►
From YouTube: Istio User Experience WG September 8, 2020
Description
- "istioctl command type/name" enhancement
- organizing istioctl commands better to reflect persona/role
A
Yeah,
so
we
pretty
much
prefer
to
have
a
crd
for
the
defaults
and
the
main
reason
is
the
mesh.
Config
is
actually
not
configurable
in
our
managed
issue
environment,
where
we
don't
allow
users
to
change
mesh
config,
a
lot
of
at
least
most
of
the
field
in
the
mesh
config
and
the
main
reason
is
you
know,
because
if
because
we
automatically
manage
like
the
control
plane
update
forward
use
if
they
change
mesh
config,
you
have
to
think
out,
you
know
it
could
be
overwritten.
A
First
of
all,
second
of
all,
how
do
you
upgrade
the
mesh
complex
to
the
new
version
right?
If
you
can't
solve
that
problem,
it
would
overwritten
for
them.
So
if
we
can
separate
the
admin
default
out,
so
they
could
configure
admin
default
separately
like
the
outlier
detection
time,
our
retry
and
mesh
config
could
be,
you
know
from
really
advanced
user,
but
for
normal
user.
Hopefully
they
don't
have
to.
B
A
B
B
Everyone-
everyone
wanted,
I
mean
it's
it's
just.
The
problem
was
that
that
we
had,
you
know,
values,
global
and
a
lot
of
other
things
and
mesh
config
was
a
better
place
than
those
because
at
least
it
was
an
api,
but
I
agree
we
always
wanted
to
have
mesh
config
and
proxy
configures
proper
crds,
and
we
already
have
proxyconfig.
We
went
that
way
where
it's
the
annotation,
it's
kind
of
a
proper
exposed
api.
A
B
A
B
Yeah,
I
think
the
main
the
main
argument
is
that
mesh
config
was
never
really
user
editable
because
you're
right,
I'm
almost
all
the
time
I
mean
yes,
we
have
ability
to
change
it
at
runtime
and
reload
it
and
and
apply
it,
but
next
time
the
user
is
going
to
do
an
install
or
any
change.
It's
going
to
be
overwritten
and
lost,
and
we
had
this
problem
for
a
very
long
time.
So
it's
kind
of.
A
C
Okay-
okay,
great,
I
will
make
sure
I'm
at
the
next
meeting
and
talk
about
how
we
can
dump
out
that
field
and
explain
it
to
users.
So
the
we've
been
putting
this
off
for
a
while
organizing
the
commands
by
personas
and
roles.
This
this
document
is
very
preliminary
and
I
think
it
is
kind
of
old,
but
I
didn't
I
first.
C
For
the
admins
and
which
commands
are
for
the
users-
and
I
think
I
did
this
before
one
seven
came
out-
so
I've
started
trying
to
fix
it-
tell
me
about
the
control
z
stuff,
that
users
should
never
see
any
of
that
right.
C
Even
on
the
is
there
anything
that
would
run
in
a
user
pod
that
they
build
a
c
for
control,
z,.
D
Yeah
these
would
be
these
would
be
control
plane
logs
that
typically
users
wouldn't
look
at.
I
guess.
D
So
yeah,
I
I
think
I
think
that's
what
you're
implying
that
that
it's
it's
mostly
an
admin.
It's
it's
mostly
something
for
admins.
I
I
think
that
it
does
belong
in
this
in
this
section.
E
B
A
So
so
I
that's
a
good
question,
so
I
think
there's
really
three
roles,
so
why
is
the
cloud
operator
like
you
were
saying?
You
know
google
right
operating
issue
for
your
customer?
The
second
row
is
the
platform
team.
Who
is
we
also
called
mesh
admin
early,
which
is
the
platform
owner
of
the
service
mesh
platform
for
a
particular
customer?
F
A
F
A
B
It's
it's
it's
familiar,
for
example
in
in
hosted
services
you
have
the
admin,
so
even
if,
if
the
yeah,
the
user
is
a
user-
and
that
mean
is
the
ones
that
has
been
administered,
you
know
east
ud
or
whatever,
but
he's
not
actually
operating
and
running
the
service.
