Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Istio / Technical Oversight Committee / 16 Oct 2020
Istio / Technical Oversight Committee / 16 Oct 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Technical Oversight Committee 2020/10/16

Description

Istio's Technical Oversight Committee for October 16th, 2020.

Topics:
- API for external authorization plugins
- Release managers for 1.8

A

uh Does anyone know how to access the youtube account because I don't have access to it? I have the video from last time, but I don't have the login uh craig. Does okay, I'll ping, craig um and I'll get that loaded up.

B

Since I hit the record button, I might get the email. If I do um actually I created the uh invite.

A

To fix the old meeting, because the old meeting was owned by someone who left the company and that's why I wasn't recording anymore good debugging, um but then I was silly enough to create the meeting so now I have to do that. Upload.

C

Great.

D

Oh.

A

Yeah.

A

Okay, so should we get started, I was going to suggest we move young men's topic from after some.

A

But you're getting feedback um yeah, let's go through the release, broker blockers. It's a good idea.

E

Hey but before that, I just want to do the announcement and then it can be done.

A

Oh all right are you on the list. You can put yourself on the list.

B

No.

E

No.

B

Yeah, I think I think we'll have to schedule this out for a couple months in the future, and until then you can't make an announcement. You just have to too.

E

Late, I just already saw unsubscribed myself from all the ownership lists and teams and so on.

E

Okay, go ahead. Go ahead, all right, so I mean for those who don't know. This will be my very last day in istio onward that trade and all of those stuff, and so I'm moving on to do something completely different, and so I just wanted to tell people in person. This will be probably my. This will be my last doc meeting and anything has to do with istio kubernetes the whole land.

B

So when you say completely different, does that mean you're you're getting to general contracting or.

E

uh Still within you know, interesting.

F

In the north sea.

E

Still within software, but I guess it's not going to be anything related to kubernetes.

E

So.

G

Is committed to supporting the envoy filter api into perpetuity.

E

No way, no I've put spam blockers for all of you. So if I get any debugging emails, it'll just go straight to spam. So don't bother contacting me again.

C

We'll just parties we'll show up at your house how about that.

E

Sure, okay, that's fine! If you made it that far! Yes, that will be fine, yes, but.

B

Why don't you take the opportunity to tell people what you really think of them.

E

No, it was actually I mean it was. I mean I think I don't know if dan burke was actually here, but I think he's probably the only one here who who he and I go back like five six years back in this entire space but yeah, it's been a wild ride and uh I still remember the very first time we presented amalgamate to eric prover and I don't know who else was actually on the caller.

E

Maybe lou, strand and swan were on the call, but this was like three years ago or four years ago and then we did the whole steel thing and so on and so forth. So yeah it's been a fantastic ride, a lot of learning, but I kind of also got bored. So I wanted to go. Do something different.

B

Yeah sven's pretty boring. I blame it on sven.

H

Well, your contributions have helped the community a lot shira. So thanks for all the work, thank.

B

You shrimp.

C

Here guys we're breaking the first rule of like farewells. What is that don't be thankful for anything you just give them a hard time. The whole time.

H

uh I think if I was in hawaii and drinking some good uh drinks, I will be in the same mood.

A

At least another hour before.

C

Yeah I got another hour before I start my second. My time.

I

You were supposed to give hard time to sri ram not to louis.

J

He's going fast he's good now. This is good helpful.

H

Yeah, it's diff, but yeah I'll. Do it on slides, yeah.

C

Sure it's been a pleasure we've. You know we've been working together for a long time in this project. You know: we've made huge contributions to it, so we're all really thankful for everything that you've done and you're not really going to be allowed to escape. I'm sorry, I'm going to ensure that personally so yeah.

E

I will be around just not in the full official capacity, so do please make sure to remove me from all the all garments.

I

Admins on the.

E

Drive and the good headwork and whole bunch of other things, so it may be prudent to remove me before something somebody hacks it and then an unused account. So before you.

A

Get really upset at everyone and just start working out.

I

When you hold your design, docs.

C

Over to a new google, you know uh account you're gonna, get like a thousand notifications, penance.

E

Now it's all gonna be going to some folder that will probably never check so my strategy. I told that to mandar do not reach out to me. I will block you on on a messenger and whatever it is that people are going to use, especially amanda. I agree.

K

Yeah, hopefully you still remember us.

K

Yeah nice.

C

People watching from facebook, twitter right I mean the shade- is in the street, like all of it, like totally.

E

I no longer have to do twitter. That's.

H

Nice actually doesn't already suffer from the fact that there is a github handle close to his name and that person receives all his notifications.

E

I'm pretty sure that guy is going to be very angry.

H

Oh I've seen some very angry comments on get up from him.

E

Oh all right but yeah, it was fantastic working with you guys and do please stay in touch and yeah I'll still follow this project from far yes.

K

Guys.

K

Thank you all right. Thank.

I

You so much.

K

For your contribution to the prize, thank you guys. Thank you.

A

Also you're dead, but thank you.

C

Yeah, can you get off the call now I mean seriously honestly.

E

Yeah seriously, because this is just I can hear my own echo- it's just very bad- actually.

