►
From YouTube: Technical Oversight Committee 2021/08/23
Description
Istio's Technical Oversight Committee for August 23rd, 2021.
Topics:
- Extensibility Roadmap for 1.12
- Security Roadmap for 1.12
- Istio Upgrade survey results and feedback discussion
- Extending Istio's support window - conclusion (n-1 + 6w)
A
A
So
in
the
last
quarter
we
made.
We
basically
did
some
work
there,
but
we
discovered
that
it
does
need
much
wider
consensus
and
there
are
many
more
dependencies
potentially
so
we
have
to
put
that
back
on
the
agenda.
A
Middle
proxy
is
now
coming
up,
often,
and
we've
had
middle
proxy
telemetry
on
sort
of
the
menu
for
a
while,
but
I
think
now
there
are
other
reasons
to
do
it,
and
what
I
expect
here
is
to
be
able
to
produce
talk.
That
says
here
is
the
design,
and
this
is
the
equivalence
or
lack
thereof,
between
a
sidecar
and
middle
proxy
telemetry.
A
So
a
lot
of
this
work
is
going
to
be
to
actually
document
and
then
blog
about
how
to
do
it
and
then
metadata
discovery
service
is
is
again
so
mixer
was
a
metadata
discovery
service
which
we
got
rid
of
long
time
ago,
and
since
then
we
have
had
again
another
persisting
request,
and
even
that
is
becoming,
I
think,
important
for
other
reasons
now
so
in
the
previous
111,
it
was
a
p2
this
time
it
it
is
slightly
higher
and
it
has
it
has
one
primary
owner
and
a
secondary
owner.
B
A
So
so
gateway
like
telemetry
that
that's
that's
based
on
purely
gateway
right,
so
our
the
the
gateway
telemetry
works
great
great
at
ingress
because
it
it
mostly
talks
about
kind
of
where
the
the
traffic
is
headed
and
doesn't
talk
a
whole
lot
about
where
the
traffic
is
coming
from,
because
once
you're
in
ingress,
there
are
many
more
places
that
the
traffic
could
come
from
when
you
have
a
middle
proxy.
A
Actually,
both
sides
are
quite
nicely
bounded
and
you
can
produce
a
full
telemetry
just
like
a
side
cardboard
and
that's
what
that's.
What
middle
proxy
telemetry
would
give
you
so
almost
full
correct.
A
Right,
correct
and,
and
that's
where
it
intersects
with
the
metadata
discovery
service
as
well,
because
knowing
information
about
the
source
of
the
traffic
is
also
needed.
A
A
A
And
so,
for
example,
if
you
have
a
a
middle
proxy,
where
some
of
the
clients
of
the
middle
proxy
are
not
in
the
mesh,
then
being
able
to
resolve
who's,
the
source
of
that
traffic
back
to
its
metadata
is
what
material
discovery
service
gives
you.
C
D
I
I
would
say
it's
it's
coupled
with
with
what
we
discussed
last
week
in
networking,
where
you
know
the
micro
proxy
can
completely
go
away.
If
the
network
infrastructure
provides
you
the
same
thing,
and
then
you
need
this
metadata
service
to
actually
resolve
ip
secure
id
with
with
metadata.
A
A
D
So
another
one
thing
that
would
be
great
to
also
track
us
b2
or
something
we
are
working
on
proxies
grpc
and
some
other
things
I
mean
the
microprocessor
that
was
discussed
last
week
would
be
good
to
have
some
some
thought
about
how
we
collect
telemetry.
In
those
cases
where
android
is
not
in
the
pot
or
make
the
full,
instead
of
almost
full
with
middle
proxies,
because
we
need
something.
D
A
E
Okay,
security
or
someone.
F
G
I
can
get
started
the
first
one
is
oh
yeah
between
me
and
shankar,
and
I
I
think
the
first
one
also
includes
yeah
some
alignment
like
across
what
we
were
already
doing
and
inside
google
and
their
external
oss
part.
So
we
want
to
gather
design
complete
for
their
external
certificate
premium
api
and
their
sds
configuration
api.
