Re: PSP Breakout session

[Mo Khan]

cc kubernetes-...@googlegroups.com

 

From: <kubernete...@googlegroups.com> on behalf of Tim Allclair <timal...@gmail.com>
Date: Friday, February 5, 2021 at 2:09 PM
To: "kubernete...@googlegroups.com" <kubernete...@googlegroups.com>
Subject: PSP Breakout session

 

Hi folks,

 

We're going to continue the PodSecurityPolicy replacement discussions outside the normal SIG-Auth meeting to ensure we can dedicate enough time to the discussion and move a design forward.

 

If you would like to join the discussion, please indicate times that you are available on this poll: https://doodle.com/poll/hbv3cdmrpzybppv4?utm_source=poll&utm_medium=link. Please only fill out the poll if you fully intend to be there and participate. Sessions will be recorded, and decisions will go to the mailing list and KEP before committing.

 

Have a great weekend,

 

-- Tim Allclair

--
You received this message because you are subscribed to the Google Groups "kubernetes-sig-auth" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-auth/CALXpagzCwo4oaEkL%2B%3D3CC%2BnTuTjMQDrv8kwcBby42rW7x1SpaA%40mail.gmail.com.

[Tim Allclair]

I've removed the Monday options from the poll, as that was too short notice. Currently Wednesday 1-2pm PST (GMT-8) is the only slot that all respondents can make, and the most likely time. I'll give respondents until 11am PST on Monday before finalizing that, but please consider blocking off that timeslot on your calendar.

[Tim Allclair]

PSP breakout session is confirmed for Wednesday 1-2pm PST (GMT-8)

Please review the proposals here prior to the meeting: https://groups.google.com/g/kubernetes-sig-auth/c/a7zPYU-IRAA

Apologies to anyone who is not able to make this time.

[Tim Allclair]

We'll be reusing the sig-auth meeting room:

This is a special breakout session to discuss replacement designs for PodSecurityPolicy. Please see 
https://groups.google.com/g/kubernetes-sig-auth/c/a7zPYU-IRAA

Description:Zoom web client: https://zoom.us/wc/join/264572674?pwd=NHVXTm14VktMRi8zRmU0aUt1NE9uQT09


Zoom client: https://zoom.us/j/264572674?pwd=NHVXTm14VktMRi8zRmU0aUt1NE9uQT09


Meeting ID: 264 572 674
Passcode: 77777
Agenda/Minutes:
https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/edit?usp=sharing (shared with kubernetes-dev and kubernetes-sig-auth mailing lists)


Recordings:
https://www.youtube.com/playlist?list=PL69nYSiGNLP0VMOZ-V7-5AchXTHAQFzJw


SIG Auth info:
https://github.com/kubernetes/community/blob/master/sig-auth/README.md

[Tim Allclair]

Hi folks,

Thank you to everyone who has continued to show up and contribute the PSP replacement proposal. I think we're close to getting it to an implementable state, but I wanted to highlight that next Wednesdays breakout session is the last meeting we have before enhancements freeze (https://github.com/kubernetes/sig-release/tree/master/releases/release-1.22#tldr). Because of this, I'd like to do our best to close out all the unresolved issues next week. I've made a few executive decisions and closed out the ones that I considered decided (notably: renamed `allow` to `enforce`) - but please feel free to add feedback on the "resolved" sections if you have outstanding concerns.

The outstanding decisions are:

1. Name of the feature - We can no longer punt on this. We need a name to start implementation. We have an informal poll going on slack, please weigh in if you have an opinion: https://kubernetes.slack.com/archives/C0EN96KUY/p1619801233246500

2. Windows support - I think we can punt this to Beta, but I promised that we would start the next meeting with a windows discussion.

3. Monitoring - There is an open question about how to handle versions that I'd like to discuss, but otherwise this is close to resolved.

4. Capabilities - I will talk to some SIG-Node folks before wedsenday to try to come to a decision on this (leaning towards a Kubernetes default list that is the docker defaults minus NET_RAW)

Thanks all, have a great weekend!