►
From YouTube: Istio Security Working Group Meeting 2019-08-23
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
A
Other
there,
so
other
things
is
we
would
talk
about.
I
would
talk
about
the
change
to
seeing
in
beat
you
its
meaning
about
some
internal
refactor
about
how
to
better
support.
Repeat
you,
we
will
talk
about
the
we
were
going
to
reuse
most
of
the
work
we
had
already
down.
That
is
for
everyone,
and
we
will
also
talk
about
some
future
stuff
post
week.
You
so,
first
of
all,
it's
a
quick
overview
of.
A
So,
first
of
all,
it's
over
it's
an
overview
of
how
does
history
or
physician
Rosie
as
well
as
stays
at
impressive
work.
He
starts
from
your
user,
applying,
for
example,
you
still
a
pet
or
llamo.
It
goes
to
the
kubernetes
api
server.
Gary
will
watch
up
and
policy
in
the
obsessed
over.
It
will
also
validate
the
schematics
of
the
a
PI
server
example.
You
cannot
use
an
empty
string
in
some
of
the
fields
in
the
policy
once
very
did.
Kenny
will
push
the
event
policy
to
pilot
in
Paris.
It
does
two
things.
A
First,
it
converts
used
to
other
policy
to
internal
model,
that
is,
the
internal
data,
structuring
pirate.
Second,
an
odious
request.
It
will
convert
to
the
internal
model
to
the
our
way
back
through
duck,
confit
and
distributed
to
choose
a
corresponding
our
way.
That's
in
controlling
in
discipline
when
there
is
a
request.
It
goes
through
those.
This
is
no
filter
or
corrosion,
and
it
will
eventually
goes
through
the
up
air
filter
and
writing
in
the
upper
future.
We
would
you
the
access
control
based
on
its
I've,
ever
to
compete.
A
One
thing
to
note
is
in
issuer:
you
can
use
authenticated
identities
in
the
a
bank
policy,
for
example,
you
can
use
identity
from
dot
or
you
can
use
identity
from
two
TOS.
Those
are
supported
by
some
other
futures,
like
is
a
Java
filter
and
awesome
pewter
in
front
of
the
upper
future.
We
will
talk
more
about
this
feature,
so
the
first
new
thing
in
the
between
mutation
is
Wilbur
support.
We
were
suppose
zero
content
migration.
A
As
you
know,
the
b2
policy
is
very
different
from
the
way
one
proceed
we
imagine
it
will
take
some
time
for
our
users
and
customers
to
migrate
to
the
new
policy.
Here
is
a
short
list
about
the
major
difference
in
we
won
horsey.
We
have
three
CDs
in
which
you
will
only
have
one
CRD
in.
We
won
that
before
the
delay
by
default,
behavior
is
in
a
pond
in
explicitly
by
a
cross
for
a
bank
peak
in
which
you,
this
denied
by
default.
A
Behavior
is
only
enable
implicitly,
our
clothes,
if
you
have
authorization
policy
and
at
work
wrote
in
why
you
have
to
use
both
service
row
and
service
abiding
to
grant
permissions
to
some
identities
in
v2.
You
only
use
authorization
to
grant
permissions
to
identities.
In
other
words,
you
combine
publishing
and
entities
in
the
single
authorization
policy.
A
There
is
another
change
that
might
be
a
little
hard
for
you
so
to
migrate.
That
is
in.
We
one
will
use
service
to
specify
where
to
enable
our
Pam
policy.
For
example,
you
specify
HTTP,
being
dot
defaults,
thought
so
I
star
cluster
local
in
the
Swiss
roll
to
specific
bill
to
apply
the
policy
in
v2
we
speech
to
use
of
workload
selector,
it's
a
label
selector
on
the
pods.
A
A
A
So
the
thumb
time
everything
is
about,
we
go
with
propose
to
support
post,
we
want
policy
and
with
policy
and
at
the
same
time,
in
one
time
and
means
in
so
first,
we
are
planning
to
deliver
the
retort
in
you.
Welcome,
for
so
stunning
is
21.4.
