►
From YouTube: Kubernetes SIG API Machinery 20221005
Description
* [mo, anish] Discuss about KEP status and blockers for moving these to beta in v1.27? In regards to sig-auth/3299-kms-v2-improvements
**2339-storageversion-api-for-ha-api-servers
**1965-kube-apiserver-identity
* [lavalamp] quick followup from last time: status of logical clock vs RV
* [lavalamp] quick followup from last time: status of subresources vs fine grained permissions (follow-up doc)
* [fedebongio] KEP List for 1.26? Tracking Board for 1.26 & All Open KEPs with SIG API Machinery label
**Allow informers for getting a stream of data instead of chunking #3157
**CEL for Admission Control #3488
**Aggregated Discovery #3352
A
To
three
recording
very
good
hello
good
morning
good
evening,
depending
where
you
are,
this-
is
ckpa
Machinery
by
weekly
meeting
for
kubernetes
open
source.
My
name
is
Federico
and
Giovanni
I'm
co-chair
of
ckba
Machinery.
Luckily,
in
the
call
we
have
David
eats
my
culture
and
technique
of
the
Sig
and
Daniel
also
another
technique
opposite,
and
we
are
going
to
cover
a
number
of
interesting
topics
today.
A
B
B
That
problem
set
is
very
similar
or,
in
the
sense,
exactly
the
same
as
what
the
storage
version
API
tries
to
solve
for
encoder
version,
so
like
schemas
of
objects
and
I
suspect
is
probably
the
only
way
to
solve
it
in
kubernetes,
based
on
what
I've
started
to
think
about
and
gone
through
all
the
bits,
but
so
those
the
API
server
identity,
cap
and
the
storage
version
kept.
Are
you
know
pretty
tightly
linked
and
have
not
been
updated
in
orders
or
two
to
three
years,
depending
on
how
you
gonna
count?
B
So
what
I
wanted
to
kind
of
get
a
sense?
There's
like
two
high-level
question
height
one
is
on
these
caps.
Were
you
guys
happy
with
sort
of
the
apis
that
you
came
up
with
in
the
code
and
sort
of
the
approach,
or
was
there
like
something
like
more
dramatic?
That
needs
to
be
actually
changed
about?
The
actual
implementation
that
exists
within
kubernetes
API
today
or
is
it
just
like
hey,
add
some
tests
and
you
know
like
make
sure
it
actually
does
what
it
does
kind
of
deal.
B
C
So
one
thing
I
can
definitely
say
is
the
the
API
server
identity
and
storage
version
caps
have
kind
of
stalled
out
due
to
the
contributors
going
off
and
doing
other
things.
So
I
think
it's
not
that
we
don't
want
them.
We
just
don't.
Have
somebody
drive
them
at
the
moment?
I
think
the
API
server
identity
cap
is
actually
pretty
important
and
is
blocking
a
lot
of
things
and
there's
a
bunch
of
people
working
around
it.
So
I
I
think
that's
important.
D
C
D
D
Yeah,
if
I'm,
remembering
correctly,
the
problem,
was
a
race
on
Startup
to
be
sure
that
you
knew
what
version
you
had
and
it
was
accurate
before
you
started
storing
data
right.
So
so
part
of
this.
If
someone
is
relying
on
this
for
something
like
storage
version
migration,
they
have
to
know
that
the
value
that
is
present
is
actually
being
used
and
you
haven't
used
something
else
to
store
instead
and
that's
what
I
believe
this
PR
was
doing.
B
D
B
C
C
D
It
has
been
a
while,
but
my
memory,
and
you
you
probably
looked
at
it
more
recently
than
I
have
is
that
is
that
we
actually
did
say,
reuse
the
existing
leases.
We
we
put
them
in
a
I,
don't
think
we
put
them
in
default.
We
put
them
in
some
namespace
where
people
was
supposed
to
be
our
namespace
Cube.
