With Kubernetes 1.30, we (SIG Auth) are moving Structured Authentication Configuration to beta.

Today's article is about authentication: finding out who's performing a task, and checking that they are who they say they are. Check back in tomorrow to find about what's new in Kubernetes v1.30 around authorization (deciding what someone can and can't access).

Motivation

Kubernetes has had a long-standing need for a more flexible and extensible authentication system. The current system, while powerful, has some limitations that make it difficult to use in certain scenarios. For example, it is not possible to use multiple authenticators of the same type (e.g., multiple JWT authenticators) or to change the configuration without restarting the API server. The Structured Authentication Configuration feature is the first step towards addressing these limitations and providing a more flexible and extensible way to configure authentication in Kubernetes.

What is structured authentication configuration?

Kubernetes v1.30 builds on the experimental support for configurating authentication based on a file, that was added as alpha in Kubernetes v1.30. At this beta stage, Kubernetes only supports configuring JWT authenticators, which serve as the next iteration of the existing OIDC authenticator. JWT authenticator is an authenticator to authenticate Kubernetes users using JWT compliant tokens. The authenticator will attempt to parse a raw ID token, verify it's been signed by the configured issuer.

The Kubernetes project added configuration from a file so that it can provide more flexibility than using command line options (which continue to work, and are still supported). Supporting a configuration file also makes it easy to deliver further improvements in upcoming releases.

Benefits of structured authentication configuration

Here's why using a configuration file to configure cluster authentication is a benefit:

1. Multiple JWT authenticators: You can configure multiple JWT authenticators simultaneously. This allows you to use multiple identity providers (e.g., Okta, Keycloak, GitLab) without needing to use an intermediary like Dex that handles multiplexing between multiple identity providers.
2. Dynamic configuration: You can change the configuration without restarting the API server. This allows you to add, remove, or modify authenticators without disrupting the API server.
3. Any JWT-compliant token: You can use any JWT-compliant token for authentication. This allows you to use tokens from any identity provider that supports JWT. The minimum valid JWT payload must contain the claims documented in structured authentication configuration page in the Kubernetes documentation.
4. CEL (Common Expression Language) support: You can use CEL to determine whether the token's claims match the user's attributes in Kubernetes (e.g., username, group). This allows you to use complex logic to determine whether a token is valid.
5. Multiple audiences: You can configure multiple audiences for a single authenticator. This allows you to use the same authenticator for multiple audiences, such as using a different OAuth client for kubectl and dashboard.
6. Using identity providers that don't support OpenID connect discovery: You can use identity providers that don't support OpenID Connect discovery. The only requirement is to host the discovery document at a different location than the issuer (such as locally in the cluster) and specify the issuer.discoveryURL in the configuration file.

How to use Structured Authentication Configuration

To use structured authentication configuration, you specify the path to the authentication configuration using the --authentication-config command line argument in the API server. The configuration file is a YAML file that specifies the authenticators and their configuration. Here is an example configuration file that configures two JWT authenticators:

apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
# Someone with a valid token from either of these issuers could authenticate
# against this cluster.
jwt:
- issuer:
 url: https://issuer1.example.com
 audiences:
 - audience1
 - audience2
 audienceMatchPolicy: MatchAny
 claimValidationRules:
 expression: 'claims.hd == "example.com"'
 message: "the hosted domain name must be example.com"
 claimMappings:
 username:
 expression: 'claims.username'
 groups:
 expression: 'claims.groups'
 uid:
 expression: 'claims.uid'
 extra:
 - key: 'example.com/tenant'
 expression: 'claims.tenant'
 userValidationRules:
 - expression: "!user.username.startsWith('system:')"
 message: "username cannot use reserved system: prefix"
# second authenticator that exposes the discovery document at a different location
# than the issuer
- issuer:
 url: https://issuer2.example.com
 discoveryURL: https://discovery.example.com/.well-known/openid-configuration
 audiences:
 - audience3
 - audience4
 audienceMatchPolicy: MatchAny
 claimValidationRules:
 expression: 'claims.hd == "example.com"'
 message: "the hosted domain name must be example.com"
 claimMappings:
 username:
 expression: 'claims.username'
 groups:
 expression: 'claims.groups'
 uid:
 expression: 'claims.uid'
 extra:
 - key: 'example.com/tenant'
 expression: 'claims.tenant'
 userValidationRules:
 - expression: "!user.username.startsWith('system:')"
 message: "username cannot use reserved system: prefix"

Migration from command line arguments to configuration file

The Structured Authentication Configuration feature is designed to be backwards-compatible with the existing approach, based on command line options, for configuring the JWT authenticator. This means that you can continue to use the existing command-line options to configure the JWT authenticator. However, we (Kubernetes SIG Auth) recommend migrating to the new configuration file-based approach, as it provides more flexibility and extensibility.

