Re: Draft KEP: Image Pull Tokens


Michael Taufen

Jan 6, 2022, 1:17:57 AM
to kubernetes-sig-auth, Jordan Liggitt, Mike Danese, Micah, Taahir Ahmed, Kermit Alexander, gke-kubernetes-secteam, CJ Cullen, mok, kubernete...@googlegroups.com, Dawn Chen, Derek Carr, d...@kubernetes.io
I think this is still interesting and really useful but it's sadly been in don't-have-time limbo for me during my work week. If anyone is interested in seriously working on it I can take some time ~1 day/wk to help mentor/consult/review things but I can't drive it directly right now.

If anyone is interested in driving this please let me know. The next steps IMO would be to update the draft KEP with feedback from the SIG-Auth meeting (likely scoped down to just Kubelet credential provider plugin config to start IIRC), review it with SIG-Node, and get it merged on GitHub.


On Wed, Sep 1, 2021, 11:58 AM Michael Taufen <mta...@google.com> wrote:
Thanks for the great discussion in today's meeting!

+kubernete...@googlegroups.com, since it was raised in today's SIG-Auth meeting that SIG-Node is responsible for the Kubelet credential providers KEP and will probably be interested in this/maybe be a potential owning SIG. 


On Tue, Aug 31, 2021 at 6:55 PM Michael Taufen <mta...@google.com> wrote:
As a reminder, we will be discussing the KEP in the biweekly SIG-Auth meeting tomorrow at 11am PT.

On Fri, Aug 6, 2021 at 4:35 PM Michael Taufen <mta...@google.com> wrote:

On Fri, Aug 6, 2021 at 4:33 PM Michael Taufen <mta...@google.com> wrote:
Hi k8s-dev/sig-auth folks,

I'd like to propose that we implement a solution to image pull authentication that leverages the benefits of all the bound service account token work that's happened in the last few years. 

I've put together a draft KEP and I'm interested in getting some early feedback on the API design and general approach before I go ahead and write an official KEP. I'm curious for your thoughts on whether this is the right direction or whether something completely different would be more appropriate, and on whether there are any major gotchas with this approach that we should be careful about.

Best,

Mike

--
Michael Taufen
Google SWE



Michael Taufen

Jan 6, 2022, 1:18:59 AM
to kubernetes-sig-auth, Jordan Liggitt, Mike Danese, Micah, Taahir Ahmed, Kermit Alexander, gke-kubernetes-secteam, CJ Cullen, mok, kubernete...@googlegroups.com, Dawn Chen, Derek Carr, d...@kubernetes.io
(you can just reply on this thread if you're interested)

Derek Carr

Jan 6, 2022, 10:04:53 AM
to Michael Taufen, kubernetes-sig-auth, Jordan Liggitt, Mike Danese, Micah, Taahir Ahmed, Kermit Alexander, gke-kubernetes-secteam, CJ Cullen, mok, kubernetes-sig-node, Dawn Chen, d...@kubernetes.io
Hi Michael,

I agree this feature has a lot of value, and it is worth pursuing across impacted SIGs during 2022.  Happy to help support.

Thanks,
Derek

Danielle Lancashire

Jan 6, 2022, 10:37:04 AM
to Derek Carr, Michael Taufen, kubernetes-sig-auth, Jordan Liggitt, Mike Danese, Micah, Taahir Ahmed, Kermit Alexander, gke-kubernetes-secteam, CJ Cullen, mok, kubernetes-sig-node, Dawn Chen, d...@kubernetes.io
Hey Michael,

I’m also happy to help here - I’m mostly OOO until the 14th, but can take a proper read through when I’m back.

Thanks,
Danielle


Michael Taufen

Jan 10, 2022, 12:41:20 PM
to sharma aditi, kubernetes-sig-auth, Jordan Liggitt, Mike Danese, Micah, Taahir Ahmed, Kermit Alexander, gke-kubernetes-secteam, CJ Cullen, mok, kubernetes-sig-node, Dawn Chen, d...@kubernetes.io, Danielle Lancashire
Hi Danielle, Sharma,

Thanks for offering to help! What works best to help you get started?

For initial ramp up, I'd recommend:
After that, maybe we hop on a Zoom call if it helps clarify anything? The next step is basically to update the KEP and get a PR open on GitHub, and one of you should take point on that.

Also no rush, enjoy your OOO Danielle :). 

Best,

Mike

On Thu, Jan 6, 2022 at 7:11 PM sharma aditi <adi....@gmail.com> wrote:
Hello Michael,

I would also like to help here along with Danielle; I have also been working on the Credential provider KEP.

Thanks,
Aditi
(slack/github: adisky)