From YouTube: 2020-04-02 Istio Community Meeting
Description
This is a recording of the Istio Community Meeting which took place on Thursday 2nd April 2020 at 11am Pacific.
A
Okay, so Connie should be underway again. Okay, thank you very much for joining us. It looks like we've got eight people on the company. So for those who don't know me, my name is Kevin Connor. I work at Red Hat. I'm an engineering manager at Red Hat, and one of the teams that I run is the Istio team there. So it's my my probably guess two to run the core today, I turn in the schedule, so we have a short agenda.
A
Unfortunately, I used up quite a lot of my demo slots for previous meetings, where I'm supposed to be leading this right out of people that I could pull in to do to do demos and things like that, though, unfortunately we just have a short agenda today. So the first thing that I wanted to cover was the releases. From last week they were two releases went which went out and Brian aber. He was on the call, he works at Red Hat as well. He was driving the CVE portion of those releases.
A
There was an update for 1.4.7, which included an update to an update for Kiali. There was an issue there with the way that they were verifying the tokens I made included a signing key, a static signing key, with them the distribute they container that they were distributing, that's one that had to be fixed, and that was also rolling to 1.5.1, along with a number of other stability changes as well to improve the release there. For 1.5, so those were shipped last I think was less went in this day.
A
It so if you haven't, if you're using 1.4 or 1.5 and you haven't updated, then we definitely advise you to do that, especially for the Kiali issue. If you so that's the only topic that I wanted to bring up today, it looks like John you've added in and if you support for using communities and see APIs that.
C
A previous community meeting, but the top topic came up of like using a Citadel or I think about him in the context is in the vault and I believe someone mentioned the idea that you could somehow configure Istio to use Kubernetes as the certificate signer since Kubernetes is like sort of signing requests and various things like that, and I tried looking through the docs to find out any more information about that and I couldn't find anything, so I don't know whether I remembered or understood things wrong or there are.
C
C
Use case or what is not being uncomfortable having a Kubernetes secret that has the private key of the CA floating, you know, CA floating around there. Just don't entirely trust they. You know, some someone with enough kubectl permissions could steal that and then impersonate pretty much anything.
A
Yeah, I know the use case. That's certainly one that we are interested in as well, but we on our side, we haven't done any investigation into that. There was I know there wasn't even brought in with one for which does it through DNS. I'm not sure whether that is possible to go there. Is there anybody on the call who would know from what do you know anything about that? No.
A
C
A
A
That I know off the top of my head. It doesn't sound as if anybody on the call who knows that one as well, so yeah, I mean take it to discuss and we can chase it up there and know that we're going to be in we're definitely interested in that from the Red Hat side, it's one of the things that we have to do as part of our mix release. So we can get somebody to take a look. Nobody else connects with it.
E
So this is a generic problem with Kubernetes specific, so right now running Istio sidecar for short-lived jobs is being a problem and the problem. There are two problems there. One is whenever this short-lived container gets into completed state, like there is no mechanism to kill the sidecars, and the second one is duty ordering of the things. Sometimes these short-lived jobs are just making networking requests before the Istio sidecar comes up, and then this is just causing failures.
E
But due to some data processing jobs that we have, it is possible to retry, because we don't know whether it is stemming from a networking request or a data processing problem, and this is specifically being an issue for Kubeflow pipelines for us, because we are unable to just I get into the line and then try to add some wait statements before making networking requests, and we are normally planning to just like develop some hacky solutions around things. But I don't know if anyone else has any recommendations about this problem.
A
C
F
C
E
I saw that one, but the problem is this Kubeflow pipeline thing, because we are unable to just inject that into those containers, but we are planning to do a similar thing. Probably we are gonna just create a separate mutating webhook controller where we're gonna just inject some scripts to do a similar thing, and also there will be a separate controller which will be checking the container statuses and then kill Istio proxies whenever all the other containers are in completed states.
C
A
Yeah, so on our side we did some investigation with CNI, where we actually had a version of CNI which kick-started the Envoy process as well, rather than playing as I cough. So we were already using it to set up the iptables the issue, so Michael look so was the person in Red Hat who did that. There is likely a GitHub repo around with his stuff there.
A
The issue that we had with that, though, was that because the proxy was being started in through the CNI, that there was no real way from Kubernetes to either restrict or track the resource usage for the sidecar. So we couldn't find a way to actually make Kubernetes aware of the fact that it was running and get it restricted through the the cgroup stuff. So Marco was certainly working on the sidecar proposal and providing feedback on to to that. There I think that he did have some issues with that.
A
There I think it was it's it's kind of like assembly by 80% solution to what we had there, and I think it was to do with the fact that they've evening with the sidecar, they split the init container part from the main containers. So if I remember rightly, it's been a while since I've read there, but you ended up with two different sets of sidecars.
A
For that you had to actually specify, I suppose there was something something strange like that, but I'd like you to say that's for a future version of Kubernetes, but it's if you can get away with using CNI and you don't mind the fact that the sidecars are not the resource usage for the sidecars is not tracked, then you could look at Marco. Lucas's were conceived, I give that to to give up running, and he would certainly be more than myself.
