►
From YouTube: SIG-Auth Bi-Weekly Meeting for 20220928
Description
SIG-Auth Bi-Weekly Meeting for 20220928
A
Hello:
everyone
welcome
to
the
September
28th
2022
meeting
of
Sig
auth.
Let's
kick
it
off.
We
have
a
lot
of
items
on
the
agenda.
As
you
can
see,
you
can
y'all
see
the
screen.
Okay,
all
right
with
that.
Let's
get
started
with
sub
resources.
B
B
It
doesn't
matter,
let's
see
we
had
a
long
discussion
on
this
at
API.
Machinery
last
week
feel
free
to
share
your.
B
Hopefully,
you're
seeing
only
one
window.
A
B
That
a
little
bit
okay,
so
I'll
just
go
as
fast
as
I
can,
and
if
this
is
too
slow,
then
stop
me.
Why
did
I
start
this
proposal?
Basically,
API
Machinery
has
a
couple
caps
that
are
blocked
on
this
need
for
sub
resources
or
something
else
that
accomplishes
the
purposes
of
sub-resources.
B
And
it's
a
very
sad
story.
We've
been
keeping
this
poor
author
waiting
for
like
two
years
through
a
comedy
of
errors,
so
I'm
motivated
to
at
least
have
a
Direction
so
that
we
can
give
an
answer,
even
if
we're
not
ready
to
implement
something
this
instant
Yeah.
So
basically
the
the
problem
is.
B
Sometimes
people
need
to
write,
make
generic
controllers
which
operate
on
some
portion
of
a
resource
like
finalizers
or
labels
or
annotations
or
like
something
that
many
resources
have,
but
we
don't
want
the
controller
to
have
update
on
all
resources
in
the
whole
cluster,
because
that
is
pretty
broad
security.
B
So
the
goal
is
to
limit
this
somehow
to
specific
Fields,
and
so
the
I've
declared
it
a
non-goal
for
these
purposes.
Also,
reading
limiting
What
fields
can
be
read
so
because
I
think
that
makes
it
a
lot
harder.
If
that
is
too
much
of
a
non-goal,
we
can
talk
about
expanding
the
scope
of
this,
but
I'd
like
to
keep
it
as
targeted
as
possible
yeah.
So
today,
I'll
just
go
through
the
designs,
real
quick
today.
B
The
only
solution
that
we
have
really
is
to
use
sub
resources
to
make
a
sub
resource,
and
so
this
is
this
is
what
we've
asked.
This
is
what
David
is
asking
the
this
cap
author
to
do
is
make
a
sub
resources
for
this
proposed
liens
field
and
also
one
for
the
final
edges
field,
because
they
should
really
be
similar,
but
in
Reading
in
reading
that
kept
for
proposing
adding
a
sub
resources
for
sub
resource
for
finalizers.
B
I
realized
that
this
makes
life
very
inconvenient
for
clients,
because
every
sub
resource
implies
a
whole
new
set
of
functions
in
the
client,
like
not
just
an
additional
thing,
but
all
new
set
of
functions
like
you
can't
set
this
the
scale
subresource
without
calling
the
special
like
scale
functions,
and
you
can't
update
the
status
resource
without
calling
the
like
this
apply
status,
Etc.
So
if
we
make
three
or
four
or
five
new
sub
resources,
that
implies
like
a
bunch
of
functions
like
it's.
B
Like
that's
several
verbs
at
times
all
the
all
the
client
objects,
all
the
client,
all
the
clients
that
we
generate.
It's
a
lot
of
functions
and
it's
going
to
be
confusing
to
users
which
ones
they
need
to.
They
need
to
call
additionally,
when
you're
writing
your
controller.
You
have
to
write
it
in
such
a
way
that
it
uses
a
sub
resource
right
like
an
existing
client,
would
be
able
to
set
labels
through
the
labels
like
through
the
regular
object,
just
updating,
spec
or
whatever.
B
But
if
you
want
your
controller
to
be
able
to
be
controlled
in
this
way,
this
this
permissions
model,
you
have
to
make
it
use
this
separate
sub
resource
you
also
have
to
you
also
have
to
like.
If
you
want
to
update
multiple
Fields,
this
controller
has
to
make
multiple
calls.
You
can't
combine
that
right.
So
I
think
this
is
actually
super
inconvenient
and
I
hope
that
we
can
do
better
any
questions
so
far.
D
You've
just
been
the
only
one
talking
so
far,
so
it
was
all
okay
is
like
I
thought.
We
had
a
very
productive
discussion.
B
Right
well
hold
on
yeah
I
can't
hear
a
word
you're
saying
so
if
I've
been
steamrolling,
anybody
I'm
sorry
give
me
give
me
one
second
to
grab
a
different
pair
of
headphones.
A
B
B
Yeah,
okay,
I
figured
it
out
my
my
Mac
muted
itself:
I,
don't
know
how
that
happened.
I'm.
B
D
D
Okay,
so
you
talked
about
the
case
where
we
we
have
a
controller.
We
want
to
let
like
right,
you
know
finalizers
or
liens
or
conditions
or
some
specific
field,
and
we
don't
want
to
Grant
Broad
access,
or
you
know
some
a
couple
of
fields
and
we
don't
want
to
make
them
jump
through
hoops
to
call
like
n
different
sub
resources.
