►
From YouTube: Kubernetes SIG API Machinery - 20230125
Description
[cici37] Clear GA graduation criteria for CRD validation rules(PR)
David and Daniel agree on suggested GA criteria
No other criteria mentioned.
[tallclair] Webhook Match Conditions https://github.com/kubernetes/enhancements/pull/3717
Secondary authz checks
[andrewsy] Mutating Admission with CEL
https://github.com/kubernetes/enhancements/pull/3776
General agreement that there is conceptual alignment on wanting Mutating too in the future.
No rush probably for 1.27, making sure we can address the items discussed in the meeting [TODO: add here] and see more feedback on the Validating use cases.
A
Hello
good
morning,
good
evening,
good
afternoon,
depending
where
you
are
welcome,
to
seek
API
machinery
for
kubernetes.
This
is
our
biblically
meeting.
Today
is
January
25th
2023..
We
have
three
great
topics
to
discuss
today
and
we
are
going
to
get
into
it
right
now
and
the
first
one
is
from
CC
and
I
will
give
you
the
spotlight.
B
Thank
you
hi.
So
today,
I
want
to
discuss
the
antique
right
here.
Ta
great
graduation
criteria
for
the
crd
validation
use.
So,
as
people
may
be
aware
of
the
charity,
validation
rules
has
been
beta
since
1.25
and
we
were
trying
to
promote
it
to
GA.
If
all
the
graduation
criteriors
are
made,
and
initially
we
were
trying
to
Target
it
for
1.27
and
we
got
an
import
from.
B
To
move
it
to
next
release
because
we
were
trying
to
introduce
the
formatted
message
in
current
release,
so
I
would
get
it
aligned
to
see
if
there
is
any
other
concerns.
Besides
this
and
get
the
graduation
criteria
clear
for
this
cab.
C
C
The
old
object
seems
to
work
well
for
us.
We
haven't
gotten
many
complaints
about
that.
I'm
I
see
no
issue.
C
Okay,
the
scalability
was
the
one
that
I
thought
you
might
have
comments
on.
So
for
us
the
power
is
worth
the
potential
degradation.
I
know
you
guys
have
tighter
tighter
requirements.
D
Yeah
I
guess
my
question
would
only
be
like
how
much
how
much
user
feedback
have
you
gotten
on
this
feature.
D
Very
valuable,
but
has
anyone
else
used
it
yeah.
B
Oh
just
mentioned,
like
some
other
companies,
are
starting
elaborating
the
power
of
this
feature
and
also
like
from
Google
internally,
like
some
team
also
started
to
migrated
to
try
this
picture
out,
yeah,
so
I
guess
so
far.
We
didn't
hear
a
lot
of
complaints
about
this
and
in
terms
of
the
scalability,
even
for
the
beta
phrase,
we
have
like
the
initial
kind
of
data
collected
for
the
scalability
as
well.
B
I
have
a
interpretation
writing
all
the
data,
some
some
of
our
data
and
I
guess
it's
been
reviewed
by
Joanna
Jordan,
primarily
I
can
share
with
others
who
are
interested,
but
yeah
and
I
have
already
listed
it
as
the
ga
graduation
criteria
here
as
well,
so
I'm
not
sure
if
there
there
is
other
concerns.
Besides
those.
D
No,
if
people
are
using
it
and
you
haven't,
heard
complaints,
that's
a
pretty
good
sign.
Thank.
B
You
yeah
I,
guess
the
major
concern
I'll
feedback
I
collected
from
Jordan
earlier
is
like
he
want
the
format
message
to
be
in
beta
for
at
least
the
wine
cycle
before
we
motivated
to
Jay
so
I
guess
we
all
started
to
promote,
try
to
promote
this
feature
in
2G
in
1.28,
if
you
know,
but
nobody
have
like
a
major
objection.
A
Cc
you've
been
running
for
some
time
already.
The
triage
meetings
for
this
thing,
we
didn't
saw
any
issue
from
anybody.
Also,
there
right.
A
And
hypothetical
question
imagine
you're
running
a
large
Fleet
of
kubernetes
clusters
like
you
work
for
a
company
like
Google,
all
right
or
other
cloud
provider.
Is
there
a
way
for
us
to
see
how
many
people
is
using
cell
for
crd
validation
versus
the
other
mechanisms.
