►
From YouTube: Argo Contributors Office Hours Dec 12th 2021
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
All
right,
good
morning,
everyone-
hopefully
you-
can
see
my
screen.
Welcome
back
to
the
contributors
meeting,
looks
like
we
have
a
few
topics
this
morning.
So
let's
get
started
so
the
first
topic
hari
as
usual.
Do
you
want
to
take
over
for
the.
B
B
I
think,
as
usual,
we
will
set
the
primary
and
secondary
for
the
week
before
that
any
comments
from
keith
and
alex
for
the
last
week.
If
there
is
anything
that
is
highlighted
from
the
tries
and
discussions.
B
Remedy,
can
you
actually
go
to
that
list?
Let's
see
who
can
be
the
next?
I
think
we
are
done
dan.
I
think.
Do
you
want
to
be
the
primary
for
the
week
as
in
the
list.
A
What's
the
exact
dates,
is
it?
Is
it
monday
to
sunday
or
is
it
it.
A
B
A
Thank
you
all
right
great.
So
next
topic,
it
looks
like
is
argo
cd
interlace.
So
I'm
not
sorry.
If
I
mispronounced
your
name,
would
you
like
to
take
over?
Yes,
thank
you.
Thank
you
very
much.
I'll
share
on
the
screen.
F
Okay,
you
see
the
screen
right
right.
Okay,
great!
Thank
you!
Okay,
thank
you
again
for
the
opportunity
to
share
our
project
in
this
call.
We
shared
it
last
last
call
it
was
short,
but
this
time
we
will
take
like
10
to
15
minutes
to
do
this
if
it's
possible.
So
so
we
I'm.
My
name
is
I
showed
me
so
I'm
we
are
from
ibm
research
today,
my
colleague
eugene
and
I
joined
this
today's
code,
so
we
are
working
in
the
area
of
cloud
security
related
research
projects.
F
F
So
the
purpose
of
this
talk
is
to
share
the
project
and
with
the
community
here
and
to
get
your
feedback
on
this
project
and
also
possibly
to
see
we
can
contribute
this
project
to
the
community
if
there
is
any
interest,
so
let
me
start
the
with
the
problem
statement.
So,
what's
the
problems
that
we
trying
to
address
today?
F
Is
that
so
when
you
deploy
application
in
by
through
argo
cd
detox
process,
so
you
have
this
github
in
the
source
material
sign
the
github
repository,
so
you
use
the
helm
and
has
to
customize
template
engines
are
internally
used
in
argo
cd
to
generate
the
kubernetes
manifest
from
the
source
materials,
so
those
source
material
manifest
is
deployed
to
the
target
cluster.
So,
but
there
are
two
questions.
Naturally,
that
comes
up.
F
For
example,
first
question
would
be
as
from
the
cluster
admin
perspective
of
the
target
cluster,
so
the
first
question
might
be
as
a
cluster
I
mean
I
want
to
know
if
source
materials
used
are
properly
signed,
so
to
make
sure
that
the
manifest
was
generated
from
the
signed
verified
source
materials.
So
there
are
various
signing
mechanisms
for
source
material
signature,
for
example.
Currently,
one
good
example
is
that
argo
cd
is
already
providing
a
commit
signature
verification.
F
So
if
there's
commit
signature
is
available
and
if
it's
very
powerful
it
will
seem,
but
it's
whether,
however,
the
signature
is
not
attached
to
the
generated
manifest
that
is
deployed
to
the
cluster.
So,
regardless
of
what
signature
was
used
for
signing
the
source
materials
or
verifying
the
source
materials,
what
we
want
to
achieve
here
is
to
is
to
create
the
signature
for
the
generated
manifest
that
will
be
deployed
to
the
cluster.
F
So
if
the
source
materials
have
a
little
signature,
so
if
the
source
material
does
not
have
valid
signatures,
so
then
the
generated
manifest
to
be
deployed
to
the
cluster
will
not
have
the
signature
attached.
So
as
a
result.
So
what
will
happen
is
that
at
the
cluster
side,
cluster
admin
could
verify
if
the
manifests
were
deployed
were
generated
actually
from
the
genuine
source
materials
which
could
be
verified
the
signature.
F
There
are
signature,
verification
so
on.
So,
but
it's
easy.
If
the
cluster
admin
has
access
to
the
github
repository,
they
can
go
ahead
and
check
it
directly,
but
also
argo
city
ui.
But
could
we
enable
this
verifiability
and
this
transparency,
even
without
such
direct
access?