A

There is that remove from meeting button.

E

I'm very tempted to just click it yeah. I don't know why. I'm gonna change the iphone, so yeah bye guys my best of luck. Thank you.

D

All right super.

H

Oh wow, he really dropped off the cup.

K

Why would I waste 50 minutes on us.

B

I'm so hurt I'm so happy. We recorded this.

D

Yeah this was recorded. This will.

D

Be.

C

All righty well these blockers now that tree ram is not a release. Blocker.

A

So we have four wait when it. What is our timeline? Someone remind me of our timeline for 1.8. Where are we in the.

I

Tent.

A

Right but like sorry, I meant like when's. Are we already code, freeze or when's good freeze.

I

So feature faces happening, 10 20, which is monday, and the testing is starting tuesday, which is 10 21.

A

Okay, okay, so next month, okay, so monday, like monday,.

L

Yeah.

A

Oh, so people can work on monday, great okay. So what are the four blockers we have? What do you want us to go through those short? What did you want to cover.

I

I we don't have an eta, so it's good if we can discuss a little bit, at least on the release blockers, because peter is going to clean up the p0's, but the release blockers absolutely.

A

And john just said that the second and third ones are the same or which ones sorry.

D

Was that john.

M

uh

D

Yeah, the second and fifth.

M

One are the same bugs so: okay, we really only have three really small ones line two and line five are the same yeah, my two and five okay.

A

uh So are these all are any of the missing assignees.

I

Peter was looking into it peter do you know.

L

um I think I think they are all oh actually, two of them are missing assignments like the sds, but like the line from line to your line, five are assigned to william and I think, and which changes in progress. So I don't worry too much about those two, but the second one. Oh sorry, the uh crd regression, I don't think it's assigned to everyone.

L

So we need to find a candidate. I think jason is.

I

Yeah jason work on it uh in uh 1.6.8 or something.

L

Social which exercise this for jason, I would be interesting offline. Let's see.

A

If he has cycles to look into it,.

I

Does anybody else want to take it in the.

A

Meantime, sorry- and this is not very- this- is not a very detailed report- um yeah but maybe yeah. Let's have jason look into it and see if it's actually a release blocker and what's going on yeah.

L

Okay and this, uh the other one, is uh the dog chaser competition, uh I'm not sure whether it's a regression or not, but I mean enjoying your market so for this blocker, so you can take a look at it.

M

Yeah, I I can do it or it's it's probably not a hard fix. If someone else wants to pick it up. I think I'm kind of committed on a fair amount of release, blockers already.

L

uh Should we assign to someone else running around with you.

L

Or I can take a look at this.

G

Either we yeah, we should like someone from from the from the telemetry site should should take that all.

L

Right.

L

Okay,.

L

Yeah, we'll clean up all the p0's lots of gear, zeros or long-term work and can be removed from this street, and I think, uh by the way of today, we will have a better look and I will ping uh each individual assignments of those speed videos to get an eta.

L

Sounds.

A

Good.

A

Okay um and also a call out for the testing.

I

Yes, please, um it's always a struggle to actually chase first to sign up. So um since it's starting wednesday, um I really appreciate if we can get some sign-ups. Please.

A

This.

D

Is.

A

Okay, so we have like nobody signed up for anything yet.

K

No okay.

N

Yes,.

I

um um So if we can, I don't know, try to get at least five percent. Ten percent of these needs automation to actually get automated. It's another thing which you're not able to achieve.

I

The test automation, especially.

A

Especially ones that are like p0 or p1 yeah,.

A

All right, so, if people could pick those up, your uh efforts will be eternally rewarded with prizes short on. We need.

A

Prizes.

A

Or do people have other ideas for how to get more people to help with both testing and with automating of the tests.

A

I think we have this perennial problem of being able to unable to get enough people.

A

Thoughts from toc.

C

Members, I think we're gonna have to do a lot of testings. Then.

H

Yeah I mean: do we do any uh twitter or external messaging other than the calendaring things that we have done in the past.

I

We do announce on slack and discuss, but I don't think we do that on twitter.

D

We normally also announce at the community meeting, but it's been cancelled for the last four weeks.

I

Yeah.

H

Okay: let's try to do some twitter uh messaging and see if that helps, but I agree with louis louis mostly we will have to do a lot of testing yeah now.

B

That trade room's gone. We need somebody else to call louie lewis.

H

Sorry.

O

I can I can. This is christian. I can jump in and help on this release on testing, um and then we can also make announcements I'll I'll make sure I get a couple of these automated at least a couple.

I

Of months, thank you. That's awesome. Yeah.

H

And I'll sign up too.

I

Thank you.

J

All right.

A

uh Do we need anything on? Oh you guys working on dashboard. Do you need to review any of these things short of the issue of health.

I

uh No, that should be good. The dashboard is coming along. Well once we are ready, we'll share it.

A

Okay, um all right, so we did shurim's announcement. I before we dive into authorization support. I wanted to go through a couple quick earth things um so that we uh nico was signed up to be one of the release, managers for 1.8 he's leaving our team and is no longer going to be released manager for 1.8.

