From YouTube: Istio Networking WG meeting - 2019-08-15
Description
- Connect Clusters with Istio for Isolation and Boundary Protection
- Concise definitions of multicluster and federation.
- mTLS Adoption simplification
A
We'll have another live presentation from Lina and John Fay about mTLS adoption simplification, and if there is time, George would like to cover the topic called reducing Envoy overhead with kernel offloads. So let's try to do about 15 minutes each. All right, so Vadim, I see you're already presenting; go ahead, please.

B
Can you hear me now? Yeah, okay, good. So I'll talk about isolation and boundary protection. There are multiple compliance standards that require isolation of sensitive data and protection of the boundaries of isolation. So we have PCI DSS for credit card data. We have FedRAMP for federal data and information. We have HIPAA for health data, and we have GDPR, and NIST, for example, recommends putting a cloud environment on a separate network, and if you have one in C, so we have this security architecture.

B
So first we have a DMZ, a demilitarized zone; we have a back office environment, and we have some sensitive data environments, okay, for privacy data or federal data or health data or credit card data, and we have multiple levels of defense here. We have a firewall between the public Internet and the DMZ, a firewall or gateway between the DMZ and the back office environment, and we also have a firewall inside the back office environment between the sensitive data environment and the rest of the environment, and we also have RBAC inside.

B
And, for example, to clarify, PCI DSS requires performing penetration tests from outside, from the public internet, and also from the inside, so you'd have to test how your environment is protected from inside as well. Okay, from the back office you try to attack your sensitive data environment, okay, and the idea is that you want to isolate these sensitive data environments to reduce the scope of the compliance audits, to reduce risks, to reduce the cost, and you also want to improve security.

B
Okay, so, for example, PCI DSS talks about common network isolation of cardholder data. It has a requirement for a firewall between the internet and the DMZ, and between the DMZ and the internal network zone, okay, and also Google Cloud. Let me show you, I mean, from multiple clouds: Amazon, Google, IBM. They all have these PCI DSS compliance guides. This is from Google, for example, and Google recommends using network policies for this isolation.

B
However, for a large customer that we at IBM work with, for them network policies are not enough, and they want isolation by clusters and FA. My guess is that many customers will actually want to use multiple clusters for different environments, so the idea is to allocate a cluster per DMZ, per each sensitive data environment, and also for the rest of the environment, okay, and what I propose is to facilitate this cross-cluster communication by Istio: cross-cluster routing, load balancing and so on.

B
So since it's your control plane, I'm talking now about the shared control plane multi-cluster or single control plane multi-cluster, when you have a control plane that controls services in other clusters, and so it follows from this requirement that you cannot let an Istio control plane outside of your cluster with sensitive data manage the security of your cluster, and together with the previous item, shared: these two control planes do not provide isolation and boundary protection. This is my claim. Any questions, remarks on that?

B
So it's both requirements. Okay, so now let me switch. So once we understand that a single control plane or shared control planes do not provide enough isolation, let's talk about the third pattern, which is the multiple control planes with gateway connectivity, or dedicated gateways. So the corollary is that for isolation we have to have a separate Istio control plane in each cluster. However, still with the current implementations, we have a single multi-cluster mesh.

B
Okay, we have the uniform naming, we have the expose-all-by-default behavior, we have RBAC control at the destination service, not at the gateways, and we have common trust. So today, this multi-cluster single service mesh: consider this diagram at the top. You have a single mesh, and at the bottom it has the same single mesh split or spread between two physical clusters, and we have this pass-through gateway, and the idea here is just to connect these two clusters and to form a single logical mesh. So we have uniform naming.

B
We have the same names, namespace names and also service names. So we have the same foo in both clusters. We have the same namespace here, and we have this pass-through gateway and we can create virtual services to load balance between the local version in cluster 1 and the remote one in cluster 2, and the claim here is that this pass-through gateway cannot provide this isolation. It's the opposite, actually: it's there to combine these two clusters into one service mesh.

