Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Kubernetes / SIG Auth / 20 Jul 2022
Kubernetes / SIG Auth / 20 Jul 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: SIG-Auth Bi-Weekly Meeting for 20220720

Description

SIG-Auth Bi-Weekly Meeting for 20220720

A

All right, hello, everyone welcome. This meeting is.

B

Being recorded.

A

uh Welcome to the uh july 20th meeting of sigots, we have a couple items on the agenda, so let's get started.

A

All right so off um issues of notes, I'll just start opening these up.

C

I just threw these in here to get eyes on them. These were a couple bugs that got identified. uh I think they were late last release. um That seemed like things we should try to address in the 125 time frame. um They are pretty long standing, so I don't know that they are like the severity is high, but their correctness issues. So it would be good to get them addressed this one. I don't think, has anyone actively working on it? I think it got assigned a while ago and I haven't seen any activity.

C

So um if it's going to get addressed at 125, we probably need someone else to pick it up.

A

All right.

B

It's currently assigned to someone right.

C

It is, um but that's been a month more than a month should.

B

We ask them if they're still working on it.

C

Yeah, probably so.

B

Okay, I can ask.

C

um The other one someone uh got assigned someone opened a pull request today. Actually, so I I wanted to get eyes on it, since this is a um I, I vaguely remember there being a little bit of discussion around the issue, uh whether it was necessary.

C

I, if we're requiring key usages that aren't strictly required for a particular certificate type that doesn't seem great, especially if we want to interoperate with other signers who might raise their eyebrows like. Why do you need this key usage?

C

So I I haven't reviewed the pr I assigned myself to review the pr uh for, like compatibility backwards, supports commutability, but if people have thoughts on the actual key usage aspect, I would welcome that feedback.

C

Anyway, we don't have to spend a lot of time on it here, but I did want to highlight those and link to them if anyone carries.

A

Awesome.

A

um

A

Thanks for raising these all right, so uh pool of note, that's what we just opened up.

A

Cool moving on to the kms stuff.

A

um

A

Anything specifically, you wanted to raise here.

B

I think this is just a call to get more eyes on it, more reviews so that we can get this um hopefully merged for 125.

B

And there are a bunch of things that are pending on this pr. I, like you, know like docs, and um why not.

A

The the big one or there's a bunch of things, spending on this pr.

B

Yeah, that needs to happen for 125., okay, yeah, all right.

D

um So I had a question related to this in terms of implementation.

D

um So in the cap we mentioned that we're going to use a new proto structure format for storing this, and as I I reviewed some of the initial code that initially written and um I was unsure.

D

If we were going to try to like directly call the marshall functions on the on that prototype. Or would we want to use the protobuf serializer we have which wraps the whole thing in the runtime that unknown thing or the type metasta, which then leads to the question of? If we did the latter, then, are we going to basically have like conversioning of this new protostructure, which we will then I guess bump and maintain and test for basically how?

D

How close are we going to make it to the rest of our code base and how much flexibility do? We think we need here.

D

um

A

That's a good question, uh so I don't think we need multiple encoding formats.

A

And I'd like to think that we're not going to need a v2 of the obstruct, um I guess the proto anytime soon, um but I you know, I don't know um the. I guess the alternative is doing a migration like we're doing now, but we do have the.

A

That prefix, so we can do versioning later. I guess a version switch later if needed.

A

um I I guess how how much uh work is it to? uh Are there present pros towards just using uh the proto-marshall functions? So it's a lot.

D

Simpler, uh so it certainly like ends up being kind of like easier code to read, because all the logic basically already exists in a separate place and in a sense you could assume it's correct um and it gives you a bunch of flexibility to change stuff later.

D

The weirdness of that flexibility is now you're like storing you're, storing a runtime down unknown with type meta information. So now you have to have type meta information right, like you have to declare an api version and stuff for the thing that you're going to store in there, because you're effectively saying that that encrypted object is like, for example, the equivalent of like a pod or something right like you're. You have like that layer of indirection, um so you get a bunch of flexibility from that layer.

