►
From YouTube: sig-auth bi-weekly meeting for 20210407
Description
sig-auth bi-weekly meeting for 20210407
A
A
A
A
A
A
A
Right
so
this
would
mostly
come
into
play
if,
let's
say
an
exempt
user
had
created
a
pod
and
then
a
non-exempt
user
edits
that
pod.
How
does
the
policy
apply
or,
alternatively,
if
a
pod
was
in
the
already
in
the
name
space,
and
then
the
the
namespace
policy
was
updated
so
that
the
pod
is
now
in
violation
of
that
policy?.
A
A
A
A
D
A
Yes,
you
would
have
to
say:
you'd
have
to
have
a
separate
policy
mechanism
that
says
well.
So,
first
of
all,
you
need
to
taint
those
nodes
to
prevent
anything.
That's
not
tolerating
that
taint
from
running
on
them.
Then
you
would
have
a
policy
that
says
only
these
namespaces
are
allowed
to
have
this
toleration.
A
C
C
A
I
don't
know
if
gatekeeper,
if
the
gatekeeper
policy,
library,
ships
with
something
like
that
there
has
been
a
fair
amount
of
discussion
around
a
built-in
scheduling
policy
that
would
limit
things
like
node,
selectors
and
tolerations
and
other
things
around
that
that
policy
I
can.
I
can
find
the
proposal
and
link
it
to
the
agenda
later.
C
A
Yeah
the
when
that
proposal
was
raised,
we
were
still
kind
of
undecided
around
the
direction
that
we
were
going
with
pod
security
policy,
and
there
was
some
questions
around.
Are
we
just
gonna
push
all
policy
out
of
the
cl
out
of
the
cluster
out
of
built-in
things,
so
that
was
part
of
the
reason
that
that
didn't
go
anywhere.
A
A
A
A
That's
only
done
through
an
ephemeral
containers
sub-resource,
but
one
of
the
challenges
there
is
that
the
ephemeral
container
sub-resource
takes
a
different
request
type.
It
doesn't
take
the
full
pod
specification.
It
just
takes
the
basically
the
ephemeral
container
that
you're
adding
to
the
pod,
and
so
what
that
means
is
that
an
admission
controller
operating
or
looking
at
those
requests
only
gets
only
gets
the
ephemeral
container.
It
doesn't
get
the
full
context
for
the
whole
pod.
A
So
if
you
have
you
know
your
baseline
policy
says
you
can't
run
host
network
or
something
and
you're
adding
an
ephemeral
container.
You
can't
tell
if
it's
being
added
to
a
pod
with
host
network,
so
one
option
would
be
to
say
that
we
only
check
the
fields
that
are
on
the
ephemeral
container
and
ignore,
say:
host
network
checks.
A
A
D
A
I
think
it
should
be
safe
with
the
built-in
controller,
since
all
of
the
fields
that
you'd
be
checking
or
almost
all
the
fields
you'd
be
checking
were,
are
immutable.
It's
possible.
There
could
be
some
sort
of
edge
case
there,
but
for
if
you're
running
in
web
hook
mode,
there
would
definitely
be
a
race
condition.
A
A
However,
I
think
that
we're
going
to
change
the
admission
interface
for
that,
so
I
think
it
should
start
getting
the
full
pod
spec
once
those
changes
go
in
again.
This
is
a
feature
that's
currently
in
alpha,
so
it's
I
kind
of
expect
it
to
change,
and
now
that
we
have
an
actual
proposal
here,
we
can
make
sure
that
they
sort
of
track
together.
A
But
the
other
thing
I
want
to
call
out
around
ephemeral
containers
is
so
the
the
target
use
case
for
them
is
debugging,
and
I
think
it's
a
common
case
where
you
want
to
run
your
production
workloads
in,
like
least
privileged
mode,
but
oftentimes
to
effectively
debug.
You
need
elevated
privileges,
so
the
example
I
gave
here
is
cast
as
p
trace.
If
you
wanted
to
p-trace
that
process
for
debugging,
I
believe
that
requires
the
privileged
profile
today.
