►
From YouTube: Istio UX Working group August 25, 2020
Description
- istioctl using JWT tokens to contact XDS
- Continue Inventory/Analysis of istioctl commands
- issue to use consistent capitalization
- PR for duplicate matches leading to unreachable rules
A
A
This
should
eliminate
all
of
the
huge
difficulties
we
had
with
security
and
file
to
make
certificate
directories
and
all
those
other
problems
we're
having
with
one
seven.
So
I
got
some
initial
reviews.
I
totally
redid
the
pr
and
it's
very
quick
it.
It
goes
and
asks
kubernetes
for
a
token
which
takes
a
few
milliseconds
and
then
it
starts
using
it
and
it
recreates
the
token
every
time
it
runs.
A
So
I
invited
tariq
here
tariq.
Am
I
pronouncing
your
name
correctly.
A
A
Yes,
so
tarek
has
been
submitting
some
pr's
recently.
I
I
do
not
know
him
he's
from
mulesoft
and
salesforce.
Is
that
right?
Oh
correct?
Yes,
I
just
copy
that
off
your
github
page
anyway.
He
he
found
some
problems
with
remove
from
mesh
and
we
merged
them
for
one
eight
and
he
was
thinking
that
we
should
merge
them
for
one
seven.
I
thought
we
could
take
five
or
ten
minutes
to
look
at
this
or
hear
from
tariq.
Why
we
think
this
is
important
enough
to
get
into
one
seven.
B
Yep,
oh,
I
can
explain
my
case
if
you'd
like
sure,
yeah
so
right
now,
since
we
have
enabled
enable
I'm
sorry
enable
the
appropriate
write
in
sdo.
B
So
what
istio
does
is
rewrites
all
the
health
check
at
probes
whenever
we
inject
the
psychoproxy
now
when
we
want
to
remove
all
of
the
injections
that
is,
do
the
uninject
remove
from
mesh
does
not
restore
the
app
probes
as
it
was
so
it
so
it's
kind
of
a
blocker
for
us.
If
we
were
to
use
ad
from
add
to
mesh
and
remove
from
mesh,
can
you.
A
B
Oh,
so
our
setup
is
basically
we
use
istio
in
a
different
namespace,
not
sdf
system.
We
have
a
control
center
sort
of
of
sorts,
which
acts
which
has
its
own
namespace,
so
we've
kind
of
scoped
istio
under
that
control,
center
namespace
and
we
also
use
istio
cni,
that's
a
kind
of
different
scenario.
B
So,
but
I
guess
the
main
a
main
motivation
behind
I
had
to
mention
the
room
from
mesh.
Is
that
it?
I
think,
that's
the
our
best
way
of
limiting
what
you
know
the
pods
that
will
be
injected,
because
if
we
were
to
enable
istio
injection
in
namespace,
then
all
of
the
workloads
in
that
name
space
would
be
injected
with
hdl
proxy.
A
So
I
approve
these
prs
because
I
thought
that
they
were
low
risk
and
now
that
they
were
going
to
be
in
one
eight
do
we
do
we
want
to
enable
this
for
one
seven,
I
don't
think
it's
gonna
affect
anyone
unless
they're
using
remove
for
mesh
and
if
they're
using
remove
for
mesh,
then
it
probably
won't
affect
them
unless
they're
in
using
the
special
stuff
that
tariq
is
talking
about.
C
So
I
have
a
question,
so
how
do
you
restore
the
app
pro
as
part
of
remove
to
mesh?
Does
it
still
actually
remember?
Yes,
the
probe
user
used.
C
Okay,
I
I
have
another
question:
why
would
you
needs
to
change
the
control,
but
I
assume,
maybe
your
environment
doesn't
have
the
http
properly
right
configuration
enabled.
B
B
Oh
so
I
think
my
argument
is
that
since
istio
does
this
rewrite,
it
should
do
the
I
think
it.
It
falls
under
the
scope
of
istio
to
restore
the
probes
once
the
istio
proxies
are
removed
once
the
uninjection
is
done.