A

um So I think peter was going to replace him. Was that right? No, I was serious.

L

One of our users already don't do one yeah.

A

uh He told me now I forget, I should have put that on here.

C

Did you mean.

A

1.8.

I

We were three people for 1.8, greg, peter and nico nico, leaving. We are down to two.

I

Right.

A

Oh okay, so but yeah should we just stick with two? Are we okay with two for one night or should we try to get.

B

Three is a good number.

B

So I I just pinged niko trying to figure out who the back pull was.

I

Yeah, especially at the end stages, triaging, getting things done. um Three is good, we probably don't need them in the beginning, but in the late stages we it's good to have.

I

Three.

A

Okay: um okay, let's follow up on that! um Is there anything else, quick on this before we should before we dive into the authorization support questions.

A

Nobody, uh if you had something agenda, please put your name on it by the way I don't know who added this one, but now we don't know: um okay, let's go into better authorization support. Then.

P

Yeah thanks so much. I will.

P

Present.

P

Hi everyone, so uh this is a design proposal from the security work group about having better and first class uh support of the excel authorization in the authorization policy, and we bring this up in the tlc meeting to resolve so first to review the design and also resolve many issues arised in the review process that might need input from the toc and other working group to help make the decision and approval of this design.

P

So a very quick background is that many users today they are using our extra oc filter to integrate their custom operating system and in istio they do this by using the onward filter crt the big pain points of using our filter to do things like this is very obvious.

P

Some of those things are related to the general difficulty in using our filter. Some of those things are specific to the external oc process. Here, for example, the pipe character is invalid to be used in the xlrc grpc client, but that is the default cluster format we generate in pilot and also the only filter, it's generally hard to use, not only because of the syntax, the transparent lecture. It's also because of it's exposing the native onward filter api.

P

So whenever a small change in the upstream away api, it could cause the user applied onward filter to fail. Sometimes it will fail silently, for example, we have seen many users complaining this, that the version of the object in the onboard filter is dependent on the version of visual is using, and this was a huge pain.

P

So, additionally, the other big pain point in using the exclusive flow is that it currently cannot support to trigger the extra flow conditionally. You have to enable it either for all of your requests or you disable it even technically. It allows you to use the per route override to find controls or triggering rule, but practically it is very, very hard and mostly impossible to use because of the complexity in dealing with the rotting rules that is already generated by istio.

P

The goal yeah feel free to interrupt me if there are any questions.

H

uh Yangman quick question here, so uh do you want doc to resolve a particular issue, or do you want us to approve the doc I'm just trying to understand if you have to go through the entire thing or we can focus on a subset here.

P

uh I think it's a if the tlc approves this design. It means we resolved the questions and concerns from uh about this talk. It's unfortunately costing is not here, because I think he um brought up most of the concerns that resolves. That requires the result from the tlc and other.

H

Literature- and you are targeting one eight for this or one nine.

P

uh Previously, this is targeting one eight, but for now I think it will most likely not in one eighth. Okay got it: yeah no carriers.

A

Skip ahead a little bit and summarize so this is uh this is basically the same api as mixer's check api in a sense right. It's it's forming the same place in istio, where you can say you know uh or like the external tech apis right. It's like when this match occurs in this in this situation. Please call this service to check if this action is allowed.

H

Is there cash ability this one, so duration.

G

No.

H

There.

G

Is there is no cash ability in in the x dot cps? As of now.

A

So I was gonna say in theory, this is cacheable because we have existence proofs of us having done caching on similar apis in the past, but.

K

Nice.

A

uh The the current one is not to cache it.

H

So so every request will have an inline out of process call okay,.

P

Yeah, so I think it's important to call out that we only send the header to the external server. We do not send the body and the payload.

H

Yeah, yes, I think the network cost is the problem here. I I'm assuming with board payload yeah. It can get worse.

C

Yeah, the network overhead right, even with small payloads right.

J

Yeah.

B

External call has a pretty high cost, but it is no worse worse than using the envoy um x, off z, filter now right. This is there's.

C

Nothing very important using the call g filter they're getting this cost all right right.

A

Yeah yeah, this doesn't change how it works under the hood. It just changes how it's configured by the user, mostly, although.

M

It makes it.

P

Conditional.

A

Very.

P

Important so I guess I can so do you have anything other to add a scrap.

A

um No, I think we should go through the api yeah.

P

Proposal.

A

So.

P

Yeah sure, so let me jump to the example and give a review of the api we are actually making here. So, first of all, it's a prerequisite that the user they should deploy the external oc server, either raising the mesh or out of the mesh. This is just some examples for one of the deployment type.

P

For example, the user can deploy the xlr server in the easter system namespace, and they expose this server to sdo by defining the kubernetes servers, and then they can use the peer authentication policy to enable mutual tiers for the connection to the extraoc server, and they can also use the authorization policy to only allow the increased gateway to talk.

I

To it,.

P

Because we will later apply the external policy on ingress gateway.

P

Next, we move to the real.

H

uh Yeah.

