►
From YouTube: Technical Oversight Committee 2021/10/25
Description
Istio's Technical Oversight Committee for October 25th, 2021.
Topics:
- TOC review of Istio Security CRD graduation to v1
- Follow up on extended support window - good adoption of skip-level upgrades
- Delaying 1.12 branch cut to update Envoy, delaying release by 1 week to accomodate.
A
A
C
C
C
D
B
F
F
I'm
not
worried
about
adding
to
them.
I'm
more
worried
about
from
from
the
original
eti
is
everything
broadly
used.
Is
everything
works
in
the
promotion
I
mean
additions
we
can
make
at
any
time
is
not
a
problem.
My
my
concern
is,
it
seems
a
bit
strange
that
you
know
I
mean
luckily,
maybe
maybe
we
did
an
excellent
job
of
designing
it
initially,
but
you
know
for
all
apis.
We
typically
find
some.
You
know
parts
that
are
not
commonly
used.
Sometimes
they
don't
work
very
well.
F
G
G
F
D
F
F
That's
I
mean
permissive
mode.
Is
it's
something
that
we
want
to
promote
to
have
v1
as
supported,
or
is
we
we
can
just
select
a
subset
of
the
field
like
we
did
proxy
config?
We
we
didn't,
move
everything.
We
just
went
over
the
field
and
selected
the
ones
that
we
felt
most
confident
that
you
know
socially
stable,
that
can
be
implemented
by
others
and
so
forth.
But
it's
okay.
G
C
G
Right
both
of
these
is
an
entirely
new
revision
of
you
know
the
previous
form
of
authorization
policy
request.
Authentication,
you
put
a
lot
more
time
and
effort
into.
I
think
constant
has
a
point
that
you
know
there
is
some
inherent
conflict
between
auto
mtls
and
pure
authn
that
we
do
need
to
be
careful
with.
F
I
know
for
sure
that,
for
example,
approximately
grpc
can
support
and
will
probably
support
our
z.
So
I
have
no
problem
with
odyssey.
It's
it's.
You
know
it's
pretty
standard,
jots
they're,
fine,
they
pretty
much
have
no
support,
but
but
but
the
permissive
point
is
the
one
that
gives
me
concern.
I
know
hedge
bond
would
not
use
it
probably
proxies
will
not
support
it.
So
it's
it's
dangerous.
I
think.
C
F
I
mean
permissive
will
probably
go
away
soon
and
will
not
be
supported
broadly
and
it's
dangerous
for
users
to
believe
that
permissive
mode
is
a
v1,
stable
api.
When
a
large
part
of
office,
you
will
not
even
be
able
to
technically
support
it
and
then
three
like
will
go
away
and
it's
also
the
transition
mode.
Anyway,
it's
not
meant
to
be
something
that
is
permanently
used.
B
H
F
B
B
H
F
I
agree
with
that
now,
I'm
not
saying
we
we
need
to
get
rid
of
it.
For
you
know
people
migrating
to
eastern,
just
saying
that
the
ap
I
mean.
First
of
all,
I
don't
know
if
it
can
be
technically
supported,
I
mean,
even
if
we
want
it,
it
is
not
possible
to
support
it
in
some
environments
with
with
our
implementation,
with
the
port
being
either.
F
I
Go
ahead,
justin
yeah,
I
mean
I
agree
with
john.
It
seems
like
the
transition.
It's
important
to
be
able
to
have
this
permissive
mode,
but
also
I
worry
a
little
bit
about
having
some
particular
data
path.
Implementation,
then
dictating
what
apis
we
want
to
support.
I
understand
that
it
can,
if
it's
just
hard
to
implement,
that,
might
be
an
issue
sometimes,
but
it
seems
like
a
fairly
new
addition
to
the
data
path
and
sort
of
letting
that
drive
and
modifying
apis
seems
a
little
to
me.
B
I
would
also
mention
that
we
don't
have
a
technical
solution
to
change
fields
between
v1,
beta,
1
and
v1,
so
to
say
something
like
we
will
just
not
add
this
one
field
or
something
to
the
v1.
Api
really
means
that
we're
going
to
block
this,
for
you
know
a
substantial
period
of
time
until
we
figure
out
that
solution.
F
C
F
G
G
C
G
A
Okay,
one
thing
I
do
want
to
say
is
like
when
we
recommend
user
to
adopt
istio
for
pure
authentication
policy,
we
do
recommend
them
to
change
strict
per
service
first
and
then
per
namespace
and
then
look
at
globally.
