►
From YouTube: Sig-Auth Bi-Weekly Meeting for 20200330
Description
Sig-Auth Bi-Weekly Meeting for 20200330
A
Hey
everyone:
this
is
the
march
30th
22nd
2022
cigars
meeting
yesterday
was
code
freeze
for
3,
so
I
think
everybody's
good
and
tired
right
now.
Thankfully
we
have
a
pretty
light
agenda
granted.
I
don't
know
to
hear
how
much
discussion
he
wanted
to
have
about
trust
makers
today,
but
we'll
find
out
and
get
to
it,
but
max.
I
think
you
have
the
first
two
items.
B
Yeah,
I
think
we
can
drop
the
second
one,
because
you
already
answered
this
so
about
the
first
one.
The
idea
is
simple:
I
proposed
it
on
slack,
so
we
have
a
bunch
of
apis
to
debug
authentication
flow.
For
example,
token
review,
subject,
access
review
self
subject
and
this
review
and
so
on,
but
there
is
no
api
which
helps
you
to
get.
B
You
know
who
you
are
your
attributes,
your
user
id
username,
extra
attributes
and
so
on
and
as
we
discussed
on
slack,
it
looks
like
a
missing
part
of
this,
so
I
propose
to
add
some
kind
of
an
api
end
point
to
check
your
attributes
and
also
provide
a
corresponding
obstacle
command
to
like
to
to
make
the
back
easier
to
make
debugging
easier.
Yes,
that's
the
idea.
C
C
D
Can't
you
just
use
can't
you
just
make
a
request
that
gets
rejected
by
rbac
and
it
returns
your
username
yeah,
not
seeing
that
as
a
like
solution
to
this
feature.
C
It
so
I
don't.
I
don't
remember
whether
that
was
there
or
not.
I
bring
this
up
because
I
would
like
to
be
sure
that
same
party
gets
asked
again,
so
they
get
a
chance
to
explain
it.
A
Yeah,
so
like
so
with
my
personal
experience
with
this
in
gcp,
is
that
gcp
does
or
tk
really
does
encode
some
encrypted
blobs
in
the
extra
field.
A
Which,
I
guess
they're
happy
with
all
the
other
web
books
and
everything
else
being
able
to
see
because
they're
semi
privileged
yeah,
I
mean
I
I
mean.
I
would
personally
like
to
see
this.
I
guess
I'd,
maybe
even
be
okay.
If
it's
our
back
is
optional
or
something,
but
the
our
back
to
call
the
api
is
optional.
A
I
guess
that
would
be
that
would
at
least
alleviate
the
concerns.
I
know
jordan
who's
also
not
on
the
call
I
mentioned
concerns
about
just
the
extra
fields
in
general.
We
don't
know
what
people
are
putting
in
them
and
that
that
could
be
bad,
and
I
feel,
like
you,
shouldn't
rely
on
hiding
secrets
inside
of
extra
people
can
do
anything.
E
Yeah
I
mean
the
so
the
problem
maybe
so
like
we
could
build
something
that
works
for
our
back,
but
when
you're
running
on
a
cloud
platform,
usually
you're
integrated
with
the
cloud
platforms,
I
am
abstraction,
so
kind
of
who
you
are
and
what
you
can
do
is
kind
of
a
very
open-ended
question
when
you're
using
webhook
token,
authenticators
and
web
token
authorizers.
A
Yeah,
I'm
not
saying
this
wouldn't
work
with
all
those
I
I
should
have
used
the
word
authorization,
the
idea
being
that
if,
if
you
built
an
api
but
then
did
not
provide
bootstrap
our
back
policy
for
it,
then
it's
up
to
the
cluster
admin
to
assign
that.
But
that's
what
I
was
saying
is
that
we
could.
If
the
concern
is
who
can
see
this
and
you
want
to
control
who
can
see
it
then
go
for
it?
Don't
don't
give
don't
give
anyone
access
or
give
whoever
you
trust
to
have
access?
