From YouTube: Kubernetes SIG Auth 20190724
Description
Kubernetes Auth Special-Interest-Group (SIG) Meeting 20190724
Meeting Notes/Agenda: https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/preview
Find out more about SIG Auth here: https://github.com/kubernetes/community/tree/master/sig-auth
B: We look back at sort of the history. Like the first time, I learned, KubeCon was North America 2018. That time Jordan and Tim gave a deep dive that was primarily focused around some interesting problems the SIG was trying to explore solutions for. That was... Are you worried there's something on the board out of this?

B: So that was an interesting kind of exploration, kind of deep dive, because there was basically, you know, a set of problems that we had answers for, but not necessarily good answers, and we were trying to feel out if other people had options that would help them through those traumas that we were kind of looking through. So that was one approach: research. The next deep dive we did was in Barcelona for the last KubeCon, and that was Matt Rogers and myself, and that was primarily based on some feedback.

B: We've gotten, in North America's intro, where a person who wanted to try to contribute had asked for like a code walkthrough. I mean, I'd wanted to do that for a while anyway, so Matt and I had to put together some slides on that. I think, overall, it went well. There was, I think, the biggest hindrance was that there is actually a relatively limited amount of time to do like a little code walkthrough.

B: If you want to do like a lot of content, and we happen to have enough code, that if you want to get deep into it, it'll take with each of them all the time, but I think it went well and it is recorded. So, you know, if someone new joins the SIG you at least have something to point them to. It might not be the best starting point, but it is a start.

B: I have, I haven't got any responses back on the mailing list. So at this point, for, like, future deep dives, the closest idea I have, and this is just sort of a guess, is we have a bunch of subprojects and perhaps like a deep dive for every subproject, like over a period of many KubeCons, might be helpful. That way, so a contributor can sort of look at it, even if it's dated, you know, they'll at least give them some history, but that's it again.
C: Just gonna say that, yeah, the contributor summit I attended in Barcelona would have been a really great place to have sort of like an hour-long deep discussion about the code around auth. So I know, like, I tried to get to as many of the deep dive sessions as I could. But, you know, there's a lot of overlapping concerns and it's like trying to be at five different sessions at the same time. It's kind of hard, so yeah. If the contributor summit would be great to have something there.

C: Jason DeTiberus and Daniel Smith were also in one, but I can't remember exactly which deep dive it was, but yeah, there was. There were a few slides that were gone through from Daniel, and that was kind of helpful. I honestly, I was just getting started with contributing and going through the source code. So a lot of the sessions were just kind of like information overload. Fire hose of information.
B: Only suggestions I think I'd put in there, because at the time I was thinking about doing, oh, I guess we can add this to the list: a deep dive on the node authorizer and admission plugins. Since, you know, if you combine all of them together, those are kind of how we have a best practice path right now for nodes, and you don't necessarily know all of it at once, but it's sort of, if you check all those boxes, you get pretty decent security.
D: So we had an API review of the audit policy and essentially had the folks working on that go and collect more use cases and kind of make sure we really understand the use cases for the audit policy API before we design an API for it. They have a document they're working on, but it looks like that.
E: Wouldn't it be a, maybe we have to cache, but the unique, you'd be unique, unique auth clients per second effectively, and then the cache, whatever the cache fall-off is. So, if you're using a, if using like a service account, you had a thousand services hitting you once a minute, you'd be, you know, at whatever, 20.
E: I don't think we intended to answer star from the query perspective. At the time we discussed it, doesn't mean that it's not a reasonable request, but I remember having an argument with either Jordan or David, where we were like, we want to make resource access review as good as it can be, but not require the underlying implementation to be fully broad, like to be able to enumerate specifically for a case like this.
E: Anymore, that, and I think we wanted to avoid negative checks in here, but like, as an example, asking for a verb no one has thought of, to me, is exactly the equivalent of star, which is, if you make up an insane verb that no one human in the history of the world else has ever used before, then you have all, we kind of said it just wasn't.
B: Wasn't around when you guys did this, like, to me conceptually star has always meant, it's like a placeholder, so that when you have a cluster admin that's got star on everything, it's sort of like the origin of. Although there are RBAC permissions it can grant, like some operator with some CRD requirements, any, you know, like any group, any resource, any verb, and it kind of bootstraps everything into a functional state, but I've never thought about anything beyond that.
E: Like it, it was, it was a little. It was a closed variant of that. It was like, we want to express the idea that, no matter what the verb is, if you have a certain permission on the resource, you had that permission. So it is a cluster admin. It's basically that statement, but maybe a little bit less specific to the bootstrapping, but its biggest practical implementation will be bootstrapping. Cluster admin has star star star, but the star was meant, doesn't matter what the other?
F: I think GKE specifically has this weird bug with how it falls back for custom resources, where it basically said star, something I don't know about, so we're gonna check your custom resource permissions, and it was like, yeah, you can do stuff with custom resources. That's something we need to fix on our side, but we wanted to get some clarity on how everyone else was thinking about the API contract.
A: Cool, well, let's make this a short one. I think Moe is going to follow up with a poll for deep dive discussion topics at the next KubeCon, and I think that Tim is going to send out a document that the audit policy people have been working on. Cool. Thank you very much. Everybody have a good two weeks.