So
there
are
a
transition
phases
that
we
wouldn't
recommend
people
to
enable
strict
materials
for
the
entire
mesh.
A
G
G
F
J
I
Networking
apis
may
have
been
at
beta
for
a
long
time,
but
that
was
one
of
the
things
we
wanted
to
avoid
was
staying
and
perpetual
data
not
to
say
that
this
shouldn't
not
necessarily
say
that
we
should
rush
to
move
to
promote
this.
But
on
the
other
hand,
I
don't
know
if
the
past
past
ways
that
we've
treated
apis
is
the
right
way
to
think
about
going
forward
either.
G
F
I
I
don't
even
know
if
foxy
configures
the
rest,
I'm
just
saying
that
it's
it's
good
to
have
additional
discussion.
Thinking
about
this,
and
you
know
two
out
of
three-
is
not
badly.
We
are
pretty
clear
about
the
other
two,
this
one.
If
we
are
not
convinced,
maybe
it's
good
to
delay,
release
or
two
there
is
no.
No
I
mean
nobody
will
die
if
we
keep
this
one
for
another
order
or
two
releases.
C
G
A
F
I
mean
I
think
that
the
current
status
is
proxy
configures
out
of
the
selection.
We
don't
plan
to
move
it
proxy
config
louis
proposal.
It's
actually
perfect,
I
mean
it's
just.
We
will
imply
it
from
the
authorization.
If
you
have
authorization
policy
implies,
you
have
strict
because
plain
text,
you
cannot
verify
the
principle.
If
you
don't
have
authorization
policies,
then
it
can
be
permissive.
A
D
K
Internet
is
not
reliable.
I
apologize
if
I
break
off,
but
I
just
wanted
to
give
a
brief
follow-up
on
our
decision
to
extend
the
support
of
the
111
release.
You
may
recall
that
we
were
aiming
at
a
behavior
change
on
the
part
of
our
users,
we'd
like
to
see
more
frequent
upgrades,
or
rather
not
more
frequent
upgrades,
but
more
frequently
we'd
like
to
see
our
users
on
an
up-to-date
version
or
a
supported
version
of
istio,
and
so
we
extended
the
support
of
111
by
six
weeks.
K
That
support
ended
on
october
5th,
and
I
took
a
snapshot
of
gke
data
around
upgrades
on
october
7th
to
sort
of
capture
how
we
did
and
what
we
found
in
terms
of
upgrades
was
twofold
one.
We
found
that
the
skip
version
upgrades
one
eight
to
one
ten,
one,
nine
to
one
eleven
has
actually
been
a
common
user
practice
since
far
before
we
supported
it
so
about
ten
to
fifteen
percent
of
users
in
any
given
release
that
upgraded
would
do
so
across
two
or
more
major
versions.
K
That
was
interesting
to
see
even
before
we
supported
it
in
one
nine
to
one
eleven.
We
see
28
percent
of
of
all
of
our
upgrades
are
coming
directly
from
one
nine,
so
that
is
a
user
behavior
change,
but
also
we're
seeing
that
we're
supporting
the
existing
behavior
of
users.
Additionally,
one
nine
has
now
had
the
fastest
turndown
of
any
istio
version.
Yet
and
111
has
had
the
fastest
adoption
of
any
istio
version.
Yet
so
I
think
overall,
we
we
have
moved
the
needle
we're
seeing
more
users
stay
up
to
date.
A
A
H
K
I
think
staying
the
course
would
probably
be
what
I
would
advocate.
I
haven't
heard
any
complaints
from
users
that
six
weeks
was
good,
but
not
good
enough.
It
would
be
interesting
if
you've
heard
from
users.
I
would
love
to
see
that
feedback,
but
we
certainly
moved
the
needle.
We
could
try
a
12-week
extension
at
some
point
and
see
if
that
moves
the
needle
further.
K
A
But
I
think
niraj
is
asking
a
really
interesting
question.
So
if
you
guys
look
at
this,
when
we
have
this
announcement
out
there,
we
did
kind
of
say:
did
we
get
any
actual
feedback
on
any
of
these,
because
we
did
say
you
know,
based
on
more
data,
we're
going
to
decide
whether
to
continue
this
path
or
not.
A
A
K
K
A
K
Right,
the
extension
allows
them
to
do
it
while
still
supported
you
know
not
not
leaving
the
support
window
at
any
time.
