From YouTube: Istio Security Working Group Meeting 2019-04-17
Speaker A: You know, easier to extend for new authentication methods coming along. We also talk about supporting [general TLS?], so that we can use that for [gateway?] as well, if possible. And in order to do that, we want to, you know, not define the methods inline in the policy, but define them in a separate place and refer to them, so that, you know, the policy itself can be more focused on when, or which, method will be activated. So basically that is at least the motivation for us to make this change, and a lot of the detail...
Speaker A: We discussed in the previous design review and in another discussion; you can read more in the appendix there, at least some thoughts from that discussion. Based on this design, I mainly highlight, I mean, there's a high level of the overall structure of the policy and how they, you know, work together. So first, about the workload selector: we kind of agree on using labels for the workload selector, so it's aligned with the way we define [Sidecar?], or, if you like, the network policy in Istio.
Speaker A: Right now, so the methods, we can define them in a separate CRD, authentication methods. It contains the information we have as of today. If you look at the authentication policy, you have to define, you know, JWT with all the issuer, URL, such as JWKS URI, etc., and how do we use it. So we think of, like, defining those in a separate place, and in the policy it just refers to them by name. For example, what this shows here is, I just call it using [istio mTLS?] or using Acme JWT, etc., etc.
Speaker A: Of course, we're also thinking of keeping the inline option, so users can still define them in the policy if they want to. That could be useful for the case that they just have that method defined in only one service and don't intend to share it, but that is, you know, which is a decent option. We keep some open questions.
Speaker A: The scope is about where the, let me try to remember, was it, yeah, so the scope is about what is the workload that the policy can affect. And so today we have mesh policies that define mesh scope and intend to apply for, or be the default for, all the services in the mesh. We have namespace-wide, which defines a namespace-scoped CRD and doesn't have any selector, and we have what we call service-specific, where you have a selector, or we have a target field, which specifies which service you want to apply on.
Speaker A: Sorry, in the very next section is the overriding rule. So again we keep it as is, and so today it is that the most specific scope overrides the one above it. So if you define a service-specific or workload-specific policy, then that one will be used instead of the namespace or mesh-wide one, if that's available. We know there is a demand that, you know, you want to enforce the other way.
Speaker A: Like, you want to have the organization define the mesh-wide policy and prevent anyone else from overriding it. So I think we're not trying to solve that today, because there could be, like, a couple of options to doing so. One is to have a separate [mechanism?] for who can set which field in the policy, or who can actually write a new policy, or we can add a new field in the policy to say what can be overridden, but...
Speaker A: For example, if you say, like, one label, app equal to foo, and some other policy, holding the policy with a selector that has, I don't know, environment equal to prod, for some workloads that have labels both app equal to foo and environment equal to prod, I mean both policies are legitimately usable, and we think we cannot provide a good solution on this, because we don't know, you know, in what context the user wants to define those policies. So I think...
Speaker F: Yeah, but I mean, timestamp as the conflict resolution means that if I've got a config file that has a couple of different policies in it, and I just swap the order of them, and next time I deploy I might get completely different behavior. Like, that's going to be really, really confusing. Or somebody, like, just touches one and makes a trivial update.
Speaker F: I mean, ideally, we should have things that can actually be composed. Like, that's the whole... The way that the Kubernetes API is sort of designed is so that, like, configuration and policies are composable. If we really think that we can't compose them, then you can introduce an ordering field, or, like, a precedence kind of field, or even, like, a sort based on alphabetical name would be better than timestamp. Timestamp is, like, really far down the list of bad ways.
Speaker D: It's a bad idea, yeah. Even alphabetic is confusing. I think it would be really a good idea to combine them all in a single CRD, and then, yeah, you can have this order, and then every time, whatever you change, if you don't change the order, the outcome will be deterministic. You don't need to go to different CRDs to see: I was in this order, it wasn't a CRD, and then you write them down and tell the order that... That's really confusing. Oh.
Speaker F: I mean, that's a pretty typical way to deploy, right? Is that I've got a manifest that contains basically everything I need, right? It contains the deployment, it contains the network policy, it contains the service object, like, all these different objects that you need in order to deploy a service. You put them all in one manifest, and then you deploy that as a unit, but...
