►
From YouTube: Kubernetes SIG API Machinery - 20230125
Description
[cici37] Clear GA graduation criteria for CRD validation rules(PR)
David and Daniel agree on suggested GA criteria
No other criteria mentioned.
[tallclair] Webhook Match Conditions https://github.com/kubernetes/enhancements/pull/3717
Secondary authz checks
[andrewsy] Mutating Admission with CEL
https://github.com/kubernetes/enhancements/pull/3776
General agreement that there is conceptual alignment on wanting Mutating too in the future.
No rush probably for 1.27, making sure we can address the items discussed in the meeting [TODO: add here] and see more feedback on the Validating use cases.
A
Hello
good
morning,
good
evening,
good
afternoon,
depending
where
you
are
welcome,
to
seek
API
machinery
for
kubernetes.
This
is
our
biblically
meeting.
Today
is
January
25th
2023..
We
have
three
great
topics
to
discuss
today
and
we
are
going
to
get
into
it
right
now
and
the
first
one
is
from
CC
and
I
will
give
you
the
spotlight.
B
Thank
you
hi.
So
today,
I
want
to
discuss
the
antique
right
here.
Ta
great
graduation
criteria
for
the
crd
validation
use.
So,
as
people
may
be
aware
of
the
charity,
validation
rules
has
been
beta
since
1.25
and
we
were
trying
to
promote
it
to
GA.
If
all
the
graduation
criteriors
are
made,
and
initially
we
were
trying
to
Target
it
for
1.27
and
we
got
an
import
from.
B
C
C
C
B
Oh
just
mentioned,
like
some
other
companies,
are
starting
elaborating
the
power
of
this
feature
and
also
like
from
Google
internally,
like
some
team
also
started
to
migrated
to
try
this
picture
out,
yeah,
so
I
guess
so
far.
We
didn't
hear
a
lot
of
complaints
about
this
and
in
terms
of
the
scalability,
even
for
the
beta
phrase,
we
have
like
the
initial
kind
of
data
collected
for
the
scalability
as
well.
B
I
have
a
interpretation
writing
all
the
data,
some
some
of
our
data
and
I
guess
it's
been
reviewed
by
Joanna
Jordan,
primarily
I
can
share
with
others
who
are
interested,
but
yeah
and
I
have
already
listed
it
as
the
ga
graduation
criteria
here
as
well,
so
I'm
not
sure
if
there
there
is
other
concerns.
Besides
those.
A
A
A
E
E
E
E
C
So
my
concern
here
is
that
the
the
use
of
a
subject
to
say
this
subject
is
this
user
is
not
required
to
go
through
a
particular
admission
check,
looks
a
lot
like
a
permissions
binding
to
me
right
in
other
places.
In
our
system
we
model
that
actually,
as
permissions
bindings,
the
GC
admission.
Plugin
is
one
concrete
case.
C
Where
we
say:
do
you
have
permission
to
delete
a
particular
resource
and
if
you
do
have
permission
to
delete
all
resources,
we
don't
have
to
run
this
check
at
all,
and
this
looks
like
a
very
similar
thing
that
is
binding
up
permission
inside
of
a
cluster
scoped
configuration
for
an
admission
web
hook
and
if
we
have
this
particular
binding
mechanism,
but
we
do
not
have
an
alternative
binding
mechanism
that
lets
someone
reuse
the
permissions
Bindings
that
our
system
already
has.
Then
we
can
drive
people
towards.
B
C
But
I
would
also
then
defer
the
ability
to
create
a
user
binding
at
this
level
right
because
if
you
look
at
like
user
bindings
today,
you
can
bind
users
at
the
level
of
a
namespace,
for
instance,
and
this
could
be
done
here.
But
as
you
start
trying
to
enumerate
it,
it
would
get
very
clumsy
in
a
single
object.
E
C
C
I
think
we
do
a
similar
thing
with
garbage
collection
admission
saying:
do
you
have
so
many
permissions
that
I
don't
even
need
to
try
to
evaluate
all
of
your
I?
Don't
need
to
evaluate
the
rest
of
the
submission
plug-in
because
you're
just
going
to
come
back
true
for
everything
and-
and
it
seems
very
similar
to
me-
but
I-
want
to
have
I'd
like
to
have
the
pattern
based
I'd
like
to
have
people
choose
which
pattern
they
mean
right.
I
can
see
valid
uses
for
like
nodes.
C
B
C
I,
don't
what
I
worry
about
is.
If
we
only
have
the
one
mechanism,
then
it
will
be
tempting
for
users
to
start
codifying
policies
that
are
like
things
like
inside
this
namespace.
This
user
doesn't
need
this
check
and
they
may
instead
have
wanted
to
model
that,
as
if
you
have
these
permissions
in
a
particular
namespace,
any
particular
namespace
doesn't
need
to
run
and
yeah.
A
C
C
E
E
D
D
D
C
A
C
C
B
C
C
D
E
I
can
imagine
something
where,
like
you,
want
to
label
objects
created
by
a
user
or
something
like
that,
and
you
want
to
assert
assert
that
the
label
matches
the
user
I
don't
know,
that's
a
contrived
example,
but
more
complicated
checks
where,
but
maybe
that
doesn't
apply
to
the
match
conditions
as
well.
