From YouTube: Istio networking WG meeting - 2018-09-13
Description
- Controlling Policy Governance With Istio Authorization
- Istio-pod-network-controller
- Upgrading the Envoy binary
A: The networking community meeting, this is the September 13 community meeting, and we have two items today on the agenda. The first item is controlling policy governance with Istio authorization, and I'm not sure if Lehman is on the line or maybe will join us later in the room. And the second item is Istio pod network controller, and I saw Rafael joining, so maybe we'll just switch the order and cover this in the beginning.
D: So Istio policies are currently expressed in the form of Kubernetes CRDs, and we currently use Kubernetes RBAC to control who can edit or view a particular Istio policy. So, for example, the authentication policy and the authorization policy all use the namespace as the scope to determine policy ownership, and so this model has the advantage that it fully utilizes what the platform provider, Kubernetes, provides: all the access control Kubernetes provides. On the other hand, it also has some limitations.
D: First, it does not apply to resources like workload or hosts, which are unrelated to namespaces; they can cross multiple namespaces or be a finer-grained object inside a namespace. And the other limitation is, it does not apply to a non-Kubernetes platform. In that case, the namespace concept does not apply.
D: Yes, so I read there was another proposal, the traffic ownership proposal, which proposed to solve this problem by creating an association between the Istio objects, like hosts or workloads, with the namespace, and so this is just another alternative we can do, and I think it provides a finer granularity here. Okay, yeah, so here are the goals: we try to provide the access control for who can edit and who can view an Istio policy at different levels.
D: Like workload level, then host level, namespace level or mesh level, and we want to have the authorization work across platforms. So basically this can work for the Kubernetes platform and the non-Kubernetes platform, and the access control should apply to all Istio policies, and we want to provide a consistent policy configuration interface for Kubernetes and Istio users.
D: So here's the definition of operator role. A role can include a list of rules. Each rule is a permission, so each rule can include the following entries: the API group, for example networking.istio.io or authentication.istio.io. So it should all end with istio.io, because we only talk about the Istio policies.
D: If this entry is not there, if resources is not specified, it's applied to all resources in the API group. And hosts: so we think also for a particular resource you can specify hosts, for example it's applied for *.example.com, and it can also be other hosts. The same host entry can also express the namespace scope, so, for example, the ns1 namespace can be expressed as *.ns1.svc.cluster.local, and it could be others.
D: And so this is an example of an operator role definition for networking admin, so the name of the role is networking admin, and so the networking admin is allowed to configure networking.istio.io, that is the networking.istio.io API group, for all the resources. Basically, I can even skip the resources entry. Mm-hmm. And just for this particular hosts, *.example.com, and.
D: This is another example, which is security admin for ns1. Actually, the same function here today is already provided by Kubernetes, because we already use namespace. So this example is using namespace, which, as you can see, you can see the host entry is *.ns1.svc.cluster.local. So this is sort of, security admin is allowed to configure security policies for this one namespace, that's what it means, right.
E: If we're gonna, so I am not totally sure that we can do that, that method, to restrict namespaces in general, and like I think we might need a namespace field specifically if that is what we're trying to do. I also kind of worry it's a little bit of an abuse of the semantics. That's not like, that's not really what host means there, right, and it just so happens that the namespace as a concept is encoded in the DNS name, but I.
D: Yes, so operator role binding is actually very similar to the current Istio service role binding, or yeah, it's also similar to the Kubernetes role binding. So it has two parts. One is the subjects, it's a list of subjects which you bind through this role, and the other part is the roleRef, which refers to the role definition; you can refer to the networking admin role, for example, yeah?
G: Given, I think, that server, right, like this is configured, or access control over configuration. So when we're talking about subjects here, we're talking about subjects who have access to change Istio's configuration, not about subjects who have access to particular services that are sort of in the mesh.
F: The problem now is not about the access control problem; it's to have this at the point of config admission. So this is not like, I mean, if this is in Kubernetes, this is the lowest level of the stack. When somebody is defining this through the k8s API, isn't it so, then we're not going to be able to catch this? It's all probably going to be coming through, like, one Galley user, always, that's it, and the same thing applies in any other CI/CD context.
F: Name is actually like a complete, I don't know, proto struct or whatever it happens to be called. The point being that this operator role will no longer have any idea of whether you're applying this role; the role is applicable for IP addresses, host addresses and so on, because these are things that are very, very specific to the networking CRDs, and, you know, if you go and take this, and I like this too.
F: If you want it to apply for Mixer stuff, then there will be a whole bunch of other things that come in, and we'll just have way too many attributes; it just becomes unusable. You'd say you just create this as a very generic template, something like a blob. Like the way we do validation today, right, so like Pilot has a validation file which has all the validation stuff. Mixer probably has something similar. So we get to write the stuff, and the semantics of that proto thing are fully enclosed within Pilot, Mixer.
F: But basically, this will also encompass the traffic ownership proposal, where we say that hosts *.foo.com cannot be modified. This is always read-only, but people can define something under *.foo.com, like, you know, they can only add additional HTTP rules or with these paths and so on, and at the same time, you know, you can also define that nobody can define something like hosts *.com. You can actually do an outright deny, which would actually allow this. It should encompass the use cases.
F: This RBAC rule that says nobody can overwrite the TLS field in a destination rule for internal hosts, and then we would be guaranteed that every destination rule the user supplies will not have the TLS field at all; you can always inherit directly from the global thing. Today the problem is that they can't do this, because inheritance is not defined, because a user can define a local destination rule over a global one, and things are just, so I, I.
F: Not have a TLS field set, which means there is no conflict in merging it with a parent rule, and that becomes an easier one, and the same thing can be applied in other scenarios, where somebody wants to define a global rewrite across all virtual services. Today we can't implement that, because inheriting a virtual service, like from *.com to *.foo.com to *.bar.com, is complicated. What happens if there are conflicts in the same field and so on?
E: Railing, but you get the idea, yeah. So like we can use field masks to achieve the same thing. That's a horrible API, but it's the same semantics, as one way to do that. So you could just, the binding itself for this rule itself could just be a list of strings or a list of field masks that target the fields of the virtual service, or you could, as suggested, do like a CRD per object.
F: As far as saying that all we need is operator role and operator role binding, and then in every CRD that we currently have in Istio, in places where that could actually be overridden, whatever it is, we'd have to add a field in every, I don't know, sub struct that says, it's like, you know, RBAC mode: disallow, deny; it's an enum that we actually have to add, so that whatever template people define here would actually be, you know, that, I don't want to stock.
E: Up all our API definitions with RBAC stuff; like, those are two independent concerns, the objects themselves and the policies over the objects. Like, if we want to do this kind of generic stuff over top, I think we can totally do that, but we can do it in a way that doesn't require us to change the actual Istio API objects. I don't.
F: Yeah, I had thought of, like, changing the API, where we actually add additional RBAC fields, which will be, like, not used when people define stuff, but they'll be only used in this template mode. But Zack is right, we can do it in other ways as well. You don't have to couple them, but decide.
A: Like there would be too much complexity for the, you know, casual user, if they have to think about, do I want RBAC or not, what is this RBAC, right? So we want to start simple and add features on top, you know, just like we had security or telemetry or RBAC, you know, fine-grained control policies, so yeah.
D: So for hosts and the IP addresses, they have the natural hierarchy, you know. Actually, entry, oh, and you already mentioned, oh yeah, who is one of the, yeah, so we need it, yeah. So basically we can use the Kubernetes RBAC to bootstrap, to create the mesh level network admin or security admin.
D: So, for example, you can create this operator role, which is called a global network admin, which applies to the whole mesh, and this should be created through Kubernetes RBAC control, the Kubernetes RBAC, and after that the global network admin can create other admins. For example, they can create the network admin for *.example.com.
D: So you can just include the hosts entry here, and so the example.com network admin can further create another operator role, which is called network admin for example finance. So it only applies to all *.finance.example.com, and so similar to IP addresses. And so the general rule is, again: one is allowed to create or edit an operator role or operator role binding only if he has the permissions, that is, only if he has all the permissions that are in the corresponding role and role binding.
D: We should exclude this from the Kubernetes RBAC policy; you don't want two access controls, because it will just be confusing and it may conflict. And also for the operator role and operator role binding, if the permission delegation is not supported or used, the operator role and operator role binding should be controlled by Kubernetes RBAC.
D: If we support permission delegation, then we should use Kubernetes RBAC for bootstrap, basically create a mesh level operator role and role binding, and after that the control should be switched to Istio authorization, so you use the operator role and role binding itself to control who can create additional roles.
D: So we want to implement this operator authorization engine inside Galley, and the input for the authorization engine will be the operator role and operator role binding, and the other is the policy objects which we also want to control, and we want to have two plugins. One is the authorization webhook, the other is the admission control webhook.
D: The reason we need two is because the admission control webhook actually does not support the read operation. So all the operations will be authorized through the authorization webhook, and the webhook will send the subject, the actor's access, the read request to the authorization engine inside Galley, and for the write requests there will be an additional admission control review request, which will contain the to-be-modified object, which is not included in the authorization webhook request.
A: So also I wanna clarify, if you think, so for this to work we need Galley, right, because obviously the plugin is in Galley. And what is the current status for RBAC in general? So let's say we have like some basic RBAC functioning, and we need to add the new operator roles and operator role bindings like the ones that you described in the document, but other than that there is already some. Is there already a beginning of that?
L: It does apply, I'm trying to understand from my user perspective. Would they be using operator role when they see, you know, the API version? Is it Istio in their config, then they would be thinking about using operator role and operator role binding to control the Istio authorization? Oh, do we, I mean, how does the user know when to use Kubernetes RBAC versus Istio authorization? I think that's not super clear.
D: So I think the guideline we should give to a user is: if the current namespace-based authorization, which is provided by Kubernetes RBAC, is enough, then they should just stay with the Kubernetes RBAC. But if it's not, if they want finer-grained, like they actually want namespace-level access control, or if they are running on a non-Kubernetes platform, they don't naturally have the namespace, or if, for example, for the networking policy, they have the hosts concept which namespace cannot restrict.
A: Okay, so I think, like I think we got a very good overview, like pretty detailed in fact, and we'll probably need to leave some time for people to evaluate the proposal, also like look at the other, the other proposal, and we'll probably make a decision as a community at some point, like.
B: That says if a pod should be injected with the admission controller. So, unfortunately, it cannot be the same annotation, because we have slightly different logic, but it's an additional annotation that works the same way. And then the second was, it's a Docker, will be added, we need to, we need to do.
B: Yeah, that's better, right. And then the third point is, we didn't have last time an explicit synchronization between the pods, the container starting in the pod, and the DaemonSet which sets up the iptables rules. So we introduced an init container that is not privileged, but it waits for the iptables rules to be set up, so right now we have full synchronization.
B: Yeah, sure, I could do that. I see what you mean. The init container could annotate the pod. The problem is, we didn't want to give any privilege to the init container, so instead, if it needs to be able to annotate the pod, it now needs a grant on the Kubernetes API. We didn't want to do that, but.
M: So I mean, obviously the init container requires no privilege. The contents of that API, right, can be evolved over time to support more complex use cases around initialization, which might be useful, all right. So really, the goal here is also to push the complexity, the network initialization, down into something that's already privileged, yeah, right, by the daemon, and then the init container waits.
M: The only thing you have to worry about is the security of it, right, can it be spoofed or not. Well, you can do TLS for that, right, simple TLS, that can be simple TLS, right. We already call like the Citadel agent on the node to do stuff, right, to get certs, and we normally have to wait for those certs to actually start the network anyway, right. So we're already doing this.
B: The way this works is, you will be, you can't constrain the user to what type of mount they can do, and they will all, you know, the least privileged action is to mount a persistent volume; usually host mounts are considered a very highly privileged type of mount, good cause. The idea is to protect the.
M: It runs on nodes that you can't, that are totally virtualized and don't necessarily have daemons that remain on them, unless you're gonna have the notionally virtual daemon, which is kind of like a thing that exists, a logical node. That's all unresolved, right, but it's an open dialog in the Kubernetes community. Azure shipped a product, right, called AKS with, I don't know, it was either, it's either infinitely scalable load or it's something else, depending on whom you look at it. But.
E: So a pilot agent in the Envoy container to do that could do binary upgrades, right. Yes, we still have that. So that seems more desirable to me. It feels like you wouldn't wanna, I mean, it depends what your security model is, I guess, right. Do you trust the daemon to the point, the new binary? It's everything on the node.
M: Right, so really, what we now have is this injection, this init container that says: hey daemon, inject Pilot with the right properties, right, into the network path for this thing, which basically subsumes the role of pilot agent, alright. But then we're assuming we fix the other problems, right, acting like there's health checking, readiness or other.
F: How do you push that container into an existing pod, and the binary you'll throw into the existing, or, and that's the bigger problem, is like you can create a special mount within the pod such that you can always, like, you know, mount a second version of Envoy, and then the daemon can actually also exec into that container.
F: By default, in all the hosted platforms, they're like, you can only have a DaemonSet that would do all of this stuff. It's like, well, I don't know, if it works, then great, but I mean an easier approach would actually need to have a mount, a read-only mount or something of that sort, from where Envoy is actually started up, such that the daemon can decide to stick in another Envoy binary in that same mount and then literally exec into every pod and hot restart that Envoy, and the two things would automatically transfer, and it's just zero downtime for a pod.
M: The only thing, and the question is, what's the security model? You can at least have a situation where, using an out-of-band handshake mechanism, the key material is only in the pod and therefore the handshake can only be granted if the pod basically allows it, but something running at the node level sees all the traffic in the clear after the handshake. So how do you.
A: All right, so let's say even if you have more Envoys running as a DaemonSet instead of running as a sidecar. To me this is still a better model than the sidecar model; like, we couldn't implement this earlier, because I think some of the constructs were missing in Envoy, right. But it's about how you control that DaemonSet pool of Envoys, right. You can apply different policies, so.
E: Is that you get to use a single tenant proxy? That's vastly simpler, and so in theory can be faster and use less resources, because you don't have to worry about hard resource isolation. You don't have to worry about all of these things. You get better cache locality. There's all the, right, like it's a large fundamental shift in the model to trying to promote, yeah.
F: They cannot, let's say, for example, share this. We have a thing, and without k8s over there, there are the plain old VMs and so on. It will be like a sidecar per binary or per VM, I guess; in the VM, sidecar per VM, but still, the way we generate configurations is treating it as a pod, and so here's a whole bunch of configuration. So if anything we do ends up changing that, then we have this duality problem that we also have to generate this Envoy.
F: Packaging becomes harder because actually, in the DaemonSet case, at least you can just spin up more containers and so on, I don't know, and in the VM thing you would have to have something else that is, like, looking at the number of services that are assigned to that VM workload and then, based on that, dynamically spin up some more Envoys, and we have to create whatever is necessary to, like, you know, lifecycle-manage the pool of Envoys and so on.
F: Of the mesh abstraction, but that's the problem with the policy. That's a concern with everything else, but not with the actual running. It's the fact that it makes a conduit; you don't mind whether it's going from someone or service to, right, and that is where the multiple service form comes. It's a more inherent concern in our, you know, the actual policy design and not with the fact that we cannot run multiple Envoys, because.
F: Anyway, so I think network namespace is also going to be an issue, because if the DaemonSet has containers, the whole thing is gonna be one network namespace, and that might actually create an issue, because, you know, this Envoy listening on the same 15000s, it's not gonna work. So we have to change that thing. Then, you know, every hard-coded port that we have, the 15000 series ports, we'd have to have multiple sets of those: 15000, 16000, 14000.
M: So coming back to the more basic part, if we have an init container that basically calls the daemon and says: hey, inject me, that at least gives us flexibility to control how the injection occurs without changing that contract, yep, which is right. If we want to support more than one of these injection models, then that seems advantageous in the long run. Yeah.
E: And well, and I think it aligns with some of the other, like, identity issuance problems and that kind of stuff; maybe it can be simplified with that kind of model. I know that's roughly what the node agent does today, right, but yeah, to Jiri's earlier point about, like, one abstraction to solve that set of startup problems, I think it would be nice.
M: It also makes it look a little less scary to people when we inject stuff; yes, right, because all they see is this, we do an injection saying like this tiny little binary, and all that does is talk to the daemon which is under ops, right. So now there's a stronger perceptual separation between the service owner and the network operator, which is probably not a bad thing.
M: We need to write a doc, because we're gonna have to get this reviewed by some other folks. I'd like to run this by some folks in the Kubernetes networking world and actually just in the Kubernetes world in general, because this reliance on a daemon is interesting, and what's gonna happen in nodes, I'd like to get some feedback on that, whether it is long-term tenable or whether there are other solutions out there to this permissioning problem.
F: But there are other mechanisms, like instead of running that thing on a VM, I mean you can just still run it as a co-located VM, and the traffic can actually be, like, you know, intercepted and routed through this VM, Open vSwitch thing, or, but if it allows that kind of stuff, so you do not have to, you have to run the VM and the injector. Well, yes, to your point, yes, you can have, and.
F: But if we can't run a container in our DaemonSet, so, well, I guess that brings a lifecycle concern to us. Then we have to make sure this thing is not down, and then we have to make sure this thing is back up, which is a bigger problem, because the nicer thing about Kubernetes is that it takes care of the whole lifecycle thing; otherwise you're getting into this really, really painful thing, this whole bunch of, like, you know, forks and execs and managing the zombie processes, and how that's a really painful thing.
F: Actually, then you start looking at, like, whether this thing has died or not. If it is, like, not dead, then you have to make sure that, you know, if that thing is actually working, something, make sure it's just not, you know, problematic, and when that dies you have to reap up, reap all the resources.
F: From the Pilot, I mean, this was part of the pilot agent thing in the beginning; it took us a while to stabilize just one Envoy, and this was from the old amalgamated days, and it took us a while to stabilize back and forth with, like, a whole bunch of retries, backoffs and add on this, and it's probably gonna get more compounded when we have multiple Envoys that are dynamically being started. Adam, I think.
M: No, let's say we're still living in a pod, right. Well, now we have this init container and it goes: hey, node, inject my Envoy. So start my Envoy and inject it into me, right. So we can do that, right. You can exec it into the cgroup, but Kubernetes won't know about it, because it's not declared. I'll.
F: Is actually in that mount, and that actually allows people to do a gradual rollout on a per-node basis, because they can actually decide that this node is gonna get this mount and then the new version of Envoy, and all the pilot agents on that node will actually start picking up the new version of Envoy when doing a hot restart of the respective Envoys, which gives that nice gradual rollout thing that we actually wanted.