C
B
C
B
B
A
Okay,
unless
anyone
objects,
I'm
going
to
I'm
going
to
help
atari
create
a
cherry
pick.
Pr417.
A
Excellent,
thank
you
for
your
hard
work
tariq
and
I
hope
you
consider
making
more
contributions
to
istio
in
the
future.
A
Thank
you
and
if
you
ever
want
to
talk
about
how
your
organizations
use,
sto
or
the
troubles
you've
had
and
want
to
give
feedback
to
the
experience
group,
let
me
know-
and
I
can
try
to
put
you
on
the
calendar
for
sure.
Thank
you.
I
appreciate
that
excellent.
So
last
week
we
were
going
through
our
analysis
of
all
of
the
istio
cuddle
commands
to
see
what
we
wanted
to
preserve
and
strengthen
and
what
we
wanted
to
remove.
A
A
This
this
is,
I
wrote
this
command,
it's
a
pretty
good
command
for
adding
sto
without
adding
it
to
a
namespace.
Don't
think
it
deserves
a
lot
of
talk.
A
The
the
auth
z
command
deserves
discussion.
First,
we
recently
removed
the
convert
piece
from
it
and
the
check
piece
I
wasn't
able
to
find
it,
but
it
we
are
trying
to
redo
the
auth
z
check
it.
It
is
not
satisfying
people.
A
Istio
cuddle
config
is
brand
new.
Has
everyone
seen
that
command.
A
If
you
do
a
config
list,
it
gives
these
defaults,
and
these
defaults
are
currently
mostly
used
for
the
security
features
of
central
stud,
and
the
goal
is
to
any
is
take
any
features
that
people
commonly
use,
such
as
this
to
your
namespace
and
put
them
in
a
config
file
similar
to
cubeconfig.
A
A
So
if,
in
my
first
version
of
the
new
sub
commands,
users
had
to
enter
explicitly
every
single
time,
their
is
to
the
endpoint
authority
and
certificate
dur,
which
was
a
huge
problem
because
you,
obviously
you
didn't-
want
to
keep
typing
them
in
every
single
time.
You
ran
the
commands.
A
You
would
like
to
just
be
able
to
use
the
existing
commands
exactly
with
the
same
syntax,
no
arguments
so
with
istio17.
It
now
looks
in
the
sdo
cuddle.
The
dot
is
to
cuddle
directory
for
a
file.
So
let
me
if
I
cre,
if
I,
if
I
paste
such
instructions,
it
will
make
the
file.
I
may
already
have.
A
A
A
People
don't
want
to
type
and
then
just
like
cube
control,
they'll
be
sort
of
defaults
for
the
commands
that
will
help
it
find
things
like
you
know
if
you've
installed
this
to
a
non-standard
directory.
That
kind
of
thing.
A
A
I
wanted
to
ask
about
create
remote
secret.
Are
we
still
using
that
command?
I
never
create
multi-clusters
using
this
command.
C
Yeah,
it's
used
a
multi-cluster
environment
to
give
the
primary
cluster
access
to
the
remote
cluster
so
that
it
can
like
read,
services
and
some
of
the
gateway
configuration
like
the
gateway
and
networking
maps.
A
Perfect,
well,
then
we
can
keep
it.
I
just
wanted
to
go
through
and
see
which
commands
deserve
more
or
less
attention,
so
cube.
Cuddle
describe
is
another
troubleshooting
command.
We
have
a
issue
to
restore
tls
setting
display
and
check,
but
I
think
that,
except
for
that
issue
is
basically
ready.
A
Cube
uninject
is
the
command
that
tarek
was
talking
about
earlier
in
the
meeting,
I
wanted
to
point
out
that
it
cuban
inject,
has
no
docs
other
than
itself,
so
we
have
remove
from
mesh
and
cube
uninject,
and
if
we
want
people
to
be
sort
of
using
either
one
removed
from
macro
cube
and
eject,
we
should
probably
work
with
the
docs
team
to
make
some
kind
of
guide
or
path
about.
B
C
A
So
the
next
command
is
metrics.
Metrics
is
basically
terrible.
