►
From YouTube: Envoy Community Meeting - 2019-04-09
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
A
Yeah
we
may
have,
admittedly,
it's
because
of
next
there
at
least
some
people
that
directly
it
will
be
there.
Okay,
so
I
was
three
topics
that
I
wanted
to
come
over.
The
first
is
discussed
on
the
recent
movie
II.
So
as
I'm
sure,
most
folks,
here
or
aware,
we
had
a
security
release
in
Friday,
and
this
covered
two
vulnerabilities
one.
We
related
to
past
normalization
and
the
other
two
headed
matching.
We
discovered
that
roughly
the
same
time
and
had
competitors
at
roughly
the
same
area.
A
They
had
the
same
sort
of
tech
sector
and
threat
model.
They
were
fixed
by
the
almost
security
team
under
embargo
over
a
period
of
about
two
weeks
together
with
various
Googlers,
and
this
was
really
our
first
run-through-
the
Envoy
security
release
process,
so
I'm,
first
of
all,
happy
to
answer
any
questions
about
these
vulnerabilities.
If
anyone
has
any
and
second
I'm
like
to
sort
of
discuss
how
we
even
move
forward
from
here
and
specifically,
we
would
like
to
take
process
improvements.
We're
going
to
do
a
post-mortem.
A
We
have
a
dock
for
jotting
down
initial
thoughts
if
anyone
has
any
to
share
based
on
their
experiences
during
the
handling
of
these
vulnerabilities
and
I
think
we
should
probably
set
up
a
longer
meeting
next
week,
because
we
always
kind
of
time
cramped
in
this
meeting
to
discuss
some
other
fallout
from
that
and
I
think
some
of
the
things
we're
going
to
want
to
do
our
first
of
all
the
various
process
tweaks
and
improvements
based
on
our
experience.
This
includes
things
like
looking
at.
You
know.
A
We're
our
own
thing
and
we
have
both
distributors
and
service
providers
and
where
there's
tension
between
wanting
to
make
the
list
larger,
to
provide
advance
notification
to
as
many
people
as
possible
and
try
to
keep
it
small
to
try
and
ensure
the
embargo
isn't
broken,
and
we
need
to
have
a
lot
Capri,
an
open
discussion
about
that.
And,
finally,
we
need
to
think
about
how
we
can
do
things
like
canary
and
staging
rollouts
of
docker
images
where
you
know
their
own
voice.
A
Icon
is
actually
visible
to
other
applications
and
potentially
users
of
distributions
in
a
way
which
doesn't
actually
break
embargo
and
leak.
Information
and
I
think
these
are
all
sort
of
like
deeper
topics,
so
I
built
a
weapon
now
and
as
the
owner
wants
to
say
anything
briefly
about
them,
but
instead
I
think
I
will
schedule
a
meeting
and
share
it
with
everyone
for
probably
next
week.
Does
that
sound
good.
A
A
Actually,
the
statuses
are
preserved
by
home
voice,
so
we
were
hoping
this
can
be
sort
of
standard
which
many
different
sort
of
application
and
micro
service
frameworks
will
eventually
adopt
and
make
available
to
envoy
to
facilitate
this
but
and
the
first
step.
We
know
that
the
GRP
CLB
folks,
who
are
busy
working
to
adopt
XDS
are
interested
in
using
this,
for
example,
this
purpose
and
so
they're
gonna
be
driving
the
initial
implementation
there,
but
I'll
try
to
share
a
design
doc
and
we
can
see
if
what
changes
need
to
be
made.
A
B
Yeah,
so
I
just
wanted
to
talk
about
the
deprecation
stuff
again,
specifically
the
host
abrogation
for
the
cluster
load
assignment
thing
and
then
there's
the
other
one
that
deprecated
TCP,
deprecated
v1
I
think
that
one
is
not
I.
Think
the
TCP
deprecated
v1
is
not
controversial.
I
just
I
think
we
need
to
have
a
policy
basically
that
unless
there
is
an
explicit
replacement,
we
can't
we
can't
have
something
be
deprecated
I.
C
B
That's
what
that's
the
one
that
I
want
to
talk
about
here
and
that
one
is
more
subjective,
I,
think
my
personal
feeling
and
I'd
love
to
hear
what
other
folks
think
is
that
I
I
don't
think
deprecating.
