From YouTube: Istio Security Working Group Meeting 2019-08-07
Yes, so I had created this issue based on one of our customers' feedback, and I only wanted to get feedback from the community if this seems reasonable to implement and, if so, if someone, if anyone had any concerns about rating. So it's a simple case where Galley is right now rejecting policies if you have multiple JWT sections with the same issuer, and if you... the issue points, the relevant coordinator also has the example that we are trying to use. Basically, so you can scroll down.

It will overlap. He passes it with overlapping audience; totally agree that should be a Galley validation and rejection. Yeah, I'm wondering if Lewis thinks more about what that evaluation should be. I think that's fair, yeah, because we are introducing more finesse... Vidya, now it might be a good time to think about that.

Not independent of any authorization and authentication; authentication and authorization are meaningless in reality. What we are doing here, you are performing authorization, you are taking over some part of our party and our duplicate in your authentication. They are copied: if one verifies the signature is good and the token is valid, the other one verifies if it's allowed.

The... in order to access this path, you need to present a JWT with this specific issuer and audience, but doesn't mean I have to, so. For example, my application just will require this JWT. I don't have to define additional. You know, a backer repeatedly the same, right, because if I repeat it as the end user, neither define it twice. What.

Issue than... than authorization, I mean these... these things kind of blur together, right, and audience is one that is kind of in this gray area, but I think, you know, people kind of logically think about JWTs. The audience is about... it is more of an authentication issue, like, because they were supposed to be used to prevent replay, basically to delimit the replay, not to be some decision that you're making about, like, access to a resource. It's like I want to make sure I use a token.

I think there is a very simple way to know if something is authorization or authentication: if the question is, is it true or false, I mean, is it by Don about it? That's authentication. If it's allowed or not allowed, that's authorization. In this case you're saying 'sir reviews' can only be... it's only allowed if you have some parameters, like audience, review audience. It is part of allowing or not allowing; that's authorization. No people.

Okay, you can definitely put in the, like... I was way to today in the authentication policy and, alternatively, this relationship can be moved for authorization policy. It's just: how do we simplify the policies? So we can either... either the, like, 'and' and 'or', a lot of logic in the authentication policy makers, including policy, like, perform somewhat similar to authorization policy. However, we would prefer not to bullet. We want to keep the authentication policy simple, don't introduce a lot of complicated logic and then 'or' a 'gift when not only if'.

So I mean this is holding one of our customers; it's an issue for them and we have to jump around hoops, so limbing. If you can help me at least write some RBAC policies that you are saying will work, at least that piece moves forward, and then we can debate on the issue if you want to do a short-term fix or just do a long-term fix of having... of removing trigger rules. I'm fine with that, yeah.

I know the talk, I, I just... it's the... the meeting is not... only all the meeting, not of the meetings, not on your calendar. Sorry.

Yeah, hi everyone, so I'm trying to present this new authorization policy today. So we already had the current authorization policy for quite a while, and after that we have received a lot of user feedback and we have done a user survey, and we had many discussions whether this is a good model, how do we simplify the policy. So for this new design, our design... these are our top-level goals. We try to align with the new Istio config model.

Basically the authorization policy is part of Istio config, so we want to align with the rest of Istio config, and then we want to simplify the policy by introducing a fewer number of CRDs, and we want to make the policy... improve the policy clarity and provide a better user experience, and also another... the article is, we want to allow this policy to be applied to ingress and egress gateway, and also these are the detailed design.

So first we are going to introduce a new CRD object, it's an Istio... a CRD called AuthorizationPolicy. Inside an authorization policy we define a list of authorization rules that are applied for a target, so authorization policy has the following sections: the first one is a selector section, so the selector is basically a workload selector. Selector is sort of... the reason we introduced this selector is to align with all the other Istio config.

Give you some background from networking perspective. I mean we... we have a number of changes that require that we will be able to select it. Zero care for corner cases is related with the host mapping to a workload, so anything that is applied server-side and the Sidecar API benefits from being able to use label selector or not, depending on the service-to-IP mapping.

This is not... not clients, and so everything that is... results in a cluster remains with host. Probably okay, but every single advancing listener probably needs to move to... to work. Otherwise we skip hitting the problems of corner cases where we don't know if an IP, because we use IP as a primary key, each one kind of for synchronization problems, yeah.

