From YouTube: Kubernetes SIG Auth 20190501
Description
Kubernetes Auth Special-Interest-Group (SIG) Meeting 20190501
Meeting Notes/Agenda: https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/view#
Find out more about SIG Auth here: https://github.com/kubernetes/community/tree/master/sig-auth
B
Just wanted to let people know a couple other things: what I was looking to do got pushed out by some of the extinctions work that was happening. I see later on Metric was asking about some of the beta stuff for dynamic audit. So there are things we're still working on, but as far as, like, what's targeting 1.15, I didn't see anything major coming in for SIG Auth.
D
Somebody way to say we might just send out an email very quickly to want people not to engage in a very specific user interaction. So we have things, so I want to get thoughts on that and wanted to in general figure out if this is the right place, if SIG Auth is the right place to discuss PSCs, there's.
B
A security-discuss mailing list that we can probably start a thread on. I think that's officially where we talk about, like, security policies and things like that. A lot of the same people are probably on there, but there are likely people on that list that are not here, so I think that the user interaction of it is a good point, especially if there's, like, a really clear "I'm going to be" thing to avoid, yeah, letting people know "hey, don't run, don't run this command" or "don't run this".
B
Or ways that authenticated users could be disruptive and then trying to map that to, like, "well, here's another way they could be disruptive". Do we, like, have an all-hands alert private release process to fix this thing that is equivalent in nature to something that is already "if you're running the cluster, you have to protect against this yourself" kinds of things.
F
The bug bounty, I think we ended up settling on fairly fuzzy guidelines because we sort of just decided it was too hard to really write the full detailed threat model and none of the efforts to do so have led anywhere. I don't know about the security audit, if there's some, like, more concrete guidelines that have come out of that.
G
Okay, I... Clayton has a really old doc that was pretty reasonable, in my opinion. Does anybody remember that doc? I can paste it into the chat. I think Clayton had done an initial pass at trying to sketch a threat model; however, I think it's probably something that would be useful to have somewhere in documentation. So.
B
Yeah, so I would probably kick this to the discuss thread, maybe that summarizes stuff we talked about here, and see if we can invite some more feedback and if there was threat model stuff that could help inform this, so we could be really clear about: here's the things that we claim the current policies and protections actually protect against. And so, if some of those claimed things are able to be circumvented, that's much more compelling to, you know, try to fix privately.
G
Yeah, we brainstormed a couple ideas. I think that we should follow up. I'm not sure if everybody who is interested, yeah, Clayton doesn't seem to be on the call, but we can push this forward. I think that this is a pretty common, three common problems. I think it would be useful to have support for this in the long term in Kubernetes. We have a fix for the immediate issue, so we can take our time and try to pick an optimal solution. All.
All.
I
Right
so
this
was
the
discussion
about
how
do
you
handle
it?
What
we
really
want
to
have
happen
between
intersection
and
similar
to
us
guys,
you're
on
the
node?
If
you
want
to
act
like
the
no,
you
use
no
credentials
you're
already
effectively
route
here,
and
if
you
want
to
act
like
something
else,
you
can
act
like
your
service
account
using
a
different
client.
E
That's making some progress. It's just going slow. I probably have been on it as much as I need to, just been super busy, so I can kind of lean on that some more. It seems like we're kind of getting there, so we could probably shoot for it. It's just kind of a lot of that kind of depends on how much review Tom Daniel has, because he's kind of a primary reviewer on that. Okay.
B
For the, yet, for the scalability tests and the buffers, like the performance aspects of it, yeah, typically for features we do scale testing, like, between beta and GA. Okay, for this one I can't remember: if this is enabled, does it affect the current audit logging path, like? Would it... what we want to avoid is regressing a feature.
B
That's already GA, right? So, like, today there are clusters that have audit logging enabled and they're dumping to a log or dumping to an existing webhook, and if I recall correctly, enabling this, like, moves some copies stuff around and, like, changes the performance characteristics of what was already there. Yeah.
B
So that's, like, the easiest one to do, because you don't have to spend a lot up, and the other end of the spectrum is, like, if this would show up in our scalability tests, which, for this, it probably would, so checking with the scalability team to see if they have audit enabled in our scale tests. And for that there's not a.
B
You can run some of those as presubmits, but there's not a great way beyond, like, enable it by default and then watch the scale tests on master to see if there are regressions, but reaching out to the scalability team to see if their ideas enable audit. So those are kind of the two ends of the spectrum. Okay.