That's
good!
I
want
to
make
sure
we
have
clear
names
and
separation
between
them,
because
again
it's
a
big
difference
between
mesh
admin
and
the
service
owner
and,
for
example,
I
don't
want
the
measured
bin
to
control
his
upgrades.
A
A
I
would
think
he's
the
platform
team
right
because
under
him,
he's
probably
have
like
multiple
service
owner
that
he
work
with.
B
B
B
A
C
B
Except
the
mesh
config
settings
we
discussed
as
a
default
settings,
not
mesh
config.
We
want
to
kill
mesh
config
and
leave
it
for
operator,
so
the
new
default
settings
or
new
whatever
you
want
to
call
it.
B
D
A
C
Some
of
the
options
that
we
see
here
like
the
profile
stuff,
I
don't
even
know
how
that
would
apply
something
like
turning
on
the
demo
profile
thing.
Do
we
even
want
to
have
profiles
still
in
the
future.
D
I
think
that
that,
probably
for
most
cases,
they're
not
gonna,
be
all
that
useful,
but
we
do
have
some
internal
use
cases
that
that
do
leverage
it
actually
for
for
managed
steel.
So.
A
C
D
I
I
think
so
yeah
I
don't
see
users
wanting
to
poke
around
in.
Unless
I
I
mean
it's
actually,
it's
a
general
purpose,
stiffing
tool.
So
it's
it's
not
really
specific.
It
just
happens
to
be
on
the
manifest,
but
you
can
div
any
ammo
manifest
with
it
that
you
want,
and
it
gives
you
a
pretty
nice
nice
yaml
diff
view
which
is
which
is
not
easy
to
come
by.
D
I
I
think
yeah
yeah.
I
consider
that
that
may
be
the
way
to
go,
because
it's
it's
just
happens
to
be
on
the
that's
what
we
initially
created
it
for,
but
I
I'm
not
sure
if
that's
where
it
belongs,.
C
So,
let's
so
this
promote
canada
master
has
a
new
name,
and
I
forgot
what
it
is.
So
I
can't
change
it
right
here.
It's
the
idea
of
modifying
the
web
hook
so
that
the
istio
injected
true
points
to.
C
C
Command
hasn't
been
created
yet,
and
it's
it's
scheduled
for
one
eight.
I
forget
what
I
called
it
in
one
eight,
but
it's
something
like
a
command,
a
command
that
so
you
know
we
have.
C
We
have
a
special
annotation
for
these
other
control
planes,
and
then
we
have
this
special
legacy.
Annotation
and
I
almost
don't
want
to
discuss
it
because
we
had
like
a
20-minute
conversation
last
time
about,
should
we
get
rid
of
it
or
should
we
make
it
easier
to
point
this
special
label
at
a
particular
control
plane.
A
D
D
Currently,
I
I
don't
think
it
does
a
whole
lot
or
it
would
do
a
whole
lot,
and
you
know
an
alternative
approach
to
it
is,
is
just
to
to
just
change
recommendations
to
stop
using
the
old
label,
but
anyway
I
I
mean
I
I
think
if
we,
if
we
do
decide
that
there
is
enough
under
that
command
that
that
you
know
we
should
create
it,
and
I
I
do
think
it
should
be
user.
C
Fair
enough,
so
I'll
ask
you
about
these
three
operator
commands:
do
we
still
need
them,
and
I
assume
they're
for
admins
only
definitely.
D
Yes,
we
we
do
need
at
least
the
second
two,
the
the
first
one
is
something
that
it
was
a.
It
was
a
request.
You
know
I
I'm
actually.
I
would
like
to
remove
it,
but
but
somebody
asked
for
it-
and
I
I
don't
know
if
we
can
just
remove
it
arbitrarily,
but
it
just
really
doesn't
do
much
other
than
renders
the
installation
template
for
operator.
D
So
for
folks
that
use
different
installation
paths
for
for
operator
they
they
use
that
to
to
be
able
to
inspect
and
apply
the
install
manifest
for
operator
so
but
anyway,
yeah.
