From YouTube: sig-auth bi-weekly meeting 20200106
A: Cool, all right, welcome everyone. So this is the SIG Auth meeting for January 6, 2021, the first one. I'm gonna, I'm gonna do a little different word than we normally do, because I'm gonna start with the main discussion topic, because I want to make sure we sort of see the idea in everyone's mind. I kind of want to be able to actually come to a conclusion by the next SIG Auth, which is basically what does the SIG want to do in 2021. So Tina had linked our open KEP PRs and open KEP issues.

B: I feel like it would be useful, at least for me, to walk through the open issues in KEPs. Some of those are marked as stale and I think, kind of checking in on what the status is and some idea of what the plan is for closing those out be.

A: Okay, so yeah, this one's old. We'll start with the 2018 one, API server authentication to webhooks. Does anyone remember when we got to this?

D: I believe that the person working on it changed to a different company and was not able to prioritize it or something.

B: I think this was originally filed as a blocker for dynamic audit webhooks, which have since been removed. I think the feature is useful outside of dynamic audit webhooks, but I think.

B: Of why progress on this was, er, development on this was abandoned.

A: All right, cool, so that one's there. So I don't know, this one ever got traction.

A: Okay, but I don't.
F: ...accounts, isn't this something that could be handled with custom CSI plugins? Like at some point, if we're not actually trying to come up with extensible side channels for delivering this info instead of just shoving everything through a secret, like secrets aren't secret, right? A secret is a totally uniform security zone, which anyone who can see secrets can do anything that those secrets can do. Therefore, and like bound security tokens, the principle was service account tokens shouldn't be in secrets, something like this. I think you could make a similar argument.

F: That part of it, yeah. I mean that, maybe that's the question that we could, should definitely answer is: what is the SIG Auth perspective on what, what? What is the coordination points that we extend, intend to expose for extensions within the platform for people who want to sign? Is that like a completely orthogonal thing, they have to do their own CRDs, or should they use CSR, whatever? Is that fair? Is that what you're getting at, David?

G: Yeah, and in part, I guess, if we, in my mind, I would want something like different than, than just general clients, but I guess the general client one we created would serve.

G: Well, there's already a signer name for signing something for kube client, right? So you could totally use that to make a service account cert. Yeah, you have to have something to approve it. Yes, right, I mean like I guess, I guess that could be built.

H: I feel like the building blocks for this sort of exist. I'm not sure we would want to expose this as a, like a, a bit that anyone could flip and say, give, give me my service account credentials as a cert. Like maybe, but.

F: I'm not sure, certainly we would need more reason to do so. After bound service account tokens and some of the, like. It should be possible to show this working without us having to make a code change today, and it wouldn't be as smooth as you want, and I kind of agree with, like, I would like to see bound service account tokens, like, let's dramatically reduce the surface area risk of secrets on platform security before we introduce a new point of concern.

D: There's another aspect to this KEP, which is serving certificates. Bound service account tokens only solve the client authentication side of things, is.

F: Okay, and honestly, like, so I had been like talking with a few people in the community on things like, how would you do service account, like identity across clusters, and like there have been a couple of KEPs and like some of the secret stuff has also touched it, like this.

B: Can I suggest that we take this discussion offline in the interest of kind of getting through more here? I think the, the issue I linked, we have talked about this in the past and decided that it needed more evidence, and it looks like someone went and wrote up a KEP for this without.
A: Okay, so I have not been around for a bit. Has there been movement on this external TLS cert thing, aka I want to shim in my HSM design stuff?

H: This seems like the server side version of the client side request signing bit, which I think ends up with us redefining a, like an X.509 TLS API, which I'm not eager to do either client side or server side. I kind of like the idea of proxies. Like proxies are a thing and the API is the HTTP API, proxy API, and if you want a client-side, you do it client-side, and if you want server-side, you do it server-side.

A: I'm curious because the folks that proposed this, you know, they did a presentation to us and stuff, and they seemed like they were looking at it for like some work they were contracted out to, so I came up with something for their employment purposes, but they have not responded in any of the comments. So I'm just kind of curious if they, because I think we had recommended, what is it, the new proxy field, proxy URL, that was for the client side. Yeah, yeah, well, well, this one is, this one is purely client side.

A: This KEP is all about the client, the, the request header proxy lets you basically do anything you want on the server side, if you, if you want to.

