►
From YouTube: Istio UX Working group August 25, 2020
Description
- istioctl using JWT tokens to contact XDS
- Continue Inventory/Analysis of istioctl commands
- issue to use consistent capitalization
- PR for duplicate matches leading to unreachable rules
A
A
This
should
eliminate
all
of
the
huge
difficulties
we
had
with
security
and
file
to
make
certificate
directories
and
all
those
other
problems
we're
having
with
one
seven.
So
I
got
some
initial
reviews.
I
totally
redid
the
pr
and
it's
very
quick
it.
It
goes
and
asks
kubernetes
for
a
token
which
takes
a
few
milliseconds
and
then
it
starts
using
it
and
it
recreates
the
token
every
time
it
runs.
A
A
Yes,
so
tarek
has
been
submitting
some
pr's
recently.
I
I
do
not
know
him
he's
from
mulesoft
and
salesforce.
Is
that
right?
Oh
correct?
Yes,
I
just
copy
that
off
your
github
page
anyway.
He
he
found
some
problems
with
remove
from
mesh
and
we
merged
them
for
one
eight
and
he
was
thinking
that
we
should
merge
them
for
one
seven.
I
thought
we
could
take
five
or
ten
minutes
to
look
at
this
or
hear
from
tariq.
Why
we
think
this
is
important
enough
to
get
into
one
seven.
B
So
what
istio
does
is
rewrites
all
the
health
check
at
probes
whenever
we
inject
the
psychoproxy
now
when
we
want
to
remove
all
of
the
injections
that
is,
do
the
uninject
remove
from
mesh
does
not
restore
the
app
probes
as
it
was
so
it
so
it's
kind
of
a
blocker
for
us.
If
we
were
to
use
ad
from
add
to
mesh
and
remove
from
mesh,
can
you.
A
B
B
So,
but
I
guess
the
main
a
main
motivation
behind
I
had
to
mention
the
room
from
mesh.
Is
that
it?
I
think,
that's
the
our
best
way
of
limiting
what
you
know
the
pods
that
will
be
injected,
because
if
we
were
to
enable
istio
injection
in
namespace,
then
all
of
the
workloads
in
that
name
space
would
be
injected
with
hdl
proxy.
C
B
B
C
B
C
B
B
A
Thank
you
and
if
you
ever
want
to
talk
about
how
your
organizations
use,
sto
or
the
troubles
you've
had
and
want
to
give
feedback
to
the
experience
group,
let
me
know-
and
I
can
try
to
put
you
on
the
calendar
for
sure.
Thank
you.
I
appreciate
that
excellent.
So
last
week
we
were
going
through
our
analysis
of
all
of
the
istio
cuddle
commands
to
see
what
we
wanted
to
preserve
and
strengthen
and
what
we
wanted
to
remove.
A
A
A
A
A
A
A
A
A
A
A
A
B
C
A
So
the
next
command
is
metrics.
Metrics
is
basically
terrible.
It
has
no
docs
other
than
itself
either,
but
we
have
good
news,
which
is
that
there's
now
an
issue
from
telemetry
to
approve
that
that
has
an
assigned
person
and
also
someone
else
told
me
that
they
might
be
interested
in
helping
with
it.
So
anyone
who
wants
a
cli
way
to
read
metrics,
for
you
know,
scraping
with
scripts
and
using
awk
and
things.
A
A
C
C
Yeah-
and
I
think
if
one
of
the
key
questions
is,
does
this
thing
support
multi-network,
because
I
remember
at
one
point
it
doesn't
support
multi-network,
which
is
why
we
never
use
it.
I
don't
remember
if
it's
added
to
super
multi
network,
I
don't
know
who
who
would
be
jason's
replacement
on
google's
site?
Would
that
be
amazing
would
be
a
good
person
to
ask.
E
A
A
A
E
E
E
C
A
C
E
It's
it's
it's
actually
not.
I
mean
I
definitely
install
so
do
pre-check,
but
it's
I
think
it's
reasonable
to
have
a
tool
that
is
just
pre-checking
that
everything
is
in
good
state.
In
case
you
actually
want
to
do
the
install
to
other
means
like
helm3
or
ci,
cd
or
other
systems.
So
I
I
don't
think
we
we.
I
mean
the
plan
is
to
to
support
him
three
and
other
mechanisms
as
well.
So
we
cannot
assume
that
people
will
always
use
this
to
apply.
