From YouTube: Kubernetes SIG Auth 20170726
Description
Kubernetes Auth Special-Interest-Group (SIG) Meeting 20170726
Meeting Notes/Agenda: https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/view#
Find out more about SIG Auth here: https://github.com/kubernetes/community/tree/master/sig-auth
A: ...evict their own pods, which is basically just a controlled deletion; they can already delete their own pods. So this lets them go to the eviction subresource, so they can respect eviction policy. Just as an FYI, I will be opening up a pull request to discuss how we want to control nodes labeling themselves and removing taints from themselves. That's kind of the last piece that I have in mind for a subdivision of nodes.

If you let them label and taint and untaint themselves, then they can steer pods to themselves that come along with highly privileged secrets. So we don't want to; we want to have a way to control that, so I will be opening that proposal this week. Eric had put together just some documentation around the discussions that we've had around access patterns for secrets, and kind of future-facing expectations around watch capabilities, and things like that.
C: So, things that have come out when we were initially... much of it is pretty straightforward, right. It's implemented using a separate interface, so that an authorizer that supports the, or what is it called, essentially the rules interface, will be able to say these are the attributes for the things that you can do. And since the attributes are codified in a generic sense, RBAC happens to use the same name, but there could be... generically, it's reasonable to have an extension there.
C: There were questions about how to structure it, though, right. Normal users are going to make requests inside of a namespace, so it's natural to grant them that power inside of a namespace. The actual fan-out from doing it across the entire cluster is so expensive that you can't reasonably do it, at least for the authorizers we know about now.
C: That makes it seem logically namespaced, but the fact that it is a self review means that someone inside of the cluster should always be able to ask about themselves, and if they want to ask about any given namespace, they should be able to. Structuring it as a cluster-scoped resource in that sense makes sense, and makes it congruent to the SelfSubjectAccessReview that we have, which performs a different function but is still about the self. Now, the subject coming in... actually, Jordan, I think, convinced me that for consistency, cluster scoping made sense.
C: Because you can create it even if the namespace isn't there, so you can't go sniffing. Yeah, yeah, I'm convinced. Okay. The other one is control over extra. If you guys recall, long ago now, over a year and a half, we added this concept of an extra field inside of user info, and the extra field allows an authenticator and authorizer pair to pass information through. It passes the information from the authenticator to the authorizer in an opaque way.
C: With subject rules reviews you cannot do anything else; you can't create pods, but you could look to see if you could create pods, as an example. And the other one that I heard of is, for a while I think it was [unclear]; there was one other authenticator I was talking about using it to pass custom rule information, so they can make decisions. Their example was widening, but OpenShift's example was narrowing.
A: We have a similar API to this, but we only let you specify scopes. So rather than being able to override anything about the extra field, you could ask: could I do this with these scopes? Could I do this without these scopes? Once you make it generic, it depends on what the server's authentication layer and authorization layer are using the extra field for, or I'd...
D: Forget what we do this for, but in authentication there are two unique APIs. One is the query "who am I?"; it's the token review. And then the other one, sorry, the access one, is "can this person perform this action?" Those are split up between [unclear]. You can, yeah.
A: The same could be done here, but I would not envision giving arbitrary users the ability to ask what any subject could do. That seems much more powerful. And the case where you have a scoped token that is only able to be used to check your unscoped permissions: using that token itself, you can't do any of those other things, you can't create pods, but using that token you could ask if the subject associated with it could create pods.
C: You would ask, and if you were, say, cluster admin, you would end up "lying" to yourself that you had powers in the namespace. This doesn't indicate to you whether the namespace exists or not. It only indicates to you whether you have powers in that namespace as it exists or doesn't exist today, right. So a cluster admin, for instance, would always have powers inside of a namespace even if that namespace didn't exist, but a regular user would never have powers inside of a namespace that didn't exist.
C: To do that, you would have to have messed up when you wrote the extra interface, right. Like, this interface, you don't get it for free; this isn't going to just suddenly start happening, right? Someone is going to have to go to each authorizer and say, for each authorizer, this is how I do this reverse lookup. And if they have a need to handle certain things specially, they will know that, and they choose how to handle it, right. This doesn't force it on anyone.
