
From YouTube: Cloud Custodian Community Meeting 20220829
Description
Our community meeting is public and we encourage users and contributors of Cloud Custodian to attend! You can find the notes for this meeting on our github repo: https://github.com/orgs/cloud-custodian/discussions
To get an invite to the meeting join the google group and you'll receive one via email: https://groups.google.com/g/cloud-custodian
A: All right, welcome everybody. It is August 30th, 2022, and this is the bi-weekly Cloud Custodian community meeting. As always, we do record and put these on YouTube, so be cognizant of that, and also, as always, we are under the CNCF code of conduct, so please be excellent to each other. I am pasting the notes in the side chat there.

A: If this is your first meeting, it's an open agenda, so feel free to add stuff there, or you can type, or you can just interrupt or raise your hand when I ask if there's any other things to go over. And yeah, so we do have a packed agenda today with lots of stuff for us to kick the tires with, Sonny, yeah.

A: So let me take care of some of the introduction first. Anyone have anything burning or anything so far?

A: Okay, awesome, all right. Some governance updates. So, following along on the agenda here, we do have some governance updates. I've linked to the GitHub issue there; that's GitHub issue 7149. It's kind of a long-term thing that we just have pinned there. If you have time to go take a look, shouldn't be any surprises, it looks a lot like other cloud native CNCF projects. There, did someone have enough appeal? You gotta, yeah.

C: Just a quick question, because I've been digging into some of the CNCF commentary, let's say, on some of the other stuff as far as governance, and I'm just curious. Would you regard this as a change to the existing governance structure?

A: I would say it is a codification of what we are doing, but also adding titles to things that we're doing that we didn't do before, right? So you were kind of like the de facto maintainer, but you didn't have a document that said, you know, only Kapil can be the maintainer. You know what I mean?

C: Yeah, and I would say that we have over a dozen maintainers; it's really a question, right, of who shows up to help do the work. Yeah, as opposed to just asking from a perspective with regards to, hey, we're now in incubating, which I don't know if we actually said at a community meeting yet. I don't know if we have.

C: It's just the governance question was really just about wanting to have a year-in track on any regime per se, and whether or not we were changing or codifying what was extant. But, oh no, I'm just curious, yeah.

A: I think the biggest difference for me, having written it and gone through it, is we actually have different roles and responsibilities written down as to what's expected, whereas I think before it's like, hey, you're a maintainer in the AWS, and that comes with implied responsibilities. And I think we're codifying things that we kind of feel are community conventions, like if you're a maintainer in AWS.

A: We should probably expect that you will be doing PRs in that section of the code or reviews in that section of the code, and before we didn't really write that down. As far as...

A: Yeah, because a lot of it is like, if you're gonna be a maintainer you're expected to do, and I think the number was like 30 PRs or whatever. However, I did leave, because I know a lot of projects are starved for attention, right, and what we don't want is you get a new excited person that's really interested and they're doing stuff, and you say, sorry, you can't be a maintainer, you've only done 28 PRs. You know what I mean? So I leave...

A: Leave the existing maintainers always kind of have the, you know, you're a maintainer, you can use your brain and say, nope, you know, we trust this person, we feel they've done the amount of work, we can override that. So I've given us, I call that the relief valve, you know, but then we also kind of say 30-ish is what we expect for you to work with the code base.

A: You know, obviously, if it's 30 trivial PRs, the maintainer who's mentoring them obviously wouldn't just say, well, George, you edited the docs 30 times, therefore now you can be an AWS maintainer. So a system like that wouldn't work either, right? So we kind of set those as guidelines and have the relief valve for the maintainers.

A: I would say it's kind of the adaptation that I've made to how I observed we're behaving and what is written down there, because I also didn't want to go in there and be like, we should change how we do the whole project, because, you know, we're trying to fit into the model. Yeah.

A: Yeah, and that does bring up the CNCF incubation. So the CNCF TOC voted, we're going to be incubated. We just have to write a press release with the CNCF where we put quotes and things like that, and that's in progress. Darren, you're going to get an email from Umer asking for you to put a comment.

A: All right, cool, that should be a lot of fun. Next, we have Governance's Code Day; CFPs are still open. I know at least two of you in this room have submitted. Thank you for that. We are going to keep extending that, though. So, if you still want to do a CFP, that's fine. Please also be aware that they don't have to be full, like, 60-minute sessions. We do have on the form there 10-minute, 20-minute talks.

