From YouTube: Pinniped Community Meeting - February 3, 2022
Description
Our first meeting of 2022! We meet every 1st and 3rd Thursday of the month at 9am Pacific Time. We'd love for you to join us live!
This week we discuss the community feedback survey (please fill out!), open staff engineering role, the latest release of Pinniped (v0.13.0) and the project roadmap. Full details here: https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ
A
Hi, everyone, welcome to the first Pinniped community meeting of 2022. Today's date is February 3rd and we are excited to come back with our community meetings. If you're watching this from home and you would like to join us live, we do meet every first and third Thursday of the month at 9 a.m. Pacific time. You can join our Google group to get updates on the project and invites to the community meetings, and if you have anything you want to discuss with the team during these meetings,
A
please add that down in the agenda within the discussion topic section. If you're unable to attend and you still want to reach out to us for any reason at all, you can find us on the Kubernetes Slack workspace within the Pinniped channel, or you can find us on Twitter within project Pinniped. At any point in which you're interacting with us, with the community, in these meetings, we ask that you do please read and abide by our code of conduct.
A
Now, if you are using Pinniped, we want to know more about how you're using it, and we want to add you to our adopters page. So please add a comment to "Are you using Pinniped?" in this GitHub discussion, link right here, and just give us a little bit more details about how you're using Pinniped. Add your logo if you wish to be added to the adopters page, and that way we can understand more about how folks are using it and share it with the community for those that are attending.
A
All right, next up, we have the release of 0.13. This was a long time in the making, congrats to the team on pulling this through. We have a blog post by Anjali, the product manager for Pinniped, covering all the details regarding this particular release. So please go read that and get more information there, and we also have a little demo by one of the maintainers depending head Margo.
B
Yeah, so a lot of the main themes of this release are not super easily demo-able, because it's mostly, you know, tightening security posture. There's also happening in the background that wasn't previously happening to keep things in line with your IdP, so upstream refresh.
B
But one thing we did do, which is, I guess, more of an interesting demo, is upstream group refresh for OIDC. So when you initially log in, so version 13, and I've already set up like an OIDC identity provider,
B
This is gonna prompt me to log in. I already had a session, so that just worked. The user that I logged in as, walrus countless pods, and if I do who am I.
B
Let's see which groups I belong to and my username, but go into the admin consoles. This is an incognito window.
B
Add myself to another group, and then I actually have to wait five minutes, because that's how long it takes for the refresh to happen, so I'll start timer, and we can come back to that. Yes, in the meantime, maybe we can kind of talk through what the release is doing, so.
A
Yeah, if you want to go into more details overall about this particular release,
B
Yeah, so upstream refresh. So previously, the Pinniped Supervisor would log you in at the beginning of the day and then throughout the day it would log you in with your upstream identity provider, you know, your OIDC or Active Directory or LDAP identity provider, at the beginning of the day, and it wouldn't check back. So, you know, if someone moved teams or quit or anything else in the middle of the day, they would still have the rest of that today's session.
B
So it checks whether the user still exists and whether their tokens are still valid, whether their groups have changed and all that fun stuff. Also in the release is some stuff that Mo worked on, TLS hardening. I don't know if you want to go over that.
C
Okay, okay, I was trying, because it's been a while, so I was trying to remember what have we already talked about. So yeah, so it's okay, so yeah. So this is the first time we're talking about the 0.13 release, basically, so everything in there, yeah. So previously, if you were running security scans against, like, the Pinniped Supervisor, which is supposed to be component exposed broadly, you know, maybe even on the public internet, you would, they could fail because it would be like, "Oh, you support triple DES, which is like terrible."
C
Don't do that. And, you know, I've even spoken to the ghost security team on this, and, you know, their viewpoint is that the only time that it would ever be used is if the client could not do anything better, and I was like, yeah, I understand that, and if a client can't do anything better, I just don't want to talk to that client. It's the way I want the system to behave by default. That's not how Google is by default.
C
It favors compatibility over strictness there. So, but in this release the Pinniped Supervisor basically no longer supports any insecure TLS configurations. So what that means is you have to have a relatively,
C
Modern is the wrong word, but something within the last decade supported set of ciphers. That means that they support things like forward secrecy and other things that are sort of considered the industry standard of us, so TLS 1.2 has a minimum. So that's 1.3 is preferred.
C
We do relax this configuration, I'm integrating with LDAP providers, because we test against Active Directory 2012, because that's still supported by Microsoft, and they don't support nearly as good of a set of ciphers. They support a slightly less good set of ciphers, so we automatically kind of just downgrade that connection, because we just expect I'll have to build it. So yeah. So no, if you run Pinniped against a scan today, it's gonna pass with flying colors.