D

But you also get this weird indirection, because you know like, for example, what's the version of encrypted object like what's the group version kind of, or I guess I know the kind? What is the group and the version of this object? And are we going to change it over time?

D

And you know that you know reminds me of the fcv storage path test that confirms this for all uh for all existing resources right, so I would feel the need to like expand it to cover this. um Are you saying something about this.

A

um I would like to hear what others think. Maybe jordan do you think this needs a full api group for the like prefix and associated data um for an encrypted record.

C

um I I don't know I mean any any time we're talking about like wire, serialization or storage serialization.

C

um I think we want to have a really clear understanding of what we're going to do in the future if that format, changes or if we need to version it or detect like um it.

C

What moe was talking about reminds me of how we had to do like envelope, wrapping of proto-encoded stuff to add like an api version kind, uh but I will admit that my proto serialization foo is weak, and so maybe there are facilities for doing that version like self self identification and serialized content that we're not taking advantage of. I'm I'm just not very familiar with what is possible.

B

This.

D

Isn't this isn't.

B

About.

D

Serialization right, this is about how do we identify.

B

That a record in scd is an encrypted blob.

A

And we have the transform prefix for that yeah. Okay,.

C

What mo was asking about like if we were going to be marshalling the prototype to build that header? Maybe I'm supposed to do that.

E

Yeah, so with this question we are adding some overhead right like because etcd objects are limited to one megabyte and adding encryption adds some small overhead. But, uh like now we add a lot more data in terms of head to each secret. So uh we could run into uh secrets not being able to store being able to be serialized to etcd without in the new version where it would have been possible in the world.

D

So you have to remember those secrets: are size limited by the api server first with a much smaller size than the maximum lcd size limit. So I don't think you can actually practically hit that case because our api, our api, doesn't like you storing a bunch of bytes and secrets because we're not your database.

E

Okay, so I see the one one megabyte limit now that I saw is the api server thing, not the needs.

D

Yeah, he also has a pretty small limit. It's just bigger than one megabyte. It's like one and a half or something.

C

I'm not sure that's true, so we we accept up to three megabyte requests in the api server.

D

Yeah, so I'm talking specifically just about kubernetes secrets and their data field and its validation like a static api server validation. We just like count all the bytes and, if they're over a certain amount of bytes we're like.

B

No.

D

Please really, yes, I know, because I've I used secrets.

C

I knew we did that on annotations and labels. I didn't know we did that on secrets. Yeah.

D

Just to event like, presumably to prevent you from using kubernetes as your database.

E

uh Is that, like a a limit on the like base64 encoded data, like counting the overhead or on the unencoded version of.

D

I always forget which layer.

C

Only on the value of the fields and the data, the byte length, yeah.

D

Wait but yeah so like. I think my overall question is so this type encrypted object that mike has on screen. Do we want to treat it like? We treat like runtime dot unknown, which is it's just the thing that's stored and it's not versioned.

D

It is just directly looked at or are we gonna use runtime.unknown and it's raw field to store one of these things at some version and then ask ourselves to version it somehow and like like the the prefix that we're adding the magic encrypted proto prefix has the same like two reserved bites at the end, to allow for us to bump it and go crazy and do whatever we want with our proto-serialization later I just was trying to figure out what is the correct answer right now, because when I, when I had asked for that stuff and the kept in my head, I had just sort of imagined well, this is the thing you store and you don't you don't need.

E

To.

D

Check if this is the thing you're storing.

A

Yeah, I think so too, because the we we have the switch on the the prefix already. So you can have any very specific decoding logic you want and not have to worry about bumping a virgin in the future right. So I guess we don't get very much benefit from the.

A

Runtime object generic deserialization.

A

Okay, and so that would mean that if we wanted a v2 of this api, we would bump.

B

Those those last two bytes that mo was talking about and we'd, be able to have encrypted object.

D

V2, yes,.

B

Right.