D
So
that
makes
sense
to
me
the
other
direction
is
sort
of
what
I
was
also
trying
to
understand,
which
is
we
have
a
field
like
liens,
actually,
where
users
have
broad
update
rights
today,
and
we
don't
want
update
to
automatically
give
them
the
right
to
do
lean.
Stuff
like
liens
are
like
have
implications
for
the
system,
and
so
we
we
want
to,
in
addition
to
update
you,
need
to
specifically
have
update
on
Lanes.
B
Okay,
that's
that's
a
complicated
question.
Can
I
defer
it
a
little
bit
sure
yeah,
okay,.
H
A
Control
I
know
that's
kind
of
addressed
here
as
a
possibility,
as
we
just
add
another
admission
controller
for
this,
but
I
guess.
My
question
is
like
why
I
don't
know
exactly
what
my
question
is
it
just
feels
like
something
like
in
the
past.
Like
we've
just
said,
this
is
an
admission
control.
B
Problem
so
I
I
think
okay,
I've
I
have
like
two
answers
for
this.
One
is
like
this
is
a
mission
control
problem
is
here's?
Here's
a
here's,
a
lot
of
instructions.
Please
go
write
an
admission
controller
like
that
is
not
a
low
bar
to
entry
at
all.
Not
everybody
is
capable
of
doing
that
easily
or
within
a
small
time
constraint,
and
this
is
a
common
desire.
Right
like
like
this
is
solvable
with
admission.
Control
is
something
you
could
maybe
tell
a
cloud
provider.
B
My
second
answer
is
that
I
I
don't
know
if
anyone
else
makes
it
makes
this
distinction,
but
I
make
the
distinction
between
like
policy
and
authorization
and
I.
Think
like
permissions
and
policy
are
separate
things
and
I
think
ability
to
change
a
specific
field
is
pretty
tightly
scoped
and
it's
reasonable
to
have
that
covered
in
the
permissions
model,
not
necessarily
the
the
like
the
policy
layer,
I,
don't
know
if
anyone
else
thinks
of
those
things
as
different
layers,
but
I
do.
E
B
That
affected
the
recommended
Choice
here
and
I-
think
yeah.
Do
we
want
to
debate
that
now
or
do
we
want
to
see
what
Tim
Hawkins
has
to
say,
I
think
we
can
go
to
other
teams,
Yeah
Tim,
Tim.
H
So
I
just
wanted
to
to
say
like
while
this
is
not
at
all
my
home
Sig.
They
I
took
interest
in
this
cap
because
I
do
a
lot
of
their
API
reviews
and
so
I'm.
Looking
at
this
from
the
API
review
perspective,
where
you
know
we're
trying
really
hard
to
give
people
good
advice
on
how
to
do
things
safely
and
securely
in
the
bad
old
days
that
was
do
whatever
you
want
and
now
we're
trying
to
be
more
like
secure
by
default
and
and
minimum
access
and
least
privilege
by
default.
H
H
I
do
think
that
as
our
life
cycle,
management
and
referential
integrity
options
get
more
sophisticated,
more
people
will
want
to
use
them,
and
that
will
mean
in
today's
model
granting
a
lot
of
spec
access
to
a
lot
of
actors
who
don't
really
need
spec
access.
They
just
need
the
ability
to
hook
life
cycle
events,
and
so
that's
why
I
think
this
is
going
to
just
grow
in
importance
in
how
we
solve
this
I
I.
Read
that
you
know,
I
read
the
doc
and
my
comments
are
there?
H
The
idea
of
being
able
to
do
filtered
reads
is
compelling
to
me,
but,
like
I,
said
I'm,
not
against
the
idea
of
just
having
multiple
sub
resources.
If
that's
the
thing
that
turned
out
to
be
most
implementable,.
B
A
B
F
Yeah
so
I
guess
to
attempts
Tim
all
clear's
point,
but
I
guess
this:
we
weren't
he
wasn't
recommending
multiple
sub
resources.
I
think
he
was
recommending
writing
an
admission
control
for,
like
lean
specifically
and
I.
Think
that
makes
sense
for
anything
in
in
core.
That's
that's
what
we
do
for
signer
name,
that's
what
we
do
for
we
we
did
for
PSP.
F
B
F
I
totally
I
agree
that
this
is
challenging
for
people
working
outside
of
core
or
challenging
or
impossible
for
them
to
follow
this
pattern.
But
it
is
the
pattern
that
we
followed
for
core
features
in
the
past.
B
Yeah:
okay,
why
don't
I
continue
and
since
I
think
this
is
relevant?
I'll
go
into
the
next
design.
I
was
going
to
skip
it,
but
the
design
two
option
is
basically
like
how
could
I
solve
this
without
changing
anything
in
tree,
and
it's
listed
a
design
how
you
could
solve
it
like
some
objects
that
are
analogous
to
crds
like
this
is
a
field
field,
selection,
expression
and
like
a
something
that
binds
into
users
or
groups
Etc.
B
So
the
the
reason
why
the
more
or
less
the
reason
why
this
design?
Okay,
there's
a
few
reasons.
Reliability
is
bad
with
web
Hooks
and
this
Mrs
David's
constraint
of
it's
on
everywhere,
because
this
can
be
turned
off
and
David's
David
and
mo
mentioned
this.
Also.
The
constraint
that
it
is
on
everywhere
lets
people
plan
for
it
and,
like
developers
like,
if
it's
on
everywhere,
it's
like
oh
yeah.
