From YouTube: Kubernetes SIG Auth 20180207
Description
Kubernetes Auth Special-Interest-Group (SIG) Meeting 20180207
Meeting Notes/Agenda: https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/view#
Find out more about SIG Auth here: https://github.com/kubernetes/community/tree/master/sig-auth
A
All right, this is the SIG Auth call for February 7th, 2018. Before we jump into the agenda, I didn't want to mention, I don't know if you're getting the 1.10 release updates that SIG Release has been sending out, but as a reminder, code freeze is on February 26th. So if there are things you are working on for 1.10 and they are not making progress, it's probably time to start pinging reviewers and getting eyes on things, starting to get things merged.
A
For designs: there was one new one that got posted. This is sort of the accompanying consumption proposal for the work that Mike Danese was doing for generating service account tokens dynamically. So this is starting to discuss how we would make use of those on the kubelet side, to be able to stop publishing secrets, or service account tokens as secrets, and start to move those out of API objects into a more on-demand model.
A
A
I'm not sure what the timeline on that was. I know we were hoping to get something at least in alpha state in 1.10, but I don't know if we're gonna have time for that. But it would be good to get eyes on the direction so that we can start to work out any issues and get implementation in early in 1.11, if not in 1.10, in alpha form.
B
A
A combination. It's discussing how you would communicate that a pod one of those service accounts open at all, so that the kubelet would go make use of the token request API and mint a token, and then also how you would plumb the accompanying data, like the cluster CA, to the kubelets, how it would obtain that information. So, yes, it's both of those pieces. Okay.
A
A
D
Background noise, you guys. Yep, and, yeah, I think we're pretty happy. He's also been doing some more. Maybe he just also jumped it, kind of like coming up with the extra stuff he's been doing. He's also been working on performance monitoring, metrics that we know we're gonna need when this thing, and other related pools, mostly around monitoring, but.
B
A
E
A
I was just, it'd be nice to know that it was actually able to be used. So, like I said, I wouldn't block on it, but it'd be nice. There'd be a nice data point. Okay, we're trying to get it done for one. Awesome. All right, and then a similar call on the client-go credential provider proposal. So this was Eric's. Sorry, this.
F
Is actually linked to my initial implementation. Everything is red right now, because I'm fighting people, but since we aren't gonna have, since the next meeting is going to be in two weeks, I would recommend anybody who wants to comment on that to comment in a day or two, when I figure stuff out with that. But the bulk is there; sort of the main code path won't change. I just need to go and fix up a lot of the build failures that I'm hitting right now.
B
F
A
There wasn't a lot of other things on the agenda, so we can move to the discussion. There's only one thing in here, a couple items here, one of which was the SIG governance template PR that's being worked on, that is kind of an umbrella template or recommendation for SIGs to start defining how they actually run, instead of just kind of running however they happen to run. But before we get into talking about that, we actually wanted to, I think David was gonna bring up something around the SIG leads first. I got, yeah.
B
B
Overall, if we can first, if I, where we come from at least a little bit, and we look at who's been really active in the area, and Google stands out as the company that has been very active. And so I think that I will step down and will highly recommend Tim St. Clair (Tim Allclair, sorry) take my place. He's been active in the area for quite some time. He has worked on PSP and drove the auditing feature.
A
So, just from a technical expertise point as well, I think Tim brings a lot of knowledge about container and node security, which is helpful to have in kind of more of a SIG lead role. That's kind of a weakness I think that he would bring a lot of strength to, in addition to just the company diversity. So I would strongly second that nomination. I wanted to hear discussion, feedback, but I would be really happy to have him step into that.
A
G
G
A
A
So as a first step, we wanted to at least get voices from multiple companies, and the assumption is that as we're working through this, if there are concerns, there's a pretty easy path for escalation. But we hope to avoid that. Right now we have been working together for a few years now, working well together, and just want to continue doing that, and all the things, we're trying to figure this out, right.
A
That's why the template thing is going on upstream, and we're working through it as best as we can, trying to be as open as we can and make small changes, and just do things in a measured way to try to keep everything running smoothly and running well. So, if there's feedback, we'll send this out to the list as well. But back around the broader discussion: if you haven't looked at the governance template, it's actually a good read. It talks about recognizing that SIGs aren't monolithic.
A
They work on lots of different areas, and different people have expertise and responsibility in those areas. And so one of the things that I think would be helpful to do, that's really excellent in that governance template, is defining subprojects and saying: all right, well, SIG Auth, what does SIG Auth do? Well, it does RBAC and ABAC and the node authorizer, but it also does security policy and audit and security context stuff on the nodes and kubelet authentication alters. It does all these different things.