Currently
they
are
using
either
environment
variables
or
mesh
config.
We
want
to
move
them
out
and
use
crds
to
define
those
apis.
G
F
F
Yes,
they
already
shared
design
earlier
and
I
think
the
initial
implementation
has
been
done,
but
yeah
they
need
to
complete
the
implementation,
and
the
second
part
is
yami
is
working
on
supporting
extracting
george
clint
to
http
header.
He
already
shared
the
design
to
to
the
security
working
group
and
also
networking
working
group.
F
F
Yeah,
and
next
is
the
future
graduation.
We
have
yeah
a
bunch
of
security
features
we
want
to
graduate
so
for
the
external
oscillation
feature
yeah,
we
want
to
promote
it
from
experimental
to
alpha,
auto
mqs.
Promoting
auto
mqs
is
actually
mostly
done.
There
is
a
a
few
left
left
over
item.
F
I
think
mostly
on
support
side,
a
16
phase,
pencil
completed
yeah
and
for
promoting
security
policy
api
to
stable,
I
think
for
the
p0
is
to
scoping
off
the
work
needed
so
yeah,
so
yummy
plans
to
properly
write
a
dock
to
put
down
what
are
the
work
needed
to
graduate
the
api.
G
So
this
one
promote
external
ca
integration
feature
from
the
experiment
to
the
r
to
alpha
it's
owned
by
shankar.
Currently
we
have
this,
customers
are
using
it
already.
We
want
to
promote
it
at
least
to
our
far
shooting
for
that
goal
in
the
next
release.
G
Yeah
the
last
one
also
belongs
to
me
improvements
on
the
documentation.
Currently
we
have
their
security
concept
page,
which
is
pretty
long.
We
have.
We
are
halfway
there
to
get
this
improved,
to
make
it
much
shorter
by
moving
some
of
the
contents
into
their
tasks
or
best
practice,
documentation
and
also
didn't
mention
it
here.
We
also
add
we'll
add
more
tasks
for
the
concept
page
as
well.
H
For
the
documentation,
improvements
will
that
include
the
automated
tests.
Yes,
okay,
awesome
yeah.
I
will.
E
Yeah
me
too,
we
should
make
sure
the
auto
mt
last
stuff
is
well
aligned
with
the
micro
proxy
proposal,
not
not
that
it
blocks
the
promotion
of
the
existing
feature
to
stable,
but
what
we
were
going
to
do
next.
F
So
louis
you
are
talking
about
the
microservice
of
proposal.
That's
the
on
the
networking
roadmap
agenda.
Okay,.
E
Okay
seems
like
we're
all
done
here.
I
I
I
I
The
feedback
we
showed
in
april
with
one
nine,
was
our
first
release
that
had
been
reorganized
around
upgrade
experience
and
we
found
that
there
was
some
improvement.
We
moved
the
needle,
but
there
was
still
quite
a
long
ways
to
go.
I
Looking
at
our
110
survey,
we
got
27
respondents,
which
is
about
double
what
we
got
for
the
one
nine
survey,
and
the
reason
for
that
is
that
now
our
surveys
are
open,
starting
on
the
release
date
and
more
or
less
open
indefinitely.
They're.
Also,
now
a
part
of
the
upgrade
process,
both
helm
and
istio
cuddle
will
dump
a
small
message
to
the
user,
asking
them
to
fill
out
a
survey
about
their
experience.
Upgrading.
I
There
we
go
all
right,
so
the
first
question
that
we
ask
our
users
is
to
get
an
idea
of
the
maturity
of
their
installations.
You'll
notice
that,
as
a
change
from
one
nine,
we
saw
a
lot
more
users
who
have
had
only
some
of
their
meshes
or
some
not.
You
know,
test
message,
meshes
fewer
production
installations
than
we
saw
in
110
or
one
nine
sorry.
This
is
because
we
had
the
survey
open
from
day
one.
So
this
is
an
expected
change.
I
I
We
measure
satisfaction
versus
the
progress
of
installation
and,
in
one
nine
we
had
a.
