From YouTube: Kubernetes SIG Auth 20180124
Description
Kubernetes Auth Special-Interest-Group (SIG) Meeting 20180124
Meeting Notes/Agenda: https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/view#
Find out more about SIG Auth here: https://github.com/kubernetes/community/tree/master/sig-auth
A: [no transcribed text]

A: We had a short agenda which is getting longer as we wait. So let's go ahead and jump in and see where we end up. There weren't any new pulls referenced, though I'm not sure that's accurate; trying to think what's happened since last time we met. There was one update which, for people who are doing the audit work, interested in the audit work: the RBAC authorizer now returns the reason why a particular request was authorized, including the role and role binding and the subject that allowed the request, which is handy. We're looking at pulling that information into audit logs. There's a pull request to do that. So there will soon be more information in your audit logs if you're trying to figure out why a particular request was allowed, which is nice, and when audit hooks up to include that, that would also bring back reasons that were returned from, like, the webhook authorizer as well.
C, B, A, F, A, A, F, F: [no transcribed text]

A: And what's the source of these annotations? What do you mean by the source? So the annotation is a hint to something, I guess an admission plugin, that says: if you want to exec or attach, or, you know, change the image of, or in some other way access the innards of a pod that has one of these annotations, run these extra checks. Who is setting those hints on pods, so.
F: The creator of the pod. So it's something like, if I am running in a namespace and I want to use a Google service account with a pod that I'm running, I would add that Google service account as an elevated annotation field on the pod. I would run for create, and, you know, I'm the specific: am I allowed to run a pod in this namespace? The admission controller would dispatch another subject access review, which is: is the user allowed to use this specific validated annotation? Okay.
A: [no transcribed text]

F: The Kubernetes ID token private claims to propagate the validated annotations in the standard in arguments to a flex volume, and also the external system could read the Kubernetes API server directly, and the external system would have to say: a pod is only allowed access to this specific, whatever the annotation refers to, if it is running with that validated annotation. Okay.
B, A, F, F, A, B: [no transcribed text]

A: I don't know, it seems like we're... You would need to express two things. One is the external credential or thing that you wanted access to, and then also a generic way to pair that, or express that, as a subject access review. And the second is the thing I'm unsure about: whether you can map every type of external credential you're going to want to request access to, to a subject access review. I...
A: [no transcribed text]

B: You're already implicitly giving the kube authorization system a lot of power by your ability to create pods, and then, if you're gonna use that information to say this pod in this namespace has this access... So I think it's just moving one more of that piece potentially into the kube policy world. Potentially, if you would like.
B: [no transcribed text]

D: I think seeing it prototyped out using something other than core kube to do that, prototype with, would make it a little bit easier to see both exactly how you would use it and how it would be written, that there are... You can look at access to a pod in terms of, if I grant... If you have access to this pod in this namespace, or any pod in this namespace, you just have access to every unit namespace, and this, it feels like it attempts to subdivide that.
F: Well, so the problem is that indirection through the namespace, I sewed... The alternative to this is to force people to adopt that indirection, and I... That's... The specific worry here is the actual credential. We don't... We care less about the services that point to a pod, any other resources; specifically about access to the credential. And the alternative is: adopt the namespace indirection, and that's just how Kubernetes works.
F, A: [no transcribed text]

A: The versioning elements of the design are lifted pretty directly from the way the kubelet has its gRPC API versioned, and I was hoping that someone with a clearer picture of how that would actually play out, if we needed to bump the version of this, would work. I don't have a lot of experience with how gRPC is versioned in general, or how the kubelet is planning to version its API, and so I was wondering if someone else did and could explain that.
D, A, C: [no transcribed text]

A: Appreciated. Can we get someone to tag people into that, so we can get that... they'd like to see that in.
A: [no transcribed text]

A: So if there are opinions, and ideally opinions backed by precedent and consistency with other things we're doing, those would be welcomed in the pull, and we'll try to get that closed out with the API review and approval process. All right, client-go auth provider proposal. Eric, you want to get serious? Yeah.
C: [no transcribed text]

C: This has gone through a couple of iterations of the proposal. The thing we've sort of landed on is that they will be structured with an output to the plug-in, so the plug-in will receive some structured information about the runtime. There's nothing explicitly provided, or there's nothing proposed about the idea, but the output will also be structured. So the output will expect a JSON-structured thing with a field called token. Then it will be used by Franco.
C: [no transcribed text]

