►
From YouTube: SIG-Auth Bi-Weekly Meeting for 20220622
Description
SIG-Auth Bi-Weekly Meeting for 20220622
A
See
tomorrow,
is
enhancements
freeze
for
week
125.,
so
we're
just
going
to
go
over
some
of
the
open
she
got
kept
so
make
sure
we
get
those
in
so
like
you,
and
I
reviewed
this.
I
think
this
one
is
relatively
fine.
I
just
have
basically
one
open
question,
which
is,
I
know,
david's
not
here,
but
it's
basically.
A
This
is
not.
We
are
proposing
this
to
not
be
part
of
conformance
and
as
such
we
want
to
be
able
to
turn
it
off,
and
I
said
that
turning
it
off
using
the
runtime
config
seems
impractical,
because
you
would
turn
off
the
entire
authentication
group
doesn't
sound
like
a
good
idea
on
any
cluster
you
care
about.
A
B
Yes,
it
was
added
in
120
or
124
124.
Probably
124
is
when
we
said
that
new
beta
apis
would
not
be
on
by
default,
and
part
of
that
was
needing
resource
level
control
over
enablement
and
disablement.
So,
if
they're
not
on
by
default,
then
you
need
to
be
able
to
turn
on
a
particular
api.
I
see
the
comments.
What
version
was
that
on,
because
I'm
pretty
sure
that
capability
was
only
added
in
124.
A
A
Because
your
eyes
will
bleed
yeah,
it
didn't
look
fun
and
I
was
like
I
don't
really
understand
what
this
monster
does,
but,
okay,
so
all
right
so
max.
I
think
we
just
need
to
figure
out
the
syntax
for
exactly
disabling
this
particular
resource.
I
assume
it's
group
and
resource
right,
not
like
version.
It
doesn't
include
also
a
version
now.
It's
group
slash
version,
slash
resource
all
right,
we're
wonderful.
A
A
A
I
think
the
only
question
I
had
about
the
revocation
stuff
is:
if
we
build
some-
or
we
presumably
will
have
to
add
some
code
into
client,
go
for
using
this
resource
and
you
know
having
trust
based
off
of
it.
Would
we
want
to
build
within
that
the
capability
of
looking
at
those
extensions
for
like
the
ocsb,
urls
and
stuff?
A
A
A
A
Yeah-
let's
see
other
things
I
had
so
I
I
think
I
generally
like
the
design-
that's
here
now
with
just
having
a
dedicated
feel
for
respect
designer
name
and
just
using
admission
to
enforce
it.
It
is
a
little
bit
strange
to
me
that
it's
optional,
but
I
I
get
why
I
I
think
the
use
case
is
fine,
which
is
just
to
have
ca,
bundles
that
are
not
attached
to
a
specific
signer
in
the
sense
of
those
kubernetes
liner.
A
I
guess
I'd
ask
why
what's
what's
the
concern,
what
you
mean
a
direct
binding
for
our
back
for
system
authenticated,
so
I
I
think
you
had
said
that
you
want
create
pod
to
sort
of
indirectly
give
you
access
to
this
one
of
the
side
effects
of
having
the
name
name
name
of
both
the
object
and
the
sets
within
it
be
just
strings
that
somebody
came
up
with.
Is
that
they're
kind
of
hard
to
discover?
A
So
I
was
just
trying
to
think
of
ways
to
make
it
so
that
one
could
do
that,
and
if
the
information
is
meant
to
be
public
on
the
cluster
itself,
and
if
we
added
like
field
selector
support
for
the
designer
name
like
it
would
it
would
be
really
nice
to
be
able
to
just
be
like
hey,
keep
cto
get.
You
know,
cluster
trust
bundle,
field,
selector
designer
name
that
one
and
you'll
be
like
all
right,
cool.
Here's,
here's
the
stuff
on
this
cluster,
and
I
can
I'm
configuring
my
pods.
I
know
what
to
do.
A
D
A
C
You're
running,
like
a
builder
or
something
where
you
have
maybe
a
bunch
of
tenants
that
are
running
like
builds
in
containers,
for
I
don't
know,
building
a
website
or
running
like
I
guess,
hugo
or
something
in
that
situation.
You
like
you
at
runtime.
You
don't
want
the
tenants
to
have
access
to
the
read
arbitrary
data
about
the
cluster.
C
C
D
B
D
A
A
A
A
Like
I
think
the
api
is
expressed
better
and
is
less
magical
in
the
sense
of
the
name,
isn't
like
weirdly
deterministic,
based
on
some
algorithm
on
the
designer
name,
but
like
like.
I
I'm
trying
to
think
of
like
myself
installing
something
into
a
cluster
using
tooling
and
would
like
to
make
it
somewhat
more
automatic.
