access
in
specific
time,
windows
or
granting
access.
If
the
request
is
coming
from
certain
ip
ranges,
the
clo
and
so
the
second
item
he
said
the
closed
cap
I
linked.
I
do
think
something
like
this
is
interesting
for
bounding
requests
to
a
specific
node
and
then
another
thought.
A
A
Okay,
I
I
don't
think
anyone
has
written
up
the
doc
or
kept
or
anything,
but
I
had
spoken
to
some
folks
about
the
the
issue
about
being
able
to
specify
more
than
one
web
hook,
authorizer
to
the
api
server
and
then
one
of
the
things
you
guys
like.
Are
you
asking
what
cell
is
yeah
common
expression,
language?
A
C
It's
actually
implemented
in
alpha
they're
gonna.
Do
a
second
alpha.
This
release,
adding
some
more
features
to
it.
Yeah
it's
used
for
validation
of
custom
resources.
I
had
not
heard
of
anyone
trying
to
do
it
for
an
authorizer.
C
A
Yeah
but
yeah
I
had
suggested
to
the
folks
that
were
working
on
or
trying
to
start
the
work
on
the
more
than
one
webhook
structure:
config
thing
that
since
this
was
being
used
elsewhere,
it
might
be
interesting
because
it's
there,
I
don't
know
that
it
went
anywhere.
B
I
would
be
interested
to
see
if
it
would
be
possible
to,
instead
of
using
cell
as
conditions
in
raw
policy
use
it
to
build
a
node
graph
that
is
extensible
and
supports
stuff
like
crds.
B
Yeah
or
a
different
object,
I
guess
you
could
do
either,
but
it
seems
like
you
could
implement
the
node
authorizer
re-implement
it
with
something
more
generic.
If
you
could
extract
edges
generically.
D
Is
there
a
concrete
use
case
of
of
that
that
you
don't
get
by
just
having
name
matching
pause
stuff
down
to
pause,
but
like
update
a
pod
that
is
on
the
node
that
my
demons
at
runs
on?
Is
that
kind
of
the.
A
Yeah,
I
think
what
mike
is
trying
to
say
is
today
by
the
virtue
of
a
pod,
referencing
a
secret
and
then
being
scheduled
on
a
node.
The
node
authorizer
and
admission
plugins
together
allowed
that
partic
that
node
at
that
time
to
access
the
secret
so
that
it
can
mount
it
as
a
volume
within
the
pods
file
system.
A
Mike
is
saying:
wouldn't
it
be
great
if,
instead
of
that,
being
all
hard-coded
into
kubernetes,
if
there
was
a
way
to
express
this
within
the
api,
and
then
you
know
as
long
as
you
have
the
right,
you
know
validation,
checks
and
authorization
checks
of
the
various
places.
You
could
then
allow
arbitrary
extensions
of
this
type,
so
I
have
a
custom
resource
that
can
be
referenced
somehow
by
a
pod
and
thus,
by
that
pod
being
scheduled
on
a
particular
node.
A
So
I
mean
that's
certainly
interesting
and
I
think
valuable
I
was
gonna
ask
this
is
a
high
level.
This.
This
whole
condition
idea
to
me
sounds
more
like
a
binding
than
a
roll.
B
A
D
C
Before
I
woke
up
yeah
well,
I
figured
it
would
hold
us
for
a
while
and
yeah.
We
made
it
seven
years.
C
Comment,
I
would
be
more
interested,
I
think,
in
a
separate
object
to
express
this
than
trying
to
reuse
rbac.
The
last
time
I
reused
rbac
was
for
aggregated
roles
and
in
the
end
people
were
not
very
happy
with
that
decision.
C
C
If
people
wanted
to
use
it,
they
had
to
understand
a
new
field
on
a
type
that
they
weren't
expecting
changes
on
and
that
particular
one
ended
up
being
self,
not
self
mutating
but
mutating
well,
yeah
self
mutating
right.
You
describe
what
you
want
to
aggregate
and
it
almost
became
like
a
secondary
spec
and
status,
and
so
people
started
getting
modifications
to
to
resources.
They
didn't
expect
things
they.
C
A
Well,
they
are
it's
totally
there's
totally.
Definitely
I
mean
I'm
not
even
saying
anything
about
openshift
I've
seen
plenty
of
people
use
the
r
back
data
and
it's
expected
to
mean
a
thing
and
they
use
the
standard,
go
partials
and
stuff.
So
they'll
just
drop
these
new
random
condition
fields
and
have
no
idea
that
the
meaning
of
the
rvac
is
not
yes,.
