README.md

Auth Special Interest Group

Covers improvements to Kubernetes authorization, authentication, and cluster security policy.

"All I want is a secure system where it's easy to do anything I want. Is that so much to ask?" - xkcd

The charter defines the scope and governance of the Auth Special Interest Group.

Meetings

Joining the mailing list for the group will typically add invites for the following meetings to your calendar.

• Regular SIG Meeting: Wednesdays at 11:00 PT (Pacific Time) (biweekly). Convert to your timezone.
  • Meeting notes and Agenda.
  • Meeting recordings.
• Secrets Store CSI Meeting: Thursdays at 9:00 PT (Pacific Time) (biweekly). Convert to your timezone.
  • Meeting notes and Agenda.
  • Meeting recordings.
• Weekly Issues/PR Triage Meeting: Mondays at 9:00 PT (Pacific Time) (weekly). Convert to your timezone.

Leadership

Chairs

The Chairs of the SIG run operations and processes governing the SIG.

• Mo Khan (@enj), Microsoft
• Mike Danese (@mikedanese), Google
• Rita Zhang (@ritazh), Microsoft

Technical Leads

The Technical Leads of the SIG establish new subprojects, decommission existing subprojects, and resolve cross-subproject technical issues and decisions.

• David Eads (@deads2k), Red Hat
• Mo Khan (@enj), Microsoft
• Jordan Liggitt (@liggitt), Google

Emeritus Leads

• Eric Chiang (@ericchiang)
• Eric Tune (@erictune)
• Tim Allclair (@tallclair)

Contact

• Slack: #sig-auth
• Mailing list
• Open Community Issues/PRs
• GitHub Teams:
  • @kubernetes/sig-auth-api-reviews - API Changes and Reviews
  • @kubernetes/sig-auth-bugs - Bug Triage and Troubleshooting
  • @kubernetes/sig-auth-feature-requests - Feature Requests
  • @kubernetes/sig-auth-misc - General Discussion
  • @kubernetes/sig-auth-pr-reviews - PR Reviews
  • @kubernetes/sig-auth-proposals - Design Proposals
  • @kubernetes/sig-auth-test-failures - Test Failures and Triage
• Steering Committee Liaison: Patrick Ohly (@pohly)

Working Groups

The following working groups are sponsored by sig-auth:

• WG Policy

Subprojects

The following subprojects are owned by sig-auth:

audit-logging

Kubernetes API support for audit logging.

• Owners:
  • kubernetes/kubernetes/staging/src/k8s.io/apiserver/pkg/apis/audit
  • kubernetes/kubernetes/staging/src/k8s.io/apiserver/pkg/audit
  • kubernetes/kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/audit

authenticators

Kubernetes API support for authentication.

• Owners:
  • kubernetes/kubernetes/pkg/apis/authentication
  • kubernetes/kubernetes/pkg/kubeapiserver/authenticator
  • kubernetes/kubernetes/pkg/registry/authentication
  • kubernetes/kubernetes/plugin/pkg/auth/authenticator
  • kubernetes/kubernetes/staging/src/k8s.io/api/authentication
  • kubernetes/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication
  • kubernetes/kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/authenticator
  • kubernetes/kubernetes/staging/src/k8s.io/client-go/kubernetes/typed/authentication
  • kubernetes/kubernetes/staging/src/k8s.io/client-go/listers/authentication
  • kubernetes/kubernetes/staging/src/k8s.io/client-go/pkg/apis/clientauthentication
  • kubernetes/kubernetes/staging/src/k8s.io/client-go/plugin/pkg/client/auth
  • kubernetes/kubernetes/staging/src/k8s.io/client-go/tools/auth

authorizers

Kubernetes API support for authorization.

