From YouTube: Ambient Mesh WG meeting 2023 08 09
A: Okay, there we go. All right folks, welcome to the Wednesday, August 9th ambient weekly contributors meeting. So first up on the agenda, I just want to ask the ambient early leads: how are we doing on creating the issues that track the beta release? Are these all in the GitHub issues list now? If so, we can get the board started and start assigning work items.

A: I hate to nag people, but in this case I'm gonna lean on that. I will work with you guys offline to make sure we get these created.

C: Nagging is appreciated if it helps us get to the beta design debate. Yeah.

C: Just one quick thing on timing for beta: we have 1.19 getting released in late August. Okay, so what does that set as a date for our planned beta release?

A: Next item is Kevin.

E: I think that's the kind of thing we'd like to get done while we're still in alpha, and so this here is kind of a summary of what I see the problem as, and some potential solutions. So yeah, just to get the spirit of all this: there's a lot of text here, so let me walk through it.

E: The idea is basically that I'm concerned about races between the ztunnel perspective of the world and istiod's perspective of the world when we do network and IP address lookups. That's the spirit of the issue that I want to talk about here. Just as a quick recap at the top, I remind people how network works, and similarly for the IP address. I'm not as concerned about IP address lookups being out of sync, because we have remediations for that already built in. I'm more concerned about network.

E: So we could talk about the IP stuff, and I think I cover it there, but it's kind of orthogonal. John, yes.

B: But the proposal is introducing a ton of complexity to solve what seems to be a non-problem that's already existed in Istio since its inception. So that's what I'm concerned about. Like, well, I don't know why we need to solve this problem when it already exists in Istio. I've never once heard anyone complain about this. It's not like networks are changing on a day-to-day basis, right? That's kind of a static thing. Does anyone think you can change your network in Istio today and things will just work? It seems there's...

G: Also forget that we already have... what's the problem? If you update ztunnel, or anything on the node, it will probably break connections, cause traffic loss. So it's only safe to upgrade software by restarting the node, really, today. So if you change network, you will do another rolling update or something similar. There is no really good solution for not losing traffic.

F: Yeah, I mean I think that this is a matter of auditing our usages of ISTIO_META_NETWORK or whatever network environment variable the ztunnel has, and just trying not to use them, and in all cases that we possibly can, use information from the workloads that we're serving on behalf of, or proxying.

F: We need to just get rid of the config field, in my opinion, and consolidate on using WDS.

E: Yeah, for example, let's say... I had to take a while to think about how this could become a problem, and for sidecars, yeah, the network, you have to cycle the pod, they get injected at regular traffic routing. But if I spin up new pods on different networks and ztunnels remain static, can you get failed lookups? I guess not.

F: Yeah, my reversal: just that the ztunnel has no idea what network it is, and it doesn't care if workloads are on the same network as the proxy. It just appears what network workloads are on, and we assume that if some source is being proxied through ztunnel outbound, then it must be on our network.

G: Yeah, I kind of thought that was the design from the beginning: that istiod did tell the ztunnel what to do, and there is no other information except the one from istiod that should really matter, I believe. Still, it tells you what to do: go to this gateway, go to this... whatever is the east-west gateway or whatever, it's always determined by istiod. So it's not the case, and you should make it.

F: I guess it's only... yeah, when you look up an IP, you need a network to make sure you look up the right version if there's overlapping.

B: Yeah, but we could say, if they don't set the network on the on-demand lookup, then assume it's from their local network, which we derived from something. Maybe, I don't know how we derive it, though.

G: Wait, you still need to know some network where the ztunnel is residing on.

G: Okay, I mean, if istiod is a shared... wait, it's a whatever collaboration is called, where one istiod is used by multiple networks and has a public address. You know the connection to istiod goes through [unclear] to whatever, and we kind of lose it. We cannot determine it from the variety of anything; it needs to be passed somehow.

G: You have two clusters with overlapping IPs. You connect both to the same istiod, so you have the same namespace, same label, same everything. Just, you know, they have the same IP. How do you know which network it is and supports the program? And it's not a big deal, I mean, sending the network, you know, it's not... We can send it in a header, in metadata.

G: And that's the biggest problem: if I could use [unclear] that, because MPS doesn't help, so yeah, we tell you what to verify.

H: I think, taking a step back for a second: if that's right, if that's a failure, that's an unacceptable failure all around, I think we can agree on that. So the question is: do we have a metric that we alert to the user that they need to restart their ztunnels, or do we solve... or do we just say that you can't run it like that, or do we create a solution where you can't be in that situation?