E
So
right
now,
theoretically,
your
cat
will
apply
is
doing
a
pre-check
you're
supposed
to
be
doing
a
pre-check
is
doing
any
kind
of
release,
notes
related
changes
like
if
we
can
automatically
change
some
some
of
the
config
so
and
then
it
applies
the
owl
in
in.
In
the
case
of
of
you,
know,
cicd
system,
the
last
part
applying
the
yaml
will
be
outside
of
the
control
of
official
cattle.
E
So
we
deprecate
stuff
and
say:
hey
you
have
until
the
next
release
to
do
those
steps
because
they're
going
away
and
then
after
the
upgrade
users
will
go-
and
you
know,
whenever
he's
comfortable,
do
this
fix,
maybe
by
namespace
or
whatever,
and
then
test
it
and
then
and
then
have
three
months
or
whatever
to
to
get
the
cluster
ready
for
the
next
upgrade.
When
the
feature
is
going
away,
does
it
make
sense.
A
C
E
The
policy
has
been
that
if
we
want
to
remove
something,
we
deprecate
it
first
and
in
the
next
three
days
we
get
rid
of
it
completely,
and
maybe
we
one,
but
the
problem
is
that
during
this
three
months,
where
the
feature
is
deprecated,
the
user
can
go
and
start
fixing
that
application
so
wow
great
for
authentication
view
alpha
one
two
beta
one
or
do
whatever
nature's
necessary
changes
in
their
own
config
right
right
now.
I
think
we
are
trying
to
do
it
at
startup.
E
So
when
we
install,
we
are
combining
doing
some
fixes
with
with
installing,
but
if
we
decouple
them,
so
we
can
say,
for
example,
you
have,
you
know,
upgrade
this
authentication
policy.
For
example,
you
can
both
do
it
namespace
by
namespace,
and
you
are
not
coupling
with
with
the
upgrade,
especially
for
naturalistic
audio
or
manages
to
your
dealer
when,
when
again
you
don't
control
exactly
this
upgrade
cycle.
F
F
Is
that
something
we
wanted
so
that
that
that
kind
of
gives
us
like
we,
we
probably
yeah?
I
need
to
kind
of
have
a
policy
for
that,
like
what's
the
oldest
version
that
you
can,
you
can
use
this
right,
like
we
can't
say
like
in
one
you
you
use
in
one
or
two
and
we
convert
it
for
you,
that's
impossible.
E
E
Separate
pre-check
is
would
probably
combine
the
deprecation,
analyzer
and
pretty
much
anything
else
and
the
other
one
will
be
especially
since,
since
we
want
to
split
the
mean
versus
sorry,
cluster
admin
versus
namespace
admin
and
probably
this
check
will
be
run
by
namespace
admin,
because
they
will
need
to
understand
what
the
hell
is
going
on.
In
many
cases,.
E
F
A
C
F
E
But
but
the
critical
part
of
what
I'm
trying
to
to
convince
is
that
it
needs
to
be
split
into
one
part:
that
designed
by
the
cluster
admin,
which
may
not
understand
all
the
namespaces
and
also
users,
and
one
part
that
should
be
targeted
toward
users.
So
it's
a
user
needs
to
change
something.
The
system
admin
should
not
go
and
make
changes
to
the
user
configurations
which
may
be
overwritten
later
by
base
acd,
because
in
reality,
in
a
namespace
you
will
have
a
csd
that
is
pushing
the
configs.
F
E
A
E
F
F
A
A
So
with
the
latest
pr,
if
the
user
has
kubernetes,
it
works
perfectly,
it
100
of
the
time
goes
out
acquires
the
token,
which
is
very
fast,
and
then
it
uses
the
token
there's
no
steps,
the
only
the
only
risk
would
be.
If
you
didn't
have
kubernetes
at
all,
and
in
which
case
you
would
have
to
use
the
certificate
thing
or
we
could
come
up
with
something
else,
but.
A
E
Now
one
tiny
comment
I
have,
since
we
are
going
to
this
direction
and
there
are
some
other
pr's.
I
don't
know
if
you
show
them
to
to
disable
the
debug
endpoint,
would
it
make
sense
or
it
will
simplify?
Or
would
you
simplify
your
life
if
we
moved
the
debug
endpoints
to
the
https
endpoint
with
jot
authentication,
and
you
can
access
them
through,
you
know
to
the
gateway.
E
Does
it
have
do
you?
Is
there
any
information
in
the
debug
that
that
you
would
use
in
istio
cattle?