B
Oh
sure
they
actually
have
like
a
couple
metrics
for
this
so
like,
if
you
yeah
I
guess,
hopefully
the
metrics
will
help
to
collect
those
kind
of
things
that.
A
E
E
So
yeah
I'm
still
hoping
to
get
this
kept
in
for
127
Alpha
I
just
wanted
to
put
it
on
the
agenda
to
kind
of
one
give
anyone
an
opportunity
to.
We
have
some
feedback,
but
also
specifically
I.
Don't
know,
if
is
David
on
the
call.
E
Yes,
he
had
a
comment
about
secondary
authorization
on
this
that
I
wanted
to
discuss
in
a
bit
more
detail.
We
followed
up
a
bit
on
slack
and
I.
Think
where
I
stand
on.
This
is,
if
it
sort
of
depends
on
how
we
Implement
secondary
authorization
for
General
cell
admission.
E
C
So
my
concern
here
is
that
the
the
use
of
a
subject
to
say
this
subject
is
this
user
is
not
required
to
go
through
a
particular
admission
check,
looks
a
lot
like
a
permissions
binding
to
me
right
in
other
places.
In
our
system
we
model
that
actually,
as
permissions
bindings,
the
GC
admission.
Plugin
is
one
concrete
case.
C
Where
we
say:
do
you
have
permission
to
delete
a
particular
resource
and
if
you
do
have
permission
to
delete
all
resources,
we
don't
have
to
run
this
check
at
all,
and
this
looks
like
a
very
similar
thing
that
is
binding
up
permission
inside
of
a
cluster
scoped
configuration
for
an
admission
web
hook
and
if
we
have
this
particular
binding
mechanism,
but
we
do
not
have
an
alternative
binding
mechanism
that
lets
someone
reuse
the
permissions
Bindings
that
our
system
already
has.
Then
we
can
drive
people
towards.
B
C
But
I
would
also
then
defer
the
ability
to
create
a
user
binding
at
this
level
right
because
if
you
look
at
like
user
bindings
today,
you
can
bind
users
at
the
level
of
a
namespace,
for
instance,
and
this
could
be
done
here.
But
as
you
start
trying
to
enumerate
it,
it
would
get
very
clumsy
in
a
single
object.
E
Yeah
I
definitely
see
where
you're
coming
from
part
of
my
thinking
here
is
for
like
a
more
complex
policy
evaluation
like
finer
grain
control
based
on
on
bindings
of
users.
E
That
feels
like
something
that
should
just
go
in
the
web
hook
itself,
where
we're
not
trying
to
replicate
the
full
admission
and
business
logic
here,
but
rather
just
kind
of
opt
out
when
the
web
hook
needs
to
be
called
both
for
performance
reasons
and
like
reliability
reasons.
E
C
C
I
think
we
do
a
similar
thing
with
garbage
collection
admission
saying:
do
you
have
so
many
permissions
that
I
don't
even
need
to
try
to
evaluate
all
of
your
I?
Don't
need
to
evaluate
the
rest
of
the
submission
plug-in
because
you're
just
going
to
come
back
true
for
everything
and-
and
it
seems
very
similar
to
me-
but
I-
want
to
have
I'd
like
to
have
the
pattern
based
I'd
like
to
have
people
choose
which
pattern
they
mean
right.
I
can
see
valid
uses
for
like
nodes.
C
Just
don't
need
to
have
this
check
run
on
them.
I
think
I
see
more
uses
for.
If
you
have
this
much
permission,
we
don't
need
to
make
this
check.
B
C
I,
don't
what
I
worry
about
is.
If
we
only
have
the
one
mechanism,
then
it
will
be
tempting
for
users
to
start
codifying
policies
that
are
like
things
like
inside
this
namespace.
This
user
doesn't
need
this
check
and
they
may
instead
have
wanted
to
model
that,
as
if
you
have
these
permissions
in
a
particular
namespace,
any
particular
namespace
doesn't
need
to
run
and
yeah.
A
C
I'm
hoping
that
we
do
get
this
for
free
with
the
the
shared
library
that
you
did
specifically
call
out.
So
thank
you
for
that
I'm
hoping
we
get
that
for
free
with
a
specific
library,
but
I
really
don't
want
to
have
user-based
skips
without
having
the
option
to
do
a
permission.
Space,
skill.
C
D
Think
Joe
is
sick.
Today,
yeah
do
we
do
any
user
base
skips
anywhere
in
the
in
the
system
at
all.