B
Don't know, yeah, you could always be the first, and I'd be curious to see your results. Most of the Go benchmarks employer, but they're, like, unit-test-level benchmarks. So okay, so yeah, in this case I think because it does interact with an existing feature, I think we do need to at least prove that when you don't have any webhooks registered, or you kind of have the default configuration, you're not going to impact performance by turning this on. Okay.
G
Is just the cloud providers stuff. I think that's why this landed with us, because moving cloud providers has some impact to sort of the authentication plugins that are provider-specific, although I don't think there's actually very much dependency between a package cloud provider and the libraries in client-go, so I think moving cloud provider would actually remove most of that code, but that is just a guess: I haven't actually audited that. Other than that I didn't see really a relation... oh, I guess credential provider rework!
B
Fine, yeah, so this is issues that clearly are related to SIG Auth stuff that have someone assigned but don't have a priority yet, and so to help us make sure we're kind of going in the right priority order, what we're just doing here is making sure it belongs to us and then maybe adding a priority, so I think backlog is probably where this belongs.
B
That people are having issues from. Just as a calibration: important critical-urgent is basically, like, you shouldn't be working on anything else. Important-soon is it should be fixed in the current release. Important-longterm is it should be fixed, and backlog is, like, things that we will work on once we finish all.
B
Getting better resilience and making sure the credentials you're actually using were short-lived, that's been done. The opt-out and the cleanup, I think, are distinctive things that we want to do generally beyond just this. I would probably split those out and go ahead and close this one and reference the individual items for the opt-out and the cleanup to do.
I
Is not so much a stake in seeing that one move. I am concerned about how we describe to people the way they should and can and cannot trust the signatures, right. So now I've seen people in cluster saying "I think it's my service account token ca.crt and I'll be able to terminate every CSR client cert", and I know that's not the case, so that was one that I want to make sure was on the road-to-GA list, that we come out and make an explicit statement.
B
All the CSR ones I would put to long term. I had those three open in a tab. I was planning to collapse them into a single issue and gather the items. I'll still try to do that, just to get our numbers down, stop making people look at three issues to figure out what's going on with one thing.
B
I mean, different signers do different things, like even ones they understand, like you can say "no, I'm not gonna let you, like, do this extension part". What we do with that and how we communicate that, and whether someone who's requesting a cert can express, like, "if you're not gonna give me the extensions I ask for, don't even bother giving me a cert", like that is part of what we have to nail down.
G
TLS doesn't work, it's broken, specifically the hostname validation within the cluster. It's not very helpful, especially when you know the service, the service account that you expect to be on the other side. It's a much better thing to validate than the hostname that you used to access the service. So the idea is replacing that hostname validation with "I'm
G
speaking to this zip, I expect this Kubernetes service account to be the back end, I'm gonna validate that expectation" instead of validating that hostname. That's the diff, and then because we would only be putting service account names in serving certificates, it would be much easier for us to create some automatic approval process to sign those in-cluster TLS. And to turn on my video to give you these.
B
Yeah, I think this would be interesting to build, like, as a "make a secret and annotate it or label it" or something, like some CRD that says "I want a serving cert", and then this thing, like, uses the CSR API to satisfy that into a secret and then you've mounted it in. So the surface area from a consumer's perspective is, like, "I want a serving cert; when it's ready, mount it in and start me", yeah.
F
All right, if you click through the issue linked at the top of that one, it has a bit more background on the problem that this was originally motivating. This is around the model where you have a bunch of nodes or a bunch of daemon sets that need to communicate with a control-plane-level pod. And how do we do all of this secure communication between those? That's a flattened three-dimensional matrix I like.
I
I think the proposal that I presented to Bobby and yes seen a while ago, I'm not sure if this got written up into a KEP or something, is to do something similar to what we did with RuntimeClass scheduling: to say, like, here's a policy that, rather than apply at admission time, you apply it at scheduling time and say basically intersect these scheduling rules with the scheduling rules on the pod to say, like, these are the only places this pod is allowed to be scheduled.
B
Yeah, delete the outer tree bit and just give it to the war klog and klog. Okay, we're out of time. As a reminder, if you have issues that are unprioritized, feel free to put an initial priority on them; that helps us get a better picture of cartographers, so you can kinda pull out the ones that are critical or important over Michael.