C

That's provisioning, the x dot, z server as an example right mimicking what we expect a customer to do and part of the reason why you would maybe put an authorization policy on traffic into the x dot. Z. Server right is because you want to prevent it from being abused.

C

Yes, although that's probably not that typically use case, like the other parts like setting up the the traffic policy in right, almost certainly makes sense, because you want to identify the workload. That's calling you right when you're the authorization server.

C

Yes and you might use a different credential type right. It might not be mtls that you use here or you might use mtls, and you might use something in the credential payload to act as an identity. Yeah.

Q

And to the clear user, you means a systematic, because that's one of the main issues uh we have. The measured means, the one that is installing sqrd and- and uh you know, managing this ud and then you have the booking for user who's, actually playing booking, for which user is deploying the other server.

P

So if you are already, if you are already trying to do this in easter system namespace, it should be the measure of the means responsibility to this because booking for, like the namespace, I mean they should not have control over the easter name space in the first place. Okay,.

Q

So the measurement is operating so deploying generally.

A

We would expect that, like either security, admins or platform admins are managing these off the server services and configuring the access control to those and the authentication methods supported by them. We should not expect individual namespace owners to be doing that.

H

And exactly uh so, and what's the time to steer system here, is that just an example name space or it has to be steer system? That's.

N

Just an example yeah, it's just an example, so.

Q

It's like it's like it's like tracing tracing or or ca, or any other systems that we integrate with got it.

M

Perfect ying man- I thought you mentioned somewhere, though, that it's common for like this is for ingress example. But it's common. If you have like your book info to have the book of your team, deploy their own auth server.

P

Yes, so this is one example of the deployment as a namespace owner or nmc admin. You can, of course, deploy your own extra oc server in your opening space and configure your workload in your namespace to use that extra oscillator server- and this is just like you- can apply the other other history api in your namespace to control the workloads in your namespace.

P

So what is the reason why that make use cases common? That is not common. I think the most common use cases for xoz and like the job is use it on english gateway. No.

C

No, no, not the use case of whether it's ingress or sidecar, but the use case of the namespace owner owns their own auth z, service.

H

That's very that's very rare. I have not seen those.

Q

And dangerous and something we should not recommend because you you do not want to.

A

Manage so, if I mean.

N

Like.

A

You have any customers that are doing that with x, z, filter today, where the name space admin like a service owner is writing their own external aussie. Like do we even do examples of users doing that.

P

So I I think this is not something we are recommending users to do, but it's just like if the organization they have their name specifically amen.

A

My question is: do you know of users who are doing that today? No okay.

H

So we should not try to take additional uh overhead on our side on the api and implementation, in my opinion, to support that use case. As of today.

Q

uh To talk to clarify, we support unofficially running your own tracing ca, uh whatever I'm.

H

We're not talking about tracing I'm talking about external.

Q

It's the same pattern. It's the same pattern. Someone can run their own tracing servers or in their own namespace, and we have some ways to configure it if you choose to, but it's not something that we expose in the apis.

P

Yeah, it's it's not in the api. We do not.

Q

See.

P

Anything specific about the deployment type in the api.

H

And we are going to document it. Okay, right.

C

Here I guess there are like, without an example of a user needing to override, let's say right, so there are kind of three things right: the mesh white admin could say there is one alt z policy server for the mesh one. Next to all these servers for the batch, or they could save for many right because- and I don't know have we seen any use case where companies or users have more than one xbox server.

H

um Only for migrations, just like you will do it for chart.

C

Yeah, like I think, that's certainly typical, um so I guess there's a question of how we might allow for migrations, um obviously by not allowing this in line in the api here. Something else has to fulfill that role elsewhere.

C

I think right would be the obvious.

Q

But we have a pattern for that I mean we have. We have these patterns that we use for every other service. We integrate.

C

Yeah no, no. I know I'm just trying to point out that that pattern is mesh config right.

Q

It's proxy clearly but yeah.

H

Yeah something other than our first class api yeah.

Q

Well, it's impressive because it needs to be deployed in each in each sidecar and it's you know, that's how it is. I mean tracing ca and other things that happen.

C

Well, this this doesn't need to be written out at injection time. It is produced solely out of the control plane. So I'm a little surprised to say it's in proxy config, but.

Q

All right, it is in the injection time because uh the the site card needs to connect to this server. So we need to get this address and that's the only way to get there yesterday. We can have a default if we want, but uh so you need to restart your workloads today for tracing uh ca and other things. You need to restart.

H

It's important here, there's there's going to be breaking changes for people and upgrade costs. I think, if you put in a proxy conflict, they will have to roll their workloads. You should start with mesh config. uh Yes,.

Q

uh

H

We.

Q

Could put it config if we want to.

C

And that's strictly better right, justin from a life cycle perspective. If we can.

Q

If it's mesh config default, we don't have to restart the pose every time you change proxy configuration it's just if we want to restart them for some things, but even proxy config changes. Many of them are actually enforced by by pilot and sending configuration. So it doesn't really make a difference, but.

C

Yes, schema then behavior right, yeah yeah when we say mesh config. What we really mean is all the config central config artifacts, read by pilot right to manage the control, plane and proxy configure all the things that we inject, because we have to.

