From YouTube: Pinniped Community Meeting - March 3, 2022
Description
We meet every 1st and 3rd Thursday of the month. We'd love for you to come join us live!
This week we went over what to expect with v0.15.0 and the investigative work regarding Pinniped auth against dashboards. We also announced our new community manager, Nigel Brown! Full details on this meeting here: https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ
A
All right, hi, everyone, welcome to the first meeting of March of the Pinniped community meeting. Today's date is March 3rd, 2022. If you are watching this from home, we encourage you to come join us live. We meet every first and third Thursday of the month at 9 a.m. Pacific time. It's an opportunity for you to come and hang out with the maintainers and other members of the community.
A
A
A
A
Moving on to agenda items, just a reminder: we have this GitHub discussion that asks how you're using Pinniped, and you're welcome to go put a comment within this discussion so that others, as well as maintainers, can learn use cases of how folks are using Pinniped. It helps the team understand the ways that people are using it to best learn how to, you know, work on the project.
A
What other features they might need to work on. Kind of gives them more insight on how things are working for others regarding that, and it helps the community understand better how they might be able to use it if they see the way others are using it. Whenever you are attending, we just ask that you put in your name and any organization that you're representing here in the attendees section.
A
When previously we didn't have something clearly defined. So we have this governance doc, and then we also have proposals, so that whenever you do have a proposal for Pinniped, you know how to follow a process and make it a little bit easier for you and for others to read.
A
If you have any feedback regarding either one of those items, please reach out to us. We would love to hear more from you and how we can possibly update this to better suit you. Next thing for announcements, in case you missed it: Margo Crawford, one of the maintainers for Pinniped, did a demo and went over Pinniped itself within TGIK, TGI Kubernetes, and you can go to their YouTube list and check out the video there for a replay.
A
A
This is going to be my last Pinniped community meeting that I am the community manager of. We have been doing a few little transitions, kind of changing up some stuff here at VMware, and I will be taking over a different project, and my colleague Nigel Brown will be becoming the community manager for Pinniped, and he is on the call today. I don't know, Nigel, if you wanted to say hello to everybody.
B
A
Angel and Nigel's a bit more technical than me, so you may see him actually doing more demos of his own on Pinniped, you know, sharing more of things that I'm not too knowledgeable about, so he definitely has a one-up on there for me, and you might see him on the conference circuit talking about Pinniped. Who knows, I might be speaking a little bit too much for him right now, but I'm always super impressed with his technical background.
A
So super excited to have him take this over. While I am sad that I will be leaving, I'll still be around.
C
Yeah, we are definitely sad to see you go, Nancy, but yeah, also happy, Nigel, that you're joining the group. At the same time, sad to see, that's mixed emotions.
A
A
C
Yes, we are very close to releasing the group refresh functionality. Just, you know, a bunch of delays internally, but, you know, ready to release it very soon, either today or tomorrow. So look for that. And we already released, last time I had spoken about it, that we have a great how-to guide now, which is posted on the website.
C
So do go over that if you haven't already. The rest of the roadmap is the same.
A
A
And then, as far as the upcoming release, you said in the next couple of days. I did see there's a, is there a blog, there's going to be a blog post.
C
A
Moving on to discussion topics, looks like we didn't have anything here. Does anybody have anything that's popped up since we started the meeting that they want to bring up for the team?
E
Version 15 is, yeah, it's mostly about bringing our LDAP refresh up to parity with OIDC by
E
Checking whether groups have changed upon refresh. That's happening inline, so for some users that might require tweaking the LDAP search params to make it performant, so that's not like a very long operation that's happening every time a user refreshes, which is every five minutes or so. In the case that that's still not really possible to do, there is like a flag you can use to turn it off. Although.
E
We don't recommend it if there's a way you can just tweak your LDAP search params to be more performant, and we might change it or remove it in the future. So.
F
Awesome. Once it's out, I'll test it on an environment with 13 domains in a forest that is set to search the entire forest with 22,000 users. So I'll let you know what the performance is.
F
No, but we'll see, you know, based off of that, and then I'll start to tweak it and everything, and, you know, there can also be might get. Is there going to be any recommendations on the types of tweaking or anything like that? Is there anything that you guys have found in terms of the tweaking, or is that more, it'll be exploratory?
F
And things like that, because I can also, probably, after tweaking with it in that environment, which I probably will need to do, you know, I can give some feedback, and maybe that can be added then to documentation of ideas of types of tweaks that could be made to make it more performant. In.
D
There's one, right, which is turn off nesting search. That's the one we noticed internally made the query go from 30 seconds to instant. Let's just don't look for nested groups, and I was like, yeah, but that's lame, like I want my nested groups to also work. So it wasn't maybe desirable, but it at least was tractable, for, I guess, in certain environments where maybe it's not as important.