We
had
a
light
skew
to
the
positive
side
with
some
concerning.
Let's
see,
oh
no,
no,
this
is
particularly
concerning,
but
the
the
skew
was
light
and
we,
of
course
we
didn't
have
a
lot
of
response.
Only
13
respondents
in
nine
looking
to
110,
we
have
a
much
stronger
and
clearer
skew
towards
a
positive
upgrade
experience
for
reference.
I
You
can
also
see
that
this
this
response,
this
strong
bias
towards
the
positive,
is
pretty
evenly
distributed
across
users,
who
have
only
just
begun
their
process
of
upgrading
or
who
have
completed
upgrading
all
of
their
meshes
to
sto110.
I
The
next
question
again
in
one
nine,
we
ask
for
areas
where
we've
seen
the
most
improvement
versus
areas
where
we
need
the
most
improvement.
This
is
what
we
saw
in
one
nine
fairly,
even
across
the
areas
where
we
saw
positive
revision
based
upgrades
had
two
showing
improvement,
two
saying
it
needs
more
improvement.
Upgrade
stability,
biasing
slightly
positive,
skip
version,
upgrades
being
the
most
popular
request
in
one
nine
in
110,
revision-based
upgrades
biases
much
more
strongly
positive,
which
is
great
news.
I
This
is
an
area
that
the
environments
working
group
has
been
investing
in
for
quite
some
time
and
we're
beginning
to
see
positive
feedback
from
our
users
on
revision-based
upgrades.
We'll
look
a
little
bit
more
at
that
later.
We've
our
users
are
happy
with
upgrade
tooling
and
stability,
but
still
skip
version.
Upgrades
are
a
very
strong
ask
from
our
users
the
ability
to
upgrade
from
one
eight
to
one
ten
one,
nine
to
one
eleven
within
the
support
window
questions
there.
I
So
we
did
not
get
any
qualitative
feedback
from
these
users
on
why
they
selected
skip
version
upgrades,
so
skip
version.
Upgrades
are
supported
within
110,
so
you
can
upgrade
from
one
eight
to
110
and
that
was
announced
shortly
after
the
110
release.
However,
you
can't
do
it
within
the
support
window,
like
one
eight
went
out
of
support
before
skip
version.
Upgrades
from
1
8
to
110
were
possible.
I
I
I
sam
I
do
have
a
section
at
the
end
where
I'm
going
to
ask
for
qualitative
questions.
We've
gotten
contact
information
from
a
lot
of
users
who
said
that
they
would
be
interested
in
being
interviewed,
so
we
can
dig
more
deeply
into
that
in
those
interviews
as
well.
I
I
I
In
one
nine
we
saw
more
than
half
of
our
users,
prefer
in-place
upgrades
and
then
more
users
not
understand
what
their
upgrade
posture
was
than
prefer,
revision
based,
which
was
disheartening,
because
this
is
somewhere.
We've
invested
a
lot
well
in
this
release.
The
needle
has
moved
substantially.
I
Users
prefer
revision-based
upgrades
slightly
over
in-place
upgrades.
We
do
still
have
a
large
swath
of
users
who
don't
know
how
they
upgrade
istio,
which
I
I
don't
know
what
conclusion
to
draw
from
that.
But
it
is
great
to
see
revision
based
upgrades
gain
some
traction
here.
Excellent
work
from
the
environments
working
group.
I
You
know
I
have
divided
the
like
feelings
on
that.
On
the
one
hand,
if
you
just
run,
you
know
an
install
command
without
any
special
flags
you
get
in
place.
On
the
other
hand,
if
you've
copied
your
install
command
from
anywhere
in
the
istio
documentation,
you've
very
likely
gotten
a
revision
based
upgrade.
H
Yeah,
so
looking
at
this
question
here
to
me,
it
specifically
asks
which
one
you
prefer,
which
sets
me
you.
We
might
have
users
who
have
tried
both
and
not
actually
figured
out
which
one
they
really
want
to
use
long-term.