B
Okay, we have RBAC policies enforced at the destination services, but we do not have restrictions at the gateway, and this is what is required for isolation. And some technical details: this pass-through gateway is a TCP pass-through proxy. It doesn't do the TLS termination, so it cannot know the identity of the source; it just sniffs the SNI value, replaces the global suffix with svc.cluster.local and directs the request to the cluster by the resulting name. So this.

B
So let me switch to the proposed implementation. So what I propose is to use the standard Istio mechanisms: just regular ingress and egress gateways, virtual services, destination rules, RBAC; use HTTP rewrite to rewrite the path and authority; for DNS, use Kubernetes selectorless services; just use the standard Istio installations and perform ad-hoc cluster pairing, okay, that is, to deploy two private gateways for cross-cluster communication with special certificates and private keys, and these gateways will trust each other, and no trust is required between the sidecars of different clusters.

B
We have trust only between these two gateways, the private egress gateway and the private ingress gateway, and we selectively expose the services. Here we, the owners of the cluster, decide to expose myfoo, okay, by some tag, and the owners of cluster 1 can bind to this remote service and they can define a virtual service with the local name and perform load balancing between the local and remote versions, and please note here that the application uses the local name, like foo.ns1.svc.cluster.local.

B
The application is not aware that the load balancing is performed between the local and remote versions. Okay, so this is the proposed implementation. I wrote a blog post about it, and I would like to get your feedback. I would like to publish this blog, okay, so let me switch, sorry, to the blog, okay.

B
So the idea is that, okay, so this is the initial state. It's two clusters. In the first one I have bookinfo: productpage, details and reviews version 1. In the second cluster I have ratings and reviews versions 2 and 3, and these services are in different namespaces, default and bookinfo, and I also have different names, for example myreviews here in cluster 2: different names, non-uniform naming, no common trust. What I do here, I create two gateways, say paired gateways, with the certificates, and they trust each other.

B
Okay, so I moved the exposure of the ratings service from cluster 2, and now, as you can see, the ratings service is not available for reviews version 2, but it is available for reviews version 3, which is in the same cluster, okay, and so what I propose as the next steps: we are going to write an automated pairing operator.

B
We, people in IBM, to automatically pair these clusters, to create these gateways with certificates, and I propose to consider making it part of Istio, of the Istio multi-cluster operator, and also we want to automate this exposure and binding of services, and maybe to create another operator. So I would like again to post this blog post.

B
Good question. So here exposure means that you expose your service at some path at the private ingress gateway, and you configure consumption of this service, okay, at the egress gateway. So here, for them, the service bar, the virtual service ns1.svc.cluster.local by local name, and here they configure how the routing is to the remote cluster.

G
Vadim, a couple of questions. Now, the way: you need to go through an egress gateway, right, I presume, and the ingress gateway on the remote side. You need to trust the certificate authority of the consuming cluster, right, and you said they weren't in the same mesh. It's tricky: the same trust domain, so they did not have the same CA, true, right?

G
Want it? No, no, it's only the common trust between all the services in a consuming cluster and the ingress gateway in the receiving cluster. It's not n-by-n doing it that way, right, because the disadvantage of doing the egress cluster and having it terminate is you lose the knowledge of what the consuming service identity was. Okay.

B
Okay, so it's an additional requirement to perform this, right. Okay, so the gateway performs the rewrite of the path and the authority. So this is an additional function of this egress gateway. First, and regarding your question about the identity, I think what we can implement is just passing the identity in some header, so the egress gateway will pass the identity to the ingress gateway in a header, and the ingress gateway can pass the same header to the destination service. Okay, but then now we have to do.

B
Yes, maybe, but additionally, an additional idea here is that maybe, if you do not have any, the identity of one cluster, maybe remote, will not tell you much, okay, so the services in one cluster just may not know the IDs or the names of the services in the calling cluster, see what I mean?

