Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SIG Auth 2021 Annual Report #5740

Merged
merged 4 commits into from
May 5, 2021
Merged
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
117 changes: 117 additions & 0 deletions sig-auth/annual-report-2021.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
# Kubernetes SIG Auth 2021 Annual Report

## Operational

**How are you doing with operational tasks in sig-governance.md?**

**Is your README accurate? have a CONTRIBUTING.md file?**

- Yes, our README is accurate. As of this report, we do not have a CONTRIBUTING.md file. We will be [creating one](https://github.com/kubernetes/community/issues/5760) shortly.

**All subprojects correctly mapped and listed in sigs.yaml?**

- Yes.

**What’s your meeting culture? Large/small, active/quiet, learnings? Meeting notes up to date? Are you keeping recordings up to date/trends in community members watching recordings?**

- Our bi-weekly meetings are usually pretty active with medium size attendance consists of mostly the same people. Some meetings may get more people depending on the topic.

- Subproject meetings are smaller.

- We take [meeting notes](https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/edit#) during the meeting. Unfortunately we do not do a great job of keeping good meeting notes. We are discussing various ways to improve.

- The recordings serve as a historical record for bi-weekly SIG meeting and special topics meetings. They are uploaded to YouTube automatically. Then SIG chairs add the video to the [SIG Auth playlist](https://www.youtube.com/playlist?list=PL69nYSiGNLP0VMOZ-V7-5AchXTHAQFzJw).

**How does the group get updates, reports, or feedback from subprojects? Are there any springing up or being retired? Are OWNERS files up to date in these areas?**

- We do not do much here today. We will ask subproject owners to give updates in the main SIG meeting on some cadence.

- Our OWNERS files are up-to-date.

**How does the group get updates, reports, or feedback from working groups? Are there any springing up or being retired? Are OWNERS files up to date in these areas?**

- We do not do much here today. We will ask working group owners to give updates in the main SIG meeting on some cadence.

- Our OWNERS files are up-to-date.

**When was your last monthly community-wide update? (provide link to deck and/or recording)**

- [February, 2020 Slides](https://docs.google.com/presentation/d/1HBMqr5V79S8BSrSMAxPdQiyyCL9byBBWj2D4WrR3hPY).

## Membership

**Are all listed SIG leaders (chairs, tech leads, and subproject owners) active?**

- Yes, all SIG chairs and leads are active.

- Need to review subproject owners to confirm.

**How do you measure membership? By mailing list members, OWNERs, or something else?**

- We do not currently measure membership. We could start with Slack, mailing list members, and meeting attendance. As of this report, there are 2,136 members of the main SIG Auth Slack channel and 447 members of the mailing list.

**How does the group measure reviewer and approver bandwidth? Do you need help in any area now? What are you doing about it?**

- We do not currently measure this. Need to look at how other SIGs do this today.

**Is there a healthy onboarding and growth path for contributors in your SIG? What are some activities that the group does to encourage this? What programs are you participating in to grow contributors throughout the contributor ladder?**

- Currently there is no onboarding or growth path. This is something we are working on and learning from other SIGs. We will start by creating a CONTRIBUTING.md file.

**What programs do you participate in for new contributors?**

- We have intro sessions at KubeCon to help new contributors get started.

- We now have weekly issues and PRs triage meetings. New contributors can join to help with new issues and PRs.

**Does the group have contributors from multiple companies/affiliations? Can end users/companies contribute in some way that they currently are not?**

- Yes. Our chairs, leads, contributors, participants, and subproject owners are from various companies.

## Current initiatives and project health

- Please include links to KEPs and other supporting information that will be beneficial to multiple types of community members.