Speaker F: That the two policy objects, if they apply to the workload, then both policies apply, and there's no sort of inherent conflict in saying that both policies apply. So, for example, Kubernetes NetworkPolicy is allow-only, right? You just have a list of things that are allowed, and so combining two lists of things that are allowed is very straightforward. There's no conflict there. Okay.
Speaker A: [inaudible] ...and so for some kind of context of how the match conditions, you know, the minimum is we need port, also the request path for JWT, for example. Today the port is part of the target selector spec, but if you are just using the label selector, the port is then the most important part of the match conditions. And then can add the L7 properties, like, you know, request header, etc.
Speaker A: So this is, like, kind of expandable later. In the beginning, which is, like, using the common attributes that we need today, like port and path, later can add other fancy stuff, including some expression language if we come to that way. So the structure is simply a list of attributes that can be [preserved?] over later. So these are all the conditions, right, so match.
Speaker A: So we could have the use case that, for example, we want to use JWT from Y only if the principal is X, or, you know, came from the trust domain Z, or some other condition of the peer authentication. So that is, you know, it's fitting enough to put in the authentication layer instead of authorization, because it's not really authorizing access to a resource; it is a requirement on combinations of the principal and the credential presented for that request.
Speaker F: Then, when the workloads come up, they can get a trust bundle that says: okay, well, here are all the keys that you should be able to authenticate against, and there has to be a sort of constraint placed on any of the federated keys to say, okay, well, these are only used to authenticate identities that are actually in that trust domain, right? It's not just a sort of, here's a set of keys that can authenticate any identity.
Speaker F: I think that we can accomplish that with X.509 constraints, like, or whatever it is, key constraints, so I'm hopeful that that should be fine with the existing libraries. Evan, oh, I see you're on the call. Do you know if we're going to be able to do that with key constraints, or whether it has to be some SPIFFE-specific logic that enforces that identities from a foreign trust domain aren't signing for identities that they're not, you know...
Speaker H: Yes, so if name constraints are supported there, which I think that they are, then it should be fine. The SPIFFE specs have gone down a route of, like, trying to support as much software as possible, so we recommend a different validation methodology. If you have name constraints, it's okay, but you just have to be sure that when you're importing the foreign CAs that there's not a collision, a namespace collision. Yeah, yeah.
Speaker D: What we are talking about here is, through SDS, to populate the [CA?]. The node agent SDS populates the [root certs?], like, basically the roots. That's your... This thing is defining here, like, from this peer, what trust domain you are allowed to authenticate. I see this is a little bit conflicting, because this is defined in the authentication policy, and the validation context that we are relying on is the root [CA?] bundle, which is not defined in the policies.
Speaker F: Whether, you know, specific service operators are going to get in the business of determining whether or not particular trust domains are considered authentic, or whether that's something that they sort of leave to the mesh administrator saying, well, we federated with this other trust domain, so we're going to handle telling you whether or not those identities are authentic. I think it's a very separate question to say: will I accept those identities in the authorization layer? Like, is...
Speaker F: Are those identities from this other trust domain even authorized to access my service? But here we're asking the question: do we consider those other trust domains authentic, and is that something that we actually want to delegate down to service owners, or is that something that we're going to say is determined at the mesh level? Okay.
Speaker F: A separate question is, after I've decided whether or not I consider them authentic, am I going to give them access? And so I think there is a legitimate authentication question around foreign trust domains, but I think that we've got to decide, like I said, whether or not that's a question that service owners are going to be answering, or whether that's something that mesh operators are going to be answering, around foreign trust domains.
Speaker F: Yeah, I mean, that's kind of my instinct as well, is to say, like, to have all this policy around, you know, what peers are allowed to present, what origin identities and stuff like that, be an authorization decision. Although I do, you know, I am sympathetic to the idea that in some organizations that may be an indication of something authentic, right? Like, here we're worried about stolen credentials or something like that, and therefore it's an inauthentic request, but...
Speaker A: The API is still a work in progress, as named, and, you know, the way we group them can change, and I'm open to all the suggestions for names, because I heard some feedback about peer and origin is not very clear, and the way we, you know, lay out the structure is not, you know, it looks okay in proto but does not look okay in YAML, [inaudible].