This
is
something
I
do
in
my
development
cluster.
B
It's
not
something
I
miss
until
deployment
time
when
I
find
I
need
this
strange.
Other
permission,
I
didn't
know
about
so
I
think
that's
the
justification
for
the
it
has
to
be
on
everywhere,
pattern
that
I
understand,
I,
don't
know
if
I
failed
to
capture
something
David
or
Mo,
please
jump
in
yeah.
C
That's
a
that's
a
good
expression.
I
would
I
would
like
to
see
the
check
that
is
made
be
something
that
is
in
conformance
over
time.
This
is
the
way
our
API
behaves
and
the
actual
permissions
themselves
could
be
granted.
You
know
someone
could
say:
oh
I,
don't
care
about
this
I'm
going
to
Grant
everyone
permission
yeah,
but
the
checks
are
always
made.
B
Yeah,
so
that
requirement
rules
out
design
too.
It
also
rules
out
design,
three,
which
is
like
just
modify
our
back
and
fix
it
there.
It
also
rules
out
the
variations
where,
instead
of
a
web
hook,
you
build
a
admission
plug-in
inside
API
server
so
that
that
gets
us
down
to
two
designs.
B
So
it
you
can
well,
you
have
to
do
something
that
passes
to
Performance,
but
you
can
turn
off
admission,
plugins
and
just
use
the
the
right
you
can.
You
can
turn
off
various
parts
of
the
of
the
chain.
If
you
turn
off
everything,
you
probably
won't
pass
conformance.
If
you,
if
you
turn
off
parts
of
it,
you
probably
can.
B
So,
like
people
configure
their
their
permissions
in
different
ways,
right,
like
you,
can
use
our
back,
but
you
don't
have
to
use
rbac.
You
can
get
the
you
can
pass
the
you
can
let
the
permissions
checks
gets
passed
on
to
to
a
plug-in
that
is
a
Web
book
and
calls
out
to
some
other
authorization
system
right,
yeah.
A
D
You
can
use
them
both
together.
The
two
examples
that
we
referenced,
like
the
CSR
signer
thing
and
the
garbage
collector
reinforcement
both
of
those
are
in
tree
admission,
plugins,
which
do
authorization
checks.
So
like
the
fact
that
an
authorization
check
is
done,
that's
codified
in
the
admission
plugin.
It
is
calling
out
to
the
authorization
subsystem,
so
you
can
satisfy
that
authorization
check
with
our
back
or
whatever
Authority.
You
have
hooked
up
so
so.
B
F
B
Yeah,
so
you
can
you
can
disable
the
authorization
chain
or
do
whatever
you
want,
but
you
can't
we're
not
letting
you
opt
out
of
the
fact
that
API
server
is
going
to
do
those
checks,
even
if
even
if
the
checks
all
return
true
or
just
go
into
a
black
hole
because
they're
they're
not
configured.
C
D
The
one
problem
that
like
just
implementing
a
new
admission
plugin
would
have
is
that
it
doesn't
satisfy
the
case
where
we
want
a
controller
to
be
limited
to
only
updating
a
few
fields,
and
we
don't
want
to
give
it
broad
update
permission
otherwise,
because
in
order
for
it
to
even
reach
that
admission
plugin,
you
would
have
to
do
that
controller.
Like
total
update
permission
and
then.
A
A
B
Yeah,
okay
shall
I
outline
the
the
like
what
is
recommended
which
is
designed
for
here
so
so,
basically
we're
going
to
do
a
couple
like
those
the
straw
proposal,
like.
Obviously,
this
needs
to
be
written
up
more,
but
the
the
Like
Straw
proposal
is
to
add
a
like
virtual
permission.
Verb
I
understand.
We
do
that
and
like
you
can
grant
the
permission
via
rbac
or
via,
like
some
external
system.
However,
you,
however,
the
system
administrator
is
in
the
habit
of
granting
remissions.
B
You
can
grant
that's
this
permission.
That
way
so
it'll
be
a
basically
a
it's,
not
an
edit
permission,
but
it
is
an
indication
like
if
you
have
this
permission,
it's
an
indication
that
we're
going
to
do
the
secondary
auth
checks
later
in
the
chain.
Once
we
know
what
is
changing,
so
you
tell
like,
like
the
the
flow
it
looks
like.
Okay,
you
does
this
person
have
edit
or
update
permission?
No.
Does
it
have
the
per
field
edit
permission?
Yes,
okay.
B
At
that
point,
we
proceed
down
the
request
chain
like
we
put
something
in
the
context
or
something
to
tell
us
to
tell
us
that
we
need
to
do
these
secondary
checks
and
when
we're
going
to
write
to
storage
at
the
point
where
we
have
both
the
Old
and
the
new
object.
It
is
at
that
point
pretty
easy
to
diff
the
two
and
figure
out
what
fields
are
changing.
B
We
can
use
some
of
the
some
of
the
code
written
for
server-side
apply
to
Express
this,
so
we
don't
have
to
write
a
bunch
of
structured
set
manipulation
right.
We
can
just
reuse
that
of
that
code,
so
I
wouldn't
look
to
like
this
is.
This
is
modifiable
like
how
exactly
we
want
to
express
which
field
somebody
is
able
to
have
right
here.