I
I
Not
having
time
to
do
the
canary
or
revision
based
upgrade,
is
a
concern
then
again,
when
you're
working
in
production
moving
fast
is
not
necessarily
the
best
for
the
users
who
prefer
revision
based
upgrade
by
the
way.
Last
time
we
only
had
one
person
explain
why
they
were
preferred
revision
based
upgrades
so
having
three
this
time
again.
Big
improvement
in
this
area,
and
we
are
seeing
that
perception
is
changing.
There's
more
safety,
there's
more
stability,
we
can
move
progressively.
I
I
A
lot
of
diversity
of
perspective,
this
did
not
come
from
the
survey,
but
it's
relevant
to
the
discussion
at
hand.
I
know
last
two
weeks
ago,
when
we
were
discussing
which
release
we
should
extend
the
life
cycle
of
one
of
the
comments
was
that
the
110
release
should
have
much
higher
adoption
than
one
nine.
I
This
chart
shows
the
number
of
pods
running
components
of
istio
in
each
version
on
gke,
using
only
open
source
istio
and,
as
you
can
see,
1
9
is
far
and
away
the
most
popular
release
in
terms
of
release
life
cycle
where
110
is
at
now
with
about
three
months
after
the
release,
one
nine
had
about
thirty
percent
or
sorry
fifty
percent
more
pods
running
at
that
time.
I
So
takeaways
are
again
revision
based
upgrades.
I
am
just
super
thrilled
to
see
that,
finally,
catching
on
with
our
users
still
a
strong
expectation
about
those
direct
upgrades
or
skip
version
upgrades
and
looking
forward,
we
do
already
have
the
111
survey
open.
It's
been
open
since
day,
one
for
istio
111,
with
links
in
all
the
appropriate
places
after
upgrade,
but
it's
been
about
a
year
since
we've
conducted
a
survey
that
focused
on
anything
other
than
upgrade
behavior
and
experience.
I
So
if
you
have
suggestions
on
what
you
would
like
to
see
collected
in
the
fall,
it's
probably
time
to
do
a
more
universal
survey
for
istio
user
experience.
I
I
B
Thank
you
so
much
mitch.
This
is
very
encouraging
data
and
I
do
agree
with
you
about
the
wider
survey.
I
was
actually
just
thinking
about
this
recently,
especially
with
the
roadmap
documentation.
You
know
we're
trying
to
produce.
I
think
it
aligns
really
well
if
we
can
collect
some
type
of
global
survey.
Not
only
just
for
upgrades,
especially
upgrade
has
been
improved.
Quite
a
bunch
now.
I
Yeah
yeah:
I
think
that
that
it's
it's
about
time
for
that
and
I'll
be
putting
together
a
document
in
the
ux
folder
before
long
sort
of
soliciting
questions
or
or
themes
that
we
could
address
in
that
next
survey
and
I'd
love
your
feedback
on
that
lynn.
C
C
Seems
like
on
the
next
one
right
now
we're
talking
a
lot
about
in
place
versus
revisions.
We
may
want
to
add
something
about
tags,
and
if
that
causes
a
lot
of
confusion,
then
that's
a
sign
that
we
poorly
documented
the
new
tags
feature.
So
I
think
even
that
would
be
a
good
signal,
but
I
would
in
theory
hope
that
we
once
we
start
pushing
that
then
in
place
becomes
or
sorry
revisions
becomes
both
more
used
and
gets
better
ratings,
and
that
would
be
a
good
way
to
prove
that's
working
as
expected.
I
Yep
I
have,
I
have
reference
tags
in
the
111
upgrade
survey,
so
we
should
start
getting
feedback
on
that.
We
don't
have
any
respondents
yet
who
have
upgraded
to
111.
But
that's
you
know.
It's
not
surprising
at
this
point.
K
B
So
meet
you
just
a
quick
question
as
we
throw
it
into
the
next
topic,
the
data
you
have
on
gke,
that's
regardless,
which,
like
there's
no
subset
of
user.
It
will
be,
I
guess,
a
general
data
from
gke,
because
your
other
server
is
switching
for
one
turn
right.