That's
what
we
try
to
focus
on
here.
F
So
the
next
important
aspect
is
that,
for
example,
if
we
just
have
the
signature
for
the
manifest
it's
possible
to
know
to
see
manifest
was
generated
from
the
genome
in
source
material,
but
it's
not
possible
to
know
like
how
source
materials
was
transformed
to
generate
the
manifest,
whether
if
it's
to
customize
or
help
template
or
what
other
plugins
and
so
on.
So
in
summary,
so
we
want
to
achieve
both
of
these
questions.
Households,
materials
signed
properly
from
and
also
how
the
source
materials
were
transferred.
F
So
to
in
order
to
address
these
two
problems,
we
proposed
a
plugable
tool
called
argo
city
intelligence.
So
this
is
just
an
application.
Controller
just
add
an
on
top
of
vanilla,
argo
cd,
so
once
it's
deployed,
so
if
the
when
the
application
seems
happen
or
the
argo
cd
keyed
up
thing
happens
in
class
automatically
detects
that
then
checks
the
source
materials.
If
it's
valid,
the
signature
is
valid.
It
generates
the
signature
for
the
manifest
and
patches
the
manifest
with
the
signature.
F
So
if
the
source
material
is
let's
say
if
the
source
material
is
compromised,
means
that
it
does
not
have
the
valid
signature
so
then
intellect
will
not
attach
a
signature
to
the
manifest.
So
if
the
let's
say,
if
then,
why?
Why
do
you?
Why
do
we
need
such
thing
in
this
case,
so
who
would
require
such
capability?
For
example?
Let's
imagine
few
use
cases
here.
So
one
is
the
cluster
enforcement,
as
I
mentioned
here.
F
So
if
you
have
the
signature
for
the
resources
that
is
deployed
to
the
cluster,
so
we
can
enable
like
admission
controller
technologies
to
enable
verification
of
the
resources
at
the
time
and
also
allow
only
the
resources
which
have
valid
signature
or
the
old
allow,
only
the
resources
that
are
generated
from
the
value,
valid
or
genuine
source
medicals,
and
also
there's
another
aspect
of
cluster
in
like
a
resource
verification
for
any
time
administrator
could
verify
so
what
resources
should
be
deployed
at
the
moment,
given
time
so
work
through
these
githubs
process
and
who
signed
those
science
source
medievals,
they
could
all
verify
this
kind
of
information.
F
So,
in
addition
to
that,
it's
also
possible
to
have
a
kind
of
a
periodical
observation
of
the
source
materials
than
their
status
for
the
signature,
verification
statements
and
so
on.
So
if
there
is
any
valid
value
violation,
so
there
you
can
alert
that
and
so
on.
So
it
kind
of
improves
the
whole
security
aspect
of
this,
the
kid
of
specific
github
process
through
arco
city.
So
this
is
the
kind
of
a
solution
idea.
F
So
just
let
me
briefly
explain
about
how
the
the
architectural
view
of
this
pro
intellect
intelligence,
so
basically
interlaced
as
an
application
controller.
It's
pluggable
to
the
vanilla,
argo
cd,
which
means
that
it
just
looked.
It
just
observes
the
application
resource
status,
specifically
the
status
information.
So
when
there's
a
status
changers,
it
detects
that
okay,
there's
a
github
sync
process
started
or
if
there's
a
new
application
or
if
their
existing
application
is
updated.
So
then
it
captures
the
source
information
and
then
from
the
source
information.
The
class
can
verify
the
source
material.
F
So
in
this
case,
when
I
say
verify,
source
materials
you
could
use
already
existing
mechanism
like
commit
signature.
Also,
like
another
mechanism
like
a
gpc
signing
to
create
a
check,
some
hash
values
for
the
verify
all
the
files
and
generate
signature
for
that.
So
then,
based
on
the
assumption
that
we
could
verify
the
source
material,
so
we
could
generate
the
signature
for
the
manifest
which,
which
is
done
through
the
api.
Argo
cd
api
through
the
api
calls
so
and
also
in
addition
to
that.
So
we
want
to
capture
how
this
transformation
happened.
F
For
example,
whether
it
was
how
the
source
material
was
transformed
to
produce
the
final
manifest
whether
it
was
helm.
So
if
it's
helm,
which
was
the
source
materials
which
was
the
source
repository
that
was
used,
so
if
it's
customized,
then
you
also
can
track
down
further
customize
based
directories
based
repositories
and
so
on,
like
recursively
track
down
all
the
resources
that
were
used
to
generate
this.
