From YouTube: Kubernetes SIG Auth 20170823
Description
Kubernetes Auth Special-Interest-Group (SIG) Meeting 20170823
Meeting Notes/Agenda: https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/view#
Find out more about SIG Auth here: https://github.com/kubernetes/community/tree/master/sig-auth
A: This is David, so I'm picking this up for Jordan. It's been a while, but I think I remember how to do it. So, first, announcements on the agenda: the container identity working group. It's Friday, 11:00 a.m.; it's in that window where we're trying to hit the East Coast, West Coast and maybe Europe, but if you're interested, the last one was interesting. I'm sure that this one will be. Code freeze is on September 1st, so I've been seeing several PRs come in. I think that our features are pretty well set at this point.
B: Yeah, I'm kind of new. I've been kind of lurking around SIG Auth and also attended the first container identity meeting the other day. I recently joined a company called Scytale, which was working on SPIFFE, and you know, the work that SPIFFE has set out to do and the work going on in container identity, the ideas are very similar to the stuff that we're trying to solve with SPIFFE, so you know, I've just kind of been hanging out tracking your progress, and I'm here today to kind of give you guys a brief on the stuff we've been working on and maybe explore how those things align, but there's some usability.
B: We would like to integrate with Kubernetes, and we have some ideas on how to do that, and so getting some input from you guys would be valuable as well. So today, you know, the first thing that we'll talk about is what exactly is SPIFFE? What are the goals and what is the definition of it? I will talk about SPIRE, the software project, a similar thing. What are the goals? What does it look like architecturally from a high level? What are you trying to accomplish?
B: So what exactly this is: a set of standards. The first one is a standard around kind of an identifier, you know, an identity namespace if you will, and we have this defined as a URI with a spiffe scheme to it. We don't have a lot of rules around how this is formed; it's meant to be fairly flexible and a lot of it is opaque to the SPIFFE standard itself. The SPIFFE set of standards is more around how to transmit and validate these identities.
B: We have another standard which defines what we call a verifiable document, or SPIFFE Verifiable Identity Document, which is SVID for short. A SPIFFE SVID can be any number of things. There are some constraints placed on it and requirements placed upon what qualifies as an SVID, and then there are further standards to say, okay, this is how you encode an SVID of type foo or bar. Currently, the only supported SVID type is X.509, and it uses pretty standard X.509 format and semantics with a little bit of extra validation layered on top of it.
B: And finally, the third standard that we're looking at is an API endpoint, and this API endpoint serves to retrieve these certificates. This is a standardized way to obtain identity certificates from a workload, so a workload, when it spins up, will hit this standardized endpoint and there some validation will occur. The validation, the type of validation that occurs, is up to the implementer, but we've just...
B: So this endpoint will give you a certificate and a key pair with which you can identify yourself and will also provide you CA bundles which you should trust externally, in this case the federation. That's okay, thank you, that makes sense. Yes, yeah, so the workload... this will be called a workload API. The workload API is still under a little bit of flux, but we should be settling on what that interface looks like shortly. We've been working with the gRPC team.
B: So this is kind of a set of standards, which is SPIFFE, and you know, the goal of these things, as I mentioned earlier, is really interoperability of service identity. So through these three distinct standards we hope to set forth the way that individual projects can implement themselves, or consume through our software project, which I'll speak about next. You know, the goal being like, hey...
B: You know, my Kubernetes cluster over here can talk to my Mesos cluster on this different provider, or perhaps two different companies, and so through this API we deliver those creds and the bundles which should be trusted. So the next thing we have is this project called SPIRE, which stands for SPIFFE Runtime Environment, and this is essentially an open source project which looks to implement the SPIFFE standards. Of course, there's a lot more that has to happen than just implementing certificates and endpoints.
B: So this project is much larger in scope than the set of standards itself, and really what it aims to do is mint and issue these certificates automatically in a secure way, and the way that we do that is very, very flexible, very pluggable. So we have different plugins for different compute providers. There's kind of two levels here where we do attestation.
B: For the compute layer, or the platform or node layer, and then we do another attestation for the workload itself, the thing which is calling the workload API. So because it's pluggable, it could work across a variety of providers and a variety of runtimes, and we also enable folks to write their own plugins if they have...
B: So I'd like to talk just a little bit about, architecturally, what SPIRE looks like. Hold on, I think that I'm being chatted here. Yes, speaking out... oh, and also there's...
B: It's under very heavy development by the Scytale team and a few of the other folks that have been engaged in SPIFFE for a long time. We're planning on opening it up in the near future. The plans for SPIRE are for it to be a fully open, community-owned project; it's not going to be Docker style or nginx style, or anything like that, but it is still kind of a...
B: The code is not all there yet, and so we're quickly turning towards kind of a first, rough release that we can put in people's hands, but it's still pretty early. So the answer there is no, SPIRE is not public yet. This repo contains all of the standards docs that we've minted to date and also contains information on the community, how to join the community and things like that. Awesome, thanks.
B: So this is kind of the 30,000 foot view, where there are two major components to a SPIRE deployment: there's a node agent which runs on every host, and there's a control plane which handles the authorization and the minting of the actual certificates. So these red boxes that you see here represent API endpoints, and the bright green boxes that you see represent plugin interfaces, and some plugin interfaces can contain more than one plugin.
B: ...validate, you know, the integrity of the machine which is presented to it. Node attestation can have multiple plugins as well, depending on what platform you're running on. Once this node attestation passes, a node certificate is minted and issued to the node agent, which the node agent then uses to request further certificates on behalf of the workloads, following the workload API.
B: So, of course, when this happens, when a workload hits the workload API, we need to understand, number one, what this workload is, and number two, what SPIFFE ID should truly be issued to it, but we don't expect the workload to know this information for itself, so we have the registration API. This is an example of kind of what the registration API interface looks like, a very rough pseudo interface.
B: This is the portion where we can give CA bundles for external chains that we want to trust as well, and on the right-hand side I just gave some mock Kubernetes-specific selectors for a workload. I'm not, you know, super... I haven't been running these very long, so please do excuse me if some of these things don't quite make sense, but these selectors can become combined, as you can see.
B: Were similar? Oh yeah, absolutely. So right now, I've seen a little bit of the code within Istio. Istio is not... so this is kind of the distinction between these two works: Istio is compliant with the SPIFFE specifications, the set of standards that we've set forth. So SPIFFE has its own CA mechanisms and signing mechanisms, or sorry, Istio has its own CA and signing mechanisms through which they issue SVIDs in the compatible structure.
B: So, just, yeah, so Mike has kind of been following our progress on SPIFFE for a while, and there's a little bit of confusion because we previously did not have a name for SPIRE, the software project, and the name SPIFFE had been used interchangeably in the past. So we're trying to kind of clarify that these are definitely two different things and that Istio is not using the software project. They are simply using the specifications that we've set forth as part of the SPIFFE set.
B: Okay, so back to this registration API here. This is kind of a mock set of selectors that would be registered when running on top of Kubernetes, and these selectors will say, you know, within this particular namespace, this particular service account, also running with this UNIX UID 1001, we know this to be the signature of SPIFFE ID foo/bar, and when we can validate that this is the caller, issue it this certificate with this SPIFFE ID.
B: So this is just a quick diagram of that node attestation that I mentioned earlier. So when the node comes up, it calls this plugin called the key manager, which could be in memory or can be backed by hardware like a TPM or crypto hardware, and also calls this attester plugin. In this case you have AWS shown there, and then it calls up to the node API on the control plane, which calls its own node attester, which has matched but different logic...
B: ...that understands how to call provider-specific APIs in order to validate the information that's been handed to it, a trusted third party if you will. So this is a diagram of kind of what happens when a workload hits the workload API within the SPIRE project. So the workload API is not an authenticated endpoint.