So
people
may
not
take
time
to
even
look
at
110,
so
they
wouldn't
even
spend
time
to
look
at
that
survey.
So
it's
a
very
targeted
set
of
sampling
data
from
the
27
participant,
but
the
the
gke
data
you
presented.
B
That's
that's
just
a
wide
range
of
data
right.
I
That's
right:
that's
all
users
of
open
source
istio
on
google
that
are
not
internal
projects
like
our
testing
or
our
performance
projects,
or
things
like
that.
I
Yeah,
are
we
hoping
to
make
a
decision
today
on
which
release
to
extend
support
on,
or
is
that
something
for
another
week.
I
B
E
I
Closing
there's
sort
of
a
vague
deadline.
Technically
the
one-nine
support
window
was
supposed
to
have
closed
last
week.
I
believe
the
cve
that's
currently
being
worked
on
will
will
also
have
a
one
nine
patch
release
for
it.
E
It
certainly
seems
reasonable
to
keep
it
open
until
this
is
resolved
in
the
toc.
So
I
would
certainly
vote
in
favor
of
that
right
now.
C
And
what
exactly
are
we
going
to
tell
the
users,
because
if
we
decide
we're
not
going
to
keep
1.9
support
when
we
resolve
the
issue,
then
we'll
just
suddenly
drop
the
support.
So
I
feel
like
we
should
we
don't
want
to
tell
users
that
it's
supported
up
until
some
arbitrary
date
that
we
make
a
decision.
I
Normally
we
also
do
give.
I
think
it's
maybe
a
three
week
or
a
four
week,
heads
up
to
users.
Hey
support
for
this
release
is
ending
on
this
date.
That
announcement
did
not
go
out
as
far
as
I
can
tell
for
the
one
nine
release,
so
we've
already
been
been
more
silent
than
normal
about
the
end
of
support
for
this
release.
That.
C
I
C
I'm
fine
with
bumping
it
to
a
specific
date.
I
just
don't
want
to
bump
to
an
undefined
state,
maybe
sooner
or
later,
and
I
think
that
it's
given,
I
think
we
already
have
all
the
info
that
we
need
to
make
a
decision.
So
if
we're
going
to
be
doing
things
like
this,
it
almost
seems
like
we
better
just
come
to
a
vote
or
something
and
or
whatever
we
need
to
do
to
reach
consensus
this
week
or
so.
E
C
I
think
so
I
think
everyone
is
fine
with
extending
it,
but
the
question
and
correct
me
wrong
there.
The
question
is:
how
long
do
we
extend
it
12
more
weeks,
six
more
weeks,
do
we
do
even
odd
releases
and
do
we
start
with
1.9
or
1.10,
I
believe,
are
the
three
open
decisions.
E
And
so
the
just
so
we
narrow
down
how
long
to
extend
for
it
was
by
one
release.
Was
there
some
other
possible
measurement
of
extension,
just.
C
Yeah,
we
discussed
a
six-week
extension
so
that
way
we
don't
have
as
many
overlapping
ones,
but
you
still
get
like
right
now.
You
basically
have
to
skip
level
upgrade
in
one
day
if
you
want
to
stay
in
the
window,
so
this
would
give
you
a
six
week
window,
but
we
don't
have
the
full
overlap,
which
also
means
that
we
end
up
with
an
extra
release
during
this
time
when
we
cut
the
branch
and
we
have
master
and
next
release
and
then
the
two
three
previous
supported
releases
so
yeah.
E
So
it's
really
12
weeks
right,
which
gives
us
you,
on
average
n
minus
two,
but
periodically
n
minus
three
yeah
for
the
development
branch.
I
C
B
C
C
I
That
also
depends
on
whether
we
do
every
release
extended
or
even
odd
extended.
That
is
true,
yeah
right.
I
Yeah,
those
are
those
are
done
at
pre-submit.
D
Skip
fashion
upgrade
for
all
four,
I
mean
from
one
nine
to
one
ten,
one,
nine
one,
eleven
one,
ten
one,
eleven
all
the
permutations
have
tested
to
appreciate.