B
I
have
like,
like
you,
you
construct
a
verb
based
on
the
like
the
type
name
and
the
field
that
they
want
to
modify
and
do
a
regular
permissions
check
based
on
that
constructed
name,
and
you
do
this
for
every
modified
field.
There's
like
we
could
do
more
complicated
things
where
there's
intermediate
objects,
and
it
like
gives
you
a
set
of
fields
and
I.
Don't
think
that's
important
to
settle
right
now.
Okay,
we
could
even
have.
B
We
could
even
have
a
negative
permission
if
so
desired.
David
thinks
it's
a
bad
idea,
but
if
so
desired
we
could.
We
could
have
a
like.
You
could
only
modify
this.
You
can
only
find
modify
spec
if
you
don't
have
the
no
spec
permission,
of
course,
that
that
depends
on
other
things
in
the
authorizer
chain,
not
letting
you
do
it
anyway,
but
you
only
get
into
this
into
this
condition.
If
that's
the
case
anyway,
right,
okay,
yeah,
maybe
I,
should
stop
there.
B
The
properties
are
like,
obviously
it
it
works
with
your
existing
permissions
granting
system
whatever
that
might
be.
It
works
on
existing
resource
types
like
like
all
resource
types.
You
don't
have
to
do
something
special
for
crds
and
this
code
is
basically
all
API
server
codes.
We
don't
have
to
change
admission
plugins
or
anything
like
that.
H
B
H
Guess
my
point
is
one
of
the
the
carrots
that
you
dangled
was
we
could
provide
filtered
gets,
but
I
can't
actually
Express
that
if
I
want
to
be
version
safe
across
time,
yeah.
B
I
would
say
that
the
the
designed
for
filtered
get
like
the
sketch
design
for
filtered
gets
in
this
was
invalidated
by
one
of
David's
requirements,
so
at
the
moment
I'm
not
dangling
filtered
gets.
If
that
is
something
that
you
need,
then
we
probably
need
to
think
of
a
different
design.
No.
H
I
mean
personally
I,
don't
have
a
strong
need
for
it,
but
it
it
certainly
come
up
before,
as
wouldn't
it
be
neat.
If,
but
it
was
for
me,
it
was
the
it
was
the
the
extra
carrot
that
got.
A
B
B
You
can
only
do
this
if
you
have
data
in
the
object,
because
not
all
of
our
conversion
functions
survive
objects
that
have
Fields
missing
so
like
there's
code
that
finds
an
order
of
switching
between
all
versions,
because
because
we
don't
want
people
owning
things
in
different
versions,
so
we
have
to
like
figure
out
what
collides
with
what
like
it
works.
B
I,
don't
know
if
anybody
completely
understands
it
anymore,
but
so
it's
it's
possible
but
but
difficult
to
convert
between
versions.
I
would
prefer
not
to
do
it
personally.
Mo.
E
So
I
think
this
is
related
to
the
thing
Jordan
had
said
earlier,
but
it's
sort
of
a
specific
sort
of
nuance
of
it,
which
is
I'll,
speak
by
example.
With
with
pot
security
admission,
we
were
really
careful
to
say
that
the
policies
were
versioned.
So
that
way,
if
you
needed
the
latest
meaning
you
could
ask
for
it.
But
if
you
built
your
stuff
around
a
particular
version
of
the
prospect,
that's
that's
where
you
can
sort
of
Point
things
at
the
the
thing
that
I
don't
know.
E
If
any
of
these
sort
of
talk
about
is
today,
if
you
grant
update
it,
sort
of
means
update
on
the
whole
object
till
sort
of
like
the
end
of
time
and
doesn't
matter
really
what
changes
in
the
object
like
you
know,
if
you
add
new
Fields,
so
so
yeah.
B
To
use
this
problem
to
use
this
mechanism
to
solve
the
problem
Jordan
asked
about,
you
would
have
to
not
Grant
users
update
and
then
grant
them
this
per
field
thing
and
Grantham
a
the
the
like
ver,
the
special
verbs.
That
means
the
field
they
want
to
to
change.
Now
you
as
as
written
it
is
a
recursive
check.
So
it
starts
at
the
root
of
the
object
goes
down.
So
if
you
have
permission
to
to
modify
spec
like,
and
we
check
that
first,
like
it's
only
a
couple:
extra
checks.
E
So
I
I
think
I
think
you
still
need
something
some
way
to
express
that
this
field
is
special
and
you
need
a
special
check,
no
matter
what,
for
this
field,
like
I,
think
I
think
it's
compatible
with
somewhere
in
this
design.
I'm
just
saying
that,
like
like
you
know,
if
I
add
some
new
lean
field
or
whatever
some
new
privileged
field.
Okay,.
B
I
I
think
the
difficulty
in
doing
that
is
that
it,
if
like
over
time,
that
adds
up
to
a
ton
of
extra
Z
checks,
foreign.
B
If
everyone
does
that
for
their
field
and
like
we
at
like
over
time,
we've
added
like
20
Fields
and
you
do
a
create-
and
it's
like
20
Z
requests
to
see
if
you
can
do
the
create
or
not
like,
like
I'm,
proposing
we're
adding
a
few
requests
but
I'm
also
like
proposing
a
mechanism
where,
like
we,
only
go
down
this
path
in
certain
conditions,.
E
B
I
mean
for
for
so
I
I
think,
that's
a
policy
question
and
not
a
like
per
field.