C
That's
a
group
well
yeah,
sorry,
user,
I,.
E
E
D
C
D
I
mean:
how
do
you
get
users
into
groups?
If
you
can
get
a
user
into
a
group,
then
with
the
permissions
and
but
I,
don't
think
you
can.
C
Varies
by
System,
for
instance:
openshift
has
a
resource
you
can
set
for
the
IEP.
They
provide.
E
C
A
C
If
you
look
at
the
other
resources,
even
talked
about
for
providing
cell
cell
policy
I
think
one
of
them
was
actually
trying
to
expose
a
name
space.
I,
don't
remember
where
we
landed
on
that
we'll
have
to
look
but
that,
for
instance,
it
would
not
be
present
in
CR
validation,.
E
C
B
C
C
E
D
E
I
can
imagine
something
where,
like
you,
want
to
label
objects
created
by
a
user
or
something
like
that,
and
you
want
to
assert
assert
that
the
label
matches
the
user
I
don't
know,
that's
a
contrived
example,
but
more
complicated
checks
where,
but
maybe
that
doesn't
apply
to
the
match
conditions
as
well.
Yeah.
D
I
think
we've
shied
away
from
story
like
like
in
fact
I
think
the
position
is
it's
kind
of
an
anti-pattern
to
include
user
information
in
an
object
like
the
classic
example.
Is
somebody
wants
a
object
that
only
they
can
delete,
so
they
want
to
put
their
username
in
the
object
to
do
a
check,
but
then
they
leave
the
company,
and
now
nobody
can
can
delete
the
object
so.
C
Maybe
I
can
think
of
one
what
what
if
someone
had
a
system
where
their
SRE
team
had
a
special
group?
This
isn't
a
thing.
I
actually
know
deeply,
but,
like
one
team
has
a
group,
but
they
give
cluster
admin
now
if
they
gave
cluster
admin
controls,
they
would
just
delete,
never
mind
that
wouldn't
work.
E
E
A
hard-coded
expression
in
there,
but
you
don't
you-
don't
want
to
generally
have
a
permission
that
can
be
bound
to
other
users.
You
just
want
to
say
like
this,
never
applies
to
nodes,
or
this
never
applies
to
the
service
accounts,
or
this
never
applies
to
authenticated
users
or
something
along
those
lines,
and
it's
just
kind
of
a
simplification
to
not
have
to
create
those
additional
objects.
E
Actually,
maybe
the
bootstrapping
case
that
Tim
Bannister
brought
up
would
be
another
one
where
the
ability
to
opt
out
some
bot
user,
that's
instantiating
objects
would
be
useful.
E
To
kind
of
like
decouple
the
dependency
on
the
roll
bindings
being
created
before
the
web,
Hook
is
defined.
D
E
If
you
have,
you
know
just
a
directory
of
manifests
that
some
add-on
manager
is
applying
and
they
get
created
in
arbitrary
ordering
and
the
if
the
web
hook
gets
created.
First,
it
prevents
the
service
definition
the
hacking
that
web
Hook
and
the
role
bindings
opting
out
of
the
web
Hook
from
being
created.
D
E
D
D
Yeah
I'd
have
to
think
about
that
more.
It
still
seems.
E
E
E
Think
over
time,
yeah
I
agree
with
that.
I
was
talking
about
the
my
understanding
was
we
were
discussing
whether
user
info
should
be
omitted
from
the
admission
review
that
gets
passed
to
the
expression
so
to
force
the
user
to
use
secondary
authorization
checks-
oh
I,
see,
but
also,
if
that
secondary.
E
C
I
was
about
to
say,
I'm,
not
sure
the
secondary
authorization
check
is
likely
to
have
a
what
is
the
user?
What
are
the
groups?
Yeah
and
I
would
like
to
be
able
to
put
in
this
user
in
these
groups.
So
at
a
practical
level
that
becomes
a
problem,
so
yeah
I
do
think
that
it's
worth
discussing
in
docs
that
that,
if
you
find
yourself
using
this
as
a
binding,
especially
if
it's
something
that
can
be
bound
at
a
namespace
level,
you
really
want
to
use
an
actual
check
and
not
hard
code
binding.
D
A
F
C
E
Okay,
so
cell
gives
us
the
ability
to
bound
the
estimated
run
time
of
an
expression,
I
think
exactly
what
we
want
to
constrain,
that
to
is
TBD.