**What are initiatives that should be highlighted, lauded, shout out, that your group is proud of? Currently underway? What are some of the longer tail projects that your group is working on?**

- [CSR v1](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1513-certificate-signing-request)
- [Token Request / bound SA token admission](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1205-bound-service-account-tokens)
- [client-go auth plugins](https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/541-external-credential-providers)
- [external kubelet credential providers](https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/2133-kubelet-credential-providers)
- [New features in Secrets Store CSI driver](https://secrets-store-csi-driver.sigs.k8s.io/introduction.html#features)
- [Pod Security Policy Replacement](https://github.com/kubernetes/enhancements/issues/2579)

**Year to date KEP work review: What’s now stable? Beta? Alpha? Road to alpha?**

- Stable
- BoundServiceAccountToken (v1.22)
- Certificates API (v1.19)
- TokenRequest (v1.20)
- TokenRequestProjection (v1.20)
- RootCAConfigMap (v1.21)
- ServiceAccountIssuerDiscovery (v1.21)
- client-go auth plugins (v1.22)
- Beta
ritazh marked this conversation as resolved.
Show resolved Hide resolved
- CSIServiceAccountToken (v1.21)
- Alpha
- Hierarchical Namespace Controller
- Road to alpha
- Pod Security Policy Replacement

**What areas and/or subprojects does the group need the most help with?**

- Audit Logging
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are some smaller feature requests & issues related to audit logging, but I'm not sure how much work the core auditing system needs right now. I'd still be interested in seeing an out-of-tree implementation of dynamic auditing or a namespaced audit server.

Copy link
Member Author

@ritazh ritazh Apr 29, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @tallclair! Do you have a link so people who may want to help out will know where to start? How about these: https://github.com/kubernetes/kubernetes/issues?q=is%3Aopen+is%3Aissue+label%3Asig%2Fauth+%22audit+logging%22

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to add the link please

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would explicitly highlight kubernetes/kubernetes#82295, as it's something I really want to see.

Then generally: https://github.com/kubernetes/kubernetes/issues?q=is%3Aopen+is%3Aissue+label%3Aarea%2Faudit+

- https://github.com/kubernetes/kubernetes/issues/101597
- https://github.com/kubernetes/kubernetes/issues/84571
- https://github.com/kubernetes/kubernetes/issues/82295
- https://github.com/kubernetes/kubernetes/issues?q=is%3Aopen+is%3Aissue+label%3Aarea%2Faudit+
- Testing
Copy link
Member Author

@ritazh ritazh Apr 29, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have any issues we can link here that outline what is missing today? @tallclair @mikedanese @liggitt @enj

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes please!

Copy link
Member

@enj enj May 4, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The main thing I am aware of is the testing work that @ankeesler has been doing for client-go auth plugins.

xref: kubernetes/enhancements#541 (comment)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ya, the mature surface is pretty well covered. Maybe kubelet auth in e2e tests?

- https://github.com/kubernetes/enhancements/issues/541#issuecomment-799372909
- KMS
- [KMS-Plugin: Areas for improvement](https://docs.google.com/document/d/1-WHXX_Dh_MNcJb2QJxF0gOAvLjh0fAnc3QrylWdMZJA/edit)

**What's the average open days of a PR and Issue in your group? / what metrics does your group care about and/or measure?**

- Based on devstats [Issue Velocity / Issues age by SIG and repository groups](https://k8s.devstats.cncf.io/d/15/issues-age-by-sig-and-repository-groups?orgId=1&var-period=d7&var-repogroup_name=Kubernetes&var-sig_name=auth&var-kind_name=All&var-prio_name=All) at the time of writing this report, median time to close sig auth issues in Kubernetes/Kubernetes created in the last 7 days is roughly 24 hours.
ritazh marked this conversation as resolved.
Show resolved Hide resolved
- Based on devstats [Issue Velocity / Inactive Issues by SIG for 90 days or more](https://k8s.devstats.cncf.io/d/73/inactive-issues-by-sig?orgId=1&var-sigs=%22auth%22) at the time of writing this report, average is 7.
- Based on devstats [PR Velocity / Awaiting PRs by SIG for 90 days or more](https://k8s.devstats.cncf.io/d/70/awaiting-prs-by-sig?orgId=1&var-sigs=%22auth%22) at the time of writing this report, average is 47.