From YouTube: SIG-Auth Bi-weekly Meeting for 20221109
Description
SIG-Auth bi-weekly meeting for 20221109
A
B
Hi, morning. It's the first time that we attend the SIG Auth meeting. I've put the thread in the Slack channel. Mark, thanks for proposing that we make all of our conformance. So we will make a note, there's plans for next year to look at that. So basically, there is two endpoints remaining that on the auth that needs conformance tests, and them all clear gave us some nice feedback on that.
B
If you click on the link to the conformance meeting, you'll see a full comment there suggesting that it would be hard to make a proper test without RBAC. So we would appreciate some feedback on: is it viable to test? How would we test? At the moment we can't really discuss because we haven't dug into it. We just thought to as this level time left in the heel.
B
C
So I think it might help. I don't know if everyone here is already familiar with what conformance attempts to test, but my recollection is that it primarily checks to make sure the endpoint is accessible, that it returns a proper result, but it is not there to exhaustively test every possible, every plausible category of return, right? So if you were to be able to see a successful subject access review, one that said you're allowed and one that said you were denied, would that be enough for your purposes?
B
Normally it should be, yes, it sounds about right. Normally, what is making your endpoint conformance we leave to the SIG, so we normally take the endpoints to the second.
B
So how would you feel about taking into account, as you said, you just need to prove that the endpoints are actually doing what you've expected to be doing and not, you're right, not every scenario. And if RBAC is required for the thing that the SIG requires to be tested, then it wouldn't be eligible because RBAC is not eligible, so we can't include it in the conformance project.
C
It seems as though you could write a conformance test that used a service account, attempted to take a particular action, hopefully managed to get a not-403, or even if it did get a 403 that would be okay, ran a subject access review and made sure that it got the same result, right? So that if you got a 403 from the server when you try to read the default namespace, and then you ran a subject access review for the same user, you should also get a 403.
D
Yeah, that makes sense to me. I would probably make a read request so that you take admission, custom admission stuff, out of the equation, because with reads only authorization is in play.
C
The endpoint that you're testing is actually one that says, essentially, run an authorization check to see whether this user is allowed to take this action, so there's no way to avoid an authorization check in there. The key point is: do you have an authorization check that matches the reality of what happens in your cluster contract?
A
Basically, like, I see where you're saying, David, that if you say, you know, assuming, ignoring cache inconsistency for like some order of seconds, like if I try to get a namespace and it says no, and then the cluster admin does a subject access review for me and it also says no, yeah, it's working, they're doing the same.
D
A
Right. Is there any, like, I like the suggestion, David, I think it's a good approach. I was just curious if there was any other nuance to try to get basically both positive or negative, or is it just kind of, that's the bit that is kind of the part that right now we're saying isn't part of the conformance?
C
E
C
B
Okay, that sounds very, very workable. So for those that do not know our approach or what we normally do, we go back to the test repo, bring up the things in the way that we think we should test it. They normally run it past
B
The SIG, get some feedback comments, and once everybody's happy with that, we make the e2e test and send that again this way for the other safety review, and once the review has been approved, in two weeks of flake free, we will promote it, and we hope to have that early next year somewhere and close this out before KubeCon North Amsterdam.
E
No, at the moment I'm pretty happy about the feedback and looking forward to getting into giving an initial test and seeing how much needs to be adjusted when we get to it early in the new year.
A
Okay, I mean, that makes sense. You're not gonna have a very useful Kubernetes environment. That I was in okay, so yeah, so we can guarantee service accounts exist and authn works for them, and then we'll just check that authz is consistent with them. That'll do a good feels for the API. That seems nice.
B
One that's it. Thank you very much, really appreciate it. We'll swing back when we have something to show.
C
I do not. I guess I'll go ahead and nag him. He's, there's one more person in advance, right? Yeah.
F
So maybe we should just treat this as an announcement and then discuss it in an upcoming meeting when we have people with context available. Yeah, just a general gist of it is to break up the verbs that we use on the kubelet APIs, so that, like, you can give reasonable access to subsets of the kubelet API.
F
But yeah. Let's discuss in a follow-up.