C
I
think
that
after
this
I
have
no
other
reservations
about
this
cap,
have
you
reviewed
it
Daniel?
Do
you
want
to
do
you
want
to
see
if
Joe
has
a
look
at
Joe's
had
a
look
at
it.
D
Yeah
this
was
talked
about
at
the
last
meeting
that
I
didn't
make
it
to
is
that
right,
yeah,
yeah,
yeah
I
haven't
had
a
chance
to
review
it.
If
both
you
and
Joe
are
fine
with
it,
then
I
don't
need
to
I
review
it,
but
I'll
probably
try
and
look
at
it.
A
F
Yes,
hi
hi
here
with
yet
another
topic
on
Cell,
hopefully
aren't
sick
of
it.
Yet
it's
the
end
of
the
year
yeah,
so
I've
been
prototyping.
Mutating
admission
would
sell
with
some
early
feedback
from
Joe
Tim
and
Jordan
I.
Initially
wasn't
planning
to
propose
a
kept
for
127.
F
Giving
validating
is,
is
still
you
know,
very,
very
early
stages,
but
I
was
able
to
get
a
decent
prototype
working
by
having
cell
Expressions
that
can
resolve
to
Json
patch
objects,
which
we
can
then
apply
against
objects
via
built-in
admission
plugin,
which
ends
up
being
kind
of
similar
to
what
we
do
with
mutating
web
books
since
I
think
we
end
up
using
Json
patch
under
the
hood
there.
F
So
basically,
the
the
kept
proposes
introducing
a
new
API
called
mutating
imagery
policy
that
uses
the
same
binding
pattern
with
support
for
parameter
objects
much
like
validating,
and
it
allows
Forest
cell
Expressions
to
use
a
custom,
Json
patch
type,
which
we
can
actually
statically
type
check
during
validation
and
whatnot
yeah.
F
The
cap
has
some
like
examples
of
what
I
think
are
common
use
cases
for
mutation,
so
yeah
like
forcing
DNS
policy
or
injecting
like
a
HTTP
proxy
environment,
variable
to
containers
things
like
that,
so
yeah
mainly
I'm,
trying
to
figure
out
what
the
appetite
is
for
something
like
this.
In
the
sake
and
what
kind
of
concerns
you
would
want
to
see
address
before
we're
happy
with
trying
to
land
in
Alpha.
C
I'm
still
Gathering
I'm
still
Gathering
and
ordering
my
thoughts
I'll.
Let
you.
D
Go
okay,
I've
got
two
thoughts.
One
is
the
issue
with
doing
mutating
is
that
we
haven't
gotten
any
experience
on
whether
we've
done
things
right
for
validating
right.
Like
did
we
get
all
the
admission,
all
the
configuration
details
and
like
what
it
applies
to
and
like
the
because
it's
pretty
validating
one
is
pretty
complicated,
with
like
three
objects
involved
to
hook
up,
parameters
to
objects
and
rules
and
I
I'd
feel
a
lot
more
confident
with
mutating
version.
D
D
My
other
the
thought
on
this,
and
this
isn't
the
details
that
is
the
Json
patch,
is
pretty
surprising
because,
like
it's
got
a
bunch
of
paths
in
there
like
I,
don't
how
do
you
type
check
the
paths
inside
a
nested
inside
a
Json
patch
object,
so
that
that's
pretty
surprising,
although
I
believe
that
it
was
easy
to
do.
F
So
I
should
clarify
so
the
the
type
checking
is
not
against
the
path
value.
It's
more
against.
Did
you
specify
all
the
required
fields
for
the
patch
like.
F
Path,
but
the
actual
validation
against
the
actual
mutation
would
be
runtime
like
if
you
specify
a
pod,
the
spec
field
that
doesn't
exist.
That
would
be
a
runtime
error.
D
Yeah
I
think
I'd
feel
a
lot
more
comfortable
if
it
was
a
like
the
the
whole.
The
whole
theme
around
cell
is
that
we
type
check
things
early
and
so
it's
surprising
to
see
a
Json.
It's
like
a
like
a
field
path
that
isn't
typedract
looks
like
David
has
a
hand
up.
C
Yeah,
so
my
first
concern
is
actually
the
same
as
your
first
concern.
I
want
to
have
confidence.
We
got
the
validating
admission
policy.