A: So if you have a thing that's not a huge thing, but you feel it would be useful for the community, for sure feel free to submit to that, and I've left links to the CFP form and all that stuff here. And then I'll just paste in the notes there again for those of you that are just joining. And lastly, we are testing Slack. Steve, we found it was easier for us to just set up our own Slack than it was to get AJ into the FinOps Slack.

A: So we set that up; it's going to be cloud-custodian.slack.com, yeah! I have a link to the inviter there, so if you want to join in, kick the tires. We've got an automated bot that shows the PRs and issues as they're coming in, we've got a channel, we got a dev channel now. So I think before it was like, you had to wait until this meeting to bother someone to have them look at your PR; now you can do it in Slack in real time.

A: If you want to do that, we can kind of organize it the way we want. So the plan I'm gonna do for now: we don't have archiving yet, which will be important because Slack only keeps 90 days rolling. So I'm investigating some current tools; we will figure that out. So we'll kick the tires for now, but we're still quite a ways from saying, you know, hey, we're gonna, quote unquote, move from Gitter, and things like that.

A: However, if you do prefer Slack and want to get in there, give us some feedback on how it's going so far. Every time I've asked, people are like, finally, we're moving to Slack. But I do want to make sure that we do cover for people who might be stuck not using Slack, or, you know, one of the concerns we've always had is, you know, what if Slack is banned at your job and you have to use Cloud Custodian? Do they have a method of doing that?

C: Would also just add that we're not stopping Gitter per se; Gitter will still be available, we're just opening up an additional channel. You know, if there's any show of hands for people that can't use Slack, definitely curious to hear that, but I will otherwise assume that the default is Slack's cool. All right.

A: Yeah, and if you have other co-workers or colleagues and you prefer to use Slack for all your stuff and want to send them invites, just send them to that URL, which, let me paste that in chat so I have it, and this page here will automatically render them an invite and send it to them, and it'll do the right thing. And as soon as you click on it, it'll open in the client and everything. It's actually pretty nice.

A: I was concerned that the onboarding would be hard, but so far, not bad. Anything else? So that's the end of the formal agenda. Before we start looking at PRs and cool stuff, I know Sonny's got something he wants to show everyone today. Anybody have anything burning that they'd like to discuss?

A: Okay, all right, so first things first, Sonny, you want to go first, because I think your each/any support in value filters thing that you want to talk about depends on this. So.

D: Oh right, so I thought they could feel about that this morning. Okay, it might go into a different direction, but it still is sort of relevant. I guess, you want to talk about Kubernetes now or later?

D: Sure, so I'll just start, my screen later.

D: Any of y'all have been paying attention to the PRs, but there is a pull request here, 7697, it adds a new mode on the Kubernetes provider called k8s validator. That might change in the future; this is all up to debate. But basically this implements an admission controller on your Kubernetes cluster that will allow you to write policies that filter on your resources and allow you to either allow, deny or warn on any incoming resources.

D: So I've got this running, when I was just on EC2 with a load balancer in front of it. But basically, if we go to...

D: Thank you, there we go. Basically it's saying on match we warn when you create, and then there's one that says, like, you can't run nginx. So anytime you try to create a deployment with Kubernetes that has nginx in there as the image, then we'll deny it. Again, this value type stuff is, this will change in the future. It's not, as this is based off of a branch.

D: Mfs, okay, we'll bump this up a little bit. As you can see in this manifest, back to what it was before.

D: This might be off of the wrong branch. In any case, I'll show you the log line and what it's supposed to look like. So basically, you'll get this, it's saying failed admission due to policies, and they'll give you the list of policies as well as the description. So if you, you know, need to tell your users, like, you have to have labels, these are the required labels, etc.

D: You can include that in the message, and it will also tell you multiple failures as well, so it won't require your users to continually try to apply the manifest and then run into the same issue over and over again. Additionally, it supports warnings. So in this case it says, you know, you try to create this custom resource, policy report resource, and it gives you a warning, but it's still allowed to create it. And then we also support generating out the validating webhook configuration manifest.

