sig-auth: 2023 annual report
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
This commit is contained in:
Anish Ramasekar
parent
9184aa621d
commit
f4c9580e35
|
|
@ -12,6 +12,22 @@
|
||||||
- Governance and leadership changes
|
- Governance and leadership changes
|
||||||
-->
|
-->
|
||||||
|
|
||||||
|
- Governance and leadership changes
|
||||||
|
- [**Mo Khan elected as new SIG tech lead**](https://groups.google.com/g/kubernetes-sig-auth/c/mHb4p8xWMR8/m/lk0UpMKXAAAJ).
|
||||||
|
- Previous SIG TL Mike Danese stepped down during 2023 and stayed on as a chair. Many thanks for his leadership and guidance over the years.
|
||||||
|
- The alpha `SecurityContextDeny` admission plugin was deprecated in [in v1.27](https://github.com/kubernetes/kubernetes/issues/111516) and removed in v1.30.
|
||||||
|
- The [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) plugin enforcing the
|
||||||
|
[Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) `Restricted` profile captures what this plugin was trying to achieve
|
||||||
|
in a better and up-to-date way.
|
||||||
|
- [KEP-3325: Review attributes of a current user](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3325-self-subject-attributes-review-api) promoted to stable in v1.28.
|
||||||
|
- `whoami` kubectl command promoted from `kubectl alpha` to `kubectl` [in v1.27](https://github.com/kubernetes/kubernetes/pull/116510).
|
||||||
|
- Kubelet: security of dynamic resource allocation was enhanced by limiting node access to those objects that are needed on the node [in v1.28](https://github.com/kubernetes/kubernetes/pull/116254).
|
||||||
|
- [KEP-3299: KMS v2 Improvements](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3299-kms-v2-improvements) promoted to stable in v1.29.
|
||||||
|
- `KMSv2` is the recommended version of the KMS feature.
|
||||||
|
- `KMSv1` was deprecated [in v1.28](https://github.com/kubernetes/kubernetes/pull/119007) and will only receive security updates going forward. Set `--feature-gates=KMSv1=true` to use the deprecated `KMSv1` feature.
|
||||||
|
- Important initiatives that aren't tracked via KEPs:
|
||||||
|
- Once a week issue/PR triage meetings.
|
||||||
|
|
||||||
2. Are there any areas and/or subprojects that your group needs help with (e.g. fewer than 2 active OWNERS)?
|
2. Are there any areas and/or subprojects that your group needs help with (e.g. fewer than 2 active OWNERS)?
|
||||||
|
|
||||||
<!--
|
<!--
|
||||||
|
|
@ -19,6 +35,7 @@
|
||||||
If you find any discrepancy in the generated list here, please check the KEP metadata.
|
If you find any discrepancy in the generated list here, please check the KEP metadata.
|
||||||
Please raise an issue in kubernetes/community, if the KEP metadata is correct but the generated list is incorrect.
|
Please raise an issue in kubernetes/community, if the KEP metadata is correct but the generated list is incorrect.
|
||||||
-->
|
-->
|
||||||
|
- The [Needs KEP / release work #sig-auth](https://docs.google.com/document/d/1sY8fRyRtk4eG9R439z5ao5i9bFuuxilS03XaNlqoni0/edit?usp=sharing) document lists multiple areas that need help and some currently have volunteers working on them.
|
||||||
|
|
||||||
3. Did you have community-wide updates in 2023 (e.g. KubeCon talks)?
|
3. Did you have community-wide updates in 2023 (e.g. KubeCon talks)?
|
||||||
|
|
||||||
|
|
@ -26,27 +43,33 @@
|
||||||
Examples include links to email, slides, or recordings.
|
Examples include links to email, slides, or recordings.