So
this
which
can
be
captured
and
attested
as
a
kind
of
a
record,
a
verifiable
record
of
you.
F
Some
may
call
it
provenance
record
where
you
can
trace
back
to
the
source
and
see
okay,
what
was
used
for
generating
this
manifest.
So
this
is
kind
of
a
high-level
idea
of
this
project
this.
So
let
me
so
if
you
have
any
question
before
I
will
move
on
to
the
demo,
so
I
will
I
can
talk
or
I
can
go
ahead
and
explain
how
things
work
in
in
quick
demo.
G
I
think
one
question
which
I'll
probably
see
in
the
demo
is
does
interlace
sign
the
manifests
or
does
it
verify
already
signed,
manifests.
F
C
F
Yes,
at
the
moment
there
to
to
what
we
do
is
that
we
have
a
kind
of
an
empty
configuration
map
in
the
soy
github
repository.
So
then
we
we
we
identify
that
resource
as
the
resource
signature
that
we
use
in
the
annotation,
then
I
will,
I
will
show
you.
This
is
a
real
example
here,
let's
let
me
go
to
the
real
example
here.
So,
okay
here
this
is
my
source
example
right.
So
this
is
customized
example
I'm
showing
here
so
this
I'm
defining
us
like
a
empty
empty
resource.
F
So
where
I'm
saying
okay,
this
is
my
resource
signature.
Please.
If
this
resource
has
this
particular
annotation,
so
I
will
use
this
okay.
This
is
my
signature
resource.
Then,
when
argo
cd
uses
this
resource
material
to
generate
the
manifest,
so
the
it
will
have
this
empty
resource
generated.
So
when
this
empty
resource
is
created
in
the
cluster,
so
then
are
we
see
using
the
argo
cd
api.
You
can
embed
the
signature
to
this
resource.
F
I
will
show
that
in
short
in
the
demo,
so
let's
say
before
that:
okay,
so
here
this
is
the
source
material,
as
I
said
so
when
I
say,
source
material
is
signed,
so
one
mechanism
is
to,
of
course
you
can
use
this
commit
signature
here.
What
we
use
is
okay,
we
look
at.
We
take
the
hash
values
of
the
every
file
here
in
this
repository,
and
then
we
create
the
signature
gpg
signature
for
this
list
of
hashes
here.
So
then
we
can
verify
this
interlaced
will
take
this
file
and
verify
the
signature.
F
F
Okay,
it's
not
ready,
so
I'm
going
to
create
an
application
here,
so
we
just
but
the
resource
source
material
is
here
right.
So
when
I
create
the
application
in
class,
we'll
be
monitoring
this
application
creation.
Sync
process
started,
so
it
will
detect
that
okay,
then
it
will
vary.
It
will
retrieve
the
application
source
materials
here
and
download
the
arrow
to
see
through
the
argo
cd
api.
It
downloads
the
manifest
here
and
attach
the
signature
here.
So
so,
what
let
me
show
you
the
exact
example
of
how
the
signature
looks
like
here.
F
So
this
is
the
application
that
I
just
created
now.
So,
as
I
showed
you
earlier,
so
I
created
the
mtc
empty
resource
in
the
source
material
so
which
has
the
which
had
the
annotation,
so
intellis
can
retrieve
the
manifest
and
search
for
the
signature
resource
using
the
predictor,
for
example.
Here
using
this
annotation
intellect,
can
detect
this
okay.
This
is
the
resource
image.
F
It
should
attach
the
signature.
So
here
this
is
the
signature
that
interlaced
has
attached.
So
this
message
contains
the
actual,
manifest
content
the
base
encoded
content
of
the
manifest
for
entire
manifest
for
this
application.
So
this
this
will
be
the
signature
resource
that
will
be
used,
for-
let's
say
let's
say
if
you
want
to
enforce
the
signature,
verification
in
the
cluster
site.
You
can
use
this
signature
and
there
is
message
content
to
verify
the
rest
of
the
resources
that
should
be
verified
before
you
allow
them
to
be
created
in
the
cluster.
F
F
F
Yes,
actually
we
do
have
a
technology
called
integrity
shield,
which
is
a
different
project
which
has
the
basically
you
know
this
is
the
introduction
project,
which
has
the
mechanism
to
verify
the
incoming
resources
based
on
signature
verification.
So
we
use
this
interla
integration.