E: I think you could express it. So let's say you were doing an upgrade or something, you're adopting network features or functionality. So you started from a blank state, or you had a different network and you wanted to rename it, and you had one IP and one network that was, you know, remote by workload entry, and another one that was on your local network, and you happened to change from one to the other.

E: The attack vector is a workload entry, so it doesn't have to be a real IP that actually exists. Even if you segment them, I mean, I said, you know: malicious user, I can create a workload entry with any network and any IP, so I just have to identify that you changed your network, and what you changed it to and from, and then I can start mocking or swapping identities, right.

G: Yeah, I know, I understand that, because I'm not sure there's a use case of connecting, like, being a different network, that needs to be supported in the first place. I mean, we should filter out any IP from other networks, because we don't have any way to address them. How do you know 10.1.1 is network A or network B? They have overlapping spaces. We don't have any way to indicate it.

G: And then for service, we have service, you know, secure naming or whatever, so you cannot have basically any attack on that side that would be vulnerable.

F: So I used to have a pod at, like, 1001, that had service account A. I changed my network to B, but my network in my ztunnel is still A. Now something on A has a different service or something with that same 1001, has a different service account, and I'm getting that service account incorrectly. That's what we're describing, so it's kind of an edge case where not only am I updating my network, but I'm, like, reusing names that I had before.

B: Yeah, to be honest, if the attack vector first starts with "trick the Istio admin to dynamically change their network", you're already on your way to a 10.0 CVE. That's not something that you can do as an attacker, and it's not something any Istio user should ever do for any reason. I can't imagine someone dynamically changing the network in Istio and things don't break.

F: Both sides have to have some value set. So if you're going from nothing to something, like, we don't do any lookups with the network, so it doesn't really matter. You won't go through a gateway unless both sides have the networks set up. If either one is unset, we just assume things have connectivity.

G: Do we have a talk about how multi-network is supposed to work with ambient, I mean? Are we switching to HBONE on the east-west? Is it a whole east-west, and in general the design for the multi-network doc? Are you assuming this old one? Because portable definitely falls outside, it was never supported, and maybe I'm out of the loop.

J: The key is: does this break users? How little does it break users? And also compare with the sidecar case, because for sidecars, do we have users complaining about this? And if not, then maybe it's not as big a problem.

E: Yeah, I'm still, frankly, thinking. I don't want to dominate this meeting and take too much time when I'm spending so much time thinking, given the feedback I've already received. But my primary concern is I want to make sure that we have... I understand John's point about the permissions already required to change the networks. So if we have a reasonable upgrade path to adding a network or changing networks in ambient, then we're fine with it being static, I'm...

E: That's the idea. I can put it in the issue and we can discuss it async. I don't want to take up too much more time on it.

C: Hey, I was kind of tossing this idea around, but I wanted to see if folks would be interested in having a GitHub group for ambient, ambient contributors. The reason I ask is because we have one for ztunnel specifically, but a lot of the work we're doing with ambient can be cross-cutting and requires multiple working groups anyway. John mentioned that there were some conversations happening about the working group structure in general.

C: I just wanted to see if there's appetite for it. The context for this is, you know, I'm putting together some architecture diagrams and such in documentation in the istio repo, and we needed some code owners, and then I realized that, oh, there's not just an ambient group, and in the period, you know, you could have every working group listed under the ambient directory. So I don't know if anybody had thoughts or had similar feelings about an ambient group.

J: Yeah, I think we discussed this a while back, along some similar line of the idea. I recall one of the concerns from people is that right now the review and approval are pretty much by GitHub directories, right, so people are maintaining those files for sidecars.

C: That makes sense, yeah, because for consumer network code you need both, I guess. Do we have any concerns about the inverse of that, where folks who are working on sidecars don't have ambient context and wouldn't be able to review any specific PRs?

C: Then I think that convinces me. It doesn't seem like there is a big need for it. So for the PR in question now, just because it touches a ton of users as well as general... I think general networking is what I've got there now, and we'll just get more data, and if something changes we can talk about it again. That's it for me, then.

A: Okay, next topic is Stephen. Hey Stephen, did you mean to add a link to the doc? The ztunnel hairpinning doc is...

F: The doc is in a PR with some of the diagrams, and it's kind of part of the discussion for that same doc.

F: You're a little more familiar with the way that this one's laid out. If you want to go over it, or I can try to do, like, a...

C: Awesome, so I'll just briefly go through this. There's some good comments there; I appreciate the folks who've already taken a look at it. Basically, I talk through peer authentication and its role in ambient, and in the section around peer authentication and waypoint proxy we discuss hairpinning. The open questions so far, based on what I remember from the doc, as well as the... actually, go to this view, the diagram, yeah.

