Re: Draft KEP: Image Pull Tokens

52 views
Skip to first unread message

Michael Taufen

unread,
Jan 6, 2022, 1:17:57 AMJan 6
to kubernetes-sig-auth, Jordan Liggitt, Mike Danese, Micah, Taahir Ahmed, Kermit Alexander, gke-kubernetes-secteam, CJ Cullen, mok, kubernete...@googlegroups.com, Dawn Chen, Derek Carr, d...@kubernetes.io
I think this is still interesting and really useful but it's sadly been in don't-have-time limbo for me during my work week. If anyone is interested in seriously working on it I can take some time ~1 day/wk to help mentor/consult/review things but I can't drive it directly right now.

If anyone is interested in driving this please let me know. The next steps IMO would be to update the draft KEP with feedback from the SIG-Auth meeting (likely scoped down to just Kubelet credential provider plugin config to start IIRC), review it with SIG-Node, and get it merged on GitHub.


On Wed, Sep 1, 2021, 11:58 AM Michael Taufen <mta...@google.com> wrote:
Thanks for the great discussion in today's meeting!

+kubernete...@googlegroups.com, since it was raised in today's SIG-Auth meeting that SIG-Node is responsible for the Kubelet credential providers KEP and will probably be interested in this/maybe be a potential owning SIG. 


On Tue, Aug 31, 2021 at 6:55 PM Michael Taufen <mta...@google.com> wrote:
As a reminder, we will be discussing the KEP in the biweekly SIG-Auth meeting tomorrow at 11am PT.

On Fri, Aug 6, 2021 at 4:35 PM Michael Taufen <mta...@google.com> wrote:

On Fri, Aug 6, 2021 at 4:33 PM Michael Taufen <mta...@google.com> wrote:
Hi k8s-dev/sig-auth folks,

I'd like to propose that we implement a solution to image pull authentication that leverages the benefits of all the bound service account token work that's happened in the last few years. 

I've put together a draft KEP and I'm interested in getting some early feedback on the API design and general approach before I go ahead and write an official KEP. I'm curious for your thoughts on whether this is the right direction or whether something completely different would be more appropriate, and on whether there are any major gotchas with this approach that we should be careful about.

Best,

Mike

--
Michael Taufen
Google SWE


--
Michael Taufen
Google SWE


--
Michael Taufen
Google SWE


--
Michael Taufen
Google SWE

Michael Taufen

unread,
Jan 6, 2022, 1:18:59 AMJan 6
to kubernetes-sig-auth, Jordan Liggitt, Mike Danese, Micah, Taahir Ahmed, Kermit Alexander, gke-kubernetes-secteam, CJ Cullen, mok, kubernete...@googlegroups.com, Dawn Chen, Derek Carr, d...@kubernetes.io
(you can just reply on this thread if you're interested)

Derek Carr

unread,
Jan 6, 2022, 10:04:53 AMJan 6
to Michael Taufen, kubernetes-sig-auth, Jordan Liggitt, Mike Danese, Micah, Taahir Ahmed, Kermit Alexander, gke-kubernetes-secteam, CJ Cullen, mok, kubernetes-sig-node, Dawn Chen, d...@kubernetes.io
Hi Michael,

I agree this feature has a lot of value, and it is worth pursuing across impacted SIGs during 2022.  Happy to help support.

Thanks,
Derek

Danielle Lancashire

unread,
Jan 6, 2022, 10:37:04 AMJan 6
to Derek Carr, Michael Taufen, kubernetes-sig-auth, Jordan Liggitt, Mike Danese, Micah, Taahir Ahmed, Kermit Alexander, gke-kubernetes-secteam, CJ Cullen, mok, kubernetes-sig-node, Dawn Chen, d...@kubernetes.io
Hey Michael,

I’m also happy to help here - I’m mostly OOO until the 14th, but can take a proper read through when I’m back.

Thanks,
Danielle

-- 
You received this message because you are subscribed to the Google Groups "kubernetes-sig-node" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-node/CAHROWxROZYEgxbNrrjp%3DHGTyac-KfycFTHx6sxWCwt5itiGDxA%40mail.gmail.com.

Michael Taufen

unread,
Jan 10, 2022, 12:41:20 PMJan 10
to sharma aditi, kubernetes-sig-auth, Jordan Liggitt, Mike Danese, Micah, Taahir Ahmed, Kermit Alexander, gke-kubernetes-secteam, CJ Cullen, mok, kubernetes-sig-node, Dawn Chen, d...@kubernetes.io, Danielle Lancashire
Hi Danielle, Sharma,

Thanks for offering to help! What works best to help you get started?

For initial ramp up, I'd recommend:
After that, maybe we hop on a Zoom call if it helps clarify anything? The next step is basically to update the KEP and get a PR open on GitHub, and one of you should take point on that.

Also no rush, enjoy your OOO Danielle :). 

Best,

Mike

On Thu, Jan 6, 2022 at 7:11 PM sharma aditi <adi....@gmail.com> wrote:
Hello Micheal,

I would also like to help here along with Danielle, have also been working on Credential provider KEP.

Thanks,
Aditi
(slack/github: adisky)
Reply all
Reply to author
Forward
0 new messages