Basically,
underlying
mechanism
is
the
gatekeeper,
so
there's
the
integration
at
least
the
logic
is
here.
We
are.
It's
also
part
of
the
six
store
project
that
you
might
be
aware
of
that.
F
So
there
is
a
way
to
sign
the
source
made
science-
the
like,
let's
say,
kubernetes
resource
like
here,
and
then
you
can
verify
the
risk
signature
of
these
resources
when
they
are
deployed
here.
So
in
this
case
of
detox
process.
So
we
will
use
this.
Let's
say
when
argo
cd
deploys
the
resources
here
to
the
target
cluster
target
cluster
will
have
the
integrity
shield
mechanism
protection.
So
then
integration
will
take
the
resource
resource
signature
and
then
it
will
verify
the
rest
of
the
resource
that
is
deployed
by
our
cd.
B
Topic,
yes,
so
before
this
argo
city
has
the
manifest
it
tries
to
deploy
right,
and
at
this
time
your
interlace
tries
to
verify
and
resigns
the
signature
right.
F
B
It
verifies
the
source,
material
and
science,
the
manifesto
right.
Okay,
so
you
you,
so
your
shield
actually
waits
for
it
to
to
have
a
valid
signature
or
what
happens
actually
in
the
meantime,
by
the.
J
B
Signs
the
manifest.
So
could
you
rephrase
your
question?
Please
so
will
it
actually
so
argo
city
has
the
memphis
it
tries
to
deploy?
Yes
in
the
meantime
tries
to
verify
and
science
the
manifest
right
yeah.
So
there
will
be
a
time
where
it
can
be
deployed
in
the
meantime.
So.
F
Yes,
so
what
will
happen
is
that
so
here
in
the
in
this,
for
example,
in
the
industry
shield,
can
prevent
the
resources
from
being
created
in
the
cluster
without
signature.
So
it
means
which
means
that.
So
that's
why
we
use
the
mechanism
called
empty
signature,
so
empty
signature
is
a
special
resource
where,
let's
say,
for
example,
english,
empty
signature,
for
example.
Here
with
this
flag,
it
you
could
still
can
say.
Oh,
this
is
an
empty
empty
resource
which
will
indicate
you
will
allow
this
resource
to
be
created.
F
So
once
this
resource
to
be
created
once
this
resource
is
created
in
the
cluster
target,
cluster,
then
intellect
can
actually
patch
the
resource
this
resource
right,
because
because
in
order
to
use
argo
cd
api
to
patch
any
resource,
the
resource
must
exist
in
the
class
surface.
Right,
that's
a
requirement!
F
So
that's
why
we
use
this
kind
of
mechanism
to
empty
the
resource,
and
then
we
allow
the
this
resource
to
be
created
in
the
target
cluster
and
then
in
class,
we'll
patch
that
resource
with
the
signature
and
then
integration
will
use
that
signature
resource
to
verify
the
rest
of
the
resource.
That
is
deployed
by
argos
city.
F
Yes,
so
that's
the
demo,
so
I
think
actually
yeah.
So
let's
say,
if
I
just
let's
say
if
I
go
ahead
and
do
some
changes
like
let's
say
I
just
go
ahead
and
change
this
without
without
proper
x
signature
here
right
so.
F
What
will
happen
is
that
okay,
I'm
going
to
commit
this
one,
and
so
now,
let's
say
if
I
sync
this
process
refresh
this
application.
So
what
will
happen
is
that
okay,
signature
resource
will
not
have
the
let's
say
lftc.
F
Okay,
so
this,
what
should
happen
is
that
here
it's
many,
the
signature
should
disappear
from
this
resource
here.
So
that's
the
idea
that
we
vendor
when
when
when
the
signature
resource
is
like
a
for
example,
signature
resources
like
a
this
source
material
signature
is
not
verified
successfully.
Then
uclass
will
not
generate
the
signature
for
the
resource
for
the
many
members
here.
So
that's
a
end-to-end
flow
here.
F
So
so,
just
to
find
and
finish
my
talk
here
so
so
current
status
of
this
project
is
that
we
have
open
source
this
as
a
part
of
this
ibm
flow.
So
we
would
like
to
contribute
this
project
to
the
argo
cd
project
lab.
So
the
one
of
the
advisory
code
is
to
create
this
issue,
so
I
think
the
one
of
the
requirement
to
contribute
this
project
to
the
community
is
that
we
need
some.
