►
From YouTube: Sig-Auth Bi-Weekly Meeting for 20230719
Description
Sig-Auth Bi-Weekly Meeting for 20230719
A
A
Everyone,
this
is
the
Sig
auth
meeting
for
July
19,
2023.
I,
think
we
have
a
light
agenda
today
for
folks
that
weren't
aware
yesterday
was
code
freeze
for
128..
If
you
forgot,
then
it
might
be
a
little
late.
Otherwise,
if
you
have
some
exceptions
or
anything
in
you
know,
hope
those
get
approved
and
get
your
stuff
done.
A
B
All
right
one
moment,
sorry,
so
what
color
is
that
I'm
getting
set
up
like
I
just
want
to
do
a
quick
like
background,
slash
contacts
intro
there
I
know
like
yeah.
The
the
cap
yourself
is
huge,
so
we're
hoping
to
like
break
it
down,
and
you
know
pick
apart
things
that
are
only
relevant
to
the
focus
of
this
meeting.
B
B
B
Only
backup
like
those
does
so,
and
the
reason
why
we
are
here
is
because,
like
we
last
year
like
as
some
of
you
who
have
seen
this
cap
floating
around
might
remember
like
we
have
tried
like
multiple
approach
to
try
to
implement
and
present
this
CSI
API
challenge.
There
is
like
the
amount
of
data
is,
you
can
imagine
that
comes
back
from
the
provided
storage
provider
can
be
huge
right,
say
in
the
worst
case
scenario,
every
block
on
the
this
have
changed.
B
You
know,
I
think
you
have
10
terabytes
of
all
these,
like
hundreds
of
gigabytes
of
metadata,
coming
back
going
through
the
SCD
going
through
kubernetes
API
server,
finally
back
to
like
the
the
consumer,
so
we
have
to
like
kinda
in
a
way
like
I'm
thinking
out
of
the
box
and
so
that
the
conventional,
like
crd,
slash
controller
approach,
is
not
going
to
work.
We
tried
the
aggregate,
the
API
server
approach
that
got
shut
down
because
of
this
unbounded
amount
of
data.
They
can
flow
through,
like
the
kubernetes
control
plane.
B
So
you
know
we
try
to
put
together
a
device,
like
you
know,
a
grp,
PC,
streaming,
endpoint
and
then
part
of
the
requirements
is
that,
like
this
has
to
be
secured
from,
like
you
know,
a
a
workload
as
far
as
like
cluster
security
perspective.
So
hence
again,
we
want
to
take
the
time
to
talk,
walk
everyone
through
the
focus
of
the
cap
and
zoom
in
especially
on
the
security
aspect
of
it
and
give
some
advice
from
you
folks
to
see
you
know.
B
C
D
C
C
So,
as
I
will
mention
the
goals
of
this
design,
iteration-
and
there
were
two
previous
iterations
right-
was
to
provide
a
secure
and
idiomatic
CSI
API
to
it's
all.
Buzzwords,
okay,
efficiently,
identify
Okay
blah
blah
blah,
but
you
know
the
point
is
we're
going
to
get
change
blocks
from
a
volume
snapshot
between
two
volume
snapshots
and
all
all
the
allocated
blocks
of
a
snapshot
in
order
to
do
efficient,
backup
at
the
Block
Port
level?
Now
so
the
the
technical
details
of
how
to
do
that
are
pretty
straightforward
and
well
defined
by
industry.
C
The
issue
really
is
integrating
this
into
kubernetes
and
requirements
for
us.
You
know
are
like
we
cannot
be
any
less
secure
than
the
kubernetes
API
itself
and
we
cannot.
We.
We
have
to
use
the
existing
container
orchestrator
storage
provider,
interaction
pattern
used
by
the
CSI
API
implementations.
Today
right.
We
can't.
We
can't
impose
additional
constraints
of
the
service
on
the
storage
provider.
Right
to
you
know
to
do
anything
extra
fancy
in
terms
of
how
we
implement
this
by
the
the
co
hyphen
SP.
C
These
are
like
terminology
from
the
CSI
spec,
so
I'm
just
reusing
it.
You
know
these
abbreviations,
then
we
have
to
relay
a
large
amount
of
snapshot
metadata
without
overloading
the
kubernetes
API
server
and,
as
I
have
mentioned
right,
the
through
previous
couple
of
iterations.