C: So open questions here are mostly around, one: should ztunnel apply policy before hairpinning to the waypoint, and by policy, to be more specific, say transport policy, before it's forwarded to the waypoint. The option three that we discussed in the hairpinning discussion mentioned doing this ztunnel-to-waypoint communication over TLS, so the diagram currently shows... actually, I have a disclaimer here, right here.

C: Some of this is not implemented yet, but option three has this ztunnel-to-waypoint communication be over raw HBONE TLS, so vanilla TLS, not mTLS, and then there's an open question on: should this communication back be TLS or mTLS? John and Lin mentioned that this should be mutual TLS, and my question is around which identity should be used here for an unauthenticated request, and then the alternate situation where this is an authenticated request?

C: We've got the full workflow here, where the source pod goes to ztunnel, and waypoints... destination waypoint, and then the destination pod. So those are the diagrams that I made in the scenario it captures.

C: Oh, and then I mentioned here in the text where, if the peer authentication is strict, then the traffic will be denied at the waypoint... I'm sorry, at the ztunnel, before even forwarding to the waypoint. But yeah, those two open questions: should ztunnel apply transport policy before forwarding to the waypoint, and should the connection back to ztunnel from the waypoint be TLS, regular TLS, or mTLS?

J: Okay, I think what I'm leaning to was that... I'd enforce it if it can enforce it before sending to the waypoint, if it's a transport layer. And now, I know I made the comment that the waypoint back to ztunnel should be mTLS, but now I'm thinking maybe TLS makes more sense, because if we do mutual TLS, which identity would we use? We don't want to use the waypoint's identity unless...

J: Because we need a way to convey it's also, like, an unknown identity if we use the waypoint's identity for exchanging mutual TLS back to ztunnel, so I'm not sure how to convey that. So it might be easy if it's just TLS.

C: And that was my intuition as well, yeah, that if something's unauthenticated there shouldn't be any kind of mutual auth involved at all, and from a proxy perspective both waypoint and ztunnel can use the lack of client certs to know that this is an unauthenticated request and therefore not assume anything about the requester.

K: That seems a little weird and quite involved, honestly. In fact, I'm just back from vacation, so I'm trying to catch up on this. We are talking about a situation where there is a source pod with no client certificate.

K: Consider... you see an argument for ztunnel forwarding to the waypoint in plain text, but anything coming back from the waypoint, it would seem right that that should be over mTLS. The waypoint should be the thing enforcing the policy; otherwise there's no reason to go through it.

K: So in this diagram, right, you have source pod, plain text to ztunnel.

K: ztunnel goes, oh, this has to go through a waypoint and it didn't, so ztunnel to waypoint would be plain text, right, because this is just delegation, right, there's no additional protection. The waypoint enforces policy just like it would for anything else. Then it can be mTLS back to the ztunnel, and then from ztunnel plain text into the destination. So...

C: Two problems with that: for ztunnel to waypoint, I don't know that it can be plain text, because [unclear], from a protocol perspective, the waypoint can only accept HBONE. And then the second part of that is that the waypoint could be on a different node, so...

C: So this was Stephen's doc? I don't know if maybe you want to go through that, Stephen, but we had kind of four or five options, and having a special identity for "no identity" or "unknown" or something like that was one of them. But last week we were discussing, and it kind of circled around: hey, for potentially sending to a different node, we should do that encrypted. So TLS makes sense.

G: Let me clarify a bit. When we discussed this, what we discussed is that... what people were against was using this unknown identity in authorization rules, exposing it to users.

G: Some communication between the ztunnel and waypoint is even using ztunnel's own identity, because again we want to verify the request is really coming from the ztunnel and it's encrypted. We know for sure it's coming from ztunnel. We can indicate somewhere that it has no real certificate. So the issue was, and why the point was rejected, was users being exposed to this dummy identity and pretending to be mTLS.

L: The other option that I think Costin brought up was just stop capturing any inbound traffic that's not on the HBONE port and just let it through. If it's coming to a pod that is in the mesh, we only capture HBONE. If it's plain text coming from somewhere else, we let it through, which is a little more drastic, but it would sort of handily solve this too.

G: The reason, for me, is that, you know, affinity and all these... you know, you have one pod, client pod and destination pod, on the same node, for the same kernel, and you have super high bandwidth. You can do all kinds of stuff and you have maximum security because it never leaves the node. You don't have to go to wires and slow down, and suddenly you are... the good...

G: Let's say it's a TCP database and you want to have a backup or some machine learning that takes advantage of affinity and everything, and suddenly you want the waypoint and the entire thing breaks, because it has to go to the waypoint. It has to go back twice over the wire with mTLS, so all your performance is gone, or your security is mostly gone because it's now going to a different node. So it has a very dramatic impact with...