Here is an example of how to migrate from the command-line flags to the configuration file:

Command-line arguments

--oidc-issuer-url=https://issuer.example.com
--oidc-client-id=example-client-id
--oidc-username-claim=username
--oidc-groups-claim=groups
--oidc-username-prefix=oidc:
--oidc-groups-prefix=oidc:
--oidc-required-claim="hd=example.com"
--oidc-required-claim="admin=true"
--oidc-ca-file=/path/to/ca.pem

There is no equivalent in the configuration file for the --oidc-signing-algs. For Kubernetes v1.30, the authenticator supports all the asymmetric algorithms listed in oidc.go.

Configuration file

apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
jwt:
- issuer:
 url: https://issuer.example.com
 audiences:
 - example-client-id
 certificateAuthority: <value is the content of file /path/to/ca.pem>
 claimMappings:
 username:
 claim: username
 prefix: "oidc:"
 groups:
 claim: groups
 prefix: "oidc:"
 claimValidationRules:
 - claim: hd
 requiredValue: "example.com"
 - claim: admin
 requiredValue: "true"

What's next?

For Kubernetes v1.31, we expect the feature to stay in beta while we get more feedback. In the coming releases, we want to investigate:

• Making distributed claims work via CEL expressions.
• Egress selector configuration support for calls to issuer.url and issuer.discoveryURL.

You can learn more about this feature on the structured authentication configuration page in the Kubernetes documentation. You can also follow along on the KEP-3331 to track progress across the coming Kubernetes releases.

Try it out

In this post, I have covered the benefits the Structured Authentication Configuration feature brings in Kubernetes v1.30. To use this feature, you must specify the path to the authentication configuration using the --authentication-config command line argument. From Kubernetes v1.30, the feature is in beta and enabled by default. If you want to keep using command line arguments instead of a configuration file, those will continue to work as-is.

We would love to hear your feedback on this feature. Please reach out to us on the #sig-auth-authenticators-dev channel on Kubernetes Slack (for an invitation, visit https://slack.k8s.io/).

How to get involved

If you are interested in getting involved in the development of this feature, share feedback, or participate in any other ongoing SIG Auth projects, please reach out on the #sig-auth channel on Kubernetes Slack.

You are also welcome to join the bi-weekly SIG Auth meetings held every-other Wednesday.

Busy day, but I created time to read a number of interesting items that you’ll find below. Enjoy!

[blog] Explaining Trunk Based Development. Here’s a good walkthrough of the definition, benefits, and challenges of this “single source of truth” source control strategy.

[article] 4 Software Design Principles I Learned the Hard Way. These are fairly specific, but useful ideas around software architecture.

[blog] The Art of System Debugging — Decoding CPU Utilization. Troubleshooting modern software and infrastructure isn’t as simple as checking a monitoring dashboard. This post brings to life the journey to find a specific performance problem.

[blog] Pub/Sub to BQ connector. Real-time data processing isn’t easy. I like that we’ve made it simpler (i.e. fewer moving parts) to push data from our messaging service directly into the data warehouse.

[blog] The Humane AI Pin: A Case Study in Poor Strategy and Poor Execution. What is good strategy, and good execution? Sometimes a case study can help, as this one does.

[article] Vulnerabilities Versus Intentionally Malicious Software Components. Know the difference between a vulnerability and malware. Good examples of both here.

[blog] New additions to Amazon Bedrock make it easier and faster than ever to build generative AI applications securely. AWS shows up to the generative AI party with some nice updates to their Bedrock platform.

[article] Microsoft unveils Phi-3 family of small language models. Microsoft gets into the open model game with these small, high performing editions.

[article] Snowflake releases a flagship generative AI model of its own. Sure, everyone ships a model now. This one is supposed to be good at database code.

[blog] A Promising Methodology for Testing GenAI Applications in Java. Can you use LLMs to confirm the responses from … LLMs? This example from the Docker team shows a possible pattern to use.

[blog] Using Gemini to help write Synthetic Monitoring tests in Google Cloud. Speaking of tests, I like this example of generating a set of tests for synthetic monitoring. Built-in AI generation, FTW.

[article] IBM to Acquire HashiCorp, Inc. Creating a Comprehensive End-to-End Hybrid Cloud Platform. This moved quickly! Hopefully this turns into a great deal for users of Hashicorp’s widely used products. More here.