We may also introduce the other rules like deny or audit, but currently it's only allow. Yes, so, unless... yes, so on the label selector plus the namespace field in metadata, or defines the scope. If the... if the namespace is set to... a root namespace, in which case the root namespace... the default value of root namespace is istio-config and it's configurable for other values as well. If the namespace is set to root namespace, the policy basically applies to all the namespaces in the mesh. It basically becomes our mesh policy.

But in general it's not tied to labels; it's for default values. Main issue with cross-namespace label selection is that it's very hard to enforce. We had the same problem with gateway, so the original gateway. It has the same problem where you define the gateway by labels, but the labels could change.

Someone could update workloads with particular labels that would automatically get the policy, so I think we should... need to discuss how these behaviors is... your perfect namespace, because you don't want to put a whole... certain, and then break some type of the protection, global settings that, but it's orthogonal, means exam. Something that is discussed is the config working group, how to apply config.

Yes, so, so, basically, yeah. So in this example you see the authorization policy, which is in ns1 namespace, and we have the selector app. So basically, the selector plus namespace defines the target where the policy applies. It applies for the workloads with label app inside the namespace ns1. If selector is... that are missing, if we don't have the selector, the policy applies for all workloads in the namespace, and it can apply to all workloads in a mesh if the namespace is the root namespace.

Good question, so currently we only support allow rules, so basically when... basically the policy will not conflict. You... you just, after you add another policy, you basically give more permissions. Yes, policy, basically they are additive, so basically yeah.

This, you know, this question, so basically this is for Istio authorization policy. For authentication policy we will go into... introduce an order, so when there is a conflict, the conflict will be resolved as rules are... definitely that fee. Basically, there will be a defined order, so the first one in the order will be applied, so that one will have... yeah. That's a...

User making a request to ingress with a JWT token, and ingress is forwarding to the service. The service verifies that the ingress is the one that is forwarding the request, so not that we trying... people who make... is a JWT is any... that I would really think we should have already. If we should not be clear in the names what it is, because I don't know if people not coming... are its security and principal for this is.

The rationale behind this: have an origin and a peer, so peer is basically transport layer, it can be mTLS or can be JWT. The origin can only be JWT because the origin is, like, basically the client. The client is in the drop and forward other, like here too, which is our back-end. That's the reason they have distinguished... distinguish this two, like a concept, so which one, yes.

So, ideally, that should be an 'all' instead of 'both', because as far as I know, very few people are doing mTLS plus JWT, both verification at the sidecar. So normally you will do JWT validation at ingress, and then you only need mTLS principal validation at services which the ingress reaches out to. This.

To the previous, to the principal and request principal: if you are now key-value pairs matching, shouldn't you use the same mechanism? I mean, define what kind of credentials are accepted, like JWT; explicitly define what... what it's about. Maybe some request is allowed if you get mTLS only, some request is allowed only authenticated... maybe our other mechanism identification we don't know about. That user may choose to transfer some URLs and not for other URLs, so wouldn't it be cleaner for users to know exactly what they accept?

Is valid because we told policy you can make things optional and you may want to say something like you can check the health path even if you're not authenticated, but other paths require authentication. So I guess right now we're saying you'd have to check that in the... in the... when, because, like, we have those attributes that get set when authentication succeeds, give.

An example, let's say: I have a service and I want /employees to require a... yeah, a Karos token, because, let's think they're not policing inside. I want /public to require a token and then I want some services URL to use mTLS, because mTLS is the most secure. Can you express, I mean, can you express the fact that a particular URL is only authorized with... yeah, yeah.

Yeah, so basically, yeah, actually I... I want to talk about it next, so for every field we currently support exact match, prefix match and suffix match. We also want to introduce the presence match. So in the use case you just mentioned, we can say for this path the source principal has to exist, okay, requests... or such principal, so.

Just have one feedback for the ports, so there's a lot of confusion in Istio overall when the ports are service and when the ports are workload, because as far as I know, this is the only case we'll be using workload ports. Is there a way to make it more specific and not just call it port, and... and.

I mean the only thing we can reasonably do today is the workload port. We need to name it workload port so that people know that's what they're getting. But if... if it's a requirement to match on service port, then we've got to kind of go back to the drawing board and figure out a way to securely, like, capture that information. I just...