B: It is meant to be exposed locally only, and it is implied that the provider of the workload API is doing some sort of introspection in order to identify the caller, and this is done because at some point we have to do away with authentication and bootstrap things; this is where that occurs. So we have these things called workload attesters (there's sort of a misspelling on there, I apologize), and you can have many of them.
B: So getting a little bit more specific about what this looks like under a Kubernetes deployment in terms of registration, there's been a few... so, to be clear here, we don't really have this hammered down just yet; we're trying to figure out what this would look like, but right now we've got a few options in terms of how we get registrations done.
B: One of them is to have a sort of adapter which sets a watch on the API server, and which would run externally to the SPIRE project and to Kubernetes, perhaps, and receive updates from the API server and, as it does, massage them in whatever way they need to be massaged and then post back to the registration API. Some concerns have been raised with this approach in terms of race conditions: how long will it be till the watcher is notified and the registration happens, before the container starts?
B: So another option that was kind of thrown around was tying into the scheduler, which calls back to the registration API as soon as a workload is scheduled, the obvious downside of that being a very tight coupling between the SPIRE system and the Kubernetes scheduler. And the third option, one that has been kicked around, is a kubelet plugin, which would...
B: So in terms of node attestation, which I think is what your question just was: how do we bring the node into the SPIRE trust domain, if you will? There are kind of two large options that have been floated. One is completely SPIRE based, which is leaning on that native SPIRE platform attestation and the underlying infrastructure, which may or may not be aware of the compute platform you're running on, and we have a join token option there as well, which is fully SPIRE native.
B: The second is fully Kubernetes-based node attestation, where we give the node attester plugin a Kubernetes API token, which it uses to hit the API server and generate a certificate for itself, and once the certificate is successfully issued, it uses the certificate to perform the node attestation against the SPIRE control plane. The advantage here is that it's an easier brownfield deployment on top of Kubernetes. You don't have to configure any of the platform-specific stuff, but you do still have to...
B: ...somehow get seeded with these API tokens. And then, as far as the workload attestation goes, so this is when a workload hits the workload API: how do we validate the caller is who they say they are, or how do we even know which ID to issue? There's not too much contention on this front. There's a variety of options available. We can hit the kubelet API; we can introspect the Docker engine directly.
B: You can write any kind of logic to do this attestation, jam it in there, and what you're required to use is mandated by the selectors that you choose to use. So the selectors are actually typed, and the types of selectors that you register in the registration API dictate which plugins must be used in order to generate an attestation that...
B: Yeah, I mean, that's just exactly what we're looking to do, so yeah, I'm excited to see that at the time of the next meeting; there's good work going on there. And so finally, I'm kind of nearing the end here. Wrapping up, you know, the last kind of thing here is just SPIFFE and Kubernetes, so we just kind of went over what SPIRE looks like on top of, or underneath, or next to Kubernetes and what integration points would be required...
B: ...how those would look, but then I do kind of just want to make a mention here. You know, I'm totally aware that there are some automated signing semantics within Kubernetes already, and so there might be some hesitation, you know, to swap that in or ditch the work or whatever, you know, so...
B: I just kind of also want to point out that, as Mike pointed out earlier, Istio wrote its own, where, you know, you don't necessarily have to take the project, but we do think that adopting these standards, these standards on how to encode the identity into a certificate and how to validate that identity, we do think the adoption of those standards is really, really valuable.
B: So, even for folks who are not necessarily wanting to pick up SPIRE and use it as is, or for whatever reason they have, we do hope to kind of see folks using SPIFFE-compatible certificates, or SVIDs, and their own CA mechanisms in the future. And that's all I got for you guys.
B: [Name unclear] is actually leading that SIG, and so the information on joining the SIG is available on the repo. All the community information is there, so if you're interested in participating, or even just following along on our work, and particularly if you're going to be doing SPIFFE-specific stuff, feel free to join this call.
H: So just a plug: a lot of the stuff you were talking about, like injecting things in containers and how that happens at initialization time, or in response to a watch, or done on the node, a lot of those are being discussed in the container identity working group, and how that could be done with initializers or external admission and then pairing that with volume plugins or flex plugins, things like that, on the node. So if you're interested, a lot of that was being discussed.