B
Yes, so here, for example, the destination services will know that they are called by the ingress gateway, so they only trust their ingress gateway, right; the ingress gateway will know that it is called by a private egress gateway that it trusts, okay, and the egress gateway will know that it is called by specific source services. So it's another, say, model of RBAC, and an additional point is that, you know, in this case we can also switch to access tokens.

G
But what information, right, I understand? We want egress gateway policies, or egress policies in general, to prevent services from egressing into things they're not supposed to; that's a given. So that doesn't mean that the implementation detail of a service, right, has to be exposed into the consuming cluster, which is what Vadim currently showed, because he was doing authority and path rewrites, right. That is an implementation detail of the producing cluster and.

G
Basically, what you're saying is this is an egress gateway, an ingress gateway whose job it is to expose a set of services to another cluster, and what those services look like, right, is entirely up to the ingress gateway to decide. I mean, consuming clusters shouldn't know any details or shouldn't perform any action other than effectively treating them as L4-like services that they talk to. That.

B
Okay, so, first just to clarify, maybe here we have this double translation, so myfoo in cluster 2 is exposed as c2.example.com, myfoo version 2, right, and in the consuming cluster you have to perform the opposite translation. So you have this translation from foo.ns1.svc.cluster.local to this c2.example.com, myfoo path. Okay, so you rewrite this authority and you rewrite the path, but we probably thought that this path is probably optional.

G
Nate and I were having a conversation about tooling to help automate this with Pilot and MCP, so you could create these special types of egress/ingress gateways that then would act as MCP sources for their clusters, right, so you didn't have to do dual config, right; you could just say I want to consume services from that, right, and then it would import those definitions at c2.example.com with all the necessary information, so, right, including what trust domain you wanted to use.

G
Let me just, because Nate has been working on some stuff around terminology and I know Frank you have as well. Can you three do a pass over Vadim's blog and the team? In addition, we should talk about the topological things and what we actually recommend people to do, whether we should start with a simpler model, right, where we don't recommend virtual services on both sides or things like that. We push more things into the ingress gateway, and then we talk maybe about variations which have more complexity, might find better, optional.

J
In this blog post and in a lot of other places there's a lot of confusion, a lot about the fact that the current multi-cluster mesh gateway exposes everything by default, and that is, I think, on the edge, and it's a bug or a missing feature, and we probably need to keep the bug as a P0. Because it means, in a sense, that we're exposing by default, and is.

A
Okay, so anything more on this before we go to the next? Nope. So before we go to the next I'd like to actually raise the fourth topic on the list by Josh, so George would like us to review the document that is linked in the meeting notes. It's called reducing Envoy overhead with kernel offloads. So please go ahead commenting on the doc. There will be a formal review in a month or so. Okay, all right.

F
So the purpose here is just to get everybody to know, to see this. We don't necessarily have to spend a whole lot of time talking about it here. Let me just, you know, I'd like to get people to look at this PR and put their comments, and Nathan's already done some good stuff there, added some good comments. My point here is, you know, okay, what Vadim was talking about? He originally was calling that federation in his blog and then, because of all the pushback.

F
We don't really know what that is. He took it all out, so if you read his latest version of the PR you'll see he took out all that talk about, you know, these different patterns and all that stuff. It's just showing here, this is a pattern. I maintain that that pattern is a pattern of combining. You know, it's a multi-cluster because there are multiple clusters in this picture, but people, when you talk about multi-cluster.

F
What I think we're really referring to is a single mesh composed from multiple clusters, and we should be clear, so I'm trying, with this PR, to come up with a concise definition of what we mean when we say multi-cluster, that we do mean a multi-cluster mesh, and then, when we're talking about something like what Vadim is showing here, that's a pattern where I would argue we're not combining, we're not trying to create a single mesh; we're taking two meshes and we're federating them. So I think.