You
can
apply
the
code,
we
want
up
and
policy
and
which
you
policy
at
the
same
time
in
your
custard,
they
will
posts
out,
effects
will
go,
merge,
merge
them
automatically
for
you,
so
you
can
so
in
terms
of
a
migration.
A
You
can
convert
you
with
142
with
you
a
prize
or
b2
policy,
make
sure
everything
is
working
as
expected,
and
then
TD
to
your
b1
policy.
During
this
process
we
will
have
the
exact
same
access,
control
on
your
service
or
precludes
so
you
don't
need
to
restart
any
of
your
workload.
You
don't
need
to
worry
about.
You
are.
There
is
no
gap
between
like
there
is
no
cap
for
any
access
control.
Listen.
A
There
are
some
cafes
here
together,
for
example,
it
might
be
a
hard
to
make
sure
that
your
redo
policy
is
working
as
expected.
Right,
especially
consider
you
I
have
complicated
with
one
policy,
and
you
have
you
cover
to
those
map
in
addition
to
its
new
of
reading
in
ceoddi,
so
we
will
also
provide
a
tool,
not
shoes,
that
these
between
Zoe
one
I,
went
to
proceed
in
the
format
of
up
and
feel
config.
This
will
help
you
to
identify
any
semantic
differences
between
your.
We
went
with
the
policy.
A
A
If
you
can
try
to
look
up
all
those
map,
in
addition,
ship
in
your
service
roles,
virtual
biding
and
there's
a
general
visa,
which
also
is
important
automatically
for
you,
but
this
is
only
this
efforts
because
there
are
some
fields
we
cannot
do
too
much.
It
depends
on
your
actual
environment,
for
example,
if
you
are
using
prefix
or
suffix
matching
in
your
service
team,
we
were
up
and
policy.
A
The
other
new
thing
here
is:
we
will
officially
start
to
support
increase
in
any
Greece
individual
policy,
so
we
have
seen
a
lot
of
customers
asking
this.
They
want
to
have
some
access
control
on
their
increased
gateway.
We
already
supported
the
chart
or
education
policy
on
increased
kid.
We,
which
is
used
by
a
lot
of
users
by
allowing
the
access
control,
is
an
authorization
policy
interests.
Kids.
We
think
it
will
make
this
more
useful.
A
So
one
cap
is
here
is
when
you
are
using
authorization
policy
on
increase
crete.
We
currently,
we
do
not
subparts
authorized
based
on
to
TLS
identities,
because
the
authentication
policy
tunnel
supports
beauty
as
an
English
schedule
for
now,
but
you
can
still
use
identities
from
your
token
and
you
can
also,
if
you
can
even
just
use
those
source
IP
if
you
want,
if
you
just
want
to.
B
A
B
B
A
A
B
A
A
That's
the
two
major
new
things,
things
of
b2
in
finishing,
we
will
also
do
some
major
refactor
that
will
change
our.
We
won't
be
fishing,
so
the
biggest
changes
we
will
reflect
to
use
an
internal
model
in
Paris
previously
before
we
convert
the
source
row
so
binding
directly
to
our.
We
are
painful
to
compete
and-
and
there
is
low
and
the
intermediate
data
structure
here-
and
this
is
causing
a
cup
of
forums
here,
for
example-
and
it
makes
it
hard
to
support
to
horses
and
a
saint.
A
Even
we
can
reuse
out
of
code
here.
It's
still
has
to
repeat
a
lot
of
logic
here,
which
is
pretty
bad,
and
it
could
introduce
a
lot
of
inconsistencies
here.
So,
the
after
refactor
we
will
introduce
an
internal
model
impedance.
That
is
an
abstract
data
structure
and
we
convert
the
user-facing
service
row
service,
providing
to
this
internal
data
structure.
And
then
we
convert
this
internal
data
structure
to
our
where
you
feel
complete.
So
basically,
we
divide
it
into
two
steps.
A
So
new
or
anything
redo
per
seat
can
be
just
converted,
the
tubes
or
into
the
model,
and
the
second
part
can
be
shared
by
posts.
