From YouTube: Kubernetes SIG Auth 20170809
Description
Kubernetes Auth Special-Interest-Group (SIG) Meeting 20170809
Meeting Notes/Agenda: https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/view#
Find out more about SIG Auth here: https://github.com/kubernetes/community/tree/master/sig-auth
A
We live? Yep, cool. Everybody, this is the SIG Auth meeting for August 9th. So today we'll be going over a few things. Specifically, it looks like there's a discussion about a proposal for generating RBAC profiles that will probably take up most of the conversation, I imagine. So just to go through our agenda items: there are a few pull requests of note. The biggest one is probably enabling the short caching of successful tokens. This is opened by Jordan and is meant as a way to alleviate some of the pressures on service accounts authenticating very frequently when they require a lookup. It's on every single HTTP request. It becomes a very heavy load on a big cluster, so this adds a short cache, and you should look at it if you're sort of interested. One I would like to call out is the e2e node tests. So I do note that this is actually blocked on moving the SIG Auth e2e tests out into their own repo, so we can, you know, be paged throughout the release. I think that was Jacob Simpson who was opening the PR that is blocking the other one. So Jacob, if you're on the call, it'd be great to see that one move forward a little bit, because it's blocking us adding a whole lot more other auth e2e related tests as well.

A
So if you're using the CSR approver in the manager, you might want to take a look at that. Also, another one that was merged is that the node authorizer is now on by default on local-up-cluster, and so this is another one of these things that we'll probably be pushing more and more of the cluster-up strategies, whether that be actual distribution mechanisms or whatever, to be using. So this is a great step forward on that.

A
Cool, we're going on to the next item, so designs of note. We put together a proposal, a little formal proposal, for actually a current PR that's out, specifically around adding an API to allow users to get in bulk the set of actions that they can perform. That has some good discussion on it. I don't think that there's a whole lot that we can address, or that we need to address, here in this meeting, because I don't see anything super blocked right now.

A
These are authenticators and authorizers that use the webhooks built into the API server to drive authentication and authorization, and I think that is where we want to see more of the development happen. We want to see more development of out-of-tree things that interact with specific identity providers or policy management systems. So I wanted to call that out as a good and.

B
As a note, the authentication provider for kubectl that provides the client-side aspect of that for obtaining an OpenStack token merged as well in the past week or so. So if you have a machine that has all the environment variables set to speak to OpenStack (a lot of OpenStack tooling is driven by that), it can actually obtain a token and then present it. And if your server was using this token authenticator/authorizer, then kubectl would just work seamlessly for you.

A
And this work, at least on the plug-in side or the out-of-tree authenticator, has been done by Tim. So thanks for that, and there's some good conversation in that thread about sort of how people think about out-of-tree authenticators and authorizers, and there might be some docs we can clean up based off of some of the conversations in that thread. Cool, so any other designs of note that I missed or didn't see that anybody wants to bring up?

B
We don't have to talk about it here, but I wanted to mention the Container Identity Working Group kicked off this week, so I'll put in a link to the discussion group and the agenda notes from that. If people are interested in that, they can join that working group discussion and follow the agenda. The meeting was recorded, so I'll put a link to that as well.

C
Yeah, just to go into a few things quickly. It would be pretty trivial at this point to hack something up, and I've been meaning to do this one of these evenings, that just scans through the audit logs that we're generating looking for a specific service account or whatever you want to give it, and kind of collecting up all of the different API calls that are being made and generating a profile for you.

C
One of the issues with actually using the audit logs here is, ideally, this would be open to the developer of the application and not necessarily something that the cluster admin would need to do for them, and the audit logs are typically going to be more locked down, since they could have potentially confidential information in them. And so we're sort of talking about some ways that we could provide the same functionality without opening up access to the entire audit log. And so that's what some of the discussions below are.

B
That's really useful. The interesting thing is that to successfully audit, or to be confident that you have kind of exercised most of the API calls or all the API calls, you actually need them to be allowed while you're in the audit phase or the generation phase. And so, is that something... you talked about the split between kind of the application developer and the cluster administrator. Would you expect a cluster administrator to let the developer kind of run with essentially unbounded permissions in order to gather the information about what API requests were being made?