We
need
to
have
the
endorsement
or
the
sponsorship
from
sub
project.
Many
maintain
us.
F
So
we
would
like
to
say
invite
you
have
interest
this
project
and
if
you
see
the
there's
some
more
interest
here,
so
we
would
like
to
have
your
sponsorship
support
so
that
we
can
contribute
this
project
to
the
whole
community.
And
then
we
keep
developing
this
to
be
useful
for
the
entire
community
for
the
end
users
as
well,
and
thank
you
very
much
for
your
time
again.
G
F
I
These
are
just
details
right,
so
thanks
thanks
guys.
Yes,
I
I
have.
I
have
not
fully
understood
how
how
it
works,
but
I
definitely
will
take
a
look
and
I'm
from
so
from
from
the
point
of
like
just
having,
instead
of
you
mentioned
earlier
like
right
now,
our
cd
is
able
to
to
verify
pgp
signatures
and
git
commits
right,
but
that
is
just
like
one
thing
you
you
can
do
and
if
you
actually
have
science
data
within
your
sources
that
actually
can
be
verified.
That's
that's
pretty.
I
I
Useful,
so
yes,
it
definitely.
J
I
Interesting
enough
to
to
to
deep
dive
into
it
so
yeah,
I
actually
you
called
my
interest.
So
thanks
thank.
G
Yeah,
I
think
the
next
possible
steps
for
the
further
would
be,
I
would
say,
of
course,
we
need
to
as
a
community
and
the
maintainers
would
go
through
the
project.
Try
to
understand
it
better,
because
I
think
your
demo
was
amazing,
but
since
it
does
touch
upon
a
lot
of
advanced
concepts
which
a
lot
of
us
were
not
thinking
about,
it
will
take
a
while
for
people
to
cross
exactly
what
are
what
what
we
are
verifying
and
which
are
the
security
vectors.
We
are
blocking
with
respect
to
this.
G
Okay,
the
attack
vectors,
we're
blocking
with
respect,
so
I
think,
once
that's
done
we'll
effectively
need
nods
from
at
least
a
couple
of
our
cd
maintainers,
since
this
is
a
very
rvo
series,
specific
thing.
Yes,
that
would
be
so
those
would
be
the
next
steps,
I
would
say.
B
Well,
I
think,
thank
you,
sir.
We
can
move
on
to
the
next
topic.
A
Yep
sounds
good.
Thank
you.
That
was
really
interesting.
So
thank
you
for
presenting.
Let
me
share
my
screen
with
the
agenda
again.
A
All
right,
can
you
guys
see
my
screen?
Yes,
perfect,
all
right,
so
it
looks
like
the
next
topic
is
applications
outside
the
argos,
unique
cd
name
space.
So
beyond
it
looks
like
you
have
a
proposal
open
for
this.
I
I
wasn't
aware
that
this
is
on
the
agenda
for
today,
but
yeah.
I
I
think
last
time
we
briefly
spoke
about
that.
I
just
wanted
to
to
raise
awareness
of
that
for
for
getting
some
eyes
on
it
right,
but
I
think
in
the
meanwhile
we
also
spoke
so
I
spoke
to
jesse
and
to
alex-
and
probably
we
need
some
more
discussions
on
that
yeah.
But
basically
this
this.
I
This
is
a
proposal
about
like
having
the
possibility
to
to
allow
application
resources
to
exist
outside
the
agrocd
control,
plane's,
namespace
and
yeah.
I
I
put
together
a
lot
of
thought
into
that,
so
major
use
cases
would
be
self-servicing
from
from
users
in
a
declarative
way
without
having
to
revert
to
the
api
or
having
to
revert
to
use,
pull
requests
and
have
those
reviewed
by
some
kind
of
cluster
administrator
or
our
cd
administrator,
so
yeah.
I
The
goal
of
this
is
to
to
rethink
a
little
bit
about
the
multi-tenancy
model
that
we
have
and
to
to
drive
aggro
city
more
in
a
in
a
self-service
model,
even
when
using
the
the
declarative
approach
by
creating
application
resources,
for
example,
from
git
right
so
yeah.
It's
I
just
wanted
again
to
raise
awareness
and
pull
some
eyes
on
it,
for
review
and
for
your
thoughts
and
and
things
that
I
may
have
overlooked,
or
things
that
are
unrealistic.
D
Yeah,
so
I
think
this
is,
I
agree.
This
is
a
direction
that
I
want
to
go
in.