A
C
See
the
last
bit
yeah
and
it
exists
in
openshift,
because
openshift
also
has
a
user
concept
which
is
managed
on
the
platform
and
that
isn't
the
case
for
general
cube.
So.
A
Would
this
new
endpoint
be
authorized
or
available
to
all
micah
this
question?
Yeah,
I
mean
so
I
think
that's
open-ended.
We
could.
We
could
do
something
similar
to
what
we
did
with
the
bound
service.
Token
account
discovery
endpoint,
where
we
we
only
bind
that
one
to
service
accounts
and
something
like
this.
We
may.
A
I
guess
I
don't
know
if
that
care,
if
a
service
account
can
see
its
own
metadata,
because
it's
already
in
the
in
the
token,
so
maybe
we
could
also
just
the
service
accounts,
but
the
choice
for
binding
it
to
like
system
called
authenticated
or
system
called
unauthenticated
is
deferred
to
the
platform
for
the
discovery,
and
we
could
technically
do
the
same
here.
The
same
concerns
present.
A
But
we
want
max,
we
can
try
to
follow
up
with
mike
and
jordan.
Make
sure
I
I
guess
david
you're
here.
Do
you
have
concerns?
What's
your
what's
your
stance.
C
I
don't
have
an
issue
with
it.
I
just
want
to
make
sure
that
people
who
had
previously
objected
to
it
get
a
chance
to
object
to
it
again
and
provide
those
reasons
and-
and
I
presented
them
as
best-
I
remember,
but
it
was
many
years
ago.
This
came
up.
A
Yeah
yeah,
if
you
feel
feel
free
to
ping
them
directly
in
slack
and
try
to
get
feedback
on
my
side.
I'd
be
happy
to
look
at
it
kept,
but
maybe
don't
write
one
until
you
understand
their
concerns
and
if,
if,
if
you
want
we
can,
we
can
also
put
this
on
the
agenda
for
two
weeks
from
now
and
try
to
try
to
discuss
again
if
they're
on
on
the
call.
A
I'm
I'm
more
than
happy
to
discuss
the
second
item
too
max.
You
don't
have
to
just
take
what
I
said
as
the
final
answer
did
you
want
to
discuss
it.
B
Yeah,
maybe
someone
has
the
same
problem
as
I
am
they
have
just
because
you
know
we
have
this
repo
authorization
that
you
know
you
can
custom
customize
your
like
excel
slides.
So
we
use
this
to
provide
some
kind
of
a
multi-tenancy
to
forbid
access
to
some
namespaces
or
some
resources
during
days
or
nights
for
some
engineers.
B
So
such
policies
and
we
want
to
enforce
them,
so
we
want
them
to
be
strict,
but
if
like,
if
webhook
doesn't
work
because
of
something,
so
it
counts
like
like
okay
situation,
so
you
do
not
policies
doesn't
work.
If
webhook
doesn't
work,
that's
not.
I
don't
think
this
is.
B
So
in
in
our
case,
this
is
not
useful.
It
became
like
we
cannot
use
this.
B
But
it
allows
so
if
it
allowed
buyer
buck,
for
example,
and
we
use,
we
use
google
just
to
deny
requests
so
and
if
this
is,
if
these
requests
are
allowed
by
bugs,
so
they
are
allowed
if
a
book
isn't
unavailable.
C
A
Oh
yeah,
no,
what
I
what
I
said
is
this
is
totally
fine.
We
there's
already
folks
trying
to
write
a
kept
for
a
proper,
structured
config
for
multiple
authorization
web
books,
one
one
of
which
would
be
this
capability
of
configuring.
Your
failure
policy-
and
you
know
there.
You
know
it
could
be
fail
close
by
default
or
it
could
be
just
there
is
no
default,
and
you
have
to
tell
us,
but
I
just
I
what
I
didn't
want
is
more
api
server
flags
just
trying
to
tack
on
features.
C
As
it
happens
right
now,
I
believe
we
have
an
ordered
authorizer
but
yeah.
