►
From YouTube: Technical Oversight Committee 2021/04/09
Description
Istio's Technical Oversight Committee for April 9th, 2021.
Topics:
- Moving TOC meetings to Monday morning instead of Friday morning, and an hour earlier.
- Inbound Forwarding for 1.10: Approval to add upgrade pre-check command.
- istioctl analyze warnings on alpha/experimental: Approval to add whitelist of expected alpha/experimental usage, warn on the rest.
- 1.10 release pushed to 5/18
B
C
B
Yeah,
that's
excellent,
that's
good
to
know.
We
really
need
to
start
sending
some
swag
once
things
become
better
in
qs,
I
guess
for
people
who
are
doing
many
jobs,
let's
see
so
the
weekly
routine
here
feature
freeze
was
april.
Sixth,
we
have
done
the
branch
cut
and
our
free
feature
frozen.
That's
good!
Anything
to
add
there.
C
Correct
we
have
a
couple
of
automation
which
needs
to
be
done,
but
separate
than
that
there
is
no
sign
up
since
last
week
and
the
automation
required
the
ones
which
actually
requires
testing
at
34,
because
other
than
that
they
are
automated.
So
34
test
cases
which
are
still
p
zeros
requires
the
ownership
and
the
testing
is
starting
tuesday.
B
C
D
B
B
B
C
E
Yeah
so
three
release
blockers,
I
think,
as
of
like
the
last
hour,
that
should
actually
be
two
release
blockers
and
ten
p0's,
but
I
think
it's
premature
to
discuss
the
specifics
right
now
in
toc,
but
I've
reached
out
to
the
owners
individually
and
I
I
think
that
these
are
release
blockers.
We
have
paths
to
resolution
for
so.
B
B
All
right,
so
let
us
know
again
if
you're
short,
stuffed
and
somebody
needs
nudging.
It
looks
like
sam
and
the
other
release
managers
have
this
handled
well,
so
we'll
keep
moving
next
release,
istio
111,
all
right,
so
the
timelines
are
10th
august.
What's
that,
I
think
we
discussed
it
last
time.
Do
you
need
an
explicit
approval?
Srita
or
this
is
again
an
fi?
F
B
G
B
G
B
B
B
Does
that
sound
good
all
right?
So,
first
one.
Hopefully
this
is
quick,
I'm
proposing
to
move
toc
to
the
monday
time
time
slot
at
9
am
pst.
The
two
reasons
for
it.
First
is
I
wanted
to
move
the
time
earlier
so
that
folks,
like
me
and
other
from
different
time
zones,
can
attend
in
a
reasonable
hour.
I
had
discussed
it
with
other
toc
members
and
we
had
rough
approval.
B
B
G
Oh
yeah,
I
was
on
vacation
yeah.
I
think
this
is
fine.
I
think
you
know
we'll
have
a
couple
of
more
missed
days,
because
u.s
kind
of
national
holidays
tend
to
fall
on
mondays
right
when
there
are
three
day
weekends.
So
I
think
you
know
we'll
probably
that
will
cause
us
to
have
three
or
four
more
non-scheduled
toc
meetings
a
year,
maybe
a
bit
more
than
that,
like
I
don't
remember
how
many
it's
somewhere
in
the
four
to
six
range
right,
so
we'll
lose
one
and
a
half
a
quarter.
B
G
I
G
I
D
A
F
C
K
K
We
got
the
feedback
previously
that
we
want
to
do
this,
but
we
are
a
bit
worried
about
the
impact
it
may
have
on
upgrade
and
the
feedback
from
qsc
was
yes,
sorry,
if
that's
too
small,
we
should
have
some
command
that
you
know
before
every
upgrade
users
run
the
upgrade
check
and
we'll
encode,
all
of
or
as
much
of
like
upgrade
notices
in
code
rather
than
I
expect
users
to
read
them,
and
the
first
would
be
checking
for
this.