I
think
these
three
are
definitely
under
admin
or
cloud
operator.
C
Fair
enough,
so
I
had
jumped
ahead
and
we
talked
about
profile,
diff
and
profile,
dump
and
profile
list.
C
D
So
you
know,
I
think,
they're
they're
tight,
they're
kind
of
a
package
deal
with
with
profiles
in
general.
C
Fair
enough,
I
listed
version
here,
I've
put
version
on
both
user
and
admin
because
I
think
they
both
need.
It.
C
At
a
previous
meeting
we
said
we
want
to
get
rid
of
this
post
install
which
no
longer
does
anything
and
pre-check.
I
think,
do
we
think
this
is
admin
only.
Do
we
think
that
users
want
something
more
like
what
lynn
was
talking
about
in
her
service
mesh
contact
to
take
a
look
at
your
workload
and
tell
you
if
it's
a
good
workload
for
istio
steve
current
pre-check
is
telling
you
if
your
kubernetes
cluster
has
the
right
version
in
memory
for
sdo
control
plane.
Do
we
want
a
pre-check,
a
data
plane,
pre-check.
B
B
I
I
mean
you
have
a
mesh,
you
can
add
clusters
because
multi-cluster
what
different
versions,
the
version
of
study
may
be
upgraded
by
the
operator
when
they
decide
to
pre-check
will
do
what
I
mean.
When
do
you
run
pre-check,
because
after.
F
C
D
D
Well,
we
should
we
should
make
it
easier
for
them,
but,
but
I
think
the
concept
is
is
good.
I'm
not
sure
if
this
is
the
best
implementation
of
it.
C
B
C
Good
point
so
we'll
try
to
improve
it.
A
I
mean
certainly
pre-check
is
not
useful
for
people
who
rarely
manage
the
service
mesh
environment
right,
but
it
could
be
useful
for
people
learning
istio.
They
can
just
you
know,
run
this
to
before
they
install
insta,
because
it
helps
you
to
check
for
it.
For
instance,
we
don't
support
kubernetes,
115
and
1.7
at.
D
A
D
Good
point
it
has
caught
it
I
mean
I,
I
think
it
came
into
existence,
because
we
were
getting
persistent
installation
issues
that
that
were
easily
identified
with
this
pre-check.
C
So
we
have
a
new.
We
want
to
make
this,
so
I
I
I
put
everything
under
workload
users,
but,
as
was
pointed
out,
we
have
this
idea
that
there's
someone
who
manages
the
whole
account
and
then
there's
individual
service
operators
who
manage
a
single
service
or
namespace
or
test
develop.
C
So
most
of
these
commands
seem
to
benefit
both
groups.
Things
like
analyze,
I
think,
convert
ingress
is
gone.
C
C
So
if
you
have
any
special
things
to
say
about
these
commands
regarding
these
add-on
commands,
grafana,
jaeger,
prometheus
and
zipkin,
I
had
something
I
wanted
to
talk
to
costume
about
with
that.
So
currently
these
commands
work
by
looking
for
the
demo
installations
that
we
do.
I
was
thinking
that
it
would
be
nice
if
these
commands
worked
in
a
different
way.
C
If,
when
you
are
the
mesh
admin,
you
install
some
prometheus
in
your
own
way,
and
then
you
want
your
user
to
be
able
to
bring
up
grafana
that
this
dashboard
grafana,
rather
than
looking
for
istio
in
the
control
plane,
just
there's
a
url
that
it
does
and
I'm
gonna
make
this
thing
work
with
a
total
hack,
so
I'll
just
mention
this
hack
to
you
all
now.
Currently,
this
thing
looks
at
looks
at
istio
system
and
the
idea
is
that
in
the
future
we'll
be
able
to
specify
a.
C
Arfana
url
and
all
that
it
will
do
is
it
will
open
that
url
so
that,
in
a
sense,
that's
stupid
because
you
could
just
type
in
something
like
open
food
bar
grafana,
but
the
reason
it's
not
going
to
be
stupid
is
that
we
now
have
istio
cuddle
settings.