That
is
not
specific
to
a
particular
instance,
because
if
you
go
to
a
gateway
and
https,
you
will
well
actually
no
it's
that's
that's
not
necessarily
true.
You
can
still
go
to
individual
eqd
over
https
with
token
and
and
access
it.
E
C
A
D
E
E
A
F
F
D
A
A
Okay,
so
we
have
the
uninstall
command.
That
is
new
in
one
seven
seems
to
work:
fine,
the
experimental
version,
which
is
just
a
replacement
for
the
version
command
with
the
new
communication
thing,
is
fine.
We
have
weight
and
I'm
going
to
color
that
or
experimental
weight,
because
mitch
is
going
to
fix
that.
So
it
does
need
some
some
work
and
it
is
at
risk,
but
I
think
we're
in
good
shape
for
that.
C
A
Some
of
these
commands
have
somewhat
suffered
because
we
have
been
too
lazy
to
write
integration
tests
for
things
like
add
to
mesh.
It's
a
huge
pain
to
write
a
test.
It's
loads
of
powder,
no
name
space,
does
add
to
mesh
weights
for
it
to
restart,
because
there
aren't
really
helpers
for
all
that
stuff.
Yet
so
tell
me
lin
which
commands
you
think
are
worthy
and
we
can
try
to
focus
on
getting
the
measures
tests.
The
vms
no
retimes
is
just
like
cube
inject.
C
With
the
services
already
existing
cluster,
actually
I
think
constant
is
asking
an
interesting
question,
because
we
have
this
bootstrap
cycle,
bootstrap
right
and
then
there's
another
new
command.
Some
someone
just
mentioned
that's
going
to
replace
cycle
bootstrap,
but
active
mesh
is
kind
of
doing
something
doing
stuff
similar
except
the
app2
mesh.
Only
works
for
kubernetes
workflows
right
now.
So
what
does.
A
E
B
A
So
why
okay,
the
reason
for
adtamesh
is
that
what
I
found
when
I
was
testing
was
that
I
found
it
was
really
great
to
patch
my
deployments
to
turn
on
and
off
the
annotation
for
injection
and
when
I
did
that
it
made
it
really
easy
to
figure
out
which
pods
had
and
supported
and
did
not
support.
Istio,
and
I
gave
a
requirement
for
how
to
write
that
to
some
people,
and
it
came-
became
back
very
big
and
complicated.
A
E
H
E
A
The
way
I
used
it
was,
I
would
install
some
application,
a
a
micro
service
application
and
then
one
deployment
at
a
time
I
would
add,
to
mesh
and
see
if
it
broke
right,
because
what
I
had
in
the
past,
I
had
taken
a
whole,
a
large
yaml
file
with
a
bunch
of
microservices
cube
injected
they're,
all
injected
it
doesn't
work.
I
don't
know
why.
So
I
loved
taking
one
deployment
at
a
time
and
injecting
it
and
finding
where
it
breaks,
but
how
about.
C
A
A
C
A
A
Okay,
great,
we
have
just
eight
minutes
and
I
had
planned
to
talk
about
organizing
admin
versus
user
commands,
so
I'm
not
gonna
discuss
that
we'll
discuss
that
next
week
I
had.
I
have
an
issue
to
do
consistent,
capitalization
in
the
descriptions
I'm
looking
for
volunteers
to
just
do
that
and
get
some
credit
for
making
some
changes
to
cuddle.
A
A
A
A
I
have
I
have
some
rules
either
the
one
we
just
saw
with
no
matches
or
matches
where
there's
some
duplication,
exact
same
match
in
both
cases
and
cases
where
there's
partial
duplication.
So
maybe
some
of
the
matches
are
the
same.
The
subsequent
rules,
but
the
complete
rule,
has
a
few
new
matches
and
I
wanted
to
point
out
some
flaws
in
my
approach.
So
if,
if
a
match
in
a
subsequent
rule
is
a
subset
of
the
match
in
the
first
case,
my
detector
doesn't
currently
detect
it.
A
A
A
So
I
found
these
messages
to
be
not
the
best,
but
they
were
the
best.
I
could
do.
I'm
gonna
put
a
hold
on
this
so
that,
if
I
can
think
of
some
better
messages,
but
the
logic
is
basically
straightforward.
So
if
anyone
is
interested
in
helping
this
case
out,
I
think
it
would
be
helpful
to
people
to
have
this.