D: So you can... it seems like you could do this with impersonation or something like that. Like, we would want an access check to figure out if somebody can find information about this user or this particular extra field. Like, it works really well if they're restrictive, but when they're not, it seems like we don't want to mix that with a self review. We would want to create a unique SubjectRulesReview where someone can ask about anything, well...
C: So I guess I'm still struggling with how it would actually expose something, right. Like, so someone uses their extra field to grant additional rights or whatever. It would be very easy for the person who is writing their... whatever the name of the interface is, but writing that interface, they will say: I'm going to add an additional check to see if you can actually use this bit of extra, or I'm just not going to respect this extra at all, or I'm going to return an error.
D: Seems weird. Let's see, let me... selectively. So my assumption about extra is that a lot of authorizers are going to be using this to grant powers rather than restrict them. It seems weird that I am allowed to not have the power, but I wouldn't be okay assigning that to a user. I guess so.
C: So imagine a use case where you have granted rights within your cluster to look at pods or whatever, jobs, look at jobs, and you have a different system that is going to allow you to get a prettier look on jobs, because you want to do some post-processing or you want to relate it to some of the [unclear]. You're tying multiple namespaces together and you're giving it a view, a look, to a user.
A: Would it make sense to have a paired set of [unclear] SelfSubjectRulesReview and SubjectRulesReview? And in SubjectRulesReview you can fully specify the subject, just like the SubjectAccessReview. And, David, if you wanted to, if you had a specific extra field that you knew was a limiting field and you wanted to let the user...
A: It sounds like there's consensus on it: let's move forward with the cluster-scoped bit rather than the namespaced one, and we can keep discussing, yes, I think, concrete use cases, and discussing how those could be solved, and maybe the concerns about it and how those could be mitigated, and we can continue talking about it. The pull request...
A: Setups with non-standard kubelet usernames have already been doing this binding, so in GCE and GKE they already set up an explicit binding for the legacy kubelet user. So that is there and is release-noted. There's a pull open to promote RBAC to v1. I looked back over the notes and discussions and I didn't remember any changes or anything we were planning to tweak before promoting to v1. If I have misremembered that...
A: And so we can authorize that. I think this is encouraging. This is the sort of thing that wouldn't necessarily have been noticed in previous releases, and now we're actually thinking through: does it make sense to give a node write permission to any object of this kind, or only ones that are related to the node, and how should they be related? So I'm glad to see this kind of discussion taking place after the node restriction stuff that went in last release.
B: Is it okay? Okay, very quickly. This closely mirrors the envelope encryption scheme that [unclear] put together using Google KMS. This would essentially provide a mirror image of that, but you'd call to the KMS provider. The proposal simply goes along with the same model's structure and outline. You would have a KMS provider and a provider factory. You could configure one KMS provider in a given Kubernetes deployment, so you could consider Vault to be your KMS provider, for example, HashiCorp Vault.
B: The benefit I see to the community is that a lot of customers already use Vault to manage encryption keys. You can use the transit backend in Vault to encrypt and decrypt data that's going to etcd without necessarily persisting it in Vault, so you are using it as an encryption/decryption service with the key encryption managed in Vault. That way, you have separated out the responsibilities of key management: the strength of the key that's used as the key encryption key.
E: It is that you have the DEK per item, and then, yeah, your KEK just never leaves your store, whatever it is, and just creates those DEKs for every new item. And this actually makes the rotation a lot easier too, because in just kind of the steady-state rotation, you just need to rotate the KEK and then it'll start writing, you know, new DEKs. And if you have an emergency, you basically need to rewrite everything.
H: I don't have a full proposal yet; I just have sort of an idea and I wanted to throw it out there and see if anyone would like to work on it with me, or if you have thoughts. So in 1.7, there was support added for dynamic registration of admission controller webhooks. So instead of a command-line flag to the API server, you can now at runtime sort of install an add-on that adds itself as an admission controller, and I would like to do
H: a similar thing for authorization webhooks and audit webhooks, so that you can sort of deploy a new authorization webhook or a new audit webhook as an add-on onto a running cluster without... Obviously there are some auth concerns here; this is sort of equivalent to cluster admin. I think we can work through those. Anyway, I hope to come back sort of next week with the actual proposal, but...