D: So, in this case, this might change in the future to a mutating webhook configuration, but for now it will inspect the policies that you have in your policy directory and then generate the resulting rules that you need to keep, so that way you're not getting every single Kubernetes API server event. And then I think the last bit was on it, it supports all of the operations: create, update, connect, delete. On deletion, it will inspect the previous object, aka what is about to be deleted.

D: That way, you can say, like, if you're trying to delete something that's, I don't know, like mission critical, like can never go down, you can have a policy inspect that and make sure that doesn't happen.

D: It's missing a few docs as well as some policy examples, but that's the progress on that. I'll give it back to George.

B: This is pretty cool, but my question is: is it similar to what OPA Gatekeeper is doing? I don't know if you've heard of that.

D: I think a lot of people don't really like writing or reading Rego, and this is mainly focused on people that are already using Custodian for their governance and basically want to write the same type of rules that you would write for, like, tag enforcement, label enforcement, stuff like validating images are coming from your registry, stuff like that. Not every feature; like, I'm not gonna say we have feature parity with OPA Gatekeeper or anything like that, mostly because I don't know the entire landscape of what OPA supports.

C: I mean, I don't know if it's native per se, but it would be awesome to be able to create, like, a Lambda with a function URL that I could then just set up as the admission controller, so I don't have to worry about the operations of my cluster.

D: Yeah, right now the operations side of things is very immature in terms of documentation and different examples, but I think we'll have some samples. I know John Anderson is working on getting some documentation for, like, setting up with EKS, going through the full flow and stuff like that. So, but yeah, function URL would be really cool.

D: I think the only call out there is wanting to be platform agnostic on Kubernetes to some extent; not everyone that's running Kubernetes is running in AWS. So.

D: Oh yes, he is not from the matrix, but he's from sacred. So Kubernetes has been in the Custodian community for a bit, a bunch of blogs and stuff. He works at Stacklet.

B: Yeah, well, it's more and more, right. We have people coming in from on-prem into cloud, you know, acquisitions and things that are running currently in Kubernetes, and they're not going to switch, like, to ECS or anything, so they're just going to put their whole load into EKS. So, and we already run Custodian across everything, so it would be good for that. Yeah! It's great, I mean, yeah, I mean we should just tell people not to use it.

A: Yeah, I just want to make sure that when we're building this we're not doing it in a vacuum, you know, like, the more feedback we get early, the better. And if any of you are coming to KubeCon; Sonny, are you coming to KubeCon?

A: 7697, I'm just going to put it in chat here where you have it, but it will be in the show notes. Cool, anything else Kubernetes related before we move on?

D: Yeah, Elastic? No, that was, it was just something I had on a branch on my fork. This came up just while doing that.

C: I think it's worth the discussion on the broader group, like, so I think Sonny has a draft PR up that is going to extend value filter to try to deal with the lists of dicts, let's say, but there's...

C: I think something, you know, as a core capability concerning one thing that I feel like has been lacking is this notion of, there's a list of dictionaries and you want to do a multi-attribute, a multi-key match, let's say, on an item in that list. And so treating that as a first-class citizen feels like a better path. Like, think about AWS security group ingress, let's say, or egress: we have rules and you want to do a multi-attribute value match, or, you know, Lambda function URLs.

C: Like, there are dozens of these examples where you have a rich data structure in an array and you want to match multiple attributes of it, and treating that as a first-class entity with a dedicated syntax is sort of one direction to go into, where we just compose the value filter as opposed to extending it directly. And I think that allows for clear expression of intent without...

C: The value filter code, which is already a little bit hairy by itself. But yeah, just curious for feedback, and I'll... unlike that.

D: Yeah, I would say, I think any form of that would be good, because right now it's incredibly, like, you can do some of the things that I mentioned before, like regex over a list, but it is incredibly hacky, and you have to basically just use the JMESPath stuff and try to do, like, string concatenation, stuff like that, to get it to work. Even then, it's not, like, super...

D: So I think with the sub, I don't know what to call it, but basically composing the value filter, I'll try to get something up for that, maybe by the end of this week or next week or something, because I think it is necessary, especially with the Kubernetes stuff. Like, it's very evident that the filtering you want to do on your deployment spec or your pod spec, it's like, you have to have that capability, basically, for it to be useful.