Authorization
question,
like
you
have
permissions
to
set
the
admin
pod
flag
or
whatever
it
is.
You
can
just
only
set
it
to
false,
like
I,
wouldn't
use
this
mechanism
to
enforce
that
you
can
get
the
you
could
always
get
the
default
value
because
you
can't
say
anything
about
the
field
at
all
like
like,
okay,
I
guess,
I
could
work,
but
why?
B
Wouldn't
you
do
that
in
a
a
like
a
policy
context
instead
of
a
feel
bubble,
permission
context
the
the
attribute
I'm
trying
to
capture
here
is
like
can?
Can
you
modify
the
field
at
all.
B
D
A
D
The
difficulty
of
the
the
like
can
you
modify
this
field
at
all,
is
when
we
are
talking
about
adding
a
field
to
objects
that
gives
them
sort
of
power
on
other
objects
or
on
the
system
that
they
didn't
previously
have
so
like.
The
liens
field
is
a
good
example
right
like
previously,
if
I
could
set
pods
like
I,
you
know
maybe
positive
example,
because.
D
If
I
can
create
config
Maps
like
previously,
that
was
just
a
blob
of
data
and,
like
you
know,
I
can
create
these
things
and
they
sit
there
inert
and
now
we're
adding
a
field
that
lets
them
like
block
deletion
of
other
objects
or
block
name
spaces
or
whatever
it
is,
and
so
like
being
able
to
saying
we
need
a
policy
layer.
D
Someone
has
to
decide
that
they
want
to
disallow
that
for
users
who
otherwise
could
just
create
and
update
these
things.
That
kind
of
goes
back
to
the.
If
it's
not
there,
by
default,
people
aren't
going
to
realize
they
need
it
and
then
someone's
going
to
do
something
clever
or
disruptive,
and
then
cluster
evidence
are
going
to
come
to
us
and
say
like.
Why
didn't
you
protect
me
from
this
like,
oh
well,
you
could
have
put
a
policy
in
place
that
you
didn't
know
you
needed
to
I.
D
D
B
Trying
to
I
think
to
be
complete,
it
would
have
to
run
on
create
also.
A
B
The
the
check
that
is
sketched
out
in
the
straw
proposal
is
recursive,
so
it
starts
at
like
spec.
If
that
comes
back
to
Yes,
it
doesn't
check
on
anything
under
spec
and
if,
like
metadata,
is
yes,
then
it
doesn't
check
anything
under
metadata.
B
B
Yeah
I
think
so,
if,
if
it
is
desirable
that.
B
Well,
okay,
I
think
actually
I've
heard
two
incompatible
requests
here,
like
the
the
desire
for
us
not
to
like
have
a
large
permission
like
edit
granted
and
then
later
scoped
down,
because
you
don't
have
fine
grain
permissions
like
that
was
something
Jordan
expressed,
and
that's
also
something
that
seems
reasonable
and
desirable
to
me.
B
But
then
I
think
that
also
is
incompatible
with
this
notion
that,
like
we're
going
to
introduce
new
fields-
and
you
have
to
have
a
special
thing
to
get
this
new
field
set
like
like
I-
don't
think
if
we
were
starting
from
scratch
today,
would
we
would
we
would
we
do
it?
That
way,
would
we
split
the
permission
Space
by
verb
and
field
like
like
you
have
create
on
spec,
okay,
great,
you
create
not
on
spec,
but
on
spec
dot
replicas?
What
does
that
even
mean
I'm,
not
sure?
B
Are
you
an
update
on
like
spec.reficas
but
create
an
all
of
spec
foreign
that
comes
out
to
be
like
you
get
very
fine
grain
control,
but
would
you
want
to
be
the
system
administrator
who
has
to
figure
out
who
should
get
which
of
our
thousands
of
potential
special
permissions?
Like
that
does
not
sound
too
easy
to
me.
B
I
I
realize
I'm
I'm,
also
adding
like
the
the
permissions
in
this
model
are
all
constructed
and
so
we're
adding
basically
a
combinatorial
large
number
of
them,
but
at
least
it
would
only
be
for
users
who
have
the
special
like.
Please
go
check
this
tree
of
combinatorially
large
permissions,
yeah
I,
don't.
A
C
I
know
that
my
goal
at
least
the
first
one
that
I
thought
of
maybe
I
have
that
goal
as
well.
But
my
goal
was
to
be
able
to
produce
controllers
or
other
clients
that
have
the
ability
to
modify
liens,
but
not
the
ability
to
modify
the
spec
of
an
object.
D
I
am
more
focused
on
the
first
one
you
mentioned
where,
and
maybe
this
is
being
burned
from
finalizers
like
where
any
user
with
update
can
add
or
remove
any
finalizer
they
want,
and
so
finalizers
are
actually
unsuitable
for,
like
actually
ensuring
we
protect
things.
You
know
if
we
have
an
external
system
and
we
need
to
clean
up
a
reference,
International
System.
We
can
put
a
finalizer
on
there
with
a
controller,
but
any
user
with
update
can
take
the
finalizer
off
if
they
read
something
on
the
Internet.
D
It's
like
here's,
how
to
unstick
deletion
of
your
objects
and
so
I'm
scared
of
users.