It
has
no
docs
other
than
itself
either,
but
we
have
good
news,
which
is
that
there's
now
an
issue
from
telemetry
to
approve
that
that
has
an
assigned
person
and
also
someone
else
told
me
that
they
might
be
interested
in
helping
with
it.
So
anyone
who
wants
a
cli
way
to
read
metrics,
for
you
know,
scraping
with
scripts
and
using
awk
and
things.
A
A
C
I
don't
think
so.
I've
never
used
this
either.
I
think
jason
might
be
introducing
this,
but
I
don't
believe
our
documentation
has
been
updated
to
use
it.
C
Yeah-
and
I
think
if
one
of
the
key
questions
is,
does
this
thing
support
multi-network,
because
I
remember
at
one
point
it
doesn't
support
multi-network,
which
is
why
we
never
use
it.
I
don't
remember
if
it's
added
to
super
multi
network,
I
don't
know
who
who
would
be
jason's
replacement
on
google's
site?
Would
that
be
amazing
would
be
a
good
person
to
ask.
D
Yeah
we
haven't
really
hired
in
terms
of
a
backfill,
for
that
nathan
is
familiar
with
some
of
jason's
work,
I'm
familiar
with
some
of
it,
I'm
not
familiar
with
this
particular
command.
E
A
E
Less
is
more
and
all
that
hey,
I
I
was
louis
asked
me
to
do
some
exercise
to
look
at
mesh
config
in
general
and
see
which
fields
are
really
used
by
users
which
fields
are
used
by
operators
which
still
are
useless,
and
there
is
a
very
small
number
of
fields
that
are
really
useful
for
users
right
now,
from
the
current
estimation,
so
even
the
mesh
config
editable
by
users,
it's
debatable
and
it's
alpha,
so
we
can
probably
get
rid
of
it
poke
some
of
it.
A
A
I
think
it
was
used
for
some
one
floor,
specific
installation
thing.
I
have
never
used
it
and
there
are
no
examples
and
it
may
no
longer
be
needed.
It's
no
longer
needed.
E
E
E
Okay,
it
would
work
with
what
is
your
cutter
and
with
hand3.
We
definitely
don't
use
posters
or
books.
A
All
right,
I'm
thinking
I'm
going
to
create
an
issue
and
tell
you
this
good
first
issue
to
get
some
people
to
start
contributing
because
it
looks
pretty
easy
to
get
rid.
F
I
think
people
are
still
using
it.
F
C
A
C
E
It's
it's
it's
actually
not.
I
mean
I
definitely
install
so
do
pre-check,
but
it's
I
think
it's
reasonable
to
have
a
tool
that
is
just
pre-checking
that
everything
is
in
good
state.
In
case
you
actually
want
to
do
the
install
to
other
means
like
helm3
or
ci,
cd
or
other
systems.
So
I
I
don't
think
we
we.
I
mean
the
plan
is
to
to
support
him
three
and
other
mechanisms
as
well.
So
we
cannot
assume
that
people
will
always
use
this
to
apply.
E
And
we
have
a
fixer
or
a
kind
of
we,
we
should
probably
have
both
a
pre-check
and-
and
you
know,
kind
of
fix
or
prepare.
E
So
right
now,
theoretically,
your
cat
will
apply
is
doing
a
pre-check
you're
supposed
to
be
doing
a
pre-check
is
doing
any
kind
of
release,
notes
related
changes
like
if
we
can
automatically
change
some
some
of
the
config
so
and
then
it
applies
the
owl
in
in.
In
the
case
of
of
you,
know,
cicd
system,
the
last
part
applying
the
yaml
will
be
outside
of
the
control
of
official
cattle.
E
It
will
be
done
by
cicd,
but
the
admin
periodically
may
need
to
do
pre-check
and
and
fix
to
do
whatever
is
necessary
to
get
to
fix
the
applications
and
and
other
things,
and
that
can
be
done
during
after
the
upgrade.