D

And that would only be, I think, if you wanted to make a change that, like an old api server using the old schema, would confuse or lose data or do something weird, so it would be purposely saying hey. I want this v2 thing and I'll do like you know a graceful rollout of the capability of being able to read such a thing, but I won't write as it for some like another release, etc, etc.

D

We could phase it in carefully, um so I think we have. The flexibility we need is just. I just wanted to make sure that I wasn't.

D

I wasn't even leaning towards the prototypalizer out of just uh like knowing it yeah.

A

That sounds good. I think that makes sense to me.

A

We can forego most of the machinery because it's not needed here.

D

That works as long for me as long as we can't have that v2, it sounds like we can.

A

V3.

B

V3 sorry v3: let's not do that.

D

Let's, please just get it right. Let's.

C

Just all assume, v1 and v2 won't work and let's go straight to v3. Now.

A

um Okay uh mo, I assigned that to you I'll, take a look as well. I see a hand.

B

uh All right.

D

Sorry, I think that was earlier right.

E

Yeah, I just lowered it all right, that's my question. Yeah.

C

So.

E

You have other.

C

Trending towards code freeze: let's make sure that the people who should be reviewing things are like assigned. So if it's assigned to mo- and you were going to look mike, maybe assign yourself and then we can try to get like order of a day or two turnarounds on things. Otherwise, we won't make progress towards cook trees.

D

uh Anish is there uh any other specific questions or concerns that you want to highlight to try to get any? I banded feedback, though that was the one item about product stuff was the thing that was on my mind, but I don't remember anything else.

E

Yeah, I think it was only that I was outstanding other than that for the v2 alpha one. I don't think we have anything.

B

Else sure.

A

um All right and the next one was uh this one.

A

So this is just a continuation of switching to asgcm. From that we started last release correct. That's.

B

Right, if you could scroll down to the to tim's comment, that would be good.

B

It was.

A

Asking me if.

B

It's kept it, it needs a cap or for that change.

A

This isn't uh this isn't. I would consider this to be an implementation detail of the api server.

D

Also, can you find my pr that was like I made a pr that did this as uh like, remember to finish this by 125.? Can you please find it and close it and say that it was superseded by yours.

B

Yeah.

D

um Yeah, I I think I would agree with you mike. I just consider this an implementation detail and we made sure to roll it out in a way over multiple versions so that it doesn't break anything and we're.

B

Not.

D

We're not removing the ability to read the cbc data, maybe ever so it's like no action required.

C

Yeah, the.

B

Less.

C

The casing it is the less a cap is needed if there are like caps, are useful both for communicating like user-facing things and for like documenting design decisions um so like the more of either of those there are in this.

C

The more useful I've kept is to capture that, if we're intending this to be like a self-driving thing, where there's no user toggle switches and there's no like action required, and it's not user surfaced, um then maybe it's like fully an implementation detail. I I haven't dug in to this enough to know, but.

A

So this is the data encryption algorithm that we use for all envelope uh encryption so envelope encryption gets one type of encryption in the past that was aes cbc we're trying to change that to asgcm it's not configurable.

A

Users should not notice the uh that we are making this migration.

A

We supported both in 124 to allow for a downgrade of 125 to 124 clusters. um Now we are switching rights to asgcm, um while supporting reads by ascbc.

A

I think just making sure that the documentation is accurate. I think maybe some somebody might be interested in knowing what the algorithm is used because of they have to tell a compliance auditor or something um but other than that there should be no user action and it's a relatively small change.

A

So I would say no cap.

A

No.

A

No, I I'm not even sure, maybe a release, note very minor one that says that there's no action required um yeah.

E

And this.

C

Is this.

E

Go.

C

Ahead.

E

Should we take the opportunity to like and add this to the serialization kms we do like in case? We need both for interest reflection reasons and to like be able to change the algorithm more smoothly in the future.

D

It's it's been a while rita, and this and everyone knows who had these conversations that we were talking about. I think we think we've voted for. No, we will not include any details about this. It's an implementation detail. We have to change the whole bumper version and we'll pick whatever. The other thing is.