We
were
in
with
you
in
such
a
way.
We
can
make.
Sure
we
were
generate
is
a
consistent,
I
will
feel
config
and
we
could
use
most
of
the
unit
tests.
That
is
already
in
our
code
base,
quick.
C
Question
on
this,
for
for
our
blade,
which
we
will
have
the
requirement
to
convert
from
syrup
forest
forest
from
the
old
API
to
the
new
API
with
some
tool.
Is
it
still
the
case
well
and
if
we,
if
such
tool
exists
or
such
a
library
exists,
that
converts
from
old
library
to
new
library?
Can
we
just
use
it
internally?
I
mean,
as
a
library
inside
pilot,
to
convert
from
the
old
rules
to
the
new
new
spec
or
to
the
code
base
using
the
new
API?
Basically,
so.
A
A
A
C
A
Slide,
yes,
that's!
Yes,
that's
exactly
what
we
are,
how
we
are
designing
this
model.
If
you
look
at
this
model
in
this
table
it
it's
very
simple:
it
is
almost
1/2
backing
to
the
olive
oil
up
and
filter
campaign.
It
has
a
distal
permission.
It
has
a
distal
principle,
so
we
think
surely
to
make
it
very
close
to
the
arm
way
up.
Africa
peak,
you
mix
our
conversion
much
more
easier.
C
Could
you
document
the
gaps?
I
mean
why
it
cannot
be
the
same
and
what
is
different
from
because
it's
a
bit
difficult
to
do,
diff
between
your
model
and
and
every
model,
and
maybe
maybe
you
can
embed
proto
employ
proto.
So
we
again
we
have
to
avoid
translations
and
in
fact
we
have
a
lot,
a
lot
of
problems
with
memory
allocations
and
all
those
things
that
we
hate
a
proto.
It
create
another
protocol
by
end
and
it's
using
a
lot
of
garbage
collection
and
limiting
or
scalability.
That's.
Why
I'm
concerned
about
this?
A
We
can
we
can.
We
can
talk
him
into
this.
One
thing
I'm
a
mind.
I
can
answer
you
for
now
is
the
Envoy
other
filter
config.
It
involves
a
lot
of
data
structure.
That
is
only
that
is
specific
to
only
here.
We
are
trying
to
use
those
basic
extreme
and
instructs
those
panels
in
Konya
should
represent
this
do
to
help
to
help
it
has
a
similar
layout,
but
in
terms
of
the
detail
and
type
of
each
field,
we
tend
to
use
lady
wining
eesti.
Oh
it
just
fits
you
yeah.
C
But
my
point
is:
that
is
why
we
have
scalability
problem,
because
you
have
closed
structures
that
are
need
to
could
be
copied
and
you
know
obstructs
anything
that
can
use
the
cached
proto
certain
way
is
using
is
going
to
be
far
more
efficient
and
scale
much
better
than
creating
intermediate
representations
and
copying
from
proto
a
to
proto
B
to
profit
from
proto
a
to
structure
to
protect
that
that's
again
important
for
scalability.
Yes,.
D
A
C
A
real
situation
when
we
you
know
nya
P,
is
the
one
we
want
to
support
and
those
things
yeah.
C
C
C
D
C
Yes,
there
is
an
effort
to
clean
up
and
refactor
pilot
itself
and
and
to
move
some
of
those
translations
to
different
layers,
and
those
would
benefit
a
lot
by
not
putting
it
is
model,
because
the
model
is
the
one
that
is.
We
have
a
lot
of
problems
with
the
current
pilot
model,
which
is
out
of
sync.
It
was
created
two
years
ago
and
it's
out
of
sync
with
the
parent
api's
and
we
are
trying
to
move
stuff.
C
E
C
E
Intermediate
representation
will
help,
however
API
is
we
have
the
support
initiative
to
support
multiple
representation,
which
is
what
Youngman
was
saying.