Correct
I
did
find
to
be
one
of
the
more
complicated
apis
I
thought
to
use
when
I
was
reading
it
for
review.
C
So
I
don't
want
to
put
a
super
high
threshold
on
this
before
this
will
go
to
Alpha,
but
I
do
think.
I
want
to
see
I'd
like
to
have
a
chance
to
get
some
feedback
on
the
validating
admission
policy
beta
before
I
tried
this
one
in
Alpha
in
case
we
made
some
significant
mistake
with
the
bindings
the
parameters.
C
C
Maybe
that
doesn't
require
beta
feedback,
but
at
least
a
complete
half
of
feedback.
The
other
thing
is
Json
patch
surprised
me
in
part,
because
I
thought
their
I
thought
there
were
some
things
that
Json
patch
had
a
hard
time
expressing.
D
There
so
so
there
are
with
our
objects.
The
thing
is,
the
problems
are
mainly
with
concurrency,
so
you
can
make
a
Json
patch
say
anything,
but
you
have
to
do
things
like
reference
specific
indexes
in
lists
and
that
doesn't
work
very
well
when
other
people
could
be
mutating
it
at
the
same
time.
But
in
this
case
all
the
mutations
are
done
in
serial.
So
there's
not
an
issue
with
that,
and
that's
also
how
our
mutating
web
hooks
return
things.
This
Json
patch.
C
Yeah,
so
our
mutating
web
hooks
were
built
before
we
had
server
side
apply
where
it
is
today.
One
thing
that
I
wonder
is
whether
it
would
actually
make
more
sense
to
express
the
I
want
to
set
this
in
the
form
of
serialize,
either
yaml
or
Json,
where
you
say
if
I
were
doing
a
server.apply.
This
is
the
thing
that
I
would
want
to
apply
there.
So.
C
D
C
D
Just
I
expected
to
see
something
like
constructing
an
object
of
the
type
that
is
going
through
the
pipeline
and
then
having
that
object
merged
with
the
pre-existing
object
somehow
and
that
could
be
server-side
apply.
It
could
be
that
logic
or
it
could
be
something
else,
but.
F
Yeah,
there's
a
there's
an
unresolved
section
somewhere
in
the
dock,
and
one
of
the
things
that
we
would
consider
in
the
future
is
supporting
other
custom
types.
So
one
of
them
being
like
an
apply
configuration
which
contains
like
the
desired
behavior
for
service
side
apply,
and
then
we
could
also,
in
theory,
support
strategic,
merge,
patch
and
Json
merge
patch
as
well.
C
C
The
others
that
you
mentioned
sound
good,
but
the
one
that
occurred
to
me
was
I
guess
it
would
be
apply,
configuration
from
this
list
to
try
to
figure
out
what
makes
sense,
what
makes
the
most
sense
to
try
it.
First
yeah.
D
D
Think
in
this
in
this
thing
that
there's
not
really
a
reason
to
do
strategic,
merge,
patch
and
I
yeah
I
I,
don't
like
Json
merge
patch,
because
the
you
have
to
get
the
field
paths
correct,
apply
configuration
you
could
do,
but
there's
no
reason
not
to
construct
a
so.
Maybe
there
is
a
reason
not
to
just
construct
an
object
and
that's
if
you
want
to
delete
a
field,
the
syntax
isn't
clear
for
every
like
every
field
type,
so
maybe
apply
configuration
model.
Data
model
would
be
correct.
D
Yeah
yeah
Antoine
has
a
good
point
in
chat,
which
is
which
is
web.
Hooks
are
currently
like
a
mysterious
exception
to
ownership.
Semantics
I
guess
is
the
problem
with
cell
that
you
can't
do
like
I
guess
what
I
kind
of
expected
is
just
like
you
know,
object,
dot,
blah
blah
blah.
You
know
that
you
know
index
0
or
index
of
cell
expression
equals
like
value
that
I
want,
including
like
clearing
it.
Is
there
a
reason
why
that's
not
easy,
with
cell.
F
So
yeah,
like
the
where
I
was
going
with
the
initial
prototype,
was
basically
that,
like
you,
you
break
down
the
specify,
the
feel
that
you
want
with
an
expression,
and
then
you
have
a
a
value
that
the
expression
resolves
to,
but
that
got
tricky
because
you
have
to
like
you,
don't
know
how
that
field
can
expand
like
it
could
be
a
list
or
an
object
with
many
fields,
or
it
could
just
be
like
an
intro
string
like
it
was
hard
to
do
it
correctly,
whereas
with
Json
patch,
it's
kind
of
like
you.