D: Yeah, I didn't understand the requirements other than somebody asked me to do exactly this, and I tried to get clarification on first the issue and they didn't reply, and they wrote a KEP, and then I pasted my comment on the KEP and then they didn't reply to it. So I still have a lot for this specific implementation, I still have a lot of clarification around.

D: Don't know, did we say that this.

H: I said it, I wasn't here, I, I guess I, I was wanting to know what, what was needed that wasn't covered by a local authenticating proxy, and like were there, were there things that we could do around the client-go and kubectl talking to a local proxy, like making it a proxy on a unix socket instead of an HTTP proxy, or like where there's.

D: I think we violently agree with each other, then, because that's also, I guess I was calling request signing assuming it was out of kubectl and out of core, and we had some like proxy mechanism to local socket, I would say. Is somebody actually working on that?

H: The, so when we, a couple meetings ago, the folks who were talking about the request signing stuff, they had the action item to go try it with, try it against a proxy and like see if there were blockers or issues that prevented them from using that mechanism, and to sort of let us know if there were things that we could add to client-go.
A: Think I have the general sense that I would, I agree with Jordan that we should not just leave this open, and if the desire is, please go try a proxy and report back to SIG Auth at your leisure of what did not work well, which I suspect probably there will be something. At the very bare minimum the UX might be bad, and then we can make a new KEP for fixing whatever is not working. Do folks agree?

H: It's really easy to reopen a thing. I, if there's a clear sort of path of exploration that is not "implement an external TLS signer", I would direct towards that, and if that turns out to be impossible, we can resurrect this or open something more targeted based on the results of that exploration. I will take the action to summarize that.

A: Does anything need to happen on the, so I had opened this issue a while back just to talk about request signing specifically and not just like TLS offload. Does this need anything? Are we, are we just waiting for someone to go try this?

H: I think the, the outcome there is probably pretty similar. Like we didn't really want to define an API that pulled all the relevant bits of a request we thought would be important and then discover, like, turns out you also need the body, turns out you also need, like, TLS information, turns out you also need, also need, also need. And so I think the summary here is: use the proxy mechanism, if that doesn't work, come back with the gaps and we'll work on specific proposals to address those gaps.

A: Yeah, I guess that's fine. I'm thinking, I guess in the summary, I guess we should be open to things like extending kubectl to support proxies over, like, a unix domain socket, just as an option. That way, if someone is interested in writing a KEP and doing the work for that, they're not discouraged from trying to improve that bit of the proxy flow.

A: Okay, awesome, all right. I think so we covered the PRs because there aren't that many and this one's not ours. So if we go to issues, radiation is good.

A: We have a lot more issues. Do we need to talk about PSP at all? I feel like we've beaten this thing, I.
B: Do, Tabitha and I were talking a little about timeline for this earlier. The, I think the deadline for enhancements for 1.21 is in about a month, and it seems somewhat unlikely that we're going to get to consensus on this in that time.

J: Yeah, I mean ideally it would be cool to have an alpha for a replacement, but that would depend on a lot of things happening very quickly in an area where things have historically not happened very quickly. So, so I'm concerned that it would be cool but not realistic to ship an alpha of a replacement in 1.21.

J: Is, yeah, yeah, which is, which is why I led with the ideal, would be to actually get a KEP in before the enhancement deadline for 1.21, and so like the, the current thinking is we will try to do that, but, but realistically acknowledging that, that there's a decent likelihood of failure there, even knowing that the conversations.

H: Are going to take a little time, having the design out in the next two or three weeks so that those can start, even if they end up taking a month or two. Like having the design ready to review within the next few weeks is the only way we're gonna get something actually approved by, even by the time 1.21 ships. So yeah.

A: Okay, so as, as a security person representative, what is your stance for like next to god? Could there be a rough draft of a KEP open, so folks could, like.

A: Okay, all right, okay, I think that's good for PSP. I don't know what this is.

B: That's maybe more of a SIG Net issue than a SIG Auth issue. I think it's, did it make it to stable? Does it just need to be closed? I can take an action item to follow up on that.

H: I think the only remaining question was whether we wanted to try to get some sort of approval mechanism in place. So right now the kubelet will rotate the certificates, but it will not, there's nothing in-tree that will approve those certificates, because we don't have knowledge of what DNS names the kubelet is allowed to have. The last question was whether or not that was required for GA, so we kind of ran out of time for 1.19 to think about that. So the API was completed, but nothing was done for the approval or moving this forward.