C
Are you familiar with this, Mike? I did skim through it, and I was wondering if now was actually a reasonable time to produce an API that was more closely shaped to what the kube API server API looks like, to provide a more natural mapping, since now is the point when someone's trying to reuse the authorization checks that we have today.
F
Yeah, I unfortunately am not very familiar at all with it, so yeah, I think that is a good point. We have talked about doing something like that for a very long time.
C
F
Yeah, that's a good point. I'll drop it on the doc, yeah, drop it on the doc, and we'll have Vinayak and Tim reply.
A
F
H
Just a quick question on this, mostly this might just be my lack of understanding. At last I knew that the kubelet API is, like, unspecced, like, formally, like there's no, yeah, it's not a, there's no stability guarantees around it.
D
E
D
H
C
A
Yeah, I suspect, like many things, when new KEPs get written for new features, the bar is very high now and we will ask this question, like
A
Kind of force it to be that, yeah, because, as David said, how would you want to see an API if you have absolutely no idea what the shape of the API is?
A
Okay, cool. So I guess people should read this and if you have opinions, share them. I will be curious to understand if this makes some of this less, like, I'd be curious if this could make it, the performances, I think.
C
D
Just as a note, the triage board is, I think, only showing up to October 30th, so unless that got fixed like in the last day, this is a week old at this point.
A
Okay, it's unfortunate.
A
G
One job that's failing: so we have an image scan for CVEs, and then the latest kubectl binary we are using has two CVEs that will be fixed in the next release. So after that, that job should start passing.
A
Okay, does that cover all of the scary.
G
A
Okay, makes sense, right. So that's being taken care of, and this is apparently happy. Yeah, I can maybe quickly look at it, service accounting, see if this is, probably not, because when you do numbers of other test failed all.
A
Going to say that that's fine, unless someone feels very strongly about trying to spelunk through a bunch of testgrid right now. Anyone have anything they want to talk about? Yeah, 40 minutes, so you can have 40 minutes back, and I will send out a cancellation for next SIG Auth meeting, because it's like Thanksgiving, so I didn't expect anybody should go up. The meeting after that is almost certainly our last meeting for the year. It becomes done right by Christmas, so we have one meeting left in this year.
D
You want to talk about any of the stuff that got completed for 126? Maybe give an update on the KMS stuff? Yeah, yeah.
A
Let's see, for KMS, we got it so that the encryption config, but we, I mean the leg, got it so that it will reload. But as we went through the process of doing the wiring, it was very hard, slash technically impossible, not to break the existing health endpoint in some way, shape or form, while keeping other stuff kind of sane. So like the API server wiring doesn't allow you to have dynamic health checks, which makes sense, why would you? But each KMS
A
Has your health check associated directly today, so we ended up having to put that behind the flag. So that flag is wired in, and so, if you set it to true,
A
In that case, we will collapse your health checks down to a single one that is basically multiplexing across all the KMS plugins that you have configured, but otherwise nothing really changes, other than now, if you change the file on disk, be able to vote for you. We have some follow-ups left, like today when it reloads we'll lose the DEK cache, so we'll hopefully fix that up in 27. So that way, it'll be like reload with like zero cost, instead of like kind of an annoying cache loss.
A
Let's see, otherwise, oh, customer read affects custom resources, so now they can be encrypted at rest. A bunch of wiring got cleaned up, so that's nice. It should be pretty easy to change things now, because everything uses the same path, which is nice.
G
So I think that. But what do you want to talk about the API machinery KEPs that we depended on?
A
Right, so the API server identity stuff, Andrew Kim I think finished the work to get that promoted to beta, but we did not get to the storage right from this release. Let's see if there's kind of cute contact the last bit of time I had to kind of look at that, but I can work on that in 127. I don't think it'll be too bad. I talked to a Davidson, so I have like a better sense of, see, what's necessary there.
A
Bunch of like many changes, but I think what we landed on was pretty nice, I'm happy with that. We did not land the cluster trust bundle stuff this release, it's kind of ran out of time for API reviews and stuff.
C
About it, yeah, it just barely missed the previous one, but it did land this time.
