►
From YouTube: Pinniped Community Meeting - September 16, 2021
Description
Pinniped Community Meeting - September 16, 2021
We meet every 1st and 3rd Thursday of the month at 9am PT. Would love for you to join us live!
Full agenda can be found here: https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ?both#September-16-2021-Agenda---Margo-Guest-Emcee
A
Hi
and
welcome
to
today's
edition
of
the
pen
community
meeting
today
is
september
16th
2021.
If
you're
watching
this
from
home,
we
encourage
you
to
come.
Join
us
live
we
meet
on
the
first
and
third
thursday
of
the
month
at
9
00
a.m.
Pacific
time
it's
an
opportunity
to
listen
to
what
the
maintainers
are
working
on,
provide
live,
feedback,
ask
questions
or
get
live
help
with
in
a
bed.
A
If
you
aren't
able
to
attend
live,
you
can
also
find
us
on
the
kubernetes
slack
workspace
on
the
pinniped
channel
and
on
twitter
at
project
benefit.
When
you
attend
these
meetings,
we
ask
that
you
please
abide
by
the
code
of
conduct.
A
If
you
have
anything
you
wish
to
discuss
with
the
team.
Please
add
that
to
the
discussion
topic
section
at
the
end
of
the
agenda,
we
also
ask
that
you
add
your
name
and
organization
to
the
document
so
that
we
know
who's
attending
and
keep
lines
of
communication
open.
You
can
also
add
a
comment
to
the
github
discussion,
talking
about
how
you
use
pinniped
and
include
your
company's
logo.
So
we
can
promote
your
organization
and
learn
more
about
how
people
use
pitifed
for
the
announcements.
A
A
You
can
register
to
attend
virtually
or
in
person
and
also
at
a
co-located
event
at
cloud
native
security.
Con.
A
There
will
be
a
lightning
talk
presented
by
mo
and
anjali.
A
Coming
up,
we
are
planning
on
doing
some
security
hardening
work,
there's
a
few
things
that
could
be
included
there.
A
One
of
them
being
upstream
refresh
so
tying
supervisor
refresh
tokens
to
an
upstream
session
and
then
the
other
thing
coming
up.
The
openshift
openshift
support
in
the
concierge.
B
A
Yeah
yeah
that
might
be
pushed
back
a
little
bit
because
we've
got
these
talks
coming
up.
We.
B
For
other
vmware
folks,
right,
vmworld
vmware
world
is
coming
up,
so
just
in
general,
this
is
a
very
confidence
heavy
time
for
the
vmware.
A
And
we
did
move
multiple
idp
support
back
for
now,
so
if
anyone
in
the
community
community
has
feelings
about
multiple
idp
support,
if
you
were
looking
forward
to
that,
let
us
know
we.
B
Or
context
for
anyone
watching
the
recording,
we're
trying
to
get
more
customer
feedback
and
understanding
of
the
use
cases
before
we
progress
with
that
work,
and
so,
while
we're
doing
that,
we
already
have
at
least
some
sense
for
various
compliance
and
security
requirements.
B
A
A
Hopefully,
today
we
we
found
a
couple
of
bugs
in
the
0.11
release,
one
of
which
was
with
validation
using
cube
ctl
apply.
Unfortunately,
we
mostly
used
cap
on
our
team
and
in
our
tests.
So
we
didn't
catch
that
something
you
can
work
around
by
just
not
validating
everything,
but
still
unfortunate,
and
then
another
bug
related
to
updating
or
deleting
recreating
the
bind
secret
for
active
directory
sort
of
messing
up
some
caching
and
also
has
a
workaround.
A
If
you
delete
a
pod,
then
it
should
it
should
get
recreated
because
it's
part
of
a
deployment
and
should
refresh
itself.
So
it's
annoying
and
weird
but
and
will
be
fixed
soon.
But
those
are
the
workarounds.
