From YouTube: Istio Networking WG meeting - 2018-08-02
Description
Agenda:
- Istio 1.0 is out!
- Discussing VirtualService Delegation RFE proposal
- Istio-pod-network-controller
- Scaling endpoints
A
All right, I think we can get started. Hi everybody, and welcome to this wonderful community meeting where we have a big item to celebrate, and this is the release of Istio 1.0, yeah. Yes, so it's time to cheer, be happy, and Frank, I want to thank everybody for their contribution, because this is, was. This was an amazing, like, community, important collaboration and contributions from everybody in this working group and all the other working groups. So this is really amazing. OK, so I hope everybody had some champagne or something to celebrate with it.
A
B
A
C
A
Good, yeah, and we'll have more items on the agenda, so we'll probably cover this for about 20 minutes. I think that's fair! Let me know if you need more time. Then I will discuss the upcoming big work items, and one of them is the scaling of the endpoints, and Costin will cover this, and I see somebody else at the Istio pod network controller, so I think if we do 20 minutes, 20, and maybe we have minutes in the end left for you for the last item, I think we'll see how it goes, all.
A
B
They can write routes for those services, and other services, other virtual services, can refer to them when they want that routing functionality, rather than incorporating all the routes in a single document. So I think after sending the doc, I'd received, after sending the email, I received some feedback from Louis and Shriram, and I thought it might be worth writing an RFE and getting that discussion going again since 1.0 is out. So this is the doc which explains the various goals at the top level, if you scroll a little further down under.
B
So these are the challenges that I see in the current document. Basically, there are three challenges. The virtual service resource can continuously keep on growing if you have a large number of nested sub-routes for each sub-path matching, and additionally, if you have a lot of matches on a regex or on a wildcard host, again, your virtual service resource can become enormous, and as it grows, the operational complexity is huge. So this talk, this RFE, aims to solve that problem.
B
Additionally, there is a very weak ownership semantics in the current virtual service spec. I'm hoping this design solves that issue too. And the last thing is, in Kubernetes, if you have namespace-based ownerships or namespace-based RBAC policies, at least in my mind, there is no clear way to have a similar behavior in Kube, in the current Istio virtual service spec. Yeah, alright. So with that, I mean, the document basically goes through a simple example to illustrate what the problem is.
B
The example is this, where you have two virtual services, foo vs and bar vs. Foo vs is for the foo service in the team one namespace. Currently, because the virtual service route destination has to be a cluster, it has to refer to the host bar team two directly. As you're doing this, you are automatically skipping over all the routes which are defined in the bar vs. So in the current document, in the current resource, one way to do that will be to merge all of them together, as I say in the table below.
B
F
B
E
G
Roxbury is that you have, you have a single hostname, and within a subsection of that hostname's namespace, like a path, the ownership of all these services (and there may be many that mapped into that portion of the namespace) are owned by one distinct organization than another, sure. Right, so let's say you're google.com, right. Google has Gmail and you have, I don't know, Play, yes, right, and so google.com slash Gmail is owned by a massive organization in google.com.
G
H
E
Discussion of ingress as well, and there was a very big debate about how far should we go with merging stuff, because this example, when we take header matching, everything else, becomes very, very complicated, both to implement and to understand by the user. If the use case is not always, you know, basically, you have a prefix, I mean, you have the domain namespace and you want to, also want to add the prefix to say that Gmail goes to some other domain and so forth.
G
This is one of the intrinsic problems with HTTP, right? I mean, you can end up on these word permutation cases, because, well, the URI structure is strictly hierarchical space. People do tend to route on things that are outside of that. For instance, you say, maybe, like, I have an experiment flag and a header, and that goes to an.
H
My favorite, the talk about, like, there are certain classes of merging that we can do relatively easily. Thank you. Actually, I'm not convinced of the merging is really what we want. Andrew, he scroll back up to that first example. I actually think that it can be pretty nice if this just worked correctly, where, when I'm at one, where the left side routes over to the virtual service on the right side, exactly.
G
H
G
E
We can imagine in pretend is not clear how we can be, you know, made to scaler, yes Quincy, and what do we want this? We would just move to approach the other side. I mean from my. You have Detroit host that sees too much and is a literal host. You need to apply a large number of rules because of the. If, if we're in a large organization, you may have prefix matches and so forth. This at some point needs to be optimized in scale to national breast.