A
Yeah, I'm excited for that. We spoke about that at KubeCon. I fully expect that to have no problems graduating, mostly because I don't know, I don't know what else I would do. I was gonna, I guess since Jordan you're here, did we figure out the key encipherment stuff for CSRs?
D
The PR got stuck on some test issues. I don't think, yeah, the PRs didn't land for 126. So we'll pick that back up in 127.
D
It wasn't something that auth folks worked on, the API Machinery folks really worked a lot on it, but the CEL-based validating admission alpha merged.
D
So as people who recommend people run like admission webhooks for various and sundry things, I'm really excited to see that start to get put in as an in-tree way or non-remote way to do custom policy. So just playing around with it, it feels like magic. It's
D
A
No, super cool, yeah, I'm very excited about that. I'll be curious to see how far we can take that API. I did talk to Joe some at KubeCon, so I'm excited to see what's possible today. Let's see, I'm trying to remember on the legacy service account token stuff, Jordan, I think one part of it went GA, right? But there's like two other feature gates that I'm blanking on, yeah.
D
So the bit where we stopped auto-generating, that went to GA. We're not locking it to GA until the first release where we had it is the oldest one in support. We just want to give as much time as possible for people to encounter it in their clusters and react to it and raise issues before we actually lock it, but that was just turning off the auto-generator controller, so that is as stable as it's going to be.
D
We'll leave it unlocked until 124 is the oldest supported version. The second part was beginning usage of auto-generated tokens, and so that went in as alpha, and then the last part is cleaning up unused auto-generated tokens after a long expiration period. I think we're talking about like a year or something like that. If they haven't been used in a year, then maybe they're fair game to clean up, but that hasn't been implemented yet, so that'll be queued up for 127.
D
D
Mean, the thing that's sitting underneath every service account, yeah, there's a reason we went slow on this, and I think the fact that we were able to swap out the time-bound, pod-bound tokens without, you know, there were a few bumps, but largely it was a smooth rollout. I think we're looking for the same thing here for cleaning up the old ones.
C
One of the things I wanted to mention, since I see Chris on this call: it happened this year, I did the review for the kube-rbac-proxy and came back with a list of, like, I think this needs to be updated before we accept the project, and I know that that has made progress. I don't believe it is yet done, so once my list is not, it'll be time for a rescan, and hopefully sometime next year, ready for that second set of eyes.
I
Yeah, so sadly I'm super busy with downstream, then the kube-rbac-proxy got a bit on hold, and then the key management topic started to get, how do you say, attraction, not speed rotation, the momentum, so there are quite a lot of topics to work on and I'm kind of DDoSed by that.
E
A
Okay, cool, I'm glad that's going, and let's not lose it this time, because I think we like lost it like once or twice, no?
I
Definitely not, it's quite high on my productivity. As soon as we reached the Christmas season, I hope to finish the last part of it.
A
Yeah, let's see, so the structured OIDC config stuff didn't make it, like the KEP didn't make it to implementable this release, but like Jordan, you and I should probably see if we can hammer out the questions we've had among each other and see if we can make that kind of thing.
D
Yeah, I kind of lost track of that. Did it come back with responses to the questions we asked? I couldn't remember. I think I did a review after the KEP deadline, or it was right around the KEP deadline, so it was clear it wasn't going to make the deadline for the 126, so I kind of lost track of where it was at.
A
Yeah, I think I responded to most of the comments on there, or maxid to kind of explain some of the reasonings behind the APIs that didn't necessarily immediately make sense, but yeah, I think we can at least get the KEP sorted out. On the structured authorization config, I think the two open questions are API server to webhook authentication and CEL-based filtering, though I did talk to Neighborhood at KubeCon emails.
A
So I think that part was clear, but I think we still got to figure out what we were going to do for it out there. Whoever else.
A
Let's see, the client exec proxy, we did not make code progress on, but I know, Mike, you have like two PRs open, you're, like, do some SPDY surgery, which looks real exciting.
F
I think it's going to be hard to implement that, and also include support for the SPDY stuff, without a little left of the SPDY client-side support, so started to work on that.
A
A
Okay, cool, we did sort of just talk about finding keyboard stuff, so, okay, I think that's what we got. See anything else, same, unless anybody else wants to talk about anything.