I
think
one
thing
I
was
wondering
is
that
with
this
mechanism
work
when
there's
for
the
managed
clusters,
so
where
the
like,
how
could
we
get
it
to
work
when,
if
you
have
a
remote
cluster
that,
like
needs
cell
servicing,
if
the?
If,
if
a
user
has
or
is
this
only
in
the
control
plane
where
they
could
have
yeah.
I
The
way
the
way
I
wrote
that
proposal
currently
and
also
the
I
wrote
an
accompany
accompanying
poc
for
that
that
it's
it's
just
within
the
control
plane,
cluster
right
and
probably
when
you
want
to
have
remote
classes,
you
will
have
several
challenges,
but.
I
The
application
controller
itself-
I
mean
it
will
have
the
connection
to
the
remote
cluster
and
it
already
watches
everything
there
and
but
it
would
complicate
matters
right.
So.
D
Yeah,
no,
I'm
not
I'm
not
totally.
Actually
I
don't
know
the
the
correct
answer
flight
like
that.
Even
should
be
a
feature
like
if
yeah.
I
D
D
Be
perfectly
fine,
so
the
the
idea
is
that
the
end
users,
they
essentially
get
a
name
space
in
the
control
plane
right.
B
D
D
But
okay,
the
are,
there
are
the
projects.
How
are
the
projects
involved.
I
The
projects
they
just
they
they
they
are
not
touched
right.
So
the
proposal
doesn't
touch
the
project
and
the
project
still
provides
the
same
level
of
governance
that
it
does
right
now.
I
I
Maybe
this
can
also
be
merged
with
the
with
the
target
names,
but
I'm
I'm
not
quite
sure,
but
probably
should
not.
But
so
you
you
can,
you
can
say
the
allowed
namespaces
for
this
project
are
foo
and
bar,
and
then
applications
that
are
created
in
namespace,
foo
and
bar
can
specify
the
project
and
an
application
that
specifies
this
project
that
would
live
in
in
namespace
bats
would
be
forbidden
right.
So
the
application
controller
would
say
this
is
not
allowed.
Please.
I
I
ignore
this
application
go
away
so.
C
Yeah
I
figured
that
projects
and
names
and
namespace
are
going
to
be.
There
will
be
some
kind
of
relationship
between
project
and
namespace.
I
was
surprised
like
don't
you
think
it
would
make
sense
to
maybe
maybe
have
a
label
that
says
that
can
be
applied
to
a
namespace
and
then
argo
cd
would
automatically
create
a
project
for
state
namespace.
C
My
impression
was
that
we
want
to
use
kind
of
kubernetes
are
back
as
much
as
possible
to
control
multi-tenancy
here,
or
am
I
overthinking,
and
it's
too
much.
I
G
So
we
actually
have
both.
We
support
both
models
where
the
name
space
so
well.
To
be
precise,
I
think
so.
We
have
a
model
where
we
say
we
have
a
cluster
config
argosy
instance,
but
developers
can
also
spin
up
their
own
argo
cds
in
their
own
namespaces
and
have
their
teams
use
that
argo
cd.
So
we
support
both
the
cluster
config,
argo,
cd,
namespace,
sorry,
the
cluster
config
argo
cd
has
a
lot
more
permissions
to
it.
G
Of
course
it's
not
a
cluster
admin,
but
it
has
a
lot
more
than
but
but
it
has
a
lot
more
than
a
typical
developer,
whereas
the
developer,
argo
cds,
of
course,
are
namespace
code
by
default,
can
only
apply
to
the
same
namespace,
but
other
folks
can
join
into
the
party
if
they
wish
to
from
other
namespaces.
So
that's
the
model
we
have
today
and
I
think
when
I
said
that
I
would
be
happy
with
you
know.
Use
of
the
kubernetes
are
back.
G
What
I
had
in
mind
generally
was
that
you
know
if
I
am
trying
to
deploy
something
on
my
cluster
using
argo,
cd
application
cr.
What
my
permissions
are
on
that
namespace
should
be
evaluated
before
application.
Cr
drives
deployments
of
those
objects
like,
for
example,
if
I'm
not
allowed
to
create
deployments,
there's
no
way.
I
should
be
able
to
create
an
application
cr,
which
creates
deployments.
D
Oh
yeah
yeah,
but
that
one
I
think
we
there's
there
was
a
separate
issue
about
impersonation,
where
I
think
it's
somewhat
related
to
this,
but
I
think
we
can
achieve
that
capability
independently
to
visit
correct,
yeah
yeah.