G
J
It is personal, worry doesn't want to do it, that's just so much complexity for something that you can actually automate at the control plane, or at the GitOps level, right? It's like, I mean, this is, yes, it's a column, but, like, imagine you build something else on top of whatever we have that actually offers this abstraction, where, you know, you have a UI or something that says, like, here is a something delegated thing, and then somebody else comes and overrides it. They all go through one combination.
J
I agree, but I'm saying that this, I mean, is, rather than trying to make a hierarchical list with a non-void, this is something you can actually handle very easily with an additional layer on top, not directly as a YAML thing that interacts with Pilot. But, you know, you have a, build additional layer, stick a database in, and that thing automatically takes and much this thing and you.
G
Know is there's two different issues. Like, I think we know how to make Pilot, like, if you want to do a delegation thing to another declaration for the same domain, that's fine! We can make that work, right, though the configuration aspect of it's not hard. Well, there's a separation, we'll talk about the access management stuff, and then there's, all Pilot can do is flatten that down, right, into just an ordered list by basically treating everything as a conjunction. Yes.
C
J
J
You are now going to have two or three matches, one which has a wildcards assist, asterisk or local, and then another which has an exact specific match, and then there's something else that comes in between, and then you have to take all of them combined and merge them, and this is where the match conditions start getting complicated, because you have a regex on top and then, like, you know, somebody else has a specific part in the bottom. You don't have to do.
J
Is they get matching according to how on why would the extra gets much easier, miss good thing? That means you have to import JavaScript objects possible to this, because, I mean, people probably have, like, you know, some foo.com / department one / something else. I just want to delegate, slash department goes to this virtual service, where they can do whatever the hell they want, and that's where all the follow-ups, not English, which.
G
I mean, sure, trying to explain to people that we're gonna reorder something, right, or, like, that difficulty we're gonna have is invalidation, right, because you're gonna have raba clusion, right, but trying to tell people that doing anything other than ordered dispatch, and then we'll say that somehow magically we can make ordered dispatch tree-based dispatch, sure, but we shouldn't present anything other than ordered dispatch in the interface. Otherwise, it's gonna be really hard for people longer. Simon, API, I.
J
What we do instead is have a different const, a completely different construct that has same or limited semantics of virtual service, which simply says host match and delegations, and, you know, some features that we know can actually be changed. Like, you know, the header matches can actually be all appended together, but nothing in, nothing in traffic's, nothing else, just host match and probably the source label match, or not. Even so, they will match. I mean that.
J
E
E
E
F
J
The complexity into something else, right? I mean, this is effect, I mean, the simplest and the most dumbest way, if you give me, like, one week to solve this, I would just simply have a very simple MySQL database in a simple UI, where somebody goes and enters the rules as a top-level tool, and then somebody goes and enters a more specific, delegated rule, and I would just use a bunch of scripts to, like, generate, to spit out the complete rules.
J
J
I was trying to say, I mean, so if there is a dire need for something that's not, like, you know, you can just start with scripts and database and so on, but rather you want to create a full, full-scale API, I think then create a separate constellated, I mean, like, you, don't virtual service pand, whatever it is, some fubar virtual service. That's, like, a new API construct which has, like, set of all hosts that would match, and that's the only thing where the delegation is set, and it has a very limited set of concepts.
J
H
G
G
A
G
G
E
E
G
J
Example, right, we can even write that, that merging thing, like, you know, some, that simple later, when somebody talks database, fetches the thing and spits it out. We can even write it for end users, because, like, we know how this thing works much better than anybody else. So we know the semantics, and you can just simply expose a very, very simple, demas UI, which simply says here.
G
There's a separate concern or a separate topic here about, oh, there's, obviously, the scalability stuff, and what we want to capability the system to be. There's, you know, how do we won't be able to do this, and one other thing that needs to be dealt with in general is how do operators claim ownership of DNS namespaces that are not implicit, yeah? We don't have RBAC over, hey, how does Costin claim ownership of *.google.com, right? Mm-hmm.
K
G
B
I totally agree with Louis, but I think that can be dealt separately rather than on this proposal. The idea here is, in my mind at least, the mental model is every service in your cluster, ideally, you can think of it as a reverse proxy in front of it, which is doing all the routing, for sure, yeah, and.
G
The issue I have, and do you think these need to be solved together to some degree? Okay, if we define an acting system that says this namespace owns, you know, star dot, you know, yahoo.com, and then you want to delegate to a virtual service declaration in another namespace, right, and how does the a clean system work without declaration, all right? What are the expectations around the ability to edit it? What kind of declaration must occur in the, yeah, and.