We
have
seen
the
users
have
been
doing
this
for
quite
some
time,
meaning
that
they've
been
doing
it
without
support
either
for
the
skip
upgrade
itself
or
for
the
older
version
at
the
time
of
their
upgrade.
K
L
F
Do
we
want
to
have
all
d1
releases
and
apparently
odds
is
more
popular
with
these
two,
because
1
9
and
1
11,
but
wouldn't
make
sense
for
1,
9,
1,
11,
113
and
so
forth
to
have
even
longer
at
least
to
give
them
more
time,
and
so
so
we
kind
of
keep
the
pattern
of
having
skip
release,
but
with
with
the
deterministic
deterministic,
you
know
which
questions
are
mobile
are
more.
I
don't
know
how
to
say
yeah
popular.
K
I
I
don't
think
that
we
have
enough
data
to
say
yet
that
users
prefer
odd
releases
or
even
releases
before
one
nine
became
our
most
popular
release.
One
eight
had
been
our
most
popular
release,
so
so
we
see
a
fair
amount
of
distribution,
but
I
can
keep
an
eye
on
that
as
we
do
the
110
to
112
cycle
to
sort
of
see
if
there's
a
sort
of
tick-tock
cadence
to
upgrades.
F
I
think
the
number
to
look
at
is
how
many
people
do
each
version
versus
how
many
people
do
skip
one
version,
because
it
doesn't
matter
which
version
they
skip,
but
if
they,
if
they
do
skip
version
because
they
want
to
have
fewer
upgrades
and
they
feel
confident
that
skipping
one
version
is
safe,
then
it
will
be
better.
For
us
to
you
know
not
have
all
versions
be
skipped
versions.
A
Okay,
it
looks
like
there's
no
further
question
from
mitch.
Thank
you
so
much
for
giving
us
an
update.
I
think
that
really
validates
the
plan
we
laid
out
early
this
year
on
extended
support
on
one
night
has
been
working
out
really
well
with
that
we're
going
to
be
moving
on
to
daniel
to
talk
about
1.12
branch,
cutting
daniel,
take
it
away.
M
Hey
there
yeah
that's
right
ken,
and
we
have
been
discussing
this
and
we
so
we've
been
delaying
the
branch
cutting
for
1.12
because
of
the
issues
around
the
envoy
upgrade
there
had
been,
and
there
still
is
an
automated
pr
that
hasn't
been
merged
in
three
months
this
week
there
has
been
actually
end
of
last
week.
There
has
been
some
progress
exactly
this
is
the
the
open,
pure
that
supposedly
fixes
the
issues
that
stem
from
the
envoy
update,
but
it's
not
merged.
M
Yet,
in
any
case,
we
are
now
almost
two
weeks
behind
on
the
branch
cutting
so
kennen,
and
me
would
like
to
propose
delaying
the
release
by
two
weeks
so
that
we
have
appropriate
testing
time
once
we
cut
the
branch
and
get
the
first
builds,
because
otherwise
we
would
only
have
time
for
a
single
community
testing
week
and
no
buffers
basically.
So
basically,
the
community
testing
week
would
end
of
the
day
of
code
freeze.
If
we
find
problems
late
in
the
testing
week,
we
can't
fix
them.
E
E
K
M
B
I
mean
we
may
find
something
community
testing
more
realistically.
If
there
is
something
that's
not
caught
by
our
test,
it's
going
to
be
caught
by
users
after
we
ship
it
just
historically
speaking,
I
think
there
was
still
one
change
where
the
envoy
removed
a
bunch
of
filters
that
our
users
used
through
envoy
filter
that
we
decided
we
would
add
back,
but
I
don't
think
anyone's
picked
that
up,
but
that's
like
one
or
two
hours
of
someone
making
some
basal
changes.
So
I
don't
think
that's
terribly
high
risk.
B
C
I'm
so
the
one
I
know
is,
I
have
another
pr
for
implementing
the
job.
Claim-Based
routing,
that's
one!
Pr
like
waiting.
I
get
blocked
by
the
only
dependency
update,
that's
a
feature.
We
are
planning
to
roll
out
in
world
war,
12,
so
yeah,
but
it's
kind
of
like
a.
We
really
needed
that
one
in
one
to
twelve.
A
C
C
A
M
M
A
A
A
M
H
L
Right
I
mean
the
the
community
testing
day.
