From YouTube: Istio Security Working Group Meeting 2019-07-10
So the reason we brought this up was that we have a lot of external clients that are not part of the mesh, and they are not able to pass an application protocol, not Istio, so they will finally fall into the second category for permissive mode, and the connection is not expected to be mTLS, and it's [unclear], yeah. So what we want is that, regardless of whether the client is within the mesh and the Istio control plane or it's outside the mesh, [unclear].
In reality, the requirement was that an application should be able to terminate mTLS if they want, because some applications terminate mTLS themselves, and I need to be able to continue on mTLS. You want the application to be plain text, obviously. You want it to work, and you are adding the requirement for the application to not terminate mTLS and to avoid automatic mTLS.
Everybody agrees it's a valid use case; you need to support it. The question is how. Okay. How do we specify it? How do we say that this particular workload should be terminated by the sidecar, or passed through to the application? Maybe we add a flag to differentiate these two. So that's the technical implementation, which is yours.
So, somewhere we need to specify that [unclear]. The fundamental question is: where do you specify whatever it is? One proposal is to extend strict/permissive, apparently; I put it in the comments. Another option is to use the sidecar API to define how it is set, and yet another one is to use annotations or a similar mechanism, I suspect.
And the related question is: do you want the server to request client certificates, or do you want an option to not request them? Because every time a client connects, the server decides whether it wants to request client certificates or not. So if a browser connects, for example, you see a pop-up every time the server is asking for a client certificate. Do you want to customize this as well?
Where I'm getting at is: do we want to have a way to customize the sidecar, to specify pretty much, hey, I want to have mTLS instead of TLS, I want to have, I don't know, different policies? Is it just strict, permissive and none, or is it a more refined set of options? Maybe you want to specify the ALPN protocols that are exposed or negotiated, because some clients need this.
As long as [unclear], any of the three should work as you want. Where you will do [unclear], we wouldn't want to have a negotiation, because again, that will be something which our clients would need to specify, so [unclear], especially at the end, there is no...
I mean, ALPN is exposed by the server, because some protocols require the server to say, hey, I'm h2; in gRPC, for example, it expects h2 to be specified. It seems that the proposal hard-codes h2, but there are other protocols that require other strings to be specified in the ALPN. If the sidecar is terminating TLS for external applications or non-Istio applications, those factors need to be discussed, because you have TLS clients.
Okay, I think this proposal makes sense. Do you think that doesn't make sense? Oh sure, yeah, I think we haven't touched where this API is, yeah, yeah.
To point out that we already have a gateway API that already has the definition for customizing the TLS protocol at that endpoint: in the networking API, indeed, we have a way to specify if we should request the client certificate, what private key to expose, subject alternative names, protocol version of TLS, cipher suites to expose. So we already have a mechanism to fine-tune how TLS is terminated at the Gateway level. Okay.
So the logic will be: if the mode is permissive, we look at the corresponding sidecar API for this workload to see if this setting has been set, and then we change the filter chain match to use the transport protocol, yes, rather than [unclear]. Does that sound like what you're proposing?
I think it's partly, oh, I mean 90% yes. Okay, the question is: if a user goes to configure just on the sidecar level and define how Istio is to behave, I think we can have the sidecar also specify if it allows TCP proxying, I mean if it enables the sniffing, and let [unclear] go as one of the options in the sidecar API itself. So if users use this new API, this extension of the sidecar to fine-tune the sidecar, they probably don't need [unclear].
Yeah, I want to kind of revise my earlier statement. I guess that I don't necessarily have a problem with this being part of authentication policy, but I don't think that the ALPN is the same thing as strict versus permissive. I think we could say it's permissive and then add additional fields that say: okay, well, what's the ALPN that you...
Do we have a kind of statement or other documentation from the TOC about what the sidecar API is supposed to be about, like what are the limits on what you're supposed to be able to configure in the sidecar API? Because, like I said, basically every knob you touch anywhere affects sidecars, right. Yes, so the sidecar API: what is that supposed to do? What is it supposed to mean?
Anything that is supposed to touch the sidecar configuration can go into the sidecar API, just like anything that touches the gateway goes into the gateway API. I don't think that some settings should be only networking; for example, exportTo, which controls who is allowed to import a particular service, can be translated and should be enforced as an authentication or authorization policy, yeah.
But let me give you an example. If I create a service entry, right, a completely different API, when I do that, what will happen is that some piece of sidecar config will be created, right; there'll be a cluster created for it on the sidecar. So I don't think that we want to get in the business of people using the sidecar API to start creating extra clusters, right. Like, we say that the service entry is the way that you do that.