So
we
have
done
that.
K
You
can
kind
of
see
the
output
here,
it's
a
bit
small,
but
it
will
show
you
all
of
your
pods.
That
will
be
impacted.
So
if
you
run
this
before
you
upgrade,
then
assuming
all
goes
well.
You
should
be
notified
that
anything's
going
to
change
and
you
can
go
fix
those
pods
or
if
it
was
just
a
mistake
and
they're
not
actually
broken,
then
ignore
it.
So
that's
pretty
much
it.
I
wanted
to
make
sure
that
this
is
what
we
wanted
and,
if
there's
anything
else
we
want
to
do
before.
B
K
Two
we'll
mention
it
in
the
upgrade
notes
like
run
the
pre-check
command,
and
I
think
we
can
also
put
on
the
install
and
upgrade
documentation
it's
actually.
It
can
be
used
for
both.
So
it's
meant
to
be
not
just
upgrade
check.
We
changed
the
name
since
that
picture,
but
it's
a
check
for
pre-install
and
pre-upgrade.
J
One
question
I
have
is:
what's
the
thought
process
for
you
to
have
a
dedicated
command
was:
have
it
part
of
the
analyzer
command,
because
I
do
remember
we
kind
of
tell
people
you
know
if
you
need
to
upgrade
issue,
go
ahead
and
run
the
analyzer
command
and
see
what
only
you
got
right.
If
we
have
newer
version
of
api
that
may
not
be
compatible
with
your
environment,
we
would
want
you.
So
I
assume
this
is
an
additional
command
and
what's
your
thought,
process
of
not
having
it
as
part
of
the
analyzer.
D
So,
in
particular,
the
reason
that
we
don't
have
this
running
as
part
of
the
analyzers
today
it's
twofold
one.
It
reads:
data
that
the
analyzer
framework
does
not
have
access
to
analyzers
are
by
definition
config
only
they
do
not
have
runtime
access
to
envoy,
etc,
and
this
particular
operation
does
require
that
so
things
like
ci
cd
would
not
be
able
to
use
this.
The
second
is:
we
are
trying
to
create
a
set
of
analysis
like
operations
that
are
particular
to
upgrade.
D
So
if
you're
running
istio,
one
nine
you're
running
istio,
one
nines
analyzers,
and
so
those
analyzers
are
not
going
to
include
any
problems
with
an
upgrade
to
110.
The
idea
would
be
that
you
download
istio
cuddle
110
and
run
upgrade
pre-check,
which
runs
only
commands
that
are
relevant
to
your
upgrade.
Does
that
make
sense.
D
Yeah
running
all
of
analysis
will
will
give
you
a
lot
more
information
than
is
necessarily
relevant
to
your
upgrades
and
also
will
not
give
you
this
particular
check
that
john
has
written.
So
that's
why
we
have
a
particular
command.
It's
just
the
subset
of
analyzers
that
are
relevant
to
upgrade
along
with
a
few
other
runtime
checks.
K
K
That
the
easter
cuddle
analyze
command
can't
also
include
this
right.
It
seems
like
I
mean
we
have
to
think
about
the
details,
but
we
could
probably
combine
them.
You
can
add
a
flag,
that's
like
dash
dash
include
upgrade
checks
or
whatever
we
want,
but
ultimately
I'm
sure
we
can
find
a
way
to
make
it
reasonably
be
just
one
command.
D
K
L
H
Right
can,
I
add,
was
one
small
comment
here
on
this
topic
in
in
practice.
Yeah.
I
understand
that
how
it
is
today,
but
there
is
a
need
to
have
more
fine
granularity
of
permissions
and
access
control,
starting
with
ability
for
users
to
to
run
analyze
with
access
to
an
a
space
only
and
then
with
file
only
which
is
very
important
for
csd,
but
also
what
what
john
mentioned
with
cluster
admin
or
with
mesh
admin.