C: Questions about if this could be used to... So there were some comments that a lot of people use bastion hosts before they allow people to connect to the API server, if this could be used to help expedite some of those. I said I don't think so initially, but I haven't given that a whole lot of thought. Now, I don't... that.
C: [no transcribed text]

A: The call pattern seemed reasonable to me. The format of the structured data we provide and the structured data we receive: I don't want to under-specify that, but I also don't want to over-specify it. So can we come up with some minimal thing that also seems like we can support and extend if we need to?
C: Yeah, so the input has zero things specified, so I don't know if that's under-specified too much. The output of the plug-in is just sort of flat fields right now. We could potentially have something like a spec, or have different types of things, but we go into a little bit further how we might extend this to x509 certs. I think that gives a good idea of how the plugin will evolve, how the API will evolve.
A, C, A: [no transcribed text]

D: As I recall seeing it, you hadn't set up, so it was going to be JSON-encoded JSON inside, was the way it was specified. Yeah, okay, I'm not saying I want to do that, I'm just... So it seems like we have one thing at least put there. We have to indicate to the plug-in whether it is the "I'm calling you on first initialization", or "this is the HTTP status that I got back from my failed request", right? So you have at least one thing to spec in there. Yeah.
E: I'm actually not sure how much there is to say here. We want to bring advanced audit logging to v1 in the 1.10 release. There are some few open issues, but I think the general consensus, at least among our team, is that most of the remaining features and work can be done in a backwards-compatible way post v1, and isn't critical core functionality that we... I.
A, E, E, E, E: [no transcribed text]

D: There were two of the things that occurred to me. One was working with aggregated API servers like the Service Catalog. I think I saw a comment from Stephan saying arguments are all there, and it was short, like, a way to specify what server it originated from, which is a problem I'd like to see resolved. And then I remember seeing an issue a while back where someone wanted to be able to add, like, almost annotation information on the audit event to indicate the PSP status and not PSP, as like.
D, E: [no transcribed text]

D: The shape of our other hooks, right, I'm thinking about, say, the admission hooks in particular. They end up having a tree, but this does, and something like the: what server does this come from? That's gonna directly affect all the sink behavior, right? So it's not that it isn't additive from an API side, but it does affect.
E: [no transcribed text]

A: The question is: does it fall above or below the feature? Do we... is v1, like, feature complete, or is it Minimum Viable Product? And I think what we have now is kind of Minimum Viable Product, and there are a couple pretty significant things before we would say, yeah, feature complete, like you can actually trace something across servers. And so, yeah, where do we want to draw the v1 line, I guess.
D, E, D, A, A, E, E: [no transcribed text]

G: So it's sort of like self subject rules review versus SAR, to be able to ask what can a user do across the namespace, all the things. Logically, the use case we have is that a SAR doesn't work in this case, because we have to ask a lot of questions, so, like, it becomes unreasonable when you have to do, like, 20 SARs to answer a question. So I want to get people's ideas on, like, something you would want. Well, it ends up being.
G: Is, you do a SAR, or sorry, a subject rules review, and then you do a logical coverage check yourself to make sure that it covered what you wanted to actually know. So it doesn't fully cover making it a nice, like, entry point, moderately, but it does allow them to actually do it, if they're willing to do the covers check. Well.
D, B, C, C, B: [no transcribed text]

G: Well, I guess we have this coupons riser, but we have some brokers from service catalog that run sort of very arbitrary code, and they like to check the privileges of the users for invoking requests against them before running random things on their behalf. And since they don't necessarily know, it can't easily do, like, checks of, like, "you get pods" or something, or anything like that, so they get more of: are you an admin in the namespace? Yes? Okay, I'll do this thing for you.
D: The concept of, well, what can I do? It is useful to be able to do, right. It has a similar bearing to what the initial subject rules review that Eric made was for, right, like it was a case of: web console wants to look and decide which button should I enable here. I'm not authoritative, but if you can't do this, I shouldn't have this button, because I know it's just never gonna work. And this is the similar sort of thing for a user just saying, but what can I do in this namespace?
B: I would still argue that the web console should use a bulk subject access review. It should say: I want to enable buttons for these four actions, so I'm gonna ask about these four resource/verb combos and evaluate, you know, yes on list pods but no on create pods, as opposed to saying tell me all of the permissions, and then I'm going to iterate through that list and figure out the ones that I actually cared about. What I think that is still super useful for is an auditor that's gonna say, you know, this person's credentials were compromised.
G: [no transcribed text]