So
if
you
go
from
v1
beta
or
v2
beta,
2,
V
3,
something,
then
the
intermediate
representation
helps
as
far
as
I
understand
yeah,
but
you
can
solve
that
by
tooling
also
by
making
sure
that
the
newer
objects
always
translated
to
the
older
ones.
Many.
D
C
C
A
So
actually,
it
simplifies
our
unity,
so
here
so,
while
the
reason
is,
it
makes
us
easier
to
to
do
those
unit
tests
because
we
can
separate
or
to
just
fishing
and
whatever
separately,
tasting
this.
Those
two
steps
well
anyway,
I
think
this.
You
Bob
some
imitation
tea.
We
may
talk
about
these
things
up
here
or
in
offline,
so
the
also
change
the
singing
with
you
is
so
in
we
one.
We
have
this
permissive
mode
in
up
and
proceed,
allows
you
to
test
your
policy
without
really
enforcing
it.
A
C
C
A
Yeah
so
anyway,
this
is
not
a
proposal
for
using
anything.
It's
just
an
example.
The
goal
is
it's
better
for
us
to
decouple
this
premium
or
the
filter
from
the
policy
itself.
In
one
policy,
it
is
a
single
field
in
either
service
role,
and
you
have
to
set
it
to
do
some
primitive
curing,
Evo's
I'll
feature,
but
this
thing
might
be
better
to
put
something
put
somewhere
out
of
the
force
itself
so
because
it
is
not
related
to
what
you
are
having
your
policy.
It's
just
control,
whether
or
not
you
have
a
field.
C
C
Place,
you
know
the
general
general
approaches
for
installer
and
for
our
Gradius
and
for
you
know,
graceful
are
great
and
actually
for
for
a
SDS
as
well
is
for
one
rotates,
the
poles
or
many
spaces,
and
then
you
know
to
including
that
when,
when
permissive
mode
it
will
be
implemented
will
still
be
alpha
feature
and
will
it
be
off
by
default
and
users
who
need
to
opt
in
because
again,
we
don't
launch
alpha
features
enable
by
default.
So
normal
is
the
process
used
for
all
the
other
features.
It's
a
notations
or
support
yeah.
C
E
D
So,
basically,
when
you
add
a
new
authorization
policy,
you
may
want
to
test
it
out.
First
make
sure
it's
working,
it's
not
of
it's
one
to
Microsoft
your
production
traffic,
then,
after
that,
after
you
look
at
the
log
to
make
a
machine
works.
Fine,
then
you
can
remove
the
permissive
tag
and
the
make
is
the
real
policy
does.
E
A
C
D
Won
we
have
the
optic
config
that
will,
if
you
set
up
a
configure
like
enable
a
particular
namespace,
then
once
your
set
is
come
favored,
all
the
traffic
to
a
lesson
in
space
will
be
denied.
So
we
we
think
this
may
prevent
users
who
adopt
a
banner
because
it
may
interrupt
her
existing
traffic
color.
So.
E
C
E
C
F
C
E
D
C
A
We
can
have
further
design
so
country.
We
will
remove
it
in
with
you,
so
that's
so
next
I
will
talk
about
something
we
arrived
reviews
from
the
women
team
teaching.
The
biggest
thing
is:
how
do
we
support
the
also
indicated?
Indeed
it
is
the
other
thing
is
they
are
already
implemented
in
the
way
one
up,
M
policy.
A
So
basically
you
can
use
identities
for
mutual
TOS
or
from
shots
in
your
authorization
policy.
For
example
this
example:
it
uses
this
sleep
service
account
and
it
uses
this.
The
Christos
claims
issued
by
Google
the
first
one
is
extracted
from
the
Pierrot
certificate.
The
SCADA
mind
is
extracted
from
that.
Your
token,
on
the
request,
how
do
we
support
is?
We
will
insert
two
different
filters
in
front
of
a
pair
filter
in
runtime.
The
short
filter
will
Veritate,
search
or
token
and
write
claims
to
the
transmitted
italian.