Q

Yeah as long as it's for systems, I'm happy it doesn't matter what it is. I want to be consistent with other integration points that we have. Okay, all right.

C

We have our api issues there, but we can take those separately.

A

We need to be a little bit more concrete about what we're actually talking about, putting in where right like what would we put in mesh config. Presumably, we would not put all the rules about when to apply this right.

Q

No, no, no, the other is uh the parameters that you know. Support is uh like we do for telemeth for tracing tracing is a perfect example. You deploy jager and then in mesh configure specifies the address of jager. You specify support, you specify the tls settings and whatever else is necessary.

H

Just the producer's settings we're.

A

Talking about being able to find the available external aussie services as part of question,.

H

So when you say multiple uh swell, then you have to have a selector to specify which workloads which will choose what at the global level.

A

So I think we still want authorization policy to define when to use which one and then it would be name reference based. So an author should possibly use this use. This server for.

C

These we could make sure that we could add that capability later, without disrupting the api and start with one.

H

That's totally reasonable.

Q

Ca integration is kind of the same thing I mean we have one, only one, one ca that we integrated the field still should be an array.

C

Well, if you don't need to specify, there doesn't need to be a field right.

C

All right, that's the nice thing about right. We should be able to do this in a disruptive way, so we should be able to design like if we have multiple. What would the schema look like in the future and walk the schema be today if we only had one and if this the change between those two schemes is only additive, then that's good right.

A

Yeah, that's right in one case: louie are you assuming that this would apply globally, although there would still be rules defining when it is applied.

C

So we already have a mechanism right if this is in mesh config, with revision to migrate. So we would cover the migration case today with that. The only other thing, then, is something more fine-grained than migration.

A

Right so does this have to be called everywhere, or can it be a called say only from ingress gateway.

Q

Policies, external, I mean.

C

Yeah in the policy right right.

A

Okay, you're saying we would still have that, it would just say external and the meaning is purely in mesh config. Yes,.

N

So basically like moving this part to the mesh config right. Yes, yes,.

H

Yeah, so mesh config is just service discovery. That's how I think of this. A global service, discovery and so bindings are through fine-grained apis.

C

I see so you may want to add control over the headers right.

P

Yeah.

C

So that's the additional.

P

Config, in addition to the address of the target, we have some other final control here over, like a one headers to be sent to the extra server and what headers the extra server can modify in the original request, because the modification part is often needed in many advanced us flow today, like the old dc flow, it's controlled by currently. This is still in this oc policy, but I will just use this as an example here.

P

It should just work if we move all this part to the mesh config, and it will only keep this extra action and the rows to trigger that behavior in runtime.

Q

So one comment here is: if you deploy on a particular oc server, that oc server will have some particular behavior. I mean what supports whatever does it? Support so typically will be the system admins. The measure means that deploys other server. That will know what headers need to be forwarded and whatever should be written. It's not booking for developers. That needs to know that yeah.

P

So this is a part of this right. This is, I mean uh the option we are talking like a lot of demonstration here is like moving this whole part from which configuration okay, perfect.

C

Okay, hang on well, let's discuss that for one second right. So generally, I agree custom, but usually what you would see, for instance, is the headers that were dealt with at ingress would differ from the internal ones.

H

Yeah.

H

And mesh config doesn't feel like the right slot to go at that level of granularity. In my opinion, my my.

Q

My concern was that uh authorization should not necessarily be involved in header manipulation and someone who writes an authorization policy should not be concerned with what headers particularly are used in what way. It's very insane.

C

Yeah I agree. I just I think that that usually divert like you have one one concrete set for internal and one concrete set for ingress. The admin could set both.

Q

Zenya, I'm happy it doesn't matter where I mean I'm happy, you don't and.

C

We have to think about how we would do that.

C

A.

A

System-Wide mesh-wide policy right so.

H

I.

A

Don't think authorization.

H

Policy exists right now in that capacity.

R

Yeah, just uh uh just a uh just a random proposal: can we uh instead of putting in mesh config, can we actually have a global crd like a global authorization policy or external observation policy and just apply this? uh We can use the same protocol as the oscillation policy, but.

C

We already have lehman, we already have a global.

R

Yeah, I know, um but this is a little different right. We we don't want to apply at name space level, so we cannot just uh restrict the namespace has to be. Is your system.

Q

And so basically system is not a problem. Mesh config can inject any address, including external addresses yeah. Just like.

R

We are watching too much things in mesh config, like mexican figure, is becoming a giant stuff like it contains everything and it's hard to show.

Q

Well, I mean that's a different story: we need to improve mesh config, but not by putting the mesh config in uh spreading the mess in here. Yes,.

H

I I I think louis you can correct me if I'm wrong here, we should start simple. Most of the use cases that are going to come across are going to be ingress enforcement, let's start with global service discovery and mesh config and the bindings and the audsy headers that you need in the api, the authorization api and you can bind it to ingress. If, if the feedback is no, we need defaults for that.

C

Yes, I'm not sure we need defaults, given that all the policies are additive, the admin can always put whatever policy they want and expect it to be enforced globally.

