►
From YouTube: SIG-Auth Bi-Weekly Meeting for 20220720
Description
SIG-Auth Bi-Weekly Meeting for 20220720
A
A
All
right
so
off
issues
of
notes,
I'll
just
start
opening
these
up.
C
I
just
threw
these
in
here
to
get
eyes
on
them.
These
were
a
couple
bugs
that
got
identified.
I
think
they
were
late
last
release.
That
seemed
like
things
we
should
try
to
address
in
the
125
time
frame.
They
are
pretty
long
standing,
so
I
don't
know
that
they
are
like
the
severity
is
high,
but
their
correctness
issues.
So
it
would
be
good
to
get
them
addressed
this
one.
I
don't
think,
has
anyone
actively
working
on
it?
I
think
it
got
assigned
a
while
ago
and
I
haven't
seen
any
activity.
C
So
if
it's
going
to
get
addressed
at
125,
we
probably
need
someone
else
to
pick
it
up.
C
It
is,
but
that's
been
a
month
more
than
a
month
should.
C
The
other
one
someone
got
assigned
someone
opened
a
pull
request
today.
Actually,
so
I
I
wanted
to
get
eyes
on
it,
since
this
is
a
I,
I
vaguely
remember
there
being
a
little
bit
of
discussion
around
the
issue,
whether
it
was
necessary.
C
C
So
I
I
haven't
reviewed
the
pr
I
assigned
myself
to
review
the
pr
for,
like
compatibility
backwards,
supports
commutability,
but
if
people
have
thoughts
on
the
actual
key
usage
aspect,
I
would
welcome
that
feedback.
A
A
Thanks
for
raising
these
all
right,
so
pool
of
note,
that's
what
we
just
opened
up.
B
I
think
this
is
just
a
call
to
get
more
eyes
on
it,
more
reviews
so
that
we
can
get
this
hopefully
merged
for
125.
B
D
D
If
we
were
going
to
try
to
like
directly
call
the
marshall
functions
on
the
on
that
prototype.
Or
would
we
want
to
use
the
protobuf
serializer
we
have
which
wraps
the
whole
thing
in
the
runtime
that
unknown
thing
or
the
type
metasta,
which
then
leads
to
the
question
of?
If
we
did
the
latter,
then,
are
we
going
to
basically
have
like
conversioning
of
this
new
protostructure,
which
we
will
then
I
guess
bump
and
maintain
and
test
for
basically
how?
D
A
That's
a
good
question,
so
I
don't
think
we
need
multiple
encoding
formats.
A
And
I'd
like
to
think
that
we're
not
going
to
need
a
v2
of
the
obstruct,
I
guess
the
proto
anytime
soon,
but
I
you
know,
I
don't
know
the.
I
guess
the
alternative
is
doing
a
migration
like
we're
doing
now,
but
we
do
have
the.
A
I
I
guess
how
how
much
work
is
it
to?
Are
there
present
pros
towards
just
using
the
proto-marshall
functions?
So
it's
a
lot.
D
Simpler,
so
it
certainly
like
ends
up
being
kind
of
like
easier
code
to
read,
because
all
the
logic
basically
already
exists
in
a
separate
place
and
in
a
sense
you
could
assume
it's
correct
and
it
gives
you
a
bunch
of
flexibility
to
change
stuff
later.
D
The
weirdness
of
that
flexibility
is
now
you're
like
storing
you're,
storing
a
runtime
down
unknown
with
type
meta
information.
So
now
you
have
to
have
type
meta
information
right,
like
you
have
to
declare
an
api
version
and
stuff
for
the
thing
that
you're
going
to
store
in
there,
because
you're
effectively
saying
that
that
encrypted
object
is
like,
for
example,
the
equivalent
of
like
a
pod
or
something
right
like
you're.
You
have
like
that
layer
of
indirection,
so
you
get
a
bunch
of
flexibility
from
that
layer.
D
D
And
you
know
that
you
know
reminds
me
of
the
fcv
storage
path
test
that
confirms
this
for
all
for
all
existing
resources
right,
so
I
would
feel
the
need
to
like
expand
it
to
cover
this.
Are
you
saying
something
about
this.
A
I
would
like
to
hear
what
others
think.
Maybe
jordan
do
you
think
this
needs
a
full
api
group
for
the
like
prefix
and
associated
data
for
an
encrypted
record.