C
And
the
change
in
the
change
for
the
aggregated
cluster
roles
didn't
even
have
that
problem,
because
eventually
it
would
settle
to
the
final
set.
But.
B
C
Anyway,
separate
would,
in
my
mind,
be
probably
preferred
if.
C
D
C
A
Even
that
being
a
separate
object,
I
think
would
be
preferable
because
then
it
would
be
very
clear
that
this
new
binding
thing
is
conditional
instead
of
always,
and
that
would
also
prevent
the
whole,
like
you
interpret
it
wrong,
because
there's
no
way
you're
randomly
going
to
read
a
resource
that
you
have
no
idea
exists,
and
then
you
know
we
at
least
still
have
that
level
of
control
of
the
idea
of
what
permission
you
got
was
still
just
easily
correctly
expressed
by
a
cholesterol.
I
don't
know
if
it
is
or
not.
A
A
Yeah,
this
is
interesting,
michael.
If
you
want
to
continue
discussion
next
time,
I
think
that'd
be.
C
Yeah
no,
this
is
really
helpful.
I
think
I
I
had
some
thoughts
around
this
and
I
just
kind
of
wanted
to
I've
been
around
for
a
while,
but
I
just
wanted
to
hear
what
other
folks
thought
and
what
other
folks
were
thinking
about
direction
on
this.
So
so
it
sounds
like
you're,
a
secondary
type,
a
class
like
a
a
conditional
cluster
role
and
condition
or
set
of
types,
roll
roll,
binding
cluster
role,
cluster
role
bindings
with
the
same
almost
the
same
set
of
types,
but
with
these
conditions,
so
there's
not
confusion
about.
C
C
A
You
you
know
mo,
can
update
this
object,
but
he
can
only
set
this
field
and
I
think
that's
where
stuff,
like
cell
is.
A
C
C
It's
the
custom
resource
validation,
the
actual
cell
engine
itself,
though,
if
you
set
it
up
with
these
or
like
your,
I
forget
what
they
call
it,
but
like
the
starting
node,
you
can
reference
and
pull
names
out
of
them,
for
instance,
and
then
there's
a
set
of
the
library
of
functions
for
things
like
comparisons.
A
Yes,
good
switched
over
to
windows,
the
yeah,
so
the
approved
cap
and
the
thing
that's
implemented
in
alpha
is
for
crd
validation,
but
I
think
it
was
called
out
and
that
kept
as
a
possible
future
extension
to
add
kind
of
validating
and
even
mutating
admission
control.
Based
on
that,
I
think
there
might
be
a
draft
cap
shared
at
my
google
doc.
I
can
see
if
I
can
find
that
afterwards
and
send
it
your
way.
A
Yeah
I
mean
I
I'm
relatively
like
positive
on
this
stuff,
just
because
I
find
it,
it
is
a
hard
sell
to
say
that
hey,
if
you
want
to
validate
this
field
to
like
be
within
like
this
starts
with
x,
go
write
an
entire
website
to
do
that,
instead
of
like
two
lines
of
sale
or
actually,
I
think
it's
one
line
to
sell
so
or
at
least
the
simple
stuff
it's.
It
makes
a
lot
more
sense
to
just
encode
it
within
the
crd.
A
A
I
think
it
would
be
helpful
to
collect
a
list
of
use
cases
for
this,
because,
right
now
it
sounds
like
the
strongest
use
case.
We
have
is
node
scoped
authorization
and
if
that's
really
the
like
primary
use
case
for
this,
it
might
be
worth
considering
open
reopening
something
like
that
that
node
scoped.
A
I
can't
remember
exactly
what
was
proposed
there,
but
like
something
that
could
potentially
take
advantage
of
the
the
graph
that's
already
built
out
by
the
node
authorizer.
Instead,.
B
C
A
That
might
have
been
in
the
transition.
Was
this
about
using
cell
to
access
yeah?
What
did
you
think
about
that
yeah?
I
think
that's
interesting.
I
mean
I
think,
if
we're
talking
about
full-fledged
cell
based
authorization,
then
that
would
definitely
subsume
this
use
case.
B
What
do
you
mean
by
that
I
mean
if.
A
We
could
like
if
there
was
something
where
you
say
like
write
a
cell
expression
to
grant
authorization,
or
were
you
saying
something
more
narrowly
scoped
than
that.
B
B
So,
instead
of
hard
coding
how
we
extract
the
edges
to
the
node,
we
could
allow
that
extraction
to
be
programmed
dynamically
using
cell.