B

Well, and also it's going to be part of the release, notes right, so it would actually get its own.

D

Well, I mean just referring to v2 right: v2 is just going to do gcn right.

B

Right right.

D

If you want.

B

Later.

D

As.

B

In you, don't need v2 to use gcm, which is nice.

D

Well, yeah yeah yeah, so yeah v2 is just going to start correct and be done.

A

It's also independent of the kms api or configuration I mean, maybe not configuration, but it is fairly. It is independent of like the kms extension.

E

It seems to me, like this change, will now try to decrypt twice for secrets and encrypted with cbc right like it will try gcm first fail and then try see cdc is that is that.

B

How it does that.

D

Yeah I mean, if you already do we always try in every single way possible until you just give up and can't figure out how to get your data, because it's like the key's gone or something so like I mean, if you're ever worried about this from that level, you just run storage migration to force it to the latest.

A

Right.

E

Yeah.

A

And we can always add a field to the um encrypted blob thing now.

E

That's what I meant really like to add a feedback.

A

It's possible to add it later and uh since we haven't had of um like a request to make this configurable, yet I would say we can add it once that request comes in.

A

And it would be um pretty much compatible change to support that in the future, we'll just default gcm.

C

Pretty much compatible changes are the best kind of.

A

Pretty much compatible in that you can't use it until it has been available for in two releases for the downgrade. I guess so yeah um it takes longer to um make available than other features in kubernetes, but not much longer. Yeah.

C

This seems in line with other types of validation, fixes that we've made, where, like internally validation like tolerated, relaxed data but didn't on update but didn't, allow it on create for release and then did the next level of enablement the next release, and there were no user knobs, no feature gates. No cap, it was like. Oh, we found a validation bug and we fixed it over two releases.

A

um

A

I'll just say from us.

A

Detail of the envelope encryption.

A

Storage, transformer.

A

There are no feature, it's or user, not knobs, and the user should never be aware of the migration.

A

um So I guess um we, let's make sure the dock is, is, let's make sure the doc is accurate, but I don't think we need to.

A

um I guess uh stretch this out with a cap or uh feature gates uh board configuration.

A

This time, all right uh does everybody somewhat agree with that.

B

Sounds good.

A

Okay, um were there any other.

A

Concerns here this seems aligned with what we have been planning on doing so.

A

I'm going to also assign this to mo easy three line.

A

Cool uh anything else on this topic.

A

um So follow up from last two weeks there was.

A

Mode the client proxy for 126 is um a bunch of comments were addressed. So please take a look at that.

D

Yeah I can't I haven't. I haven't gone back and watched the recording, but I plan on doing that. Well,.

B

Before 126.

D

Deadlines, yeah.

A

um And I can't remember if the trust anchors is in a similar state but yeah the client, uh client exec stuff came up last meeting um cool.

A

So I think that.

A

That's it for our.

A

Regular agenda items: let's talk to the flakes.

B

um

A

Everything looks good uh secret store. Stuff is reviewed in the secret store meetings. uh I just.

A

And then let's look at flakes.

A

uh Local e to e.

A

What is local ede now.

C

That's running ede on a local up cluster, okay.

C

It doesn't look like that's white one, while.

A

These all look pretty good.

A

uh I'm actually getting kicked out. I don't know why, but I'm getting kicked out of a meeting room, so I will need somebody else to continue this um sorry. Okay,.

C

Who has host.

B

uh I do do you want me to drive, or do you want to be host.

C

um I am in the web client, so maybe it would be better if you drove.

B

Okay, give me one second.

B

Let me know when you can see my screen.

C

Yep we got it.

B

uh Were we here, I think earlier.

C

um The primary one, so this one continues to be problematic on the windows, jobs.

C

And I can't tell if it's because they were windows, jobs or because they were older releases. I know there were some dns resolution issues that I think got like a workaround put in place, but I that might have happened in the 124 time frame.

C

So if these are failing on the 123 windows, jobs that might predate that workaround says.

B

123.

C

Let.

B

Me see if I can dig.

C

Up when that workaround went in.