It
is
worth
the
pain
given
how
simple
they
transform
is
so,
but
this
is
I
guess
this
is
just
a
general
like
policy
question,
which
is,
you
know
like
technically,
a
cluster
load
assignment
is
a
superset
of
hosts.
So
you
know
if
we
keep
with
our.
B
You
know,
idea
that
everything
is
machine
generated
and
there
should
be
a
simple
transform.
You
know,
then
we
can
probably
deprecated
host
it's
just
one
of
those
things
that
seemed
so
pervasively
used
that
I
just
know
that
it's
going
to
irritate
people
and
it
just
doesn't
it
just-
doesn't
seem
worth
it.
So
I
would
be
curious
to
hear
what
what
other
people
think
I
guess.
C
My
thought
is:
I
would
prefer
that
we
not
have
redundancy
in
the
API
long
term,
but
I
am
a
hundred
percent.
Fine,
like
I,
think
my
professors
me
the
leave
it
flagged
as
deprecated
not
make
it
fatal
yet
so
like
not
cause
the
pain
and
then
see
what
happens
with
the
conversations
we've
been
having
regarding
kind
of
our
general
API
factors,
which
will
have
a
better
sense
of
in
a
couple
months
and
brings
the
community
and
get
all
the
reproval
for
so
I.
C
A
Now,
it's
probably
a
good
time
to
point
out
that
we
are
starting
to
think
about
how
to
deal
with
the
long
term
evolution
of
envoys
api's
and
how
do
I
better
sort
of
deal
with
major
breaking
changes
and
structural
changes.
We'll
probably
have
some
sort
of
straw
man
proposal
coming
shortly,
and
this
probably
would
be
best
Bend
for
that
were
these,
like
major
structural
changes,
ya.
B
Know
and
that,
and
that
sounds
fine
to
me-
I
just
know
that
if
we
make
a
fatal
by
a
default
now
like
we're
going
to
get
a
bunch
of
people
complaining
and
yeah,
it
feels
fine
to
me
that
if
this
would
be
the
type
of
thing
and
again,
this
is
up
for
a
conversation,
but
in
our
yearly
cleanup
or
like
whatever
we
pick
that
cadence
is
of
like
doing
major
cleanups.
This
seems
like
something
that
that
we
could.
We
could
throw
in
there.
B
C
B
B
A
C
B
B
So
it's
probably
not
something
that
we're
gonna
discuss
now.
I
just
want
to
throw
it
out
there
for
food
for
thought
that
if
you
have
comments
or
thoughts
on
you
know
what
should
the
criteria
be
to
get
on
the
pre-announced
list?
We
would
love
to
hear
your
feedback,
so
you
can
have
public
feedback
or
you
can
email
the
envoy
on
my
security
lists.
Whatever
works,
yeah.
A
But
if
you
have
any
ones
sort
of
aware
of
other
open
source
projects
which
need
to
deal
with
this
kind
of
thing,
why
there?
You
know
the
answer
used.
For
example,
it's
saying
edge,
networking
and
cloud
service
providers,
or
this
kind
of
thing
or
a
so
cloud
service
providers,
not
sure
yeah,
like
you
know,
I'll
just
speak.
She
random
examples
like
people
like
an
eBay
or
Pinterest
or
square.
A
B
A
I
think,
like
the
the
the
sidecar
mode,
takes
us
closer
to
a
regular
distribution
like
red
hat
or
something
like
that.
Whereas
the
problem
is,
we
have
distributors
who
themselves
have
costs,
have
partners
and
so
on.
Who
then
may
wants
to
try
to
early
notification
to
that
customers?
And
that's
a
that's,
a
much
tougher
dynamic
to
manage
yeah.
A
B
Yeah-
and
you
know
that
the
stance
that
we've
taken
so
far
is
it's
basically
that
anyone,
you
know
effectively:
building
a
product
or
service,
clearly
known
and
based
on
envoy,
who
is
not
just
serving
themselves,
so
you
know
so
like
lyft
would
not
would
not
be
on
the
list.
Pinterest
wouldn't
be
on
the
list,
eBay
etc,
which
is
typical
for
how
most
of
these
lists
work,
but
again
we're
just
trying
to
gather
feedback.
B
A
I
mean
yeah,
there
are
all
kinds
of
ways
this
can
be
structured,
I
mean
we've
had
you
know
the
the
point
mate?