H: If we don't add an in-tree approver, then I think this is probably unblocked for GA, but it's, it feels sort of half baked as a, as a consumer of it. It's like, here's this thing, but I have to write my own controller to use it. Although, to, in that way, it's not that different than like Ingress or, you know, some, something that's mostly an API and you bring an external controller to it. So maybe that's okay. I have had a lot of conversations with people who said so.

G: But for service accounts I see it, I buy it.
A: So this is the exec plugins. Let's see, Andrew, I know you're working on the tests for this right now. I think that's really it, right? Get all the tests working, actually get proof that this is a functioning feature, promote to GA.

K: Yeah, I wrote down tests, metrics, existing usages, which you brought up, maybe some documentation, making the v1 struct, and so.

H: The trickiest bug I know of is the one about spawning a million clients, and to create a client that it spawns like 45 different clients from config, and each of those has its own, like, background rotation loop, garbage collection thing. Anyway, that, I think that needs to be resolved.

H: So this got decomposed into three distinct things, so we could phase them in safely. So TokenRequest, the API itself, and kubelet integration went GA in 1.20. The making the root certificate bundle available went beta in 1.20.

A: Okay, is anyone actively working on making those things happen?

H: Yes, Jihong did all the work in 1.19 and 1.20 on this and he is continuing to drive that. Okay, awesome.

A: Oh, just this is the TLS upload for the, the service account tokens and such, micro. Are you doing.

G: It is beta, and I've been trying to think about how to write an e2e test for a configuration that can never happen, requirement for GA, yeah. Our e2e tests don't set up nodes with invalid kubelet certificates, which makes it really hard to write an e2e test for, but to my knowledge that's the only thing blocking it.

G: I've used it for my own purposes, but yeah, I'll find the integration test, I'll link it, I'll explain why, and I guess I'll update the KEP so you guys can take a look in the sun.

B: Yes, I think that has a timeline on it.

B: I'll follow up on this offline. There's kind of two different pieces to this. One is some changes that already went in for making the kube, or making the node the controller on mirror pods, and I think there's a follow-up to make that required after enough time has passed. I can't remember where we stand on that.

A: Yes, Michael's on the call. Jordan, you have a sense for where this is?
B: Question, are the labels on these issues, the stage label, is that's the stage it's currently in or the stage that it's targeting in the milestone?

A: Yeah, who is able to make sure Michael is working on this anymore?

D: Yeah, we did the API review and code review. The notes are linked in the doc. A bunch of issues have been fixed, not all of them, and nothing really seems insurmountable, especially for an out of tree project, so I would say I'll go through and kind of summarize what the.

D: I would, I would move towards just approving this and giving them their repo. They already have a repo, it's a giant mono repo. They want a specific one for HNC. I don't see a problem with finishing this up. So this is for the multi-tenancy working group.

G: That was gonna be my question, so because it was, because it was API reviewed, we're thinking this goes into k8s.io instead of, was it x-k8s, just to save them future pain.

H: I don't know, I don't know if they want to, honestly.

G: I would, I would try to, they get a choice, right. If you do the API review, they can decide what they want to do in the future, but just when they come in, if you can make sure they understand the trade-offs of that.

E: Choice: hey guys, I'm Ryan, working on HNC, so I can answer anything.

H: You can just tag David and I, you could do it in Slack or start an email. Basically, you get to pick which API group, and their implications, and be good to make that decision knowingly instead of just stumbling into one.

D: No, it, it'll keep chugging along. I don't think this is at risk of stagnation at this time.

C: Okay, so no follow-ups is on here.

A: Let's see, yeah, so we went over the stuff that's open, so we got about 10 minutes left. We could possibly do the demo if we want to, or if folks would prefer to just sort of talk about thoughts for the next year, and we can defer the demo to the next time.
B: Okay, for 2021 planning, I would say everyone just kind of think a little about what you would like to see out of the SIG beyond.

B: The KEPs that we just went through over the next year, and then maybe we can grab some time to talk about that in two.

M: So one of the things, you know, we've been doing with Kyverno and, of course, OPA Gatekeeper has been doing the same, is we support policies for pod security, and the question really is: what do we, you know, tell users as an interim solution? So if PSPs are being deprecated soon, until we have the replacements out, what are the guidelines, and how do we, you know, kind of put something out which users can start using today for their pod security, right?

M: So what I can quickly show is what the user experience looks like if you're starting pretty much, you know, without Kyverno. You want to install Kubernetes, run these, and then we can try running a workload and, and see what that looks like. So to install Kyverno I'll just go through, you know, command line installation.

