►
From YouTube: SIG-AUTH Bi-Weekly Meeting for 20220525
Description
SIG-AUTH Bi-Weekly Meeting for 20220525
A
Hey
everyone:
this
is
the
sega
meeting
for
may
25th
2022.
We
have
a
relatively
light
agenda
today,
just
two
items,
so
we
can
get
started.
Joe,
is
still
trying
to
figure
out
audio
stuff,
so
we'll
skip
that
for
a
second
and
talk
about
canvas
so
see
during
here
that
you
and
rita
are
the
only
other
leads
on
the
call
right
now,
but
I
think
the
gist
of
the
last.
The
meeting
that
rita
myself
and
this
christophe
and
others
had
yesterday
was
that
we
need
reviewer,
slash
approver
for
this.
A
B
A
D
B
B
B
So
what
we
did
in
in
the
last
couple
releases
for
sig
program
machinery
was
put
it
inside
of
crds.
So
now,
in
addition
to
all
the
other
ways
that
you
can
make
a
crd
type
safe
and
you
can
add
basic
validation
rules,
you
can
now
add
expressions
and
you
can
do
fairly
sophisticated
things
because
you
can
access
multiple
fields.
B
The
alternative
to
doing
it
this
way
would
have,
of
course,
been
to
put
it
in
maybe
a
validating
admission
controller,
probably
a
web
hook
with
all
the
like
operational
and
developer
complexity.
That
involves
compared
to
like
this
one
line
here,
the
other
alternative
that
some
that
I
actually
see
people
do
a
lot
in
crds.
Is
they
don't
want
to
have
a
web
hook,
so
any
additional
rules
that
they
have
they
just
put
in
their
controller?
B
But
that
of
course
means
that
the
error
is
shifted
pretty
far
right
and
you
don't
often
as
a
developer,
get
to
see
the
air
as
soon
as
you
would
like
to
so
that's
kind
of
what
cell
is
at
a
really
basic
level
and
that's
the
first
thing
we're
doing
in
kubernetes
with
it.
We
are
also
interested
in
doing
more
general
admission
with
it.
B
That
is
something
that
we're
going
to
be
looking
at
in
126
and
on
the
idea
being
that
you
might
actually
be
able
to
write
an
admission
control
rule
that
makes
sure
that
your
name
space
has
like
the
right
labels
or
other
things
that
you
might
want
to
check.
With
an
admission
controller
you're
going
to
be
able
to
do
that
without
necessarily
having
to
go
out
to
a
web
hook.
You
could
just
write
the
rule
directly
into
it.
I
can
show
what
I
don't
know.
B
E
B
A
A
B
D
B
Right,
thank
you.
Yep
there's
a
couple
there's
a
couple,
interesting
things.
If
you
want,
if
you
want,
I
can
talk
more
about
crds,
I'm
also
interested
in
kind
of
learning.
If
there
are
other
use
cases
and
other
systems
where
people
are
interested
in
this
where,
where
it
might
fit
in
people,
have
questions.
E
B
Some
point
makes
it
easier
for
me
to
say:
maybe
yes,
what
we're
planning
to
do
is
we're
planning
to
do
validating
admission
control
first,
because
it's
a
much
more
constrained
problem
and
use
that
as
a
way
of
figuring
out
a
lot
of
the
details
and
getting
this
right
and
then,
if
that
goes
well,
then
look
into
mutating
the
mission.
Control
cell
does
have
what
we
need
to
do
mutations.
You
can
return
an
object.
B
You
can
return
a
new
field
that
would
replace
something
else,
so
it
is
feasible
to
use
it
to
do
mutations
at
like,
at
least
at
the
very
like
basic
level,
but
how
that
looks
in
a
yamo
object
where
you're
declaring
a
mutation
hasn't
been
figured
out
yet
so
I
would
expect
that
to
be
quite
a
bit
further
out.
Definitely
not
this
year.
D
There's
basically,
a
progression
of
complexity
with
cell,
so
individual
validation
rules
inside
a
custom
resource
were
the
most
constrained
case,
where
the
expression
just
evaluates
to
a
boolean
like
good
bad,
and
we
it's
paired
with
a
specific
schema
so
that
all
the
type
checking
stuff
that
cell
gives
you
we
could
apply
and
make
sure
that
the
the
rule
that
you're
specifying
actually
maps
to
fields
that
are
good
and
the
operations
you're
doing
like
exist
for
those
types.
So
it's
this
is
super
constrained.