So
if
I
do
a
steel,
coil
x,
config
list,
all
these
settings
appear.
So
the
idea
is
that
I'm
going
to
make
these
commands
just
give
you
settings
so
that
if
you
type
this
in
it
could
just
be
a
reminder
for
you.
B
I
I
not
a
big
fan
of
you,
know,
feature
bloat
and,
and,
and
you
know
I
would
expect
most
people
to
never
touches
your
cattle
in
their
life.
I
mean
normally,
you
do
not
need
to
use
these
your
cutters,
that's
kind
of
a
clutch,
it's
something
that
it's
again
we
get
to
attach
by
two
to
two
cent
to
complexity.
B
I
mean
next
we're
going
to
add
the
istio
cattle
mail
comment,
because
maybe
people
want
to
send
an
email?
It's
it's
not
really.
I
think
it's
useful
to
keep
the
dashboard
graphana
to
do.
Support
forwarding
if
you
happen
to
have
graphene
installed
in
your
cluster.
Is
your
cutter?
Could
you
know
either
search
for
labels
or
or
specify
a
namespace
and
do
support
forwarding.
B
Don't
open
url,
I
mean
if
it's
doing
a
port
forward.
I
think
it's
useful.
If
you
can
add
the
search
for
graphon,
I
mean
to
get
namespaces
or
or
have
a
label
in
the
namespace
that
is
running
rafana
or
some
other
way
to
or
put
the
main
space
parameter
and
do
the
same
thing,
because
normally
I
would
expect
people
to
install
graphara
in
the
namespace
rafana
or
some
other.
C
C
Stuck
driver,
for
example.
Well,
I
know
I,
and
I
agree
this
idea
is:
does
it
make
our
documentation
and
blogs
easier
if
they
can
know
that
if
you
type
it
to
a
cuddle
dashboard,
grafana
you'll
get
the
graphic
hooked
up
to
your
seo,
or
is
that.
B
B
It's
it's
too
much
work
and
not
natural,
because
again
in
in
a
normal
company,
there
is
a
group
that
is
going
to
a
different
group
that
is
going
to
maintain
grafana,
for
example
in
google,
and
I
think,
I'm
pretty
sure,
in
red
hat
and
all
other
companies
there
is
manage
grafana.
That
is
offered
just
like
managing
security.
I'm
not
saying
we
should
have
that.
I'm
saying.
C
B
Sure
that
would
be
a
different
project,
not
easy.
I
mean
it's
not
just
your
job
to
keep
track
of
other
things
I
mean.
Maybe
kubernetes
will
have
some
feature
like
that,
or
maybe
there
is
a
cube
cattle
described
cluster
which
actually
gives
you
that
some
some
urls
like
that,
if
you,
if
you
do
describe
cluster,
you
can
see
some
of
the
things
that
are
installed
in
in
kubernetes
with
some
I'm
just
I'm
trying
to.
C
B
Yeah
one
one
thing:
rafana
is
that,
typically,
when,
when
it's
managed
graphana,
you
have
a
username
and
password
and
unfortunately
it's
not
used
integrated
with
single
sign-on
systems
and
people
have
problems.
If
you
go
to
a
url,
I
mean
it's
not
a
http
url,
usually
an
https
url
and
at
least
for
the
ones
that
I
tried.
You
need
to
type
the
username
and
password
that
is
created
in
in
grafana
itself.
B
A
C
C
Total
dashboard
grafana
it
would
you
hadn't,
set
this.
It
would
currently
it
says
no
graffana
pods.
The
new.
The
new
error
message
will
be
no
graphanopods.
If
you
have
a
dedicated
grafana,
please
add
it
to
this
config
file,
and
then
you
type
it
you
do
that
and
then
you
type
it
again
and
it's
just
there.
It's
just
a
convenience
method.
It's
not.
B
Useless
because
if
you,
the
real
problem,
is
how
do
you?
Actually?
What
do
you
type
in
when
graphing
opens?