D
But
we
know
the
schema
right
like
if
you,
if
you
select
a
field
which,
if,
if
you
select
a
field
which
expands
to
a
list,
we
can
stop
you
at
compile
time.
Can't
we.
F
Yeah,
you
could,
but
you
wouldn't
know
if,
like
you
wouldn't
know,
if,
if
you
can
actually
apply
the
actual
value
right
until
runtime,
which
is
the
same
thing
with
Json,
why?
Why
wouldn't
you,
though,.
F
Well,
to
go
there,
for
example,
like
if
you're
setting
a
DNS
policy
in
a
pod
spec,
that's
invalid,
like
that.
Would
then
fail
like
that,
like
you
could
you
would
you
would
allow
that
object,
but
then
it
would
just
feel
validation
for
pods.
But
then,
if
you
had
like
a
crd
right
which
had
no
validation
for
that
field,
but
the
like
the
like,
you
would
allow
the
object.
But
then
you
can't
actually
check
the
values
of
the
object
until
runtime.
D
Mean
but
we,
the
the
validation,
runs
shortly
after
the
mutating
part
of
the
admissions
stack.
So
all
I'm
expecting.
D
Actual
all
I'm
expecting
of
this
of
this
cell
is
that
you,
you
obey
the
sin.
The
the
type
syntax
right
I
don't
also
require
that
it's
that
it's
semantically
passes.
D
D
So,
but
that,
but
that
isn't
type
checking
right
like
making
sure
that
you
have
like
IP
addresses
in
the
right
range.
That's
not
a.
E
D
Check,
that's
so
yeah
like
I'm,
not
I'm,
not
expecting
this
to
force
people
to
only
express
valid
objects
in
the
sense
that
it
passes.
The
validation
I
am
expecting
it
to
force
people
to
express
valid
objects
in
the
sense
that
it
conforms
to
the
schema.
Yes,
yeah
and
Json
patch
doesn't
force
you
to
conform
to
the
schema.
D
Yep,
that's
true,
so
I
guess
that
yeah,
if
just
to
make
totally
clear
what
I'm,
what
I'm
trying
to
say
yeah
makes
sense.
D
Maybe
if
the
cap
was
structured,
like
you
know,
for
configuration
and
whatever
we'll
do
exactly
what
what
validating
admission
policy
did
and
it
focused
on
the
like
just
the
like
the
mutate,
the
part
of
the
mutating
parts
of
it.
D
That
would
keep
it
short,
the
like
I'm,
not
sure
if
we
can
take
code
entry
well
I.
So
so
maybe
maybe
if
maybe
we
could
take
code
that
actually
did
the
mutating
part
of
it
without
taking
any
of
the
like
API
and
configuration
stuff.
That
way,
if
we
change
our
mind
on
the
validating,
we
don't
have
a
bunch
of
extra
work.
To
do
is
that
seem
like
a
option
David
like
if
we
get
a
library
which
which
demonstrates
the
mutation
I,
don't
know
if
I'd
say
no
to
that.
C
That's
that's
where
I'm
biased
as
well.
I
also
think
that
trying
to
figure
out
what
what
how
we
want
to
express
the
mutation
itself
is
is
important
and
I'll
confess
this
kept
was
probably
opened
recently.
I
hope
so
otherwise
I'm
really
embarrassed
yeah.
It
was.
It
was
open
recently,
so
I
hadn't
seen
it
I
haven't
looked
so
when
we
did
validating
there
or
when
we
did
we're
initially
choosing
cell.
C
There
was
a
comparison
to
what
currently
existed
in
the
wild
and
I
haven't
had
a
chance
to
read
this
apologies
if
it's
already
there,
but
have
you
compared
this
against
how
how
existing
mutation
is
described
right
as
I
recall,
Opa
allows
mutation
as
a
for
instance,
and
comparing
this
to
that
seems
useful.
C
Against
mutating
web
hooks,
I
could
see
where
you
came
to
Json
patch,
because
I
think
that's
what
we
did
there,
but
I
think
with
the
evolved
world
of
server-side
apply
and
using
that
schema
to
make
good
decisions
about
how
to
actually
do
replacement
and
merging.
We
have
another
option
I'd
like
to
see
considered
before
choosing
One
Direction
or
the
other.