E
G
B
And I agree, I mean, we can have an example where you have a common hostname, which is where, in this example, it holds true, and you have, for specific paths, delegate your routing to specific services, different services, and then, as you have sub-routes and path matches within those, your virtual service spec keeps on growing. I think currently that is a real problem where, if you have a lot of routes for a specific host, I think can I it very difficult to my that.
J
Is, I agree, but what I'm trying to push here is, what you're trying to compress it, I mean, what you're trying to push in is the user experience in terms of, like, and how you're going to match and how you're going to, like, let thing delegate and so on, into one giant wall of YAML, flat at the a melody.
J
It is a, into an API that is meant to be, like, more modular and, like, as a composability API. Rather than doing that as pushing it down to the lowest start of API, construct a second layer above it where you can occur, you can create exposure thing to the end users Marrakesh. They can submit their things and you have the logic.
G
J
G
B
Operator can look at, I think if an operator looks at what they have configured, the smallest unit possible, it makes them easy to understand things, and I agree that when it gets lowered to Envoy, you still have a big list of routes which is difficult to debug, and we can't have a good solution in there. Well.
J
J
A flattened, one giant virtual service for every host, which says here are the list of all routes that I map. This is something that machine generated, so there's no chance of errors. The human input things, which is also gonna be in the same syntax as virtual service, will be merged by a layer above which hatched and spits it out. Then, like, the security person would actually inspect the final flattened virtual service that your layer is generating, and the end users are actually end.
B
J
B
J
Control plane, so the main problem here is there's certainty in terms of, like, know. If there is a, there's a bit of thing here, where you have to decipher what the user intent is, and I got enemies, for example, if I specify slash Google and then somebody says Google slash one two three, there is an explicit intent here which, with, if you do with the NIST you they effectively in term, not even interpret images guessing the whole thing and trying to, like, in a match and let combine.
B
B
Layer above, you do two things: either you take away some of the functionality which the layer below provided, or the layer above is the exact same replica of the configuration and the API which is below, because you want to provide all the functionality. So you haven't actually solved the problem. You just pushed it to a you.
J
E
I
E
G
A
Thing and explain what I understood it is in more, like, simple things. So are we trying to do some sort of hierarchical partitioning here, where we have some set of route rules, right, that applied to the, like, almost in the DNS? Let's say I go to google.com, I have my top-level rules, and then, depending on, I can go, let's say, to Translate, I apply some other rules, but there's.
G
B
A
L
G
G
H
So, as far as, like, short-term steps to proceed, I think Sriram is right, and then, like, a tool to prove this out is a reasonable way to start to implement this, right. It's like, we clearly, we don't quite know what we need here. So I think that would be a pretty lightweight way to iterate on ways that we could expose this and what that new API would look like without actually impacting Pilot, right.
J
It should be a completely interactive tool where, like, when it actually looks at these conflicting paths and conflict in networks and so on, it actually presents the questions to the user before actually, like, doing anything. It's not an out of the ball asynchronous, like, admission control tool or anything of that sort. It's purely an interactive tool, and we can actually, we can ship it.
J
H
E
H
H
B
E
Actually, if you look at the reverse, I mean, if we start to talk about discussion for the mess and how we delegate and how we actually shape configurations that we want to reject, it will also simplify, because if we have some way to delegate at arbitrable, it would also fit into this, this delegation, because.
B
L
J
G
L
G
Like most things, right, yeah, we have an infrastructural API on virtual service. It does a lot of things, and it, to some degree or other, is usable directly today. So I do expect lots of users to keep using it, yep. Now, whether there should be higher-level APIs on top, well, we've already seen one happen with Knative, and we're not gonna preclude that. There's a separate issue about whether we want to keep making usability enhancements to virtual service, yeah, right, to support some of the things that need rise, right.
G
G
N
J
This code can I come in where the code dress is different. That, I mean, like, we have all the libraries and validation stuff in Pilot, but this thing is gonna have, if you're gonna prototype the merging and so on, there has to be some form of a database, and whether we can use the same at sea, RDS or modify and write, and so on, we just keep that separate and then bring it in, which is a much more easier path, faster, D plate, rather than.
G
H
H
G
A
B
E
G
G
B
G
G
And the plighted, oh yes, so Google has a product that Kubernetes configuration astronomical. The name of it is, which is basically a kind of automation around this GitOps principle that does policy composition and other types of things, and I'll have the guy who work on that help to review whatever we do around the RBAC stuff, and we can also talk about how the composition or delegation might work. This composition is really domain-specific, but we could make sure at least we are aligned in convention.