D
The
like
expanding
that
to
validating
admission.
You
start
to
get
cases
where
we
might
not
be
able
to
do
type
checking
of
the
expression.
If
you're
saying
this
is
going
to
intercept
like
pods
and
some
custom
resource
as
well
like
we
might
not
have
the
schema
available
or
the
schema
might
change
in
the
future,
and
so
we
start
having
to
have
to
apply
expressions
dynamically
to
things
like
at
runtime,
instead
of
being
able
to
type
check
them
at
like
when
you
write
this
configuration
and
web
hooks
do
more
than
just
return
booleans.
D
They
can
also
like
return
warnings
and
return,
audit,
annotations
and
so
figuring
out
how
you
would
do
things
like
make
an
admission
decision,
yes
or
no,
but
then
also
like
admit
warnings
or
audit
annotations.
We
would
like
this
to
have
parody
with
other
types
of
admission
and
then,
like
james
said,
mutation
adds
like
one
more
thing
on
top
of
that
like
in
addition
to
a
yes,
no
decision,
maybe
warnings,
maybe
annotations,
you
would
also
be
including
mutations.
B
Wasm
was
an
alternative
that
we
considered
when
we
were
looking
at
this
problem
space
and
one
of
the
reasons
I
have
a
slide
about
wasm
in
this
little
deck
that
I'm
using
as
a
visual
aid
is
sometimes
people
ask
me
why
didn't
you
just
give
wasm,
and
the
answer
is,
I
think
while
wasm
is
interesting,
it's
a
it's.
It's
it's
a
very
different,
primitive
that
solves
very
different
problems.
Well,
so,
for
example,
when
you're
embedding
these
expressions
in
here
that's
just
part
of
the
yaml
and
everybody
knows
which
language
we're
using.
B
If
we're
consistent
about
it.
That
means
that
you
have,
you
could
start
to
build
a
community.
That's
pretty
familiar
with
these
and
honestly,
there
are
such
basic
c
style.
You
know
grammar
that
most
people
don't
even
need
to
like
blink
to
figure
out
what
this
expression
means
and
that's
pretty
common
across
cell.
B
If
you
were
instead
to
try
and
use
wasm.
Presumably
what
you'd
be
doing
is
you'd
be
having
some
kind
of
build
chain
somewhere
that
produces
a
whales
and
binary
which
then
has
to
go
somewhere.
They're.
Almost
certainly
not
going
to
fit
embedded
into
the
yaml,
I
think
a
minimum
go
size
for
a
wasm
bomb
is
1.9
megabytes,
which
is
already
too
big,
and
so
you
then,
presumably
what
you'd
have
to
be
doing
is
saying.
B
Well,
I've
got
this
blob
somewhere,
which
is
a
wasm
thing,
so
I
could
give
coordinates
to
it
and
then
the
api
server
would
have
to
somehow
load
in
that
blob
and
have
access
to
load
it,
and
then
it
would
have
to
entry
point
into
it.
It's
not
that
you
can't
do
stuff
like
that,
not
that
you
wouldn't
get
benefits
of
running
something
inside
the
api
server,
but
it's
a
very
different
developer
experience
and
it's
a
very
different
operational
experience
than
just
having
these
embedded
strings
and
what
we've
seen
a
lot
for
a
lot
of
use.
B
F
B
B
That
makes
sense.
So
yes,
we've
thought
about
this,
so
some
good
news
is.
The
cell
community
is
very
cognizant
to
the
fact
that
this
is
being
used
embedded
than
other
systems
and
it
affects
their
aps
surface
area.
So
a
change
to
cell
could
be
br
like
basically,
any
change
to
cell
is
going
to
be
breaking
because,
if
you
add
a
new
feature,
even
if
it
was
backwards,
compatible
kind
of
so
to
speak
in
the
language
terms,
any
system
that
doesn't
recognize
it
would
presumably
not
be
able
to
execute
it
right.
B
So
we
we
are
aware
that
cell
may
add
new
things
in
the
future,
but
we're
working
with
them
to
a
make
sure
that
we
have
ways
to
kind
of
control
what's
turned
on
over
time,
and
we
also
we're
also
thinking
I
don't
know
jordan.
Should
I
get
into
ratcheting
here
how
that's
going
to
potentially
work
or
some
of
the
mechanisms.
D
Yeah
I
mean
the
only
types
of
changes
being
contemplated
in
cell
are
ones
that
allow
more
things
than
are
currently
allowed,
like
things
that
are
currently,
errors
could
become
understood
by
cell
in
the
future
and
so
to
roll.
