From YouTube: Kubernetes SIG Auth 20180627
Description
Kubernetes Auth Special-Interest-Group (SIG) Meeting
Meeting Notes/Agenda: https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/view#
Find out more about SIG Auth here: https://github.com/kubernetes/community/tree/master/sig-auth
B
All right, welcome to our SIG Auth bi-weekly meeting of June 27, 2018. A couple things on the announcements, short agenda today. I think a lot of folks are focused on 1.11 still. So the big item for this week is we've announced we would like Mike Danese to be the new SIG Auth chair. Mike has been a longtime, very active participant in the SIG Auth community, and we're happy with his nomination and think he'll do a great job in the role.
C
From the original token request proposal, so I just wanted to make people aware that I'm reintroducing a small change to the token request proposal. It was originally omitted just so that we could expedite the merge of that original proposal. Now that it's in, I think it would be interesting to revisit. So this is just an announcement and hopefully get some eyes on it. Maybe talk about it next.
B
I put the next item on here. So this came up when I was looking into ways that the, well, I noticed that we're allowing basically anything to be sent in a self subject access review, and started some conversations around whether we should be doing any validation on that, to kind of just at least limit size. Along those same lines, when I was poking around, it seemed like every resource had a 250 character limit on the names, including custom resources, but Jordan, I think you said there were some that were not.
A
So yeah, there are a few dimensions here. One is like what our authorizer actually uses. So when you hit the API server, a URL on the API, it translates that into attributes and then asks the authorizer about those attributes. And so, if we want to start putting limits in place that we didn't previously have, we need to figure out what the behavior is.
A
We need to define what it would mean if you exceed those limits, so the API server calling out to a webhook, or someone actually submitting one of these reviews to the API server, and then the final reason, which I think is why you hit this tim- was like we, the places where we do remote authorization, we have caching layers, and that's why this is actually really concerning at all, I guess, was because you could fill the cache with large amounts of garbage. So.
B
Yeah, I think there's other ways that we can fix the problem, and I was sort of wondering if we want to just have some kind of sanity checks on these things at all. It's, I guess, it's a, you know, a backwards-incompatible kind of breaking change, although I would be surprised if anyone is legitimately doing subject access reviews for, you know, resources that are a hundred thousand characters and thanks, yeah.
C
So anecdotally, I've run into this with people misusing kubectl, trying to add weird things like commas in between names. kubectl ends up forwarding, or trying to delete, a very, very long name with a bunch of commas in it. So people do kind of do this in scripts accidentally, and I've seen some very large requests that hit our authorizer in GKE, yeah.
B
I guess the sort of the more fundamental question, and why I wanted to put this on the agenda, is subject access reviews and kind of like the RBAC system could be used to, like, answer authorization queries for things that have nothing to do with Kubernetes. Like you can put arbitrary, like, non-resource rules in there and then check those with, you know, an external system that submits reviews, and I'm sort of wondering if that's a use case that we want to support.
A
Now that 1.11 is releasing today or tomorrow, the 1.12 release goes fast. So let's try to get tracking issues and designs and discussions around those designs going, and actionable stuff wrapped up in the next two, three, four weeks, so we can not be doing last-minute implementations. I know Mike had stuff he was working on. Patrick has the audit proposal, and then I'm looking at some of the node restriction stuff as well. So let's get visibility on those things as early in the release as we can.