A
A
If
you
sit
an
awesome,
kissing
policy
to
use,
use
or
raking
is
about
general
retailer
trippin
based
on
the
output
of
the
table
filter,
although
the
things
they
are
studying
this
dynamic
mediator,
for
example,
it
has
a
key
and
it
has
a
venue.
An
upper
pewter
will
just
greet
those
key
and
values
and
and
compare
it
against
or
against.
The
policies
receives.
That's
how
we
support
those
authenticates
entities
in
sto
and
in
alloy.
A
A
A
We
can
just
use
it
as
is
so
post,
video
and
and-
and
this
is
also
something
where
country
doing
is
we
are.
We
are
enhancing
the
up
air
filter
to
be
more
powerful
and
flexible.
The
long-term
goal
is,
we
want
to
evolve
the
upper
future
to
be
the
generic
access
control
filtering
our
way,
so
that,
if
you
want
to
do
local
or
traditional
way,
you
can
use
this
generator
access
control
pewter.
If
you
want
to
do,
for
example,
extra
oxidation
there,
another
extra
authorization
filtering
our
way.
So
basically
you
you
can.
A
You
can
choose
based
on
what
you
want,
and
for
this
you
defer
access
control.
The
most
important
change
here
we
are
proposing
is
to
end
the
cell.
Expression
supports,
choose
a
way
up,
a
filter
that
allows
you
to
use
expressions
in
the
arm-in-arm
boy
up
and
few
token
fee.
If
you
are
not
familiar
with
the
expression,
it
is
basically
expressionist
pause,
logical
and
lists
and
strikes
and
math,
and
it
returns
true
or
false
after
evaluation.
E
G
A
So
for
your
first
question,
the
Search
Widget
County
is
only
a
leading
the
a
pack
on
web
filter.
We
are
still
considering
how
to
support
it
in
the
user
facing
east
EO
api.
If
we
later
decided
to
support
a
so
expression,
it
will
it'll
just
be
a
user
facing
API
underlying
the
fastest
way
and
as
a
maybe
the
easiest
way
to
supports
to
implementing
it
is
to
integrate
with
the
same
evaluator
in
our
way,
which
is
what
we
are
doing
for
now
is
a
long
term
is
possible.
A
C
C
C
Are
working
I,
don't
know
if
this
port
service
they
are
working
to
support
XDS,
that's
the
first
station.
They
have
a
lot
of
problems
because
again
we
generate
a
lot
of
config
to
some
custom
filters
and
to
some
kind
of
complicated
or
non
avoid
standard,
because
they
also
want
to
support
any
xDSL
for
not
only
easier.
So
you.
D
Say,
sir,
is
too
complicated,
so
the
plan
is
the
country
we
are
going
with
the
authors.
You
me
to
write,
so
we
have
just
to
be
aware
of
the
condition
it's
optional
for
you,
so
if
they
want,
if
they
think
that
the
current
authorization
policy
cannot
express
the
semantics
they
want
to
express,
they
can
use
cell
because
the
cell
provides
more
advanced,
efficient,
icon,
recursive
and
then
order
and
other
things.
E
Totally
totally
I
understand
women.
The
only
concern
for
me
always
with
these
new
languages.
It
is
more
or
less
a
DSL
which
I
don't
know
if
it
is
during
a
turing-complete
or
not,
is
how
do
you
validate
beforehand
that
it
is
going
to
work,
or
how
do
you
validate
that?
You
are
not
going
to
hose
your
envoy
to
talk
data
data
playing
there,
because
I
have
some
experience
doing
this
in
other
proxies
by
injecting
programming
and.
C
E
F
Ok,
so
this
is
I
think
this
is
secure.
You
have
a
guarantee
if
you
terminate
license,
you
cannot
have
loops
or
anything
like
that,
the
real
problem
we
have
here
that
you
have
to
evaluate
rules
in
order
right.
If
you
have
a
bunch
of
rules
like
that,
you
know
we
rule
matches,
you
have
to
evaluate
them.
So
you
have
a
linear
cost
problem.
Now.
D
So
another
biggest
hurdle
for
us
to
adopt
a
cell
is
on
the
performance
side.
