From YouTube: Ambient Mesh WG meeting 2023 07 26
A: Let's start the meeting. Hi everyone, welcome to the Wednesday, July 26th occurrence of the Ambient Working Group meeting. I will present the agenda momentarily.

A: All right, there it is. Okay, so first, just a quick update. A group of us met last week and went through the rest of the Drive Ambient Mesh to Beta document. As you recall, a couple of weeks ago we finished up until, I believe, this point on integration testing. We've gone through the rest of the doc and prioritized all these subtasks here and also, most importantly, assigned owners. So the call for the community is: please go through and take a look at this doc and give us your feedback on whether you agree with the priority rankings here. So everything that's marked as P0 essentially means that it's a must-have for ambient beta, and then P1s and P2s, those are good-to-haves. Also, for each one of these areas we have the leads called out and specified here, so the lead's job is to ensure that the items, features or deliverables, however you want to call it, are filled out and turned into issues so that we can start triaging them and tracking them in the GitHub issue board.
B: Yeah, so right now, if you have a plain text client, an uncaptured or external client, try to talk to something that has a waypoint, the server-side ztunnel will capture it, attempt to hairpin, and if the client IP is something that that ztunnel knows about, it will try to impersonate it, and it will get denied by istiod because it doesn't have, or potentially denied by istiod if it doesn't happen to have something with the same service account on the node.

B: So we need to kind of decide what the behavior should be. I don't think, even if it happened to have one of those service accounts on the node, it's appropriate to hairpin or to impersonate, yeah. So we need to decide on how we're going to set the HBONE identity. Like, if it was forwarding plain text it would be fine, but if it's encoding HBONE it needs an identity. I don't know what that should necessarily be, besides something that signifies this is coming from outside of the mesh.
D: If we want to avoid this problem, basically, you know, kind of having the Workload Discovery Service return the IP of ztunnel and the identity of the ztunnel to be expected, and then, you know, hitting ztunnel, use SNI or whatever to do the rest without having to have the inbound interception or the complexities that are associated with both CNI and other things, because technically the incoming part, you know, can be very straightforward and not do any CNI interception hacks or anything else. It can just, you know, if Istio tells you that this is exactly the ztunnel that you need to talk with.

D: So it's two parts. One part is long term: we should rediscuss and consider again the delegation model. And the second part is, if we want to go with what you propose, we need to be extremely careful because it changes the security dramatically and it's super dangerous in many ways. But if we consider that in the future we may want to switch to a delegated model, then probably this will go away, because that solution doesn't have this problem, mostly.
C: I agree that it's super tricky, we may need to be very careful. I'm not sure that I think the delegation stuff only solves this if we want to say that you can't have policies on plain text, right, like today in Istio. What really is the root of a lot of this is that today in Istio you can do policies on plain text, right? You can say I want to deny my POST requests, and this can be plain text or mTLS or not, and you may want telemetry about L7 stuff, right, other things, not necessarily policies.
D: You mean we would get plain text for non-Istio workloads? I mean, it's kind of, if ztunnel is on by default, that's not a problem, because everything will use the tunnel. If you have no ztunnel, basically, okay, workloads or things using plain text, they...
D: ...not ambient, so it's not, I mean, that's always been kind of. Yes, it has been a feature of classical Istio, but the high cost and, you know, it's not really, I mean, if you're not using ambient, then you're not expected to get telemetry, policies or anything else. You are expected to be either denied or allowed. That's a very different discussion, if we have any responsibility for non-Istio to generate telemetry.
C: Well, it's not really, the policies and telemetry are on the server side, that's not the client's choice. But I mean, if you had asked me a year ago, this exact conversation, I would have been much stronger of the opinion that we need to do the plain text and waypoint stuff. I'm a bit less of that opinion these days, given all the complexity and whatnot that we found in ambient.
D: It has a huge cost and it's not a strict requirement. I mean, normally policies are expected to be applied when both ends use virtual identity. We don't, I mean, that's a made-up feature that we added to be nice, basically, because we were intercepting anyway with sidecars, and why not. But I don't think it was ever a requirement that if you have a non-Istio workload you should do anything about it except deny, because, you know...
C: So, first, let's say you're in a normal state. You have plain text traffic. You apply a waypoint, it's bypassed entirely, that's fine. Then you apply a simple, obvious policy that says deny POST requests or deny traffic to port 80, and all your traffic is now blocked. I mean, all your plain text traffic.
D: Yeah, but let's not forget our goal is for ambient to be on by default, so it'd be kind of at the CNI level, cluster-wide. So this case, where you have some workloads using ambient, I'm not, it's kind of a transition step, but it's not kind of an intended end state. We should not optimize for it, basically.
C: Yeah, I mean, it's hard, it's harder in practice because you may have things that are not even in Kubernetes, or multiple clusters, or even like the API server makes webhook calls, etc. So I agree that you would not expect most of your traffic to be plain text in the long term, but I also wouldn't expect that 100% of your traffic is not plain text in the long term.
D: You can have, you know, the normal Kubernetes certificates and its own authentication. Istio is not every single ability. There are other policies that can be applied, so I don't think we should have the expectation that only Istio exists and other policies should, it should, should...
C: I think in this case, well, I mean, any time we change behavior, technically it's always going to be tricky. In this case, the times we're denying, they didn't really explicitly tell us to deny. So if we start allowing, it doesn't seem that bad. Like, it's definitely better than the alternative, that we used to allow it and now we start denying it; that is guaranteed to break someone. But in this case it's kind of like, due to limitations we denied it, and now we allow it. It feels okay.