C
I
don't
sorry
doesn't
say
I
don't
remember
what
the
what
the
are
back
around
ephemeral
containers
looks
like.
Is
there
separate?
Is
there
separate
control
possible
for
who
can
create
ephemeral?
Containers
versus
like
who
has
create
pod
because,
like
what
I'm
trying
to
think
through
here
is,
is
whether
we
can
allow
this
kind
of
breaking
policy,
but
only
for
ephemeral
containers
without
that,
actually
just
meaning
that
the
elevated
policy
is
what
applies
to
most
things
most
of
the
time
and
like
one
way
that
I
was
imagining.
A
C
If
you
allowed,
you
know
the
staff
who
would
want
to
debug
things
to
have
impersonate
privilege
onto
system
debuggers,
then
normally
they
couldn't
bypass
any
of
these
things,
but
when
they
did
coop
ctl
debug,
if
they
added
the
appropriate
dash
dash
as
group
option,
then
they
could
put
an
ephemeral
container.
That
would
break
policy
temporarily.
A
Yeah,
that's
interesting,
so
yeah
the
there,
because
ephemeral
containers
are
only
added
through
the
ephemeral
container
sub
resource.
Then
you
can
control
arvax
separately.
On
that
I,
like
the
idea
of
using
impersonate,
we
don't.
We
said
that
we
explicitly
didn't
want
to
allow
group
exemptions,
but
that
doesn't
actually
matter
for
the
impersonate
case.
D
So,
does
that
mean
that
that
to
do
this
correctly
within
a
namespace,
those
debuggers
would
not
be
allowed
to
otherwise
create
pods,
but
they
would
be
able
to
like
could.
Would
there
be
a
workaround
where,
because
they're
able
to
do
that
for
ephemeral
containers,
they
can
also
create
regular
pods
and
basically
do
it
for
everything.
A
Yeah
so
the
way
I
would
suggest
setting
this
up
is
so
you
say
this
made
up
username
that
doesn't
isn't
an
actual
username,
that
anyone
could
have.
You
know,
system,
colon,
ephemeral,
debuggers
or
whatever
have
it
as
a
one
of
the
statically
configured
exempt
users,
and
then
only
grant
our
back
bindings
to
allow
them
to
to
allow
that
user
to
operate
on
the
ephemeral
container
sub-resource.
A
A
A
It
means
that
we
don't
need
to
build
some
special,
like
second-tier
policy
level
for
ephemeral
containers.
If
this
workaround
seems
sufficient,
it
is
a
bit
of
a
kind
of
a
little
bit
of
a
hacky
work
around,
so
we
might
want
to
think
about
if
there's
a
way
to
kind
of
streamline
the
user
experience
on
this.
C
C
So
I
am
not
familiar
with
the
out
of
the
box
use
of
se
linux
on
any
distributions
that
aren't
red
hat
distributions,
and
I
am
of
the
impression
that
se,
linux
labels
are
completely
site,
specific
modulo.
The
fact
that
you
inherit
a
ton
of
your
site,
specific
labeling
from
your
os
installer
and
so
like
sbc
spc
underscore
t
or
container
underscore
t
like
literally
speaking,
are
just
strings,
but
they
are
special
on
red
hat
type.
Linux
distributions
because
they
are,
you
know,
hard-coded
into
what
your
file
system
looks
like
when
you
install
the
appropriate.
B
C
E
A
Of
unconfined
for
se
linux,
then
we
could
just
deny
that
and
say
anything
else
goes
actually.
Another
reason
that
app
armor
is
different
is
with
app
armor,
there's
validation
in
the
cubelet.
That
says
you
can
only
run
with
a
policy.
That's
been
defined
and
loaded
into
the
kernel,
and
only
the
system
administrator
can
define
and
load
policies.
A
C
C
And
if
so,
maybe
we
can
ban
those,
but
otherwise
it
seems
that
we
can't
really
have
an
opinion
about
se
linux
without
breaking
people's
reasonable
se.
Linux
use
cases
because
there's
no
way
for
this
policy
engine
to
know
whether
a
particular
label
is
actually
restricting
you
or
opening
up
your
permissions.