Actually
so
sale
currently
is
not
performed
like
the
performance
is
not
comparable
with
the
current
native
my
future.
So
we
just
consider
this
as
a
complementary.
If,
if
the
current
authorization
policy
cannot
satisfy
users
requirements-
and
they
do
have
some
means
to
use
expression,
then
we
can
provide
this
option
in.
C
A
D
C
Is
that
even
worse,
because
the
biggest
problem
we
have
it
with
your
cross,
every
seeing
is
complexity
and
too
many
features
that
user
cannot
test,
cannot
understand
and
it's
a
valid
or
other
requirement
to
store
to
have.
You
know
to
minimize
the
feature
set
to
some
things
that
we
support
very
well,
and
we
have
support
for
testing
it
to
roll
out
in
production
and
not
extend
it
because
we
already
have
too
much
complexity.
So
this.
A
C
E
Going
to
say
there
is
a
difference,
though,
if
you
have
a
central
policy
enforcement
engine,
you
can.
You
can
kind
of
think
about
different
scalability
and
performance
requirements
there
compared
to
when
you
are
enforcing
it,
and
your
data
plane
where
your
data
plane
can
be
completely
hosed
by
an
invalid
expression.
A
E
When
you
are
using
mixer
based
policy
enforcement,
you
are
shipping
your
policy
matching
and
evaluation
to
a
different
entity
right.
That
entity
can
ideally
have
a
different
scaling
and
performance
requirements
compared
to
when
you
do
that
in
your
data
plane,
which
is
what
being
proposed
now
right,
but.
C
D
A
C
A
So
the
other
remaining
scene
is
about
testing
and
documentation.
We
will
end
new
entrant
is
to
cover
the
with
you
flow,
as
well
as
a
migration
scenery
for
documentation,
all
those
existing
pages,
the
DTD
to
be
updated,
and
we
will
also
add
new
pages
for
how
to
operate
your.
We
run
procedure
with
policy.
So
that's
all
about
this
design,
please
feel
free
to
comment
if
you
have
any
feedback
or
concerns.
Thank
you
very
much
name
you.
H
Hey
great
hi
everyone,
my
name
is
Jordan
I
work
for
do
security
now
Francisco
and
my
coworker
Jimmy's
on
the
call
as
well
so
I'll
be
the
first
to
say
that
I
am
not
as
in-depth
with
this.
You
know
internals,
as
all
of
you
so
I
appreciate
your
patience.
Kind
of
ever
walk
through
our
use
case.
What
we're
going
for
and
really
what
we're
looking
for
is
to
try
to
figure
out
the
best
way
that
we
can
contribute
towards
making.
H
This
idea
happen,
and
it
is
really
simple:
it's
it's
that
right
now
is
do
support
shots
via
either
a
header
or
a
URL
parameter.
I
believe
and
our
goal
is
to
add
cookie
support
as
well.
I
saw
that
there
was
an
existing
issue
where
someone
had
mentioned
a
similar
goal,
and
there
was
a
proposed
workaround
right
now
to
create
an
envoy
filter.
They
could
kind
of
do
this
translation
for
you.
H
You
know
moving
what
was
in
a
cookie
into
a
header,
so
that
is
tio
could
process
it,
but
we
would
love
to
contribute
work
towards
adding
support
via
cookies,
as
well
as
digging
through
the
codebase
I
have
a
general
game
plan
for
how
I
think
it
would
work
building
on.
What's
already
there,
I
did
see.
Someone
just
now
comment
on
the
github
issue
that
there's
an
open
effort
towards
getting
open,
ID
yeah.
H
Right,
so
ours
is
a
just
very
channel
I,
give
it
supporting
jobs
and
a
cookie
the
same
way
that
they're
supported
as
a
header
and
a
URL
parameter
now.
So
to
that
end,
if
we
think
that
I
said,
we
think
this
is
very
useful
for
single
sign-on
kind
of
cases,
but
if
that
would
be
some
things
that
you
know
would
be
in
support
of.
We
are
very
happy
to
take
on
the
effort
to
make
that
happen
since.