F
Yeah
I
think
that
sounds
good,
so
I
guess
I'm
trying
to
gauge
for
127.
F
If
we
want
to
accept
like
a
provisional
cap
that
says,
explore
these
Alternatives
and
also
even
if
we
put
like
waiting
for
validating
admission,
to
go
to
Beta
as
an
alpha
criteria
like
that
would
make
sense
too.
D
Yeah
I
think,
like
David,
is
saying
a
list
of
options
or
Alternatives
in
the
cap
for
how
to
actually
do
the
mutating
part,
yeah
I
think
that's
until
we
get
experience
on
the
configuration
I
think
the
part
of
the
piece
of
value
is
like
how
to
actually
do
the
mutation
and
I
think
more
options
would
be
or
like
a
compare.
D
That
would
be.
That
would
be
useful
but
at
the
same
time,
priority
waiting
I'd
rather
get
more
progress
on
validating
cells
so
like
if
this,
if
this
is
funging
against
validating
cell
I'd,
prefer
to
get
more
progress
there.
If
it's
not,
then
I
think
it'd
be
good
to
get
a
list
of
comparisons
and
I.
D
Don't
think
it
is
super
important
to
get
it
to
get
this
kept
merged
in
this
time
frame
right
if
we're
especially,
if
we're
waiting
for
further
progress
and
validating
before
we
actually
start
implementing
this
so
I,
don't
think
you
I,
don't
think
we
should
need
to
rush
anything
for
the
for
the
deadline.
C
F
D
Yeah
yeah,
no,
we
definitely
want
yeah.
We
definitely
want
mutating
because
we
want
to
expand
the
number
of
web
hooks
that
people
can
get
rid
of.
C
Yeah,
so
I
am
definitely
in
favor
of
mutating
I.
Have
my
biggest
question
is
about
how
we
figure
out
what
to
mutate
and
then
I
will
have
a
look
I
think
there's
a
couple
use
cases
that
we
have.
That
are
unusual,
where
we
have
one
area
of
an
object,
point
to
another
area
of
the
object
and
say
mutate
here.
Yes,
so
I
want
to
want
a
chance
to
add
that
in
there
I
don't
want
to
discourage
you
but
I'm,
not
confident
that
it'll
be
ready
for
implementation.
When
127
starts.
D
Yeah
another
another
thing
that
cap
should
highlight
is:
are
we
going
to
permit
these
cell
Expressions
to
make
any
sort
of
like
network
access,
call
look
up
other
objects,
things
like
that
I,
don't
even
know
if
I
have
an
opinion
on
that,
but
the
cap
definitely
needs
to
definitely
needs
to
tell
people
what
they
can
expect.
D
Does
that
lock
you
into
making
a
web
hook,
or
are
you
eventually
going
to
be
able
to
do
do
that
with
a
cell
expression,
yeah.
F
I
I,
yeah
I
would
I
would
think
anything
requiring
network
access
to
anything.
External
would
defer
the
web
hooks,
but
I
do
plan
on
supporting,
like
parameter
objects
like
validating,
and
you
can
use
the
value
of
a
parameter
object
to
set
mutate
some
field
in
the
current
object,
or
something
like
that.
D
Yeah
so
yeah-
maybe
maybe
that's
good
enough
yeah.
That
would
be
an
interesting
use
of
yeah.
That'd,
be
a
good
thing
to
write
down
and
talk
about
like
I
I
could
I
could
even
see
like
since
API
server
has
nearly
everything
cached
anyway.
Let
it
do
a
cheap
lookup
of
something.
D
I
I
I
I,
I,
I,
I
I'm,
saying
it
should
be
explained.
Why
or
why
not
in
the
in
the
cap,
I'm
not
promising
I
agree
with
I
agree
with
that.
C
Okay,
I,
don't
think
I
have
strong
opinions.
Namespace
metadata
is
something
that
sell
the
validating
admissions
supposed
to
pick
up.
I
think
this
release
see.
D
If
you
can
get
everything
into
a
parameter
object
and
that's
not
inconvenient,
then
there's
not
much
else
to
do
right.
Yeah.
D
A
Yep
looks
like
record
all
the
topics.
Thank
you
for
the
good
discussions.
I
will
upload
this
recording
later
today,
posted
in
the
channel
and
we'll
see
you
hopefully
in
two
weeks,
stay
safe.