C

Ingress is like an ad like it's a sub-admin thing right if it's managed infrastructure, so they can control there too. So I I don't know if we need like customers. Well, I I buy your argument about standardization for sure um I don't think having the api actually represent. The information presents a problem.

H

So it does because it's a bleed over for the internal things where you won't be using it uh for east west workloads. That's not good.

C

But then there would be no global policy right and the the ingress admin would just put it in the ingress name space and they would do exactly what they wanted.

R

I just wanted.

C

Yeah.

R

Ingress is the majority use case, but uh I think I did see some use case. That's not limited to ingress.

R

Talk.

Q

To it, having ability to modify dynamic headers is super useful for them is connected in general minutes. I'm sure we'll find out.

N

I think, let's separate that part out right, but yeah, let's see if outside yeah so do we.

K

Need the.

N

Call.

A

Right, this is check which, yes, I can also modify headers, but like maybe we should should we consider trying like doing something simple for now and then think about how to make this more generally powerful, rather than narrow. On this use case,.

H

That's where I was going right so, and so I think yangmin was highlighting those pieces which feels like we don't have any controversy, putting it in mesh config right now uh right so, but the real controversy is just the authorization request allowed headers.

G

Where they belong, yangmin.

C

Is does your document capture what you would consider to be the primary use cases.

P

Yes, so the example is actually the primary use case, so we have three examples here. The most and the fundamental basic example is just use extra server to make a allow or delay decision. This is example one and uh you can also use the jpc to talk to your extra server. This is.

C

Just a use case in in in the business sense right, so I I get the overviews and I want to ensure that when traffic comes into my network happens, I'm the owner of a service and when traffic comes into my service, I want blah to happen and I'm the admin of a mesh and for all traffic in the mesh. I want to have that right.

P

So I so currently the model is that um the api itself doesn't control like who can apply this. So if the mesh admin or namespace admin, they have the necessary permission, they can apply the install api to like the workload under the air control.

A

Amen, amen, you're, not answering louis's question he's asking for use cases, business use cases. What are users trying to do with this feature.

P

Yeah so like the first one is use it to like integrate the third party oc server that can do some customized check of the request.

P

The other use case is cases it can be used to integrate with oitc flow by specifying the external oidc proxy or your server, and also by allowing that server to modify the headers in the original request. So young man, that's the how.

C

So uh right, because the y has a lot of impact on the shape of the api right. If there was no ad like mesh wide admin use case for this, we wouldn't put things in mesh convex or we would put very little in mesh config. If, if there was only an ingress use case, then we wouldn't bother trying to make mesh white default management for mesh admin a priority in the shape of the api.

P

I think it is mainly used on ingress gateway, I'm not sure what else like is still not.

A

Another way to ask this question is why why are we adding this at all right? What what request led to this being added, because we're not just doing this for fun right like we're doing this, because users have needs.

H

I think uh let me try to help here so I've seen hey koston. Do you mind muting?

H

So I I think uh I've seen a lot of requests come in where users are trying to configure uh onwards, external filter.

I

Because they.

H

Want enforcement at ingress where they want to consult an external system for authorizing their services just like they want to consult an external server for doing jwt verification right and they fail miserably when using onward filters. So this is creating a first class api to support, at least that use case now, yang min, you might have more use cases where people have asked. I want to enforce it on sidecar workloads, but I have not.

P

Yeah, the primary use case is just like um what you said: it's use this to improve the overall user influence when you are leading the xlrc and increase gateway and the more detail like cases like you want to integrate your like a oitc flow or you want to integrate with maybe whatever like oppa or whatever your extra authorization server, and that's it's just like the jot use case on english gateway.

P

You delegate this work to istio to do the job authentication or do the like external c, and then you can um like kind of like a dedicated disease like dodge to esteem.

H

Yeah, I'm gonna now counter myself and say that, even though the chart authentication is also primarily used for ingress, there are emerging use cases right now where side cars need that enforcement and our api is being flexible, is helping us.

Q

Especially.

H

Since your id is moving to.

Q

Chat pretty aggressively.

H

Yeah, so so we should think about that logical extension, even if users are not asking for it now.

Q

But part of authentication api is possible because odc is already. We already have an api for ydc, and uh that was all my questions that we are putting so yeah. Let's talk about.

P

One api I mean we do not have api for white usb.

Q

We do have auto authentication api. I think it has support for idc. No, no, we don't.

H

No, no.

C

Well, she shouldn't right.

H

Okay,.

Q

What do you see you.

A

Guys.

Q

Have.

A

So I think it would be good to try to separate the use cases that are authentication from the use cases that are authorization.

A

um It might be that the right answer is still a single api call for optimization and performance reasons, but like we should at least make that decision based on data, um so be good to know like do. We actually think we need to have authentication use cases separate. Could we actually do all the authentication in history rather than forwarding it externally? Do we need to do that or like that part needs to be thought through separately from the authorization use case.

C

Yeah I mean I I I think I take your point narration right that sometimes we have to integrate with infrastructure, that is mixing wall, z and auth, n and one d, and that's not really our choice right. We don't get all that, um so we have to be somewhat accommodating for that.