E
So
we
deprecate
stuff
and
say:
hey
you
have
until
the
next
release
to
do
those
steps
because
they're
going
away
and
then
after
the
upgrade
users
will
go-
and
you
know,
whenever
he's
comfortable,
do
this
fix,
maybe
by
namespace
or
whatever,
and
then
test
it
and
then
and
then
have
three
months
or
whatever
to
to
get
the
cluster
ready
for
the
next
upgrade.
When
the
feature
is
going
away,
does
it
make
sense.
A
C
But
yeah,
so
are
you
suggesting
the
prepare
would
be
people
would
do
it
wasn't
clear
to
me
that
whether
you
were
proposing
istio
would
automatically
upgrade
certain
resources
for
the
user
because
of
it?
Maybe
it's
out
of
support,
or
would
they.
E
We
during
issue
history:
we
deprecated
your
kind
of
features
like
authentication,
v1,
authentication,
v2
and
all
kinds
of
other
things,
and
we
make
some
backward
incompatible
changes
in
general.
E
The
policy
has
been
that
if
we
want
to
remove
something,
we
deprecate
it
first
and
in
the
next
three
days
we
get
rid
of
it
completely,
and
maybe
we
one,
but
the
problem
is
that
during
this
three
months,
where
the
feature
is
deprecated,
the
user
can
go
and
start
fixing
that
application
so
wow
great
for
authentication
view
alpha
one
two
beta
one
or
do
whatever
nature's
necessary
changes
in
their
own
config
right
right
now.
I
think
we
are
trying
to
do
it
at
startup.
E
So
when
we
install,
we
are
combining
doing
some
fixes
with
with
installing,
but
if
we
decouple
them,
so
we
can
say,
for
example,
you
have,
you
know,
upgrade
this
authentication
policy.
For
example,
you
can
both
do
it
namespace
by
namespace,
and
you
are
not
coupling
with
with
the
upgrade,
especially
for
naturalistic
audio
or
manages
to
your
dealer
when,
when
again
you
don't
control
exactly
this
upgrade
cycle.
F
So
that's
a
little
overlap
with
the
deprecation
analyzer
right.
The
the
difference
is
different.
Deprecation
analyzer
just
tells
you
you're
in
the
older
version,
but
this
one
we
need
to
correct
the
version.
F
Is
that
something
we
wanted
so
that
that
that
kind
of
gives
us
like
we,
we
probably
yeah?
I
need
to
kind
of
have
a
policy
for
that,
like
what's
the
oldest
version
that
you
can,
you
can
use
this
right,
like
we
can't
say
like
in
one
you
you
use
in
one
or
two
and
we
convert
it
for
you,
that's
impossible.
E
E
E
Separate
pre-check
is
would
probably
combine
the
deprecation,
analyzer
and
pretty
much
anything
else
and
the
other
one
will
be
especially
since,
since
we
want
to
split
the
mean
versus
sorry,
cluster
admin
versus
namespace
admin
and
probably
this
check
will
be
run
by
namespace
admin,
because
they
will
need
to
understand
what
the
hell
is
going
on.
In
many
cases,.
F
Wait
but
if,
if
they're
running
on
namespace
admin,
then
one
namespace
has
the
updated
api,
but
the
other
one
doesn't
have
the
updated
api
and
they're.
E
F
A
So
with
one
seven,
we
do
deprecation
analysis
piece
in
istio,
cuddle
analyze.
That
will
tell
you
about
any
crs
that
are
going
away
or
you
that
you
still
have
that
are
gone.
C
F
E
But
but
the
critical
part
of
what
I'm
trying
to
to
convince
is
that
it
needs
to
be
split
into
one
part:
that
designed
by
the
cluster
admin,
which
may
not
understand
all
the
namespaces
and
also
users,
and
one
part
that
should
be
targeted
toward
users.
So
it's
a
user
needs
to
change
something.
The
system
admin
should
not
go
and
make
changes
to
the
user
configurations
which
may
be
overwritten
later
by
base
acd,
because
in
reality,
in
a
namespace
you
will
have
a
csd
that
is
pushing
the
configs.
F
E
A
E
F
I
think
in
over
this
is
a
better
solution
compared
to
the
old
kind
of
version.