• Owners:
  • kubernetes/kubernetes/pkg/apis/authorization
  • kubernetes/kubernetes/pkg/apis/rbac
  • kubernetes/kubernetes/pkg/kubeapiserver/authorizer
  • kubernetes/kubernetes/pkg/registry/authorization
  • kubernetes/kubernetes/pkg/registry/rbac
  • kubernetes/kubernetes/plugin/pkg/auth/authorizer
  • kubernetes/kubernetes/staging/src/k8s.io/api/authorization
  • kubernetes/kubernetes/staging/src/k8s.io/api/rbac
  • kubernetes/kubernetes/staging/src/k8s.io/apiserver/pkg/authorization
  • kubernetes/kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/authorizer
  • kubernetes/kubernetes/staging/src/k8s.io/client-go/kubernetes/typed/authorization
  • kubernetes/kubernetes/staging/src/k8s.io/client-go/kubernetes/typed/rbac
  • kubernetes/kubernetes/staging/src/k8s.io/client-go/listers/authorization
  • kubernetes/kubernetes/staging/src/k8s.io/client-go/listers/rbac
  • kubernetes/kubernetes/staging/src/k8s.io/kubectl/pkg/cmd/auth

certificates

Certificates APIs and client infrastructure to support PKI.

• Owners:
  • kubernetes/kubernetes/pkg/apis/certificates
  • kubernetes/kubernetes/pkg/controller/certificates
  • kubernetes/kubernetes/pkg/registry/certificates
  • kubernetes/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication/request/x509
  • kubernetes/kubernetes/staging/src/k8s.io/client-go/util/cert
  • kubernetes/kubernetes/staging/src/k8s.io/client-go/util/certificate

encryption-at-rest

API storage support for storing data encrypted at rest in etcd.

• Owners:
  • kubernetes/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig
  • kubernetes/kubernetes/staging/src/k8s.io/apiserver/pkg/storage/value

hierarchical-namespace-controller

Controller to manage hierarchical namespaces

• Owners:
  • kubernetes-sigs/hierarchical-namespaces

node-identity-and-isolation

Node identity management (co-owned with sig-lifecycle), and authorization restrictions for isolating workloads on separate nodes (co-owned with sig-node).

• Owners:
  • kubernetes/kubernetes/pkg/controller/certificates/approver
  • kubernetes/kubernetes/pkg/kubelet/certificate
  • kubernetes/kubernetes/plugin/pkg/admission/noderestriction
  • kubernetes/kubernetes/plugin/pkg/auth/authorizer/node

policy-management

API validation and policies enforced during admission, such as PodSecurityPolicy. Excludes run-time policies like NetworkPolicy and Seccomp.

• Owners:
  • kubernetes-sigs/pspmigrator
  • kubernetes-sigs/wg-policy-prototypes
  • kubernetes/kms
  • kubernetes/kubernetes/pkg/apis/imagepolicy
  • kubernetes/kubernetes/pkg/apis/policy
  • kubernetes/kubernetes/pkg/registry/policy
  • kubernetes/kubernetes/pkg/security/podsecuritypolicy
  • kubernetes/kubernetes/plugin/pkg/admission/imagepolicy
  • kubernetes/kubernetes/plugin/pkg/admission/security/podsecuritypolicy
  • kubernetes/kubernetes/staging/src/k8s.io/api/imagepolicy
  • kubernetes/kubernetes/staging/src/k8s.io/api/policy
  • kubernetes/pod-security-admission

secrets-store-csi-driver

Integrates secrets stores with Kubernetes via a CSI volume.

• Owners:
  • kubernetes-sigs/secrets-store-csi-driver
• Contact:
  • Slack: #csi-secrets-store
  • Mailing List

secrets-store-sync-controller

This is a Kubernetes controller that watches for changes to a custom resource and syncs the secrets from external secrets-store as Kubernetes secret.

• Owners:
  • kubernetes-sigs/secrets-store-sync-controller

service-accounts

Infrastructure implementing Kubernetes service account based workload identity.

• Owners:
  • kubernetes/kubernetes/pkg/controller/serviceaccount
  • kubernetes/kubernetes/pkg/kubelet/token
  • kubernetes/kubernetes/pkg/serviceaccount
  • kubernetes/kubernetes/plugin/pkg/admission/serviceaccount

sig-auth-tools

Tooling to automate the SIG Auth project boards

• Owners:
  • kubernetes-sigs/sig-auth-tools