C

uh I think that's reasonable and we should aim to achieve that, even if we would have like if, if we can process yvc flows in a snap like, we would still have an api to process industry, standard authentication flows right, including things like external group resolution like we do today right, but plenty of people have facebook stuff, there's not much. We can do to do right. We can't force people not to have that, but we should agree with them.

A

So I asked myself a little bit: it is nice to have a very general purpose thing that is just like.

A

Do a chemist check right like sorry, a mixer check uh call this thing pass it some stuff, get the results back and like include that right and then that thing is very powerful and can be used for lots of use cases. It doesn't require to continually iterate on our apis every time any use case comes up.

R

Yeah, I think one there was one typical use cases for the rc token exchange on ingress, which is actually well accepted by several uh by the uh the community.

R

uh So, basically, we are going to get all the request, contacts from the from the incoming request on ingress and then compose uh internally used with what we call rc token request contact token and uh use it in the mesh.

C

So so it doesn't seem like there was a lot of controversy, at least with starting out with one external service in mesh config in in the the runtime aspects of mesh config and proxy config. I'm not trying to resolve that question here and there's a separate subject about whether we need to default the headers, whether they can be overridden or whether we should just let them be defined in line every time.

H

What is the recommended thing? I mean I, if think most of the headers are default and pretty standard for these? Is that reasonable to assume at this point.

C

They cannot vary too much, um so it defaults with override.

A

I think the only concern I would have with that being def like what headers to sound being defined in mesh config, is that then the admin can change the behavior somewhat unexpectedly for everyone, but maybe that's okay.

C

Well, that would that would probably that would imply right. You'd have the same implication like if they change the export. The service, behavior, yeah, yeah.

A

It's just there needs to be a clearer contract between the admin and the namespace admin and the mesh admin. So.

G

I think one of one of the one of the issues that we're having here is that x, dot c. Is it it's not a standard but ydc flow is a standard and, like rest of the odds, see stuff that we're talking about are like standard things, and now this is mixing standards with an escape hatch, and I think that, like that's where we are having these use case issues even because escape hatch use cases, I mean it's.

G

An escape patch can have any use case and then the specific use cases so so the way this has started is clearly that people are using x.c to do whatever they want, and we want to make it better, but I think now we're moving towards.

G

Let's actually create a real api to directly address those those use cases, and um so, if we, if we don't get to it like quickly, people are going to continue using x, dot z in like really strange ways.

A

Yeah so amanda did we learn anything from mixer. That applies here in terms of like what the what the api should be for configuring and who owns setting things like what namespace uh sorry, what headers get sent.

G

So um so I mean there is like there are things that that we need to do at kind of the low level of either defining which headers are like what is sent out. What context is sent out, but that's mostly uh on a a lot of it, is on the efficiency of efficiency. Side of and it's like mesh admin is fine to define that you, you don't need individual, uh like name space or service owners uh to define it. So sorry, I don't think we need to go deeper than that.

A

So we could start with this, basically all being defined in mesh config in terms of that block kind of highlighted there. The external block saying here is the external office service, here's the here's, the headers, it takes, here's the editors it responds with and then in the namespace admin. All they would say is here's the here's. The match conditions called the external, obviously service.

C

Yeah is that kind of. If we want to allow for header variation right, they could just create two bindings to the same x, dot, z system in mesh config. If we allow more than one in the future yeah yep, so I think we'll solve that api problem.

A

You can add to the api right, like you can always add validation policy. If you need.

H

And and we shouldn't try to solve the header munching problem right now through mesh config, but probably through the higher level api.

Q

One comment about dimension efficiency uh says the word: efficiency and probably human, also stability, scalability and so forth. uh The mixer has this wonderful facility to you know cash, some some requests. So if the server goes down, it will keep uh you know not failing, uh which relied on the fact that requests were uh were very important or cashable. So uh I think that would be pretty important to address, because uh one of the problem with mixed reasoning, drop mixer was.

G

Right so so so question I I mean I yes, we like I'm super aware of that and we had excluded it from the x dot, z, api uh specifically to get customer feedback and then say that, okay, if x0 customers complain, then we will add the complexity and it's been almost like two and a half three years and people have have not complained, so I so it seems like.

G

However, people are using it right now.

P

Like no one has complained really, that's.

G

Kind of the.

Q

Box.

P

And yes, and also just to end one small point to met us, is that this flow is still improved by having the conditional triggering because many users they just they are okay with, like triggering the extra flow for all the requests today, and now they can fine tune this to trigger for the subset of the liquids that are actually needed for the xlc.

Q

So what is the delta? I mean the latency cost of this because I know for mixers. That was amazing. We trapped what is.

P

This is improving on the like current users right, the current user. They do not complain about this, and we know this is going to improve that further right.

Q

Mixer users didn't complain either, but we still measure the latency.

H

No costing there are two different arguments here right, one is: is there a user need that needs better ux now and then, with that improved ux? How do you improve performance, but we don't have to solve both of them today.