##

Want to get this update sent to you every day? Subscribe to my RSS feed or subscribe via email below:

By Gaurav Sharma, founder and CEO of Attrock, a results-driven digital marketing company he grew an agency from 5-figure to 7-figure revenue in just two years. He also contributes to top publications like HuffPost, Adweek, Radical Candor, Business 2 Community, TechCrunch, and more. 

It’s no news that remote work has become the norm since the onset of the COVID-19 pandemic. And despite many folks returning to in-person activities, many employees still work remotely, and many managers’ leadership communication skills with their remote teams leave a lot to be desired. 

While working remotely has its perks, such as more flexibility, it also has major challenges. One of these is effective communication. 

In a Forbes study, 49% of respondents stated that ineffective communication affected their productivity.

How do you keep everyone on the same page as a remote team leader without face-to-face interactions? 

Well, the answer lies in what you’re about to read below. I have compiled a list of the seven most important leadership communication skills for managing a remote team.

Let’s get into it.

Want to improve your remote communication skills? Let's talk! 

7 Non-Negotiable Leadership Communication Skills for Remote Managers 

1. Create an Effective Remote Team Communication Strategy

First things first, your communication needs to be strategic.

What tools do you use to reach out to your team consistently? How often will you engage with your team members?

These are some important questions you should cover with a communication plan.  A communication strategy prevents remote teams from feeling disconnected, alongside many other issues that come with inconsistent communication.

The previously cited Forbes study shows how poor communication affects trust in the workplace.

So how exactly do you put this into place?

First, determine the communication channel that will be most effective for your team. While the old-fashioned email might work for communication that doesn’t require an immediate response, you might need something different to replicate in-person, impromptu communication.

Remember that everyone is different, which is why you need to ask each member of your team what works for them. While some people may want to talk on the phone several times a day, others might find this disruptive and stressful. 

Don’t assume that what works for one person will work for every person.

That being said, for effective communication with remote teams, you should also look for an interactive communication channel that everyone agrees on, like Slack. 

Also, your communication plan should include your meeting schedule. The meetings could be daily, weekly, or any other time frame that works.

Learn the art of impromptu conversations >>

2. Make Sure Your Communication is Specific and Clear 

One of the biggest communication challenges remote workers face is a lack of clarity. Some workers may not know their exact duties, deadlines, and performance goals because no one has explicitly told them.

Radically candid communication is measured not at the speaker’s mouth but at the listener’s ear. So while you think you may had communication with someone, if they didn’t get the message, your communication was not effective.

So, as a remote team manager, you need to communicate the team goals effectively. Ensure each team member knows the objectives and how to align themselves with them. 

Your communication should be precise and concise. The employee should know how and when to complete tasks.

I’d recommend creating a priority list for each task for your team members. Also, setting clear performance standards helps with effective team communication.

Alongside the goals, you also need to set clear deadlines for tasks and projects. For instance, if your team is working on influencer marketing campaigns, state clear performance metrics using the Objectives and Key Results (OKRs) method.

Ensure each team member knows how you’ll evaluate their work by setting clear expectations and performance metrics. With these, you could limit misunderstandings and guarantee accountability and effectiveness.

3. Create An Accessible Remote Workplace Culture

As I stated earlier, what works for one person does not work for every person. This is especially true for folks who identify as neurodivergent.

Since neurodiversity is a spectrum, understanding how to effectively communicate with someone on that spectrum depends on getting to know the person well enough to understand how they like to communicate and whether or not they need any workplace accommodations to set them up for success. 

If a teammate has disclosed they are neurodiverse, the first thing a leader should do is solicit feedback from that person about what they need to be successful. (This article from Forbes is a great resource.)

When giving feedback to neurodiverse employees, use concrete examples and avoid vague or ambiguous language. Double down on being clear and specific. This can help neurodivergent individuals better understand the feedback and make any necessary improvements. One of the easiest ways to do this is by using the CORE model. Feedback should never be about someone’s personality or about any aspect of their neurodiversity. 

Consider tailoring your communication style to accommodate their needs. Some neurodivergent individuals may prefer written communication over verbal, while others may benefit from visual aids or structured frameworks. 

By adapting your communication style, you can ensure that your feedback is effectively received and understood. The rules of remote work are not inflexible. While many leaders recommend in-person or on-video conversations, that might not be effective for everyone and it’s OK to adapt your communication medium to the other person’s needs.

Create a safe and inclusive environment where neurodivergent teammates feel comfortable expressing their thoughts and concerns. Encourage open dialogue and actively listen to their perspectives. By fostering a culture of respect and understanding, you can create a supportive space for everyone to thrive.

4. Double Down On Active Listening On Remote Teams

Managing a remote team isn’t just about giving directives and getting feedback. It’s a lot more than that.