We
figured
out
that
the
only
way
to
get
this
is
to
just
bypass
the
kubernetes
API
server,
because
no
matter
what
solution
we
do,
it's
going
to
go
through
the
kubernetes
API
server,
so
we
have
to
make
sure
that
whatever
we're
doing
you
know
adheres
to
these.
C
You
know
these
are
these:
are
the
goals
for
this
iteration
I'm?
Very
briefly,
going
to
flash
this
that
you
want
to
move
on,
because
it's
not
relevant
to
the
presentation
we
want
to
make.
We
want
you
guys
to
examine
the
security
aspects
of
what
we're
proposing.
This
is
the
use
of
an
API.
That's
what
we
want
to
check
that
our
use
of
this
API
is
secure,
not
the
details
of
the
API,
but
you
know
just
for
background
information.
It's
a
grpc
service
right,
which
has
a
couple
of
RPC
calls.
C
You
know
once
called
get
allocated
that
returns,
all
the
the
metadata
on
the
blocks
of
a
single
snapshot
and
the
other
is
called
get
Delta,
which
will
return
the
metadata
on
the
changes
between
two
snapshots,
and
you
know
the
the
rest
of
these
couple
of
slides
just
gives
us
the
detail,
and
the
format
of
you
know
how
we
represent
stuff
right.
So
it's
all
there
in
the
K
in
the
written
cap.
But
you
know
it's
just
interest
of
time:
I'm
not
going
to
go
through
this
data
right
now.
C
Oh
so
I
want
to
talk
about.
You
know
what
we
are
proposing,
so
the
CSI
spec
is,
you
know,
is
supposedly
independent
of
any
container
orchestration.
But
you
know
reality
is
you
know
we're
doing
this
from
the
point
of
view
of
kubernetes.
So
this
is
our
kubernetes
implementation
to
use
that
spec.
So
so
our
solution
requires
that
a
kubernetes
backup
application
will
directly
connect
to
this
grpc
I
just
showed
you
and
fetch
the
change
block
their
metadata
through
this
API,
bypassing
the
kubernetes
API
service.
C
We
call
it
the
external
snaps
snapshot
session
psych
up
and
that's
that's
provided
so
that
the
storage
provider
can
can
be
isolated
and
insulated
from
the
kubernetes
side
of
managing
the
session,
and
so
I'll
go
on
to
this
the
details
as
we
go
back,
but
you
know
just
keep
in
mind
what
the
overall
solution
is.
So
I'll
start
with
this
very
intimidating
picture
right,
which
has
big
picture
of
everything
and
we'll
zoom
in
some
of
y'all
may
not
even
be
able
to
read
it.
C
The
actual
vendor
specific
logic
used
to
actually
to
get
the
change
block
or
snapshot
blocks
is
going
to
be
handled
by
the
SP
Snappers
snapshot
session
service
and
existing
paradigms
today
says
that
the
sidecar
pattern
is
used
very
commonly
with
CSI,
and
the
existing
Paradigm
today
is
that
the
sidecar
talks
to
the
to
the
csips
through
a
Unix
domain
socket.
So
there's
no
security
ramifications,
particularly
over
here.
C
For
this
thing,
it's
deployed
by
the
SP
vendor,
but
the
most
important
takeaway
from
this
is
that
this,
the
storage
provider
doesn't
see
kubernetes
clients.
The
client
of
the
storage
provider
is
kubernetes,
so
in
the
container
orchestration,
the
entire
system
right
and
it's
securely
set
up
to
work
with
the
system.
The
clients
of
the
kubernetes
clients
are
not
clients
of
the
storage
provider.
C
That
is
that's
a
really
important
takeaway
from
this
part.
So
over
here
we
see
that
you
know.
So.
This
is
one
security
domain,
the
gray
one,
the
gray
area.
It's
it's,
the
Unix
domain
socket
stuff.
It's
already
an
established
pattern,
we're
just
using
this
pattern
and
we
provide
the
sidecar
to
handle
the
kubernetes
side
of
it.
C
Now
our
design
requires
that
a
kubernetes
backup
application.
Well,
it's
going
to
directly
use
this
grpc
service,
so
the
the
sidecar
we
provide
offers
such
a
service
right
and
kubernetes
backup
applications
run
in
the
cluster,
so
we're
really
going
to
make
TCP
IP
based
grpc
calls
to
the
Sidecar.
Now
the
tricky
thing
is
these
are
TLS
calls
not.
This
is
like
no
there's,
no
Mutual
authentication
involved.
Why?