F
That's why I would say that I would like to call that mesh federation and talk about multi-cluster to mean a single mesh, so basically this PR is trying to make this distinction and just to give these terms concrete names that we can all agree on. It's just a glossary entry. In fact, it's not going to get as.

F
What the, how do, all that is all irrelevant to the purpose of a glossary entry that says what does the term mesh federation mean, and I'm trying to as well? So my PR is trying to just say something, you know, at a very high level; it's a baby step, as I told Nathan, just to try to get, you know, some concrete terms that we could just be using, and what we mean by mesh federation is a thing that, yeah, there's, there aren't, you know, there is no common trust.

F
Only going to be information that's in the concepts documentation, not the glossary. The glossary is just going to, you know, put a stake in the ground that this is what we're going to call it when we're just combining meshes like this, and this little concept. This PR is really a baby step and I'd just like to sort of get people to look at it and try to just come up with an agreement that this is what we mean when we say mesh federation and this is what we mean when we say, you know, multi-cluster.

I
Just to tie this together to the coming-soon concepts talk, so the concepts docs definitely call all this out now. So it's pretty well articulated, I think, at this point. I am saying, for one section that refers to multiple clusters, it's all within the context of the single mesh. There is no talk of multiple clusters across multiple meshes, because that's multiple mesh, so that is pretty well spelled out, I believe, and I do use the term: when I talk about multiple clusters, I do say aka multi-cluster, so it probably is.

F
Worthy of a glossary term at some point. I think what you're saying is we probably are all on the same page. It's just about, you know, when people have multiple clusters with Istio and they're trying to flip them together, you know, do they understand that a multi-cluster mesh is what we call this thing? That is a single, and, you know, it's there, but that's what's a glossary term that we can just point to normally when we mention multi-cluster. This.

F
Glossary, I think the glossary intentionally would not, would be a higher-level description. It would apply to any pattern of how you implement this. If there's one or multiple different ways of doing it, the glossary entry is just to say what this is and not how the connection, and not how, you know, so I think that's the point, just to come up with the term. That means, you know, like if you look at, what I'd like you guys to look at the PR and add your comments there, yeah.

J
At least we need to know that it can be implemented somehow, because if you don't have answers to the question about identity, how do you manage the certificates? What certificates, meaning the naming is not consistent, and how do you address things? If naming is not consistent, I don't think the previous, maybe concrete.

G
To say consistent naming and identity represents the same mesh. Yes, right, it's only when we get into federation. Do we choose to allow some terms to vary, and is it more acceptable to vary by administrative domain, I mean team-wise, right, just independent action, or is it more typical to vary by trust domain, I mean not common roots, right? So, Vadim, the customer you're talking to, right, a concrete example: on which boundary did they actually vary, was it administrative domain? Or was it.

P
Thanks Sandra, so I want to discuss a little bit about a proposal that is trying to simplify the mTLS adoption user experience, and here is the design doc, and I received a lot of feedback. Thank you, folks, and I think two, since they're basic, I would like to discuss, firstly, the first things about how we can? What kind of this? Basically, this proposal is designing some mechanism from Pilot to simplify the customer adopting mTLS when they're in permissive mode during the migration phase, and that feature of this, I need some configuration.

P
Alright, so the problem today is that we need to configure too many things for adopting mTLS, and especially then we think we can do better, and especially in the permissive transition mode. Then sometimes the server side does not have all, they have the sidecar, and customers need to figure that out themselves and they need to add the destination rule and authentication policy twice to adopt mTLS, and so we are proposing something to track the endpoints in Pilot to do that same configuration.

P
Pan, if you are sure, but there is the menu in lockdown, so that's a different story. Okay, so there, basically there are some API improvements and the same user mode and the API side. So there, under these designs, proposing your feature. Pilot is checking the endpoints and this feature needs some options to.