D
H
So
I
I'm,
my
concern
is
with
David
I,
see
more
and
more
controllers
coming
up
and
people
granting
them
overly
broad
access,
which
just
scares
the
pants
off
me
I
hear
your
your
point.
Jordan
I've
certainly
seen
those
stack
Overflow
posts,
but
at
least
the
blast
is
localized
right
like
well.
You
you
blew
something
up
in
your
own
namespace
I
I,
don't
feel
too
bad
for
you
right
like
we
can
do
better
about
that,
but
take
into
its
conclusion.
H
In
addition
to
liens,
one
of
the
things
I
thought
was
interesting
was
and
I
know
that
it's
not
the
normal
kubernetes
sort
of
rest
semantic,
but
was
we
could
make
it
possible
through
sub
resources
to
say
this
person
is
allowed
to
add
annotations,
but
only
annotations
that
have
this
prefix,
right
and
and
actually
that's
kind
of
interesting
I
can
give
my
Fubar
controller
access
to
all
annotations.
That
start
with
fubar.com-
and
you
know
that
gives
you
some
limited
impact.
Finalizers
too
some
limited
sorry
limited
attack
of
what
you're
describing
as
a
problem.
A
B
B
H
B
B
D
A
A
A
D
I
mean
if,
if
we
saw
these
two
there's
two
different
sides
of
the
same
coin
like
sometimes
you
only
want
to
Grant
access
this
one
thing.
Sometimes
you
in
specific
Fields,
you
want
a
generic,
updater
or
Creator
to
also
specifically
have
access
to
this
field.
I
would
map
those
to
the
same
permission
check
so
that
the
controller
who
you're
going
to
give
targeted
access
to
that
field,
like
you
have
to
you,
have
to
give
access
specifically
to
that
field,
and
then
a
user
who
has
generic
update
access.
D
B
D
A
B
H
D
C
Would
we
be
willing,
then,
to
say,
as
we
introduce
new
Fields
there
is
a
default,
allow
or
gosh
it
sounds
terrible,
but
a
default
allow
or
a
default
deny
in
order
to
get
the
behavior
means.
As
an
example.
C
E
D
D
H
I
was
just
gonna
make
the
last
point
on
the
evolution
of
stuff.
I
mean
what
we've
done
in
a
few
other
places
is
decide
wow.
That
was
a
bad
thing
to
have
done.
Let's
make
it
possible
for
users
to
do
the
right
thing
in
the
future
and
recommend
to
them
they
should,
but
that
becomes
an
opt-in
thing
on
a
cluster
level.
H
Granule
with
well
documented,
escape
hatch,
I'm
thinking
about
stuff,
like
the
endpoints
manipulation
right
like
we
over
granted
that
permission
by
default,
and
now
we
say
we
don't,
but
you
can
turn
it
back
on
if
you
want
to
and
then
implementers
like
openshift
and
gke
and
NATO
eks
can
choose
whether
they
want
to
go
through
the
pain
of
moving
their
customers
over
to
the
new
model
or
not
I
mean
the
truth.
Is
we
have
to
support
both
forever?
B
Okay,
I
guess
I
will
write.
B
And
circulate
it
for
another
round
before
we
make
a
cap.
A
All
right
next,
we
have
status,
update
client,
exec
proxy
Nick.
Are
you
ready
yeah?
This
was
basically
just
I
was
I
needed.
Reviews
on
this
I
did
I
did
get
additional
reviews
from
looks
like
Mo
looked
at
it.
A
Approved
for
Alpha
and
126.
Mo
you
looked
at
it
recently.
Is
there
anything
that
you
want
to
call
out.
E
Think
top
of
mind
for
me
was
that
the
cap
says
that
this
would
be
featured,
which
it
would
be
I
just
don't
know
how
that
will
work
with
Cube
CTL,
because
it
is
something
that
is
exposed
or
would
be
exposed,
like
the
the
crappy
answer
to
that
question
could
be
that
you
literally
cannot
use
this
through
Cube
CTL
until
the
gas
or
something
I
think
you
have
to
use
it
in
other
places
or
some
somehow,
but
that
that
sounds
garbage.
D
I
mean
what
we've
done
with
other
stuffing
clients
like
any
any
Flags,
get
like
alpha
or
experimental
in
the
flag.
Any
dedicated
commands
get
put
under
the
alpha
sub
command
and
any
dedicated
configurations
like
the
API
version
on
the
config,
is
Alpha
so
like,
however,
you're
interacting
with
the
surface
area
of
it,
you're
typing
experimental
or
alpha
or
like
you're,
configurus
Alpha.
And
then
it's
like.
F
So
should
we
re
introduce
the
V1
Alpha
One
V2
Alpha
One,
what
V2
Alpha
One
I?
Don't
I,
don't
know
about
that,
because
I
don't
think,
there's
any
changes
that
we
want
to
make
to
V1
I
think
we
just
want
to
eventually
get
this
into
right.
E
So
we
too,
Alpha
One
implies
that
we're
going
to
end
at
V2,
which
is
not
the
end
goal.
The
end
goal
is
V1.
With
this
new
field.
That's
perfect,
so
I
I,
don't
know
what
sort
of
like
the
project
level
guidance
on
something
like
this
is
and
but
I
think
there.
There
probably
should
be
something
that
I
I
think
you
should
not
be
able
to
accidentally
run
into
this
feature.
If
you
need.
F
This
we
just
did
this
for
the
subject
subjects.