Instead
of
having
to
know
magic
strings.
E
Are
you
suggesting
that
there
should
be
like
a
default
like
association
of
your
trust,
anchor
sets
with
signers,
or
something
like
that?
So
I
I
still
just
as
a
user
need
to
specify
the
signer
I
want
and
then
maybe
I
can
override
the
default
if
I
really
want,
but
otherwise
I
just
get
like
what
the
signer
gives
me
or
what
that
association
is.
D
A
B
It's
not
like
they're
blocked
from
creating
a
deployment
where
a
service
account
fetches
it
from
the
api.
They
can
do
that
if
there's
evidence
that
that's
a
generally
useful
thing,
I
think
the
next
step
would
be
to
grant
get
access
on
the
particular
well-known
names
that
we
have
corresponding
to
the
signers,
because
it's
a
lot
easier
for
us
to
reason
about
like
here
are
the
kubernetes
signers.
B
D
D
We
have
docs
on
nearly
every
pod
that
runs
anywhere.
Sane
has
a
the
pot
anti-affinity
right,
that's
just
in
the
docks.
Maybe
we
just
add
this
to
the
using
cluster
role
binding
stocks
to
create
this,
where
cluster
trust,
binding
stocks
create
this
role
binding,
so
that
people
can
actually
list
which
signers
exist.
B
A
A
A
A
B
A
A
You
must
have
this
extra
permission
to
be
allowed
to
update
that
specific
signer
in
the
in
the
kept
here
was
like,
I
think,
writing
it
out,
like
as
a
full
like
crud
style
echo,
and
I
was
like
I'm
not
sure
why
you
would
do
that.
I
just
said
you
would
you
would
just
use
a
custom
word
like
we
did
for
the
other
thing,
mostly
because
all
the
code
already
exists,
and
so
I
was
trying
to
come
up
with
a
verb
that
described
the
act
of
creating
slash,
updating,
a
a
bundle,
update,
bundle.
D
A
A
A
I
think
that
covers
most
of
the
stuff
there
I
think
two
high-level
stuff
I
had
is.
I
don't
think
we
have
a
pr
on
this
and
I
think
we
need
one
because
this
is
like
I
I
have
concerns
around
like
performance
of
this.
This
thing
I
I
don't.
I
don't
fully
understand
exactly
how
much
work
the
cuba
is
going
to
be
doing
to
keep
all
these
up
to
date,
especially
if
you
have
a
large
amount
of
pods
using
it.
A
Yeah,
it
says
that
the
qubit
will
keep
it
up
to
date,
and
I
one
of
the
questions
I
asked
is
all
like:
how
often
does
it
do
that
and
just
in
general
I
don't
there's
like
no
metrics
and
stuff
discussed,
so
I
don't.
I
don't
know
how,
like
an
admin,
would
understand
how
much
cpu
this
is
basically
consuming
across
their
cluster
or
anything
like
that.
A
B
Terms
of
like
visibility
to
performance,
I
mean
config
maps
and
secrets
did
cause
performance
issues
and
the
scalability
team
did
a
fair
amount
of
work
to
try
to
improve
that,
and
even
added
things
like
immutable,
config
maps
and
secrets.
So
you
can
flag
things
that
shouldn't
change
so
that
people
who
hit
specific
problems
could
dig
themselves
out
of
holes
by
markings
as
unchangeable
to
stop
the
cuban
doing
work
on
this.
A
C
Yeah,
I
think,
there's
a
lot
that
still
needs,
so
I
have
not
commented
on
the
kept
about
this
yet,
but
I
think
the
api
is
needs
a
fair
amount
of
work.
I'm
kind
of
confused
by
the
complexity,
specifically
like
multiple
non-default
trust
anchor
sets
in
a
cluster
bundle.
I
don't
understand
why
there's
one
does
anybody
here
know,
or
should
we
wait
for
it
to
hear
for
something
like
that.
C
D
Right,
the
intent
is
that
eventually-
and
this
is
this-
is
very
much
a
google
alt
use
case
first
and
foremost,
the
intent
is
that
eventually,
you
will
be
able
to
say
for
this
bundle
for
this
particular.
You
know
group,
you
use
you
use
this
ca
bundle
for
this
other
group.
You
use
a
different
ca
bundle
where
there
are
multiple
ca.
Bundles
that
are,
there
are
multiple
ca,
bundles
contained
within
one
cluster
trust
bundle
separated
out.
C
I
think
again,
so
that
is
a
very
opinionated
response
to
this.
I
don't
think
we
can
do
this
question
justice
without
both
sides
right,
I
absolutely
agree
I'll
just
I'll.