That
out
safely
would
require
us
to
sort
of
tolerate
the
the
more
relaxed
cell
expressions
for
one
release
and
then
allow
data
that
uses
new
cell
expressions
in
the
next
release.
So
it's
the
same
thing.
D
We
do
with
other
apis
when
we're
relaxing
validation
or
adding
support
for
a
new
enum
value,
or
something
like
that.
It's
like
a
two
release,
rollout
and
so
cell-
has
ways
to
indicate
which
of
the
features
you
want
to
enable,
and
so
they
added
something
like
being
able
to
compare
ins
and
floats
for
a
long
time.
You
had
to
compare
the
exact
types,
so
they
added
a
way
to
compare
like
an
inch
to
a
float
and
they
would
do
a
cast
and
that
there
was
a
flag
when
you're
setting
up
your
cell
environment.
D
You
could
say
I
want
to
enable
this,
and
so
for
our
case,
it
didn't
matter
because
that
happened
like
before.
We
enabled
cell
in
a
beta,
but
if
we
had
already
enabled
cell
expressions
and
we
had
to
maintain
like
one
version
compatibility,
we
could
have
used
that
feature
flag
and
cell
to
say,
like
don't,
don't
let
that
data
in
for
a
release
until
we
know
we
have
a
runtime
that
can
interpret
it.
D
The
stuff-
that's
one
of
the
one
of
the
benefits
of
doing
it.
This
way
was
that
you
don't
operationally
have
to
run
a
process
outside
the
cube
api
server,
which
is
one
of
the
pain
points
with
web
hooks,
and
so
I
think,
if,
if
we
shipped
it
or
tried
to
do
some
sort
of
plug-in
or
separate
process
or
something,
I
think
we
find
ourselves
back
in
a
similar
spot
as
we
are
with
web
hooks
today.
D
Now
in
the
development
phase,
I
actually
would
like
to
see
a
web
hooked
version
that
can
run
these
cell
expressions,
so
we
did
something
similar
with
pod
security
right.
So
pod
security
is
a
built-in
edition
plug-in,
but
we
also
compile
it
into
a
binary
that
you
can
run
as
a
web
hook.
So
you
could
take
that
pod
security
logic
and
install
it
as
a
web
hook
on
like
122
or
121
or
120
api
servers.
D
I
don't
know
that,
like
long
term,
we
would
want
to
do
that,
but
in
the
early
phase
that
that
gets
us
a
lot
faster
cycles,
especially
if
we're
just
treating
them
as
alphas
like
alpha
1
alpha
2
alpha
three
like
use
this
see
if
it
works
like
if
the
expressions
make
sense
and
if
they
let
you
do
what
you
wanna
do.
If
this
was
built
in,
would
it
solve
your
problems?
I
think
that's
a
great
way
to
iterate
quickly.
B
One
of
the
features
I
wanted
to
point
out
that
we
have
in
cell-
that's
that
makes
it
a
little
different,
at
least
for
for
serious
validation
is
that
we
allow
you
to
access
the
object
prior
to
the
update
that
you're
doing
so.
We
call
this
a
transition
rule.
So
what
that
means
is
that
you
can
not
only
see
the
current
version
of
a
field,
but
the
old
version.
B
B
A
lot
of
these
use
cases
were
possible
with
validated
admission
because
you
had
access
to
the
old
object,
but
these
rules
express
really
nicely
and
you
get
to
you
get
to
you
get
to
inline
them
wherever
is
appropriate
in
your
crd.
So
if
you're
only
concerned
with
one
field,
you
just
move
the
rule
down
adjacent
to
the
field
that
you
care
about,
and
the
rules
automatically
scope
to
that
field.
B
A
Was
going
to
ask
you
a
quick
question
jeffy,
so
you
know
you'd
ask
you
know
like
what
others
might
have
as
use
cases.
So
I
see
max
is
on
the
call.
So
one
of
the
things
that
max
had
asked
to
work
on
was
one
of
the
caps.
That's
one
of
the
areas
for
us,
that's
open
for
caption
improvement
is
how
we
configure
oidc
authentication
through
the
api
server
today.
A
B
It's
pretty
it's
pretty
fast,
so
one
one
of
the
good
things
about
cell
is
that
you
can.
You
can
pre-compile
it.
It
basically
builds
an
ast
for
you
in
memory,
so
you
don't
interpret
from
scratch.
