From YouTube: sig-auth bi-weekly meeting for 20201028
A: Hello, everyone, welcome to the October 28th meeting of SIG Auth. Got a couple items on the agenda today, so 1.20 code freeze is approaching and let's figure out what we need to review and get done before 1.20. So, pulls of note. I think Jordan pointed these out: credential provider extraction.

B: Feedback from the maintainers of the more, well, of the existing in-tree providers, which is good, and there are reference implementations that show that this will let us externalize the Azure and the AWS credential providers, and Walter has been involved on the review, and the GCP credential provider is simplistic enough that I'm sure that that can be externalized as well. So that is what I had asked for, and that is good, and so this is on my list to review this week. Andrew set up a meeting on Friday to go over that. So.

A: Is this an alpha API?

B: Perfect. I pushed for sort of more rigor around it just so that we can hopefully get a single release in alpha and then go to beta. Like, I didn't want it to be like we release alpha and then realize, oh yeah, this doesn't work at all, like we tried to externalize this and it didn't actually work. So I'm pleased with the amount of engagement there's been with the people we expect to be using this right away. So that's good.

A: Awesome, do you need any help, or do you expect this to go just fine for 1.20?

B: So what this lets an exec credential provider do is say, I want information about the cluster, so like the hostname, insecure status, CA data, stuff like that. And yeah, the really the only notable changes from when Mo was working on this last release are that receiving cluster information is opt-in, so we're not going to like send a giant env var full of CA data to existing plugins unless they ask for it. Okay, and we settled on including the insecure preference expressed in the kubeconfig.

B: The way I sleep at night with that is that this would let a strict credential provider refuse to return token credentials if they were going to be used insecurely.

B: More realistically, it means that exec credential providers that connect to the cluster will do so using the same level of security that the kubeconfig is set up with, which, eh, if they're going to give back a token and then kubectl or whatever is immediately going to turn around and send it without verifying TLS, like is that that different than... yeah, anyway. I say the right thing: a strict thing could refuse to return tokens for insecure purposes. So.

D: Yeah, for this one, six extraordinary has reviewed and approved, so right now we need the API and let's take off the review.

A: Okay, I'll do the SIG Auth code review. Do you want to just review the API, Jordan?

B: Yeah, I'd like to get... did, did Michelle take a look at it from the API side or just from the storage side? Do you know?

D: He reviewed something, guys, I like that. I related code and.
A: All right, those are the pulls of note, and then for the discussion topic we have the beta/GA stuff, and I think we were trying to figure out whether we would make some flags required as part of GA or beta. Yeah, and trying to decide whether it would be part of the GA or the beta, even though they're happening at the same time, so the end result is the same.

B: Got two features: one is the ability for the API server to mint tokens and for pods to opt in to asking for projected tokens. Like, that's one feature and that's been around for a long time, and they're like, that's a new thing that pods would opt into, and so it's a lot easier to graduate that and not worry about breaking existing pods that aren't... time to get into that.

B: I think it's reasonable to enable token requests to GA in 1.20 and require the API server to have those arguments and have a conformance test for it.

A: Okay, so the features becoming required will be part of the GA. I think that is desirable. If you say that that is okay, I don't know what considerations we have around a command line breaking on update for kube-apiserver.

B: I think if we, if TokenRequest graduated to GA but remained opt-in, I would expect the deployment mechanisms that we have influence over, like kubeadm and kube-up and the CI deployments, I would expect us to start enabling token...

A: Yes, I can check kops.

A: Right, that's kind of the sticky point for me, but if you are okay with it, I'm definitely okay with it. I'm just trying to play devil's advocate. It... that.

B: So practically what it means is that kubeadm can start configuring these signing-key arguments and it doesn't break the conformance job that runs with all beta features turned off.

A: So, okay, so there is some benefit in graduating these two features, yeah, to GA without enabling them, and then I guess the...

B: Yeah, I am on the fence. I could see requiring them. I think it's better for consumers to be able to write, like, portable pod specs and say, like, I can use a projected token volume and, like, my pod will work and I don't have to worry about how the API server was configured. So I see benefit to making it required.