I don't know what word is even implementable, and the service would be a challenge to implement as well. I want to mention that digital services, for example, don't have port, and the port may be a UDS socket in networking, maybe other things that we don't know. The workload is not required even to have a TCP port to accept the connection; we support UDS-based. For me, no.

So important agenda is, the question is: do we require workload ports to be consistent across... when the cluster mesh? So if you have a service, all workloads... nipple is no safe port. That's already not supported by sidecar... white box. It. Yes, the... not API, you can have workloads as the same service, but going to different ports. Maybe it's okay! Maybe it's the policy is applied in each cluster separately. Maybe yes, that's.

If that happens, we... we may replace the key-value pairs with a cell. Okay, so I have talked about the presence match and the increase... enablement, actually yeah, actually I already mentioned it a little bit. So previously we have to explicitly enable the authorization feature using a CRD called ClusterRbacConfig or other config. Now we want to make it implicit. So, basically, if you don't have a policy applied to a workload, the accesses are always allowed.

We don't affect it, but if you have an authorization policy that applies to that workload, then access to that workload is denied by default, unless there is the explicit rule that allows it. So this is the same behavior as how Kubernetes network policy works today. I think this behavior is nice, because it doesn't need the explicit CRD to enable it, and it basically allows the existing application to adopt this feature easily, and.

Yeah, so, you know, if you want the default deny... deny-all policy, you can just define an authorization policy with the empty rule, basically, and you can apply this policy on ingress and egress gateway. This is pretty easy; you... you basically simply apply this authorization policy using the selector of the ingress gateway and in the istio-system namespace, or.

No, thank you for, probably, all those examples. One thing that will be super useful both for us and for all the users who are going to use this API is to include an example of similar network policy from Kubernetes, how it looks like, and also maybe some examples from some mainstream servers that have similar, nginx, Apache, separate or whatever. You mean take away some of the example you gave there with... with one of the rules, and this is.

Corresponding will be... our network policy, a similar nginx configuration, here are Apache configuration, as two of them, so people who are currently using one of those products have an idea how to translate to the new authorization policy and also give people an idea about the wording used, because the wording definitely is not the same. I mean I know for certain it is, for example, say the one thing is completely different and it will be good to, you know, what this, yeah, speak. What I was a part... Anderson, and know how to translate another, yeah.

Think we should postpone this for a future version, because that's... that mix is that we are discussing revamping the destination API, and... and there are kind of implications, and in any way it's easy to bypass the sidecar. Can... it's not that policies can enforce... because the sidecar can easily bypass? So your navigation is if I bypass a sidecar right now, so until we have CNI and... and... and strong separation.

Yeah, so other... other examples are like you can allow authenticated user; in this example we are saying either the source principal is not empty or request principal is not empty, and you can limit access to the current namespace. You can say all workloads from ns1 namespace, okay, access, basically, can access the... the workload inside the same namespace for this one. In particular, this duplicate.

So as a sidecar, it actually... the service has an annotation, so networking defines an exportTo which can apply since... Sidecar, DestinationRule, other things, and right now it's only enforced, so probably either need to be translated or automatically translated by Galley or someone. We need to make sure that the user was put in an exportTo.

Yeah, and this example is saying all the workloads from frontend and ingress can access workloads in backend, and an interface with... will appear? He'll... a process to external, and I have some end-user... awesome end-user authentication case like using the request auth claims. So yeah, I also want to mention that we are going to change the API version to security.istio.

What I think, I mean? It is definitely simpler than before, but the exportTo that I mentioned, which is basically, you know, any service, you can put an annotation saying export to any namespace, by namespace/service account; that seems even simpler than... than this, I mean, if we... if we can have a way to automatically translate and... and incorporate in this specification, saying that users can also express the simplest case with just an annotation, over... or the exportTo wins, a literal service and the networking API... photos.

That's how exportTo is defined in terms of visibility, and is that the most convenient, because again it's something like users who need to do anyway for networking purpose, for visibility, so if they do it for... for visibilities, and there is no need for them to express the same thing twice. If I'm saying that my service can only access from export... it's only exported to who, that implies that is an authorization as well and does not have to duplicate. I.