B
E
C
Don't
know
if
that's
like
so
like
that
sounds
like
the
way
the
API
server
would
figure
out
who
all
the
API
servers
are
it's
not
necessarily
the
way
we
would
want
to
present
that
to
users
of
API
server.
I
can't
promise
that,
without
looking
at
how
easy
that
is
to
consume,
and
if
there's
like
other
like
like
likely
API
servers
need
to
communicate
to
each
other
what
version
they
are,
what
what
their
feature
flags
are.
Etc
and
I.
Don't
think
that
that
is
going
to
be
captured
in
the
lease
thing.
B
E
B
E
B
B
Right
there,
so
this
is
sort
of
like
ignore
the
exact
specifics,
but
this
is
the
rough.
A
proposal
I
had
of
like
hey
I'm,
just
going
to
add
fields
to
the
storage
version.
Api
that
tell
you
like
each
API
server
would
say
Hey.
You
know
this
is
my
encryption
State
and
then
this
is.
We
have
a
common
coding
version
we
would
you
could
have
a
common
competition
is.
B
B
E
C
Is
there
I'm
not
so
I
so
I'm?
It
seems
reasonable
to
do
something
I'm
not
sure
like
if
we're
adding,
if
we're
adding
something
to
this,
that
we
need
to
be
kind
of
clear
about
what
it
is
and
how,
like
the
literal,
key
ID,
is
that
really
something
that
we
should
share
is
a
hash
of
the
or
hmac
of
the
keys,
something
better
to
share
I
I.
B
D
C
It's
completely
known
in
process
to
the
API
server,
even
for
crds,
yes,
okay,
then
wiring
it,
along
with
the
other,
like
I'd,
expect
it
to
get
wired
along
with
the
other
things
that
we
wire
from
like
what?
What
part
of
the
code
knows?
It
is
the
etcd
storage
layer,
or
is
it
the
like
command
line,
resource
enablement,
stuff.
B
Yeah,
so
it's
the
LCD
storage
layer
and
it
isn't
funneled
out
yet
because
there's
no
user
of
it
outside
of
that
layer,
but
it's
it
is.
It's
meant
to
be
dynamic
because
they're,
a
plug-in
the
KMS
plugin
is
allowed
to
change
it
at
any
time.
So
it's
already
sort
of
fully
set
up
to
be
dynamic,
so
it
would
probably
end
up
looking
like
some
interface
function
or
something
that
tells
you
the
current
information
so.
C
Don't
think
API
server
does
anything
other
than
like
make
sure
the
object
is
there,
but
if
you've
got
some
part
of
it,
that
can
change
on
some
basis,
then
we
have
to
add
a
mechanism
that
can
like
propagate
that
change
and
if
we're
adding
a
mechanism
that
propagates
that
change,
it's
not
obvious
to
me
if
we
should
like
make
the
current
code
also
propagate
changes
or
if
it
maybe
it's
just
easier
to
have
a
loop
inside
like
the
NCD
storage
layer,
which
then
sends
a
patch
request
or
whatever.
When
something
changes
like.
B
So
it's
kind
of
like
that.
So
it
is
pulled
because
there's
no
watch
on
it
or
because
it's
I
mean
I
guess
we
could
have
built
a
watch
for
the
status
API
for
PMS,
but
it's
just
a
pulled
API,
so
it
would
be
like
today
the
storage
version
stuff
just
tries
to
update
every
10
minutes
because
it's
like
yeah,
it's
kind
of
slow
moving.
You
shouldn't
be
messing
with
this,
but
if
you
kind
of
messed
it
up,
we'd
fix
it
up
every
10
minutes
for
you
kind
of
deal.
C
D
D
A
D
B
Yes,
it,
it
is
a
reflection,
and
if
someone
messed
with
it,
then
it
you
made
a
wrong
reflection
and
it'll
get
fixed
but
like
it
doesn't
like
we're,
not
not
trying
to
we're
not
trying
to
consume
this
information
in
the
API
server.