C
C
C
What
moe
was
talking
about
reminds
me
of
how
we
had
to
do
like
envelope,
wrapping
of
proto-encoded
stuff
to
add
like
an
api
version
kind,
but
I
will
admit
that
my
proto
serialization
foo
is
weak,
and
so
maybe
there
are
facilities
for
doing
that
version
like
self
self
identification
and
serialized
content
that
we're
not
taking
advantage
of.
I'm
I'm
just
not
very
familiar
with
what
is
possible.
B
B
C
E
Yeah,
so
with
this
question
we
are
adding
some
overhead
right
like
because
etcd
objects
are
limited
to
one
megabyte
and
adding
encryption
adds
some
small
overhead.
But,
like
now
we
add
a
lot
more
data
in
terms
of
head
to
each
secret.
So
we
could
run
into
secrets
not
being
able
to
store
being
able
to
be
serialized
to
etcd
without
in
the
new
version
where
it
would
have
been
possible
in
the
world.
D
So
you
have
to
remember
those
secrets:
are
size
limited
by
the
api
server
first
with
a
much
smaller
size
than
the
maximum
lcd
size
limit.
So
I
don't
think
you
can
actually
practically
hit
that
case
because
our
api,
our
api,
doesn't
like
you
storing
a
bunch
of
bytes
and
secrets
because
we're
not
your
database.
D
D
B
E
D
E
A
B
D
And
that
would
only
be,
I
think,
if
you
wanted
to
make
a
change
that,
like
an
old
api
server
using
the
old
schema,
would
confuse
or
lose
data
or
do
something
weird,
so
it
would
be
purposely
saying
hey.
I
want
this
v2
thing
and
I'll
do
like
you
know
a
graceful
rollout
of
the
capability
of
being
able
to
read
such
a
thing,
but
I
won't
write
as
it
for
some
like
another
release,
etc,
etc.
D
D
I
wasn't
even
leaning
towards
the
prototypalizer
out
of
just
like
knowing
it
yeah.
A
A
Okay
mo,
I
assigned
that
to
you
I'll,
take
a
look
as
well.
I
see
a
hand.
C
C
Trending
towards
code
freeze:
let's
make
sure
that
the
people
who
should
be
reviewing
things
are
like
assigned.
So
if
it's
assigned
to
mo-
and
you
were
going
to
look
mike,
maybe
assign
yourself
and
then
we
can
try
to
get
like
order
of
a
day
or
two
turnarounds
on
things.
Otherwise,
we
won't
make
progress
towards
cook
trees.
D
Anish
is
there
any
other
specific
questions
or
concerns
that
you
want
to
highlight
to
try
to
get
any?
I
banded
feedback,
though
that
was
the
one
item
about
product
stuff
was
the
thing
that
was
on
my
mind,
but
I
don't
remember
anything
else.
E
A
B
D
Also,
can
you
find
my
pr
that
was
like
I
made
a
pr
that
did
this
as
like,
remember
to
finish
this
by
125.?
Can
you
please
find
it
and
close
it
and
say
that
it
was
superseded
by
yours.
B
D
Yeah,
I
I
think
I
would
agree
with
you
mike.
I
just
consider
this
an
implementation
detail
and
we
made
sure
to
roll
it
out
in
a
way
over
multiple
versions
so
that
it
doesn't
break
anything
and
we're.
B
B
C
The
casing
it
is
the
less
a
cap
is
needed
if
there
are
like
caps,
are
useful
both
for
communicating
like
user-facing
things
and
for
like
documenting
design
decisions
so
like
the
more
of
either
of
those
there
are
in
this.
C
The
more
useful
I've
kept
is
to
capture
that,
if
we're
intending
this
to
be
like
a
self-driving
thing,
where
there's
no
user
toggle
switches
and
there's
no
like
action
required,
and
it's
not
user
surfaced,
then
maybe
it's
like
fully
an
implementation
detail.
I
I
haven't
dug
in
to
this
enough
to
know,
but.
A
So
this
is
the
data
encryption
algorithm
that
we
use
for
all
envelope
encryption
so
envelope
encryption
gets
one
type
of
encryption
in
the
past
that
was
aes
cbc
we're
trying
to
change
that
to
asgcm
it's
not
configurable.
A
Users
should
not
notice
the
that
we
are
making
this
migration.