D
D
Yeah
since
Jordan
for
offering
to
our
help
on
this,
providing
this
feature,
yeah
I
think
it
will
be
a
very
useful
feature.
As
you
can
see,
a
lot
of
people
comment
on
this
issue.
I
think.
Maybe
the
next
step
is.
Can
you
put
on
some
design
talk
like
you,
don't
have
to
be
very
long,
it's
just
a
basic
stress
how
you're
going
to
do
it
and
the
less
people
review
it.
This
was
pretty
yummy.
D
H
Was
like
a
plan
I'll
take
what
we
have
internally,
which
kind
of
describes:
here's
where
I
think
the
code
would
go.
Here's
the
changes
that
I
think
we
copy
that
and
elicit
comments.
That
would
be
the
best
way
to
communicate
out
to
this
working
group
feed
through
and
I.
Assuming
there
was
a
mailing
list
right
that
I
could
just
post
a
note
thing
this
document:
it's
live
it
lives
here,
would
love
some
feedback,
or
would
it
just
be
coming
to
the
next
session?
You
can.
D
A
Okay,
so
you
just
click
update
when
you
are
writing
your
design
talk.
So
the
first
thing
is
I'm,
not
sure.
If
you
already
noticed
we
as
freaking
to
use
the
Envoy
each
one
filtering
is
doing
one
for
each
tree.
So
previously
we
have.
Our
Owen
is
cute
short
filter
in
proxy.
Later
we
upstream
disaster
filter
to
only
with
a
lot
of
changes,
of
course,
and
we
have
in
speech
to
use
on
which
or
filter
for
for
done
time.
In
one
point,
Street
will
finally
finish
this
thing.
A
So
if
you
are
aiming
something
changing
post
one
point
three,
you
should
take
a
look
at
the
ala,
each
or
filter,
not
so
that
nice
touch
or
future,
because
the
Eastern
filter
will
keep
it
for
back
/
backward
compatibility
for
some
time,
but
it
will
be
removed
later.
Eventually,
that's
the
first
thing.
A
A
H
Whatever
you
say
using
the
Envoy
filter,
one
thing
that
was
a
bit
confusing
just
jumping
into
the
code
base
first
was
that
it
appears
that
the
ischial
proxy
was
kind
of
a
fork
plus
plus
of
envoy,
and
so
to
that
end,
do
you
anticipate
a
lot
of
the
codes?
Were
writing
going
upstream
to
undo
itself,
or
would
this
be
to
the
issue
of
proxy
I?
Imagine.
A
Most
of
the
code
will
go
to
the
way,
not
so
that
you
still
Palafox
to
proceed.
Ok,.
E
A
D
D
D
There
is
another
another
session
manager
which
will
encrypt
the
token
before
it's
then
sent
out
to
the
browser
and
when
the
browser
sent
back
the
cookie
at
the
token,
which
is
in
the
cookie,
it
will
decrypt
the
token
and
then
forward
for
the
charge
filter
to
the
authentication.
So
that's
young.
So
this
is
still
Attilan
talking
yeah.
H
It
definitely
seems
like
there's
a
lot
of
parallels
with
what
we're
going
from
our
use
cases,
whatever
consider,
probably
simpler
and
just
in
terms
of
building.
What's
already
there,
just
looking
kind
of
into
place,
I
really
be
interested
to
also
be
involved
with
this
effort.
In
some
capacity,
you
know
who
the
best
people
would
be,
but.
D
I
don't
know
if
so
this
talk
was
written
by
Nick
Smith
and
the
Peter
Peter
turn
and
the
other
folks
from
Cloud
Foundry,
so
basically,
I
am
in
touch
with
them
too.
So
I
am
aware
of
this
effort,
but
mostly
searchable
by
Nick
Smith
and
Oh
Peter
Chan
from
cross
country.
I,
don't
know
if
he
is
online
is
also
in
the
working
group
discussion
yeah.