You
need
a
username
and
password
it's
an
https
url
and
it's
authenticated.
Your
browser
is
caching
that
for
you,
caching,
from
where
I
mean
you
need
to
sign
up,
you
need
to
be
added.
It's
an
entire
process
for
that
and
why
I
mean,
do
we
have
commands
to
open
google?
Do
it?
Do
I
go
easter
cat
or
google
search
opens
a
browser?
I
mean
it's,
not
our
documentation.
C
B
A
Maybe
before
we
have
a
good
conclusion,
we
can
just
detect
it's
not
ronnie.
We
can't
do
it
for
you
know.
So
if
people
have
it
running,
we
can
do
poor,
forwarding
automatic
launch
for
them
as
a
convenience,
store.
B
B
But
we're
trying
to
make
it
easier
easier,
not
by
adding
more
features
and
functionalities
that
don't
belong,
belong
to
istio.
If
we
believe
that
it's
so
such
an
important
feature,
maybe
grafana
should
have
a
grafana
cattle
and
promote
yourself
should
have
a
prometheus
cattle
that
have
that
opens
their
own
dashboard.
However,
they
see
fit.
C
Fair
enough
carsten,
we
should
stop
talking
about
it
now
and
unless
people
change
their
mind,
we
can
either
let
this
rot
and
deprecate
it
or.
B
A
C
A
C
C
Cuban
that's
critical,
it's
critical
and
the
injection
pod
is
in
the
user's
clusters.
It's
everything
should
work
right,
there's
nothing!
That's
moved
to
centralize
2d.
B
B
F
C
B
B
C
C
The
add
to
mesh
and
remove
for
mesh
are
fairly
the
same.
The
security
team
is
redoing,
the
auth
z
command.
As
we
speak.
I
think
we
talked
about
this
at
another
meeting.
I
can't
tell
you
what
we
said:
we're
fixing
describe.
A
Create
a
remote
secret,
same
admin,
command
operator
yeah,
because
it's
creating
the
remote
secret
to
be
able
to
access
the
remote
cluster
to
read
the
endpoints
and
some
of
the
other
configuration.
C
B
B
A
B
A
That
is
true,
except
that
the
external
sdod
actually
needs
way
more
permission
than
create
a
remote
secret
because
create
a
remote
secret.
Most
of
the
permission
was
just
read
permission,
the
external
issue.
They
need
a
whole
lot
more,
so
we
don't
actually
use
create
remote
security
for
external
code.
C
Bootstrap
kiali
do
we.
I
I
put
dashboard
keali
down
here
separate.
Obviously,
if
we're
getting
rid
of
grafana,
we
should
get
rid
of
dashboards.
I
know
how
keali
would
be
working
in
a
centralized
situation.
C
B
B
B
Yeah,
so
maybe
that's
a
better
solution
to
to
just
pass.
Tell
kylie
hey,
take
care
to
take
over
dashboard
and
have
a
hyali
cattle
and
that
will
take
care
of
grafana,
jagger
and
all
the
other
stuff,
since
the
absolutely
need
is
part
of
their
business.
They
know
where
jagger
is.
B
A
A
A
B
And
second,
if
you
are
an
operator,
you
know
you
probably
know
what
you're
doing
and
probably
it's
not
a
problem
to
have
issue
admin
installed.
So
if.
C
We
wanted
if
we
want
to
do
something
for
the
next
release.
That
would
be
easy.
What
do
we
think
about
a
sub
command
called
istio
cuddle,
istio
admin,
so
we
would
move
all
of
the
commands
underneath
there
that
would
that
would
clear
up
what
you
see
when
you
type
it
still
cuddle.
I.
D
And
I
think
I
think
that
this
this
is
actually
not
not
a
big
work
item
to
to
offer
both
options.
Actually
I
mean
we
can
we
can
decide,
but
but
in
any
case
it's
going
to
be
based
around
the
the
cobra
command
framework
we
already
have
and-
and
if,
if
you
have
that,
then
it's
a
pretty
trivial
effort
to
include
it
into
istio
cuddlic
if
we
want
or
keep
it
as
a
separate
binary
right.