M

If I can, if I can jump in like a higher level, is that we keep comparing this to the envoy filter solution, uh but I I don't think we should compare to onboard solution.

C

Sorry, john you're breaking up. I think.

M

um Is this better at all, so.

C

Far.

M

Yeah, so I don't think we should be comparing to envoy filter because everything's, better than onboard filter. um So if we keep doing that, we're going to have a bunch of horrible apis and I'm not saying this is one, but we we should really be looking at it in isolation.

M

I think is this an api that makes sense standalone like some of the parts which we haven't talked about here really, but we talked about offline about like the http versus grpc versus tcp, I think are clearly leaking weird quirks of envoy config and if we had actually just designed what do we want authorization to look like without thinking about envoy or android filter?

M

Then I don't think we would have come up with this api um and, like, furthermore, like we is this something that we want to support, because we got rid of mixer policy and then now we're basically adding back mixer policy. So I want to make sure we're not just doing it, because this is better than the envoy filter. So let's do it because now we're committing to it we're going to be supporting it for years, um et cetera. So.

C

So there are, I think, there's a couple things like certainly john. I would agree with you on the http versus grpc stuff right if we have service declaration- and we already have all that information in service right right, so we don't need to expose it in this api right. We know a port. Is the rpc a it's going to be a grpc service? That's what you should call right. We should just rely on the existing service method, the right and that that goes for timeouts and other things right.

C

That would come in from destination rule on that service right. So an xlt service is just a service right. We have plenty of traffic controls for talking to services, as yangmin just showed for the other parts right.

C

As for whether it's a good api, I think there's some interesting questions right. I think we all agree that we need the ability for third parties to integrate like authorization systems that are not ones that we provide all right. That's pretty clear, like we have very strong use cases for that, so I don't think we should. We should recognize that we should try to deliver an api experience that covers that, and so you know we could provide it, maybe a better abstraction than we think the envy filter is providing right like so we can.

C

We can work on that part. I think there's. Another question which is: this is just one mechanism right that we know today right perfectly possible that somebody might have wasm filter right custom code to do authorization that they inject.

C

um How would this api work with that use case when the only way to do that use case today is with uh envoy filter?

C

I think.

M

Was one of the big things that I was thinking of um whether we want to support only wasm that does this or also a wasm? I don't think it was really mentioned here, but it seems like there's a lot of considerations with lawson that need to be accounted for here.

C

Right so there's a new discussion point about action. I guess right because really literally means call an external authorization system right that we have a predefined relationship there.

A

So sorry, can I can I jump in real quick? Can we figure out next steps just because we're over time, and actually I need to drop for them.

P

So are we all agree that we move this extra part to the mesh config to simplify the oc api for now? So that's the.

H

No because I think the protocol stuff that you have should not be at that level.

H

These needs to be repurposed a bit so that the service, discovery and protocol are top level fields instead of you stamp it out for http, grpc and stuff, like that. Also.

S

But.

A

I think we need.

C

To design for what that looks like and we need to yes so we're moving to symantec, but we still need to work on the schema.

Q

Yes,.

C

There's an open there's, a debate to be had about header control um and in particular that needs to be more generic or not. So I think that's a detailed question to do in follow-up and then john has a good question about. This is just one form of external.

C

What do we think other forms of external might look like, and are we going to have specialization in the api in the future? To do that.

H

So for enforcement like whether it's implemented with an onboard native api or a wasm, that should always that's the problem. That applies to almost all of the configuration we supply right now right, so many things that we configure in mesh config tomorrow can be implemented in wasm by a custom filter. So we should think about it, generically and not just for authorization.

M

Yeah, it's actually interesting that authorization is policy, is almost becoming um like this catch-all of a very extensive matching and then driving some action like we added, which is in many ways related to security, but it's also logging and now we're adding this external authorization server, which yes, it can be used for authorization, but people are also using it for token exchange uh for all sorts of stuff and then in the future, if we add wasm that can obviously be used for anything.

C

Yeah, it is becoming a bit like a generic trigger api yeah. um That's not necessarily bad by the way. Right, um like we have pretty good user feedback that it's a good trigger api for authorization use cases like people seem pretty happy with the api right, modulo feature gaps but um which is- and it may be an interesting paradigm to consider for the future of envoy filter right, maybe instead of doing a whole bunch of matching in the control plane to try and figure out what to do.

C

We just push all the marketing down into the data plane, which is what this api does.

C

Or you know, there's some reconciliation between those two, so the control thing can figure out. If it can push or if it can't resolve locally, then it pushes the decision down to the data plane.

C

That's not top out of paradigm.

F

But quick question off topic: we had a couple uh docs, which were beta uh promotion reviews uh yeah next friday seems kind of late to do that um when when should we pick that up.

C

um That's a good question. I presume the working group meeting on tuesday is pretty focused on the release.

C

um I'm happy to show up. um Basically, we just want to sign off. I think we can handle that offline. Okay, uh if you want to just whack them all on slack. Okay, I can do that. I think that makes sense. John you had the other doc right was that yeah.

M

That one's for one night.

C

All right sounds good thanks. Okay, thanks.

H

Thanks everyone.

L

Bye you.