That's
you
know,
for
example
the
Linux
kernel
community.
To
some
extent
you
know
your
amount
of
contribution
and
influence
the
community
can
impact.
How
likely
you
are
to
see
patches
early
and
is
this
a
good
model?
B
A
B
A
It
was
blocked
to
me
figuring
out
how
to
deal
with
plumbing
of
extra
of
various
flags
down
to
external
dependencies.
Another
we
switch
to
rules,
foreign
CC,
there's
a
new
version
of
rules,
foreign
CC,
which
apparently
fixes
that
situation
so
I
need
to
go
in
there
and
see
if
that
magically
works.
That
does
then
blocks
one
thing,
and
then
we
can
go
back
to
the
original
PRI
adults
I'm
hoping
to
get
you
that
juror
this
week.
F
F
The
coverage
coverage
that
fix
should
be
fixed,
the
GOP
seated
protesters
be
fixing
662
to
9:00
the
rivers
very
workspace.
That's
one
trigger
the
coverage
consistently
and
the
cause
he's
one
of
the
time
out.
He
said
to
one
second
ever
increase
to
ten.
Second,
that
should
be
good
for
now
for
the
coverage.
Failure.
I
think
that
is
like
depend
on
how
the
coverage
tests
are
the
order
to
run,
and
it
was
used
to
be
work,
but
not
working.
When
some
people
add
new
test,
it
fail.
F
B
G
G
That's
the
script
I
used
sure
I
haven't
I
haven't
figured
if
this
is
something
in
my
environment
or
something
that
I
was
done
to
my
object
ball
and
then
see
I.
The
time
meant
that
I
saw
was,
and
not
a
time
out
of
a
particular
test
time
out
of
the
whole
process,
which
I
think
might
be
related
to
how
much
code
you
have
in
the
PR
yeah.
B
B
B
Should
be
good
for
okay,
all
right
I
guess,
let's
just
make
make
sure
that
people
merge
master
what
one
one
idea!
Actually
that
comes
to
mind.
We
should
talk
to
EJ
I'm
wondering
if,
like
if
we
know
of
a
case
when
everyone
has
to
merge
master
I
bet,
we
could
do
something
with
the
bots
and
like
get
the
bot
to
go
through
all
open,
PRS
and
just
like
say
like
please,
PLEASE
merge,
Master.
C
B
G
Am
I
still
alive,
I
wanted
to
say
one
other
thing,
so
I'm
simulated
and
is
probably
not
good
for
all
integration
test,
yet
I'm
kind
of
background,
but
I
felt
it
because
I
was
too
busy
with
other
stuff,
but
there's
still
some
semantic
confusion
to
run
what
that
means.
The
way
that
it's
used
and
I
have
some
in
flight
code
to
clean
that
up.
I
just
need
to
get
it
to
work.
Okay,
but
I
think
it's
good
for.
B
G
B
I
I
Her
focus
is
sort
of
in
this
like
how
to
get
everything
running
the
best
on
Intel
hardware
like
accelerators
and
CPU
features
and
whatnot
I'm
myself,
part
query
right
now,
looking
at
this
qat
support
and
so
on,
but
other
tasks
for
our
whole
team
is
sort
of
to
try
to
make
these
projects
as
like
aalverson
as
possible
and
help
out
everywhere.
We
can
so
so.
I
H
B
B
H
The
the
the
real
result
is
it's
just
the
message
isn't
quite
clear,
and
so
it's
it's
a
question
of.
Is
it
worthwhile
to
spend
time
rewriting
the
actual
message
of
the
exception,
like
the
string
that
gets
thrown
to
the
user
or
if
it's
worth
spending
more
time
on
making
them?
You
know
protobufs,
so
that
way
they
can
be
parsed
themselves
into.
A
B
No
I
mean
I
would
say
like
better
documentation
better.
Our
messages
are
probably
always
always
going
to
be
going
to
be
approved.
I
guess.
The
only
reason
I
was
asking
to
to
maybe
discuss
further.
Is
that
I
don't
quite
know
what
you're
proposing
it's
like?
If,
if,
if
the
text
is
going
to
be
controversial,
then
we
might
have
to
discuss
if
it's
just
like,
obviously
more
clear,
then
it's
probably
fine,
but
but
without
knowing
the
details,
it's
it's
a
little
hard
to
give
guidance.
Yeah.