One
of
the
things
it
does
is
make
sure
that
the
documentation
is
aligned
with
what's
built
because
the
automation
doesn't
read
the
text
of
the
documentation,
but
apart
from
that
yeah
any
any
real
kind
of
any
real
issues.
What
have
we
been
finding
so
so
yeah?
So
maybe
one
week
is
actually
enough
and
not
really
even
a
compromise.
H
L
H
M
Well,
somebody
maybe
somebody
from
my
last
time
as
a
release
manager.
A
lot
of
the
testing
was
manual,
so
maybe
somebody
from
the
most
recent
releases
can
speak
up,
but
my
understanding
was
that
the
more
time
we
have
for
this
release
to
get
into
the
hands
of
people
and
have
somebody
playing
with
it
the
higher
the
probability
that
we're
not
going
out
the
gate
with
somebody
that
will
pray
break
production
deployments.
F
F
E
Our
p
zeros,
which
were
identified
before
has
all
been
automated,
and
then
we
had
a
course
correction
and
we
decided
that
the
pages
which
are
visited
mostly
are
the
ones
we
want
to
mark
easier
and
if
they
are
not
automated,
we
should
automate
them
at
this
point
in
the
community
testing.
We
just
make
sure
that
if
they
are
not
automated,
we
automate
them
or
manually
test
them
and
other
than
that
we
don't
do
any
feature
functional
testing
so
based
on
that
other
than
three.
E
E
So
costing
a
question
to
you
when
you
talk
about
stability,
what
do
you
have
in
mind?
Is
this
something
you
relate
with
the
community
or
is
this
something
you
relate
with
the
longevity
tests
and
you
see
after
24
hours
to
48
hours,
you
see
those
stable
lung,
stable
tests
like
how
do
you
connect
them
with
it?
So.
F
So,
typically,
what
they
expect
when
you
start
community
testing
people
from
different
companies,
you
know
pick
the
the
release
and
they
also
install
it
in
some
canary
cluster,
where
they
have
their
own
application,
and
if
we
have
tcp
first
broker
or
have
any
kind
of
the
web
feature
or
interaction
with
a
particular
crazy
application
that
we
have
no
clue
they
will
detect
it
in
that
interval.
Second,
is
yes
long
running,
I
mean
you,
let
it
running
for
a
week.
F
You
install
it
today
running
for
a
weekend
and
who
knows
what
will
happen
on
memory,
leaks
or
other
things,
but
the
first
one
is
the
more
important
because
that
community
testing
is
basically
the
interval
where
people
may
try
other
things,
not
only
our
scenarios
which
are
already
tested.
I
completely
agree
that
we
don't
need
to
worry
too
much
about
the
the
you
know
documented
install
upgrade
it's
just
how
to
interact
with
others.
E
So
then,
in
in
that
sense,
constant,
we
don't
run
those
kind
of
community
tests
anymore,
because
we
had
a
very
poor
attendance
that
has
been
stopped
for
a
very
long
time.
This
community
testing
is
very
much
about
the
docs
testing
and
that's
what
we
do
and
most
of
those
are
already
automated.
So
we
really
generally
don't
do
this.
F
I
I
know
we
don't
do
it,
but
my
my
expectation
is
that
when
we
announce
community
testing,
our
users
will
do
it
on
their
own,
because,
if
you,
you
know
kind
of
you
know
vendor
center,
it's
not
only
what
we
do
in
that
world
community
testing,
where
people
sit
around
and
install
it.
But
it's
also,
you
know
it's
a
signal
for
vendors
and
users
to
try
the
new
version
before
it
released
them
and.
A
Yeah,
I
think
it
makes
sense
to
provide
that
extra
buffer
and,
like
vendors,
I
know
sometimes
like
to
try
them
right
just
to
make
sure
that
their
is
your
offering
is
going
to
be
compatible
with
the
upcoming
new
release.
So
having
the
release
candidates
out
there
and
having
that
time
enables
vendor
to
try
them.
F
And
and
maybe
maybe
we
should
make
it
more
clear
that
that
our
expectation
is
that
vendors
will
actually
do
these
actions
that
I
hope
they
are
doing,
because
it's
in
their
interest
and
kind
of
translates
all
community
testings
that
we
used
to
do
and
to
hey
the
new
release
is
coming.
You
have
one
week
or
two
weeks
to
actually,
you
know,
do
this
and
that
and
then
verify
your
application
is
not
going
to
break
with
any
release.
Basically,.