Just
for
that
question
I
think
the
other
one
is
the
actually.
I
have
two
more
comments
on
the
api.
The
other
one
is.
This:
has
a
status
with
conditions
similar
apis
for
projected
volumes.
Data
distribution
do
not
have
conditions.
C
C
When
it
goes
stale,
why
don't?
Why
doesn't
the
signer
just
update,
updated,
not
sure
if
there's
value
in
it
status,
field
here
and
then
I
think
the
final
confusing
point
about
this
api
is
the
actual
trust
anchors
projection
has
files
trust,
ankle,
anchor,
set
file
and
flat
file
types
there's,
and
I
it
I'm
wondering
if
we
can
simplify
this
a
bit.
A
So
certainly
I
think
you
could
you
could
get
rid
of
this
slice
right.
You
could
just
say
that
there
can
only
be
one
because
you
can
have
more
than
one
projection
right.
You
just
add
more
if
you
needed
more
than
one
and
then
this
bit
over
here
is
the
thing:
that's
missing
the
discriminator,
because
the
idea
is
the
reason
for
this
being
included
is
right.
A
A
Oh,
what
do
you
mean
like
the
like
the?
I
can't
remember
the
name,
but
maybe
jordan,
you
remember
like
the
like
the
cluster
hot
signers,
like
we
have
four
of
them
right
that
the
the
csr
controller
does
they
have
specific
designer
names
in
our
api?
So
if
I
was
to
go,
make
a
bundle
and
just
say
hey
by
the
way,
this
kubernetes
signer,
this
is
the
ca
bundle
associated
with
it.
Is
that
okay,
I
don't
think
it's
okay,
because
it
doesn't
really
make
sense.
B
Who
are
you
if
you're
a
cluster
admin,
then
maybe
this
is
how
you're
populating
the
trust
anchor
sets
for
the
kubernetes
signers
like
if
there's
an
authorization
check
around
you
know
permission
to
populate
for
a
particular
designer
name.
Then
I
I
haven't
thought
a
lot
about
it,
but
you
populating
trust
anchors
for
kubernetes
signers
in
these
objects
doesn't
offend
me.
A
So
what
I'm
hearing,
though,
is
probably
what
we
would
ask,
so
this
kept
right
now
does
not
say
anything
about
the
controller
manager,
but
maybe
it
should
maybe
it
should
have
some
mechanism
that
tells
the
controller
manager
hey
you're,
passed
in
the
ca
bundle
for
all
these
things.
I
think
at
least
some
of
them
you,
you
should
go
populate
objects
in
the
api
that
match
it,
because
that's
where
we
expect
people
to
actually
consume
it.
Now
you
have
an
api.
B
We
need
to
be
careful
that
so
the
signer
is
given
a
singular
certificate
to
sign
with
that
doesn't
mean
that
that
is
the
full
bundle,
especially
in
rotation
cases
or
aj
cases.
So
I
I
think
it's
worth
mentioning
and
discussing
like
how
does
this
interact
with
the
kubernetes
signers?
Are
we
going
to
create
objects
that
hold
the
bundles
for
the
community
designers,
which
components
going
to
do
that
how's
it
going
to
do
that?
How
do
we
handle
rotation
cases
like
right
now?
B
The
api
server
is
the
one
who
is
given
the
full
bundle
of
acceptable
client
cas
so
that,
but
that's
not
universal,
like
the
api
server,
isn't
the
one
that's
verifying
all
of
the
certificates
for
all
of
the
kubernetes
designers.
It
knows
about
the
client
cas,
but
that's
about
it,
maybe
not
sure
anyway.
I
I
think
that's
that
should
be
mentioned
and
clarified
and
discussed
and
say
like.
B
A
Good,
so
I
think
what
I'm
hearing,
though,
is,
I
think,
ted
you
had
some
comments.
I
would
ask
you
to
write
those
as
a
comment
in
the
chat.
I
think
mike
you
did
too
and
I'll
take
the
one
about
describing
that
well,
the
built-in
signers
probably
should
should
do
something
with
with
their
own
bundles
and
this
somehow
so,
but
I
think
what
I'm
hearing
is
that
this
is
not
ready
for
125
and
I
think
that's
okay
just
but
do
you
folks
agree
with
that?
C
A
A
A
A
B
Authorizers
seems
reasonable
and
plausible
and
useful
right.
It
seems
like
what
david's
asking
for
which
is.
I
want
to
take
the
you
know,
always
on
first
in
the
chain,
super
user
authorizer
and
move
where
it
happens
in
the
chain.
That
seems
like
a
distinct
feature,
request
thing
with
its
own
considerations,
and
if
we
allowed
that
to
be
movable,
then
it
could
be
ordered
along
with
other
authorizers
in
this.