So, basically, the question is, from a modeling point of view, I believe this is a networking concern and should be configured using the sidecar. Apparently, there is a belief that the authentication policy should be expanded to cover networking concerns. I think that is something that we need to discuss with the networking working group as well, because we are just representatives and not the whole working group, and if the networking working group believes that this setting should be in the authentication policy, then [unclear].
I don't know, do you have some... I don't know either. I'm a little dismayed that we're getting so policy-heavy here. However, anyone can say that we have a concern and bring it up to the TOC. So if there is a disagreement between the networking and config working groups, anyone from the networking working group can object and bring it to the TOC. It would be better if we can resolve this ourselves and not take it there, [unclear].
I guess my point is that this is a question of API design, right. How do we decide what lives where? And so we can just sort of talk about it between the networking and security working groups. If that's the way that we go, I think it would be helpful for us to have a reasonably sharp definition of what each of the API objects that we have are for, so that people can analyze: okay, well, I need to do this thing.
Right, are you sure how it'll go? Because it seems that the fundamental disagreement is where the API should be. I mean, we agree on what should be in the API: there are certain TLS settings that need to be configured. So the disagreement is whether these settings should go into the sidecar API or into the authentication policy API; so whether TLS settings should be defined by authentication policies or should be defined by networking.
I can propose a short-term solution for you. I think in general the agreement in Istio is that, for experiments, since the APIs take a long time to discuss and approve, we have used annotations and labels to enable features that are not yet in the API. Pretty much what you need here is to define a small annotation or label on the workload and a small change in Pilot to generate the corresponding config, and [unclear].
We do it consistently for a lot of features, where an annotation, which is not yet an official API, is used to customize what Pilot is generating. So I don't see any reason why you couldn't put an annotation on a workload that needs this particular behavior, and Pilot generates the config that you want.
My only concern is that the annotation is determined at deployment time, and policy changing from permissive to strict, or from plaintext to permissive, is changing on the fly, dynamically. I don't know, you guys, I don't know if you're okay with this proposal to use annotations, I don't know.
Right, and one extra comment here: in the second part of the document where you describe adding an extra filter, I put some comments that it's probably not necessary. You just need to remove the ALPN. So if the assumption is you label whatever, wherever it is, you don't need another filter. You just need to remove the Istio ALPN.
Alright, alright, and then from now on, what Ryan... let's see what it takes for us to do that one, right, and from now we get it into a final stage, [unclear]. Like, who's gonna take this through the process? Do you want us to do that? It's like between you, take it to networking and sort it out, and...
Presenting this one. Can you guys hear me pretty well? Yeah, sure, yeah. So I'll move through this as quickly as possible. So, just to introduce myself: my name is Sam, I'm interning with John Fay and the Istio team at Google, and what I'm gonna do today is just put forward some discussion on how Citadel targets which namespaces it should actually be operating on. So if we could pull up the design doc really quickly on the screen.
All right, so yeah, just to start on what the state of how this works is now. Pretty much, there are two flags. One of them is listened namespaces, and what listened namespaces does is you pass it a list of namespaces you want Citadel to operate on, and it's just set at launch; you can't really configure it after that point, and Citadel won't even receive updates about things happening in other namespaces. By default it's blank and it gets updates from every namespace.
So the other flag you can use to configure which namespaces Citadel operates on is explicit opt-in, and that was added like three months ago by IBM. Pretty much, if you have explicit opt-in enabled, then it'll check for the presence of this istio-enabled label on the namespace before it generates a secret from a service account creation. So that's kind of the current state of the world: there are those two different flags, the way they interplay together isn't necessarily entirely clear, and it's also not really documented.
It comes from the values and then gets passed as the flag to Citadel. So yeah, we're just putting forward a few different alternatives to what it is now. Initially this was an order of preference, but there's been a lot of discussion, so I'll just list them as equal proposals. So the first one is to have a label.
Initially we were going to make it citadel.istio.io/managed and then have that be true or false. I know that Costin, I think you brought up a concern about that. And then we're going to always follow what the label said, so pretty much the label trumps all the other configurations. If the label is present, we follow what the label is telling us, and if the label is not present, we're going to use another flag that we introduced, unlabeled namespaces mandatory, maybe a better name, that says what to do in that case.
My question here: for auto-injection we follow the same pattern, and for the new installer we have exactly the same pattern: we're going to allow a namespace to specify which injector to use, which control plane to use, and in this case what CA to use. In the past we had the boolean, injected or not, for the injector, and that obviously doesn't work very well when you have multiple Istio profiles and multiple versions or canaries. Right now Citadel is only...