So
you
could
still
query
the
node
graph,
but
it
could
require
it
for
something
like
a
crd
instead
of
the
ac
grid.
Is
that
what
you
were
thinking
or
were
you
thinking?
Is
that
how
you
interpreted
what
it
said?
B
B
B
All
right
so,
like
cj,
said
that
this
could
be
a
bull
flag
on
roll
binding.
That
is
just
like
note.
Scoped
david
said
that
we
shouldn't
willingly
add
weird
things
that
change
the
semantics
of
our
back.
C
Yeah,
I'm
just
trying
to
think
of:
what's
the
user
gonna,
how
does
how
does
the
user,
interacting
with
the
api
reason
about
what
permissions
a
thing
has
so
like?
How
do
they
define
and
reason
about
that?
Like?
Do
they
say,
here's
my
yaml,
I'm
going
to
apply
it
like
just
like
they
do
our
back.
This
is
just
another
api
like
that
that
we're
talking
about
node
authorizer,
isn't
doesn't
have
an
api.
B
C
B
It
would
be
a
so
there
would
be
like
there
would
need
to
be
a
new
api
introduced
to
to
configure
that,
and
it
would
like
take
as
input
like
your
conditions,
but
the
conditions
would
be
used
there.
Maybe
it
wouldn't
even
be
a
condition
at
that
point.
It
would
take
in
cell,
like
the
validation
apis
do
and
the
cell
would
output
edges
and
vertices,
and
that's
what
the
node
authorizer
would
run
to
maintain
the
graph.
B
I
guess
it
wouldn't
even
need
to
be
the
node
authorizer
you
could
you
could
re-implement
parts
of
the
node
authorizer
with
that?
Probably
all
of
it
yeah
and
then
yeah.
C
Still
have
no
admission
for
some
things,
but
yeah,
okay,
okay,
yeah,
so
a
whole
different
api
group,
because
you
need
to
cover
escalate
cases
and
whatnot.
B
In
in
the
api
right,
yes,
maybe
I
haven't
even
thought
that
far.
A
I'm
just
gonna
echo
some
stuff
on
chat.
I
see
max
has
said
that
if
they're
mark
said
that
you
know
if
there's
intent
to
add
something
like
so
why
make
you
know?
Operators
learn
more
stuff,
like
don't
make
two
different.
I
guess
schemas
for
specifying
policy.
A
A
A
Sorry,
I'm
more
worried
about
the
second
one,
that
that
adds
a
lot
of
complexity,
and
I
think
this
was
the
argument
that
we've
had
against
conditions
in
the
past
that
it
makes
it
too
hard
to
understand
who
has
access
to
what.
C
One
feature
of
our
back:
that
is
nice,
is
that
it's
invertible,
so
you
can
look
and
say:
does
this?
Does
this
subject
have
access
to
make
this
particular
kind
of
request?
You
can
also
look,
and
if
you
have
all
of
our
back
present,
you
can
say
what
actions
can
this
person
take.
C
You
can
basically
say
they
can
take
this
action
if
this
evaluates
to
true,
if
it's
based
on
time,
I
think
that's
really
hard
to
do
like
you
know
from
12
to
1205.
You
can
do
this
from
12
to
5
to
7
pm.
You
can
do
that.
I
think
that
makes
it
harder.
A
I
I
guess,
I'm
I'm
a
little
less
happy
about
the
idea
of
even
trying
to
pursue
temporal
stuff
because,
like
as
a
for
example,
if
if
I
can
right
now,
temporarily
do
a
thing
I
can
but-
and
let's
just
say,
I
have
like
admin
level
access
temporarily
to
a
namespace
right.
I
can
at
that
instant,
create
a
service
account
granted
admin
access
to
that
name.
A
No,
no,
I
understand
that
this
comes
as
a
request
that,
like
I
just
want
my
my
employees
to
only
be
doing
things
during
like
work
hours
and
it's
like
okay,
but
like
it's
going
to
be
best
effort
like
it's
not
actually
a
security
thing.
It's
mostly
just
like
preventing
accidents,
not
really
preventing
a
bad
actor
from
being
bad.
E
You
don't
even
need
like
custom
authenticators,
for
that
I
mean
that
their
entire
engines,
that
will
do
this
sort
of
temporal.
You
know
provision
the
user
into
a
group
when
they're
authorized
deprovision
them.
When
they're
done,
I
mean
it's
the
entire
privileged
access
model
system
that
most
enterprises
end
up
having
I,
I
don't
know
that
I
don't
even
know
that
that
to
most
point
that's
even
a
problem
that
could
be
effectively
solved
from
inside
of
kubernetes
yeah.
