add subprojects for sig-auth

[mikedanese]

Transplanted from:

https://docs.google.com/document/d/1RJvnSPOJ3JC61gerCpCpaCtzQjRcsZ2tXkcyokr6sLY/edit

I talked about this with @spiffxp in slack. Our current subprojects are generally cross cutting. The TLs for these subprojects don't roll up to specific OWNERS files generally. However, the convetions for the SIG README seems to be that subproject owners should be URLs to OWNERS files. Is this an issue?

cc @liggitt @tallclair

Fixes #2505

[spiffxp]

/hold
Each subproject is supposed to be a collection of 1-N packages or repos of code, the owners which are designated by OWNERS files within those packages/repos

Where do packages like these fall within the subprojects? eg:

• k8s.io/kubernetes/apis/authentication
• k8s.io/kubernetes/apis/authorization
• k8s.io/auth/authorizer
• k8s.io/apiserver/pkg/apis/audit
• etc.

@bgrant0607 how would you suggest proceeding here

[tallclair]

Worth calling out the the policy working group (now merged with SAFE)?

[tallclair]

(meetings field?)

[mikedanese]

Is this project supposed to represent a topic, or actual maintenance and development on the below subtrees? How involved is SAFE in the later?

[tallclair]

I think we should probably give a description (including scope) for each of these.

[liggitt]

agree

[mikedanese]

@tallclair, I was working off this document:

https://docs.google.com/document/d/1RJvnSPOJ3JC61gerCpCpaCtzQjRcsZ2tXkcyokr6sLY/edit

I asked in #2505, if that was a good starting point. Perhaps we need to revisit and iterate on the document before moving subprojects to sig.yaml.

[bgrant0607]

These subprojects aren't properly specified. Some of them are more activities right now than subprojects AFAIK.

We should ensure the scope in the charter is sufficient to cover them:
https://github.com/kubernetes/community/blob/master/sig-auth/charter.md

But I wouldn't list them as subprojects here unless there are specific code and/or doc artifacts.

Subprojects such as authentication, authorization, and audit logging should have specific OWNERS files. I realize they are spread out, but each subtree should be enumerated. Over time, we need to reorganize the code to be less sprawling.

Being spread out isn't the same as cross-cutting.

[spiffxp]

/approve
This looks way better, thanks. A description for these is possible if you want to go that route (eg: testing-commons). I leave the /lgtm and /hold removal to folks from the sig

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: spiffxp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [spiffxp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mikedanese]

Lot's of these OWNERS files don't exist yet. If we agree on the subprojects, I will backfill them.

/hold cancel

[spiffxp]

/committee steering
(now with correct command spelling) just to keep track of when this gets closed out

[mikedanese]

@liggitt @tallclair PTAL.

[liggitt]

maintaining these is going to be tough... most of these have already link-rotted and return 404s :-/

[mikedanese]

@liggitt These were broken when I sent the PR. My intention was to find the right subtrees to claim, then backfill the OWNERS files.

[mikedanese]

/assign @enj @tallclair @liggitt

[tallclair]

Can we be a bit more specific here? E.g. does kubernetes/kubernetes#63732 fall under this subproject?

[mikedanese]

I suspect that the linked issue would fit better under the service-accounts subproject.

[tallclair]

Can we expand this subproject to be "secrets management"? E.g. I think the vault integration might fall under this subproject?

[mikedanese]

The current implementation of encryption is orthogonal to resource kind even though the motivating usecase was secrets. Which vault integration are you thinking of? The KMS plugin? There's also a valut integration based on service accounts.

[liggitt]

created approvers and reviewers owners aliases for each subproject, and linked them in owners files in the referenced packages in kubernetes/kubernetes#70600

[liggitt]

the first two seem more like the certificates subproject (and pkg/controller/certificates is already under the certificates subproject)

[mikedanese]

pkg/kubelet/certificate belongs under certificate infra over node identity? And the approvers in pkg/controller/certificates/approver are only good for approving node certificates. These both seem more appropriately positioned here.

[liggitt]

ok, I can buy that. can you follow up with a PR against k/k to populate/fixup those two OWNERS files to point to the right subproject?

[liggitt]

with the switch of the certificates bits under the certificates subproject, this lgtm as a first step

the referenced owners files have been added in kubernetes/kubernetes#70600

[liggitt]

/lgtm