SIG Auth

Covers improvements to Kubernetes authorization, authentication, and cluster security policy.

“All I want is a secure system where it’s easy to do anything I want. Is that so much to ask?” - xkcd

Meetings

Joining the mailing list for the group will typically add invites for the following meetings to your calendar.

Regular SIG Meeting: Wednesdays at 11:00 PT (Pacific Time) (biweekly, you must be signed into a free zoom account to join). Convert to your timezone .
- Meeting notes and Agenda .
- Meeting recordings .
Secrets Store CSI Meeting: Thursdays at 9:00 PT (Pacific Time) (biweekly, you must be signed into a free zoom account to join). Convert to your timezone .
- Meeting notes and Agenda .
- Meeting recordings .
Weekly Issues/PR Triage Meeting: Mondays at 9:00 PT (Pacific Time) (weekly, you must be signed into a free zoom account to join). Convert to your timezone .

Leadership

Chairs

The Chairs of the SIG run operations and processes governing the SIG.

Anish Ramasekar (@aramase ), Microsoft
Micah Hausler (@micahhausler ), Amazon
Rita Zhang (@ritazh ), Microsoft

Technical Leads

The Technical Leads of the SIG establish new subprojects, decommission existing subprojects, and resolve cross-subproject technical issues and decisions.

David Eads (@deads2k ), Red Hat
Mo Khan (@enj ), Microsoft
Jordan Liggitt (@liggitt ), Google

Emeritus Leads

Eric Chiang (@ericchiang )
Eric Tune (@erictune )
Mike Danese (@mikedanese )
Tim Allclair (@tallclair )

Contact

Slack: #sig-auth
Mailing list
Open Community Issues/PRs
GitHub Teams:
- @kubernetes/sig-auth-api-reviews - API Changes and Reviews
- @kubernetes/sig-auth-bugs - Bug Triage and Troubleshooting
- @kubernetes/sig-auth-feature-requests - Feature Requests
- @kubernetes/sig-auth-misc - General Discussion
- @kubernetes/sig-auth-pr-reviews - PR Reviews
- @kubernetes/sig-auth-proposals - Design Proposals
- @kubernetes/sig-auth-test-failures - Test Failures and Triage
Steering Committee Liaison: Kat Cosgrove (@katcosgrove )

Working Groups

The following working groups are sponsored by sig-auth:

WG Checkpoint Restore

Subprojects

The following subprojects are owned by sig-auth:

audit-logging

Kubernetes API support for audit logging.

Owners:

authenticators

Kubernetes API support for authentication.

Owners:

authorizers

Kubernetes API support for authorization.

Owners:

certificates

Certificates APIs and client infrastructure to support PKI.

Owners:

encryption-at-rest

API storage support for storing data encrypted at rest in etcd.

Owners:
- kubernetes/kubernetes/staging/src/k8s.io/apiserver/pkg/server/options/encryptionconfig
- kubernetes/kubernetes/staging/src/k8s.io/apiserver/pkg/storage/value

node-identity-and-isolation

Node identity management (co-owned with sig-lifecycle), and authorization restrictions for isolating workloads on separate nodes (co-owned with sig-node).

Owners:

policy-management

API validation and policies enforced during admission, such as PodSecurityPolicy. Excludes run-time policies like NetworkPolicy and Seccomp.

Owners:

secrets-store-csi-driver

Integrates secrets stores with Kubernetes via a CSI volume.

Leads:
- Anish Ramasekar (@aramase ), Microsoft
- Rita Zhang (@ritazh ), Microsoft
Owners:
- kubernetes-sigs/secrets-store-csi-driver
Contact:
- Slack: #csi-secrets-store
- Mailing List

secrets-store-sync-controller

This is a Kubernetes controller that watches for changes to a custom resource and syncs the secrets from external secrets-store as Kubernetes secret.

Leads:
- Anish Ramasekar (@aramase ), Microsoft
- Mo Khan (@enj ), Microsoft
Owners:
- kubernetes-sigs/secrets-store-sync-controller

service-accounts

Infrastructure implementing Kubernetes service account based workload identity.

Owners:

sig-auth-tools

Tooling to automate the SIG Auth project boards

Owners:
- kubernetes-sigs/sig-auth-tools

Feedback

Was this page helpful?