Whatever
review
subject:
attributes
review
we
I
thought
we
were
going
to
introduce
the
alpha.
F
A
D
D
If
that
is
the
only
sticking
point
on
the
design,
I'm,
actually,
okay,
with
finding
an
appropriately
visible
way
like
in
the
implementation
review
to
say,
like
we
can
name
the
field
Alpha
until
it
graduates
or
we
can
require
you
to
set
an
environment
variable
or
like
something
where
you
explicitly
have
to
opt
in
to
experimental,
Alpha
stuff.
E
Right,
that's
fine!
Rita!
Do
you
mind
going
to
my
latest
review
comments?
Just
so
I
don't
forget
my
I
think
I
had
like
maybe
one
other
thing.
I
wanted
to
ask
folks.
E
Well,
I
I!
No,
my
concern
is
mostly
I
just
want
to
make
sure
that
until
this
is
I,
guess,
GGA
I
think
because
beta
is
still
is
supposed
to
be
off
by
default.
Now,
I
think
that
a
user
has
to
take
some
action
for
them
to
be
opted
into
this
Behavior.
That's
all
that's
the
main
thing:
it's
not
that
I
think
right.
So
we're
going
to
go
wrong.
I'm.
F
D
I
thought
this
was
a
pre-existing
type
which
had
previously
existed
in
V1
Alpha
One
I,
don't
want
to
reintroduce
it
with
a
different
schema
same
schema.
It's.
E
Yeah
I
think
this
is
fine
for
like
offline,
but
I.
Think
metrics,
for
this
are
interesting,
because
this
code
is
invocable
through
web
books
on
the
API
server.
So,
yes,
it
is
the
campus
scope.
Does
hey
I
have
a
client
that
wants
to
authenticate
to
the
API
server,
but
that
same
code
is
used
by
the
API
server
to
authenticate
to
external
identities,
so
it
can
be
turned
around
and
done
in
the
other
direction.
E
Presumably,
if
that
is
happening,
you
want
to
know
at
least
something
about.
This
is
happening
like
I,
don't
know
proxy
latency
or
something.
A
Yeah
that
makes
sense.
Yeah
you'll
see
a
comment
about
oh
go
ahead.
A
E
E
The
end
it
should
still
work
like
you
should
get
off
correctly
and
the
whole
upgrade
request
thing
should
happen
as
well
right,
I,
I,
just
remember
when
I
did
the
really
hacky
POC
of
this
I
had
to
I
had
to
really
work
at
it
to
make
the
stuff
work
for
a
speedy,
okay,
I
ended
up
doing
something
really
strange
to
kind
of
make
it
work.
A
F
A
A
I've
gone
through
and
done
so
so
I
think
there
was
some
stuff
around.
It's
not
clear
why
there
was
mtls
Federation
stuff
in
there.
I
came
up
with
a
different
way
to
do
my
model
of
that
just
using
annotation,
so
I've
just
cut
all
that
stuff
out.
The
API
object
is
very
simple.
Now
the
cubelet
projected
volume
is
very
simple,
so.
F
Yeah
David,
do
you
mind
taking
another
look
at
this
I
think
I
will
it'll
be
Friday,
but
I
will
and
I
will
do
the
same.
A
I
know
one
one
random
question:
Mo
you
had
a
lot
of
questions
around
metrics
and
stuff.
Is
that
I
agree?
We
need
metrics
everything
I
can
find
says,
like
you,
don't
need
a
super
nailed
down
plan
for
an
alpha
feature,
so
I
kind
of
put
some
thoughts
in
on
like
what
we
need,
but.
E
Yeah
I,
don't
think
you
need
it
immediately.
I
was
more
like
my
initial
thoughts
on
the
exact
practice.
Stuff
I'd
be
like.
Oh,
it
probably
doesn't
need
many,
but
then
I
was
like
oh,
but
you
can
use
ways
that
are
not
obviously
I
think
we
want
metrics
for
all
of
our
stuff.
It's
just
yeah.
G
Yeah
I
know
we're
super
short
on
time
here
and
don't
have
much
time
to
cover
reference
Grant,
but
I
wanted
to
just
spend
I
guess
the
the
few
minutes
we
have
left
trying
to
answer
a
couple
key
questions
here.
One
reference
Grant
is
used
widely
within
Gateway,
API
and
Sig
store
is
showing
interest
in
one
of
their
caps.
Is
there
interest
in
a
neutral
home
for
it
and
then
two?
If
so,
should
we
delay
our
plans
to
graduate
reference
Grant
debata
within
our
Gateway
API
and
networking
API
Group.
C
So
one
thing
I'm
not
clear
on
is
the
the
reference
Grant
is
is
a
way
to
say:
I
was
away
for
one
person
in
namespace
a
to
say,
I
own.
The
things
in
this
namespace
and
I'm.
Okay,
with
objects
of
this
type
in
namespace,
be
referencing,
I'm,
understanding
it
correctly
correct.
But
in
order
to
make
that
check
generic,
how?
How
does
some
generic,
let's
assume
admissions,
plug-in,
know
that
there
should
be
a
referential
match
like
do
you
have
to
specifically
like?
C
G
Yeah,
it's
hard
to
make
this
a
generic
and
Jordan
covered
this
in
one
of
his
questions
in
the
agenda
as
well.