So
I
I
think
this
is
independent
of
what
david
described
about
subjecting
the
super
user
group
to
web
hook.
Authorization.
A
B
Maybe
I
mean
authorization
runs
before
anything
else
gets
a
crack
at
the
request
and
anything
else
that
is
doing
authorization
checks
would
be
using
like
subject.
Access
review
would
enforce
it
and
things
that
are
using
their
own
authorization.
Logic
maybe
are
already
off
in
the
weeds,
like
we
have
a
hard
time
making
any
sort
of
guarantee
about
things
that
have
built
their
own
isolated
authorization,
checks
right.
A
So
but
like,
for
example,
I
I
have
servers
that
I
have
written
myself
that
are
based
off
of
kids
io,
slash
api
server,
that
delegate
back
to
the
api
server,
but
they,
but
they
are
hard
coded
with
a
check
right
now.
That
says,
if
presented
with
an
identity
in
this
group,
don't
bother
delegating
because
that's
just
a
waste
of
a
network.
B
A
A
A
The
ability
so
I
like
to
take
a
very
specific
check,
a
specific
example.
If
jordan,
if
you
remember
how
the
openshift
scopes
authorizer
is
implemented,
it
only
acts
on
requests
that
have
a
particular
extra
field,
because
it
knows
that
the
authentic
the
crew,
the
openshift
off
stack,
was
the
one
that
actually
did
the
authentication
and
not
like
the
kubernetes
code.
A
A
B
Yeah,
that
seems
useful.
I
don't
know
how
strongly
we
should
hold
that
as
a
requirement
for
like
get
being
able
to
define
multiple
web
hooks
and
being
able
to
make
them
struck
like
a
structured
config,
for
it
seems
useful.
The
filtering
aspect
is
a
lot
easier
to
do.
It's
like
possible
to
do
once
you
have
an
actual
config,
so
I
just
don't
have
a
sense
for
how
much
time
or
complexity
that
would
add.
A
A
So,
like
weirdly,
it
still
has
a
cube,
config
path
in
there,
but
also
this
and
this.
So
it's
it's
just
I.
I
think
this
is
a
typo.
I
think
they
meant
to
delete
this
and
forgot
to
delete
it
based
on
some
of
the
comments
I've
seen,
but
the
the
gist
of
what
I
had
asked.
It
is
to
not
continue
to
use
the
cube
config
format
as
a
way
of
specifying
what
the
web
book
is
and
instead
like
specify
the.
D
A
A
Yeah,
like
that,
that
part's
less
clear
to
me
like
I,
I
honestly
would
rather
just
start
with
like
you
get
exec
off.
So
if
you
want
to
find
you
can
host
a
plugin,
so,
like
no
authors
like
then
at
least
you
get
cert
and
tokens.
If
you
want,
because
your
exec,
odd
plugin
could
literally
be
echo
or
token
if
you
wanted
so
like
technically
it
does,
it
basically
does
all
the
things.
B
B
B
A
B
B
Can
take
that
and
take
the
server
stands
and
the
user
stanza
and
dump
them
into
an
in-memory
basically
make
an
mreq
config,
and
then
we
can
use
all
the
same
client,
config
construction
like
it's.
We
just
translate
that
internally.
So
that
saves
us
from
like
a
config
file,
referencing
a
config
file
for
sort
of
simple
cases
where
they
don't
need
to
specify
credentials
and
they
don't
need
to
specify
a
bunch
of
stuff.
I
don't
know
I
like.
I
said,
I'm
not
that
offended
by
basically
just
translating
the
flags
we
have
into
a
snippet.
A
C
B
C
A
Yeah
I
mean
I'm
okay,
if
we
just
decide
that
the
runway
is
too
short
because,
like
like
you
know
like
max,
is
kept,
we
talked
about
like
three
different
times
and
then
it
was
basically
just
right.
They
kept
this
one.
We
talked
about
a
very
long
time
ago.
I
think,
but
there's
like
a
many
month
gap
between
a
conversation
and
an
actual
cat.
A
The
the
cube
config
stuff
makes
me
a
little
unsure,
but
if
you
want
to
look
at
it,
I
guess
what
I'd
ask
is,
if
you
have
time
between
now
and
freeze,
look
at
it.
If
you
feel
that
strongly
enough
to
say
that
you
think
it's
ready,
then
then
we
can
pursue
it.
Otherwise,
I'm
okay,
if
if
it
slips-
and
we
just
take
more
time
on
it,
because
sigoth
has
like
well
seven
kept
being
tracked
right
now
for
125,
so
I
think
we
are
pretty
well
committed.