I
I
don't
object
to
a
structure
config,
if
that's
necessary
to
do
it.
That
sounds
okay,
the
idea
of
being
able
to
build
something
that
allows
a
deny
authorizer
sounds
very
reasonable
to
me.
It's
a
thing
that
that
we've
made
use
of
before.
A
A
B
A
So
I
wanted
to
bring
sure
I
went
to
pr
so
so
there
was
some
recent
effort
by
some
folks
to
clean
up
or
try
to
fix
some
bugs
in
our
client-side
oidc
logic.
So
this
is
the
the
not
not
the
server
side,
but
but
with
cube,
ctl
and
client
going
both,
and
I
wanted
to
get
folks's
feelings
around
one
around
sort
of
the
the
health
of
this
thing
that
we
have
that
we
basically
don't
fix
bugs
in.
Even
though
there's
like
known
issues,
they've
been
known
issues
open
for
years.
A
For
this
thing
they
do
cause
people
pain
and
we
basically
haven't
meaningfully
changed
it
and
multiple.
A
A
Ish,
it's
really
messy
and
really
hard
to
reason
about
what's
gonna
happen
and
well,
there's
bugs
in
it
and
folks
were
trying
to
fix
the
bugs
and
like
tim
and
myself
reviewed
it
and
they
were
like
so
bad
and
then,
like
you,
didn't
make
coach
breeze,
because
I
just
didn't
feel
confident
enough
in
what
the
change
was
doing
to
feel
good
about
it.
C
I
don't
have
experience
in
that
area
of
the
code
david.
You
wrote
it
son
of
a
gun,
so
I
don't
remember
that.
A
C
A
So
there
I
think,
there's
like
two
open
right
now,
but
they
they
all
come
from
weird
behaviors
caused
by
this
global
client
cache
primarily
around
when
refresh
tokens
are
rotated
and
basically
it
gets
confused
and
will
like
sometimes
return
to
stale
refresh
token
or
sometimes
not,
and
so
you
know
on
certain
providers.
A
This
is
not
problematic,
because
a
lot
of
providers
should
just
keep
returning
the
same
refresh
token
or
no
refresh
token
at
all
and
just
assume
you're
using
the
old
one,
whereas
like
modern
providers,
modern
in
the
sense
of
more
security,
conscious
ones
make
the
refresh
tokens
one
use,
so
you
get
a
new
one,
every
single
time
and
the
old
ones
invalidated.
In
those
cases,
this
thing
goes
haywire
and
just
falls
off
a
push.
A
Yeah
so
I
mean
yeah.
I
have
a
hard
time
reasoning
about
this
code,
because
there's
there's
locks
inside
this
client
cache
there's
like
global
locks,
then
there's
this
thing
that
hides
a
lock,
because
it's
the
cube,
config
abstraction
and
all
of
this
is
really
really
muddled.
If
you
ever
invoke
more
than
one
tube
cto
command
at
the
same
time,
because
there's
no
synchronization
against
the
cube
config
itself,
so
then
like
we're
gonna,
basically
trash
your
food
config,
which
was
also
not
cool.
A
E
Like
but
but
it's
like,
yeah
go
ahead.
Three
years
I
was
gonna
say
like
for
the
out
of
three
provider
plugins
that
is
like
for
the
g
cloud,
one
that's
what
we
have
done
is
we
have
a
separate
cache
file
where
we
use
a
simple
locking.
Actually
we
don't
even
lock
it.
We
just
rewrite
the
whole
file
every
time
like
atomically,
if
you
have
a
complicated
one.
E
One
thing
we
looked
at
was
using
something
like
both
db,
so
just
like
a
tiny
key
value
store
so
that
we
didn't
have
to
worry
about,
like
all
the
complexity
of
locking
the
file
and
ensuring
that
rights
are
consistent
and
all
that
good
stuff,
in
our
case,
we're
only
caching
a
single
value.