|
||||||
-->
|
-->
|
||||||
|
|
||||||
|
- [KubeCon EU 2023] - [Kubernetes SIG Auth Deep Dive - Jordan Liggitt & Mike Danese, Google; Rita Zhang, David Eads](https://youtu.be/j9nzOLPJxAI?si=7p61DKRZ9aRwhRwe)
|
||||||
|
- [KubeCon NA 2023] - [The Future of Kubernetes Auth and Policy Config: Common Expression Language - Mo Khan & Jordan Liggitt](https://youtu.be/yOF9S_0TO3A?si=etTKdsEZmC3EmiZc)
|
||||||
|
|
||||||
4. KEP work in 2023 (v1.27, v1.28, v1.29):
|
4. KEP work in 2023 (v1.27, v1.28, v1.29):
|
||||||
|
|
||||||
|
- Pre-Alpha
|
||||||
|
- [3766 - Move ReferenceGrant to sig-auth API Group](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3766-referencegrant)
|
||||||
|
- [3926 - Handling undecryptable resources](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3926-handling-undecryptable-resources)
|
||||||
|
|
||||||
- Alpha
|
- Alpha
|
||||||
- [2718 - Client Executable Proxy](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2718-20210511-client-exec-proxy) - v1.27
|
|
||||||
- [3221 - Structured Authorization Configuration](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3221-structured-authorization-configuration) - v1.29
|
- [3221 - Structured Authorization Configuration](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3221-structured-authorization-configuration) - v1.29
|
||||||
- [3257 - Cluster Trust Bundles](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3257-cluster-trust-bundles) - v1.29
|
- [3257 - Cluster Trust Bundles](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3257-cluster-trust-bundles) - v1.29
|
||||||
- [3331 - Structured authentication config](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3331-structured-authentication-configuration) - v1.29
|
- [3331 - Structured authentication config](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3331-structured-authentication-configuration) - v1.29
|
||||||
- [3766 - Move ReferenceGrant to sig-auth API Group](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3766-referencegrant) - v1.27
|
|
||||||
- [3926 - Handling undecryptable resources](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3926-handling-undecryptable-resources) - v1.29
|
|
||||||
- [4193 - bound service account token improvements](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/4193-bound-service-account-token-improvements) - v1.29
|
- [4193 - bound service account token improvements](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/4193-bound-service-account-token-improvements) - v1.29
|
||||||
|
|
||||||
|
|
||||||
- Stable
|
- Stable
|
||||||
- [3299 - KMS v2 Improvements](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3299-kms-v2-improvements) - v1.29
|
- [3299 - KMS v2 Improvements](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3299-kms-v2-improvements) - v1.29
|
||||||
- [3325 - Review attibutes of a current user](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3325-self-subject-attributes-review-api) - v1.28
|
- [3325 - Review attibutes of a current user](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3325-self-subject-attributes-review-api) - v1.28
|
||||||
|
|
||||||
## [Subprojects](https://git.k8s.io/community/sig-auth#subprojects)
|
- Withdrawn
|
||||||
|
- [2718 - Client Executable Proxy](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2718-20210511-client-exec-proxy)
|
||||||
|
|
||||||
|
## [Subprojects](https://git.k8s.io/community/sig-auth#subprojects)
|
||||||
|
|
||||||
**Retired in 2023:**
|
**Retired in 2023:**
|
||||||
- multi-tenancy
|
- multi-tenancy
|
||||||
|
|
||||||
**Continuing:**
|
**Continuing:**
|
||||||
- audit-logging
|
- audit-logging
|
||||||
- authenticators
|
- authenticators
|
||||||
|
|
@ -64,19 +87,20 @@
|
||||||
|
|
||||||
**Retired in 2023:**
|
**Retired in 2023:**
|
||||||
- Multitenancy
|
- Multitenancy
|
||||||
|
|
||||||
**Continuing:**
|
**Continuing:**
|
||||||
- Policy
|
- Policy
|
||||||
|
|
||||||
## Operational
|
## Operational
|
||||||
|
|
||||||
Operational tasks in [sig-governance.md]:
|
Operational tasks in [sig-governance.md]:
|
||||||
- [ ] [README.md] reviewed for accuracy and updated if needed
|
|
||||||
- [ ] [CONTRIBUTING.md] reviewed for accuracy and updated if needed
|
|
||||||
- [ ] Other contributing docs (e.g. in devel dir or contributor guide) reviewed for accuracy and updated if needed
|
|
||||||
- [ ] Subprojects list and linked OWNERS files in [sigs.yaml] reviewed for accuracy and updated if needed
|
|
||||||
- [ ] SIG leaders (chairs, tech leads, and subproject leads) in [sigs.yaml] are accurate and active, and updated if needed
|
|
||||||
- [ ] Meeting notes and recordings for 2023 are linked from [README.md] and updated/uploaded if needed
|
|
||||||
|
|
||||||
|
- [x] [README.md] reviewed for accuracy and updated if needed
|
||||||
|
- [x] [CONTRIBUTING.md] reviewed for accuracy and updated if needed
|
||||||
|
- [x] Other contributing docs (e.g. in devel dir or contributor guide) reviewed for accuracy and updated if needed
|
||||||
|
- [x] Subprojects list and linked OWNERS files in [sigs.yaml] reviewed for accuracy and updated if needed
|
||||||
|
- [x] SIG leaders (chairs, tech leads, and subproject leads) in [sigs.yaml] are accurate and active, and updated if needed
|
||||||
|
- [x] Meeting notes and recordings for 2023 are linked from [README.md] and updated/uploaded if needed
|
||||||
|
|
||||||
[CONTRIBUTING.md]: https://git.k8s.io/community/sig-auth/CONTRIBUTING.md
|
[CONTRIBUTING.md]: https://git.k8s.io/community/sig-auth/CONTRIBUTING.md
|
||||||
[sig-governance.md]: https://git.k8s.io/community/committee-steering/governance/sig-governance.md
|
[sig-governance.md]: https://git.k8s.io/community/committee-steering/governance/sig-governance.md
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue