►
From YouTube: Technical Oversight Committee 2021/05/03
Description
Istio's Technical Oversight Committee for May 3rd, 2021.
Topics:
- Test & Release WG Roadmap
- API Versioning Woes
- Istio at the Application Layer
A
B
B
I
presume
we
don't
need
the
community
testing
day
on
the
13th
of
april
unless
we're
gonna
have
another
community
testing
thing.
I
don't
know
about
release
health,
so
we
have
one
release
blocker.
I
don't
know
if
you
could
click.
D
D
Yeah
not
so
much
the
release
health,
but
in
terms
of
the
release
announcement,
I
think
it
was
brought
up
last
week
kind
of
a
marketing
style
announcement.
We
do
with
all
of
our
minor
releases
and
we're
still
looking
for
an
owner
on
that.
So
if
we
can
somehow
identify,
we
should
be
writing
that.
A
Do
I
remember
who
volunteered
someone
volunteered
who
got
a
volunteer?
I
think
craig
and
one
other
person
craig
and
zach.
Oh
dear
dell,
yes,.
D
E
E
B
B
But
we
don't
quite
have
all
the
test
cases
automated,
that's
what
you
were
saying.
So
that's
the
spreadsheet
right
there.
E
Last
week
that
was
marked
as
being
completed
in
january,
which
was
before
110
was
really
started,
so
cleared
that
out,
and
there
was
a
lot
left
over,
I'm
just
catching
up
on
it.
Now
from
I
don't
know
wednesday
or
whenever
the
last
time
I
looked
at
it
was,
but
I'm
not
sure
where
that
stands
right
now,.
B
Not
so
much
now
stan
shared
a
link
and
was:
is
that
the
cleared
up
sheet
brian
or
is
yeah.
E
That
one's
the
testing
sheet
as
it
stands
right.
E
E
If
you
go
up
to
the
top
there's
a
filter
for
p
zeros,
only
where's
that
data
the
funnel
yeah
there
you
go.
E
Okay,
so
we've
got
this
one
p0
right
here.
The
line
27
is
also
a
p0.
That's
not
done
yet
line
38
as
well.
E
Started
and
then
yeah
27
38
and
then,
if
you
scroll
down
further.
H
G
I
A
test
for
it
ed,
no
well,
there
is
a
I'm
sure,
there's
a
test
for
it.
The
question
is:
jaeger,
being
a
graphical
thing,
I'm
very
curious
as
to
how
it
was
possibly
tested.
H
G
A
I
I
I
feel,
like
the
automation,
is
great
for
things
that
are
command
line
only
and
I'm
gonna,
hopefully
in
a
few
hours
or
days
I'll,
know
why
the
automation
is
succeeding
for
this
particular
item,
but
in
general
I
would
rather
not
have
the
security
of
an
automated
test
if
the
person
didn't
test
the
appearance
of
the
gui,
which
is
the
problem
right
for
for
a
tracing
tool,
the
traces
have
to
be
there.
So
it's
not
just
enough
that
I
can
do
all
the
commands
like
deploying
jager
and
that
sort
of
thing.
J
B
Should
sync
up
with
doug
or
somebody
like
that
and
then
okay
what's
covered,
and
then
you
guys
kind
of
have
a
discussion
about
it
and
certainly
testing
gui
tools
is
is
hard
and
if
they
don't
have
apis
behind
them
right
to
verify
their
own
behavior,
then
that
makes
it
right.
You
have
to
use
other
mechanisms.
F
G
I
I
guess
I
can
you:
you
talked
about
the
doc
stuff,
so
yeah
so
most
of
these.
Well,
I
shouldn't
say
most
most,
but
most
of
them
are
probably
in
our
yearly
roadmap.
They
all
weren't
in
there
and
we
didn't
have
a
1.11
spreadsheet
created.
Yet
so
that's
why
we're
sort
of
doing
it
here
we
want
to
continue
with
the
promotion
of
the
features
process,
brian
and
schwetta.
G
G
One
of
the
things
that
we
want
to
try
to
do
this
release.
If
we
can
is
to
rename
the
branches
from
master
domain.
I
know
envoy's
done
that.
I
know
john
had
made
the
comment
that
this
might
be
a
slightly
bigger
hassle
than
what
we
thought
we
were
going
to
get
for
free
from
github,
but
I
think
we
can
probably
use
the
private
repos
to
do
some
testing
between
the
various
repos
as
we
move
over
to
maine.
G
We
want
to
make
sure
we
continue
promoting
external
istio
data
beta.
I
think
this
was
probably
on
the
environments
list
as
well.
I
know
there's
a
couple
issues
there
that
I'm
going
to
work
on
and
I
believe
miriam
also
said
she
would
work
on
some
things
there,
so
that
was
all
the
p
zeros
a
p2
brian
was
looking
at
making
sure
we
get
the
distress
images
promoted
to
beta.
I
know
there
was
a
couple
of
issues
open
in
that
space
that
have
to
be
solved
as
well.
G
I
know
we
want
to
try
to
figure
out
how
to
handle
the
maintenance
for
anastasio.io.
I
know
mitch
is
trying
to
not
have
to
spend
as
much
time
doing
that
and
so
brian
and
I
are
going
to
try
to
figure
out
what
we
can
do
in
terms
of
maintenance.
G
In
terms
of
the
testing
for
generation,
so
this
is
basically
related
to
the
automation
of
the
branch
cutting
which
is
work.
We
started
a
couple
of
releases
ago
and
just
trying
to
finish
that
up,
as
as
things
change
every
release,
we
have
to
make
some
updates,
so
we
find
some
things-
and
I
know
sam
and
brian
had
made
a
list
of
things
that
were
done
during
the
last
branch
cut
to
to
work
on
with
automation
and
then
finally,
sam
was
going
to
work
on
some
release.
G
Notes
tooling,
so
we
want
to
do
some
things
related
to
release
notes.
I
know
sam
was
talking
earlier
this
morning
and
there's
some
some
issues
with
validation
and
running
the
tooling
and
some
things
end
up
going
missing,
because
area
names
are
specified
in
the
release.
Notes
that
we're
not
capturing,
so
we
end
up
skipping
over
those.
G
G
G
I
actually
get
a
quick
question
on
that.
What
what
work
is
involved
there,
mostly
adding
additional
test
cases
in
terms
of
the
external
stod?
Yes,
we
need
to
do
so
yeah.
We
need
to
do
some
test
cases
there.
I
think
linda
actually
got
most
of
the
docs
done
as
well
as
testing
in
the
docs.
So
now
it's
just
making
sure
we
add
some
stuff
to
the
integration
test
framework
and
some
tests.
Okay
and
who's.
G
Doing
that
work
I
had
said
I
would
do
some
of
it
and
I
didn't
put
stephen
up
here,
but
I
think
I
had
heard
that
stephen
was
also
stepping
up
to
do
some
of
that
work.
I
haven't
been
involved
with
the
meetings,
but
I
think
stephen
and
greg
hansen,
and
maybe
another
person
have
been
talking
about
that.
B
So
when
we
talk
about
the
the
feature
promotion
process,
you
know,
obviously
you
spend
a
lot
of
time
in
iterating
on
on
the
process
itself.
Is
there
more
automation,
work,
that's
expected
and
what
what.
E
Yeah
one
of
the
big
things
that
tfc
asked
for
which
we've
laid
the
groundwork
for,
but
we
haven't
really
done
anything
with,
is
a
way
to
keep
features
moving
forward.
So
this
feature
has
sat
in
alpha
for
three
years.
We
should
decide
whether
we
want
to
get
rid
of
it
or
whether
we
want
to
actually
promote
it
or
that
sort
of
thing.
So
that's
really
what
this
focuses
on.
A
A
Yeah,
it
looks
really
good
has
have
people
that
have
gone
through
the
process
had
feedback
on
it.
A
So
the
the
on
the
first
one
I
actually
I'm
kind
of
slightly
wondering
we
should
punt
it
for
a
week,
but
I
wanted
to
maybe
just
give
a
quick
rundown
we
were
discussing
some
of
the
apis
for
vm
support
and
john
howard
was
was
pushing
back
a
little
bit
on
our
desire
to
make
those
beta
apis,
not
because
of
quality,
but
because
of
the
pain
that
it
is
to
go
through
to
change
apis.
A
So
that
seems
broken
to
me.
So
I
wanted.
H
H
A
A
For
us
to
make
api
changes
as
we
move
our
apis
from
alpha
to
beta
to
staple.
H
So
to
to
be,
you
know,
from
the
various.
A
F
H
We
obviously
have
the
ability
to
name
that
to
to
call
the
apis
whatever
you
want.
I
mean
it's
not
really.
A
problem
of
not
being
able
to
have
cps
move
to
better,
so
only
program
is
how
the
string
you
know,
type
url
in
kubernetes
looks
like
and
that's
a
kubernetes
problem.
You
know
the
infrastructure
in
kubernetes
and
even
if
they
fix
it
today,
it
would
be.
You
know,
six
months
to
a
year
or
two
years
until
all
kubernetes
versions
support
it,
and
so
it's
it's
it's
a
sorry.
H
Only
problem
is
basically
that's
that
cosmetics
thing
at
the
beginning
of
the
api.
M
Yeah,
I'm
so
for
what
it's
worth.
I
put
together
the
original
transformation
to
get
us
that
go
client,
stuff
and
the
kubernetes
api.
I
don't
quite
understand
why
we
don't
just
want
to
move
to
a
kubernetes-like
api
for
everything
and
make
that
like
what
we're
starting
from
for
all
this
other
stuff.
I
think
that
would
certainly
simplify
things.
M
I
mean
it
would
probably
require
a
lot
of
work,
because
we'd
have
to
remove
all
of
that
rapper
library,
that's
within
istio,
to
convert
the
native
istio
types
to
a
kubernetes
type
that
we
can
then
register
with
the
go
clients
and
all
that
stuff
for
the
library,
because
the
istio
itself
doesn't
use
any
of
those
go
clients.
M
Those
are
mostly
for
third
party
folks,
but
in
doing
that,
and
using
a
more,
I
guess,
kubernetes
centric
approach
right
with
kubernetes
schema
and
those
kinds
of
things
have
stuff
built
in
for
doing
api
conversion.
All
this
stuff,
I
mean
it's
an
extra
web
hook
to
get
the
conversion
library
in
there,
but
that's
pretty
much
a
singleton,
but
I
think
you
know
adopting
approach
like
that
and
trying
to
move
to.
It
would
certainly
give
us
a
the
ability,
at
least,
to
support
multiple
versions
of
a
given
resource.
H
And
to
be
clear,
we
did
try
this
and
it
didn't
work
very
well,
because
you
know
the
web
hook
and
infrastructure
and
kubernetes
versions.
We
support
did
not
play
well
very
nicely
with.
B
B
F
A
What
I
was
hoping
to
get
is
somebody
to
take
this
on
as
a
project
and
come
back
with
a
purple
rather
than
doing
the
design
in
toc.
A
M
I
mean
I
could
write
something
up.
It's
really
just
a
bunch
of
grunt
work
to
go
and
convert
all
this
stuff
up
to
regular
types.
I
don't
know
what
work
would
be
involved
to
convert
the
existing
proto
stuff
that
we
have
into
kubernetes
types
resources,
because
right
now
we
kind
of
do
it
backwards
right.
We
start
with.
H
H
M
Yeah,
I
think
the
first
thing
is:
is
you
got
to
move
to
a
real
kubernetes
type
and
away
from
the
proto
right,
so
that
would
be
a
prerequisite
for
that,
so
that
you
get
using
the
kubernetes
serialization
mechanism
in
place
and
using
kubernetes
schema
type
instead
of
the
stuff,
that's
sort
of
wrapped
up
in
right,
because
istio
has
its
own
infrastructure
for
doing
all
of
this
stuff.
M
So
the
first
step
would
be
moving
off
of
that
and
on
to
like
a
native
kubernetes
thing
and
once
you're
on
that,
then
you
have
the
ability
to
start
looking
at
okay.
Now
I
can
version
an
api.
Here's.
What
the
converter
looks
like
if
anything
and
then
begin
to
to
make.
You
know,
I
guess
more
more
usable
changes
to
the
api
other
than
just
saying
we're
going
from
v1
alpha
to
b1
beta,
and
it
just
works
because
we
didn't
change
the
structure.
M
M
If
you
want
to
go
a
step
further
and
have
like
an
internal
type
right,
that
sort
of
wraps
everything
together
and
it's
sort
of
like
the
in
between
you
can
go
that
route,
but
we're
using
it
in
maestro
the
conversion
web
hook
and
all
this
stuff
to
convert
between
values.yaml
and
our
version
of
what
the
istio
operator
resource
is
without
any
problems.
M
B
So
I
guess,
there's
obviously
a
bunch
of
people
who've
played
with
this
stuff
in
the
past,
so
they
should
all
get
together,
which
working
group
owns
this
now.
L
A
H
K
H
H
Right,
but
would
it
possibly
sidestep
the
problem
and
and
decouple
ourselves
from
the
semantics
of
kubernetes,
because
it's
also
you
know
a
bit
bigger
than
kubernetes
is
not
necessarily
tied
to
just
kubernetes.
M
Yeah,
I
think
that's
kind
of
a
bunk
argument,
because
all
you're
doing
is
using
that
kubernetes
type,
which
just
has
a
metadata
field
and
everything's
in
spec.
So
it's
not
like
you're.
You
know,
jumping
off
a
bridge
here
and
can't
support
anything
else.
It's
just
saying
if
we
adopt
that
as
our
standard
type,
it
works
really
well
in
kubernetes,
which
is
I'm
guessing,
is
where
a
majority
of
people
are
using
istio
in
the
first
place,
and
it
doesn't
preclude
you
from
using
those
same
types
and
using
proto
and
all
this
other
stuff
external
to
kubernetes.
H
Because
we
again,
we
had
some
experience
and
it
didn't
work
very
well,
but
the
point
is
we
do
not
need
to
have
the
api
structure
tied
to
that
particular
type.
I
mean
we
can
have
use
v1
in
kubernetes
and
have
their
our
own
internal
structure.
You
know
defined.
However,
we
we
we
need.
H
A
Beta
as
long
as
we
can
convert
right,
so
that's
the
whole
point,
and
today
we
don't
have
that.
So
I
think,
like
the
status
quo
is
not
is
not
good
enough,
because
we're
getting
pushback
on
making
simple
string
changes
right,
so
we
we
clearly
need
to
do
something
better.
I
think
the
question
is
who
is
willing
to
own
this
problem?
A
B
H
B
Well,
they're
still
going
to
be
yeah.
H
H
B
Okay,
rob
it's,
it
sounds
like
you're.
You
at
least
have
formed
opinions
on
the
subject
we
know
john
has
is
probably
going
to
write
something
up
sven
based
on
I
I
don't
know.
If
I
can
convince
him
too.
That's
right,
okay
and
and
jason
is
the
one.
Who's
worked
on
this
problem.
H
C
Addressing
I'm
happy
to
get
involved
and
do
some
like
requirements
gathering
at
least
internally
at
google,
because
I
know
it's
been
a
concern
here,
so
I
can
I'm
happy
to
be
involved
in
that
too.
All
right
thanks,
justin.
C
B
L
That
sounds
good
to
me,
oh
so
so
louie,
just
just
to
just
make
it
clear
right.
Typically,
we
designate
working
group
because
the
decisions
can
be
made
within
it
looks
like
regardless
of
whichever
working
group
we
choose.
L
B
At
least
for
the
moment,
yes
right,
because
it's
possibly
a
big
decision,
but
I'd
still
also
like
to
know
right,
which
working
group
will
own
kind
of
api
machinery,
questions
okay
for
small
to
medium
decisions
as
well.
B
B
And
yeah,
so
if
people
feel
like
they
have,
you
know
things
to
say
about
the
subject,
then
they
should
attend
to
that.
So
ux
working
group
folks
could
use
to
make
it
clear
when
it's
on
the
agenda.
K
So
we're
meeting
on
tuesdays
normally
at
11am
pacific.
I
don't
think
we
probably
would
have
like
papers
ready
to
present
tomorrow.
So
I
would
expect
the
earliest
to
be
a
week
from
tomorrow.
Does
that
sound,
reasonable.
I
A
J
J
B
H
Move
on
to
my
other
topic,
I
have
one
one
more
question
for
on
this
topic
before
so
then,
if
you
would
prioritize
your
your
goals
here
is
moving
to
v1,
presumably
is
a
primary
goal,
but
is
making
backward
incompatible
changes,
maybe
a
v2
or
p1
or
or
or
would
it
be
okay?
If
we
have
a
solution
that
just
moves
to
v1
with
what
we
have
with
blackboard
compatible
and
maybe
deprecating
fields,
but
without
semantic
renaming
or
do
we
want
all
to
answer
all
generic
solutions
that
does
translation,
conversions,
automatic
everything.
H
F
H
M
H
Do
we
have
any
backgrounding
of
changes
that
we
are
planning
to
make
in
the
next
two
or
three
releases
I
mean?
Can
we
have
a
solution
that
is
just
moving
to
v1
and
that's
I'm
trying
to
do
to
to
to
figure
out
how
how
much
we
want
to
break
things
and
how
much
instability
we're
going
to
to
to
get
to
towards
the
benefit
of
hypothetically
making
the
product
yeah.
M
I
guess
if
I
were
to
plan
it
out
on
the
fly
here
like
I
said,
the
first
thing
would
be
to
use
kubernetes
type
resources,
so
structured
with
you
know,
object,
metadata,
type,
metadata
and
spec
instead
and
remove
the
wrapper
lab
library,
that's
part
of
istio,
so
that
the
kubernetes
types
become
first
level
types
that
would
pretty
much
obviate
most
of
the
the
client
go
and
api
project,
because
we
would
start
with
api
types
and
use
those
for
a
generation.
M
Obviously
we
need
to
make
sure
that
all
that
stuff
is
backward
compatible
with
protos,
but
all-
and
this
would
be
only
for
the
types
that
are
used
with
kubernetes
controllers
right.
M
Yeah,
I'm
not
underestimating
anything
right
because
we're
swapping
out
that
entire
mechanism
and
moving
to
kubernetes
first
for
our
controller
pattern,
which
I
think,
makes
things
easier
for
everybody
right.
We
don't
no
longer
have
to
maintain
this
weird
translator
that
translates
from
erd
to
client
go
libraries
and
proper
kubernetes
api
types
right.
We
start
with
kubernetes
api
types
and
everything
else
flows
out
of
it.
M
We've
got
the
controller
gen
tools
that
manage
all
this
stuff
for
us,
so
we
can
offload
all
of
the
extra
tooling
that
we
have
in
our
builds
and
I'm
not
saying
that
it's
not
that
it's
going
to
be
a
small
change
at
all.
So
don't
get
me
wrong,
but
I
think
that's
what
needs
to
be
done
in
order
to
get
to
the
point
where
we
can
start
doing.
Api
management
is.
H
That
that's
that
one
approach,
also
don't
forget.
We
also
have
other
protocols.
Like
you
know,
former
ncp,
I
mean
history
used
to
send
protocols,
and
that
I
mean
it's
it's
it's
both
design
and
implementation
are
are
massive.
If
we,
if
we
need
to
achieve
all
those
goals
at
once,
that's
why
I'm
trying
to
clarify
the
strict
requirements.
B
B
And
so
I
I
don't
want
to
get
into
it:
a
proto
versus
not
proto
as
the
primary
authority
of
discussion
here
I
know
I'm
gonna,
no
cussing,
I'm
gonna.
Let
the
the
folks
who
have
spent
most
of
the
time
doing
this
come
back
with
a
recommendation
and
have
a
a
discussion
about
it,
because
the
tlt
isn't
going
to
have
a
strong
opinion
about
that
unless
there's
clear
evidence
that
there's
going
to
be
disruption,
one
way
or
the
other.
I
take
your
point
about
it
being
very
expensive.
B
C
A
B
You
know
other
p0s
here
is,
you
know,
can't
disrupt
the
whole
development
process.
I
can't
destabilize
the
release
right
all
the
usual
engineering
things
right,
and
so
you
know
it's
either.
If
it's
big
bang,
it's
cheap
and
quick
right
or
it
can
be
done
incrementally,
and
we
can
prove
that
we
can
do
so
safely
right
because
we
can't
stall
all
the
other
teams
right.
While
this
is
happening
right,
that
is
not
allowed
like,
we
could
install
users
yeah.
M
H
B
Yeah
so
like
I,
I
there's
a
list
of
people
who
all
have
expressed
interest
in
being
or
have
had
interest
expressed
in
their
behalf.
If
more
than
one
proposed
solution
comes
out,
then
we'll
talk
about
it.
We
should
probably
move
along
at
this
point.
A
So
my
other
topic,
so
let
me
this
was
yeah
an
interesting
discussion,
so
I
I
have
been
thinking
about
how
to
frame
what
istio
does
and
so
we're
not
going
to
get
too
much
into
detail.
I
think
today,
because
only
15
minutes
or
less
but
I'd
like
everyone
to
you
know
on
toc
to
take
a
look
at
this
and
provide
feedback
like
some
people
have
already
there's.
A
You
know
a
way
to
look
at
what
issue
does
as
really
just
being
networking
done
at
the
application
layer
instead
of
at
the
you
know,
other
layers
and
actually
there's
a
lot
of.
You
know
existing
discussion
actually
from
folks
about
about
that,
and
basically
I
tried
to
write
up
what
would
happen
if
we
leaned
more
heavily
into
that,
and
really
you
know,
rather
than
talking
so
much
about
services
and
service
mesh
started
talking
about
applications
and
application
networking.
A
So
basically
there's
a
list
of
proposals
in
here
for
what
we
would
do
so
one
is
that
we
already
have
the
concept
of
an
application
in
istio.
We
just
call
it
canonical
service,
but
really
what
it
means
is
actually
the
name
of
the
application
endpoint.
H
A
The
application
networking
model
that's
actually
like
what
it's
semantic,
meaning
it.
A
We
didn't
well,
we
actually
thought
about
calling
an
application
we
just
when
we
were
working
on
the
design
port.
We
didn't
have
this
framing
of
the
problem,
and
so
we
we
leaned
against
application
because
of
that,
because
people
were
like
everything
services,
but
it
actually
better.
A
If
we
did
that,
so
that's
one
and
then
another
is
that
today
the
we
have
this
sort
of
disjointed
identity
model
where
we
have
this
indirection
between
the
applications
and
the
service
accounts
and
there's
sort
of
this
mapping
you
have
to
do
kubernetes
makes
it
pretty
easy
to
do
because
it
gives
everything
a
default
one
in
the
namespace
so
like.
If
all
you
care
about
is
name
space.
A
Fine,
but
you
know
it's
providing
this
extra
level
of
indirection.
That
kind
of
is
not
necessary,
and
so
the
proposal
would
be
to
just
stick
that
basically
application
name
canonical
service
name
in
the
certificates
and
allow
that
to
be
used
for
our
authorization
policies.
A
There's
a
a
pretty
long
discussion
here
of
what
that
would
lead
to,
but
there's
some
nice
benefits
that,
like
what
you
end
up
monitoring
and
what
your
authorization
policies
look
like
then
become
symmetric
right.
Everything
becomes
kind
of
lined
up
on
the
same
things,
and
you
don't
have
to
do
this
mapping
of
oh
okay,
wait.
I
have
calls
from
this
client
it's
running
as
a
service
panel.
A
H
All
right,
if
I
can
say
it's,
it
will
be
pretty
awesome
if
we,
if
we
do
see
it
in
terms,
so
it
will
simplify
a
lot
of
things
and
you
know,
prove
skeletons
of
other
things
in
in
you
know,
give
us
a
secure
naming
and
a
lot
of
implementation
details
so.
B
H
Identities
you
you
cannot
have,
you
cannot
have
according
to
the
spec.
As
far
as
I
know,
there
is
only
one
switch
identity,
but
you
can
have
additional
sun,
so
you
can
have
dns
plus,
but
that's
perfect,
because
for
intervality
I
mean,
if
we
express
canonical
service
name
is
a
service
name.
It
is
not
a
spf
identity,
so
it
is
basically
perfect
matching
to
have
both
identity,
because
spiffy
plus
the
suns,
which
allow
interoperability
with
other
crimes
that
are
not,
let's
be.
A
When
we
were
when
we
were
sort
of
designing
spiffy,
there
was
actually
a
discussion
about
this
exact
situation,
and
you
know
I
think,
at
the
time
I
was
pushing
for
servants
against
that's
what
we
had.
We
didn't
really
have
this
other
model
and
sticky
intentionally
is
more
general
very,
and
there
was
a
lot
of
discussion
of
like
application
identity
when
we
were
talking
about
this
and
building
this
50
model.
So
it
is
unfortunate
if
you
can
only
have
one
sticky
identity
that
makes
this
harder
yeah.
H
Or
it
makes
it
better,
I
mean
you
look
at
it
as
a
feature
because
it
allows
us
to
put
the
identity
in
in
sni,
which
is
perfectly
in
in
in
the
sun,
which
is
perfect
match
with
snare
routing
we
are
doing,
which
is
also
based
on
on
dns
name
hostname,
so
it
it's
a
perfect
fit
for
for,
inter
rarity.
So
there
are
a
lot
of
benefits.
If
we,
if
we
implement
it
as
a
you,
are
a
dns.
A
A
H
Common
name
is
also
possible,
but
again,
if
we
think
about
sni
routing,
which
is
you
know,
we
are
using
it
extensively
it
will.
It
will
tie
things
together
very
nicely.
J
Like,
for
instance,
you
in
your
proposal,
you
talk
about
right
instead
of
using
service
account,
which
kubernetes
provides
to
us
today.
We
use
that
in
authorization
policy
right,
so
you
are
proposing
okay,
we
could
using
application
names
instead
of
service
account.
I
was
just
wondering
regarding
your
proposal,
some
of
these
application
name
and
the
identity.
J
If
it's
coming,
naturally
from
kubernetes,
I
think
it
would
be
pretty
transparent
for
our
user
to
adopt,
instead
of
they
would
have
to
mentally.
Do
a
mapping
between
service
account
to
the
application
name
right,
because
they
could
still
like.
If
I
deploy
book
info
today,
I
could
create
service
account
for
each
of
my
booking
for
services,
which
is
probably
recommended
by
user
running
services
in
production.
So
I
mean,
if
kubernetes
have
that
native
concept
of
application,
name
and
application
identity,
it's
just
so
much
natural
for
people
to
leverage
from
a
service
perspective.
A
Yes,
I
did
not.
I
did
not
propose
tackling
that
trying
to
push
this
down
into
kubernetes.
A
There
is
so
kubernetes
does
virtual
application
concept
that
they've
been
working
on
and
there's
a
good
but
not
perfect
fit
between
what
we
want
to
do
and
what
they
want
to
do,
but
yeah,
I
I
have
on
my
list
to
reach
out
to.
A
I
don't
even
know
if
that's
a
whole
working
group,
that's
sort
of
the
word
group,
the
leads
of
that
working
group
and
discuss,
discuss
this
yeah.
So
maybe.
J
J
J
H
A
And
the
you
know,
like
we
had
this
huge
internal
to
google
discussion.
Also
about
this
and
like
ideally,
we
would
have
been
able
to
call
this
thing
a
service,
but
kubernetes
has
the
name
service
already
for
something
different,
and
it's
like
that.
We
need
another
name,
and
so
we
just
added
canonical-
and
I
don't
know
that
that
was
necessarily
the
best
thing
to
do.
We
maybe
should
have
just
at
the
time
sucked
it
up
and
chose
an
application
and
I'm
kind
of
saying
hey.
Let's
just
do
that.
H
By
the
way,
speaking
of
kubernetes,
there
is
also
a
discussion
about
in
the
gateway,
api,
kubernetes
gateway
about
how
you
know,
ownership
and
and
how
those
names
can
be
authorized
and
mapped
to
different
workloads
and
and
delegated
and
and
basically
the
whole.
The
whole
model,
for
you
know
who
is
allowed
to
to
claim
a
particular
name.
M
H
B
H
Yeah,
I
know
that's
happening
speaking
of
api
revisioning.
No,
but
but
again,
if
you
claim
to
your
application,
name
is
example.com,
and
then
you
have
gateways
that
forward
due
to
example,
common
and
so
forth.
Then
we
run
into
all
kinds
of
problems
who
can't
claim
that
it's
example.com,
if
it's
something.namespace,
we
can
vary
that
and
so
forth.
But
otherwise
it's
it's
a
it's
an
issue
about.
B
You
know
ownership,
yes,
there's
definitely
segmentation
between.
We
need
guidance
about
what
names
people
are
allowed
to
use
for
which
things,
because
we
don't
end
up
with
accidental
collisions
between
external
and
internal
survey.
A
So
real
real
quick,
I
think
I
I
only
went
through
the
first
two
points
here,
so
the
last
two
are
slightly
less.
I
think
crazy.
So
remember
three
is
that,
basically,
we
should
just
make
it
simpler
to
target
configuration
at
applications
so
right
now
you
can
do
it,
but
you
have
to
you
just
use
the
same
label
selector
right.
That
was
basically
you
say:
you
know:
label
canonical
service
equals
whatever
in
your
in
your
policy,
I'd
like
to
make
that
more
first
class.
A
So
basically
you
can
just
say
as
part
of
your
configuration
you
know:
application
equals
whatever
this
was
actually
always
part
of
the
plan
for
canonical
service.
So
it's
just
saying:
hey,
let's
finally,
do
it
when
we
first
did
this
we're
like
hey
later
we
can.
You
know
we
can
just
make
it
easy
to
talk
configuration
then
we
never
never
did
that
so
hey.
We
should
do
it
all
right.
A
J
Yeah
you
were
not
presenting
that
portion,
so
I
wasn't
sure
if
you
were
referring
to
that
yeah.
So
so
I
I
agree
with
you,
I
mean
workload.
Selector
is
actually
very
confusing.
I
was
just
looking
over
documents
like
like
the
in
the
gateway
resource.
Today
we
use
a
selector
right
in
the
envoy
filter,
we're
using
workload
selector
and
in
our
authorization
and
authentication,
which
includes
the
peer
authentication
and
also
the
user
authentication.
We
use
like
label
selector.
J
A
Yes,
we
should
try
to
unify
all
those
but
yeah.
I
think
that
the
main
the
main
proposal
here
is
just
to
add
at
a
field
that
is
like
application,
then
you
can
just
select
it
or
not
even
select
it.
You
just
enter
it
and
then
write
the
config
apps
to
that,
and
then
the
last
thing
is
less
less.
A
Out
but
you
know
like
just
basically,
we
should
finish
multi-network.
I
think
it's
not
it's
not
really
tied
as
much
to
this
idea,
but
the.
A
Basically,
if
you
think
about
like
an
application
layer
network,
that's
inherently
multi-network.
So
just
let's
lead
into
that
more
and
say
you
know:
multi-network
is
kind
of
a
big
part
of
what
istu
does
and
kind
of
a
big
part
of
the
value
and
describe
it
in
terms
of
these
application
layer,
overlays
et
cetera,
but
we're
at
a
time.
So
please
please,
read
the
doc
and
comment
and
we'll
figure
out,
but
if
we,
if
we
actually
want
to
take
on
some
of
these.
A
Yes,
I've
looked
at
them
a
couple
times.
I
probably
should
have
put
them
again.
Aren't
they
not
applicable
here,
so
they
they
are
and
they
aren't.
So
the
main
the
main
problem
is
they're
optional,
and
so
we
have
this
model
of
everything.
Is
you
know
everything
is
a
canonical
service
and
there's
this
like
every
every
endpoint
is
part
of
a
canonical
service.
Always
if
you
don't
label
it,
we
have
heuristics
that
figure
it
out
and
I
think
that's
the
perfect
missing
from
the
next
film
and
that's
what
I
want
to
talk
about.
B
A
Yeah,
what
we
do
is
we
have
a
controller
that
injects
them,
if
not
there
right,
and
so
I
think
that
would
be
the
main
proposal
to
talk
to
them
about
and
then
the
question
is:
can
we
do
it
with
our
existing
label
or
do
we
need
a
new
label
that
like
what
we
did
right?
We
invented
a
new
label
and
we
just
copy
from
there
but
yeah.
That's
the
whole
discussion.