D: Oh, that one was just a, the question was around, like, not seeing the right metrics. I guess, just a call-out in general for the metrics filter: double check that the resource type actually has the proper dimensions and statistics that you're looking for. In this case, ElastiCache is a little bit...

D: I don't know if it's tricky, but there's two different resources. There's a cache cluster as well as a replication group, and it was just a matter of they were trying to use the wrong resource type. So.

A: Okay, cool, and looks like that was resolved, so all right, thanks for that. Next one we have 5971.

A: Like, I've submitted a help ticket to the CNCF, but my, like, it took two weeks to fix my accounts, because I had two, and due to my past history, like, I was assigned to VMware, so I had the wrong stuff. But I was able to file a ticket; I haven't really gotten anything yet. However, I can't find a real solution to this that isn't an admin going in there and then just forcing them to sign the CLA. I don't know, Kapil, what do you think?

C: So, on a project legal basis, I think we've got reasonable coverage on what's already there. So the question is: do we merge what's extant, because effectively it came over as part of the transition.

C: I'd have to look at this PR again just to understand if it's disruptive by itself, as is, let's say. But in general, if the work came over prior to the migration to CNCF, then it was covered under a pre-existing CLA and it was transferred as part of the project IP, with its contributions and extended PRs, to the CNCF, at which point it's fine. Then it's just a question of merging it and then doing the fix-up work afterwards, and then the risk is just the fix-up work afterwards and what's in trunk being disruptive for some period of time prior to release, which is fine.

C: So I think I'm generally game for this one, just to go ahead and deal with it. I think what I've seen in the EasyCLA CNCF Slack is, if you feel strongly about it, do it and deal with that.

C: I would, or anything, or Sonny or anyone else, I think, Darren, if you've already had a chance to review it as well, if you could comment to that effect. If you already have, then that's good.

C: Try to get, give good Austin to do the SEO, see how I bet, but yeah. That's a war.

A: Distributed open source is hard, I get it. All right, so what's the next action then, Kapil? Do you want to do one final review? Darren, are you merging it? What are we doing?

A: This one's yours, Sonny: signing the Docker images. You want to give us the latest we got going on here?

D: Yeah, so the Docker image building has been moved into GitHub Actions, so I think on master there's an issue with the actual workflow YAML, but there's a fix inside of this PR to address that. This utilizes the Sigstore keyless signing, which means that, for those that are using the Custodian images, it will upload the signature and manifest and stuff into dot com as well. So if you're pulling and you have requirements in your, let's say, Kubernetes validator controller in the future to validate that images are signed...

D: It just would allow your compliance tools to be in compliance. There's a few things that are a little dicey with this right now. So it's not, I would say right now it's not ready to merge.

D: There's some investigation stuff that has to go on, mostly due to the fact that we're doing a multi-arch, multi-architecture build, so there's just some nuance there that we've got to figure out. But yeah, the hope is once that gets in, then all of the images that we're building get signed automatically on push.

C: And it's worth pulling out, in the worst case, we may only sign x86 images and not the ARM, just based on some of the idiosyncrasies of the building tools here.

D: Yes, oh, so we do a Trivy scan and then we also have our, I have a light suite of tests that we run on the images to make sure that they're doing what they're supposed to be doing. Okay.

C: And to be fair, we've done the Trivy scan for a year. We're not currently doing, like, a fail on critical type of thing, which would be in others, like, you know, it's a force following the transform or true point, of course.

C: Will flag for some things, as you know, mostly useless warnings, but at different levels? I mean, there's a separate question here on: should we fail on that critical percent, which, and what does that mean, like, and it does fail, but we generally...

C: Notice, I think, on build images that are persistent, but I think our worst...

C: Is like almost two.

B: I used it, it worked. I didn't really do anything fancy, all right, but it did work, worked fine. Like, I just put it in place of my image and I didn't have any issues. So I mean I didn't put it in any running jobs, but I'll probably spend more time on it.

C: We will probably start moving to, I think, defaulting the architecture on the Lambda function we provision to matching the architecture of the host. So if you're on an ARM host you'll deploy on ARM, but that's still work to be done. But I think that's generally what the thinking is, just in case there are any... for the most part we're pure Python, but there are definitely some things which have extensions that we need to respect the underlying host installation for.