It's
hard
to
make
this
truly
generic,
because
the
reference
could
come
from
any
number
of
things
right
now
in
Gateway
API.
It's
well
defined
because
it's
one
of
two
places
and
those
places
are
very
clearly
defined
in
the
six
storage
proposal.
It's
one
very
clear
place
as
well
and
in
all
cases
The
Proposal
is
for
it
to
be
implemented
by
the
implemented
controller
of
the
API.
G
D
Yeah,
so
it's
not
an
admission
time
check,
it's
a
runtime
check,
so
the
controller,
that's
following
the
reference
is
assumed
to
already
have
read
permission
and
it's
self-gating
on
the
presence
of
one
of
these
reference
grants
in
order
to
say
like
before,
I
follow
this
link.
You
sent
me
I'm
going
to
see
if
the
person
on
the
other
end
is
happy
with
that.
H
Yes,
exactly
I
mean
that
was
that
was
how
I
always
understood
it.
I
I
mean
I'd
love
to
see
a
generic
solution
to
this,
but
I
always
understood
it
as
a
here's.
A
consistent-ish
way
that
you
can
apply
incrementally
to
more
and
more
places
over
time.
H
D
Yeah,
so
a
lot
of
the
a
lot
of
the
questions
I
had
were
sort
of
around
like
how
how
do
those
various
controllers
were
expecting
to
get
themselves
on
this
like
consistently
in
a
way
that
doesn't
leak?
Information
is
the
reference
fine-grained
enough,
and
so
Rob
and
I
were
kind
of
going
back
and
forth,
and
I
I
think
something
like
an
admission
check
or
a
storage
check
on
the
reference.
Grant
object
itself
to
say
like
if
you
want
to
allow
exposing
secrets
from
your
namespace
to
other
namespaces.
D
D
I
would
recommend
people
read
this
if
they
don't
remember
the
discussion
from
last
year,
and
maybe
we
could
like
kind
of
take
some
of
these
questions
async,
either
in
the
dock
or
in
the
mailing
list,
and
hopefully
get
get
some
direction.
Clarity
like
before
the
next
meeting.
H
Do
we
have
do?
We
have
other
existence,
proofs
of
places
where
we
do
sort
of
controller
on
behalf
of
user
work,
and
we
verify
that
the
user
was
allowed
to
do
the
thing
that
the
controller
would
do
for
them
like
creating
pods
from
a
deployment
right
in
theory,
I
could
create
a
deployment
and
not
have
the
Pod
any
pod
permissions
and
still
get
pods
or
I
could
change
my
labels
in
my
pod
and
trick
a
deployment
into
adopting
me
and
then
deleting
it
like.
Have
we
done
clearly,
we
sh.
H
D
All
aware
of
is
in
certificate
API,
because
the
API
captures
the
person
that
created
the
certificates
on
request
and
then
the
controllers
do
like
approved
checks
based
on
the
identity
of
the
user.
But
that's
the
only
place.
I
know
that
we
capture
that,
and
even
that,
like
other
places,
are
like,
can
we
record
the
creating
user
or
the
updating
user
like
in
an
authoritative?
You
know
trustworthy
way
and
it
actually
is
kind
of
problematic.
D
D
That
is
set
from
user
agent,
not
from
Identity,
and
it
doesn't
explode
groups
and
it
I
don't
think
it
explodes
username.
It
might
make
special
cases
for
service
accounts.
I
can't
remember
the
derivation
Tim
to
your
question,
like
yeah,
we've
sort
of
hand
waved
over
like
yeah,
but
that's
sort
of
what
deployments
mean.
If
you
give
someone
deployment
right
permission,
you
are
giving
them
pod
write
permission
and
the
fact
that
it's
contained
within
the
same
namespace.
D
It
makes
it
very
local
and
very
visible
as
soon
as
you
start
like
Crossing
namespaces
and
saying
like.
Oh,
you
have
this
right
permission
on
this
object
here.
Therefore,
you
have
read
permission
on
that
object
in
that
namespace.
That's
where
it
starts
to
get
really
wonky
and
hard
to
reason
about.
H
I
mean
I,
remember
the
cve
on
Ingress
Acro,
our
gate,
yeah
Ingress
across
name
spaces
right,
so
I'm,
I'm,
I'm,
keen
on
just
how
complicated
this
is.
I
just
don't
want
to
set
the
bar
for
things
that
is
higher
than
the
bar
we've
said
in
the
past,
without
any
path
towards
reaching
the
bar.
D
Yeah
I
know
we're
out
of
time.
I
I
would
encourage
people.
Look
at
this
ask
questions,
especially
with
an
eye
to
like
if
this
was
a
generic
thing,
that
multiple
projects
we're
going
to
use
like
what
assumptions
made
sense
in
the
context
of
Gateway
that
maybe
we
should
expand
or
rethink
or
refine.
If
it's
going
to
be
generic
so
and
Rob,
would
you
prefer
we
do
this
like
in
the
stock
or
on
the
list,
or
do
you
care.
A
G
Preference
I
can
create
another
doc
if
that's
preferable
too
just
happy
to
work
with
this
and
and
I.
Think
cigarch
is
also
relevant
here.
So
I
may
bring
this
up
at
Sega
Arch
next
week.
D
Okay,
let's
keep
going
in
the
stock
if
you
want
to
hoist
it
out
if
it
gets
on
we'll
be
that's
fine.