C
I
I
think
that
makes
sense
in
light
of
our
targeted
use
cases
and
the
fact
that
running
selinux
as
a
compensating
control
inside
your
kubernetes
cluster,
that
isn't
open
openshift
is
actually
incredibly
difficult
and
like.
If
you
can
do
that,
you
can
also
certainly
run
an
external
policy
controller.
Exactly.
A
But
that
kind
of
breaks
the
shared
volume
use
case,
the
other
one
is
to
say
that
we,
this
policy
has
no
opinion
over
the
selinux
fields
and
that
you're
on
your
own,
then
there's
kind
of
a
third
option
which
goes
against
what
we're
trying
to
do
here,
but
basically
to
introduce
some
sort
of
configuration
knob
for
se
linux.
It
says
here's
the
allow
listed
set
of
labels
that
you
can
use.
A
A
C
A
A
A
D
D
Maybe
it
sounds
like
a
single.
Basically,
a
single
bad
deployment
could
cause
that
to
happen.
Is
that
how
do
you
tune
your
thresholds
or
whatever
would
be
interesting
to
alert
on
based
on
that,
and
since
we
don't
have
labels
saying
which
pod
this
was
or
which
anything?
This
was
it's
kind
of
hard
to
really
tease
that
apart
afterwards,.
C
It
tells
you
to
go:
read
your
api
server
logs,
but
like
any
time
that
number
of
denials
spikes
it's
either
a
security
incident
or
an
operational
incident,
because
somebody
tried
to
do
something
and
they
were
prevented
from
being
able
to
do
it,
and
so
I
mean
like
how
you
would
tune
them
in
terms
of
do
you
want
to
get
somebody
up
at
night.
Questions
like
that.
C
I
feel
like
are
site
specific,
but
like
any
time
you
have
an
unusually
large
number
of
rejections,
something
bad
is
going
on
and
just
from
the
count
you
don't
have
any
idea.
What
that
bad
thing
is,
but,
like
somebody
is
unhappy,
and
if
it's
your
enemy,
that's
unhappy,
that's
great,
and
if
it's
your
friend
that's
unhappy,
you
need
to
help
them.
A
E
A
E
A
C
A
A
C
Yeah
that
actually
sounds
really
useful,
because
I
kind
of
don't
care
that
there's
a
bunch
of
of
admissions
happening
in
namespaces
that
I've
exempted
like
that's,
why
I've
exempted
them,
but
but
when
I'm
granting
user
exemptions,
that
may
be
more
interesting.
Unless
I'm
granting
that
user
exemption
to
a
controller
that
create
you
know
is
basically
a
fork
of
the
replica
set
controller.
But
if,
if
I'm
that
fancy-
I'm
probably
not
using
this.
A
E
C
I
would
say
if
it's
easy
and
cheap
yes,
because,
like
off
the
cuff,
I
don't
think
I
would
want
to
wake
somebody
up
if
the
number
of
warnings
goes
through
the
roof.
But
if
I
am,
if
I
have
a
cluster
and
I'm
trying
to
ratchet
down
the
permissions
in
it,
then
I
could
apply
a
more
restricted
policy
as
a
warning
config
on
some
namespaces
and
without
the
metric,
I
would
go
to
the
cardinality
of
audit
log
events
that
show
that
warning
yeah.
D
A
C
C
A
D
A
Optional
feature
extensions,
maybe
it's
worth
going
through
this
quickly.
I
know
that
we're
getting
close
to
time
here.
Just
I
don't
want
to
talk
through
the
details
of
these,
but
if
anyone
feels
like
this
should
be
a
part
of
the
main
cap
and
not
a
part
of
optional
future
extensions,
let
me
know
so.
The
first
one
is
a
way
to
roll
out
baseline
by
default.
A
A
A
A
A
A
The
122
version
to
let
users
know
if
they're,
using
a
feature
that
is
going
to
be
denied
in
the
future.
You
might
want
to
set
a
warning
message
that
says
something
like
you
know:
here's
the
date
that
you
have
when
this
will
stop
working
or
here's
an
email
address
to
contact.
If
you
need
an
exemption
from
this
policy
or
whatever.