B: Yeah, that's really good to know. That's definitely on our radar and something that we're trying to figure out too. So, you know, we're happy to kind of lend a hand and also, you know, give our input and then hear what you guys think is the best approach. Sure, you know, we're not the experts; we're just trying to make it work in a fashion that gets like 90% there.
A: All right, so if we can get the agenda re-projected, we'll go ahead and move on to PRs of note. First one is the bootstrap token with extra groups. I think I saw that LGTM this morning. It was something from Matt, as I recall, letting you just specify the groups that you needed. Client cert rotation to beta is another one. I've seen that one in passing. That's yours, Eric, right? Eric, I know... let's see, Jacob's, and you know, that one will be good. I haven't been following that one as closely, and then configure...
F: Yeah, yeah, so if you use OIDC, please go look at that. The idea is that right now we conditionally prefix your username based off of whether you're using specific claims, and don't prefix groups, so to make the OIDC plugin a little bit more useful, we're hopefully going to let you specify those prefixes manually, or specify not prefixing at all if you so choose.
F: One of the blockers of graduating server certificate rotation for kubelets to beta is figuring out how to secure the addresses reported in the node status by the kubelet. We want to use those to validate the serving certificate signing request, and right now they're currently self-reported.
F: This allows an attack, if this feature is enabled, where somebody can get serving certificates for basically any name signed by the root CA as long as they have control over a node. So there's a trade-off here if we move rotation to beta without locking down this attribute. Other examples of attributes that we want some strong exclusion on are things like taints and labels of nodes.
H: Yeah, the tricky bit was dealing with version-skewed kubelets that already exist and are trying to report these things, like whether we reject them or strip the labels and taints and addresses, what we do for the next two or three releases until we get them to stop trying to set those fields on themselves. Yeah.
H: In the documentation for that we explicitly say we will continue to tighten and modify these in future releases, so I think, as long as we are cognizant of the effect this is having on version-skewed kubelets, we are within our rights to continue to modify what it does. It's an intent-based admission plugin, and so I think we have to be concerned about that version skew, which is why I thought about dropping the data rather than rejecting it outright.
H: Basically, just a shell of an empty node object, so it would only have to know its own name, and then it would watch that object to determine what addresses it should ask for a serving cert for. So this actually reverses the data flow, which is basically what you want with an external cloud provider. You don't want every kubelet to have to know how to interrogate the cloud provider; it should be told. So it's interesting.
H: It means we'd have to tease apart the kubelet bring-up into multiple phases, like first register yourself, then watch for your addresses, then ask for a serving cert, and then go into a loop to say, if your address has changed, you need to go ask for a new cert. Right, so there's work there as well. Yeah.
H: I think there's value in the NodeRestriction admission plugin, and this is actually something I was working on and trying to get in this release, and it's looking like it might not make it in this release, but there's value to having sort of standard labels and taints that are not used to partition along security boundaries. So the ones that come to mind are the three labels that all nodes add, like OS, architecture and scaling.
H: Hostname is questionable; instance type. Having a set of labels and taints, taints for things like out of disk, out of memory, that we say it's reasonable to let nodes set these labels and set and unset these taints, and then everything else we're going to drop, and then have a way in the admission plugin, if you really, really don't want them to set anything, you can tell us to not even allow those, but I think it's useful to allow the basic set.
H: I had structured it in the PR I was working on as a boolean that says include the standard ones, or allow the standard ones, so they could turn that off if they wanted, and then a whitelist that they could separately specify. So if someone was happy with the standard ones and they wanted to allow a few others, they could. Right. If we're moving to an initializer, that user-specified whitelist might not be necessary, so yeah, I would like to do less in config and more via the API, if possible.