We're
trying
to
tell
other
things
that
hey!
You
know,
barring
someone
just
arbitrarily
messing
with
like
core
system
resources.
You
can
trust
the
data
in
here
to
be
something
useful
for
your
for
your
purposes
for
a
Next
Step.
B
So
I
can
certainly
try
to
resurrect
that
crd,
P
or
crpr
and
make
it
storage
version
stuff
work
there.
One
of
the
next
steps
that
I
thought
might
be
appropriate
is
like
the
cap
document
seems
to
be
not
in
line
with,
what's
actually
in
the
API
server
code,
because
you
know
those
things
diverse
I
was
going
to
try
to
update
it
and
like,
and
that
would
hopefully
give
you
all
a
way
of
like
being
like
yeah.
B
That
seems
like
a
good
idea
versus
not
but
they're
kind
of
the
high
level
I'm
getting
is
there's
not
necessarily
anything
like
invalid
about
any
of
these
cups
and
like
if
I
was
to
like
make
sure
they
had
good
test
coverage
and
stuff,
then
otherwise,
actually
were
feature
complete
for
what
they
said.
They
would
be
that
this
could
go
to
Beta
in,
like
127.
E
C
B
B
Yeah
that
you
know
that
sounds
fine,
I
I
can
find
bodies.
That's
that
that
part
is
not
hard
yeah
it's
at
a
high
level.
My
concern
is
I'm,
taking
a
Sig
off
cap
and
then
deeply
coupling
it
into
two
separates.
They
gave
API
machine
Recaps
and
hoping
that
the
other
two
graduate
so
I
can
graduate
my
thing.
I.
D
D
B
Yeah,
if,
if
you
think
that
there
isn't
that
much
left
for
it
to
go
to
Beta
I
can
I
can
certainly
push
my
efforts
towards
getting
this
move
forward,
because
I
I'm
not
moving
KMS
forward.
This
release
on
purpose
so
like
I,
have
I
have
time
it's
but
yeah,
I
I
know
what
I
need
to
do
for
KMS,
I,
don't
necessarily
know
exactly.
C
D
B
C
You
guys
cool
thanks,
Moe
I.
Think
of
the
next
two
items
are
the
gender
for
me
and
I'm
gonna
try
to
keep
each
of
them
super
short.
These
are
just
follow-ups
from
last
time.
The
current
state,
the
current
state
of
The
Logical
clock
versus
expanding
the
definition
of
resource
version
is
that
I
made
this
issue
and
a
number
of
people
expressed
opinions.
C
Seven
is
my
expansion
of
that
and
Tim
didn't
like
that,
so
he
wrote
a
design,
eight
and
I
thought
that
was
insufficiently
clear,
so
I've
written
to
design
nine
and
I
still
think
it's
not
right,
I!
Think
design.
Nine
at
least
illustrates
the
problem
with
ex
like
parameterizing
permissions
and
making
them
like,
like,
like
it's
in
some
sort
of
nested
manner,
making
them
restrictable.
So
but
that's
that's
the
current
State
and
I.
C
D
E
D
C
I'm
not
going
to
write
a
cabinet,
I
I
might
be
so
I
I,
think
design.
Nine
might
be
close
enough
to
passing
everybody's
criteria
that
maybe
a
kept
format
to
finish
off
the
design
is
The
Next
Step,
but
I'm
not
going
to
get
that
out
in
the
next
couple
couple
weeks.
Probably
okay,
maybe
in
the
next
couple
weeks,
but
not.
C
A
Thank
you
Daniel
for
the
updates.
This
is
great,
I
mean.
Do
you
have
photo
apps
on
things
that
you
know
we
discussed
in
our
journey
and
then
we
lost
track?
Okay,
so
David
Daniel.
Do
we
want
to
do
these?