C: Unless users rely on this. So I'd say it's not the worst thing, but obviously it's not perfect. One thing I will say is that I don't actually think that option one is the full extent of what Costin is proposing, if I understand right. I think Costin's proposing that plain text traffic never even makes it to ztunnel. Is that accurate, Costin?
D: Yeah, which also, incidentally, is the safest way for people to adopt ambient, because that would mean that if you use plain text, you are 100% guaranteed to not have any breakages, because that's exactly Kubernetes, because you're not interfering. And then you will gradually opt into Istio, into ambient features, by, you know, specifying that, hey, I want to use policies or other things, or if both ends are part of it. But in terms of transition and adoption, of, you know, having a safe beta.
C: Yeah, I will say that, yeah, I think that's correct, that there's both option one and two. We still do simplify things quite a bit by doing two, even if we don't go all the way to option one.

C: Now, it may be the compromise that makes no one happy, but it's worth considering at the very least, is all I'm trying to say.
B: How critical is this to answer before beta?
C: Oh, we need an answer before beta, that's for sure.

C: Like, the easiest one, if we want a short-term answer that's the most flexible later, is probably option two, right? Like, it's the simplest: just in case, we're not sure, we deny it, and then we can change how we do it later. But I don't think we can realistically transition to one, which is kind of a pretty fundamental architectural change, at any point after we ship beta, regardless of the user-facing behavior. Like, it's a huge change to what we're doing.
D: I guess so. It's only capturing port 150. That's why it's super safe, because we are not touching anything that is not ours, and if a client is not ambient then it's exactly the same as well. Anyway, it wouldn't have a credential, so anyway it doesn't speak HBONE, it does not go into the waypoint, so a client without ambient...

D: It's not completely. If we do the delegation, it's much cleaner because we no longer have any iptables in the host or whatever; it works perfectly fine, yeah. And then we can start adding in the future, in beta 2 or whatever, say, hey, now suddenly, for plain text, we are doing something, when we have an idea of what we want to do, because I don't think we have a good idea what the correct behavior is when the peer is plain text.
A: Okay, so we have these options. Do we have a plan to make a choice between them already?
D: Let's think about it, get more feedback. I mean, I don't think everyone had the full context and we...

D: Yeah, pretty much. I mean, implementation is not very difficult, but the choice is kind of, whatever we do, we are stuck forever, I mean, if we choose.