Yeah.
D
I
think
we've
shied
away
from
story
like
like
in
fact
I
think
the
position
is
it's
kind
of
an
anti-pattern
to
include
user
information
in
an
object
like
the
classic
example.
Is
somebody
wants
a
object
that
only
they
can
delete,
so
they
want
to
put
their
username
in
the
object
to
do
a
check,
but
then
they
leave
the
company,
and
now
nobody
can
can
delete
the
object
so.
C
Maybe
I
can
think
of
one
what
what
if
someone
had
a
system
where
their
SRE
team
had
a
special
group?
This
isn't
a
thing.
I
actually
know
deeply,
but,
like
one
team
has
a
group,
but
they
give
cluster
admin
now
if
they
gave
cluster
admin
controls,
they
would
just
delete,
never
mind
that
wouldn't
work.
E
A
hard-coded
expression
in
there,
but
you
don't
you-
don't
want
to
generally
have
a
permission
that
can
be
bound
to
other
users.
You
just
want
to
say
like
this,
never
applies
to
nodes,
or
this
never
applies
to
the
service
accounts,
or
this
never
applies
to
authenticated
users
or
something
along
those
lines,
and
it's
just
kind
of
a
simplification
to
not
have
to
create
those
additional
objects.
D
E
If
you
have,
you
know
just
a
directory
of
manifests
that
some
add-on
manager
is
applying
and
they
get
created
in
arbitrary
ordering
and
the
if
the
web
hook
gets
created.
First,
it
prevents
the
service
definition
the
hacking
that
web
Hook
and
the
role
bindings
opting
out
of
the
web
Hook
from
being
created.
E
D
D
E
E
Think
over
time,
yeah
I
agree
with
that.
I
was
talking
about
the
my
understanding
was
we
were
discussing
whether
user
info
should
be
omitted
from
the
admission
review
that
gets
passed
to
the
expression
so
to
force
the
user
to
use
secondary
authorization
checks-
oh
I,
see,
but
also,
if
that
secondary.
E
C
I
was
about
to
say,
I'm,
not
sure
the
secondary
authorization
check
is
likely
to
have
a
what
is
the
user?
What
are
the
groups?
Yeah
and
I
would
like
to
be
able
to
put
in
this
user
in
these
groups.
So
at
a
practical
level
that
becomes
a
problem,
so
yeah
I
do
think
that
it's
worth
discussing
in
docs
that
that,
if
you
find
yourself
using
this
as
a
binding,
especially
if
it's
something
that
can
be
bound
at
a
namespace
level,
you
really
want
to
use
an
actual
check
and
not
hard
code
binding.
D
A
F
E
C
D
A
F
F
The
cap
has
some
like
examples
of
what
I
think
are
common
use
cases
for
mutation,
so
yeah
like
forcing
DNS
policy
or
injecting
like
a
HTTP
proxy
environment,
variable
to
containers
things
like
that,
so
yeah
mainly
I'm,
trying
to
figure
out
what
the
appetite
is
for
something
like
this.
In
the
sake
and
what
kind
of
concerns
you
would
want
to
see
address
before
we're
happy
with
trying
to
land
in
Alpha.
D
Go
okay,
I've
got
two
thoughts.
One
is
the
issue
with
doing
mutating
is
that
we
haven't
gotten
any
experience
on
whether
we've
done
things
right
for
validating
right.
Like
did
we
get
all
the
admission,
all
the
configuration
details
and
like
what
it
applies
to
and
like
the
because
it's
pretty
validating
one
is
pretty
complicated,
with
like
three
objects
involved
to
hook
up,
parameters
to
objects
and
rules
and
I
I'd
feel
a
lot
more
confident
with
mutating
version.
F
F
D
C
C
So
I
don't
want
to
put
a
super
high
threshold
on
this
before
this
will
go
to
Alpha,
but
I
do
think.
I
want
to
see
I'd
like
to
have
a
chance
to
get
some
feedback
on
the
validating
admission
policy
beta
before
I
tried
this
one
in
Alpha
in
case
we
made
some
significant
mistake
with
the
bindings
the
parameters.
C
C
D
There
so
so
there
are
with
our
objects.
The
thing
is,
the
problems
are
mainly
with
concurrency,
so
you
can
make
a
Json
patch
say
anything,
but
you
have
to
do
things
like
reference
specific
indexes
in
lists
and
that
doesn't
work
very
well
when
other
people
could
be
mutating
it
at
the
same
time.
But
in
this
case
all
the
mutations
are
done
in
serial.
So
there's
not
an
issue
with
that,
and
that's
also
how
our
mutating
web
hooks
return
things.
This
Json
patch.
C
Yeah,
so
our
mutating
web
hooks
were
built
before
we
had
server
side
apply
where
it
is
today.
One
thing
that
I
wonder
is
whether
it
would
actually
make
more
sense
to
express
the
I
want
to
set
this
in
the
form
of
serialize,
either
yaml
or
Json,
where
you
say
if
I
were
doing
a
server.apply.