D
Sure
so
we
spotted
actually
mo
spotted
a
bug,
made
a
mistake
in
our
service
and
deployment
selectors
when
you
run
the
pinniped
concierge
you're
running,
typically
a
couple
of
pods
that
provide
the
back
end
services
for
the
concierge
api,
endpoints
and
rest
endpoints
and
you're
also
running
typically
another
pod,
that
we
call
the
coop
cert
agent.
D
So
this
would
be
evident
to
an
end
user
if
they
tried
to
perform
a
login
through
the
pinniped
coupe
cuddle
plugin,
and
they
got
messages
about
the
service
not
being
available,
and
typically
they
would
see
that
message
about
one
third
of
the
time
if
they
were
affected
at
all
and
so
we've.
We
believe
that
we
have
fixed
that
bug
in
the
upcoming
release
that
we're
about
to
put
out.
B
A
It's
sort
of
a
trend
of
us
a
couple
of
these
bugs
being
ctl
specific
and
let's
not
test
them
well,.
E
B
B
I
know
one
of
my
exercise
items
not
last
name
which
would
mean
before
that
was
to
start
writing
a
design
for
like
getting
cute
conflicts
from
the
supervisor.
B
I
I
started
on
it,
but
it's
just
a
little
too
early
like
I
can
talk
about
it,
but
I
have
it
in
my
head.
If
people
want
to
talk
about
it,
but
it's
probably
probably
not
digestible
in
that
form,
if
you
like,
like
some
written
text
with
some
diagrams
and
sometimes
you'll,
actually
understand
what
I'm
talking
about.
A
D
B
Oh,
I
mean
it
depends
right.
Our
priorities
after
the
security
hardening
are
a
little
open-ended.
I
think
right
now
it
really
depends
if
we
want,
we
want
to
significantly
improve
the
open
source
experience
and
start
forcing
our
downstream
integrators
to
sort
of
coalesce.
B
B
B
Okay,
so
the
high
level
problem
statement
is,
if
you
have
a
running
supervisor
somewhere
and
that's
riser
has
valid
certificates,
which
you
should
always
because
we
expect
people
to
use
it
in
the
browser.
So
if
you
don't
configure
it
that
way,
nothing
good
is
going
to
come
out
of
it
and
your
it
administrator
somehow
tells
you
the
url
of
the
supervisor,
maybe
something
like
kubernetes
auth.company.com,
so
something
that's
sort
of
easy
for
you
to
remember.
B
You
should
be
able
to
log
into
your
customer
or
sorry.
You
should
be
able
to
log
into
all
clusters
in
that
environment.
That's
the
that's
sort
of
the
ask
of
this
functionality.
All
you
have
is
the
url.
B
B
So
pretty
immediately
from
a
user-facing
perspective,
any
api
that
we
add
on
the
supervisor
has
to
has
to
be
part
of
the
federation
domain,
because
that's
basically
what
we
just
said
right,
the
design
is
immediately
limited
by
that
the
user
does
not
know
of
kubernetes
cluster
underneath
or
the
fact
that
it
even
is
a
pretty
nice
customer.
They
only
have
access
to
the
federation
of
them
right.
They
don't
have
any
cluster
relaxes,
so
we
would
have
to
build
apis
on
the
federation
domain.
That
did
something
like
this.
B
B
Theoretically,
you,
if
you
wanted
to
be
really
awful,
you
could
try
to
hack
the
existing
endpoints
to
return
extra
data.
I
think
that's
still
compliant
with
the
watts.
Why
do
you
suspect
to
send
expert
dips
back?
I
would
say:
don't
do
that.
It
just
seems
like
a
hack.
Also,
since
you
can
add
extra
end
points
to
the
federation
domain.
If
you
want
I'm
not
really
sure
we
would
want
to
just
hack
on
stuff
to
like
the
code
response
or
something
so
the
the
way
I
thought
about
this,
in
my
mind,
was.
B
By
that,
what
I
mean
is,
if
you,
for
example,
are
using
the
impersonation
proxy
today
and
you
hand
out,
keep
config
from
that.