D: ...we can agree that we should have a choice, given that it has clear trade-offs, and we should at least provide users an option to deploy with, you know, plain text disabled. Easy, you know, choose one, so it doesn't have to be exclusive, we do it only one way, I don't know.
A: Okay, let's get it to a proposal. It sounds like a short design doc summarizing these options and a proposal on the right way to go. And Stephen, I assume you will write that up, and once we have that we can bring it in front of the TOC.
D: One more thing, for completeness, I think I forgot to mention it. You know, there is work on the proposal for the Workload Discovery Service we discussed previously with Louie and other people, about using the WDS for identity.

D: So plain text is kind of a loaded word here. It is entirely possible that it's already encrypted by a lower-level CNI and all we have to do is basically use WDS to apply policies.

D: So there is a third or fourth option where we actually capture and apply policies based on WDS only, without using or speaking certificates at all. I don't know if I explained it correctly, or John, do you have a better way to describe it?
D: That's true, but, you know, if it's not mTLS, clearly, because you receive the request without the certificate, that is not mTLS. The question is: what do we do in that case? We rely on other mechanisms to get the identity, the actual identity, and apply the policy correctly, knowing that it is not mTLS; we mark it, say that it was kind of IPsec but not mTLS, but the policies apply identically.

D: So from our point of view, that seems to be the best, except the user needs to be aware that IPsec, I mean, needs to agree that IPsec is considered sufficient, and they presumably do, because they don't use TLS, they didn't opt into ambient for that workload.
D: ...to decide, but it is still a valid case, especially if encryption moves into, I mean, if CNI is implementing TLS natively, they do still have TLS and you still need to have a way to get the identity, the metadata server you described. We have...
F: Yeah, basically it is just like, the fundamental need is to support authenticating with istiod without the use of that token, just within TLS, yeah. Whether that's, you know, the cert is provided out of band and also to ztunnel anyways. It's just about adding another authentication mechanism, right, because the only way, as far as I know, you can do it today is with a service account token that you manually copy around.

F: I just pinged him, he could join, he knows more about it than I do. But that's my initial understanding, that that's the difficulty we're trying to solve, yeah.
C: Yeah, my main question is how you're mutually authenticating, right, because outside of the typical Istio demo, where it's the CA and the XDS server and everything in one, the istiod certificate and the workload certificate are completely orthogonal, right? They're not necessarily the same or from the same CA or anything. I get that you can make them from the same CA. So that's what I was trying to clarify, like, do you have these external certificate providers providing something for istiod as well? It doesn't use a sidecar.
H: Yeah, so I can answer this, hold on, because I put up this PR, Costin. So, I think, can y'all hear me? Yeah. So basically my purpose in opening this PR was just, again, to start the conversation about mTLS over the XDS connection, because right now it's not supported in terms of how we are getting those, right?

H: You know, you have a cert that's being mounted by a separate process in the background, and you need to wait for it, right? I think, yes, there's definitely this question of what is the source for those certs, and I knew that making this PR, which is why I thought about creating a separate interface other than the one that is currently being used to fetch the workload certs. But I did think about that.

H: But I put up this PR just to start that conversation, because I think, for our purposes, right, we're using a cert provider that can use that same interface, because we just need to give it a trust domain, right. But in the general case it's more about, you know, how can we enable those use cases from the ztunnel in environments where the token is not available. So that was my whole context.
D: Yeah, I mean, this is something I'm super interested in, because in our use case, I mean, I'm looking at using ztunnel in other environments than Kubernetes, and a cert is going to be available as part of the platform. So I think, I mean, and, you know, VMs in Istio classic.