This
is
the
thing
that
I
would
want
to
apply
there.
So.
C
D
C
D
F
Yeah,
there's
a
there's
an
unresolved
section
somewhere
in
the
dock,
and
one
of
the
things
that
we
would
consider
in
the
future
is
supporting
other
custom
types.
So
one
of
them
being
like
an
apply
configuration
which
contains
like
the
desired
behavior
for
service
side
apply,
and
then
we
could
also,
in
theory,
support
strategic,
merge,
patch
and
Json
merge
patch
as
well.
C
C
D
Think
in
this
in
this
thing
that
there's
not
really
a
reason
to
do
strategic,
merge,
patch
and
I
yeah
I
I,
don't
like
Json
merge
patch,
because
the
you
have
to
get
the
field
paths
correct,
apply
configuration
you
could
do,
but
there's
no
reason
not
to
construct
a
so.
Maybe
there
is
a
reason
not
to
just
construct
an
object
and
that's
if
you
want
to
delete
a
field,
the
syntax
isn't
clear
for
every
like
every
field
type,
so
maybe
apply
configuration
model.
Data
model
would
be
correct.
D
D
Yeah
yeah
Antoine
has
a
good
point
in
chat,
which
is
which
is
web.
Hooks
are
currently
like
a
mysterious
exception
to
ownership.
Semantics
I
guess
is
the
problem
with
cell
that
you
can't
do
like
I
guess
what
I
kind
of
expected
is
just
like
you
know,
object,
dot,
blah
blah
blah.
You
know
that
you
know
index
0
or
index
of
cell
expression
equals
like
value
that
I
want,
including
like
clearing
it.
Is
there
a
reason
why
that's
not
easy,
with
cell.
D
F
F
Well,
to
go
there,
for
example,
like
if
you're
setting
a
DNS
policy
in
a
pod
spec,
that's
invalid,
like
that.
Would
then
fail
like
that,
like
you
could
you
would
you
would
allow
that
object,
but
then
it
would
just
feel
validation
for
pods.
But
then,
if
you
had
like
a
crd
right
which
had
no
validation
for
that
field,
but
the
like
the
like,
you
would
allow
the
object.
But
then
you
can't
actually
check
the
values
of
the
object
until
runtime.
D
D
D
D
E
D
Check,
that's
so
yeah
like
I'm,
not
I'm,
not
expecting
this
to
force
people
to
only
express
valid
objects
in
the
sense
that
it
passes.
The
validation
I
am
expecting
it
to
force
people
to
express
valid
objects
in
the
sense
that
it
conforms
to
the
schema.
Yes,
yeah
and
Json
patch
doesn't
force
you
to
conform
to
the
schema.
D
That
would
keep
it
short,
the
like
I'm,
not
sure
if
we
can
take
code
entry
well
I.
So
so
maybe
maybe
if
maybe
we
could
take
code
that
actually
did
the
mutating
part
of
it
without
taking
any
of
the
like
API
and
configuration
stuff.
That
way,
if
we
change
our
mind
on
the
validating,
we
don't
have
a
bunch
of
extra
work.
To
do
is
that
seem
like
a
option
David
like
if
we
get
a
library
which
which
demonstrates
the
mutation
I,
don't
know
if
I'd
say
no
to
that.
C
That's
that's
where
I'm
biased
as
well.
I
also
think
that
trying
to
figure
out
what
what
how
we
want
to
express
the
mutation
itself
is
is
important
and
I'll
confess
this
kept
was
probably
opened
recently.
I
hope
so
otherwise
I'm
really
embarrassed
yeah.
It
was.
It
was
open
recently,
so
I
hadn't
seen
it
I
haven't
looked
so
when
we
did
validating
there
or
when
we
did
we're
initially
choosing
cell.
C
Against
mutating
web
hooks,
I
could
see
where
you
came
to
Json
patch,
because
I
think
that's
what
we
did
there,
but
I
think
with
the
evolved
world
of
server-side
apply
and
using
that
schema
to
make
good
decisions
about
how
to
actually
do
replacement
and
merging.
We
have
another
option
I'd
like
to
see
considered
before
choosing
One
Direction
or
the
other.
C
D
D
C
F
D
C
Yeah,
so
I
am
definitely
in
favor
of
mutating
I.
Have
my
biggest
question
is
about
how
we
figure
out
what
to
mutate
and
then
I
will
have
a
look
I
think
there's
a
couple
use
cases
that
we
have.
That
are
unusual,
where
we
have
one
area
of
an
object,
point
to
another
area
of
the
object
and
say
mutate
here.
Yes,
so
I
want
to
want
a
chance
to
add
that
in
there
I
don't
want
to
discourage
you
but
I'm,
not
confident
that
it'll
be
ready
for
implementation.
When
127
starts.
F
I
I,
yeah
I
would
I
would
think
anything
requiring
network
access
to
anything.
External
would
defer
the
web
hooks,
but
I
do
plan
on
supporting,
like
parameter
objects
like
validating,
and
you
can
use
the
value
of
a
parameter
object
to
set
mutate
some
field
in
the
current
object,
or
something
like
that.