C
You know, a small set of entry points within our codebase, and so now we're in a really good place to do like FIPS support, to make sure that when we work on the variation of Pinniped that will be compiled by the drillfix compiler, that everything works as expected, we're constraining things correctly. But that kind of covers the last bit.
C
It is technically not backwards compatible in the strictest sense, in the sense that previously, you just blindly updated and basically any finite release after the, yeah, 5 and up, nothing really bad was going to happen. In this one, you could get into a situation where users are going to have a bad experience.
C
So it's just something to be aware of carefully the, the I. The ideal approach to the upgrade path would be to first upgrade your configuration and then do the update, and that's the desired approach, and that's totally practical and possible. You can enhance all the configuration into the perfect state and then exactly, yeah, at least notes. Talk about this in some pretty specific and painful detail, along with updated documentation on every single provider.
C
I think, just at a high level, you know, we really did focus on the security bits. You know, the customer outcome there is, if you lose access in your identity provider, benefit notices that you don't get to continue to having access to your head for up to nine hours after that accident reacts quickly.
C
This is one of the key steps. In the future, we want to allow you to configure how long your Pinniped sessions ask for, so we need a little bit of stuff there, in particular around rotation of our signing keys and stuff, and once we get to all that working, I think we'll be in a good place to allow users to safely configure that value, because we've done all the work right, it's much easier to say that you can have a one week session.
B
Yep, thanks for the summary. My timer just went off. So if we run this again.
B
And along with that, if I had been deactivated or something, I would not have been able to log in that second time after five minutes. I would have been prompted to log in again, having that nice seamless addition of the groups.
A
So also on the topic of the release, I just wanted to do a shout out to give thanks to the contributor Siddhant, I don't know if I'm saying that right, but submitting this PR 875 to add the sessions flag to the Pinniped get config command.
C
A
Okay, so either one of you want to go over, I know Anjali said she updated it. Did she did it? Did the PR go through or she just created the PR? Which PR?
A
Nope, she didn't, she wasn't a PR, she just updated it.
B
But yeah, so the sort of what I demoed was OIDC upstream group information refresh. It's technically a bit of a harder problem in LDAP, and because of that, we delayed that until after this release to get out the door. But first thing on this roadmap is allowing that same behavior of checking back in with the upstream identity provider and seeing which new groups are added or removed throughout the day for LDAP and Active Directory, and then, yeah, we've got some documentation changes, some of the stuff that,
B
With FIPS compliance, I think Mo mentioned that when talking about the TLS stuff. Multiple IdPs is something we are currently trying to plan out, so that would be, currently you can say this is my OIDC identity provider and you only have one. So if, you know, you wanted slightly different,
B
CI bots in Active Directory. You had some service accounts, but you were using Pinniped, and then you also had some users in OIDC.
B
That would be hard to do today, because the Supervisor only supports one IdP, and so we're trying to figure out, trying to scope that problem, then break it down into stories. Audit logging.
B
And that is really a CLI-based tool, but in the future we'd like to support dashboards that plug into Kubernetes and make that experience easier, it would be.
C
What that effectively means is we have effectively no UI surface in the browser and we have no support for a client that isn't the connected CLI, effectively, and the Pinniped CLI, because it's written by us, encapsulates an incredible mountain of complexity and hides it on purpose, and once you move into a browser-based approach, things get a lot harder, because the browser constrains what you can do significantly.
C
It has a very different security model and, just in general, isn't as, isn't in your control as much as a full. You know, it all seems technically possible. It's gonna be a large set of work. I'm excited for this set of work because I think dashboards and things of that nature is actually how a lot of people want to interface with Kubernetes, especially when they're just getting started.
A
Team can come into some blockers moving things around, but this kind of gives you an idea of what the team is actively pursuing for new features of Pinniped, and if you have any feedback whatsoever on the project roadmap, please feel free to reach out to us on Slack, and if you want to help us out with any of this, we would love to add on some more contributors from outside of the maintainers to assist in all these. So with that, looks like we don't have anything put into the discussion topic section.
A
Yes, so with that, thanks for watching from home. We hope that you come and join us for the next Pinniped community meeting, which is going to be the third Thursday of February, and again we meet at 9am Pacific time. But in the meantime, we hope that you check out that feedback survey, fill it out. Let us know what you think about the tool, what you think about these community meetings.
A
What is it that you would like to see in the future? We built this for the community and we want to make sure that we're doing our part to make it the most beneficial tool out there for you all, and as well as that, these community meetings are adding value to your life. So with that, thank you and we hope to see you next time.