If
you
want
to
change
the
certificate
conserve
insert
of
the
impersonation
proxy,
for
whatever
reason
that's
disruptive
to
your
users,
so
you're
basically
encouraged
never
to
do
that
right
in
the
same
way.
B
B
B
Basically,
building
off
of
that,
you
can
imagine
an
api
where
an
iit
admin
registers
on
the
federation
domain,
the
intent
to
have
the
concierge
be
part
of
that
federation
domain
and
then,
on
the
other
side,
the
concierge
registers
that
federation
domain
much
more
specifically
than
a
dial
authenticator,
does
today,
like
it's
explicitly
saying.
I
want
to
use
this
federate.
This
supervisor.
C
B
Yeah,
you
can
start
making
assumptions
in
your
code
about
well
like
this.
This
is
a
supervisor
federation
domain
and
not
just
like
google's
endpoint
or
something
so
once
you
have
that
you
can
effectively
build
a
handshake
between
those
components
right,
so
the
supervisor
can
validate
a
concierge
just
trying
to
talk
to
it
and
which
concierge
it
is,
and
you
can
validate
a
service
account
token
coming
in
from
that
concierge.
As
a
way
of
saying
you
are
indeed
the
concierge.
B
I
think
you
are
right
so
then
the
information
that
the
concierge
sends
it
is
at
least
somewhat
trustworthy.
I
think
there's
still
some
careful
design
work
there.
For
example,
the
audience
always
has
to
come
from
the
supervisor.
It
can't
come
from
the
concierge,
so
this
will
end
up
being
a
bi-directional
api
right.
B
So,
like
the
concierge
would
say
I
would
like
to
be
part
of
your
federation
domain
and
the
federation
domain
would
be
like
cool
here's,
your
audience
once
all
that
stuff
is
done
but
like
there
would
be
an
initial
registration
and
then
or
like
there
would
have
to
be
some
mechanism
for
this
to
be
kept
up
to
date.
So
that
way
as
if
the
concierge
changes
this
configuration
over
time,
yes,
your
cube
config
might
become
invalid,
but
the
act
of
fixing
the
key
config
is
very
trivial.
B
Just
run
like
I
don't
know
in
the
supervisor:
login
url,
that's
it!
Your
your
stable
endpoint
is
the
federation
domain
and
not
any
particularly
config,
which
I
think
would
be
a
pretty
nice
sort
of
middle
ground.
That
way,
if
you
know,
if
an
I.t
admin
migrated
away
from
the
impersonation
proxy
to
like
the
new
flow,
they
could
leave
the
impersonation
proxy
working.
B
But
the
new
flow
would
be
the
preferred
approach
so
that
when
users
did
run
that
command
again,
they
would
get
a
better
to
config
the
next
time
all
right.
So
then
they
can
build
a
buffer
right.
They
could
say
we
have
one
month
or
n
number
of
months
before
the
conflict
will
stop
working,
and
this
is
what
we
have
done
in
our
commercial
products
before
for
our
sas
offerings,
it
was
when
they
migrated
from
the
old
concierge
the
dot
4
branch
where
it
was
the
concierge,
was
a
namespace.
B
The
apis
were
all
named
spacecode
to
the
cluster
scope.
Since
that
was
a
breaking
change.
They
ran
both
the
old
and
new
versions
of
the
concierge
in
those
environments
and
basically
told
customers.
They
had
a
couple
of
months
to
upgrade
like
they
just
needed
to
run
the
command
again
to
get
a
new
config
and
that
allowed
them
to
sort
of
do
that
kind
of
transition.
B
That's
the
kind
of
floor,
I'm
thinking
it's
basically
a
very
limited
configuration
on
the
part
of
the
ip
admin
right
basically
saying
this
is
how
you
find
the
concierge
and
like
on
the
concierge
side.
It's.
This
is
how
you
find
the
supervisor
and
the
rest
is
dynamic
and
fade.
That's
sort
of
handshake
when
you
do
respond
by
those
components,
and
once
you
have
that,
then
you
don't
really
have
to
maintain
it
over
time,
like
the
components
get
to
maintain
those
right.