H: Yeah, I mean, that's called config management, and everyone has it, and if they don't have it, they would get it. Well, but I mean, it's a question of who do we trust in that scenario, like, if you want to manage your addresses centrally, then you are running an external cloud provider. You may not know it, but you are. Right, so that's what I would push them to. Okay.
H: Remember, deletion of nodes while tainted. So this is like the things that we can't let the node do because it could compromise other nodes. We can't let it attest to its own addresses, because you can get a cert valid for other nodes' addresses. We can't let it label itself, because you could steer workloads to itself.
H: ...would prevent. So I'm some node, I have a node credential that lets me register myself and that's it, and I get compromised, and so the administrator taints my node, which prevents any pods from going to my node, and now is working to, like, bring me down. I should not be able to delete my node object and recreate it. Okay.
H: We had a long conversation about this about a year ago. The only reason it does today that I'm aware of, the only reason that it tries to today, is during bring-up: if a node API object exists that has a different external ID, the node will try to delete the object so that it can recreate it with the quote-unquote correct external ID. I think that's a weird case.
H: But we definitely ran into it, right? If you bring up, shut down, bring up a machine in a cloud and it obtains a new IP address or a new external ID, it's going to try to re-register itself and fail because that field is immutable, so it deletes and recreates. That's the only case I know of where it tries to. I'd be happy if that use case went away. Yeah.
A: All right, so the other one that I am aware of is the Vault KMS provider. The proposal is open; it's about basically being able to encrypt your secrets at rest and use Vault to get them back. There are a lot of details under design. It would be very nice to have a second one. There's one in progress now for GCE; I remember that going in, or at least being reviewed, and targeted at 1.8. The design, at a high level, seems to make sense.
A: I didn't, for Vault, I mean, go into excruciating detail, but if you're interested in trying to use Vault to encrypt and decrypt your secrets, not actually as the secret accessor but to store a key, then this is going to be worth you reviewing. It'll be good if someone who is familiar with Vault came in and went through and made sure it was all tractable here.
D: Okay, I thought that the PR for the Vault KMS provider... any feedback, any input, would be nice. It's been out there for a couple of weeks, and people are busy with code freeze. We should be starting the code PR later this week as well. It would be nice to get into 1.8 if you can find time for it.
A: I'm gonna say that I think 1.8 can be closed for the actual feature, but for targeting the design review, that probably makes sense. Carol, you should ask in the SIG Auth channel; I know there have been a couple of people asking about Vault integration, and I imagine this would be very interesting to them.
F: So the basic... this wasn't actually raised on either the proposal or the PR, but the sort of question that I'd like to ask here is: how do we plan to introduce an API like this? If, you know, it should be in the authorization API, which is in v1, is the fact that it's been working in OpenShift enough of an argument for us to do that?
A: Right, so in terms of a separate API group, on the machinery side, no, it belongs in the API group. If we were not confident in the API, we would start it at one of the prior levels, and you would only put it into the version that it belongs at. So if there were going to be a beta API, it would go into the beta API level that you have, and you would not reuse a version.
H: It's a... you submit a review and you get back a review object, so we don't ever have to deal with data migration for this API, which is really nice. The main difference between this API and the existing one that we've been using in OpenShift is the ability to indicate partial results, and so I'd want to think carefully about that, if you have multiple authorizers and only some of them support enumerating your permissions.
F: I think it's just high-level feedback. Before I see API reviewers or not, I'd like for it to address the actual... what happens when you get a result that is not complete. The error code in the actual status is supposed to, like... not the error code, the actual error field is supposed to indicate that, but it could probably do that better.
E: That was kind of like the only thing that I was kind of wondering about. Like, would there be, if you want to use different authentication kinds, I think there were like two or three mentioned, maybe, in there, but I wasn't sure; it wasn't clear to me how you would plug in the rest of them. Would we need, like, Kubernetes changes if you wanted to use something different?
H: Well, you... what do you... bring that up on that PR. I also put that in the PR's notes, if you want to look at that. I think there were a couple of final questions about where that was going and how it was registering itself. So, if you want to take a look, it'd be really helpful. Yeah.