D
There
is
some
change
to
this
architecture
later
because
we
want
to
also
so
the
the
main
changes
that
we
want
to
move
this
out
is
or
stuff
for
a
separate
or
service,
and
the
use
external
us
filter
to
communicate
with
that
or
service
and
all
the
logic
will
be
inside
also
is
itself
this
proposal.
Everything
is
inside
and
going
I
see.
H
Okay,
that
sound
like
in
general,
it
would
be
good
to
just
be
in
contact
with
them,
because
it
sounds
like
we're
working,
a
similar
to
user
authenticates,
so
I
hope
to
reach
out
to
them.
I'll
see
if
I
can
figure
out
some
contact
information,
either
through
the
dock
or
I'll
reach
out
to
some
of
the
meat,
but
also.
E
D
Know,
what's
the
proxy
you're
talking
about?
Basically
what
it
does
is.
It
is
starting
our
course
boss
from
yes,
it's
going
to
yes
and
send
a
authorize
encoder
to
the
get
also
I,
think
all
the
frontal
or
thirteen
server
you
can
deploy
off
the
engine
server
and
doing
all
the
redirect
the
boss
problem.
When.
H
First,
looking
at
this
document,
it
did
seem
very
similar
to
way
to
describe
them
just
kind
of
taking
care
of
that
use
case
that
that
come
in
use
case
of
people
putting
it
off
to
proxy
in
front
of
this.
You
know
as
a
handle
that
initial
authentication
and
then
passing
back,
authenticated
request.
So
that's
what
it
seems
like
to
me:
okay,
exactly.
D
I
I
It
was,
of
course,
obviously
it's
specifically
right
the
container
ports
in
there,
but
then
this
one
is
to
see
if
we
could
actually
enable
those
annotations
for
that
one
specific
animation
that
I've
mentioned
earlier,
which
is
the
included
bound
ports-
and
it
looks
like
in
the
1.2
relief
snow
because
mentioned
that
this
would
be.
There-
are
plans
in
the
future
to
enable
this
one
by
default.
So
so
I
just
added
this
one
in
there
to
see
whether
there
was
any
objection
to
doing
this
one.
A
A
C
D
C
That's
a
bit
more
complicated
because
I,
don't
kind
of
backward
compatibility
and
upgrade
questions,
and
we
are
working
on
doing
something
like
that
for
1.3
and
1.4.
So
there
is
a
feature
to
enable
all
ports
by
default
by
using
card
filter
and
all
kind
of
other
changes,
but
it's
a
pretty
risky
change
right
now
and
because
we
had
some
security
problems
with
with
this
approach,
when
we
included
all
ports,
this.
C
Yes,
the
problem
is
that
the
reason
we
we
have
what
we
have
is
we
had
some
security
bugs
with
using
the
sidecars
as
a
way
to
you
know,
there
are
some
security
bugs
that
were
reported
and,
and
we
have
to
fix
it
this
way
and
we
are
trying
to
have
all
ports
enable
intercepted
by
default.
But
there
are
all
kind
of
testing
and
security.
Constants
I
mean
our
bug.
I
I
I
C
And
and
it's
not
difficult
to
add
an
option
at
table.
Well,
it's
not
difficult
for
a
user
to
create
an
installer
which
modifies
the
installer
to
do
that.
Epi
wise.
It's
a
bit
more
complicated
because
we
need
to
have.
We
are
starting
to
review
all
all
install
options
as
property
is,
and
there
is
a
lot
of
discussion
about
what
should
be
exposed
and
what
should
not
be,
but,
as
an
experimental
feature
is
not
a
problem.
We.
I
I
Sounds
good
if
I
find
out
one
I
mean
if
you
could
put
a
link
over
here
would
be.
C
Wonderful,
if
you
can
help
test
this
feature,
because
that's
what
we
are
blocked
right
now,
I
mean:
where
is
a
proposal
to
enable
this
in
one
two
or
three,
because
implementation
is
quite
complete,
but
I
are
having
I
mean
it's
it's
a
difficult
feature
to
test
properly
and
to
review,
because
security
implications
that
we
need
to
be
very
careful.
It
absolutely.