Well
the
sidecar
itself
we
sidecar!
We
require
to
be
deployed
with
well.
C
You
know
to
provide
a
CA
certificate
and
you
know
things
like
that,
so
that
we
can
advertise
the
the
server
side
credentials
to
the
to
the
client
and
the
client
can
trust
the
certificate
they
call.
This
EQ
calls
no
problem,
but
we
don't
have-
or
we
don't
know
right
that
security
is
not
our
background,
but
we
don't
know
of
any
standard
mechanism
for
arbitrary
kubernetes
client
to
authenticate
or
validate
itself
to
a
kubernetes
application
right.
So
we
didn't
know
about
that.
Yeah
we
looked
at.
C
We
looked
at
various
forms
that
maybe
we
could
emulate.
You
know
we
ideally
we'd
love
to
just
use
the
whatever
ID
kubernetes
uses
when
we
use
say
cube
cutter
right,
we
log
in
and
we
do
stuff.
We
love
to
just
use
that
we
love
to
use
a
service
account.
For
example,
we
don't
know
how
to
so,
at
least
without
sucking
in
and
maintaining
and
and
basically
re
emulating
or
actually
modeling
what
the
kubernetes
API
server
does
today.
We
we
do
not
want
to
put
that
logic
into
our
Sidecar.
C
So
all
the
rest
of
the
solution
is
all
around.
How
do
we?
How
do
we
validate
this
backup
applications
connection
to
the
side
car
you
know
so
because
the
because
the
sidecars
address
and
certificate
is
well
known,
anyone
can
connect
to
it,
but
we
can't
let
unauthorized
entities
connect
to
it.
So
the
rest
of
the
solution
is
all
about
this.
How
do
we
authenticate
this
stuff?
C
So
there's
an
independent
manager
which
provides
the
snapshot
session,
request,
CR
controller
I'll
get
into
some
of
the
details
later
there
is
this
sidecar
and
the
psycha
is
advertised
to
the
manager
by
the
by
the
presence
of
a
simple
CR
which
just
gives
its
CA
certificate
address
and
there's
a
label
on
it,
so
the
manager
can
find
it
easy
efficiently.
Etc,
that's
all
standard
stuff,
then
the
back
a
backup
client
will
create
a
snapshot
session
request
in
the
snapshot.
Namespace
the
manager
handles
this
request.
C
Right
gets
invoked
and
it
will
look
for
that.
Sidecar
and
sorry.
Look
for
the
service
configuration
object
which
advertises
the
sidecar
it
finds
it.
Then
it
you
know,
authorizes
the
the
caller
and
creates
a
a
session
data
object
with
a
large,
unique
name
and
that's
this
object
is
created
in
the
namespace
of
the
CSI
driver,
and
the
manager
then
gives
the
the
the
name
of
this
object.
It
puts
that
name
and
the
the
ca
certificate
and
URL
of
the
site
car
into
the
result
of
this
session.
Request.
C
Then
the
backup
client
then
uses
this
session
token
and
makes
the
jrpc
calls
it's
talking
to
the
side.
Car
the
sidecar
looks
at
that
token
then
goes
and
searches
for
that
snapshot
session
data
CR
the
existence
says.
Okay,
you
know
this
is
the
token
is
valid
and
then
it
looks
inside
and
finds
the
rest
of
the
data
required.
What
is
authorized
to
be
used
and
does
the
rest
of
the
rest
of
the
the
validation
of
the
RPC
at
runtime?
C
A
C
A
Irregardless
of
the
schema
right
like,
for
example,
you
store
a
secret
inside
of
a
non-secret
custom
resource,
and
then
you
copy
it
to
a
different
one
right.
When,
at
the
bare
minimum
you
didn't
need
to
store
the
secret,
you
could
have
stored
a
hash
of
the
secret
like
there's,
there's,
like
all
sorts
of
like
better
actual
security
ways.
Jordan
go
first,
yeah.
C
Let
me
finish:
there's
only
a
few
more
slides
I
mean
the
deck
is
big,
but
I'm
only
showing
a
few
images.
So
it's
not
that
much
left.
Okay,
all
right
so
just
go
to
the
details.
So
the
session
set
up,
the
storage
format
is
not
involved
at
all
it's,
so
it's
only
on
the
community
side
right.
What
we're
providing
over
here
so
starting
off
from
where
the
snapshot
session
request
is
created
right.