S
Greg Hansen here. I'm working on the mTLS auto PR; it's out there now for people to provide some feedback. That's a big thing in that upgrade scenario from permissive to strict: any destination rules that they have deployed actually end up breaking communication that they had in permissive mode when they transition to strict, because we most likely do not have a TLS block defined in those destination rules, and so basically one of the benefits of this pull request is, if you're in strict mode.

M
So I mean, I think there are multiple problems. The first problem is what Greg was mentioning: as the user transitions from permissive to strict, they have to add this TLS configuration in the destination rule, and that surprised everybody. The second problem is today, if we go through our installation guide, we always have two tabs, one for permissive, one for strict, which is extremely confusing, and almost for a lot of our profiles we also produce one for permissive, one for strict. I think it confuses a lot of people.

J
There is another discussion about, we still have about, the readiness probe is coming back with a new filter chain. Maybe we can pass, as Lin said, maybe you can have a single profile that is, you know, by default permissive, and we keep permissive forever, and we don't switch to strict, but we put an authorization rule instead of authentication. Also, basically, if you don't want to accept plain text, you specify it.

M
But it's not actually reflected in this proposal, which is why I asked you, gentlemen, to present to the group, and also, if you look at this proposal, it introduces a new mode called auto, which I think is extremely confusing, having another mode for people to learn, another TLS setting for users to learn, so.

R
No, there are different ways in the API of enabling this thing, right. We used to have a simple global mesh config boolean that said, like, yes or no for mutual TLS and, like, you know, changed into permissive or strict, and it's just one top-level boolean toggle that, when enabled, just automatically enforces strict mode for both clients and.

G
The interpretation of destination rule today is to affect the client behavior, right; it's overridable in the client namespace, right, which means that, right, unless you mount services that you don't control, if you mount them in another namespace, you can override their behavior, their destination rule, in my namespace. Remember.

R
Once again, this means you now have to implement inheritance in the destination rule and make sure that, like, anybody that overwrites at all needs to copy the auto mode, or if they don't, then you go through some more hacks like add another PR to go fix that and try to automatically infer this thing from the root rule and all the usual stuff that comes in.

R
You take a sidecar option, like you can just simply stick this as, like, you know, a field in the Sidecar. That simply says all clients from this namespace should initiate mTLS, and that's just one single boolean flag and you're done. That's it. There is no need to refer to destination rule for mutual TLS.

R
We might need to change that. Maybe one of the things is that touching to change just this piece is a lot more compared to, like, you know, adding one scoped system called Sidecar which says I just want to initiate mTLS always for all clients. For this, the Sidecar applies to all, and.

P
To reiterate, all the endpoints during the CDS push, so that it will be very efficient and there's just a boolean field, and we can target when the endpoints all have their mTLS label, and the CDS push will just look at that field and do the thing, which will be not much different than today's time complexity or space complexity, see, still.

P
And there were, so to add that, I think there is some discussion, the data plane implementation before, but there are also concerns. If we put that into Envoy, for example, the TCP proxy use case, the connection overhead will be doubled and we need to evaluate that and maybe have some caching mechanism in Envoy. For that, there, we are basically, I'm just trying to say that the complexity, there will be some complexity, whether it's Envoy or Pilot, as this is just the one way.

R
Level thing is much lower in that, so we did the TLS sniffing thing; we actually tried to do that at the Pilot level, just to see if all the endpoints for a particular service are, like, using mTLS or not, and then try to dynamically configure. We did that TLS sniffing on Envoy for this, right, because we didn't want to do CDS for all the clients. So why can't we do the same thing on the Envoy side, for the client as well, or why do one and all? I want to say, yeah, this is a different solution.

R
Much, very simpler: they are already shipping all the endpoints with the label information to every cluster, in a particular language, so that cluster already has a bunch of filters that we can actually add, and all we have to do is, when you're about to make a connection to a particular endpoint, we have to check if that endpoint has the label mTLS-ready. If it has, then we turn on the TLS.

R
Maybe we can, when I stop talking, how do I stop talking the plain text, right, that we can enable from the control plane, where we can decide to not even configure that condition for a cluster and always say this has to use mTLS, and that's it, done, whereas the other option is. But in this one mode we can actually properly support, like, mixed-mode servers and mixed-mode clients without touching much of the configuration, and as these things can go up and down at large.

R
The tooling, I agree: we can definitely build tooling. We can definitely build heuristics, where Pilot can decide whether to set up that filter chain or not, set up the filter chain, which is a way of imposing strict or no strict and getting the additional metrics, which is what it is actually doing. It is actually collecting cluster-level telemetry by adding those additional filters, and so you will be able to collect that telemetry, which can come to Pilot or some other place, which we can aggregate and send it, so.

G
We have two runtime implementations proposed and they can be dueling banjos, that's fine. We need a solution to that. We have to decide what we want to do on the tooling side. If we want to give usability support, right, istioctl: can I turn on strict, right, and how we're gonna meet that requirement with either of those two implementations, and then there's the API thing, which is independent of all.

W
Somewhere, we have a table where the strict mode is the only way to have two mTLS, and Monday for me signals you based on the label, right, sure, so we hope that this is a bit different flow with information and so how we're concerned. So it's working okay, now when talking this and policy, is service-oriented actually.

G
Where you can be in those two states. You could also be in a state where you look at the plurality, right, if you weren't as concerned with availability, right. There's a debate to be had, probably in the design doc, about whatever you use your control over to be heuristic. Yeah, right, it's, you know, there's, in either the Sriram proposal or the jump.

A
Proposal, right, the cut-over to being all TLS, right, and then forcing TLS is triggered by some event, which is, in this case, all the endpoints being mTLS. There are some people out there who are more worried about their security posture than they are worried about their availability, and those, so they would say look at 80% of my endpoints are mTLS capable.

Z
It helps, thank you. At least within the mesh, it seems like one could have confidence that all the endpoints are mTLS and thus, but during the transition, let's say I've flipped a switch that says I want mTLS everywhere, you're gonna have maybe sidecars rolling or containers going up and down, and during that time you want to maintain availability of all applications in the mesh, and you have the intelligence to know which endpoints are mTLS-ed or not.

G
Endpoints have reached mTLS capable, right, we'll talk to all the endpoints in plain text also, in either form. Oh, interesting, right. Okay, Sriram's form is: talk to the endpoint in whatever it supports, but it still has the same net effect from an administrative point of view, as endpoints can still transition back and forth between plaintext and mTLS capable and they'll still be talked to, and.

R
That time, but I do not want to even merge that thing as an experimental thing, because the way it goes is that, like, you would merge it and then you would leave, but then somebody else would come and break that; if it fails, block, and something else will happen, and then things will just leak, and one day we end up scratching our heads, asking why the heck.

G
Do a complexity assessment; we can do that, and we can go talk to people, like, hey, what would it take to implement this feature in Envoy, and with the Envoy community on board, and if the Envoy community says no way in hell are we taking this feature, then we're done. Nobody has, the filters are gonna destroy them if we can't implement it with a filter or something else, right. So, let's.

R
Is open to it, because we actually saw, and we actually decided that this is the API that we have for the cluster level. Filters is still not complete and it'll only emerge with use cases, and this is a perfect use case for that, and today the API is pretty much like what we had for the network level, I mean the listener-level filters, but once we change that it just becomes a much nicer way of, like, and we will hold the filter.

J
Even the whole filter chain is not complete; it's very, I'll find, not clear how reliable it can be; still a final kind of problem. So let's not assume that something is on paper and we're waving the hand, it's perfect, and some say that this concrete is bad because hypothetically it will look bad, I mean, as.

A
Totally disagree with this, that the flag will be treated like mayhem, okay, so what I would like to see is a good design for this, and I would like to run a doc. You might think he is concerned about the possible deadlocks and what will happen, right, so I don't think we can go ahead with a feature that looks bad, like, from a design perspective.