A
C
A
A
Next Mel is pointed to is pretty much doing the same thing there. So it's waiting for the sidecar healthy state before it goes in on the command, and then it's got this trapping exit and then studying sending the quit signal. You can, if you could tie that in with injection, that would that would likely do it.
C
E
Are gonna implement something like that, but this is gonna definitely be separate from the rest of the ECT of components. Yeah, yesterday I was able to just come up with some work in POC, which will just check in the container services and also injecting some stuff to wait for Istio proxy, and yeah, it worked well. I just wanted to double-check if there is anything else before we start implementing and spending some time on this.
C
C
B
E
E
E
In relevance addition, here's I also looked into Telepresence in the meantime to just run things from my local environments and allow Kubernetes clusters to connect to my laptop, and it worked pretty well. I remember seeing the demo here in one of these community meetings and I'm not sure if those folks are here at the moment, but thanks for the work as well. They're.
A
So all I all had a project which I'm sure they'd remember the neighbor, where you could run a debugger in the remote cluster and then it would proxy the connection through to your local dealer. So then Telepresence does it the other way around, where you can run something locally and then it proxies all the traffic instead, your local instance. So it's to two sides.
A
A
C
A
Yeah, that's our community for our Istio formed. Essentially, so we added things like sub multi-tenancy and stuff like that there specifically to integrate with OpenShift. We have some other projects in there as well. So as talking about ash are the two guys who work on on that site and they are doing this independently of the work that we're doing around the service mesh work. But with with that in mind and with using SEO as power, research I think it's this one. As with previous Kansai, can you find it.
A
A
A
So you can run things in the cluster in two different ways. You can either have something run locally and have it be proxied from the cluster over to the local instance, so the tooling that they have developed will set up a Telepresence to do that and will set up the rules within Istio so that it intercepts the traffic.
A
It just gives alternatives for that, but they're developing tools around that. They didn't do the demo a few weeks ago. That was one of the ones that I arranged, I think it was Dan Burke who was running that that cost, how much or whether there's a recording of that there, but bartosh nest like we're gonna go away and do recording all the session and send that around now, so I will chase them up like that and get it to the minutes.
C
A
They have, but they're the kind of alternatives. I mean, I don't think they're, I don't think you can, I simply wouldn't choose one or the other. I think both have their place, so it all depends on since your set your workflow, it's good, so that's, I mean that's why we're looking at both of them. We're not really choosing one or the other, we're just trying to develop something around that to help ourselves as well as others to do people within this as much powerful. Well within the customer in general that we've tailored for service.
C
I just think I'm thinking myself, they didn't talk, Ramiz just come out with like debug containers or ephemeral containers, or something like that, wondering if anyone is he use those to like kind of deep deal with Istio and I know. It seems like a common thing if you want to like muck with stuff on voices, create like port 4 and then just like make a call to dump Envoy config or something like that. Has anyone done anything interesting with some ephemeral containers?
H
And yeah, hi, this is Lynn, so we have some interest to leverage ephemeral container. So one of the challenging we have today is we find out the the images that Istio use, especially for the site proxy, that sometimes they are like OS operating system have security vulnerabilities. Then you have to kind of update those, and sometimes it's the tools we are using occur. You know, different commands so that the shell, the bash, I think worker by just plain shell and different tools we embed into our proxy images. Sometimes those tooling have vulnerabilities.
H
So we do plan to leverage ephemeral containers, but we did try ephemeral contain as I terrible is the 116 was 17. We couldn't get it working, it was when it was like experimental feature of Kubernetes and which, why did we couldn't get a working? But the community does have intention, at least through design documentation, that we are, we want you to look into ephemeral contain awaits mature so that the users can run over our base image. Gosh I.
F
H
So we do have a distroless image today, but we couldn't turn that distroless as the default because it doesn't prevail and there's no debug tooling associated with it. So we will help me su ephemeral container support, user could attach an ephemeral container at run time and we would provide the panel container image for a user for the proxy. So they would be able to run this through this image by default and then attach the ephemeral container as needed to debug things. I am.
F
I
Ephemeral container stuff, I think one of the challenges is to enable that you need to set privileged settings to allow sharing of kids either pins or namespace. I can't remember what it is, but you you need to have a setting on the host that allows you to share some of those settings across for that ephemeral container stuff to work.
I
A
H
H
I don't know if any of you have seen that, some of the work group leads and maybe TLC member have seen it, so it's it's just so nice to see community actually making an effort to record what's going on on a weekly basis across different workgroup and be able to actually share that information through an email. So we'll have to look into.
H
C
H
So the last well I saw it's like a private email to a bunch of folks to like Walker, please and everybody. I can dump the contents to here. I don't, I don't think it's a problem because it's nothing confidential, but we need, we do need to work with SWAT. You see, you know, can we share on like a general channel, maybe some appropriate channel, and discuss. So it's like open to everybody. Yeah.
C
A
A
G
Thing that's worth mentioning is that people should keep an eye out on the blog section. Like I know, just in March there's been blogs about, you know, hints at what's coming in 2020 know. What's going on with istiod, like why we did it, how it affects you, the new walls and stuff coming in, and how to extend and write your own filters. A lot of good blogs, blog posts in there. I'll post a link to it in the document. But you know, it's something to keep up with.