The
application
then
creates
that
request
and
pulls
to
the
result,
and
so
it's
that's
what
the
application
does.
C
The
manager
has
a
validating
web
hook
to
check
the
contents
of
the
of
the
payload
and
validate
the
payload
of
the
object
and
then
a
little
bit
later
right
to
the
listeners
on
the
controller
right
yeah,
the
managers
controller
gets
access
at
this
point.
It
actually
goes
and
finds
the
CSI
driver
name
from
the
snapshot
or
objects
mentioned,
and
then
it
searches
for
the
snapshot
configuration
CR
by
using
a
label
search
once
it
finds
that
then
it
creates
this
session
data
CR
and
updates
the
result.
C
C
C
Sorry
yeah
the
sidecar,
then
you
know,
looks
up
that
CR
and
uses
it
to
validate
the
invokers
right
to
use
it,
and
it
then
checks
the
RPC
parameters
make
sure
they
are
correct.
As
per
the
session
and
just
you
know,
other
types
of
stuff
which
are
related
to
the
actual
request,
and
then
it
proxies
the
calls
with
all
the
translations
required
for
the
storage
provider
and
proxies
the
results
back
to
the
client.
C
You
know
so
there
was
the
okay.
Given
our
limited
security
background,
we
identified
a
couple
of
the
couple
of
issues
involved
which
we
had
to
address.
One
was
the
unintentional
exposure
to
volume,
snapshot
objects
by
an
entity,
who's
authorized
to
create
a
see
the
this
request
CR.
So
essentially,
we
put
a
validated
web
hook
in
place
to
make
sure
that
when
you
create
this
snap
snapshot
session
request
CR,
you
also
have
permissions
to
access.
Volume
snapshot
objects
in
that
same
namespace.
It's
a
namespace
object,
so
that
says
from
a
backup
applications
perspective.
C
Just
because
you
have
you
have
permissions
to
create
this
request.
Cr
doesn't
mean
you
have
permissions
to
peep
into
you
know,
to
use
it
to
grab
a
snapshot
data
from
any
arbitrary
application.
You
also
need.
You
also
need
access
to
the
volume
snapshots
in
that
namespace.
In
order
to
do
this,
that's
what
it
was
addressing
and
then
you
know
we're
worried
about
obviously
about
the
spooking
up
the
session
token,
because
the
sidecar's
existence
is
well
known,
so
the
mitigating
steps
we
take
for
this.
C
We
use
a
very
large,
very
long
string
of
randomly
chosen,
kubernetes
name
characters
for
the
name
yeah
we
could
put
the
we
could
use
the
name
or
we
could
put
the
name
in
something
else
and
use
a
token
search.
We
can.
We
can
address
all
that
right
and
that's
what
we're
really
talking
about.
You
know
some
of
the
feedback
we
want
from
you
guys.
More
importantly,
the
visibility
of
this
object
is
restricted
by
kubernetes
are
back
to
the
CSI
driver
and
to
the
manager.
C
Essentially,
we
don't
want
the
backup
application
to
have
access
to
this.
Then
we
also
impose
a
Lifetime
on
this
object.
So
there
is
this
inspiring
field
in
the
object
and
the
expiry
timeout
is
enforced
by
the
sidecar
and
is
enforced
by
the
manager.
The
manager
will
also
delete
all
these
objects
as
they
expire.
C
So
in
a
nutshell,
I
mean
these
are
the
permissions
we
were.
We
were
defining
or
we
are
requiring
sorry
exist.
Every
CSI
driver
right
in
every
infrastructure.
They
have
their
own
way
own
ways
of
setting
up
policies
to
you
know
do
this,
but
essentially
so
we
have
three
principles
involved
here.
There's
the
backup
application
service
account
right
that
one's
going
to
need
access
to
the
to
create
the
snapshot,
session,
requests
or
objects,
and
is
also
going
to
need
access
to
get
volume
snapshots
in
that
same
name
space.
C
Then
there's
the
snapshot
session
manager,
which
pretty
much
needs
permissions
on
everything,
though,
on
the
configuration
object.
It's
only
going
to
get
unless
so
I'm
going
to
delete
those
objects
and
there's
the
CSA
driver
service
account.
The
CSI
driver
service
account
is
going
to
need
permissions
to
get
list,
delete
the
snapshot
session
data
objects
it.
It
definitely
already
has
permissions
to
read
volume
snapshots,
because
that's
the
it's
the
entity
that
has
been
creating
these
volume
snapshots
to
start
with
the.
