►
From YouTube: SIG-Auth Bi-weekly Meeting for 20221109
Description
SIG-Auth bi-weekly meeting for 20221109
A
B
Hi
morning
it's
the
first
time
that
we
attend
the
sick
of
meeting
I've,
put
the
thread
in
the
slack
Channel
Mark,
thanks
for
proposing
that
we
make
all
of
our
conformance.
So
we
will
make
a
note,
there's
plans
for
next
year
to
look
at
that.
So
basically,
there
is
two
endpoints
remaining
that
on
the
off
that
needs
conformance
tests,
and
them
all
clear
gave
us
some
nice
feedback
on
on
that.
B
If
you
click
on
the
link
to
the
conformance
meeting,
you'll
see
a
full
comment
there
suggesting
that
it
would
be
hard
to
make
a
proper
taste
without
our
back.
So
we
would
appreciate
some
feedback
on.
Is
it
viable
to
test?
How
would
we
test
at
the
moment
we
we
can't
really
discuss
because
we
haven't
dug
into
it.
We
just
thought
to
as
this
level
time
left
in
the
heel.
B
C
So
I
think
it
might
help
I
don't
know
if
everyone
here
is
already
familiar
with
what
conformance
attempts
to
test,
but
my
recollection
is
that
it
primarily
checks
to
make
sure
the
endpoint
is
accessible,
that
it
returns
a
proper
result,
but
it
is
not
there
to
exhaustively
test
every
possible
every
plausible
category
of
return
right.
So
if
you
were
to
be
able
to
see
a
successful
subject,
access
review,
one
that
said
you're
allowed
and
one
that
said
you
were
denied-
would
that
be
enough
for
your
purposes.
B
C
It
seems
as
though
you
could
write
a
conformance
test
that
used
a
service
account
attempted
to
take
a
particular
action,
hopefully
managed
to
get
a,
not
403
or
even
if
it
did
get
a
four
or
three
that
would
be.
Okay,
ran
a
subject
access
review
and
made
sure
that
it
got
the
same
result
right
so
that,
if
you're,
if
you
got
a
403
from
the
server,
when
you
try
to
read
the
default
namespace,
and
then
you
ran
a
subject,
access
review
for
the
same
user,
you
should
also
get
a
403.
D
C
The
end
point
that
you're
testing
is
actually
one
that
says
essentially
run
an
authorization
check
to
see
whether
this
user
is
allowed
to
take
this
action,
so
there's
no
way
to
avoid
an
authorization
check
in
there.
The
key
point
is:
do
you
have
an
authorization
check
that
matches
the
reality
of
what
happens
in
your
cluster
contract.
D
A
Right
is
there
any
like
I,
like
the
suggestion,
David
I,
think
it's
a
good
approach.
I
was
just
curious
if
there
was
any
other
if
there
was
any
other
Nuance
to
try
to
get
basically
both
positive
or
negative,
or
is
it
just
kind
of
that's
the
bit?
That
is
kind
of
the
part
that
right
now
we're
saying,
isn't
part
of
the
performance.
C
E
C
B
A
Okay
I
mean
that
makes
sense.
You're
not
gonna
have
a
very
useful
kubernetes
environment.
That
I
was
in
okay,
so
yeah,
so
we
can
guarantee
service
accounts
exist
and
often
for
works
for
them
and
then
we'll
just
check
that
oxy
is
consistent
with
them.
That'll
do
a
good
good
feels
for
the
API.
That
seems
nice.
B
C
F
So
maybe
we
should
just
treat
this
as
an
announcement
and
then
discuss
it
in
an
upcoming
meeting
when
we
have
people
with
context
available
yeah,
just
a
general
gist
of
it
is
to
break
up
the
break
up
the
verbs
that
we
use
on
the
cubelete
apis.
So
that,
like
you,
can
give
reasonable
access
to
subsets
of
the
cumulated
API.
C
Are
you
familiar
with
this
mic?
I
did
skim
through
it,
and
I
was
wondering
if,
if
now
was
actually
a
reasonable
time
to
produce
an
API
that
was
more
closely
shaped
to
what
a
the
Cub
API
server
API
looks
like
to
provide
a
more
natural
mapping.
Since
now
is
the
point
when
someone's
trying
to
get
a
trying
to
reuse
the
authorization
checks
that
we
have
today.
F
C
A
F
H
D
E
D
H
C
A
A
C
D
A
G
G
A
Going
to
say
that
that's
fine,
unless
someone
feels
very
strongly
about
trying
to
Splunk
through
a
bunch
of
test
grade
right
now
anyone
have
anything
they
want
to
talk
about
yeah
40
minutes,
so
you
can
have
40
minutes
back
and
I
will
send
out
a
cancellation
for
next
Sega
theme,
because
it's
like
it's
like
Thanksgiving,
so
I
didn't
expect
anybody
should
go
up
the
meeting
after
that
is
almost
certainly
our
last
meeting
for
the
year.
It
becomes
done
right
by
Christmas,
so
we
have
one
meeting
left
in
this
year.