D: It supported certificate authentication, that's a feature we had for a very long time, and it's not necessarily applicable for the case, or maybe it is, for the case where ztunnel is running in Kubernetes. But for all other environments, or when it's running as a sidecar, it's definitely a mode that will be most used or most useful in all cases. So that's pretty much a requirement, at least for my use cases that I'm working on also.
H: Maybe, John, I guess I'm wondering, like, what would you like to see out of something like this, right? Like, assuming that the two, I would say, requirements, at least in my mind, are mTLS auth and asynchronous, basically, for the implementation. Those are like the two, oh yeah.
C: Yeah, I mean, I'm not necessarily against it. I was mostly making sure that I understood, because I think the Istio VM doc currently is misleading and makes it seem like it's always a good idea, when it really only makes sense if you have two separate roots that are understood, or you happen to have the same one, right. So I'm not necessarily against doing it, I just want to make sure that I understood the use case and why not.
C: It depends. If you want to stick a gateway in front of istiod or something, this is not end-to-end, then you have to do the whole passthrough TLS stuff, which limits some options. But I mean, I can see, yeah, I mean, it really depends. So you guys have, I guess, some CA that already handles all these VMs?
H: Yeah, and in our environments also, these things share networks, so it's usually not, yeah. Even if it's going through gateways, it's doing passthrough. It's, yeah.
D: If we're talking about custom environments, we should also consider using the metadata server, which is used by most platforms, and, you know, so we should be able to plug in getting an access token or token from...
H: Well, so the reason I bring up certificates, so the reason I bring up SPIRE, is that SPIRE allows you to do that but then use classic mTLS. So I think if we go down the route of accepting JWT authentication and doing, like, JWT... like, I know, so, for instance, I know that Google uses the metadata server and then authenticates that JWT in istiod, at least that's from what I've read of all the code and seen. But, and, but I...

H: ...think that, like, doing that for every use case is a route that we could go down, but I think in the short term, focusing on something like mTLS and then using, you know, a project like SPIRE potentially, which allows you to do that JWT authentication separately from the data plane itself and not over-complicating istiod.
H: No, it's definitely a standard way, but then you need to put that code into istiod to validate those JWTs. So the point that I'm trying to make is exactly that SPIRE provides an agnostic way to validate those JWTs outside of istiod. Like, if you imagine that there's already a system that does that, and maybe that's not the answer that we want, but there is a system that exists such that it can validate the JWT for you and provide a well-known certificate. So it could be a way to keep the scope of istiod itself smaller.

H: Actually, is anything controversial? Listening to John, I think he was just wanting more information about the use case.
C: Yeah, mostly, I mean, without more details it seems like using a K8s JWT token if possible would be ideal, but maybe that's not feasible. So...
D: You really want to use SPIRE with the SDS UDS, whatever interface, or just SPIRE with CSI or whatever, mounting a certificate and not adding another dependency, because there are two ways to get the certificate from SPIRE.
H: I mean, there's a bunch of different ways, like you mentioned, and I think all of them require, like, I think that all of those should be separate from this particular conversation, right, because what we're talking about here is just how we want to enable mTLS in the XDS, like, in these connections that are happening from, yeah, how we want to enable XDS in the non-workload connections, right. And I don't think that it needs to be like, oh, how do you, you know?

H: Does it need to be SDS, or does it need to be the workload API directly, or some mounted file, right? I think if we come up with a way that we can add each of those later, each of them, right, because potentially, depending on the environment, you might want to handle it differently.
H: In the, probably, like, something like SDS in the short term, so there's a shared, because, like, let's say something like SPIRE already supports it and it's a known interface to do that.
C: Maybe you just answered this and I was a little distracted, sorry. So how many connectors, like, we have this generic, better thingy? How many different ones are we going to implement in the core?
H: I mean, in my mind, I would say at most, probably, you know, definitely file, maybe SDS. I would definitely keep it small.

