VMware Pinniped Community Meeting, 15 Jul 2021

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: Pinniped Community Meeting - July 15, 2021

Description

Pinniped Community Meeting - July 15, 2021
We meet every 1st and 3rd Thursday of the month at 9am PT. We'd love for you to join us live!

This week we discuss July 2021 Roadmap Updates and announced the CNCF Pinniped Webinar. Full details here: https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ?view#July-15-2021

A

Hi everyone welcome to this week's edition of the pinniped community meeting. Just a reminder, these meetings are being recorded and uploaded to our youtube playlist. If you're watching from home on one of these recordings, we invite you to attend these in person. We meet every first and third thursday of the month at 9 a.m.

A

Pacific time, that's just an opportunity for you to listen in on what the team is working on and bring up any discussion topics that you wish to share with the team, or you have anything that you need help with from the team. um It's a really good like live opportunity for you to engage with the team in that way, when you do attend, we ask that everyone reads and abides by our code of conduct.

A

um So please read that and and when you attend justified by by that and you, we also ask that when you attend, you put your name in any organization or company that you represent here and that's just a way for us to keep track of. Who is attending these meetings and making sure the lines of communication are left open and we can reach out and not lose sight of of who, from from the community, is joining us as far as announcements goes, it looks like we don't have anything here.

A

um Is that correct? Is there any announcements that the team wishes to share.

A

All right moving on.

A

All right status updates on the project roadmap.

A

We have three items that have the timeline of july of this year.

A

And then we want to give.

B

Updates on these three yeah, so uh the first one out over there remote over dc login support. I think we are very close to getting that done. um I know marco can give more updates on the ad support side. um The the the third one there wider concierge cluster support, uh we're still we're still trying to work that out and see what makes sense, because um mo has come up with a cool pr upstream for short-lived certs.

B

So we want to evaluate whether we need to integrate that and then go in for the wider considerate cluster support, select more and uh I'll. Let marco talk about ad and more talk about the short-lived search.

C

Yeah so yeah, so we've been kind of trying to get this uh active directory, specific uh identity provider, it's slightly different than that the old app identity provider uh and.

C

We've been trying to figure out how to make all the defaults.

C

uh Be as little configuration as possible, um so, like you know, if you don't say this, is the username ldap attribute that I want to be present in my id token- and this is the uid attribute that I want to be present in my id token, we can just kind of infer that, based on our knowledge of what attributes active directory has uh we've been kind of working on figuring out if we can get the search base defaulted, which is kind of hairy, because.

C

Without the search face, we really don't know anything about where to look, and so you can do some stuff with the global catalog, but then that these other issues, like things not being unique.

C

um So it's all kind of weird.

A

um Mo do you have anything to end.

D

On a d or on my thing.

A

On your thing,.

D

uh I was going to ask margo and ryan. If they, I guess we could, we can wait for a discussion. um I had a question for them, but I can wait um so in regards to my thing um I'll: go, find the kept link and put it somewhere in the community meeting stats, but the the gist of it is in 122 and later clusters.

D

You will be able to use the csr api to request a short-lived cert and that, depending on the cluster's configuration it may honor that request for you, and so we could in pinpag, detect this capability and in all environments that are new enough and support that configuration.

D

We could then use that to issue credentials for users.

D

What that does is, then it broadens the scope of things that we can support environments that we can support. uh So as a for example, today we require an impersonation proxy to be used. If you want to use a gke cluster or a openshift cluster. Those are the only those both require. The impersonation proxy feature to be enabled.

D

It is possible in the future that that won't be a requirement by using this other functionality, the the negative is. You have to wait for 122 to be rolled out to those environments, which may be a long time from now.

D

So, if, as a for example, if we wanted direct openshift support- and we did not want to wait for a 122 version- a kubernetes version of openshift that had that functionality, then we could add direct support in a different way, but we're still trying to work out what makes sense long term. I think, no matter what we will eventually implement an approach that uses the csr api, because it has some nicer, just sort of architectural semantics that we would like to have.

D

But it's not a requirement anytime soon for us to do.

A

That, okay, um anything else from the team on those items.

A

Before we move on to the previous meeting, there is something that just came in late yesterday was put online: we've been working on pinniped, cncf, webinar, cncf cloud native computing foundation.