I
had
a
question
about.
G
Shoot
right-
and
I
think
just
to
add
to
that
in
general-
we
do
not
ex
like
we
do
not
like.
We
expose
our
users
because
again,
like
open
shift,
is
kubernetes
plus
a
lot
of
batteries
with
it.
So
users
can
totally
go
in
and
use
app
projects
the
api
the
way
they
wish
to.
But
in
general
we
don't
publicize
that
a
lot,
because
we
understand
that
kubernetes
is
already
pretty
loaded
with
a
bunch
of
apis
to
use,
so
the
minimal
api
exposure
would
be
best,
which
is
why
you
know
my.
G
G
We
do
have
that
there's
actually
a
there's
actually
a
different
product
which
does
that,
but
then
they
are
internally
using
so
there's
something
called
acm
advanced
cluster
management,
which
is
for
multi-cluster
use
cases,
but
internally
they
also
consume
our
openshift
github
server
cd
to
to
do
the
same
thing,
so
I
think
they
use
app
projects,
but
I'm
not
very
sure,
but
then,
like
none
of
these
stem
from
use
cases
that
come
from
that
other
multi-cluster
story,
which
I
was
talking
about.
But
yes,
we
do
like
multi-cluster
is
definitely
a
use
case.
D
And
that
that
helps,
I
think
I
I
understand
where
you're
you're
coming
from-
and
I
agree
with
alex
because
assuming
like,
if
you're
only
using,
obviously
to
manage
single
cluster,
then
projects
are
right
are
kind
of
a
over
overhead
because
you
can
just
rely
on
kubernetes
are
back
okay
that
helps.
Oh
okay.
Are
there
other
problem
that
I
was
hoping
to
solve
with
maybe
expanding
the
control
plane
to
have
you
know?
D
Applications
across
namespaces
is
the
the
issue
we
currently
have
with
name
collisions
with
application
names
and
also
scalability
of
all
of
the
apps
being
in
the
same
name
space.
I
was
hoping
with
this
proposal.
We
could
do
something
to
help,
but
just
that
and.
D
Maybe
like
the
prod
there's,
a
one-to-one
correlation
between
projects
and
applications
somehow
like
if
we
actually
not
applications,
projects
and
namespaces.
D
So
when
we,
when
we
present
these
things
in
the
ui
right,
like
the
only
when
we
in
this
proposal,
applications
still
belong
to
a
single
project,
is
that
correct.
D
I
D
Then
we
didn't
have
to
create
this
mapping
indirect
mapping,
that
that
is
there's
some
kind
of
reference.
I
think
when
I
saw
the
this,
the
spec.
I
Right
yeah,
I
think
the
the
only
problem
with
that
is
that
in
the
current
incarnation,
their
project
like
controls,
what
is
allowed
right
so
and
and
it's
the
only
it's
the
only
wall
between
the
user
becoming
a
cluster
admin.
So
unless
we
solved
that
so
I
I
mean
there
was
discussions
about
moving
moving
that
all
to
to
kubernetes
arbuck,
but
right
now,
if
you
would
allow
the
app
project
to
to
also
coexist
in
in
a
user,
controlled
namespace
then
probably
would
get
some
problems
right.
So.
D
D
I
guess
the
the
the
project
cr
could
still
live
in
the
I
think
I
like
alex's
suggestion
about.
Were
you
suggesting
we
like
annotate,
that
namespace
convention.
C
Here
I
was
suggesting
to
yeah.
Basically,
one
idea
was
to
under
label
a
namespace,
and
you
know
only
admin
can
label
apply
that
label
namespace.
If
label
is
there,
that
means
argustic
will
automatically
create
a
project
and
yeah,
and
actually
we
can
keep
expanding.
This
idea,
like
label
value,
might
point
to
a
kubernetes
role
in
the
name
space
that's
supposed
to
have
emissions
so
yeah,
basically
yeah.
I
think
we
can
come
up
with
a
way
to
fully
express
you
know
which
resources
in
kubernetes
should
have
data
to
fully
configure
the
project.
I
Yeah
this,
this
is
a
little
similar
to
how
we
do
it
in
the
agrocd
operator
right
now,
so
there
we
also
use
labels
and
namespaces
to
actually
extend
a
namespace
called
rcd
installation
to
to
more
namespaces
right
so
by
default.