So
we
just
went
with
atomically
replacing
the
file
yeah.
B
E
I
think,
in
our
case,
it
doesn't
matter
because
when
you
use
g
cloud
authentication,
no
matter
which
cluster
you're
connecting
to
you're
always
the
same
person,
it's
a
little
weird.
F
Yeah,
no,
that
there
are
specific
circumstances
where
it
doesn't
where
it
doesn't
matter,
but
for
the
kube
config
file,
specifically
for
configuration
files
like
there
are.
There
are
certainly
circumstances
where
just
doing
atomic
replaces
is
not
enough.
Okay,.
E
A
Yeah,
so
I
mean,
I
guess:
that's
where
this
comes
down
to
right
is:
how
far
are
we
willing
to
go
to
actually
make
this
work
right
like
in
something
correct?
I
shouldn't
use
the
word
right,
because
this
happens
to
be
important
to
people,
because
it's
built
into
cube,
ctl
and
very
soon.
This
will
be
the
only
thing
built
into
cube
ctl,
because
the
next
release
is
when
the
built-in
aks
and
gk
stuff
goes
away.
A
So
I'm
just
trying
to
sort
of
figure
out
how
we
roll
out
changes
to
this
thing
and
how
dramatic
we
can
be
with
them
as
a
for
example,
we
if
we
build
in
some
mechanism
that
doesn't
store
credentials
in
the
cube
config
anymore.
B
So
this
is
a
real
problem
for
dex,
because
index
rotation
of
refresh
tokens
was
enabled
by
default,
and
we
have
a
lot
of
bug.
Reports
about
this-
that
coop
city
lost
refresh
tokens.
A
A
And
start
having
a
distinct,
separate
cache
in
there
and
using
that
file
or
whatever,
as
the
actual
locking
mechanism,
not
not
anything
in
process
or
anything
like
that
and
not
having
multiple
layers.
If
you
make
a
million
clients,
it's
okay,
you
get
a
million
copies,
but
they'll
still
be
synchronized
by
the
file
system.
It
doesn't
matter.
A
E
D
A
C
A
E
Okay,
here
it
doesn't
sound,
like
anyone,
has
a
strong
objection
to
beautify
again.
A
All
right
trusted
anchor
sets.
I
have
not
read
this
cap.
E
E
Certificate
provisioner
kept
draft
google
doc
thingy
was
that
trust
anchor
sets
were
a
useful
piece
of
functionality
on
their
own,
so
they
should
be
broken
out
into
account
and
landed,
and
then
so
I've
done
that
it's
largely
the
same,
except
I
did
a
little
digging
into
how
certificate
signing
requests
interact
with
our
back
and
I
copied
that
mechanism
for
trust
anchor
sets
so
trust.
The
trust
maker
sets
now
carry
a
sign,
a
spec
dot,
signer
name
field.
E
That
is
the
name
of
their
signer,
that
controls
them,
and
then
you
can
use
rbac
to
say
a
user
xyz
can
update
all
trust.
Snickers
sets
associated
with
signer
x.
A
Can
have
an
in-depth
discussion
next
time
or
something
so
I
just
did
a
quick
scan
of
the
api.
The
one
thing
that
sticks
out
to
me
is
as
a
for
example,
on
these
things.
It
is,
is
the
concept
of
a
crl
discussed
within
this
cap?
F
A
Yeah
I
mean
so
it
is
possible
for
this,
the
crl
endpoint
to
be
embedded
within
the
ca
itself,
and
that's
not
uncommon
for
like
the
big
cas
to
have
it,
because
you
know
they
have
a
ton
of
pki
infrastructure,
but
it
would
be
nice
to
have
the
capability
of
you
know.
I
you
know
I
have
this.
The
ca
bundle
whatever
it's,
maybe
just
a
file
on
disk,
and
I
want
to
be
able
to
control
revocation
for
it
within
this.
E
A
Yeah,
I
guess
I
wasn't
imagining
the
url-based
one,
but
I
guess
you
could
have
both.