A: Especially in the case, like, imagine you're using a webhook authorizer that doesn't actually instantiate its policy, and so it's not going to be able to return a self subject rules review, like it's not gonna be able to enumerate all the things. Yeah, I... If you are going to use this to gate the user from doing things, then I want it to be server-evaluated.
F, A, F: [no transcribed text]

F: I didn't necessarily want that. I just thought that it was a possibility, and the more I think about, like, actually partitioning that keyring, the more I don't want to do it, so, yet. But I think that questions like that can be continued; we can continue to discuss questions like that on the actual API change PR, if everybody thinks that there's nothing glaringly wrong with the proposal.
F: Yeah, so I had... We will continue to accept JWTs without audiences, to support the legacy ID tokens. I had commented, and I don't think anybody responded, that I was going to first use the Kubernetes service account DNS name as the audience for expiring tokens in the token authenticator, and potentially, if people were interested or it was desired, we could configure the authenticator to expand the list of audiences that the token authenticator accepted.
F: [no transcribed text]

A: I'd like to see, like, a sample request and response, and kind of the: here's, hyper question, experiment, here's a request and a non-expiring one, who's hired with cost one for the API and for someone else. Okay, it seems like an example flow is useful in the proposal, and then, if, like, a field name changes or something, that's fine, but it's just easier to reason through, like, how would this appear and work from the outside before we get into the code. I will take that.
F: As an action item, to add that information to the PR, and I'll ping you guys when it's ready. Did you guys want to discuss... I think we can discuss expiring and non-expiring on the PR, that's small enough, but I wanted to get your feedback on the versioning of the subresource. Is this a nut we have to crack before we get token request in, or, well.
B: [no transcribed text]

A: My inclination would be to have a v1 that matches, and then, if we want to iterate or change the structure of it, we do that in a group, if I'd beta version. The fact that this doesn't persist anything is nice. We don't have any data in etcd we ever have to store or migrate for this, so it's purely a functional API that we would have to maintain, and that doesn't seem too burdensome.
F, F, F, A, C: [no transcribed text]

A: Well, there hasn't been a really concrete proposal about how we change the flow from self-reported to self-reported-but-unverified or externally reported. Okay. So there are two sides: one is getting the kubelet to reorder how it starts up and where the serving portion of the kubelet gets its address info from. But the other part is making sure that the information is in the API so that we can transition smoothly from this self-reported world to an externally managed and verified world. So the...
A: I would like to not block solving this on initializers, whose fate is done. Certainly at this point, initializers also don't help us with migrating existing nodes, so I would like to represent the verified or unverified, or self-reported or non-self-reported, however we want to phrase that, nature of kubelets' addresses in the API, and then that lets a particular deployment decide: you know, I don't care about self-reported things, just give them whatever serving cert
A: they want. Or a cloud-provider-managed deployment to be able to say, nope, only give serving certs to things that the cloud provider has come in and said: yep, that's the right address. I think initializers are... it's not clear that those are going to be functional in the time frame that we would want the TLS serving stuff to be.
F: Progressive. It also has occurred to me in the past that we can... we can happily solve some of this outside of Kubernetes, in the signer implementation. So, for example, like, GKE doesn't do this, and we don't really plan on doing this, but if we really wanted to get serving certificates that were signed by the roots in GKE clusters, we could have the signer, on a request for a kubelet server certificate, validate against GCE APIs that the IP addresses were what we expected them to be. Or the approver, actually.
A, F, B: [no transcribed text]

F: The thing that the signer can do right now that the approver cannot is it can modify the certificate template before it is signed. So it can do stuff like add SANs. I don't know, did you guys see the question from somebody on the sig-auth mailing list recently about their experience working with the certificates API?
F: So this is kind of like a similar case, where kubelet should just... it's possible that, if we implemented this functionality, there could be a world where the kubelet requests a server certificate but does not specify in the CSR any specifics about that server certificate, and we allowed the signer to fill in the gaps.