D
And, you know, if you have more control over the schema, you know, in AD and stuff, you might be able to scope it down to not just the whole forest, right? Depends on your situation. Yeah, as a way to try to make it more clear to the user that these things are happening as you're using, you know, kubectl, which is under the hood using the Pinniped CLI.
D
The server will send sort of informative warnings to the client to let it know when the groups are changing, so you'll actually notice that, if you're in a state where your groups are actually changing, because, you know, AD and stuff are not, you know, they're eventually consistent. So you can hit different replicas of domain controllers and stuff and get different group information back. So that might be confusing.
D
If you have policy attached to your groups. So we did try to make it more clear to an end user that that is occurring. You can't really make your IdP more consistent than it is, but we can at least inform you that stuff is happening.
F
Right, awesome. Yeah, no, and I think, in Active Directory, there is a way also to limit the depth of a query, if I'm not mistaken, of nested searches in Active Directory. I don't think that's native LDAP, but, and I'll see what the performance is there, and then, if I end up finding something like that, that may be something that could be added then to the Active Directory.
F
You know, identity provider, you know, at least, or to documentation for LDAP of: if your LDAP supports this like Active Directory, you can do ABC. So after testing I'll come back with some numbers and some findings for sure.
E
E
F
F
D
I did remember, this is a little bit early and I didn't necessarily plan on talking about it, but I will mention it. We started doing investigatory work in regards to Pinniped auth against dashboards, so not just the qtl south plant, so those are in sort of like an early stage.
D
D
F
Is the idea going down an approach like Kubeapps did with the Pinniped proxy, or is it like actually just opening up APIs and changing the way that clients actually authenticate to Pinniped, to not shell out in a container to pin.
D
Yeah, so in my sort of initial proof of concept, what I did is, I wrote a.
D
We can pick, so that is an approach. I can kind of see a spectrum of things, since we're so much more limited with what is a reasonable approach in the browser.
D
We, I could imagine implementations that do a better job of hiding any proxy occurring, instead of making it sort of, like, the easiest thing would be to say: hey, Kubeapps, and your backend also co-locate this proxy process and just kind of have it there and kind of hide it, and I think that would work fine for things like Kubeapps. But if you wanted to support anything like an SPA, then the problem's much harder, because basically the only thing you can do is sort of vanilla OAuth in an SPA, yeah.
D
So it depends if we care about such a use case and how far we want to take it. Certainly those are much more complex, I think, to implement on the Pinniped side, but it's early stages, we're just kind of thinking through things, but I was happy that I was able to at least make it work.
D
F
D
It's with the Supervisor, but basically my demo, my POC, with the Pinniped Supervisor, Kubeapps with multi-cluster, with the same security guarantees that we have today with the Pinniped CLI. So no compromise in that sense.
F
D
So that is a hard requirement for such a thing. Probably, I mean, maybe you could imagine other integration points, but if you want to stay within OIDC that is effectively a hard requirement. So that is one of the things that my POC did, which was just kind of hand-wave that, be like: here's a new client that you can use for a web flow.
D
D
Even if you sort of hand-wave all of that away and just say eventually we catch up with the standard OIDC OAuth bits, because Pinniped tries to work everywhere, we have a lot of machinery in the CLI that hides a bunch of clusters of complexity that either has to be replicated in the backend somehow of a web app. And if you don't have a backend, then there is really no solution. It's just impractical. There's no way in the browser to do clients are off, right.
D
So if you wanted something like an SPA, it requires a much more fancy approach. If you're willing to have a backend, and that backend is like kind of sophisticated, like two lapses, and I think the problem is much smaller and much more tractable. But yeah, it's hard to, like, for example, Kubeapps works with GKE in a kind of a vanilla OAuth way, because GKE globally will accept access tokens across all GKE clusters, just as long as they have like a particular scope, right.
D
So because Google, like accounts.google.com, is a global issuer and it's just like, yeah, free for all, send the access token anywhere. Just basically refuses to follow that model, because we, but we don't. We cannot guarantee that those access tokens won't be observable by like a cluster admin on one environment.
A
Great, thanks, Scott, as always, providing great questions and good feedback.
A
All right, okay, anything else folks want to talk about?
A
All right, thanks everyone for tuning in to this week's edition of the Pinniped community meeting. If you are watching this from home, please come join us live. We meet every first and third Thursday of the month at 9 a.m. Pacific time, and again, this is my last time hosting the community man, as a community manager, and I'm passing the baton to another amazing community manager.