Covers improvements to Kubernetes authorization, authentication, and cluster security policy.
"All I want is a secure system where it's easy to do anything I want. Is that so much to ask?" - xkcd
The charter defines the scope and governance of the Auth Special Interest Group.
- Regular SIG Meeting: Wednesdays at 11:00 PT (Pacific Time) (biweekly).
- Secrets Store CSI Meeting: Thursdays at 8:00 PT (Pacific Time) (biweekly).
The Chairs of the SIG run operations and processes governing the SIG.
- Mo Khan (@enj), VMware
- Mike Danese (@mikedanese), Google
- Tim Allclair (@tallclair), Apple
The Technical Leads of the SIG establish new subprojects, decommission existing subprojects, and resolve cross-subproject technical issues and decisions.
- David Eads (@deads2k), Red Hat
- Jordan Liggitt (@liggitt), Google
- Mike Danese (@mikedanese), Google
- Eric Chiang (@ericchiang)
- Eric Tune (@erictune)
- Slack: #sig-auth
- Mailing list
- Open Community Issues/PRs
- GitHub Teams:
- @kubernetes/sig-auth-api-reviews - API Changes and Reviews
- @kubernetes/sig-auth-bugs - Bug Triage and Troubleshooting
- @kubernetes/sig-auth-feature-requests - Feature Requests
- @kubernetes/sig-auth-misc - General Discussion
- @kubernetes/sig-auth-pr-reviews - PR Reviews
- @kubernetes/sig-auth-proposals - Design Proposals
- @kubernetes/sig-auth-test-failures - Test Failures and Triage
- Steering Committee Liaison: Christoph Blecker (@cblecker)
The following subprojects are owned by sig-auth:
Kubernetes API support for audit logging.
- Owners:
Kubernetes API support for authentication.
- Owners:
- kubernetes/kubernetes/pkg/apis/authentication
- kubernetes/kubernetes/pkg/kubeapiserver/authenticator
- kubernetes/kubernetes/pkg/registry/authentication
- kubernetes/kubernetes/plugin/pkg/auth/authenticator
- kubernetes/kubernetes/staging/src/k8s.io/api/authentication
- kubernetes/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication
- kubernetes/kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/authenticator
- kubernetes/kubernetes/staging/src/k8s.io/client-go/kubernetes/typed/authentication
- kubernetes/kubernetes/staging/src/k8s.io/client-go/listers/authentication
- kubernetes/kubernetes/staging/src/k8s.io/client-go/pkg/apis/clientauthentication
- kubernetes/kubernetes/staging/src/k8s.io/client-go/plugin/pkg/client/auth
- kubernetes/kubernetes/staging/src/k8s.io/client-go/tools/auth
Kubernetes API support for authorization.
- Owners:
- kubernetes/kubernetes/pkg/apis/authorization
- kubernetes/kubernetes/pkg/apis/rbac
- kubernetes/kubernetes/pkg/kubeapiserver/authorizer
- kubernetes/kubernetes/pkg/kubectl/cmd/auth
- kubernetes/kubernetes/pkg/registry/authorization
- kubernetes/kubernetes/pkg/registry/rbac
- kubernetes/kubernetes/plugin/pkg/auth/authorizer
- kubernetes/kubernetes/staging/src/k8s.io/api/authorization
- kubernetes/kubernetes/staging/src/k8s.io/api/rbac
- kubernetes/kubernetes/staging/src/k8s.io/apiserver/pkg/authorization
- kubernetes/kubernetes/staging/src/k8s.io/apiserver/plugin/pkg/authorizer
- kubernetes/kubernetes/staging/src/k8s.io/client-go/kubernetes/typed/authorization
- kubernetes/kubernetes/staging/src/k8s.io/client-go/kubernetes/typed/rbac
- kubernetes/kubernetes/staging/src/k8s.io/client-go/listers/authorization
- kubernetes/kubernetes/staging/src/k8s.io/client-go/listers/rbac
Certificates APIs and client infrastructure to support PKI.
- Owners:
- kubernetes/kubernetes/pkg/apis/certificates
- kubernetes/kubernetes/pkg/controller/certificates
- kubernetes/kubernetes/pkg/registry/certificates
- kubernetes/kubernetes/staging/src/k8s.io/apiserver/pkg/authentication/request/x509
- kubernetes/kubernetes/staging/src/k8s.io/client-go/util/cert
- kubernetes/kubernetes/staging/src/k8s.io/client-go/util/certificate
API storage support for storing data encrypted at rest in etcd.
- Owners:
Controller to manage hierarchical namespaces.
Proposals and prototypes for introducing a tenant model to enable multi-tenant clusters.
- Owners:
Node identity management (co-owned with sig-lifecycle), and authorization restrictions for isolating workloads on separate nodes (co-owned with sig-node).
- Owners:
API validation and policies enforced during admission, such as PodSecurityPolicy. Excludes run-time policies like NetworkPolicy and Seccomp.
- Owners:
- kubernetes-sigs/wg-policy-prototypes
- kubernetes/kubernetes/pkg/apis/imagepolicy
- kubernetes/kubernetes/pkg/apis/policy
- kubernetes/kubernetes/pkg/registry/policy
- kubernetes/kubernetes/pkg/security/podsecuritypolicy
- kubernetes/kubernetes/plugin/pkg/admission/imagepolicy
- kubernetes/kubernetes/plugin/pkg/admission/security/podsecuritypolicy
- kubernetes/kubernetes/staging/src/k8s.io/api/imagepolicy
- kubernetes/kubernetes/staging/src/k8s.io/api/policy
Integrates secrets stores with Kubernetes via a CSI volume.
- Owners:
- Contact:
- Slack: #csi-secrets-store
- Mailing List
Infrastructure implementing Kubernetes service account based workload identity.