C: I guess I have some general comments on it, right. So the dynamic admission control was after we had clear use cases around adding aggregated API servers, which could logically impact the APIs that they have, and admission is a strictly limiting activity, right. You can never allow from admission.
G: So restarting the API server with the command-line options to set up the webhook authorizer, I'm sorry, authenticator, is very difficult for us, and maybe our situation is peculiar, but I understand the danger that you're describing. But it sure would be convenient for us if a cluster admin could install a new webhook authenticator in a running cluster.
D: ...master, then wouldn't that be a concern? Like, I get the use case. It's just in the same way as I'm sure GKE doesn't want you installing new authenticators on their API servers. If they're not giving you access to the master, then would they ever want you to be able to do this? Yeah.
C: ...the first ones that have started down the path, work out kinks, right. Kubelet tried last release and didn't make it, and so I'd like to see that work first, and then perhaps look more holistically at dynamic config overall, rather than trying to special-case something for authorization and even audit, without having the same kind of clear use cases that we had for admission. One thing that I would
A: note is that you could actually do this today by implementing a dynamically registerable authentication server and then pointing to that as your webhook server. So you could implement this separately. Yeah, be able to register and unregister things to it and make that your webhook handler, and then it could fan out to whatever. Or so, if, right, yeah.
H: I definitely agree. I think this is definitely hinting at some broader dynamic configuration structure for other components. So in terms of, like, doing sort of a federated, like a proxy that fans out, I think that's true, but it still assumes that you are running that... you still have to restart the cluster once, you still have to restart the API server once to set that thing up. So I don't think... I think the core need of sort of deploying an add-on to, let's say, add an audit stream into a running cluster
H: without having to restart and reconfigure that cluster, I think it's still true, even though you can sort of fan out on your own anyway. Yeah, okay, I will shift this around a little bit to some other SIGs, and I think, I expect there's broader support for dynamic config as a larger project, and then maybe auth can be a later part of that. Yeah.
A: Something that could be useful for a lot of reasons, right. Like, there are a lot of flags to the API server, and the authentication and authorization flags are a subset of them, but there's lots of things that people want to change, and being able to manage restarting that... Stephen, to your point, figuring out how to do that in environments where you don't have access to restart servers is useful even beyond the specific case, so yeah.
A: That one's really easy, and so that would be my expectation: if we wanted to add support for webhook authorizers, it would be a second API call, API request/response. They wouldn't have to support it. If they did, the results could be stitched together. If you have authorizers in your chain that don't support it, I think we need a way to indicate that the results are potentially incomplete, right. Yeah, it'd be really nice for GKE.
D: We already do. The PR as it exists already does return an error if any of your webhooks don't, or any of your authorizers don't support this, or any of your authorizers hit errors during the middle of the evaluation, and it calls these results "may be incomplete". It seems weird to try to figure out if an existing webhook supports the new functionality or not.
D: But maybe we can do something like add a second webhook flag. I don't know if that sounds palatable to anyone, but a gentleman has asked in the PR that we maybe open a feature repo item, because it seems to be a pretty largely scoped thing and adds a new API. So I will open that and be sure to comment at least about the webhook stuff.
A: One other discussion: the webhook discussion reminded me that the APIs that we use to call webhooks are sort of frozen at v1beta1. The way we send and receive information from webhooks, the TokenReview and the SubjectAccessReview, those APIs have been promoted to v1, and I would like, like a year from now, to be speaking
A: the v1 APIs to webhooks, and I'm trying to figure out the best way to make that possible in 1.8 but keep the default of using v1beta1, and then give, you know, two or three releases' notice to say the default is going to change to v1, to give people a way to opt into v1 now and then have to deal with the switch. Right now you configure webhooks by giving it a kubeconfig, and I'm... I need to look, okay.
A: The webhooks are kind of abusing the kubeconfig fields today anyway, so I'm not sure. I'll probably open either a PR or a proposal, maybe just a PR, and we can talk about it there. But I didn't know if anyone else had thoughts about that rollout. I know GKE is using the webhook; some other folks are.