The pattern we use for injection is that you have a label on the namespace that specifies which injector you want to use, and we specify it as the namespace where the injector is running, so if you have a canary injector you put a label for the canary injector and [unclear]. To pick up [unclear] CA, because SDS is also coming.
The main question I have is: do we want to have ten annotations, one for each component, or do we want to have a single annotation that is defining an environment, and then the environment consists of a set of control plane components? Because this is just one part of Istio and there are many other functions. So do we want users to have...
...to coordinate between the different things. I'd add to that: I think the use case that we heard first, I have to say, is the control plane canary scenario; that's a use case that we definitely should support. The use case we found is some users just install Citadel, only the CA, in a particular namespace and use it for some purposes, not for Istio, and then they have some other namespace that uses the full Istio installation.
So that's option one. I won't give pros and cons since I guess we'll discuss that afterwards. So the second option was passing through a Kubernetes selector, so pretty much the operator can define a rule on which namespaces he or she wants to target. So maybe you have prod and staging, so you can have the selector select namespaces that are tagged with that.
That was the second option. The third option is probably the most rigid. So right now we have the listened namespace flag, or something kind of similar, but that lets us do a blacklist as well. So we have a whitelist flag for namespaces that we would like to target, or, mutually exclusive (you can't set both of these at the same time), a blacklist flag which by default will target every namespace except for the namespaces you include in the blacklist.
[unclear] option, first of all, why... that's why I asked the question about the values document. Typically we want to maintain backward compatibility, so I don't see any reason to replace instead of add. So we have listened namespace, which is a whitelist. If you do not specify anything on that, you know that means every namespace, but it doesn't require that [unclear] a backward-incompatible change, right.
On the implementation side, it's slightly different in that, as it is with listened namespaces, it literally doesn't get updates at all about events happening in other namespaces. With this, we do the filtering after the fact: after we receive the update, we check if it's in our blacklist, and I'm saying, well...
[unclear] right now, auto-injection and other operators in particular all read one values [unclear]. So what is the [unclear] mesh config? This config has a lot of settings that are stable and compatible and so forth, and different components, the injector, Pilot and so forth, read those values and can be updated [unclear].
Yeah, my point here is: you need to have the privilege to change the config in the istio-system namespace to do that operation. Oh, but if you do there... sorry, let me finish: if you do the labeling on the namespace, you don't need that privilege, yeah. So in a multi-tenant environment you probably want to do that, I think: just change the label of the namespace, yeah.
So let me kind of summarize what we've got from the discussion. First, we need to maintain the backward compatibility in values.yaml for our users to prevent breakage during the upgrade; that implies [unclear] these namespaces [unclear]. Second, it seems like we are okay to use labels and point to a different set of Istio instance namespaces to enable the canary of the control plane, and the use case using this combination. Does anyone have more comments on this?
The issue at hand is that we have a customer who is hosting their key set on a web server that is secured using a TLS certificate that is coming from their own CA. It's obviously not... so, in Pilot I found that we have a hard-baked set of root certificates that we trust when we resolve the JWKS.
It's obviously not in there, so I wanted to find a way to add it in there. You can rebuild the containers, but that's not really something that a user would do, and I thought this could be a first-class citizen of the configuration because it's valid; in my opinion, at least, it's a valid use case.
So I was thinking about how that could be implemented, and I looked at adding a value to Pilot, like adding a variable on Pilot that would, in this case, just contain the PEM certificate, because we don't have any... I mean, it's kind of related to Citadel, but Citadel obviously doesn't manage these certificates. So I was going for the quick solution.
The proposal from [unclear]: there is a document [unclear] in networking which documents a similar problem for customizing the roots. Yes, could you share that document? I looked for it and I did. So we have exactly the same problem for multi-cluster and for cert rotation, where we want... but he is going with a config map that is going to be defined by the user and mounted for the injector, for the...
It's an API, and as we discussed earlier, we need to take backward compatibility seriously, because many users are very unhappy when we break their upgrade. So yeah, we need to treat it with the most care. We had stuff in mesh config, and, by the way, by mesh config I mean the values document, because values is now...
The new mesh config is using values as input, so the old mesh config and values are, kind of logically, migrating to come together, but we cannot [unclear]. But in some cases like this one, it may not necessarily be mesh config; the proposal from [unclear] for multi-cluster and rotation is to use a config map or a secret where the CAs are used, just like [unclear] was saying. This is also the keys, or what CA is used to authenticate Pilot.