I
guess
it
wouldn't
necessarily
hurt
to
have
both.
E
A
C
So
there's
not
like
a
verify
option,
at
least
as
of
one
level
of
go
go
is
that
116
is
the
last
time
I
remember
personally
looking.
A
Just
so
there
would
be,
I
guess
some
implication
for
like
the
cubelet
or
whichever
actor
we're,
is
doing
the
verification
to
be
enhanced
to
also
consume
the
information
in
some
writing
shape
or
form.
A
Right,
which,
which
is
fair,
I
I
think
what
what
I'm
hoping
for
is,
the
mechanism
to
be
available
and
less
of
the
enforcement
that
workloads
do
the
right
thing.
A
C
In
my
own
world,
I've
gotten
a
lot
of
requests
for
it.
The
assumption
is
that
it's
built
into
the
library,
and
we
just
aren't
using
it.
I
I
don't
know
that
I
have
an
opinion
about
coupling
it
together
here.
My
memory
is
that
you
can
actually
just
say
on
a
ca
bundle.
Here's
where
my
crl
is
and
if
the
client
honors
it
it
works,
and
so,
if
the
trust
anchor
gives
us
a
spot
to
place
that
which
I
haven't
read
this
cap,
probably
because
it
was
made
at
3am
today
then.
A
Yeah,
I
guess
in
my
head,
I
was
imagining
like
if
you
have
an
existing
kubernetes
cluster
with
just
its
file-based
ca
bundle,
and
you
want
to
you
have
some
way
of
doing,
revocation
in
the
sense
of
knowing
when
to
evoke
some
certificates
that
you
have
issued.
A
D
Just
one
thought
from
looking
at
the
api
here.
I
definitely
think
this
will
be
useful
for
organizations
that
maintain
their
own
private
cas
for
internal
services.
I'm
not
sure
what
I
don't
think.
Signer
name
is
necessarily
relevant
in
that
case.
E
So
I
create
my
own
example.com,
slash,
super
cool
ca,
signer
and
that's
how
I
surface
the
ability
to
use
that
private
ca
hierarchy
inside
my
cluster
there's
some
cases
where
the
signer
name
is
kind
of
redundant.
Where
like
what
mike
was
wanting
where
we
could
throw
some
certs
into
one
of
these
trust
maker
sets
and
then
use
it
in
a
webhook,
backend
config.
D
Yeah,
that
makes
sense
I
mean
you
can
always
just
make
up
a
dummy,
signer
name.
I
guess
I'm
just
encouraging
you
to
think
about
the
case
where
you
want
to
do
like
mutual
tls
or
something
between
a
service.
That's
outside
of
the
cluster
as
well.
E
D
Yeah,
that
might
be
all
I'm
saying,
which
is
pretty
nitpicky
at
this
stage,
but
I
guess
just
kind
of
thinking
about
that
use
case.
E
E
If
you're
using
youtube
to
us-
and
you
want
to
federate
yourself
with
you-
know
some
other
company-
you
want
to
talk
to
their
workloads-
that's
still
occurring
under
the
auspices
of
your
dot.
Example.Com
super
cool
case
signer,
but
it
will
have
a
different
named.
Trusting
set
you'll
have
the
default
one
for
your
workloads
and
then
you'll
have
you
know:
billy
bob's,
emporium
trust
set.
A
A
A
Okay,
no,
it's
fine,
it
looks
like
otherwise
the
regular
stuff
is
happy
and
then,
let's
see.
A
C
My
eyes
are
so
bad.
I
can't
read
what
you're
showing
me:
okay
hold
on
sorry,
my
bad.
C
There
we
go
blind
person,
so
the
opting
out
was
to
be
sure
that
you
didn't
get
it
assigned
by
admission.
I
am
surprised
that
it's
flaking,
I
don't
have
insight
as
to
why.
A
A
All
right,
let's
take
that,
does
anyone
else
have
anything
they
want
to
talk
about.