C: That's right, it's a good reason to do... with the proposal of not capturing, because if it goes... ztunnel and waypoint are inherently policy enforcement points; not enforcing policy because it's plain text feels like a very unpleasant surprise for our user, to think that traffic goes through your policy enforcement point and doesn't actually enforce policy. I'm not in love with that.

L: True, but then the downside is we literally cannot enforce an entire subset of policy, because we don't know the source identity, and so what you would normally expect to be able to write policy against... we're special-casing, say: if we don't know the source identity, you're limited to a subset of policy, which is also kind of a weird break, right. It's like we can't attest anything about the source, therefore these source policies you can't write, no matter what. Really it's, if...

G: If we use the approach that the Gateway is using, to have some test suite that verifies that a subset doesn't work: it will not pass the test, and it will be very bad for users, because they will be confused. Some security will work, some will not. Nobody will know what works and doesn't work, really.

L: Right, you can write policies saying that there is no source identity, therefore deny or do something, right. You can do a denial policy, but you can't write any... you can't actually write anything that attests to the identity of the source, because you don't have one. So we don't want people to be able to write policy that assumes things about the source identity, or anything about the source, because we can't prove any of it, right.

G: You have the ability to write this kind of policies by using network policy, because with network policy the CNI implementation takes the labels of the source, nodes, everything they can. You can actually write very powerful policies for plain text relying on the CNI layer, but if we capture, we break that, because the traffic from CNI will look like it's from ztunnel, will bypass it or whatever, so you lose the ability to write policies with network policy, and you have no ability to write policies with the ztunnel.

C: If ztunnel is enforcing the L4 transport layer policy, how is that... in a different network policy, you can check... Network policy can't check identity, and the authorization policy for the transport layer in ztunnel can, from what I understand, do everything that network policy can do. So how are we losing anything?

G: Let me give you a simple case I mentioned before. You have two different pods from the same namespace, same service accounts, everything. You write a network policy saying that everything with a label, same label, same namespace as I have, which is a very strong boundary in Kubernetes, so basically my own workloads.

G: It's very common, I mean, you develop a set of applications. They need to have communication between them. You trust yourself, so label authentication, especially if it's a network... sorry, it's a namespace label. It is powerful enough to express identity, more powerful than CIDR, which is unenforceable.

C: The situation for network policy makes perfect sense, but they're not meshed. The delta that we're talking about between network policy and the authorization data structure that we have in Istio ambient is labels, and so the only functionality that we're missing is to allow non-meshed pods to talk to ambient pods through plain text. That feels very much like an edge case to me, so I don't know why that should factor in, like, fundamentally, what the doc proposes.

C: We have traffic that is unauthenticated to the mesh, and we need to decide how to handle it. This doc, as well as option three in the proposal: the approach essentially is, let peer authentication decide. Let peer authentication be the API for you to decide how you want to handle that use case. If peer authentication is permissive, then we will let traffic go through to the ztunnel.

C: If you happen to have a policy, a separate policy, that blocks your traffic, it'll get blocked right at the ztunnel, but if it's permissive, you can go to the waypoint via... the traffic gets forwarded. At the waypoint... I said to the ztunnel, it goes to the waypoint via TLS to designate that it is unauthenticated traffic, and then traffic comes back to the ztunnel through another encrypted tunnel. Again, that's the proposal.

J: Yeah, I want to add something here. If you look at the sidecar today, right, what was being described, from an out-of-mesh client to talk to a sidecar, that's a very basic scenario we're targeting, and for sidecar we're not requiring users to write a network policy for such a simple scenario. I think now that we look at the scenario in ambient, I think it would be too much to ask users, for the simple scenario: look, you have to use network policy to block this scenario.

G: But with the current sidecar, we do not break network policies, so if users have network policies, they should help, because... I mean, CNI encrypts traffic and provides authorization based on labels today. We teach you... we say permissive means that you allow workloads without sidecar. But if you want any security, you need to use network policy, because that's the other authorization policy that exists. We don't require users to do it. We...

J: I agree with not breaking them, but they are caveated with the HBONE port, right, and there are caveats of it's different paths now, right, where sidecar was simple, it was just one pod, but now there's a ztunnel and waypoint, so I think it would be reasonable... users would have to rewrite their network policy slightly because of the port, the HBONE port, and also because of the architecture: they have to take into consideration ztunnel and waypoint now.

J: I don't think we document that at the moment. It's something I think that's desirable by many of us, I would say. Yeah, so I don't think Cilium even works with ambient at the moment. Calico, I don't think the policy is enforced with ambient either, so...