B: So there was discussion with the cluster lifecycle folks. I think I would probably reach out to the main deployments that we know of, kubeadm, kube-up, maybe some of the clouds, and like do a check of, like, if this has been optional, it's been on, here's how long it's existed, here's how it's been tested, like this is the forward-looking plan for service account tokens. If this became required in 1.20, would that be problematic?

F: All right, I have one question, the require... Okay, so I guess the questions are on the testing and the requirements, like having the flags on versus the implementation. If I set the issuer to a URL that's not the cluster, then how does that change conformance, right, like, or how does that affect conformance?

A: And this is already turned on in AWS, right? Yeah, which...

B: Yeah, the degrees of freedom we give configurers, the players, there we go, in terms of like setting the issuer and setting, you know, the location of the discovery documents for these things, like those degrees of freedom are intentional, so conformance isn't going to mandate like a particular issuer or a particular discovery location.

B: The question is, if we add a compliance test that requires this API to be present but leave the flags optional.

B: That's the difference. Like, we need the deployment mechanisms we use in CI to set up the servers in a way that they will pass conformance, so things like kubeadm and kube-up, but we have the option to add a test to conformance and say, this is what you need to do to be a conformant 1.20 cluster, and then people who want to run API servers differently, say, you know what, I really don't want that token API, for whatever reason, can do that. They just don't pass conformance.

B: Yeah, so I would push for a conformance test and I would push to configure it in kubeadm and kube-up, and I would want to know if the main deployment mechanisms and deployers have concerns and weren't planning to enable this for some reason. Like, if they weren't, that would maybe make me rethink this or try to understand what those concerns were.

B: But leaving the flags optional, fixing kubeadm and kube-up, and adding a conformance test, to me seems like sort of a nice middle ground where we don't hard break you, but like we're pushing in the direction that we need to be to improve service account tokens long term, with conformance tests and with our reference deployments.
D: What the result of the AI will be, so if everybody says that it's not available, I'm going to make you required, or still like different too.

A: Yeah, so if it's unanimous, this is fine, I'd say let's do it. Yeah, let's do it now.

B: We're good. We need to reach out quickly. This time is short, but I think we can make progress with the GA promotion and the conformance test and the bound service account token bits, and then make sure, yeah. This bit is basically a single validation check at startup, and so that can be a late-breaking call based on the feedback we get.

B: Yeah, oh, I did want to just call out that we have a working upgrade test exercising this, which was like a herculean effort on Xiang's part, which, thank you so much, and I'm so sorry that we didn't have like a reasonable framework for you to use. But they got upgrade tests working again and added a test for this. So if you open up the CI test grids link, actually...

B: An upgrade test which is exercising, like, upgrading a cluster from using the old style, like running pods with the old style of service account tokens, doing a cluster upgrade and enabling this feature, making sure the old pods that had the old tokens mounted still work and a new pod that uses the new style of token also works. So thank you. Thank you. Thank you. Thank you.

A: I mean, looks pretty healthy now. Yeah, anyway, awesome, nice work, Xiang. See you getting suspicious.

B: This isn't really for discussion here, but if people missed it, there's a thread in SIG Architecture around label metadata policy stuff, so I will drop a link into the agenda. But there was a mailing list thread and it got brought up in a meeting and no one was really ready to talk about it, so it got kicked to the next SIG Architecture meeting, but it's probably relevant to the interests of people in this group. So.

G: But yeah, it's currently on the agenda for next meeting.

G: Another announcement, I just came up on the sig-auth Slack channel, but we haven't talked about pod security policies in a while, and there's still a lot of open questions around the future of that.

G: So I'm going to take an action item to try and write up a summary of everything we've talked about today, and then next sig-auth in two weeks we'll reopen that discussion and try and figure out a path forward.

B: These are the ones that I was looking at. I wasn't sure where these surface, but they seemed like 25 to 50 percent flaky, which is not great. Does this dashboard get looked at in the CSI secret driver meeting? Do you know?