You
can
you
can
pre-check
your
program
so,
for
example,
with
crds.
What
we
do
is
when
you
first,
when
you
first
add
this
rule
to
your
crd,
we
type
check
it
then,
and
we
won't
let
you
make
and
you
won't.
Let
me
let
you
add
a
rule.
B
A
I
get,
I
guess
one
of
the
one
concern
could
be.
Is
we
don't
know
necessarily
the
schema
of
the
claims
in
a
jot
since
it
can
be
arbitrary
json
and
then
maybe
there
could
be
some
way
to
pre-pre-warm
some
cache
where
they
basically
ask
about
the
admin
to
define
what
the
schema
of
their
id
tokens
will
look
like
maybe
up
front.
B
Cell
can
run
in
two
settings,
so
you
can
run
it
where
you
give
it
specific
declarations
of
your
actual
types
or
you
can
just
say
that
this
is
a
dynamically
typed
json
blob.
Basically,
and
if
it's
a
dynamically
type
json
blob,
you
can
you'll
lose
your
type
checking.
So
if
you
say
dot
some
field
name,
then
you
could
potentially
get
a
runtime
error.
B
If
that
field's
not
there
now
there
is
a
has
check
that
you
can
guard
it
with,
but
that's
more
error-prone
code
to
expect
people
to
get
that
kind
of
code
right.
So
that's
the
trade-off,
but
I
mean,
if
you're,
going
to
do
dynamic
value
access,
that's
kind
of
what
you
signed
up
for
so
probably
not
a
big
surprise.
So
cell
can
do
it.
D
D
A
B
You
can
mix
and
match.
If
say,
you
had
some
information
that
you
were
passing
in
the
cell
environment,
where
the
variable
names
and
the
type
are
known.
You
could
give
cell
the
types
for
that
and
if
there
was
some
field
that
was
just
json
data,
you
can
tell
it
that's
just
json
data
and
you
can
still
say
what
you
expect
the
expression
to
evaluate
back
to
you
can
say
I
don't
care,
give
me
anything
or
you
could
say.
I
know
this
has
to
be
a
string.
D
B
D
D
That
was
pretty
important
to
do
to
like
keep
the
costs
down.
I,
if
you
were
going
to
do
something
like
in
an
authentication
flow
or
authorization
flow.
That's
going
to
run
on
every
query.
You'd
really
want
to
pay
attention
not
just
to
how
expensive
it
was
to
like
get
into
and
out
of,
sell
like
the
invocation
cost.
But
like
the
complexity
of
the
expressions
you
were
allowing.
B
And
so
you
know
you
can
you
can
do
things
like
say
for
each
of
the
elements
in
a
list
do
something
and
in
the
crd,
if
you
say
the
list,
size
is
small,
we'll
let
you
do
it,
but
if
you
basically
have
an
unbounded
list,
we're
not
going
to
let
you
do
another
squared
on
that,
so
the
nice
thing
is
we
have,
and
we
have
that
in
two
forms.
So
we
have
one
where
you
can
estimate
the
running
time
cost
statically,
which
works.
B
If
you
have
enough
information
and
then
at
run
time,
we
also
increment
a
cost
counter
as
we
interpret
and
that
is
independent
of
your
wall
clock
time
or
the
machine
it's
running
at
any
any
input
with
the
same
program
is
going
to
have
the
same
cost
and
so
and
you
can
bounce
that
exactly,
and
you
know
if,
if
you
say,
if
you
say,
there's
a
bounds
and
exceeds
the
bounds
cell's
going
to
bail
the
moment.
It
realizes
that
it's
above
the
bounds
and
it's
going
to
stop
evaluating.
A
Okay,
but
I
mean
it
sounds
like
if
all
you
wanted
to
do
was
basically
say
like
okay,
I
got
the
string
username,
you
know
it
said
it
was
mo,
but
in
this
environment
every
username
is
prefixed
with
foo,
so
it's
going
to
be
fudashmo
or
whatever.
That
seems
relatively
benign
same
with,
and
I
can
imagine
validations
that
are
basically
like.
Oh,
I
see
you're
not
in
group
x
and
you
have
to
be
in
group
x
to
log
into
this
cluster.
So
I'm
just
going
to
reject
your
authentication.
G
A
B
Yeah,
I
think,
we're
very
happy
to
help
anywhere
where
we're
seeing
cell
being
used.
One
one
of
our
goals
in
our
first
couple
was
resist
was
to
integrate
cell
with
kubernetes
as
well
as
we
could.