So
we
need
to
to
to
kind
of
refine
a
bit
the
analyzer
permission
model.
D
So
right
now
that
is
supported.
Analyzers
can
be
run
against
a
particular
namespace
only
and
no
matter
what
model
you're
running
them
under
they
are
read
only
so
they
don't
do
any
port
forwarding
any
pod
exec.
If
you
have
read
permissions
to
the
kubernetes
api
server
or
to
a
file
system
that
has
your
configs
in
it,
you
can
run
all
the
analyzers.
H
B
What
the
source
of
confusion
here
is,
I
feel
like
like
there
are
too
many
sub
commands
or
commands,
and
sometimes
it's
not
clear
when
to
run
for
a
user,
because
I
think
there
is
a
osteoctl
verifying
stall.
Maybe
that's
going
to
get
deprecated,
I
don't
know,
then
this
new
one
and
then
istio
ctl
analyze.
I
understand
mitch
your
point
that
there
are
security
boundaries
where
some
commands
you
know
fit
very
well.
B
D
K
K
G
E
G
There's
probably
some
desire
to
consolidate
or
rationalize
the
ux
across
that
set
of
commands,
but,
but
I
think
we're
all
in
agreement
that
we
we
want
a
very
clear
definition
of
a
command
that
is
a
pre-upgrade
or
pre-install
as
a
use
case,
and
it's
perfectly
fine
for
that
to
be
well
a
command
that
is
named
differently
than
analyze
analyzes,
an
incredibly
generic
name
anyway.
So
we
might
want
to
think
about
that.
But
if
the
question
here
is,
you
know,
should
the
toc
approve
this
command?
I
think
the
answer
is
yes.
G
B
D
B
B
G
D
B
B
A
E
D
Yeah
one
thing
to
be
aware
of
too:
this
is
reporting
on
any
use
of
alpha
or
deprecated.
What
is
it
annotations
in
your
install,
which
we
do
use
by
default
in
istio
install?
So
one
of
the
reasons
for
keeping
this
experimental
is
that
we
know
we
need
to
clean
up
our
existing
alpha
and
experimental
et
cetera
features
by
default.
This
will
so
we're
going
to
get
some
users
who
see
this
and
are
a
little
bit
concerned,
as
they
should
be.
Frankly,.
K
K
K
I
I
yeah
I
mean
this
is
going
to
the
weeds,
but
I
don't
see
how
it's
useful
to
report
an
error.
When
there
is
none,
I
mean
we,
we
literally
inject
these
annotations
onto
every
pod,
so
then
to
go
around
and
warn
them
that
we
injected
an
annotation
is
kind
of.
Not
it
just
doesn't
make
sense
to
me
so,
but
we're
probably
going
too
far
into
the
weeds
here.
B
Yeah,
so
for
me
what
I
have
heard
and
then
feel
free
to
pitch
in
if
you
still
have
reservations
about
this,
looks
like
the
experimental
upgrade
pre-check
command
is
approved.
We
want
to
make
sure
for
110.
We
are
highlighting
this
in
all
the
forums
and
documentation,
blogs,
release,
notes
we
have
and
then
the
last
thing
is
after
110
we
want
to
have
the
ux
working
group.
Look
at
the
various
htoc
till
commands
come
up
with
a
better
ux
with
a
consolidated
workflow.
J
G
So,
john,
just
just
to
be
clear
in
the
behavior
when
we
provide
the
the
warning
is
telling
users
that
the
change
that
the
they
are
going
to
be
affected
by
a
change
in
default
behavior
and
that
they
should
correct
right.
That
is
what
we're
doing.
It
is
not
that
we're
trying
to
do
anything
more
refined
than
that.
K
A
A
K
Yeah
yeah
the
error.
I
changed
the
air
a
bit.
I
don't
know
if
it
fully
does
that,
because
it
was
already
getting
kind
of
long,
but
it
gives
you,
I
think,
a
summary
and
then
the
intent,
or
at
least
my
expectation
is
that
they
would
then
go
to
the
ist
code,
which
I
don't
think
you
can
see
down
here
at
the
bottom.
K
I
E
G
J
K
B
G
Yeah,
so
certainly
if
the
plot,
the
port
number
was
like
80
or
443
right,
there's
a
very,
very
high
probability,
it's
going
to
be
called,
but
I
think
users
can
make
that
assessment
right
as
long
as
the
documentation
tells
them
they
can
always
try
it
and
if
it
breaks,
then
you
know
they
were
warned,
but
they
prefer
not.
They
should
go,
read
the
documentation.
I
think.
B
Here
is
my
suggestion,
lynn,
so
john,
why
don't
you
link
the
pr
here
and
lynn
and
anyone
else
in
the
toc?
Otherwise
we
can
go
and
comment
on
it
and
see
if
the
error
messages
or
the
warning
is
suitable.
I
think
that
can
be
done
on
the
pr
side
instead
of
deciding
here
how
about
that?
Yes,
yeah
all
right.
D
Well,
I,
since
we're
on
the
topic,
I'd
like
to
raise
the
issue
of
this
alpha
analyzer
and
ask
for
some
kind
of
gridlock
breakage.
This
is
something
that
we
added
to
one
nine
and
because
of
it,
the
verbosity
in
analyze,
we
decided
to
roll
it
back.
So
we
didn't
want
these
analysis
messages
going
out.
The
analyze
command
is
not
experimental,
and
so
there
was
some
concern
that
we're
we're
telling
users
we're
a
little
bit
more
noisy
than
we
should
be
there.
D
M
D
I
totally
agree
with
you
ed
it's.
I
think
I
don't
think
it's
a
question
about
that,
because
I
think
we
have
agreement
there
that
we
shouldn't
be.
You
know,
warning
users
about
things
that
are
set
by
default.
The
question
is
more:
how
to
move
forward.
Do
we
enable
the
command,
knowing
that
we're
using
some
alpha
features
by
default?
Or
do
we
wait
to
build
this
command
until
we
are
comfortable
that
we're
not
using
any
alpha
features
by.
G
An
option
to
have
the
roll-up
the
instance
the
separate
levels
of
detail
right
so
right
if
you're,
using
an
alpha,
annotation
or
an
alpha
label
or
some
other
funky
edge
legacy
stuff.
The
default
behavior,
if
we
think
it's
noisy,
is
that
we
tell
you,
you
have
three
of
these
things
and
then
run
with
this
flag.
D
B
I
I
think
the
path
forward,
then,
is
reasonably
straightforward
here,
right
for
things
that
we
have
to
do
to
make
istio
functional,
we
have
to
allow
them
or
whitelist
them
like
ed,
was
saying
until
we
don't
no
longer
depend
on
them,
and
even
after
that,
if
we
find
that
the
verbosity
of
the
output
is
high,
we
can
do
some
level
of
collapsing
and
then
expanding.
We
are
more
detailed,
cli
arts
right.
D
D
B
A
All
right,
I
I
don't
think
we
should
mark
something
data
just
because
we
use
it.
I
don't
think
that's
the
right
way,
yeah.
I
think
the
right
path
is
but
like,
let's
allow
list
the
things
that
we're
using
and
that
actually
is
a
nice
checklist
for
us
of
things.
We
need
to
resolve
right
in
the
future.
Absolutely
all
the
stuff
that
we're
we're
sort
of
cheating.
D
L
J
A
M
A
Warning
here
is
the
pod
is
listening
on
that
port
and
there's
a
service
pointing
at
it,
which
means
like.
I
thought
it
was
just
there's
a
pod
listening
and
you
know
it's
listening
on
localhost,
but
so
what?
If
there's
no
service,
but
this
is
actually
the
ones
where
there
is
a
service.
So
that's
not.