A: Is read on the call?

B: Percent. Oh, I forgot to update our queries. We have triage, like needs-triage, labels now. Maybe I'll go do that before the next.
A: Do exec requests go through admission webhook admission?

A: Ignition PSP.

G: Was just annotations. I was just digging into this issue. It looks like maybe this was a regression that broke the annotation validation when seccomp went to GA in 1.19, so we translate docker/default.

G: Yeah, is this... it was unclear to me from the error here if...

B: Regression, can you either look at a fix or work with the person who did the seccomp graduation?

G: Yeah, I'll assign it to them and leave a comment with us what needs to be done. Thanks.

H: Of dealing with issues, thank you all for being well, we're on a break. Do you remember if, can I, can a pod exec map in RBAC to either a get or create, or is it also an update?

G: Yeah, sorry, I was still looking at the second thing, so this, I was kind of thinking more about the redirect vulnerabilities that we had. I don't even know if I can call them recent at this point, but, and how we would be able to identify those, since they would show up as totally new requests in the audit logs, and if we were able to prop... if we propagated the audit ID across those, then we could easily identify in audit logs, like, the same.

G: That would point to that being exploited, so sort of a tool to detect when that vulnerability was being exploited.

G: Yeah, so the, I believe, if you scroll down, I think I might have answered that on here unless it was on Slack, I can't remember. Yeah, so we prefer using the audit ID from the request header, so anyone can set any audit ID that they want.

G: Yeah, the idea was that it was a way to, when you have, let's see, there's a couple uses. One is if you have different request stages set, so you want to say RequestReceived, ResponseStarted, ResponseComplete audit events, and you want to be able to kind of collapse them all into a single event.

G: But if you know, if you're bouncing through proxies or whatever, we do include everything from the X-Forwarded-For header, and it's like, I don't know if this is good or not, but here's what they said, so here you go. Yeah, exactly, so yeah, we could do a similar thing there and have an audit ID chain or something like that.

B: What's missing is the server, like, telling the client in the response, here's the audit ID that was assigned to your request.

G: Client, I think the biggest risk is if someone is doing like post-processing on audit logs and discarding duplicate events or deduping events based on the audit ID.

B: So is that, like, the three pieces, like maybe fix the uniqueness bit in a way that lets the client contribute information but still, like, preserves the uniqueness guarantees, so that's one, and then two is, like, communicate something back to the client to say, here's the audit ID associated with your request.

G: Yeah, I think I like the idea of having the client audit... I call it some sort of audit ID chain. That would have to be a separate field, which is an API change.

G: Yeah, do we need a KEP since it's an API change?
A: What do you think, Jordan?

B: Right now, the node restriction admission stuff is really oriented towards kubelet callers, like we assume we know everything they're going to do because we own the kubelet code, like we, the Kubernetes project, own the kubelet code. So if this is like, hey, I want to do other things, let's allow those other things, but those don't fall within what the kubelet's doing, like I have questions.

A: I mean, this would happen, be expected in many deployments, right, and this is kubeadm, so they've got anonymous auth on, so if, but they created a CSR, yeah.

A: So I guess, is kubeadm enabling client TLS auth, which probably, oh yeah, they must be, yeah, there.

B: Error with a certificate credential, that means the certificate exists and matches the CA that the server is advertising, otherwise Go wouldn't even send... to see it, the client cert. I guess I would ask for like the API server logs at...

B: It would probably be worth someone sweeping the tutorial they linked to, to make sure that those steps actually do work.

A: Okay, so Daniel, yeah, 401, I will keep it open in a tab and see if they have responded to Daniel's. Oh, interesting.

B: The authenticator, when it sets itself up, tries to initialize, just linked in the chat, tries to initialize with a PollUntil, which means that it will wait the linked period before trying for the first time. So it polls every 10 seconds, but it waits 10 seconds before trying the first time. So if it was switched to PollImmediate, then that would, I mean, you still have the potential for like the OIDC server to not return the discovery doc fast and then have to retry, but in the happy path where the server is available, that would basically make it instant.