C
E
It
sounds
like
you
have.
This
is
a
good
screen
if
we
could
just
sit
on
this
one
for
a
minute,
so
you
have
the
backup
application,
which
has
a
service
account.
So
this
is
a
kubernetes
service
account
already.
So
it
has.
An
identity
am
I
understanding
that
correctly,
yes,
okay
and
it's
making
kubernetes
API
calls
so
it
it's
getting
service
account
credentials,
somehow,
probably
running
in
a
pod
being
fed
service,
account
credentials
and
then
the
driver,
so
the
the
token
that
you're
envisioning
this
thing
getting.
C
E
And
when
jumping
back
to
the
page,
that
has
the
actors
which
actor
is
this
is
the
site.
Top
This
is
the
sidecar
okay.
So
then
it's
going
to
take
the
token
and
validate
it
somehow
that
this
is
a
good
token
and
that
it
represents
authorization
to
do
this
request.
So
it
seems,
like
the
are
those
the
bits
you're
wanting
feedback
for
like
how
how
to
get
this
backup
application
a
token
and
then
how
the
driver
can
use
that
token
or
verify
that
token
is
authorized.
Is
that
you're?
E
E
For
a
few
reasons,
one
is
that
anyone
who
has
the
ability
to
list
those
objects
can
see
all
of
those
Secrets.
Yes,
so
that's
that's
not
great
and
then
even
worse,
the
name
of
objects
is
used
in
their
etcd
storage
paths,
and
so,
even
if
you
like
encrypted
your
storage
information,
the
content
of
the
storage
and
CD,
if
the
secret
is
the
name
of
the
object,
that
means
the
secret
is
unencrypted
in
the
in
NTD.
E
So
having
it
also
shows
up
in
other
places,
it
shows
up
in
the
URL
of
the
object
when
you
request
it,
which
can
easily
get
logged
like
having
the
name
of
the
object
could
be.
The
secret
is
not
great,
so
just
right
off
the
bat.
That's
that's
not
a
great
thing.
Fortunately,
we
do
have
a
way
to
create
tokens
that
can
be
used
to
verify
identity
to
arbitrary
audiences.
So
what
I
would
recommend
is
using
audience.
Scoped
service
account
tokens
for
this.
E
So
if
the
backup
application
is
going
to
be
making
backup
requests
to
some
CSI
driver,
it
can
ask
for
a
token
for
its
service
account
yeah
scoped
to
the
audience
of
that
CSI
driver
or
CSI
service,
so
that
can
be
either
a
well-known
name
for
that
CSI
driver
or
it
could
be.
The
service
name
of
the
CSI
driver,
I'm,
not
sure
how
how
the
backup
application
identifies
the
grpc
service
that's
going
to
make
a
call
to,
but
it
would
it
would
say.
C
E
C
Do
need
one
thing,
though:
we
do
need
one
thing,
and
that
is
so
that
again
I
don't
know
the
apis.
You
just
say
you,
you
know
who
can
use
this
API
for
the
audience.
Scope
service
account
token,
but
assuming
that
it's
that
it's
only
doable
by
the
backup
client
right,
how
when
we
pass
it
through
I
mean
yes,
we
this
so
This
manager
can
validate
the
snapshot
contents
and
all
that
part
has
to
be
done
because
the
service
account
doesn't
actually.
This
SP
doesn't
actually
do
that.
E
Token
yeah,
so
there's
there's
two
ways
to
get
a
token.
One
is
to
make
the
API
request
directly.
Okay,
and
so
that's
just
a
normal
API
call
I'll
I'll
link
to
the
API.
So
that's
a
normal
API
call
that's
authorized
in
in
the
normal
way.
So
if
you
could
do
this
in
Cube
control
like
as
a
admin,
you
could
say,
keep
control
create
token
for
this
service
account
and
if
you
are
authorized
to
you
can
create
a
token.
E
You
can
request
those
tokens,
so
it
automatically
gets
a
token
that
identifies
it
to
the
API
server.
But
what
you're
wanting
to
do
is
identify
that
service
account
to
some
other
service
like
the
CSI
service.
So
that
doesn't
happen
automatically,
but
you
can
add
things
to
the
backup
pod
to
say:
I
want
to
mount
in
a
token
to
identify
myself
to
the
CSI.