C: Are parameterized in the Docker image build; we do currently default to building all of them. Is there, is your interest in just getting cloud provider specific images?

A: I mean, it might be worth filing, so we remember in the future. Who knows, I mean, we might have someone that it affects and they might be interested in doing that. Okay, anything else Docker or ARM related?

A: Sorry, you're the last one to review it.

C: Yeah, so Tencent reached out and is interested in contributing a provider for their cloud. There's gonna be some ongoing work on this over the next few weeks, and so, if you use Tencent, then feel free to chime in. Most of the team that's working on this is running in China from a time zone perspective, but TL;DR, you know, we're in CNCF. If there's other cloud providers that are of interest, you know, feel free.

C: Via GitHub. I know Oracle Cloud's also expressed some interest over time, but isn't probably committed yet. So, but if there's other people that are interested in other cloud providers on this call or in the larger community, feel free to file an issue and express interest. I know we've got...

C: I think one of the challenges has always been just making sure that the maintainers have access to an environment in which to test. Tencent is providing that environment in this context. I know we've had, I think, at least one outstanding issue against OpenStack as well that is gated on some of, I think, maintainer access into an OpenStack environment. But I'll leave that aside and just generally say, in general, you know, we're just supportive of additional cloud providers, and this is a cloud provider.

A: And "tencentcloud" written like this, is that like what the package name will eventually be and stuff, from, like, a... yeah.

C: Any main reason? Yeah, it's what they already do in Terraform and other stuff like that. It matches their SDK and they're in their careful context. All right, that's a bit wordy, I agree.

A: All right, so more cloud providers, that's always good. Whose is this one? "aws output: try to determine bucket region without a client".

A: I know AJ wanted to bring this one, but he was unable to attend today. So thanks for the summary there. Anything else on this one?

A: Docker, we covered that already. I don't think we need to cover 7669, this SQLite cache file one; we've merged this already. Do we want to give it another quick TL;DR, or...

C: Not really, I mean, it should improve memory. There's, I think, one issue that I just got that I'm gonna try to address this week, but...

D: Oh, this actually just went into master. Oh nice, yeah, so you can, right now it's just repository equal count. So if you're looking for any ECR repos that are not in use, this would be the way to do it.

A: And c7n id to resources.json.

D: Yeah, this one was interesting. Posted a comment about putting this into the metadata JSON. I think exposing more of the concerning model there would also make sense, so stuff like ARN or the name key, ID key, stuff like that. I don't know if anyone else has any comments on that.

C: It was kind of where I was leaning, but I was trying to see if there was going to be any follow-up from the original poster to that comment.

B: Yeah, it's a simple change, like I was adding the kms-key filter for the Secrets Manager resource. So this is my first PR for this open source Cloud Custodian. All right, yep, welcome! Thank you.

B: Yeah, if you check it now, I think it's covered now. Yeah, yeah.

A: Amazing. Question for you: when you went in and clicked and everything, did you just get green right away, or...

B: No, I didn't get it like a green right away. Like, I submitted the request for my corporate, like, you know, the manager, and then I had to do one more step. Like, after that is done, I have to go into my PR and then click on the "not covered" again and then I have to select my corporate CLA manager, and that's when it changed into covered. Okay, okay, yeah, I actually go through the same thing with one of my co-workers.

B: I was just granted manager access for CLA and actually, when you ask somebody to authorize it, they have a pop-up that says, yeah, that person has to go through and click that thing again. I thought.

A: Yeah, so as alluded to, that previous EasyCLA one that had all those commits, like, messed up. Like, they gave me manager access and I went in there and then I tried to fix it, and then it just got all sorts of convoluted, and then their instructions were just, we'll submit a PR and just follow the instructions. And I was like...

D: Oops, I missed it, yeah. I could take a look at it, though. All right, seven.

D: But it should be easy enough to... cool, I'll follow up in the PR.

A: Yeah, and then one of the things I'm kind of stealing from Kubernetes when I set up the Slack stuff is there's a developer channel where people can idle in, and if you have a PR that you're stuck on or something, instead of waiting two weeks to come to this meeting, you know: hey, I'd like someone to look at the PR. The idea there is to...