M: Yeah, so currently, let me just make sure I'm not running Kyverno here. Yep, so that's good. I'll just go ahead and install from the YAMLs, and at this point I should have the Kyverno namespace, I'll have some pods running in there, but no policies, right? So the next step would be, I want to install the pod security policies to at least get the, you know, recommended level of security.

M: Once kustomize does this thing, and so if I now do so, cpol is the short form for cluster policy. I see I have a bunch of policies, they're all set to enforce mode. So Kyverno has two modes, audit or enforce, and enforce will block requests, right? So now, if I try to run a workload, I just have a very simple nginx workload here, so I'm going to try and run that in the cluster. We'll just do create -f.

M: So in this case the one policy it violates is, you know, running as non-root, so that's what got flagged from the restricted mode and it blocked the request, right? So, and the interesting thing is, the policy will work on all of the pod controllers. So in this case it was a deployment, and I can just, for reference, I'll show what the policy looks like. If we go back into Kyverno in the docs, we have this policy documented.

M: So I think that, you know, we just wanted to demonstrate this and show what's available. The other question we had, and I think there's a, there was an open PR on this, is, you know, do we, I guess just thoughts, and you know, should this, something like this be referenced from the pod security standards, as well as, of course, if OPA Gatekeeper has similar implementations? And the other question I had is, you know, if there's any way we can get some help in auditing and going through these policies?
M: So maybe on the, yeah, the pod security standards itself, I mean right now we have a link to the PSPs, but what would be, and Tim? I think we had some discussions on this and there were some comments on the PR where the, the folks managing the documentation, right, where they thought perhaps it wasn't the appropriate thing to do to link to a project like this. So I don't know what the alternatives are for that.

B: Yeah, I haven't followed up on the PR to see if there's more updates there, but I think I, there's some disagreement between us about whether we should be linking things like this. Personally, I would like to see these projects being linked from that standards document, because the document.

B: To most users, and I think the implementations of it are a lot more useful. I would also like to see a Gatekeeper implementation linked there as well, right?

G: I think this came up with the docs folks once before. I remember the PR that tried to remove every reference to the Google cloud provider stuff, like, so, so they've gone through before, and even though the projects were open source, they didn't want to directly link, and again it was a utility thing, like, how useful is this if you can't find an instance of your cloud provider? I don't remember how, whether they created some, some reusable policy for how to handle the.

H: Situation, they did. I can try to find it and link to it. Apart from just the mechanics of, like, whether it complies with guidance around the website, it would be helpful to have like a rationale for what's included in the list, and Jim, I think you, something you said in terms of review or, you know, eyes on a particular implementation.

H: I think we had talked at one point about having a test that would basically say: does this control actually, right, limit the things that are defined in each pod security standard? Like, does it keep you from creating a pod with run as root? Does it keep you from creating a privileged pod? So if we had that, that would be a pretty, there wouldn't be a lot of, like, judgment, like individual judgment, kind of judgment call stuff. It would be like, does it pass the test suite? If so, and maybe, does it?

G: That would be a little bit closer to what we had for the client levels. Remember the client level, people were trying to write clients in Java and Python and all, Daniel and I came with a list of, like, you need to be able to support reading a kubeconfig, you need to be able to support these operations.
B: Make sure, we had talked about integrating this into the multi-tenancy benchmarks in the past. I think I almost feel like a starting point could just be to, I'm not sure exactly where this would go, maybe just on the website and link it through there, but a directory of a bunch of pod manifests that can be dry run and say, you know, these pods should be created, these pods should be rejected in a namespace enforcing this policy.

G: Well, it depends. Some restrictions on what kind of pods get created are also based on who creates that pod. So we use this in OpenShift with our SCCs, where whether a pod gets accepted or not is also dependent on the power of the user requesting that, and we make use of that feature to be able to run things that have very constrained pod profiles from controllers. So the controller itself gets elevated to create just what it can inside of a namespace where the service accounts don't have those privileges.

B: You know, against that namespace, or you know, get the admin to impersonate the user they want to test, or if you're, you know, in the case of something like the Kyverno demo we just saw, you can say, well, okay, set it up with the policies applied to one namespace, or I'm not sure exactly how the binding works there, and then, you know, verify, verify it. Maybe you could even integrate it as an integration test in Kyverno.

M: Yeah, so maybe as a next step, I, I'd be happy to, you know, see if we can map each one of, everything listed here in the pod security standards to a set of YAMLs, because if that works, that, that would be the easiest, and then we can, yeah, if there's more mappings or control required, either based on user or namespace.