One of the most important leadership communication skills you should have is listening skills. And not just listening skills, but active listening. While getting feedback from your team members is great, how you understand and act on the feedback is equally important.

Picture a scenario where a team member shares an idea or gives feedback and you aren’t paying attention. This usually leads to miscommunication and could affect the team’s cohesion.

Active listening involves paying attention to each team member. It involves staying engaged with each conversation, listening with the intent to understand, and asking clarifying questions without rushing to reply.

The goal here is to understand the speaker’s perspective, ideas, or even complaints. 

You’d also need to pay more attention to subtle cues while communicating with team members virtually. 

Be interested in and actively listen to what your team members are saying. One of the main perks of active listening is that it makes team members feel valued. Active listening also provides the best opportunity to understand each team member. 

If the communication isn’t clear, you can ask follow-up questions.

You can learn each person’s preferences, needs, strengths, major challenges, and more just by listening actively.

Active listening doesn’t stop with you. It can become the team culture. To encourage active listening, use interactive communication channels. For instance, video calls can help improve communication within a remote team.

Encourage other team members to pay more attention to team discussions as well.

Ensure you acknowledge work well done while motivating them to get even better by showing everyone what good looks like.

5. Lean Into Empathy (Not the Ruinous Kind)

Your team members aren’t mindless robots. It’s important to show empathy and compassion when communicating with your remote team members. 

With online communication, it’s quite easy to send a strongly worded message that can come off as harsh. This is because the natural body language cues are absent. 

How can you avoid this?

Adopt Compassionate Candor. Compassionate Candor engages the heart (care personally) and the mind (challenge directly). It’s communication that is kind, clear, specific, and sincere.

Compassionate Candor focuses on leaders demonstrating that they care personally about their employees as human beings.

This includes learning about their aspirations and goals through Career Conversations and regular one-on-one meetings, demonstrating an interest in helping them achieve them, and making clear that feedback goes both ways. Caring personally builds a foundation of trust that allows a culture of feedback.

6. Boss Up Your Written Communication Skills — AI Can Help

For starters, ensure you organize your thoughts properly when writing. You can draft and edit your messages and announcements to get a refined output.

When using written communication, you should be concise and precise. You do not want to drown your team members in a wall of text. Break down your text into easily understandable formats.

Using tools like Grammarly to check your tone, clarity, and message can help take some of the guesswork out of effective written communication. Leaders can also use products like Textio to ensure that written performance feedback is unbiased.

If writing is a difficult communication medium for you, consider recording yourself talking and then use an AI program to transcribe and synthesize the message. You can join Radical Candor’s weekly AI Live chat to learn more about how AI can simplify some of your work.

Watch our weekly AI Life chat >>

7.  Foster Inclusive Communication On Remote Teams

Here’s how.

First, ensure your communication does not discriminate or stereotype anyone based on gender, age, race, etc. Show respect for each team member’s identity. For instance, you can adopt gender-neutral language when communicating with your team members.

Also, you can ask your team members how they want to be addressed. Learn the right way to pronounce their names, while using affirmative and empowering language. 

Learn more about this in Radical Candor author and co-founder Kim Scott’s new book Radical Respect: How to Work Together Better.

I always recommend using each team member’s preferred communication medium, especially when it isn’t a team meeting. Ensure there are different communication options available to foster inclusion.

Most importantly, ask for feedback from your remote team members and be willing to improve your verbal and written interactions based on that. A detailed guide by Attrock provides some more tips on how you can effectively manage a remote team.

Ready to Develop Your Remote-Team Leadership Communication Skills?

I know managing a remote team is a lot of work. However, these leadership communication skills can help you keep your team engaged and efficient. 

Always keep in mind that the major goal of communication is understanding. Work on these skills I have listed above and watch your team blossom.

If you have questions about leadership communication skills for managing a remote team, email advice@radicalcandor.com or ask our AI Radical Candor bot (personally trained by the Radical Candor team).

* Gaurav Sharma is the founder and CEO of Attrock, a results-driven digital marketing company. He grew an agency from 5-figure to 7-figure revenue in just two years | 10X leads | 2.8X conversions | 300K organic monthly traffic. He also contributes to top publications like HuffPost, Adweek, Radical Candor, Business 2 Community, TechCrunch, and more.

————————————————————————————————————————————————————————————–

• Take the Radical Candor quiz >>
• Sign up for our Radical Candor email newsletter >>
• Listen to the Radical Candor podcast >>
• Shop the Radical Candor store >>
• Get Radical Candor coaching and consulting for your team >>
• Get Radical Candor coaching and consulting for your company >>