|
12 | 12 | - Governance and leadership changes
|
13 | 13 | -->
|
14 | 14 |
|
| 15 | + - Governance and leadership changes |
| 16 | + - [**Mo Khan elected as new SIG tech lead**](https://groups.google.com/g/kubernetes-sig-auth/c/mHb4p8xWMR8/m/lk0UpMKXAAAJ). |
| 17 | + - Previous SIG TL Mike Danese stepped down during 2023 and stayed on as a chair. Many thanks for his leadership and guidance over the years. |
| 18 | + - The alpha `SecurityContextDeny` admission plugin was deprecated in [in v1.27](https://github.com/kubernetes/kubernetes/issues/111516) and removed in v1.30. |
| 19 | + - The [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) plugin enforcing the |
| 20 | + [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) `Restricted` profile captures what this plugin was trying to achieve |
| 21 | + in a better and up-to-date way. |
| 22 | + - [KEP-3325: Review attributes of a current user](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3325-self-subject-attributes-review-api) promoted to stable in v1.28. |
| 23 | + - `whoami` kubectl command promoted from `kubectl alpha` to `kubectl` [in v1.27](https://github.com/kubernetes/kubernetes/pull/116510). |
| 24 | + - Kubelet: security of dynamic resource allocation was enhanced by limiting node access to those objects that are needed on the node [in v1.28](https://github.com/kubernetes/kubernetes/pull/116254). |
| 25 | + - [KEP-3299: KMS v2 Improvements](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3299-kms-v2-improvements) promoted to stable in v1.29. |
| 26 | + - `KMSv2` is the recommended version of the KMS feature. |
| 27 | + - `KMSv1` was deprecated [in v1.28](https://github.com/kubernetes/kubernetes/pull/119007) and will only receive security updates going forward. Set `--feature-gates=KMSv1=true` to use the deprecated `KMSv1` feature. |
| 28 | + - Important initiatives that aren't tracked via KEPs: |
| 29 | + - Once a week issue/PR triage meetings. |
| 30 | + |
15 | 31 | 2. Are there any areas and/or subprojects that your group needs help with (e.g. fewer than 2 active OWNERS)?
|
16 | 32 |
|
17 | 33 | <!--
|
18 | 34 | Note: This list is generated from the KEP metadata in kubernetes/enhancements repository.
|
19 | 35 | If you find any discrepancy in the generated list here, please check the KEP metadata.
|
20 | 36 | Please raise an issue in kubernetes/community, if the KEP metadata is correct but the generated list is incorrect.
|
21 | 37 | -->
|
| 38 | + - The [Needs KEP / release work #sig-auth](https://docs.google.com/document/d/1sY8fRyRtk4eG9R439z5ao5i9bFuuxilS03XaNlqoni0/edit?usp=sharing) document lists multiple areas that need help and some currently have volunteers working on them. |
22 | 39 |
|
23 | 40 | 3. Did you have community-wide updates in 2023 (e.g. KubeCon talks)?
|
24 | 41 |
|
25 | 42 | <!--
|
26 | 43 | Examples include links to email, slides, or recordings.
|
27 | 44 | -->
|
28 | 45 |
|
| 46 | + - [KubeCon EU 2023] - [Kubernetes SIG Auth Deep Dive - Jordan Liggitt & Mike Danese, Google; Rita Zhang, David Eads](https://youtu.be/j9nzOLPJxAI?si=7p61DKRZ9aRwhRwe) |
| 47 | + - [KubeCon NA 2023] - [The Future of Kubernetes Auth and Policy Config: Common Expression Language - Mo Khan & Jordan Liggitt](https://youtu.be/yOF9S_0TO3A?si=etTKdsEZmC3EmiZc) |
| 48 | + |
29 | 49 | 4. KEP work in 2023 (v1.27, v1.28, v1.29):
|
30 | 50 |
|
| 51 | + - Pre-Alpha |
| 52 | + - [3766 - Move ReferenceGrant to sig-auth API Group](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3766-referencegrant) |
| 53 | + - [3926 - Handling undecryptable resources](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3926-handling-undecryptable-resources) |
| 54 | + |
31 | 55 | - Alpha
|
32 |
| - - [2718 - Client Executable Proxy](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2718-20210511-client-exec-proxy) - v1.27 |
33 | 56 | - [3221 - Structured Authorization Configuration](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3221-structured-authorization-configuration) - v1.29
|
34 | 57 | - [3257 - Cluster Trust Bundles](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3257-cluster-trust-bundles) - v1.29
|
35 | 58 | - [3331 - Structured authentication config](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3331-structured-authentication-configuration) - v1.29
|
36 |
| - - [3766 - Move ReferenceGrant to sig-auth API Group](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3766-referencegrant) - v1.27 |
37 |
| - - [3926 - Handling undecryptable resources](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3926-handling-undecryptable-resources) - v1.29 |
38 | 59 | - [4193 - bound service account token improvements](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/4193-bound-service-account-token-improvements) - v1.29
|
39 | 60 |
|
40 |
| - |
41 | 61 | - Stable
|
42 | 62 | - [3299 - KMS v2 Improvements](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3299-kms-v2-improvements) - v1.29
|
43 | 63 | - [3325 - Review attibutes of a current user](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3325-self-subject-attributes-review-api) - v1.28
|
44 | 64 |
|
45 |
| -## [Subprojects](https://git.k8s.io/community/sig-auth#subprojects) |
| 65 | + - Withdrawn |
| 66 | + - [2718 - Client Executable Proxy](https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2718-20210511-client-exec-proxy) |
46 | 67 |
|
| 68 | +## [Subprojects](https://git.k8s.io/community/sig-auth#subprojects) |
47 | 69 |
|
48 | 70 | **Retired in 2023:**
|
49 | 71 | - multi-tenancy
|
| 72 | + |
50 | 73 | **Continuing:**
|
51 | 74 | - audit-logging
|
52 | 75 | - authenticators
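Review bot: the hand edits to the KEP list under item 4 can drift from the KEP metadata that the template comment at new lines 34-36 says this list is generated from. KEPs 3766 and 3926 move from Alpha to a new Pre-Alpha group and lose their "- v1.27" / "- v1.29" suffixes, and 2718 moves to a new Withdrawn group. If the metadata in kubernetes/enhancements still records the old stage for these KEPs, regenerating the report will undo the change, so update the metadata in the same pass or call out the discrepancy in the PR description. Two wording nits: new line 18 reads "deprecated in [in v1.27]", which doubles "in", and the unchanged Stable entry at new line 63 still spells "attibutes" while new line 22 has "attributes". New line 27 would also be clearer if it named the component that takes `--feature-gates=KMSv1=true` and the release from which the gate is needed.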
|
|
64 | 87 |
|
65 | 88 | **Retired in 2023:**
|
66 | 89 | - Multitenancy
|
| 90 | + |
67 | 91 | **Continuing:**
|
68 | 92 | - Policy
|
69 | 93 |
|
70 | 94 | ## Operational
|
71 | 95 |
|
72 | 96 | Operational tasks in [sig-governance.md]:
|
73 |
| -- [ ] [README.md] reviewed for accuracy and updated if needed |
74 |
| -- [ ] [CONTRIBUTING.md] reviewed for accuracy and updated if needed |
75 |
| -- [ ] Other contributing docs (e.g. in devel dir or contributor guide) reviewed for accuracy and updated if needed |
76 |
| -- [ ] Subprojects list and linked OWNERS files in [sigs.yaml] reviewed for accuracy and updated if needed |
77 |
| -- [ ] SIG leaders (chairs, tech leads, and subproject leads) in [sigs.yaml] are accurate and active, and updated if needed |
78 |
| -- [ ] Meeting notes and recordings for 2023 are linked from [README.md] and updated/uploaded if needed |
79 | 97 |
|
| 98 | +- [x] [README.md] reviewed for accuracy and updated if needed |
| 99 | +- [x] [CONTRIBUTING.md] reviewed for accuracy and updated if needed |
| 100 | +- [x] Other contributing docs (e.g. in devel dir or contributor guide) reviewed for accuracy and updated if needed |
| 101 | +- [x] Subprojects list and linked OWNERS files in [sigs.yaml] reviewed for accuracy and updated if needed |
| 102 | +- [x] SIG leaders (chairs, tech leads, and subproject leads) in [sigs.yaml] are accurate and active, and updated if needed |
| 103 | +- [x] Meeting notes and recordings for 2023 are linked from [README.md] and updated/uploaded if needed |
80 | 104 |
|
81 | 105 | [CONTRIBUTING.md]: https://git.k8s.io/community/sig-auth/CONTRIBUTING.md
|
82 | 106 | [sig-governance.md]: https://git.k8s.io/community/committee-steering/governance/sig-governance.md
|
|