Auth Special Interest Group
Covers improvements to Kubernetes authorization, authentication, and cluster security policy.
"All I want is a secure system where it's easy to do anything I want. Is that so much to ask?" - xkcd
The charter defines the scope and governance of the Auth Special Interest Group.
Meetings
Joining the mailing list for the group will typically add invites for the following meetings to your calendar.
- Regular SIG Meeting: Wednesdays at 11:00 PT (Pacific Time) (biweekly, you must be signed into a free zoom account to join). Convert to your timezone.
- Secrets Store CSI Meeting: Thursdays at 9:00 PT (Pacific Time) (biweekly, you must be signed into a free zoom account to join). Convert to your timezone.
- Weekly Issues/PR Triage Meeting: Mondays at 9:00 PT (Pacific Time) (weekly, you must be signed into a free zoom account to join). Convert to your timezone.
Leadership
Chairs
The Chairs of the SIG run operations and processes governing the SIG.
- Anish Ramasekar (@aramase), Microsoft
- Micah Hausler (@micahhausler), Amazon
- Rita Zhang (@ritazh), Microsoft
Technical Leads
The Technical Leads of the SIG establish new subprojects, decommission existing subprojects, and resolve cross-subproject technical issues and decisions.
Emeritus Leads
- Eric Chiang (@ericchiang)
- Eric Tune (@erictune)
- Mike Danese (@mikedanese)
- Tim Allclair (@tallclair)
Contact
- Slack: #sig-auth
- Mailing list
- Open Community Issues/PRs
- GitHub Teams:
- @kubernetes/sig-auth-api-reviews - API Changes and Reviews
- @kubernetes/sig-auth-bugs - Bug Triage and Troubleshooting
- @kubernetes/sig-auth-feature-requests - Feature Requests
- @kubernetes/sig-auth-misc - General Discussion
- @kubernetes/sig-auth-pr-reviews - PR Reviews
- @kubernetes/sig-auth-proposals - Design Proposals
- @kubernetes/sig-auth-test-failures - Test Failures and Triage
- Steering Committee Liaison: Patrick Ohly (@pohly)
Working Groups
The following working groups are sponsored by sig-auth:
Subprojects
The following subprojects are owned by sig-auth:
audit-logging
Kubernetes API support for audit logging.
- Owners:
authenticators
Kubernetes API support for authentication.
- Owners:
- kubernetes/kubernetes/pkg/apis/authentication
- kubernetes/kubernetes/pkg/kubeapiserver/authenticator
- kubernetes/kubernetes/pkg/registry/authentication
- kubernetes/kubernetes/plugin/pkg/auth/authenticator
- kubernetes/kubernetes/staging/src/k8s.io/api/authentication
- kubernetes/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication
- kubernetes/kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/authenticator
- kubernetes/kubernetes/staging/src/k8s.io/client-go/kubernetes/typed/authentication
- kubernetes/kubernetes/staging/src/k8s.io/client-go/listers/authentication
- kubernetes/kubernetes/staging/src/k8s.io/client-go/pkg/apis/clientauthentication
- kubernetes/kubernetes/staging/src/k8s.io/client-go/plugin/pkg/client/auth
- kubernetes/kubernetes/staging/src/k8s.io/client-go/tools/auth
authorizers
Kubernetes API support for authorization.
- Owners:
- kubernetes/kubernetes/pkg/apis/authorization
- kubernetes/kubernetes/pkg/apis/rbac
- kubernetes/kubernetes/pkg/kubeapiserver/authorizer
- kubernetes/kubernetes/pkg/registry/authorization
- kubernetes/kubernetes/pkg/registry/rbac
- kubernetes/kubernetes/plugin/pkg/auth/authorizer
- kubernetes/kubernetes/staging/src/k8s.io/api/authorization
- kubernetes/kubernetes/staging/src/k8s.io/api/rbac
- kubernetes/kubernetes/staging/src/k8s.io/apiserver/pkg/authorization
- kubernetes/kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/authorizer
- kubernetes/kubernetes/staging/src/k8s.io/client-go/kubernetes/typed/authorization
- kubernetes/kubernetes/staging/src/k8s.io/client-go/kubernetes/typed/rbac
- kubernetes/kubernetes/staging/src/k8s.io/client-go/listers/authorization
- kubernetes/kubernetes/staging/src/k8s.io/client-go/listers/rbac
- kubernetes/kubernetes/staging/src/k8s.io/kubectl/pkg/cmd/auth
certificates
Certificates APIs and client infrastructure to support PKI.
- Owners:
- kubernetes/kubernetes/pkg/apis/certificates
- kubernetes/kubernetes/pkg/controller/certificates
- kubernetes/kubernetes/pkg/registry/certificates
- kubernetes/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication/request/x509
- kubernetes/kubernetes/staging/src/k8s.io/client-go/util/cert
- kubernetes/kubernetes/staging/src/k8s.io/client-go/util/certificate
encryption-at-rest
API storage support for storing data encrypted at rest in etcd.
- Owners:
node-identity-and-isolation
Node identity management (co-owned with sig-lifecycle), and authorization restrictions for isolating workloads on separate nodes (co-owned with sig-node).
- Owners:
policy-management
API validation and policies enforced during admission, such as PodSecurityPolicy. Excludes run-time policies like NetworkPolicy and Seccomp.
- Owners:
- kubernetes-sigs/wg-policy-prototypes
- kubernetes/kms
- kubernetes/kubernetes/pkg/apis/imagepolicy
- kubernetes/kubernetes/pkg/apis/policy
- kubernetes/kubernetes/pkg/registry/policy
- kubernetes/kubernetes/pkg/security/podsecuritypolicy
- kubernetes/kubernetes/plugin/pkg/admission/imagepolicy
- kubernetes/kubernetes/plugin/pkg/admission/security/podsecuritypolicy
- kubernetes/kubernetes/staging/src/k8s.io/api/imagepolicy
- kubernetes/kubernetes/staging/src/k8s.io/api/policy
- kubernetes/pod-security-admission
secrets-store-csi-driver
Integrates secrets stores with Kubernetes via a CSI volume.
- Leads:
- Owners:
- Contact:
- Slack: #csi-secrets-store
- Mailing List
secrets-store-sync-controller
A Kubernetes controller that watches for changes to a custom resource and syncs secrets from an external secrets store into Kubernetes Secrets.
- Leads:
- Owners:
service-accounts
Infrastructure implementing Kubernetes service account based workload identity.
- Owners:
sig-auth-tools
Tooling to automate the SIG Auth project boards.
- Owners: