From YouTube: Istio Security Working Group Meeting 2019-01-23
Hello, yes, so now is it iris, okay, yeah! That's because we have another computer that is not guilty. Okay, that's I! I don't know why the inquest Kate, who a staff manager, enables you to read the certificates from the Kubernetes secret dynamically, and it doesn't require you to restart, doesn't require a hot restart of the ingress gateway, to be able to load more certs or delete certs, because it's delivered through SDS. Now, that's another feature.

The third feature is about integration. We have the Vault integration at the node agent level. So in that scenario you don't need to have Citadel to issue you the certificates for workload-to-workload communication. You can directly talk with Vault using your node agent, and then the node agent delivers them to the Envoy through SDS. So that's the third thing we are going to enable for release 1.1. So leave me. Do you have any update from the policy side for 1.1 new features? You can give someone.
Another update about auth: so we support allowing you to exclude some paths from the JWT authentication. A couple of users are asking for this feature because they want to whitelist some of the paths, for example the health check or status report, from the JWT authentication. And now you can put those paths in the JWT policy configuration and we will whitelist them from JWT authentication, and it's really in 1.1 right now.
So, for 1.1, the SDS support will be optional. You can still use the legacy secret volume mount, and SDS is, by default, opt out. And for the control plane components, such as Pilot, Mixer, Prometheus, those components, and Galley, they are still using the secret volume mount. They are not using SDS yet; we will also enable them to use SDS after 1.1, maybe 1.1.1, yeah, so.
Regarding the third item, so let's talk about the third item first, because this one is just a status update. So the third item is asking about the Istio CNI plugin: how far is it from production, and has it been reviewed by the Istio security group? So I checked with the Istio networking team, because this feature is mainly about Istio networking.
Sorry, so we consider it as the alpha stage, early stage, and if you want to get more information you can post it in the workgroup agenda here. You can see in last year, in November and October, they did a demo, and you can follow up, and if you have more questions you can actually ask in their working group. So far this feature is pretty orthogonal to our security. So that means, sorry.
Ok, yeah, I'll definitely follow up on that one. This particular case was like, hey, we are providing the NET_ADMIN capability to the namespace, and then any container within the namespace was able to claim the capability, and that missile, and it's a security issue. And then there was a proposal from Red Hat to something released: June, it will controller or something. Then we want to know which route the community is picking up, and then I can vote and I can ask the neighbor community to get more information. Okay.
Key, and then the information would have a location to access the key from, as well as a list of locations. So whoever gets it first, from a header, a query, or from a claim. A claim would come from a JWT token or an OAuth token that was processed before this, and then some verifier information as to what the endpoint is to contact to resolve that API key. Let's see.
That is the API key, in which case that could be pulled from there and then verified. And this is a requirement for some places that don't want to pass an API key directly on the request, but still require a verification of an API key, as opposed to including the claim information directly in the JWT token.
So, as I mentioned up here, one of the locations it can be from is a claim, and you specify the claim that it's coming from. And basically what happens is, after the OAuth processing is done, if that's required, the API key processing is done. It basically just posts a request to the endpoint that is specified. If it's a valid key, it should return a string map, basically string to string. So a claims list, like you would find in the JWT token or in a token.
The claims would then be appended to the existing claims. If there are any conflicts, it would be a simple replace of those. That could potentially be parameterized so that we could do something else other than replace, but for now it seemed like the easiest thing. And if it's not correct, you would just return an error code.
Basically, what is going to happen is, in the specific case of API management, there's going to be a specific, well-known claim that allows it to tell which APIs it has access to. There's nothing special about the API key authentication, though; that information could be passed directly in the JWT token or the OAuth information, and it really doesn't have anything specific to do with authentication or authorization, other than that those claims would be made available.
It's happy to the for different use cases. Some API management, like, uses API key, and some users use JWT token, and some users use OAuth token, so the token content. The difference is the token contents may not be visible to everybody. So it's just to adjust to different use cases. You can see it's basically an extension to our authentication policy: other than JWT, we added another type, which is called API key, yeah.
Then it makes it much easier, because we've just got a standardized API for exchanging some type of token for a token that we understand natively. And so it makes it easy then to add other implementations, whether it's API tokens or something completely different in future. Maybe it's SAML or something weird like that.
Yeah, I can see the point about using the token exchange; it kind of makes sense to me. But I also just wanted to mention there's another draft for the token introspection endpoint; it seems to suit the purpose pretty well. I know that you've allowed for configuring of arbitrary tabs on a per-implementation basis, but I don't know if the introspection spec gives you enough to return the claims that you would want from a non-JWT OAuth 2 token.
Yeah, agreed. I guess in terms of the OAuth 2 spec, you can kind of use any token format that you want, if I understand correctly. So I guess conceptually the way I'm thinking, it's like, well, an API key, is that a token? Sure, it's like some weird base64-encoded gif, a token maybe, I'm sure, and that stuff. Maybe it's okay.
Yeah, I mean, basically the way I'm thinking about this is that, like, in some ways it almost feels a little too specialized for what it does, right? Like, without that sort of pull-it-out-of-a-JWT thing, it's basically like, oh, get a value out of a header, go query some server with that header value, and then get some claims back. So it's just like, it's...
These configuration options and things like that, in, you know, a more generic and flexible way, if that's possible. But this whole, like, sort of burying it in JWT thing, and then you have, like, more claims that are coming out; like, you could imagine going very deep with it, very deeply nested, right? Like, oh, I have some JWT that gives me some claims; one of those claims is another opaque thing that gives me more claims, maybe.
It's the only one I know of; there's nothing deep. But yeah, I don't have a use case for what you're talking about, but you could imagine it. And your other point is well taken, that perhaps it shouldn't be labeled a key. Perhaps it could just be labeled some opaque token or something like that.
Why not just do the whole thing in Mixer? You have, like, one Mixer, whatever they call it, filter, that goes and resolves the claims, creates a new set of attributes which are consumed by something else. And, like, Mixer is ultimately going to be making some decision about: do I allow this request, because it's making a valid API call. Why not just do it all there?
Got a little confused there. I understand. So originally my first cut of this was actually to do it as an attribute-producing adapter and just, you know, be done with it there. But it fits very well with authentication, right, because it does exactly the same thing: it takes a token from the request and it presents a set of claims that can be used throughout the system.
I mean, it sounds like the biggest question is, you know, can we possibly shoehorn this thing into the API token API or into this token exchange, ancient OAuth? It didn't seem like it fit very well to me, but I'm perfectly willing to believe that perhaps I didn't understand those particular formats well enough.
Okay, I mean, I think it would be helpful if you could try and maybe record some of your thoughts about why it makes sense to keep them separate, either in this doc or in, like, the API token doc, or just posting on the security part of discuss. I mean, I think that my instincts are that as well, that they should be separate, but I think we wanted.