So.
We
gave
ourselves
a
good
baseline
to
build
on
and
we,
when
we
did,
that
we
were,
we
were
making
sure
we
supported
the
our
immediate
use
case,
but
we
were
also
thinking
that
like
if,
if
cell,
were
to
use
somewhere
completely
different
kubernetes,
would
this
still
be
sane,
and
we
were
trying
to
anticipate
that
and
be
very
complete.
F
D
B
D
I
I'm
I'm
happy
to
take
a
look.
If
I
have
time.
Most
of
the
questions
I
ask
on
the
kms
and
grpc
stuff
are
like
here
are
questions
that
someone
who
knows
nothing
about
this
area
would
ask,
because
I
know
nothing
about
this
area,
so
I'm
happy
to
be
like
a
rubber
duck.
Api
reviewer,
but
I
think
someone
like
mike
would
have
a
lot
more
like
actual
knowledge
to
to
bring
to
bear.
A
E
A
D
I
just
looking
at
the
motivation
and
like
the
high
level
bits,
I'm
hoping
that
it
gives
really
good
flows
like
one
of
the
big
problems
with
the
first
version
was
that
it
was
sort
of
this
single
actor
view
of
the
world
and
especially
with
kms,
like
all
the
hard
problems
are
when
you're
trying
to
coordinate
like
three
actors
like
the
kms
back
end
and
the
api
server
config
and
the
kubernetes
api
clients,
like
those
all
three
actors,
so
sequence
diagrams
and
swimlanes.
Yes,
yes,
I'm
so
happy
to
see
those
yeah.
D
And
like
not
just
the
diagrams,
but
also
what
triggers
each
step
like,
how
does
one
actor
know
that
it's
its
turn
to
do
a
thing
like
that?
That
coordination
aspect,
and,
if
that's
out
of
scope
of
this,
that
could
be
okay,
but
just
be
explicit
about
like
this,
is
not
indicating
how
this
will
happen
just
so.
We
know
where
there
are
gaps,
because
I
think
those
gaps
existed
in
the
first
version
and
is
where
a
lot
of
the
pain
came
from.
F
A
And
you
know,
I
think,
we're
very
open
to
adding
more
diagrams.
I
feel
like
these
diagrams
are
like
significantly
more
like
once
when
you
read
the
character
like
I
don't
know
what
this
is
saying
or
you
read
the
diagrams
like
all
right
cool.
Now
I
can
go,
get
the
kept
again
and
it'll
make
some
sense.
A
A
D
A
All
right,
the
the
high
level
idea
is,
you
have
the
v2
api,
you
know
assuming
go
through
all
the
effort.
Get
everything
done.
It's
ga.
It's
been
ga
for
like
at
least
three
releases,
then
we
can
deprecate
the
veda
one,
but
on
any
of
those
three
or
I
guess
at
any
point
where
you're
comfortable
with
it
being
good
enough.
You
know,
if
you
know,
past
data,
you
could
migrate
using
the
existing
storage
migration
mechanism,
which
you
can
specify.
D
As
it
should
be,
and
honestly
I
don't
know
that
we
would
ever
drop
the
old
one,
I
think
we'd,
probably
just
freeze
it
and
say
like
we
know
there
are
problems.
This
is
the
thing
that
fixes
the
problems
like
the
old.
The
old
one
will
just
be
there
with
its
problems.
Until
you
want
to
pick
up
this
new
one
yeah.
G
D
E
A
Okay,
so
I
think
what
you're
saying
is:
not
only
would
this
thing
have
to
be
ga
for
some
time,
but
so
there
are
some
high-level
conversations
in
this
that
talk
about
how
like
automatic,
rotation
and
stuff
could
be
done.
But
it's
basically
saying
that
the
storage
version
api
stuff
has
to
be
like
not
alpha
and
done
like,
because
I
need
that
to
be
a
functioning
api
for
me
to
use
it.
So
I
think
what
you're
saying
is
in
order
to
drop
the
old
beta
api.
D
A
A
A
I
A
D
Built
into
the
cubelet,
so
that
was
what
the
pod
os
field
is
doing.
So
when
the
pod
os
says
explicitly,
I
am
windows,
then,
on
the
cubelet
side
it
actually
looks
and
right
now,
linux,
linux,
cubelets
say
like
if
you're
anything
other
than
linux,
I'm
just
going
to
reject
you,
I'm
not
even
going
to
try
to
run
you
and
windows
today
can
only
run
windows
pods.