Conversion
I
was
proposing
john,
is
was
strongly
opposing
my
kind
of
ink
cluster
kind
of
conversion.
So
if
we
do
this
like
prepare
in
ahead
of
time,
then
I
think
you'll
probably
be
a
better
solution.
Yeah.
F
Okay,
I
think
yeah,
that's
a
good
idea.
Yeah
we'll
take
a
look
into
that,
and
hopefully
we
can
achieve
it
for
one
day.
A
Excellent,
shall
we
move
proc.
The
experimental
proxy
status
is
new
in
one
eight,
it's
going
to
get
token
support,
there's
already
a
pr
for
that
and
it
may
replace
the
existing
proxy
status
in
one
eight.
So
we'll
have
to
discuss
that
soon.
D
All
right,
as
long
as
we
get
all
of
the
needed
authorization
steps
so
that,
like
I,
haven't
seen
your
pr
ed,
is
there
separate
work,
that's
required
to
acquire
the
token
or
can
a
user
just
run
istio
control
proxy
status
as
they
did
before.
A
So
with
the
latest
pr,
if
the
user
has
kubernetes,
it
works
perfectly,
it
100
of
the
time
goes
out
acquires
the
token,
which
is
very
fast,
and
then
it
uses
the
token
there's
no
steps,
the
only
the
only
risk
would
be.
If
you
didn't
have
kubernetes
at
all,
and
in
which
case
you
would
have
to
use
the
certificate
thing
or
we
could
come
up
with
something
else,
but.
A
E
Now
one
tiny
comment
I
have,
since
we
are
going
to
this
direction
and
there
are
some
other
pr's.
I
don't
know
if
you
show
them
to
to
disable
the
debug
endpoint,
would
it
make
sense
or
it
will
simplify?
Or
would
you
simplify
your
life
if
we
moved
the
debug
endpoints
to
the
https
endpoint
with
jot
authentication,
and
you
can
access
them
through,
you
know
to
the
gateway.
E
Does
it
have
do
you?
Is
there
any
information
in
the
debug
that
that
you
would
use
in
istio
cattle?
That
is
not
specific
to
a
particular
instance,
because
if
you
go
to
a
gateway
and
https,
you
will
well
actually
no
it's
that's
that's
not
necessarily
true.
You
can
still
go
to
individual
eqd
over
https
with
token
and
and
access
it.
D
A
few
commands
that
have
not
been
migrated
off
the
debug
endpoint
weight
comes
to
mind.
E
Those
two
so
pretty
much
everything
that
is
right
now:
exposure
on
the
8080,
unsecure
port.
We
can
move
on
the
secure
port
and
and
put
drought
authentication
on
top,
and
that
will.
C
A
So,
let's
do
so
mitch
if
you
could
implement
the
commands
that
still
use
the
old
debug
endpoint
as
quick
as
possible,
and
if
we
get
this
token
in
we
can
get.
We
can
replace
the
old
commands
quickly
and
that
will
be
wonderful.
D
Okay,
I
think
long
term
we'd
still
like
to
see
all
of
this
moved
over
to
xds,
of
course,
but
I'm
not
sure
that
all
of
that
is
necessarily
in
scope
for
one
eight.
A
lot
of
that
depends
on
how
much
progress
that
that,
mostly,
I
can
work
with
you
constant
on
the
troubleshooting
api.
E
E
So
I
think
the
most
important
is
to
stop
having
admin
interface
over
plain
text.
That's
really
an
analogy
unauthenticated
that
was
really
about,
but.
E
Still
want
xds,
but
it's
it's
kind
of
okay,
good.
A
Excellent,
so
the
remove
from
mesh
command.
I
think
we're
not
going
to
touch
this
release.
It
seems
fine
with
tarik's
fixes,
perhaps
the
sidecar
bootstrap.
I
don't
know
well
enough,
but
I
hope
that
the
people
who
wrote
it
are
using
it
and
making
sure
it
is
staying
healthy
and
current.
F
Actually,
it's
not.
I
tried
it
for
vm,
it's
it's
just
totally
outdated.