B
B
E
The
CSI
portion
of
it
is
agnostic,
it's
just
an
opaque
token,
so
we're
trying
to
figure
out
how
to
make
use
on
either
end
like
the
backup
application
running
in
kubernetes
context
and
a
CSI
snapshot
service
running
in
the
kubernetes
context.
Both
of
those
are
kubernetes
specific,
so
you're
using
the
CSI
Plumbing.
E
So
the
plumbing,
through
the
CSI
grpc
request,
is
just
agnostic,
it's
just
here's
a
token
session
token
sure,
but
the
backup
application
is
running
in
kubernetes,
and
so
it's
going
to
get
its
token
from
kubernetes
and
the
backup
service
is
running
in
kubernetes,
and
so
it's
going
to
verify
the
token
against
kubernetes
mechanisms
right.
So
the
The
Proposal
you
have
is
verifying
the
token
by
making
a
kubernetes
request
to
see
if
there's
an
object
named
a
certain
way.
E
B
E
About
what
happens
in
the
sidecar
and
what
happens
in
the
driver
like
if,
if
the
point
of
the
sidecar
is
to
do
the
kubernetes
specific
things
and
then
hand
it
off
to
this
is
CSI
driver
and
the
CSI
driver
can
assume
that
it
was
all
authorized
and
verified
already
that's
a
possibility,
like
the
sidecar,
can
do
that
check.
The
sidecar
can
say
you
know
I'm
running
on
behalf
of
CSI
driver
Foo,
so
I'm
going
to
take
the
session
token.
E
Do
a
kubernetes
API
call
to
do
a
token
review
to
get
out
the
identity
then
turn
around
and
do
an
authorization
check
on
that
identity
and
once
everything
is
happy,
then
I'll
pass
it
through
to
the
CSI
driver
and
the
CSI
driver
just
says:
I
assume.
This
is
okay.
Now
I
I'm
I'm
fuzzy
on
the
line
on
what
the
role
of
the
sidecar
is
in
terms
of
enforcing
kubernetes,
specific
stuff.
C
Yeah,
oh
so
the
sidecar
really
insulates
the
storage
providers
service
from
kubernetes
clients,
so
it
has
to
it's.
Basically,
it's
a
proxy,
so
you
know
it
invalidates
that
the
clients
are
correct
and
then
it
just
passes.
Does
the
business
logic
stuff
to
the
service
provider
using
whatever
you
know,
as
a
service
provider,
the
storage
provider's
got
been
set
up
to
do
support
the
entire
cluster
right.
It's
authorization
support
the
cluster,
but
it
doesn't
know
about
the
individual
clients
within
the
cluster.
That's
the
sidecar's
job
to
do
all
that.
Yeah.
C
C
Token
right.
Okay
service
account
token,
but
we
also
have
to
convey
to
the
sidecar
the
context
under
which
we're
operating,
because
we
have
done
an
authorization
check
right
at
the
in
the
in
the
controller.
Now
that
authorization
check
could
be
done
in
the
side
cut
too.
If
that
token
can
be
used
in
the
same
way,
see
right
now
we
we
are
using
a
validating
web
hook
to
do
that.
C
Authorization
check
for
the
snapshots
and
kubernetes
API
is
validating
the
actual
construction
of
the
CR,
which
is
I
mean
incidental,
because
that's
you
know
that's
only
about
because
we
had
to
make
a
session,
but
the
check
to
do
to
authorize
access
to
snapshots
is
a
SAR
check
right,
Prasad
chamin
over
here.
You've
done
you
right.
You
know
this,
and
can
this
account
service
account
token
be
used
for
the
same
check
exactly.
E
Yeah
it
it
that's
exactly
what
it
can
do.
So
there's
two
steps,
one,
you
take
the
token
and
you
do
a
token
review
to
make
sure
that
the
token
is
valid
for
your
audience
and
what
you
get
back
is
the
user
information
which
you
would
then
drop
into
a
subject.
Access
review
to
do
an
authorization
check.
So
it's
two
steps.
One
is
verify
the
token
and
get
the
identity
and
then
the
second
step
is
to
take
that
identity
and
check
the
authorization.
D
A
C
Yeah
yeah
I
mean
cluster
Road
cluster
role.
Bindings
I
mean
we
have
to
leave
that
to
the
CSS
driver,
but
you
know
we
can
you
know
because
they
already
have.
It
deploys
CSI
things
with
all
the
stuff,
so
we
just
have
to
advise
people
how
to
set
what
you
know
like
I
had
in
that
last
slide.