C: Okay, the reason I ask is we have this issue that's like "identify interfaces for extensibility" or something, and it's trying to define the minimum set of integration points for various things to support all use cases, because Istio currently has too many. Like, we have like 10 ways to integrate with secrets, and I find that's great, but we could integrate with just as many products with probably two or three or four.
C: We do OpenTelemetry or Prometheus; maybe for certificates there's a lot more choices. I just want to make sure we're conscious about making the smallest set to meet the maximum use cases, so we don't end up with the kitchen sink of, like, hey, here's 40 ways to get a certificate, go for it. Yeah.
D: How about four? I mean, two for certificates, plus a mounted JWT, plus an MDS address, so two for tokens, two for certificates, yeah.
H: Yeah, you have authentication plugins versus cert plugins, because you could technically do authentication over, right, an mTLS stream if you really wanted to. No, I don't know if istiod supports it today, but I do think those are technically...
C: I mean, the number sounds right. We have to look at the cases it covers and, you know, whatnot. Let me link on the issue. I forget some of the context today; I thought about that a small amount a while ago.
H: No, and I think that's why I mentioned SDS. I mean, if there is a different mechanism that others think is like kind of a go-to in terms of cert, you know, interfaces, that I don't know, I don't think I know of any, yeah.
C: I think, at least at the time, I wanted the Kubernetes CSR API, because it's Kubernetes, so it's kind of a standard API. But it's not quite the same as SDS.
C: Yeah, so I don't have an issue with the PR as is, it's not actually adding any integration points. So there's none of that contentious stuff, so I think I'm fine with that. I mean, I didn't look at the code or anything, but the idea seems fine. And I'm fine adding more integration points, we just need to do a little bit of discussion and get some consensus.
H: Yeah, I think it's interesting that you mentioned the CSR. I kind of want to leave, like, Kubernetes writing and reading; it does kind of make sense, but it's an interesting thing for the ztunnel to do, to be involved in Kubernetes operations that deeply, right? Right now it's very much just, it's all gRPC, yeah. That would be a pretty big change.
D: I think it makes sense actually, but probably John should be aware, the other people should go with that. This may go in this direction.
C: Yeah, that's what I had assumed, right, we'd have the same set of integration points and probably two configs, which default to being the same thing, and say XDS client is X and workload is Y. I don't know, something along one of those lines.
A: Okay, George.
G: Hi, I was at the meeting, I think at the beginning of last week, to talk about conformance, and I was wondering if I should file an issue, or had you all had a chance to discuss it, that kind of thing.
C: We did not get much progress in that meeting. Nothing else has happened since then; that's kind of the current status. But I also brought it up in Slack, so people have been thinking about it and we just haven't had a chance to meet, so I don't know what people's thoughts are.
G: Okay, awesome. I guess I'll just give it another week then, and just to let you know what I'm working on: I've been investigating how the Kubernetes conformance got started. So initially they ran the conformance test on every major release of Kubernetes, and everyone quickly hated that, so they moved to a more time-based approach, for a year, and that's what Chris Aniszczyk said, that you might want to consider just starting off that way. And then my second question is: is there, like, a test suite?
C: Istio has a suite of tests that you run with go test XYZ and a variety of flags, and you carefully set up your environment to make it work and do all sorts of things. That's maybe not as streamlined, but it does exist and it does run a set of tests. Now, passing those tests, I don't think it's running the right tests that I would say is a conformance test. It's running things that are, right, not specific enough and too specific, and things of that nature. But it's kind of...
H: Can I, sorry, I missed the context on this. Is this conformance for the data plane or the control plane or both?
G: This will be for everything, actually. You all would decide, actually, what conformance covers.
H: Oh no, I was gonna say, I mean, I can imagine, right, if you're developing an Istio solution, an ambient solution, and you want to come in and say I want to replace the control plane or I want to replace the data plane, right, or both, or what, you know, what that looks like, yeah.
C: I think it's both. Like, you could replace anything, and if you do, it should still work. In the past, that's kind of what conformance tries to solve, same with Kubernetes, right? You could replace kubelet or the API server or anything in between, really, and as long as you pass the test then you're Kubernetes.
G: It's okay. Things like this are very, you know, gotta get the process moving a little bit every week. So, okay, awesome, thank you.