A
I
mean
if
you
had
a
simplistic
system
that
was
just
adding
and
removing
you
from
groups
that
gave
you
permissions
and
far
back
was
just
bound
to
those.
Well,
nothing
prevents
you
from
abusing
the
rights
at
the
time
that
you
had
them
and
pushing
them
into
a
different
actor
right,
because
our
back
itself
has
no
concept
of
time,
it's
just
in
the
sense
of
other
than
the
now.
If
you
are
allowed
to
do
this
thing
now-
and
you
know
that
happens
to
be,
it
happens
to
be
run
during
an
our
back
escalation
check.
A
Yeah,
I
was
just
wondering
about
how
this
would
work
with
anything
that
does
caching
of
authorization
as
well
and
also
subject.
Access
reviews
would
need
to
be
accounted
for
as
well.
A
A
Certainly
any
of
the
admission
stuff
is
already
available
right.
You
know
to
any
admission
web
hook
as
long
as
it's
basically
in
the
user
info
somewhere
or
admission
can
have
basically
everything.
So
it's
really
their
subject.
Access
review
bit,
but
I
neither
token
review
or
subject
access
review
in
their
response
include
anything
about
a
temporal
thing.
D
Yeah,
like
a
quick
knee-jerk
response
to
that
is,
you
could
just
return
a
condition.
You
could
extend
the
subject,
access
review
status
to
include
a
condition
or
you
could
just
say
no
for
anything
that
has
a
condition
that
you
can't
know
the
condition
kind
of
pushes
off
the
burden
to
say
hey
if
you
know
how
to
evaluate-
and
you
want
to
know
like
if
this
is
a
temporal
thing
or
if
this
is
a
request
characteristic
thing.
D
Like
there's
your
answer,
I
also
had
a
question
for
mike
about.
If
we
did
the
node
graph
in
cell
thing,
could
you
then
just
write
cell
in
a
more
general
conditional
binding
to
access
the
node
graph
and,
like
just
have
all
of
the
node
authorizer
stuff,
be
conditional
bindings.
B
All
right,
I
I'm
sure
that
you
can.
D
B
A
Nude
authorizer
does
a
lot
of
caching
and
there's
like
multiple
layers
of
indirection
there
that
I
think
to
do
that
on
the
fly
would
be
really
expensive.
D
Yeah
for
sure
I
think
we
would
still
do
the
caching.
It
would
be
like
you're
getting
a
the
attributes.
You're
allowed
to
access
are,
you
know,
guaranteed
to
be
no
more
than
three
minutes
out
of
date
or
whatever,
but
like
you're,
not
necessarily
that's,
probably
too
long,
but
it
would
probably
be
the
same
caveats
as
the
note
authorizer,
but
it
would
just
be
like
you'd
be
presenting
the
node
graph
to
be
queryable
right.
Is
that
what
you're
talking
about
mike.
B
Today
we
could
build,
we
could
continue
to
build
yeah,
so
it
the
the
graph
access
could
still
be
cached
like
it
is
today,
but
I
think
it's
more
for,
like
especially
for
things
that
are
doing
delegated
authorization
yeah.
I
think
we're
talking
about
maybe
two
different,
we're
flipping
between
subjects
which
might
make
this
conversation
confusing.
B
Right
which
is
separate
and
the
node
caching,
because
that's
a
very
busy
authorizer
and
then
now
we're
also
talking
about
how
to
cache
conditions
conditional
grants
when
we're
doing
a
subject,
access
review,
which
is
a
separate
question,
or
maybe
I
didn't
follow
the
relationship
between
what.
D
I
think
the
caching
and
subject
access
review
questions
are
also
different,
because
caching
is
just
like
all
right.
If
we
evaluated
a
condition-
and
it
answered
true
five
minutes
ago-
is
that
okay
for
us
to
just
assume
still
holds
or
do
we
need
to
be
smarter
about
what
the
conditions
are
and
like
never
cache
a
temporal
condition.
A
We're
good
at
on-the-fly
discussions,
michael
apparently
thank
you,
yeah!
Let's,
let's
continue
this
next
time.
I
think
I
think,
there's
a
lot
of
interest.
You
know
yeah.
I.
I
suspect
that
when
there's
lots
of
interest,
I
think
folks
can
get
something
done
here.
So,
let's,
let's
keep
talking
yeah,
we'll
see
everyone
next
week
or
not
next
week
to
each
minute.