C
C
We
don't
want
users
to
be
overwhelmed
when
they
type
is
to
cuddle,
except
to
see
to
see
commands
like
operator
and
profile
that
maybe
they
can't
use.
If
we
could
get
half
of
these
commands
out
of
here
and
hide
them
under
istio
cuddle,
istio
admin
or
istio
cuddle
admin
that
might
help
it
would
just
be
moving
some
things
around
in
the
hierarchy.
D
Right
so
so
I
think
that
part,
I
totally
agree
with.
I,
I
think
whether
we
put
it
under
a
new
sub
command
and
then
you
know
require
istio
cuddle
admin
versus
having
a
separate
binary.
I
I
think
that
that
part
is
pretty
easy
to
implement.
B
C
B
No,
we
leave
the
commandance.
It
is
because
we
cannot
change
backward
compatibility,
but
we
are
the
keyboard
main
command.
That
has
only
the
admin
commands
and
we
deprecate
and
change
the
start
stage
changing
the
documentation
and
when
the
documentation
is
changed,
we
can
start
stop
using.
So
I'm
not
saying
now
do
that,
but
just
start
the
issue
admin
make
sure
that
all
the
admin
commands
go
into
histo
admin.
C
B
Feels
like,
or
maybe
the
opposite,
I
mean,
maybe
start
a
command.
I
don't
know
how
to
call
it,
but
that
has
only
the
user
visible
commands.
B
A
A
And
I
think
they
are,
they
were
created
on
different
team
also.
So
it's
not
like
us
we're
being
cuddled
together
at
the
beginning.
D
So
I
actually
think
that
it's
it's
worth
finding
the
answer
to
that
question
because
we
may
be
assuming
that
they
did
it
after
you
know
some
lengthy
deliberation,
but
it
could
be
that
that
they
did
it
for
some
some
completely
different
reason,
and
if
they
went
through
deliberations
they
they
probably
have
some
some
good
reasons
for
doing
that,
and.
B
I
I
I
can
give
you
an
example.
I
mean
we
have
jk
in
kubernetes
in
google
and
that
you
know
it's
a
managed
kubernetes
and
that's
the
job
of
google
to
figure
out
how
to
install
and
keyboard
main
doesn't
apply
same
thing.
With
this
I
mean
we
having
google
have
traffic
director
and
we
have
you
know
kind
of
other
managed
estiods
that
we
can
run
where
the
user
will
not
have
to
have
any
way
to
administer
it.
B
D
Know
I
think,
I
think
that
kubernetes
and
istio
are
are
slightly
at
different
stages
of
maturity
in
terms
of
being
a
managed
offering.
D
I
think
kubernetes
is
much
further
along
and-
and
you
know
maybe
maybe
the
the
balance
between
sort
of
users
who
are
both
admins
and
users
is
is,
is
greater
in
the
easter
case
towards
towards
people
that
are
doing
everything
themselves.
At
this
point,
I
think
it's.
B
That's
how
it's
changing
I
mean
by
by
by
making
it
clear
that
they're
separate.
So
you
know
you
can
have
a
managed
issue
and
you
can
have
separate
role
and
you
have
separate
commands
and
you
are
not
required
to
I
mean.
Even
for
multi-tenant.
We
agreed
that
the
api
is
the
line
of
demarcation
and
you
should
not
assume
that
you
are
running
an
sdod
to
have
a
talent.
D
B
A
B
Yeah,
it's
that's
not
really.
My
concern,
I
mean
I
don't
really
care
about
that
means
because,
for
example,
in
google
probably
not
use
this
to
admin
at
all.
My
concern
is
for
users
who
are
just
using
history
to
not
be
confused
by
having
some
commands
that
have
no
effect
and
or
worse.
Who
knows
what
will
do.
A
A
C
So
we
went
over.
Thank
you,
everybody,
everybody
who
wants
to
please
review
the
pr
for
supporting
type,
slash
name
instead
of
pod
name
and
istio
cuddle.
Thank
you.
Everyone
have
a
good
day.