From YouTube: Kubernetes SIG Auth 20160626
Description
Kubernetes Auth Special-Interest-Group (SIG) Meeting 20160626
Meeting Notes/Agenda: https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/preview
Find out more about SIG Auth here: https://github.com/kubernetes/community/tree/master/sig-auth
A: Hey everyone, this is the SIG Auth meeting for June 26, 2019. Let's get started. So, an announcement from myself: I had sent an email asking for feedback on any topics that people would like covered in the next SIG Auth deep dive in San Diego. If anyone has any desires for what they would like covered, it would be super awesome.
A: With that, Joshua, are you on the call?
D: Cool. I'm assuming you can see my screen? Yep, cool. Yeah, so I'm Josh Christian from Jetstack, and yeah, we've been working on something called kube-oidc-proxy, very imaginative name, but yeah, basically a reverse proxy to authenticate with OIDC to Kubernetes. So yeah. You typically want to use this when OIDC authentication is available, so you know, things like GKE. We don't get to control the OIDC, or Mike distribution, etc., and also you can use it for a consistent authentication across multi-cloud, so because it's an RBAC, consistent user identity, control of the kind of CA of the OIDC, so yeah. It's a reverse proxy, kind of, at its core based on the kind of httputil proxy, which is quite nice. Recently, in 1.12 I believe it was, the kind of reverse proxy got support for HTTP upgrades, so things like exec and logs, things like that, just work out of the box.
D: It's quite nice, yeah. Yeah, we've tried to kind of use as much of the Kubernetes code base as possible, so wanting to keep the code very slim, and yeah, I mean it's kind of, that's at least functionally correct in terms of the kind of code reuse, yeah, so to a minimum, etc. So yeah, this is essentially how it works. You have kube-oidc-proxy, typically running in your cluster as a service account, and essentially it will kind of grab kubectl requests.
D: Authenticate them using OIDC, will then kind of rip out their kind of user info, repackage that into impersonation headers, so grab the user name, the groups and extra headers, repackage the HTTP request, then authorize using kube-oidc-proxy's service account, so yeah. When it reaches the kind of real API it will kind of authorize based on, kind of, can kube-oidc-proxy authenticate? Yes, and then it will go on and authorize the kind of request based on the kind of impersonated headers.
D: So you have the effect of kind of the person making the real request, except we're kind of using OIDC, or using our identities instead, so yeah. I guess the first limitation is obviously you can't use impersonation when you're kind of going through kube-oidc-proxy, because you can't stack impersonation, yeah. I guess that's a kind of limitation, but yeah, I have a little demo to show. So this is a public website. You can go here.
D: So if you think of this in the context of like an organization or something, you might have kind of like identity already set up, but in this case we're going to use GitHub, so, for example, sign in with GitHub. Dex is now going to do like an OAuth with GitHub, and then, I, otherwise, Dex grabs my identity. So in this case it'll be my name, my email address and some other things, gone access. And then Gangway is now going to generate a kubeconfig for me.
D: Yep, so yeah, looks like this. I've configured Dex to give groups, so you can try this yourself and do like a kubectl T key, and yeah, like I said before, like we own the CA, so it's kind of signed by us, so obviously in like an organization and stuff, probably advantageous. The other cool thing as well: so we have a single Dex running that is signing all the tokens, but you'll notice that the kind of audience is different for every cluster, which is really important, right, so sending requests to one kube-oidc-proxy.
D: Yeah, so it shows a different audience, so yeah, that's pretty much it for that. I guess to talk about kind of future work, so this is kind of more a point-one release; would be quite keen for people to try it and kind of like put some real stress on it, so obviously putting things in the critical path, so it's very important.
D: It gets right, but in terms of like future development and features, so the first thing would be auditing, so clearly anything that isn't sent to the API server, kind of quote-unquote real API server, won't get audited. So it's kind of our responsibility to kind of audit those requests that fail, and I guess the second thing would be doing Tanabata pass-through with authentication, so someone at Bitnami was interested in, when requests come through that aren't OIDC or kind of fail, then we kind of use kube-
D: oidc-proxy as like a first or best-effort auth and pass through a request that we can't make, yeah, that's still kind of up in the air how we want it to work, yeah. And I guess the final one would be kind of supporting other authentication methods, but yeah, I guess that's a quick whistle-stop tour! If anyone has any questions or comments.