So,
as
you
know,
the
process
in
126
has
changed.
We
have
two
opt-in,
the
Caps
that
we
think
are
going
to
make
it
or
that
we
want
to
make
it
into
the
next
three
days.
So
this
is
the
general
board
and
then
there
is
okay.
It's
one
of
my
screen.
A
A
D
A
A
C
C
D
Yeah,
as
I
recall,
John
had
the
prr
on
this
I
looked
through
the
unresolved
sections
at
like
155
and
I
thought.
That
was
pretty
good.
It
was,
they
reflected
the
yes,
we
are
going
to
do
this.
No,
it
is
not
in
phase
one
so
I
was
I
was
happy
with
that
for
secondary
authorization
and
for
namespace
metadata.
C
E
A
C
A
E
E
D
If
this
is
the
pr
about
like
beta
versus
Alpha
and
feature
date
versus
serialization,
there's,
actually
a
long
slack
Thread
about
that
now
and
I.
Think
where
it
landed,
is
the
idea
of
a
more
stable
serialization
makes
sense,
because
we
have
a
lot
of
experience
with
Discovery
many
years
of
experience
with
discovery,
but
we
have
controllers
and
concerns
for
the
implementation
of
of
the
backing
data
that
have
not
been
tested.
So
a
beta
serialization
would
allow
us
to
have
clients
honor
it
when
it
was
available,
because
we
know
the
serialization
is
stable.
D
It's
not
going
to
dramatically
change
and
as
opposed
to
an
alpha
which
could
you
know
significantly
change
over
time,
basically
complete,
discard
and
redo,
and
so
we
can
gate
the
beta
serialization
with
an
alpha
feature
date
without
changing
the
the
timelines
proposed
here.
So
the
client
would
be
able
to
use
it
if
the
server
chose
to
enable
it
and
and
then
the
decision
about
whether
to
enable
that
will
be
left
up
to
how
confident
individual
individual
distros
are.
And
potentially
you
can
even
change
your
mind
at
a
later
point.
D
E
Go
remember
just
if
I
could
just
say
a
couple
words
on
behalf
of
the
six
CLI.
It
would
be
really
useful
for
Coupe
control
to
to
be
able
to
have
a
significantly
more
efficient
Discovery.
We
strongly
support
this
and
we're
hoping
that
this
doesn't
have
to.
We
don't
have
to
wait
another
four
months
for
the
next
release.
E
D
Yeah,
that's
that's
the
goal
of
that
more
stable,
beta
serialization.
So
with
a
beta
serialization,
we
would
be
willing
to
merge
into
client
go
usage
of
that
serialization,
and
that
means
that
if
the
server
turns
it
on
for
you
in
126,
you
can
use
it
in
127
it'll
be
on
by
default
and
there's
somebody
retroactively
turns
it
on
for
you
in
126,
in
their
distro
by
enabling
it
on
Alpha
the
client
go
automatically
use
it.
For
me,.
A
You
David,
okay,
and
so
we
went
through
these
three
and
then
there
was
one
more
thing:
I
wanted
to
show
that
there
are
two
more
caps
that
are
not
in
the
world,
but
they
are
open
and
tagging
CDP
Machinery
with
the
naval
126,
so
I
think
it's
this
one
and
this
one
so
I
understand
they
are
not
primarily
API
machinery
and
they
may
be.
You
know,
on
the
side
involving
us.
C
C
But
in
the
discussion
it
turns
out
that
there,
the
code
making
the
patches
is
not
really
tolerant
of
other
actors
racing
to
make
similar
changes
and
is
buggy
like
potentially
adding
a
second
condition
or
deleting
or
replacing
the
wrong
condition,
so
I
think
they're
keeping
the
request
to
switch
to
server
side,
apply
or
or
or
whatever
else,
we'll
fix
that
yeah.
So
I,
don't
think
we
really
need
to
pay
attention
to
this.