annual-report-2024.md

2024 Annual Report: SIG Auth

Current initiatives and Project Health

1. What work did the SIG do this year that should be highlighted?

• No governance or leadership changes.
• The SecurityContextDeny admission plugin was removed in v1.30 after being deprecated in v1.27. The Pod Security Admission plugin, available since v1.25, is recommended instead.
• Updated an audit annotation key used by the …/serviceaccounts/<name>/token resource handler in v1.30. The annotation used to persist the issued credential identifier is now authentication.kubernetes.io/issued-credential-id.
• Added support for configuring multiple JWT authenticators in Structured Authentication Configuration in v1.30. The maximum allowed JWT authenticators in the authentication configuration is 64.
• The AuthorizationConfiguration type accepted in --authorization-config files has been promoted to apiserver.config.k8s.io/v1 in v1.32.
• Allowed creating ServiceAccount tokens bound to Node objects in v1.31. This allows users to bind a service account token's validity to a named Node object, similar to Pod bound tokens. Use with kubectl create token <serviceaccount-name> --bound-object-kind=Node --bound-object-node=<node-name>.
• When the alpha UserNamespacesPodSecurityStandards feature gate is enabled, Pod Security Admission enforcement of the baseline policy now allows procMount=Unmasked for user namespace pods that set hostUsers=false starting in v1.31.
• Starting in v1.31, container_engine_t is in the list of allowed SELinux types in the baseline Pod Security Standards profile.
• Starting in v1.31, the Node Admission plugin rejects CSR requests created by a node identity for the signers kubernetes.io/kubelet-serving or kubernetes.io/kube-apiserver-client-kubelet with a CN starting with system:node:, but where the CN is not system:node:${node-name}. The feature gate AllowInsecureKubeletCertificateSigningRequests defaults to false, but can be enabled to revert to the previous behavior. This feature gate will be removed in Kubernetes v1.33.
• Disallow k8s.io and kubernetes.io namespaced extra key in structured authentication configuration starting in v1.32.
• Starting in v1.32, NodeRestriction admission validates the audience value that kubelet is requesting a service account token for is part of the pod spec volume. This change is introduced with a new kube-apiserver featuregate ServiceAccountNodeAudienceRestriction that's enabled by default in v1.32.
  • The feature gate ServiceAccountNodeAudienceRestriction was disabled by default in v1.32.2 to fix a regression. It is enabled by default in v1.33+.
• Added a new SIG Auth subproject: Secrets Store Sync Controller, a Kubernetes controller to sync from external secrets store to Kubernetes secrets.
• Important initiatives that aren't tracked via KEPs:
  • Once a week issue/PR triage meetings.

2. Are there any areas and/or subprojects that your group needs help with (e.g. fewer than 2 active OWNERS)?

• The Needs KEP / release work #sig-auth document lists multiple areas that need help and some currently have volunteers working on them.

3. Did you have community-wide updates in 2024 (e.g. KubeCon talks)?

• [KubeCon EU 2024] - Safety or Usability: Why Not Both? Towards Referential Auth in K8s - Rob Scott, Google & Mo Khan
• [KubeCon NA 2024] - Pushing Authorization Further: CEL, Selectors and Maybe RBAC++ - Mo Khan, Rita Zhang, Jordan Liggitt

4. KEP work in 2024 (v1.30, v1.31, v1.32):

• Pre-Alpha

  • 4317 - Pod Certificates
  • 4412 - Projected service account tokens for Kubelet image credential providers

• Alpha

  • 3926 - Handling undecryptable resources - v1.32
  • 740 - Support external signing of service account tokens - v1.32

• Beta

  • 3331 - Structured authentication config - v1.30
  • 4601 - Authorize with Selectors - v1.32
  • 4633 - Only allow anonymous auth for configured endpoints - v1.32

• Stable

  • 2799 - Reduction of Secret-based Service Account Tokens - v1.30
  • 3221 - Structured Authorization Configuration - v1.32
  • 4193 - bound service account token improvements - v1.32

Subprojects

New in 2024:

• secrets-store-sync-controller

Continuing:

• audit-logging
• authenticators
• authorizers
• certificates
• encryption-at-rest
• node-identity-and-isolation
• policy-management
• secrets-store-csi-driver
• service-accounts
• sig-auth-tools

Archiving in 2025:

• hierarchical-namespace-controller

Working groups

Continuing:

• Policy

Operational

Operational tasks in sig-governance.md:

• README.md reviewed for accuracy and updated if needed
• CONTRIBUTING.md reviewed for accuracy and updated if needed
• Other contributing docs (e.g. in devel dir or contributor guide) reviewed for accuracy and updated if needed
• Subprojects list and linked OWNERS files in sigs.yaml reviewed for accuracy and updated if needed
• SIG leaders (chairs, tech leads, and subproject leads) in sigs.yaml are accurate and active, and updated if needed
• Meeting notes and recordings for 2024 are linked from README.md and updated/uploaded if needed