D: That kind of have multiple teams, where they kind of have one kind of repo with a single RBAC set up that some operator can maintain, and then they can kind of deploy that out consistently across multiple clusters in multiple providers, and using the kind of kube-oidc-proxy, users quote-unquote, so like developers and such, can kind of use that kind of OAuth flow and then kind of get tokens for each cluster, yeah, and that kind of RBAC is going to start straight away. Yeah.
D: Yes, exactly, that's with Dex, so there's a single Dex which is kind of a single co-signer, and you run kube-oidc-proxy per cluster. So like it's very important that each kube-oidc-proxy is a different audience. Otherwise, yeah, you have a mess where different kube-oidc-proxies can kind of impersonate you to the other proxies. Yeah.
D: Okay, perhaps. Again, you could have this concept of best effort, and maybe kube-oidc-proxy could discover, when it kind of inits, whether that kind of features are enabled in the cluster that it belongs to. Perhaps that would not be an option, but yeah, I part.
B: I've imagined people would use impersonation like this, and I have recommended it to people, but I will be interested to see how it holds up as people start using it more heavily. I think that it's probably, without doing any testing, significantly less performant than the request header authenticator, and it also shows up the double impersonation; not being able to impersonate twice is annoying, and I don't like how it shows up, particularly in audit logs.
B: My big thing is that the principal shows up as the proxy and then there's an impersonated principal in another field. I would have, I would have slightly preferred if the principal is always the thing that we do the authorisation check on, and have the impersonating user be the second field. That way the primary identity of the request is always in one field, and you don't have to do weird if statements on parsing logs that maybe came through an impersonation proxy or maybe didn't.
A: I was gonna mention, on like the double impersonation thing, like nothing technically prevents you from seeing the impersonation headers come in and like doing the authorization check that the server would do, and then like impersonating the thing they're asking you to impersonate. It's just a little weird, because then in the audit logs you'll miss the fact that the user, right, it's user A impersonating B. But you actually will see the proxy impersonating C.
D: We've thought about that quite a bit, so the first one is the fact of who needs to do the auth check; well, I'll make myself, which can maybe Causton. Well, it's another kind of very pop pop kind of touch. We had decided to touch the authorization there then, and that's kind of, yeah, tricky, and yeah. Secondly, the kind of latency will, God, or not what you expect. Oh.
F: Has the ability to do something, so something you see people do a lot is can-i checks, like "as some user" and "as some group", and so if you wanted to check if a particular user with a particular group could do something, then running can-i, you know, get pods, as user, as group. At that point you are explicitly specifying the username and groups that you want to be considered for that authorization check, and if we sort of helpfully add in other things than what you think you're checking, you might not actually be checking.
A: Yeah, I generally, I wish, when you impersonated a user, that it somehow impersonated the right groups that the user would eventually have, but barring that, I'd like the fact it just doesn't do anything special. You asked for this user name and that's what you got. You asked for this group. That's what you, yeah, I.
F: The kubelet prefix with a node prefix, so after this release, all of the add-ons and all of the in-project use of node labels will be limited to labels that we are fine with nodes setting and owning, which means that probably 1.19 is when we can start enforcing, but whatever, yeah. So, so we fixed the kubelet, we fix the add-ons this release, all the API server in new releases, three releases.
B: I mean, it is different than every other integration point that we have in Kubernetes. It is not what we did for KMS, which is actually a better fit for PKCS 11. Then this is, the other reason for not doing it is because we, it is not, it's like a Venn diagram of what we need. It has a little bit of what we need, but not all here, and, and so.
B: Yeah, dependent, it again, like it depends on what we decide that we want to do, but if you wanted to have, like, sign or store some claims about, at the managed offering, like "this is an AWS EKS cluster, ARN blah", then that might be something that is useful. I don't know. It's not something we could do with an HSM interface.
A: I mean, that's sort of what I generally got from using a portable API, a custom protocol, gRPC over a domain socket, was basically we, we push a certain level of burden on everyone to implement that API in whatever way they want. But then they get incredible flexibility on how long, yeah, and but then the converse is true, right. Everyone gets to go implement their own thing, yeah, I, build me a generic KMS, like I might build me a generic.
A: Yeah, I haven't thought through all those details, but I figured if my only concern was that, if, like, I, I had heard some comments on KMS, or like, yeah, we wanted rigid with PKCS 11 with us. Like the only thing you wanted rigidly, why doesn't it, just because PKCS 11, and I'm not sure it was that awful, like I do like the fact that the KMS gRPC is so small, you can make it any smaller, so I don't want to belabor too much.