This
is
what
we
need
effectively
set
it
up
and
whatever
policies
you
already
have
right.
So.
D
A
A
If
you
can
accurately
model
what
you
want
in
the
way
that
sort
of
kubernetes
expects
you
ask
these
questions,
I
think
you
could
get
the
oxy
checks
that
you
expect
I.
Think
the
certainly
the
can
this
identity,
or
does
this
identity
have
list
access
on
these
resources
within
this
namespace.
Yet
we
can
obviously
help
you
answer
that
question
very
easily.
Yeah
yeah.
A
E
The
token
review
and
subject
access
review
apis
are
V1
and
stable
and
those
are
the
foundation
of
everything
kubernetes
does
with
delegated
authentication
and
authorization,
so
they're
not
going
anywhere.
The
API
calls
you
make
against
those
would
continue
to
work,
even
if
we
add
things
in
the
future
and
there
are
helpers
and
foreign
straightforward
clients
in
a
client
go
that
will
do
these
things.
A
A
E
F
Be
happening
suggesting
either
to
them,
but
if
you
actually
look
at
the
API,
it's
really
well
factored
into
I
know
about
these
things.
I
know
what
a
user
is.
I
know
what
a
group
is
I
know
what
verb
resource
I
want
to
ask
the
API
server
about.
Let
me
make
that
request
and
whether
you
use
the
the
API
server
delegator
or
whether
you
use
just
client
go
and
roll
your
own
I
think
you'll
be
able
to
understand
it.
F
F
D
D
E
C
E
A
a
jaw,
it's
an
opaque
token.
You
should
be
able
to
just
set
it
directly
and
there's
it
can
be
treated
as
opaque.
Actually,
all
the
way
through
to
the
CSI
driver,
the
CSI
driver
is
going
to
take
that
token
and
put
it
into
a
token
review
request
and
pass
it
to
the
kubernetes
API
server
and
say:
please
tell
me
if
this
is
valid
and
who
this
represents.
Okay,
so
nobody
needs
to
introspect
the
token
anywhere
in
your
chain.
D
A
And
I
don't
know
if
it's
relevant
but
I
know
secret
CSI
store,
which
is
a
CSI
driver,
uses
bound
service,
account
tokens
in
a
special
way
for
sort
of
passing
through
application
identities.
I,
don't
know.
If
you
have
that
same
use
case.
The
diagram
is
complex
enough.
That
I
can't
actually
follow.
What
actors
are
doing
what,
but
that
might
be
useful
to
you
guys
too
I
don't
know
if
it's
relevant.
B
B
No
I
think
this
is
I,
think
we
that
this
token
review
stuff
it
come
up
during
our
previous
discussion
I
think
there
was
also
a
prototype
being
done
on
it,
so
we
can
always
pull
that
back
up
to
see
where
we
left
off
the
yeah.
The
reason
why
we
started
to
roll
our
own
like
session
code,
looking
thing
I
think
is
because
someone
brought
up
that
it
has
to
be.
You
know
kubernetes
on
or
platform
agnostic.
B
E
B
A
About
authenticating
the
sidecar
to
the
backup
thing,
it
is
effectively
part
of
the
backup,
then
application
over
a
well-defined
interface
that
abstracts
kubernetes
from
it.
Yes,
it
is
correct,
so
I
mean
that
that
seems
totally
fine,
I
think
you're,
basically
just
gonna
end
up
building
a
very
kubernetes
specific
shim,
yes,
I
think
that's
yeah
I
think
that's
totally
valid
and
expected.
C
D
C
C
A
E
E
Right
yeah
there,
if
you
want
to
pull
it
up,
that's
an
example
of
asking
for
a
token
for
the
vault
audience
and
then
putting
it
at
a
specific
point
in
the
in
the
Pod.
So
you
could
ask
for
a
token,
for
you
know
the
vsphere
CSI
driver
or
the
whatever
the
audience
that
you
come
up
with
for
the
particular
CSI
driver.
E
And,
and
if
you
do
it
this
way,
you
don't
have
to
worry
about
setting
up
any
other
permissions
for
making
the
token
API
requests
to
get
the
token
and
the
cubelet
handles
rotation
of
it
for
you.
So
it's
a
it's
a
Time
limited
token,
but
the
cubelet
will
say
at
80
of
its
lifetime.
It'll
fetch
a
new
token
and
update
it
inside
the
Pod,
so
inside
the
side
inside
the
backup
service
pod.