B
Yeah,
well
I
mean
the
ik
admin
will
always
kind
of
keep
config
if
they
wanted
to,
because
I'm
not
being
private
about
that.
But
you
don't
need
to
the
the
thing
you
need
to
hand
out.
Is
the
federation
domain
issuer
url
from
the
supervisor
and
the
knowledge
of
typing
in
like
some
pinpoint
command
like
printer
supervisor
login,
so.
B
Yeah,
you
know
like
how
you
log
into
like
the
g
cloud
cli
right,
like
you,
have
the
concept
of
logging
in
and
asking
for
two
configs
back
right.
This
is
in
that
same
way,
right,
like
you
log
in,
and
you
know,
there's
no
reason
that
you
have
to
keep
the
name
of
the
piniped
cli
like
pinpad
right.
You
could
rename
it
to
something
that
made
more
sense
in
your
environment,
but
the
idea
is
to
instead
of
saying
you
somehow
get
a
tube
config
and
you
use
it.
B
The
idea
is
you're,
saying
you
log
into
your
kubernetes
environment,
and
then
you
can
pick
which
cluster
you
want
to
use
right
so
like
once
you
have
this
right,
you
can
have
higher
order
apis
on
the
federation
domain
that
are
like.
I
would
like
to
get
all
the
clusters
cool.
I
see
I
have
seven.
I
would
like
that
you
can
fake
further
one
called
dev,
seven.
B
B
That
and
that's,
I
think,
that's
a
much
nicer
and
easier
to
explain
experience
than
somehow
you
get
a
cube
config
handed
to
you
by
your
it
admin,
which
is
like
the
sort
of
approach
that's
available
today
in
the
open
source.
B
I
realize
there's
like
a
lot
of
like
missing
details,
because
it's
like
we
need,
like
many
diagrams,
to
really
explain
yeah,
that
that's
sort
of
what
I've
been
advising
you
know,
folks
have
ideas
or
feedback,
and
I
was
hoping
to
listen.
D
B
B
B
Was
it
the
the
actual
apis
for
doing
this
much
more
sort
of
open-ended
the
other
bit
that's
kind
of
in
interesting
and
weird
is
like
the
like.
The
way
we
would
write
the
code
for
this
like
in
the
way
we
want
today
would
be
like
controllers
doing
all
this,
but
that
would
mean
that
the
federation
domain
would
have
to
support
list
and
watch
which
is
not
necessarily
easy.
B
It's
not
necessarily
hard
either,
but
if
we
wanted
to
actually
continue
to
write
controllers
for
all
this
stuff,
we
would
have
to
have
that
semantic
available.
We
could
always
just
do
polling
and
just
say:
yeah,
take
some
time,
take
some
number
of
minutes
or
whatever
for
it
to
figure
out.
If
you
can
pay
changes
that
might
be
okay.
B
Network
topology
has
also
been
on
my
mind.
We
already
have
a
requirement
that
the
concierge
must
be
able
to
talk
to
the
supervisor,
because
otherwise
the
discovery
would
fail.
There's
no
way
to
work
around
that
really.
D
We
have
that
requirement
today,
although
we've
contemplated
removing
that
requirement,
because
you
could
just
register
your
jocks
with
the
job
authenticator
and
then
there
would
be
no
need
to
have
that
directionality
of.
B
Yeah
we
haven't
built
that
feature.
Yet.
No
I'm
saying
no
one
has
even
asked
like
we
have
thought
about
it.
It's
like
not
a
bad
thing
to
build,
but
no
one
has
asked
exclusively
either
like
the
closest
I've
heard
for
like
network
topology
is
like
please
like
stop
deploying
this
other
image
for
your
keemstar
agent
or
something
like
like.
Basically,
I
want
all
the
images
to
be
locally
hosted
on
my
cube,
but
stop
trying
to
fetch
stuff,
because
there
is
no
network
on
the
keyboard
to
fetch
anything
so
that
that
makes
sense
right.
