annual-report-2023.md

2023 Annual Report: SIG Auth

Current initiatives and Project Health

1. What work did the SIG do this year that should be highlighted?

• Governance and leadership changes
  • Mo Khan elected as new SIG tech lead.
  • Previous SIG TL Mike Danese stepped down during 2023 and stayed on as a chair. Many thanks for his leadership and guidance over the years.
• The alpha SecurityContextDeny admission plugin was deprecated in in v1.27 and removed in v1.30.
  • The Pod Security Admission plugin enforcing the Pod Security Standards Restricted profile captures what this plugin was trying to achieve in a better and up-to-date way.
• KEP-3325: Review attributes of a current user promoted to stable in v1.28.
  • whoami kubectl command promoted from kubectl alpha to kubectl in v1.27.
• Kubelet: security of dynamic resource allocation was enhanced by limiting node access to those objects that are needed on the node in v1.28.
• KEP-3299: KMS v2 Improvements promoted to stable in v1.29.
  • KMSv2 is the recommended version of the KMS feature.
  • KMSv1 was deprecated in v1.28 and will only receive security updates going forward. Set --feature-gates=KMSv1=true to use the deprecated KMSv1 feature.
• Important initiatives that aren't tracked via KEPs:
  • Once a week issue/PR triage meetings.

2. Are there any areas and/or subprojects that your group needs help with (e.g. fewer than 2 active OWNERS)?

• The Needs KEP / release work #sig-auth document lists multiple areas that need help and some currently have volunteers working on them.

3. Did you have community-wide updates in 2023 (e.g. KubeCon talks)?

• [KubeCon EU 2023] - Kubernetes SIG Auth Deep Dive - Jordan Liggitt & Mike Danese, Google; Rita Zhang, David Eads
• [KubeCon NA 2023] - The Future of Kubernetes Auth and Policy Config: Common Expression Language - Mo Khan & Jordan Liggitt

4. KEP work in 2023 (v1.27, v1.28, v1.29):

• Pre-Alpha

  • 3766 - Move ReferenceGrant to sig-auth API Group
  • 3926 - Handling undecryptable resources

• Alpha

  • 3221 - Structured Authorization Configuration - v1.29
  • 3257 - Cluster Trust Bundles - v1.29
  • 3331 - Structured authentication config - v1.29
  • 4193 - bound service account token improvements - v1.29

• Stable

  • 3299 - KMS v2 Improvements - v1.29
  • 3325 - Review attibutes of a current user - v1.28

• Withdrawn

  • 2718 - Client Executable Proxy

Subprojects

Retired in 2023:

• multi-tenancy

Continuing:

• audit-logging
• authenticators
• authorizers
• certificates
• encryption-at-rest
• hierarchical-namespace-controller
• node-identity-and-isolation
• policy-management
• secrets-store-csi-driver
• service-accounts
• sig-auth-tools

Working groups

Retired in 2023:

• Multitenancy

Continuing:

• Policy

Operational

Operational tasks in sig-governance.md:

• README.md reviewed for accuracy and updated if needed
• CONTRIBUTING.md reviewed for accuracy and updated if needed
• Other contributing docs (e.g. in devel dir or contributor guide) reviewed for accuracy and updated if needed
• Subprojects list and linked OWNERS files in sigs.yaml reviewed for accuracy and updated if needed
• SIG leaders (chairs, tech leads, and subproject leads) in sigs.yaml are accurate and active, and updated if needed
• Meeting notes and recordings for 2023 are linked from README.md and updated/uploaded if needed