Yes,.
E
H
I
So
we,
the
skip
rate
upgrades
already
were
sorry
skip
version
upgrades
which
we're
communicating
to
the
users
and
calling
them
direct
upgrades
for
rudy's
sake
or
or
lack
of
clarity,
maybe
in
einstein,
but
anyway
that's
what
we
called
them.
I
They
already
are
supported
and
they
are
thoroughly
tested
both
across
in
place
and
revision
based
in
helm
and
in
using
istio
control.
So
those
are
functional,
however,
in
order
to
make
use
of
them.
Currently,
our
users
must
allow
their
existing
install
to
lapse
in
terms
of
support,
yeah,
okay,
yeah,
there's
somewhere
in
the
neighborhood
of
six
to
12
weeks
to
perform
an
upgrade
depending
on
how
aggressive
they
are
and
how
large
their
installs
are,
and
the
idea
is
to
provide
them
with
support
during
that
upgrade
period.
A
I
Level
upgrades
we
have
both
the
one
nine
survey
was
conducted
before
skip
level
upgrades
were
provided
for
users,
the
110
survey
most,
I
think
all
of
the
respondents
would
have
come
in
after
we
announced
that
support,
whether
they
particularly
saw
that
blog
post
or
not
is
a.
I
can't
answer
that
question.
D
Okay,
so
on
this
skip
level
upgrade
I
mean
we
do
have
some
tests,
but
you
know
the
upgrade
process.
Even
for
n
to
n
plus
one
has
always
been
pretty
complicated,
pretty
risky
with
real
applications
and
all
kind
of
things
that
users
need
to.
Do.
I'm
not
sure
it's
safe
to
claim
that
we
support
arbitrary.
You
know
n
minus
x
versions
upgrade
with
with
what
we
have
right
now
I
mean
it's
super
superficial.
In
my
opinion,.
D
E
I
E
E
E
E
C
L
There
you
go
yeah,
yeah,
no
yeah,
so
we
currently
support
one
six
and
one
nine.
So
it's
typically
every
two
to
three
releases:
there's,
no!
Even
an
odd.
M
L
We
basically
until
until
we
have
like
a
following
release
that
we
wish
to
support
so
so
like
one
six
is
still
being
supported,
but
we
will
be
ending
that
soon.
So
there's
not
really
a
set
timeline,
it's
more
or
less.
You
know
until
we
can
actually
get
the
next
version
that
we
do
want
to
support,
and
then
we,
you
know,
give
people
probably
about
six
months
to
migrate.
Okay.
So
it's.
E
We'll
that
brian,
what
does
red
hat
do
or
something.
M
Yeah
we
do.
We
do
n
minus
two
of
or
n
minus
yeah,
we'll
do
n
minus
two
of
our
releases,
but
the
older
releases.
We
only
do
critical
and
important
cbes
and
critical
bug
fixes
so
for
how
long
until
the
whatever
release
is
gonna
end
up
like
that.
M
So
I
think
like
where
we're
at
now
coming
up
with
a
release
based
on
1.9,
we
would
be
supporting
1.4,
1.6
and
1.9
until
we
moved
to
a
later
release-
and
I
think
you
know
just
this
just
has
to
do
with
our
internal
versioning,
but
because
of
the
differences
between
one
four
right
and
later
that
one
may
perhaps
linger
longer.
But
once
again,
that
would
be
just
critical.
M
Patches
typically
would
be
n
minus
two.
So
once
we
moved
to
1.11,
we
would
only
be
supporting
1.11
and
1.9
and
we
would
drop
support
for
1.6.
E
M
M
M
M
Yeah,
if
we
need
to
make
exceptions,
we
make
exceptions
correct
so
like.
If
something
came
out
like
111
and
you
couldn't
upgrade
from
1.9,
we
would
cut
a
new
release
and
you
know
call
it.
You
know.
Whatever
our
next
major
version
number
is
and
say
we
don't
support
upgrade
from
1.9
to
1.11.