C
You wouldn't necessarily need to give full, like, root-on-cluster access to the application. If you have some, you know, pre-existing assumptions about what the application is doing, you could, you know, constrain it to a certain namespace or, you know, make a kind of best guess of, like, what is the upper bound of permissions the application needs. Yeah.

B
Ran into, even, you know, with the kubelet or controllers, where if it encounters some error condition it's going to try to do a get of this other thing and then do a patch of this other thing to recover from that. And so, like, starting with a really permissive role and then seeing what it actually uses and then giving it a tighter role, I think you still need a feedback loop once you have, like, a tighter role to say, hey, this thing got denied and I wasn't expecting it to get denied.

C
If you scroll down on the discussion section, one of the questions I had posed was a bit on this dry-run mode, which I think is related to what you're just talking about. In this workflow, you start with the very permissive rules and you use that to collect the data, and then you generate this profile, and then there's this kind of, like, iteration process maybe afterwards. And the question is: do we need a sort of, like, mixed mode, where, you know, we're still trying to apply the profile but things that would get blocked make it through? Or can we say just to kind of keep it on for longer in the permissive mode? Or kind of what that workflow is in terms of updating the profile from there.

B
When I was actually working on this, I'd done it as just a webhook authorizer that actually ran before RBAC. So everything that this service account did would hit the webhook, and it would say yes, no, or it'd log it and then pass it through to RBAC. And then once you thought you were good, you could actually move it behind RBAC, and then anything that RBAC rejected would come through, and so then it would kind of ping.

B
If you're messing around with the API server stuff and restarting the API server, this is more of a test environment, so it's not something you could easily do live. But if you're basing it on audit events, then you could, as long as those are telling you this got denied, this got allowed.

B
You know, those times, if you allow list, you should probably also allow get. Like, there's no real reason to not, and if you do a list and you need to do a live check, doing a get might be something you would do. So there's, you know, having a way to kind of guide people to say these groups of things go together. If you need fine-grained permission or fine-grained control, you have it. But if you don't have a strong opinion, these types of permissions usually go together.

H
So, I mean, right now we have this undocumented but whispered way of actually figuring out where your RBAC rules might be wrong, by doing this sort of, like, you know, turning on... I'm trying to remember. You run RBAC, you have it log it, like, was it v=6? And then you run AlwaysAllow alongside it, and then you look at the sort of text logs coming out of it, right. Is that documented? Yeah? Oh, it is documented now? Sweet, okay, right there.

H
We can't expect that every application developer is gonna do a local-up-cluster or even minikube. Even setting this in minikube is going to be difficult, right? Like, yeah, like most users, out the gate, they're gonna have a cluster that they develop against, and they don't want to be in there, and

B
They're not, and they don't have access to the logs. Oh, don't get me wrong, I love the idea of it, the tooling type of things, and making it easier to do that off of the audit stream. Like, I think that's great, because even someone who has that access to the logs, turning that into the right roles and bindings is not trivial, you know.

H
I guess that's what I'm trying to say, is that there's two parts of it. So number one is actually getting the data in a way that's easy to access, that's structured well, and, you know, you're comfortable actually handing it off based on, you know, permissions and roles, versus not. And then the second thing is, okay, how do you distill that data into actionable things, right? And I feel like, you know, maybe if we solve the first one first, then we can look at what is in the second one.

A
And in Tim's defense, the actual proposal does go into a little bit about, you know, how we might make API servers expose this a little bit more regularly. I imagine that there's some audit back-end built into the API server that allows people to view their own audit log, for instance, within a given amount of time or something.

C
This is definitely brainstorm stage. I really like that idea of some sort of webhook, or if there is a way that I could run something locally that would, you know, open a communication channel to the cluster and start gathering every call that came through, and then this would give us a way to generate profiles. Clients, I'd have, like, you know, limit what I'm actually allowed to see in the cluster, not get full audit log access, and also kind of work in the, you know, various deployment environments. Yeah.

H
So one thing I'm thinking about is that, like, could we build... so right now you could have... I'm not an expert on the audit log stuff, unlike you, but could we build something that takes the full firehose of the audit log and then, based on configuration policy, starts teeing that off in appropriate ways, you know, in a decoupled way? So this means that this doesn't require more stuff to be built into the API server. It builds on the stuff that we already have.