Now,
it's
it
does
not
create
workload.
Entry
at
all.
So
I
think,
there's
a
new
install
cuddle
command
work,
something
you
still
call
experimental
workload
entry,
something
like
that
proposed
yeah.
F
I
don't
know,
but
this
the
sidecar
bootstrap
basically
only
creates
a
service
entry
or
service.
Well
yeah.
I
I
don't
know
the
reason
for
for
the
naming.
D
A
A
Okay,
so
we
have
the
uninstall
command.
That
is
new
in
one
seven
seems
to
work:
fine,
the
experimental
version,
which
is
just
a
replacement
for
the
version
command
with
the
new
communication
thing,
is
fine.
We
have
weight
and
I'm
going
to
color
that
or
experimental
weight,
because
mitch
is
going
to
fix
that.
So
it
does
need
some
some
work
and
it
is
at
risk,
but
I
think
we're
in
good
shape
for
that.
A
Okay,
well,
I
will
go
through
this
document
and
create
issues
to
reflect
what
we've
had
and
try
to
get
this
going.
C
A
That's
true,
and
I
think
we
said
that
they
they
have
to
stay
until
they
have
an
automated
integration
test
and
documentation
and
sort
of
you
know
people
use
them
or
have
an
owner.
A
Some
of
these
commands
have
somewhat
suffered
because
we
have
been
too
lazy
to
write
integration
tests
for
things
like
add
to
mesh.
It's
a
huge
pain
to
write
a
test.
It's
loads
of
powder,
no
name
space,
does
add
to
mesh
weights
for
it
to
restart,
because
there
aren't
really
helpers
for
all
that
stuff.
Yet
so
tell
me
lin
which
commands
you
think
are
worthy
and
we
can
try
to
focus
on
getting
the
measures
tests.
The
vms
no
retimes
is
just
like
cube
inject.
C
With
the
services
already
existing
cluster,
actually
I
think
constant
is
asking
an
interesting
question,
because
we
have
this
bootstrap
cycle,
bootstrap
right
and
then
there's
another
new
command.
Some
someone
just
mentioned
that's
going
to
replace
cycle
bootstrap,
but
active
mesh
is
kind
of
doing
something
doing
stuff
similar
except
the
app2
mesh.
Only
works
for
kubernetes
workflows
right
now.
So
what
does.
A
A
It
there's
several
things?
First,
unlike
it
first,
so
it
as
an
argument,
it
can
take
a
deployment
or
a
service
or
a
pod.
It
can
do
what
cube
inject
does
or
it
can
create
annotations
so
that
if
there's
an
existing
like
oh.
E
B
A
So
why
okay,
the
reason
for
adtamesh
is
that
what
I
found
when
I
was
testing
was
that
I
found
it
was
really
great
to
patch
my
deployments
to
turn
on
and
off
the
annotation
for
injection
and
when
I
did
that
it
made
it
really
easy
to
figure
out
which
pods
had
and
supported
and
did
not
support.
Istio,
and
I
gave
a
requirement
for
how
to
write
that
to
some
people,
and
it
came-
became
back
very
big
and
complicated.
E
Actually,
now
that
I
think
about
it,
I'm
starting
to
become
a
big
fan
of
it.
That's
great!
E
So
would
I,
for
example,
so
does
it
use
the
injector
or
does
it
manually
that
cube
inject,
because
so,
basically,
if
you
pass
a
deployment
or
a
pod
and
it
reapplies
it,
that
would
be
a
good
way
to
test
without
putting
the
label
on
the
namespace
yeah.
A
A
It
yeah
anyway.
Okay,
I
get
it.
E
Yeah,
I'm
no
longer
going
to
find
it.
It's
basically
the
same
argument
with
the
ci
cd.
I
mean
it's,
it's
it's
a
transient
state
that
will
be
overreacted
next
time.
People
apply.
This
yeah
use
the
cicd
and
reconcile
with
the
icd.
That's
really.
H
E
A
The
way
I
used
it
was,
I
would
install
some
application,
a
a
micro
service
application
and
then
one
deployment
at
a
time
I
would
add,
to
mesh
and
see
if
it
broke
right,
because
what
I
had
in
the
past,
I
had
taken
a
whole,
a
large
yaml
file
with
a
bunch
of
microservices
cube
injected
they're,
all
injected
it
doesn't
work.
I
don't
know
why.
So
I
loved
taking
one
deployment
at
a
time
and
injecting
it
and
finding
where
it
breaks,
but
how
about.
A
C
H
I
mean
I
would
also
vote
for
describe
and
it's
something
that
I
tell
users
to
use
it
quite
quite
often.
A
Thank
you
for
that
vote
of
confidence,
and
I
think
it's
also
nearly
ready
as
well
the
reason
that
it
did
not
was
that
it,
although
there
is
integration
tests
for
it,
the
integration
tests-
maybe
don't
test
every
case
so
but
yes,
we
could.
We
could
try
to
get
it
in
the
main
line.
A
So
shamster
is
shampster
is
removing
all
the
graduated
ones.
So
if
you
look
at
the
daily
builds
in
a
couple
days,
all
the
graduated
ones
are
gone.
C
A
A
Okay,
great,
we
have
just
eight
minutes
and
I
had
planned
to
talk
about
organizing
admin
versus
user
commands,
so
I'm
not
gonna
discuss
that
we'll
discuss
that
next
week
I
had.
I
have
an
issue
to
do
consistent,
capitalization
in
the
descriptions
I'm
looking
for
volunteers
to
just
do
that
and
get
some
credit
for
making
some
changes
to
cuddle.
A
A
A
So
this
is
two
rules
both
with
empty
match
clause,
so
the
mirror
one
can
never
fire
and
that
that
greg
figured
that
out,
but
I
did
not
notice
that
at
first
we
have
also
related,
and
my
pr
doesn't
fix-
is
this
user
who
has
shown
that
envoy
goes
stale
if
you
have
a
match
of
the
same
and
two
different
virtual
services,
and
before
I
tackle
that
one,
I
wanted
to
tackle
the
easier
one.
A
So
before
I
show
you
the
way
these
messages
look,
I
should
show
you
the
test
case
that
I
have
and
give
you
an
example
of
what
I'm
talking
about.
So,
although
I
have
examples
for
http,
tcp
and
tls,
the
basic
idea
is
pretty
simple.
A
I
have
I
have
some
rules
either
the
one
we
just
saw
with
no
matches
or
matches
where
there's
some
duplication,
exact
same
match
in
both
cases
and
cases
where
there's
partial
duplication.
So
maybe
some
of
the
matches
are
the
same.
The
subsequent
rules,
but
the
complete
rule,
has
a
few
new
matches
and
I
wanted
to
point
out
some
flaws
in
my
approach.
So
if,
if
a
match
in
a
subsequent
rule
is
a
subset
of
the
match
in
the
first
case,
my
detector
doesn't
currently
detect
it.
A
A
That
either
say
warning.
This
rule
is
never
used
either
because
all
matches
were
used
by
prior
rules
or
only
the
last
rule
can
have
no
matches
and
it
it
also
gives
you
infos
so
less
than
warnings.
If
you
have
matches
that
are
impossible
to
be
reached
because
they
existed
on
previous
rules.
A
So
I
found
these
messages
to
be
not
the
best,
but
they
were
the
best.
I
could
do.
I'm
gonna
put
a
hold
on
this
so
that,
if
I
can
think
of
some
better
messages,
but
the
logic
is
basically
straightforward.
So
if
anyone
is
interested
in
helping
this
case
out,
I
think
it
would
be
helpful
to
people
to
have
this.
A
So
next
week
we
will
talk
about
the
reorganizing.
Also
next,
probably
next
week,
lynn
gave
a
service
mesh
contact.
A
A
D
I
may
have
a
design
dock
by
then
I
hope
to
have
a
design
dock
by
then
to
talk
about
how
we
are
going
to
handle
the.
What
are
we
calling
it
aggregation
of
xds
events
across
the
mesh.