A

We have secured a spot for august 24th at 10 a.m, pacific time and the maintainers matt, moyer and margaret crawford will be doing a live webinar with q, a and just going over uh pinniped and doing some demos and the history of pinniped and why it was built and all those fun things. So, um if you're really interested in learning more about the project and um being able to see some demos and ask direct questions in that way, we encourage you to sign up for this webinar.

A

Okay, now moving on to some items we had from previous meetings, I know matt who's not on the call today had brought these two up last time, but I'm curious if anybody had any thoughts. uh Any updates for this report, non-iterative password-based oidc.

C

C

I think we're still planning on it, but I don't think anyone's picked it up is that.

C

E

I haven't been part of any discussions related to this one. I think we might have set it aside for a while.

A

Okay and then the other one was enable registering new clients with supervisor.

E

I think we've also set this aside, but uh probably deserves to be on the road map somewhere, it's more of a long concern. I think.

A

Okay, discussion topics mo you said you, you had some stuff. You wanted to bring up.

D

Yeah, I just wanted to ask mario and ryan just sort of how far we've kind of gotten on the 80s stuff. In terms of like do we do. We have us a stronger sense of now of what we can determine for you.

D

um The context of my question is, I, I think, uh the so far the feedback we have uh sort of gotten from field engineering and such is that configuring, this stuff is hard like it's fine once you have it configured and that's all great, but it can be hard for customers and the field to figure out what the right configuration is.

D

So in that sort of thought process we have tried very hard to limit the configuration that's available and detect whatever we can in whatever way possible. So I'm just kind of curious how far we've sort of gotten along those lines with ad, since it is a sort of a very opinionated flavor of ldap.

E

You want to take that marga.

C

Yeah I mean I, I think.

C

The hard part is definitely.

C

The search base and that we are still kind of in the middle of trying to understand, I think.

C

For other default values to make it easier to configure.

C

It's a little bit simpler to know ahead of time like what that attribute will be, but we're not. I guess, yeah we're not really active directory experts, we're trying to kind of understand what these things mean. You find out that you can make a search with an empty uh search base if you use the global controller, but we're not sure what the implications of that are fully um so we're still.

C

Trying to understand some of the trade-offs there.

C

I know ryan, if you had anything to add.

E

Yeah that sounds that sounds about right and, uh like you said, I think we just have a lot to learn about global catalogs and forests and domains and all of the active directory concepts uh figure out what might make sense.

D

Experts did you all get a sense for um when, like like, maybe not even necessarily with versions but like how often is the global catalog, like a thing that you can actually talk to.

C

It seems like by default your first domain controller that you set up is a um also has global set up, but we're unsure about is like. Does that mean that people have enabled that global catalog port, or is that blocked by some firewall wall in almost every instance or.

C

You know, or most people manually disabling it or something.

C

So we're not really.

E

E

If uh someone gives us the host name of an active directory server, it may or may not have the global catalog role assigned to it. So it may or may not think on the global catalog port.

E

They would have to if they wanted us to search the global catalog. They would have to purposefully give us the host name of a server that does have.

E

It's also a little unclear to us, so a global catalog has a domain forest, which means there's multiple domain trees, which means there's multiple pools of users and so their user names, or that the field that we would like to consider their username we're not sure it may not be unique anymore.

E

Some complexity around that as well.

C

Guaranteed unique, we don't know in practice how often that would actually be unique and we're not worried about it as a security concern, because if we make a query and we get multiple results back for your username, we're just going to fail, but it'll be really annoying.

C

If you tried to log in- and we said no, you can't there's two of you.

C

From user experience perspective.

D

Okay, um I guess we can probably keep talking about this, maybe in the next community meeting. I think we will probably learn a lot more and probably gotten much further in our implementation.

D

I think it'd be kind of good to share all of our learnings.

D

I don't have any further questions.

A

Okay, uh anything else: the team wants to bring up.

A

All I want okay, okay, uh so thanks for attending this pinniped community meeting um just a reminder, we do meet every first and third thursday of the month at 9 a.m. Pacific time, so we encourage you to come and attend us, attend these meetings and join us um and bring up any discussion topics you wish to discuss with the team or just listen in we welcome lurkers.

A

You don't have to actively engage um it's just a nice way to to start getting involved if you're interested other ways to reach us. If you aren't able to attend these meetings is in the kubernetes slack workspace in the piniped channel and also on twitter at project pinniped, and with that um we hope to see you soon. Thank.

B

You thank you all bye.