C: Right, any CNI, like, there's a number of factors that can determine whether or not ambient will be a drop-in piece of software for you and me, and customers who know how to deploy software are going to be used to: okay, what are the compatibilities here, and maybe network policies are an incompatibility.

C: Any... hold on. Any scheme, authentication scheme or authorization scheme, that you can use on this plain text, that uses certificates for identity verification, is not going to work for plain text. That feels exactly... I might be misunderstanding. Effectively, what I think we're discussing at this point is, it sounds like [unclear] is that this isn't going to work if we can't determine the identity, and that feels obvious, right.

C: If you can't determine what your identity is, we don't trust you, full stop, and so we're going to do things differently. That's the value add of a service mesh or any kind of mTLS proxy substrate. So it feels very much in line with the rest of Istio to expect a certificate, and if you don't have anything, we're going to treat you differently; we might not deny you outright.

G: Users should be able to say, if you don't have certificates, don't allow it at all; that's perfectly right. But what I'm saying is, if the user says I want to support workloads without certificates, I don't want to block them, then we should let it go and allow them to use network policy, which is encrypted. It has authorization; it's a different authorization mechanism, but it's 80 percent... it's the most practical way. I mean, it's identity based. It takes into account identity expressed as labels. It is encrypted and it works already.

G: If the user says block all the traffic without certificate, also all the traffic without certificate, we have no reason to break it.

C: So, if we're in permissive mode, meaning traffic goes through, it uses TLS on the waypoint hairpinning. This breaks, you're saying, this breaks network policy, because we're hairpinning to begin with, and the IP is going to be messed up. Is that effectively what you're saying? So...

C: I mean, if you want to... again, maybe I'm oversimplifying, but if you want to allow... and Francis left; I want to wrap up, we're over time here. But the last thing I'll say is that if you want to write policies that allow plain text traffic in, the label selectors can do just that. You obscured the original identity. That's fair, I mean, I don't see...

L: I think we do want to do that for stuff that we have identities for, right, but this is stuff outside of our control, that we don't have any way to attest the identity on. So if you want to do something out of band with network policy, we can't stop you, and that should compose, I think, is what Costin is saying. That's sort of outside of our purview, right.

C: I think what they're saying is that for the plain text case, where we do allow traffic to come through to the sidecar, there's policy capabilities on top of that, because we have the unmodified source labels and such, and Kubernetes can determine that because there's no extra hop and no hairpinning.

G: It's a very common use in many networks, particularly in Google, but probably most of them. Traffic from load balancers and from infrastructure doesn't have certificates typically, or has our certificates, and it's basically enforced... it verifies that it's coming from the gateway through another policy. Yeah.

L: Right, okay, if you want to control stuff coming in and want to have identity association, you put the gateway in front of it and you funnel stuff through that. Since that's not really our traffic per se... that's the whole thing, like, just skip it. If it's something that's not a part of our mesh traffic... yeah, I don't know. I just don't like the idea of inventing an identity, and I don't see a way around that entirely.

J: So maybe ask a question here: so what if my source pod is not outside of the mesh? What if my source pod is inside of the mesh and my destination has a waypoint? Then we still need to go to the waypoint, right, so the network policy still needs to be modified to accommodate that flow of source goes to source ztunnel and then to the destination waypoint and destination ztunnel. So you still have to make changes to the network policy in that case, right?

C: Yeah, I'm sorry, yeah, no, no, I don't want to dive into the same thing. I'm gonna have to think about that some more, because this is definitely a decision point. I understand the argument now; I missed it before, but effectively what we're saying is non-meshed traffic, traffic that is not designed to use the mesh, that we shouldn't make ourselves incompatible with other identity mechanisms, or maybe enforcement mechanisms, that might have more context than we do on the wire.

K: No, no, but like, if... yeah, I mean, leaving the capture concerns aside for a second, right, but in this diagram, right: if it was plain text and all we said then... it somehow ended up in ztunnel, and all permissive meant was let it go to the pod or not, nothing to do with hairpinning, and the capture was allowing it to work with network traffic, you would maintain the compatibility, right, Costin? If...

G: It's a different kind of work because you're using plain text. We are using permissive; in reality, it's using encrypted and authenticated traffic with different policies and certificates, because Cilium and most networks are encrypted, they're not plain text, and they have authorization policies that are based on labels, which are valid use cases.

K: Okay, okay.

C: All right, y'all, take this offline. In the meantime, maybe think about this, and I'll start a thread in ambient-dev to flesh this out some more, because I think it's an important question. Thanks, everybody! Sorry for the long meeting; that's good stuff, yeah.