B
I,
since,
like
the
whole,
like
docs,
end
point
and
stuff
right
like
they
exist
as
endpoints
to
allow
for
rotation
right
so
like
there.
There
is
some
some
gotcha
right.
If
you
statically
specify
the
jocks
now
you're
responsible
for
manually,
doing
rotation
somehow,
which
generally
means
people
will
never
rotate
the
keys,
which
is
not
exactly
what
I
said.
B
Well,
yeah,
I
don't
know,
I
I'd
be
curious
to
hear
people's
feedback
and
then
watching
this
about.
Would
there
be
concerns
about
the
supervisor
reaching
out?
Actually,
I'm
trying
to
think
you
you
could.
You
could
still
build
this
where
the
directionality
was
only
from
the
concierge.
If
you
wanted
to
open
the
tunnel
from
the
concierge
to
the
supervisor
and
then
reverse
it
and
talk
back
through
the
tunnel,
that's
what
we
do
in
our
sas
products
today
is
that
the.
D
Yeah
that
could
make
sense.
It
would
also,
I
suppose,
makes
sense
for
this
to
be
an
optional
feature
that
you
don't
have
to
use
if
you
don't
want
to.
So,
if
you
really
want
to
air
gap,
your
network
and
lock
everything
down,
you
could
just
choose
not
to
use
this
feature.
B
Yeah
one
of
the
goals
I
wrote
out
and
like
I
was
I
was
trying
to
write
this
out
kind
of
like
I
would
write
a
kubernetes
cap,
so
I
was
like
writing
out
goals
and
non-goals,
and
one
of
my
explicit
non-goals
was
make
sure
nothing
that
exists
today.
Breaks
insane
right.
B
So
if
you
just
want
to
do
what
you've
been
doing,
you
should
be
evidenced
to
doing
that.
So
all
the
existing
or
live
maps
just
keep
working
cause,
there's
nothing
wrong
with
them.
They're
perfectly
fine
good
commands
they
work.
Well.
This
is
more
meant,
as
a
user
experience
booster
on
top
of
those
but
yeah.
I
totally
do
you
know
we
should
it's
not
it's
opt-in
not
knocked
out
or
yeah.
It's
opt-in
if
you
want
it,
but
the
stuff
that
exists
today
should
work
as
nicely
as
always.
E
I
knew
you
were
gonna
ask
that
question,
and
so
I
tried
to
come
up
with
an
answer,
but
I
really
don't
have
any
thoughts
I
mean
I
don't
have
any
knowledge
of
use
cases
that
would
help
here
and
it
seems
like
it
generally
improves
the
security
posture
and
user
experience.
So
I'm
I'm
in.
I
don't
have
any
specific
feedback,
though.
B
B
I'm
not
sure
how
I
would
frame
it.
Certainly
there's
like,
like
we
just
said,
there's
no
requirement
that
you
would
have
to
use
it,
so
you
would
have
to
use
it
downstream.
It
would
be
an
option
if
it
made
sense
if
it
improved
the
ux
for
our
downstream
consumers.
E
Yeah,
I
think
I'd
have
to
like
think
through
the
whole
user
experience
from
the
perspective
of
this
this
particular
downstream
project.
It
also
like
by
the
time
this
feature
is
shipped.
There
may
be
other
changes
in
this
particular
downstream
projects,
configuration
and
vision
so
well,
I
know
this
won't
be
the
last
conversation
that
we
have
about
this.
F
B
Yeah
yeah,
I
think,
hopefully
my
next
community
meeting.
I
should
have
the
design
written
up,
or
at
least
enough
that
there
is
like
something
someone
could
comment
on,
and
I
can
share
that
with
folks.
Hopefully,
before
the
meeting
that'd.
A
I'm
interested
in
seeing
what
like
seeing
those
details,
kind
of
hammered
out
anything
else.
We
want
to
talk
about.
C
A
Thanks
everyone
for
joining
the
pinniped
community
meeting,
if
you're
watching
from
home
we'd
love
for
you
to
join
us
live
next
time
until
then
take
care.