G
G
A
G
C
O
H
B
There are few things that I've mentioned in the doc. When you guys get a chance, please read about these semantics. Like, for the thing that just wants to be delegated to, we can even skip the hosts if you want, because the hosts of those are currently ignored. These are just for composition. The top-level parent is the one which gets to decide what the hostname is. I thought.
A
A
E
H
P
B
A
L
Gets really complex. We've done this in Cloud Foundry. We allow domains to be associated with one deployment of gateway routers or another, and the cardinality of pools, where I guess in Kubernetes land clusters, and those routers and the allocation boards gets really fun. So I only see HTTP here, but it would be interesting as the community thinks about I miss you TCP IP is.
G
E
E
E
P
L
H
G
Q
J
R
R
A
R
R
J
So this is just an init container, right, which is not even going to contain any application, I mean, unless you write your own init containers and so on. This is just gonna, it's transient, it runs and then it is gone, and this is not something that this is running, like, while your application is running or, like, so on. Right.
R
I mean, let me get into a little bit deeper into that, because I understand that this is the point of view of the, maybe of the community. But let me ask you, then, let me add another piece of information. So there is an upcoming feature in Kubernetes, which is called pod security policy, which.
R
To specify what a pod can do, certain, it's a set of profile for the permissions that you give to the pod processes, and it's now in beta. This is something that, if you don't activate it, anyone can create a privileged pod, and that's basically how it works out in how they any container works in OpenShift, so I'm about, for that, so I've been using OpenShift.
R
Obviously, in OpenShift, these features has always existed as this security context constraint, SCC, and, as you probably know, in OpenShift, it doesn't work by default because the default SCC does not allow you to create privileged pods, and so you have to add this line to your namespace. You have to run this command on your namespace to basically give the default service account privileged SCC. Therefore, the default service account can create privileged pods. This is like giving your developers root access to the nodes. Well.
J
So let's say this is the case, right? Then the solution that you're proposing, like, when I was looking at solution airy proposed, like, even if what a moment was like a parliament that doesn't. This is actually the, this is actually an issue. Then the solution aliyou had four poles, right, which was to actually use the controllers to actually do this, I mean, that would be in the table in the next slide, I guess, yeah.
R
So let me, so yeah, so my prediction is, as soon as other Kubernetes distribution will pick up on the pod security policy and will create default security policies that don't allow pods to be privileged and therefore to have privileged containers inside of them, this problem will become apparent also to the, you know, more broader Istio community. OK.
E
H
E
E
R
E
R
R
E
R
J
J
E
R
N
G
R
R
J
E
R
H
R
J
J
E
N
R
J
H
E
J
R
I can add, I can add on that. By the way, NET_ADMIN is still too powerful, I think, for most organization. But the reason why for OpenShift it still doesn't work, it's because SELinux, and I cannot tie the know why exactly, but SELinux accessing the way there. So the only way to work around that is to have privileged pods.
O
R
A
E
On scalability issue, I want to quickly talk about the fact we did the load test with this scalability test, and some custom users reported the same problem. 1000 said we saw two thousand endpoints and we start having problems, and we discussed a medical experiment, and we know a quick fix to improve that by caching the virtual services, the other interest used in infant regeneration, and I think we are discussing cutting the 1.0.1 release in two, three weeks with justice Peaks to get scalability to better numbers.
E
E
E
G
We're gonna, like, I'm gonna go talk to this security folks on the Kubernetes team about their plans for reducing privilege and get them to review the proposal. Yeah, I'm going to talk to people like Maya. You know, she's at Def Con, so we will get some review, because we need to go through around her review with this. Okay. It is an area that needs more focus, and we need a holistic proposal that enterprises are going to accept.
G
You know, I'm not sure that they, there are enterprises that are already willing to do what we've done today, yeah. So it's not clear that it's, but there are certain classes of enterprises that will want the app Simone, absolute least exposures, and we'll have to try and find ways to give it and.
E
E
H
J
The reason is, the reason we can't have unite, I mean, it still does not remove the NET_ADMIN stuff, it still requires NET_ADMIN, and this thing is effectively removing the init container, which is actually nice, and I would even go as far as saying that, if this works, and this is me and me, then you could offer it as an option in the 1.0.1 and.
H
A
J
G
G
J
N
G
I
E
J
G
H
J
K
G
We get a doc going, the community drive. Just maybe take what you already have in your presentation and just dump it into a doc and put it the community, right. So we can start just piling on it and add some, not necessarily solutions, but add options in there, and then I can get it reviewed internally by some folks who are knowledgeable in this space too. OK.