A
Who are the people who have worked in those areas, if you have questions about them or have suggestions or bugs? And so just getting that stuff documented, if only so that people know who to ask about the various areas, but also to know, if you have a suggestion, who should you be running it by? Who's a good person to weigh in on a pull request or a proposal?
A
D
Know, I think that's a great idea. I think that there's some very kind of obvious, like, identity, authorization kind of breakdowns inside SIG Auth, and then some kind of way cutting those based on my notes: I control plants I'd also like. Maybe we don't want too much fragmentation, but I think there's definitely some areas of expertise that, this is obviously some people doing parts of that picture.
D
A
And we've seen some of this with some of the working groups, like the container identity working group and the multi-tenancy working group, and it's a little tricky. Like, at some point you end up just having the same 50 people in six meetings a week. But, I mean, having those as sort of focal points for big cross-cutting areas is helpful as well.
A
So as we're talking about subprojects, at least reflecting some of the working groups and saying these subprojects have direct impact on those and should coordinate with those, where we're working it out. We're trying to figure out how to define the graph that is all the Kubernetes function, and it's exciting.
D
Yeah, I also think, like, there is probably a space to be filled in, in terms of a bit more kind of cohesive strategic direction as well. Like, I think we do a bit of kind of discussion in KubeCon and we send it, kind of like talk about we're working on at this, at a kind of quarter level. I think we could also, I know some of us thinks kind of a more sort of strategically planned, I think we could also perhaps think about, I think.
B
B
A
Know, we've kind of held planning discussions at the beginning of releases, but that's typically been more focused on, like, what are people planning to go do, which is one measure of priority. I mean, I guess if it's something you're planning to go do, it holds a certain priority for you individually. But making sure that, for people looking at where to get engaged, there's a set of priorities that can be good guidance.
D
Yeah, I could see, like, you know, how do we want to push security for Kubernetes forward for, like, 20, kind of like a discussion, right? This is kind of not tied to the exact Piazza. We can kind of think we can fit into this release, kind of, you know, individual company's priorities, but kind of like, as a SIG as a whole, kind of what do we want to do?
A
E
A
C
So, as a member of the steering committee, this all seems super aboveboard, and I love how open folks are being about this. I think, you know, the default mode for these types of transitions was, you know, making sure that we get some continuity of leadership with SIGs, but also, in general, sort of to some degree, lazy consensus amongst members of the SIG. The details of that will be, you know, decided upon as part of the SIG charter or the SIG governance. So we don't have that governance in place.
C
We have a template, okay, so we can make that off of that. We don't have, you know, a definite idea of members; there's just folks that happen to show up a lot. So that's some of the stuff that, over time, SIGs are gonna have to get a little bit more locked down about. That means that, you know, I don't imagine anybody having strong objections. What if you do?
C
You know, please reach out to the folks here. I think everybody's reasonable. If you're not comfortable with that, then reach out to me or other members of the steering committee, as we sort of, you know, stumble our way through trying to get sort of more explicit ways of doing this type of thing. Since.
B
D
C
So here's one of the things that we're trying to do here, and I think this is the last discussion when we looked at this, is that, I think, to use, you know, an analogy here: we have to have the interface and then the reference implementation. So I think that the biggest thing we want to do is, like, what is the interface to a SIG?
C
What are the rights and responsibilities for a SIG that's outward facing? And some of that is: identify that people are going to be the organizational leaders, whatever we end up calling that role; identify that people are going to be the technical leaders; make sure that there's, you know, a process for determining membership and SIG leads and transition. So that's all the stuff that we're gonna outline, and then it's just a reference implementation. So I think, number one, feedback on that reference implementation is very much welcome.
C
I think, you know, Phil's been curating that doc, so definitely, you know, put something in that PR there. But other than that, it's up to the SIG to decide their own sort of way of working and how they want to split things up. And I think what we find is that SIGs tend to be, there's a lot of sort of divergence in terms of how different things work, and so we don't want to squash that. We don't want to try and make everybody fit the same.
C
A
C
Don't know, you know, one of the other things that I'm not happy about, where we're at right now, and I don't have a better solution, is Phil was suggesting that we use mailing lists as the sort of canonical source of truth for, you know, who's in different parts of memberships of the SIG. That is, you know, that kind of sucks, but, like, you know, using something like, you know, files checked in, like OWNERS files or sigs.yaml type of things, also is unfortunate, because there's no ways to actually start.
C
You know, communicate through that, right. So, if you have a members list, you know, that is the canonical set of members, or TLs, or project leads, or whatever we end up calling the different roles, having a mailing list is definitely a critical thing. So yeah, the fact that we're finding ways to try and sort of align code ownership and an.
A
I don't think there were really any other pressing things on the agenda, but I will actually go through the recording and kind of take some notes and send this out to the list. I don't normally do that, but for something like this I would just want to make sure there's good visibility on it, and make people aware of it if they didn't happen to join.