C
E
So
if
it's
long-lived,
then
this
is
really
nice,
because
the
cube
will
rotate
it
for
you.
If
it's
only
going
to
read
it
at
startup,
then
that
doesn't
matter
as
much,
but
it
also
is
nice
because
the
cubelet
will
get
it
for
you.
You
don't
have
to
write
the
clients
to
request
the
token
and
make
sure
it
has
permissions
and
stuff
it
just
gets
handed
the
token
so.
E
So
that
the
key
here
is
the
the
use
of
the
audience.
So
if
you
don't
include
an
audience
there,
then
what
you're
actually
getting
is
a
token
that
is
usable
against
the
kubernetes
API
server,
and
so,
if
you
hand
that
token
to
the
CSI
driver
which
you've
effectively
done
is
given
the
CSI
driver
a
token
that
it
can
use
to
do
anything,
you
can
do
against
the
API.
So
it's
really
important
to
include
the
audience
here,
so
you
can
say
here's
a
token
that
identifies
me,
but
only
for
this
particular
audience.
C
Yeah
so
suggest
you
reiterate
so
essentially
once
we
get
that
token
in
the
in
the.
Where
is
this
dude
in
the
backup
application
yeah
so
talking
from
the
backup
application
we
send
it
to
the
site
car,
then
the
side
cow
can
do.
Subject
access
review
on
that
token
to
make
sure
that
the
caller
has
access
to
the
right
things
correct.
First,.
E
D
C
E
B
A
You
just
got
a
token
review.
It
would
then
use
that
you
tell
the
API
server
that
I
want
this
token
to
match
The
Vault
audience,
and
so
the
apis
are
cool
I'm,
going
to
validate
all
the
crypto
and
everything,
but
at
the
end
of
it,
I'm
going
to
validate
also
that
it's
not
necessarily
valid.
For
me,
it's
valid
for
some
opaque
string
called
Vault,
which
is
the
audience.
A
B
E
So
a
couple
there
are
a
couple
ways
to
normally
do
it.
One
is
like
a
well-known
string
like
when
I'm
talking
to
Vault,
I,
say
Vault
or
when
I'm
talking
to
a
vsphere
CSI
driver
I'm
using
the
name
BC
or
CSI
or
whatever
that's
one
way
to
do
it.
Another
way
is
to
use
the
address
or
the
name
of
the
service
you're
actually
calling
to
as
the
audience.
So.
E
D
E
A
I,
don't
know
if
you
need
this
here.
This
is
about
how
for
a
CSI
driver
to
get
the
identity
information
about
a
pod,
that's
going
through
the
CSI
interface,
which
is
relevant
in
the
case
of
something
like
secret
CSI
store,
because
it
uses
that
token
to
then
talk
to
like
Azure,
key
Vault
or
Cloud
KMS
on
Google.
D
D
A
In
the
use
case,
where
you
need
the
CSI
driver
to
talk
to
some
external
identity-
sorry,
some
external
system,
but
it
can't
use
its
own
identity
because
using
its
own
identity,
would
require
it
to
have
all
the
privileges
in
the
world.
Instead,
it
needs
to
use
an
app
local
identity.
So
that
way,
applications
can
have
access
to
like
individual
secrets
and
the
CSI
driver
itself
is
permissionless.
D
C
E
D
C
Going
to
get
the
token
the
the
audience
token
here
right
the
audience
scope
token
from
the
backup
app
coming
here.
Yep
this
guy
is
going
to
use
the
essay.
After
does
a
token
review.
You
said:
was
that
a
token
review
API
to
validate
that
token
yeah
and
then
it's
going
to
do
an
SAR.
With
that
token
correct
so.
E
Those
two
pieces
of
information
for
the
for
validating
the
token.
If
it
needs
to
access
other
kubernetes
objects
in
order
to
do
its
job,
then
it
would
need
permissions
to
read
those
things
I'm
we
hit.
We
didn't
really
talk
about
what
other
information
was
in
these
that
it
would
need
to
slurp
up
to
pass
to
the
CSR
driver.
B
D
B
Thanks
Carl
yeah
I
want
to
be
I'm.
Sorry,
we
are
three
minutes
past
just
want
to
be
aware
of
everyone's
time.
I
think
this
is
where
available,
valuable
and
helpful.
Thank
you.
Everyone
for
taking
the
time
to
talk
us
through
this.
If
you
have
any
questions
we'll
reach
out
on
slack.
Thank
you
very
much.