C

uh Looks like that went in in 121., so that's not related to that wow. That was a long time ago.

B

Okay, so do we want to follow up with sick windows on this.

C

Yeah, I think so yeah I was gonna ask if there were a lot of failures in these jobs, but it looks like it's just a couple.

A

uh

C

Yeah, if we're seeing it fail in several jobs and they look like they have a common denominator of windows and 123. That's a little eyebrow reason.

B

Okay,.

C

I can.

B

Open an issue.

C

And tag in windows and auth and maybe see if we can ask someone on windows to take a look.

B

Sounds good what about.

C

These other ones.

D

I.

C

Don't know maybe open up one of those and see if there's a lot of failures in that job.

C

It looks like there might be timeout issues in that job.

C

It's a little bit like reading. Tea leaves, if, like an overloaded, timeout type thing can make weird flakes show up in random job random tests.

C

uh To me this one's less clear, like the windows one, there were just a couple failures which.

B

Seemed.

C

Weird this one has like 10. so seems like. Maybe something generic is going on with the job.

B

I'm not sure.

B

Oh.

B

So many.

C

Yeah I I kind of discount failures like this, like so many.

B

Different things, yeah, okay, um it'll also be like test infra. Maybe.

C

Yeah, it's always possible. I think the ones that are best for us to press on are ones where, like one of our tests is failing across multiple jobs in a similar environment, so.

C

So, like the windows, 123 one seems interesting.

C

That's the next one down is an interesting failure. Text.

B

Or this one.

C

Oh yeah, so this is the local ede, like that's a.

C

It's an interesting failure text.

C

Yeah, this also seems systemic, though, if you expand like a random thing in there, is it that same like glob issue.

B

I don't know.

C

I know I know a lot of time out failures, spun up when ginkgo switched from go v1 to ginkgo v2, and I know like the investigation of that is ongoing. So I I probably wouldn't spend time here digging into this, like this looks more systemic, not off specific.

C

Yeah, I mean at this point we're probably far down enough that, like there have been failures in the last couple weeks, this this is the local ede, which seems like that job itself has a problem uh and it doesn't look like. We've got recent regular flakes in any like core jobs or jobs that we own. So that's good.

B

And for what it's worth this is, this was this was what we discussed in the last meeting for what it's worth.

C

Yeah I'll.

C

Okay, I'll.

B

Because I was like this looks very familiar.

C

Yeah.

B

Looks like an environment problem.

C

Well, could we fix the environment, okay I'll instead of opening a new one, I'll try to ping that or track someone down.

B

Okay, great um yeah, let me know if you need any help.

B

Maybe test them for might know a little bit more about this. Maybe.

C

Maybe I I haven't had good success when it's not like a environment thing that affects a lot of jobs if it's like specific to 23 or specific, to like a gcp upgrade release branch test like the testing for folks are. Like I don't know, we gave you vms and they're working for all the other jobs yeah.

B

But like this, one is not related to windows right and we're seeing concerns.

C

Right.

B

Failures so.

C

Yeah.

B

It's hard to point at windows.

C

Right, no, I meant for the 123 azure one though the local edes have a ton of failures across all areas. I.

B

See across.

C

All things in the weird position of not being a required pre-submit, um so it the when something creeps in that causes problems there. It's always like a lagging like. Oh the periodic job went haywire.

B

Okay, um all right, I mean I'll, also paint some folks on windows, see if they they have. They know anything here. Yeah.

C

It's.

B

Interesting.

C

124 jobs, I don't maybe there aren't 124 jobs, but uh it's interesting that it's only the 123 jobs where it's showing up.

C

But if we want to ping folks into the issue that was linked from last meeting, it looks like there's already got. One of them.

B

Okay sounds good I'll, just uh also tag the sig window. Folks, okay, I think that's it anything else. We need to look at.

C

uh Just a reminder that code freeze will happen before our next meeting, so timely reviews and timely updates for anything. We want to get into 125.

B

Okay, all right thanks.

B

Thanks all thanks, bye.