H
I think so. The other Tim, Tim St. Clair, I'm sorry, two Tims, this is confusing. So the other Tim, Tim St. Clair at Heptio, built this event router thing to do something similar for scraping events coming out of... right. It's just, you know, a little connector that, you know, it's pull versus push type of thing, so sort of a generic multiplexer. That might be one way, and I'm thinking, like, maybe you could program that multiplexer with CRDs that are on a per-namespace basis, so that, like, for your namespace, you could say I want to actually create a CRD, kind of like an ingress, that actually redirects the audit logs for me to this particular endpoint, and then it would be up to that, you know, that thing to actually figure out what happens if that webhook's not available, etc., etc.

B
Do you want to send that document to the SIG Auth mailing list for the folks that aren't on the call, so they're aware of it?

A
So the only other discussion item I'd like to bring up, at least, is there was a request to cherry-pick one of the OIDC server fixes. This involved go-oidc, the dependency, not parsing headers correctly, so I was gonna open that just as a PR as it's terrific, but if somebody has opinions about whether it was appropriate or interpreting the criteria.

E
Someone brought up, are we going to do kind of detection and alerting as part of this work, and we said no. So, like, the scope that at least I'm thinking of is kind of to take the detection and alerting piece like that: we have identities that we can strongly verify, that we know are reliable, that aren't spoofable, that we can write into logs, and then that's the end of the kind of identity piece for detection and alerting.

E
That was, how does Helm Tiller... that there's kind of some specialness around how that works for kind of being able to assert other identities as it's creating things, that's kind of interesting. And what else we talked about, so I think that's mostly what we got to, and we settled on... there's another Doodle for creating a regular discussion. We went a little bit down the path of, do we... is service account the right place to plug things in, or do we want these, like, external identity exchanges? And there was a little bit of discussion on that, and we basically tabled that and said we'd kind of try and figure out, or at least discuss that, at the next meeting. So I think that was most of what we got to in that first meeting. Yeah, I think the next meeting will be along the lines of where we know we want pluggable identities.

E
It was, I think so. In the doc that I wrote, I sort of presented two parts to this. There was, like, there's some problems with how we're using JWTs for service accounts and maybe we can use certificates instead, and then there's, like, we need external identities for things like Vault and cloud providers and enterprises wanting to use Kerberos and that kind of stuff. And most of the conversation was on the latter, so the external identities bit. I think, like, the certificate as a replacement for service accounts is sort of related but also quite separable from external identities.

A
The Tiller conversation reminded me that I actually presented to, or talked to, SIG Apps about RBAC and charts work. So this is part of the RBAC to v1... is that we want to get more of the standard charts to work on RBAC-enabled clusters. The Tiller confused-deputy type of problems did come up in that conversation. I think that has a less clear outcome, but the large item that was discussed was how to move more.

B
It'd also be worth, Tim, if you want to maybe shoot the audit generation tool document out to them as well, because, like, that's the use case, right? You've got an app that's doing stuff, and now you need to lock it down, and having a tool that would make that easier is going to be really important. So I think SIG Apps would be interested as well. Sure.

E
Have fun. I'm sort of interested in this broken Helm charts thing, like with RBAC. Do you have, like, some representative ones that are causing problems that you could, like, list off?

B
You know, if the person doing the deployment isn't the one who wrote the app, they're kind of at a loss. It's like, well, what level of permission does this need? Can I give it edit within the namespace? Do I have to give it admin to the cluster, right? You know, then it's just a guessing game, or kind of, like, granting the next level permission and seeing what breaks, and we don't want to push that onto every administrator deploying these.

A
I think that there are some discussions about best practices and education. I think that, you know, there's some conversations about giving things unique service accounts, or how does somebody who isn't familiar with RBAC, who needs to write RBAC policy for their chart, even begin to, you know, understand what that problem looks like. So there were a lot of things discussed and a lot of people sort of chimed in, so I don't know if we have a concrete.

A
So yeah, please do. I know that we've discussed possibly giving a demo in SIG Auth. So if you would like to, and we would love you to, reach out to us and we can schedule that. Yeah.

G
Absolutely. We have it, I think, there's a meeting on, like, the 21st or something, SIG Auth meeting on the 21st, so we're hoping to present then. We're trying to... we have a Kubernetes SIG that is the fee-specific, so we were hoping to meet with them first and get some things hammered out before presenting to y'all. So right now we're hoping for the 21st, but I'll mail you, or I'll drop mail on the list, when we kind of get a little bit firmer on that.