If
you,
if
you
install
an
iocd
operand
for
the
operator,
then
only
that
namespace
will
be
allowed
to
be
managed
by
by
this
particular
rcd
instance,
and
then
you
can
go
ahead
and
create
a
new
namespace
or
take
an
existing
one.
I
Put
a
label
on
it
and
and
the
operator
would
would
set
up
all
this
appropriately
like
the
roll
and
roll
bindings
and
would
update
the
cluster
secret
in
the
in
the
auger
cd
installation
so
so
yeah.
I
actually
like
this
idea
as
well.
So
if
we,
if
we
could
move
that
into
the
application
controller.
D
Yeah,
the
other
thing
that
helped
change
my
mind
is
that
the
compatibility
with
other
controllers,
like
the
app
app
set
crd
so
the
originally
I
was
hoping
to
solve
this
with
a
new
crdsu
like
like
you,
but
then,
unfortunately,
if
we
introduce
a
new
crd,
then
things
like
the
app
set
would
not
help
end
users
who
can
create
applications.
G
D
G
Have
a
quick
question
is
this:
is
it
part
of
this
proposal
the
possibility
to
allow
users
to
provide
their
application
reserves
together
with
the
react
with
the
rest
of
their
manifests.
I
I
But
that's
an
interesting
idea,
I
I
haven't
thought
of
that.
No,
so
it's
it's
not
part
of
the
proposal.
Okay,
cool!
Thank
you.
D
I
The
yeah
the
the
api,
the
api
changes-
I
think
they
are
described
because
the
application
names
would
change
right
to
namespace,
slash
name
of
the
application
right
but
to
to
have
to
keep
backwards
compatibility
if
the
application
will
live
in
the
in
the
control
plane,
namespace,
so
rocd
by
default.
The
name
would
not
change
right.
So
the
the
application
foo
in
the
namespace
argo
cd
would
still
be
called
foo.
I
Also
for
the
from
the
api
point
of
view,
and
if
the
application
foo
will
live
in
namesake's
bar,
it
would
become
bar,
slash,
foo
and
yeah,
and
the
prerequisite
of
that
is
is
that
we
actually,
it
has
been
implemented,
the
the
alternative
method
for
identifying
the
application,
the
the
resources
that
are
managed
by
ocd
right
so
because
a
label
only
accepts
like,
I
think,
63
characters
and
with
the
namespace
slash
name
that
you
would
fill
that
quickly
right.
I
D
Yeah,
I
think
we'll
have
to
keep
the
or
the
both
modes,
because
I
know
you
know.
For
example,
they
run
like
close
to
40
argo
cd
instances
in
the
control
plane
cluster.
I'm
not
sure
if
that
that
cluster
alex
would
have
ever
moved
to
this
model,
where
projects
are
yeah
the
tools.
Basically,
because
then
each
of
those
40
argosy
instances
would
produce
potentially
thousand
each
of
projects.
C
D
D
And
yeah
yeah,
okay,
I
think
we're
out
of
time.
B
D
I
Know
thanks
yeah,
I
I'm
always
open
for
for
improvements
or
suggestions
or
whether
something's
not
not
as
as
it
should
be
right.
So
we
can
always
discuss
that,
and
this
is
much
appreciated,
but
yeah
if,
if
the
general
direction
is
that
we
actually
want
to
make
this
use
case
happen,
so
then
I'm
more
than
happy
to
to
drive
it
together
with
you
folks.
So
thanks
thanks
a
lot
for
for
your
thoughts
on
that.
D
A
It
looks
like
there's
one
topic
from
jonathan
and
it
looks
like
it's
really
short
so
jonathan.
If
you
want
to
go
ahead,
yeah.
J
Exactly
yeah,
so
the
application
set
controller
v030
release
is
good
to
go.
I
just
need
someone
one
of
the
owners
of
the
medium
blog
to
hit
publish
on
the
blog
post.
I
pinged
alex
about
it
and
it
looked
like
he
was
pinging
hendrick,
so
that
should
be
good
to
go.
D
A
Thank
you
all
right.
It
looks
like
we
are
done
with
all
the
topics
and
we're
out
of
time
for
today,
but
thank
you
everybody
for
joining
and
we
will
see
you
I
don't
know
for.
Are
we
scheduling
a
meeting
for
next
week?
Is
that
still
the
plan
with
with
all
the
holidays
or
are
we
planning
on
canceling
next
week.
B
Next
week
is
23rd
is
that.
A
Yeah,
okay
sounds
good
all
right,
so
we
will
see
you
all
next
week,
thanks
guys.