A
We
supported
both
in
124
to
allow
for
a
downgrade
of
125
to
124
clusters.
Now
we
are
switching
rights
to
asgcm,
while
supporting
reads
by
ascbc.
A
I
think
just
making
sure
that
the
documentation
is
accurate.
I
think
maybe
some
somebody
might
be
interested
in
knowing
what
the
algorithm
is
used
because
of
they
have
to
tell
a
compliance
auditor
or
something
but
other
than
that
there
should
be
no
user
action
and
it's
a
relatively
small
change.
A
C
E
C
E
D
It's
it's
been
a
while
rita,
and
this
and
everyone
knows
who
had
these
conversations
that
we
were
talking
about.
I
think
we
think
we've
voted
for.
No,
we
will
not
include
any
details
about
this.
It's
an
implementation
detail.
We
have
to
change
the
whole
bumper
version
and
we'll
pick
whatever.
The
other
thing
is.
B
B
D
A
A
E
A
And
we
can
always
add
a
field
to
the
encrypted
blob
thing
now.
A
It's
possible
to
add
it
later
and
since
we
haven't
had
of
like
a
request
to
make
this
configurable,
yet
I
would
say
we
can
add
it
once
that
request
comes
in.
A
And
it
would
be
pretty
much
compatible
change
to
support
that
in
the
future,
we'll
just
default
gcm.
A
Pretty
much
compatible
in
that
you
can't
use
it
until
it
has
been
available
for
in
two
releases
for
the
downgrade.
I
guess
so
yeah
it
takes
longer
to
make
available
than
other
features
in
kubernetes,
but
not
much
longer.
Yeah.
C
This
seems
in
line
with
other
types
of
validation,
fixes
that
we've
made,
where,
like
internally
validation
like
tolerated,
relaxed
data
but
didn't
on
update
but
didn't,
allow
it
on
create
for
release
and
then
did
the
next
level
of
enablement
the
next
release,
and
there
were
no
user
knobs,
no
feature
gates.
No
cap,
it
was
like.
Oh,
we
found
a
validation
bug
and
we
fixed
it
over
two
releases.
A
A
A
This
time,
all
right
does
everybody
somewhat
agree
with
that.
A
Okay,
were
there
any
other.
A
Cool
anything
else
on
this
topic.
A
Mode
the
client
proxy
for
126
is
a
bunch
of
comments
were
addressed.
So
please
take
a
look
at
that.
D
A
A
A
I'm
actually
getting
kicked
out.
I
don't
know
why,
but
I'm
getting
kicked
out
of
a
meeting
room,
so
I
will
need
somebody
else
to
continue
this
sorry.
Okay,.
C
B
C
C
Looks
like
that
went
in
in
121.,
so
that's
not
related
to
that
wow.
That
was
a
long
time
ago.
C
B
C
D
C
B
B
B
B
Different
things,
yeah,
okay,
it'll
also
be
like
test
infra.
Maybe.
C
C
C
Yeah,
I
mean
at
this
point
we're
probably
far
down
enough
that,
like
there
have
been
failures
in
the
last
couple
weeks,
this
this
is
the
local
ede,
which
seems
like
that
job
itself
has
a
problem
and
it
doesn't
look
like.
We've
got
recent
regular
flakes
in
any
like
core
jobs
or
jobs
that
we
own.
So
that's
good.
C
B
Okay,
great
yeah,
let
me
know
if
you
need
any
help.
C
C
C
C
C
All
things
in
the
weird
position
of
not
being
a
required
pre-submit,
so
it
the
when
something
creeps
in
that
causes
problems
there.
It's
always
like
a
lagging
like.
Oh
the
periodic
job
went
haywire.
B
Okay,
all
right,
I
mean
I'll,
also
paint
some
folks
on
windows,
see
if
they
they
have.
They
know
anything
here.
Yeah.
C
C
124
jobs,
I
don't
maybe
there
aren't
124
jobs,
but
it's
interesting
that
it's
only
the
123
jobs
where
it's
showing
up.
C
B
Okay
sounds
good
I'll,
just
also
tag
the
sig
window.
Folks,
okay,
I
think
that's
it
anything
else.
We
need
to
look
at.
C
Just
a
reminder
that
code
freeze
will
happen
before
our
next
meeting,
so
timely
reviews
and
timely
updates
for
anything.
We
want
to
get
into
125.