A
Let's
see
for
KMS,
we
we
got
it
so
that
the
encryption
config,
but
we
I
mean
the
leg,
got
it
so
that
it
will
reload.
But
as
we
went
through
the
process
of
doing
the
wiring,
it
was
very
hard,
slash
technically
impossible
not
to
break
the
existing
Health
endpoint
in
some
way
shape
or
form
to
make,
while
keeping
other
stuff
kind
of
sane.
So
like
the
API
server,
wiring
doesn't
allow
you
to
have
Dynamic
Health
checks,
which
makes
sense.
Why
would
you
but
East
KMS?
A
In
that
case,
we
will
collapse
here.
Health
checks
down
to
a
single
one
that
is
basically
multiplexing
across
all
the
KMS
plugins
that
you
have
configured,
but
otherwise
nothing
really
changes
other
than
now.
If
you
change
the
file
on
disk,
be
able
to
vote
for
you,
we
have
some
follow-ups
left
like
today
when
it
reload
so
we'll
lose
the
debt
cash,
so
we'll
hopefully
fix
that
up
in
27.
So
that
way,
it'll
be
like
reload,
with
like
zero
cost,
instead
of
like
kind
of
an
annoying
cash
loss.
A
A
Right
so
the
API
server
identity,
stuff,
Andrew,
Kim
I,
think
finished
the
work
to
get
that
promoted
to
Beta,
but
we
did
not
get
to
the
storage
right
from
this
release.
Let's
see
if
there's
kind
of
cute
contact
the
last
bit
of
time,
I
had
to
kind
of
look
at
that,
but
I
can
work
on
that
in
127.,
I,
don't
think
it'll
be
too
bad.
I
talked
to
a
Davidson,
so
I
have
like
a
better
sense
of
see,
what's
necessary
there.
A
A
D
D
D
A
No
super
cool
yeah
I'm
very
excited
about
that
I'll,
be
curious
to
see
how
far
we
can
take
that
API
I
I
did
talk
to
Joe
Summit
coupon,
so
I
I,
I
I'm
excited
to
see
what's
possible.
Today,
let's
see
I'm
trying
to
remember
on
the
Legacy
service
time
token
stuff,
Jordan
I,
think
one
part
of
it
went
PA
right,
but
there's
like
two
other
feature
dates
that
I'm
blanking
on
yeah.
D
So
the
the
the
bit
where
we
stopped
auto-generating
that
went
to
GA
we're
not
locking
it
to
GA
until
the
first
release
where
we
had
it
is
the
oldest
one
in
support.
We
just
want
to
give
as
much
time
as
possible
for
people
to
encounter
it
in
their
clusters
and
react
to
it
and
raise
issues
before
we
actually
lock
it,
but
that
was
just
turning
off
the
auto
generator
controller
so
that
that
is
as
stable
as
it's
going
to
be.
D
We'll
we'll
leave
it
unlocked
until
124
is
the
oldest
supported
version.
The
second
part
was
beginning
usage
of
auto-generated
tokens,
and
so
that
went
in
as
Alpha
and
then
the
last
part
is
cleaning
up
unused
auto-generated
tokens
after
a
long
expiration
period.
I
think
we're
talking
about
like
a
year
or
something
like
that.
If
they
haven't
been
used
in
a
year,
then
maybe
their
fair
game
to
clean
up,
but
that
hasn't
that
hasn't
been
implemented.
Yet
so
that'll
be
queued
up
for
127.
C
One
of
the
thing
I
wanted
to
mention
since
I
see
Chris
on
this
call.
It
happened
this
year.
I
did
the
review
for
the
Hugh
barback
proxy
and
came
back
with
a
list
of
like
I
think
this
needs
to
be
updated
before
we
accept
the
project
and
I
know
that
that
has
made
progress.
I,
don't
believe
it
is
yet
done
so
once
my
list
is
not
it'll,
be
time
for
a
rescan,
and
hopefully
sometime
next
year,
ready
for
that
second
set
of
eyes.
I
E
D
Yeah
I
I
kind
of
lost
track
of
that.
Did
it
come
back
with
responses
to
the
questions
we
asked.
I
couldn't
remember,
I,
think
I.
Think
I
did
a
review
after
the
kept
deadline
or
it
was
right
around
the
kept
deadline.
So
it
was
clear
it
wasn't
going
to
make
the
deadline
for
the
126.,
so
I
I
kind
of
lost
track
of
where
it
was
at.
A
Yeah
I
think
I
responded
to
most
of
the
comments
on
there
or
or
maxid
to
kind
of
explain
some
of
the
reasonings
behind
the
apis.
That
didn't
necessarily
immediately
make
sense
so,
but
yeah
I
think
we
can.
We
can
at
least
get
the
kept
sorted
out
on
the
structured
authorization.
Config
I
think
the
two
open
questions
are
API
server
to
webbook,
authentication
and
cell
based
filtering,
though
I
did
talk
to
Neighborhood
at
coupon
emails.