A: Hopefully, you know, if you've got time or cycles to sit in the channel and help review PRs, or, you know, kind of do more asynchronous work, as opposed to, there's been times where it's like, oh, I gotta wait two weeks to link up with Darren. Now we can hopefully tighten up that feedback loop. So thanks for that.

A: All right, and looking at that, we've gotten through everything. So.

C: Two topics, I guess one more we're gonna cover, sure. And shift left, on the shift-lefty thing: parsing Terraform is really hard, and we have switched tracks from trying to do it ourselves in Python to realizing that the only way to do Terraform parsing is in Go, and beyond that also realizing that Terraform is not simply an HCL parser.

C: It's all the expressions inside of Terraform, so we've created a binding for a project called defsec from Aqua Security, and so we're using that to do Terraform parsing and evaluation of expressions and all that stuff, so that we can actually get a much higher fidelity. And we're doing that as a Python extension, so that we can run the rest of the Custodian machinery through it. So what that means is effectively c7n_terraform is going to become deprecated.

C: I was looking at it the other day and was like, it's just a parser. It doesn't really do anything useful, and we also want this to be run into other...

C: IaC, infrastructure as code, resources, so in future CloudFormation or Azure Resource templates, etc., but we're going to aim for Terraform to start. I would love anyone's consideration on naming; c7n and IaC makes me want to go "yak", but, you know, acronym overload. But, you know, I'm actually thinking that we might just pick up, like, a random name, like cephalopod or something, just to, you know, have...

C: That's completely, you know, divorced of the exact naming, because the exact name, like c7n source, also came to mind, but...

C: If anyone had suggestions as far as doing the shift, our shift-left front end, it'll be a different CLI front end. It won't just simply be the Custodian front end, probably because we want to do source annotations and have nice outputs that are geared towards developers and in CLI.

C: The same front end we'll run over multiple IaC source systems, and we want to have that a little bit agnostic, but the Python Go extension will be for Terraform. Parsing itself will be a new library. This is in the Cloud Custodian organization, the GitHub organization; it will be a new repo, independent, because people might use it for other purposes, and we'll just have that there, and I expect to see that published before the next community meeting.

D: Oh okay, well, will the policy syntax be...

C: Okay, we'll be running the Python Custodian engine on top of it, or just using the Go extension just for the purposes of parsing and resolving all the Terraform references per se. We had tried using the Python HCL2 parser, and, you know, it works; sometimes it's a little bit fragile. Like, you put, you know, this random white space coming in...

C: It breaks, and like it just wasn't a great experience, and it wasn't getting us the high fidelity around, hey, you've got expressions and variables and, you know, although the entire function language is exposed inside of Terraform, using something that's a little bit closer to first party, that starts using something that actually uses the upstream Terraform Go parser as well as does the interpolation in that space, is super helpful.

C: But, to answer your question: yes, it will still be, the policies will look the same because it'll actually be the same policy engine, just driving that part of that parser step via Go extension, the Python extension and Go.

C: It's, sorry, defsec in Golang is the upstream project that we're binding to, and then the downstream project that we'll be releasing under Cloud Custodian, I think it's gonna be called tfparse, just to denote that it's parsing Terraform as opposed to just the HCL portion. But that should be, again, that should probably be released in the next two weeks. I think we're just working on some CI bits to get that and the multi-arch building, that's to make sure it works for people regardless of their OS and laptop distribution.

A: Yeah, can you PM me on Slack the URL? "defsec in golang" does not Google very well.

A: Yeah, that's very common. I just learned that's a very common term in GitHub, like, fair enough, I'm finding a lot of examples, frameworks.

C: Is very specific to Terraform. I mean, defsec is used for lots of different things, or it's a general library for many different things, but one of the things that it does have that we're interested in is a full parser and evaluator for Terraform syntax. So if you have expressions and, you know, function calls and, you know, etc.

C: And that here, this is, we're not parsing the JSON; we're trying to parse the actual HCL, so that when we give feedback about, hey, go fix this, go change this, this part's broken, we're actually able to reference the actual module definition or the block definition directly in the source file.

A: All right, and that wraps it up. Unless anyone has anything else, we'll reconvene in two weeks. Going once, going twice. Those of you in the U.S., enjoy the long holiday, and yeah, I'll see you all on Slack and Gitter. Thanks, everyone, thank you.