►
From YouTube: Kubernetes SIG API Machinery - 20220921
Description
*[lavalamp, pohly] Add whole-object logical clock field, or relax client RV constraints, to support “assumption caches”? https://github.com/kubernetes/kubernetes/pull/112202
*[lavalamp] subresources vs fine grained permissions. See doc (shared with api machinery mailing list).
thoughts on using CEL for this (design 5)
because CEL is non-default, optional, example of https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement which is off by default causing confusion for developers and cluster operators
thoughts on using secondary authz checks (~design 4)
*[deads2k] - choose which KEPs we want in 1.26 in the next week or so.
https://github.com/orgs/kubernetes/projects/98/views/1
*Shameless Plug: Virtual Session at Kubecon NA - API Machinery deep dive: https://kccncna2022.sched.com/event/182Mo
A
And
we
are
on
good
morning
good
afternoon
good
evening,
depending
where
you
are,
this
is
kubernetes
sea
api
machinery
by
weekly
meeting
today
is
the
beginning
of
a
new
season
in
all
the
hemispheres,
the
fall
for
the
northern
hemisphere,
the
spring
for
the
southern
hemisphere.
So
times
of
changes,
thank
you,
everybody
for
coming.
We
have
a
couple
of
topics
from
lava
lamp
into
the
agenda
today,
so
I
would
say:
let's
get
to
them.
B
Sure,
let's
see,
I
think
this
first
one.
Well,
I
don't
know
we'll
see
we'll
see
if
it's
controversial
or
not.
Basically,
if
you
look
at
this
pr,
the
the
goal
here
is
to
add
a
and
the
author
has
called
it
a
assume,
cache,
basically
to
add
it
to
clanko.
What
this
thing
seems
to
do
is
when
you
make
a
write
to
api
server.
C
B
Yeah,
to
put
it
another
way,
what
I
just
described
is
fine,
if
you're
only
looking
at
individual
objects,
but
if
you're
looking
at
combinations
of
objects.
Once
you
do
this,
you
have
put
things
in
your
cache
in
an
order
in
which
they
haven't
appeared
in
the
server
and
if
you
compare
two
objects,
one
of
which
you've
written
to
and
one
of
which
you
hadn't
haven't.
We
can
probably
come
up
with
some
sort
of
guarantee,
but
it
may.
C
B
D
B
Is
there
is
that
your
prop
jordan,
that
doesn't
make
it
impossible
to
solve,
but
it
does
mean
that
you
would
you
would
like
like,
for
example,
you
could
just
lock
everything
until
you
observe
the
right,
the
the
watch
event
corresponding
to
your
right
that
solves
the
problem
and
maintains
the
property
that
david
is
talking
about
at
the
cost
of
like
locking
the
entire
cash
for
all
consumers
for
a
long
time.
Well,.
D
B
Yes,
yes,
now
you
get
to
the
problem
for
why
I
have
put
this
on
the
agenda
because
there's
actually
no
way
to
do
this
at
all
on
our
in
our
system,
because
you
can't
compare
you're
not
supposed
to
compare
resource
versions
right
and
you're,
not
guaranteed,
to
see
an
exact
change.
So
how
do
you
know
if
a
watch
event
is
older
or
newer
than
the
thing
that
is
in
your
cache
right
now,
so
I
I
can
like.
B
I
think
it's
actually
not
possible
today
and
I
think
I
can
think
of
two
ways
of
making
it
possible.
The
first
way
is
to
relax
our
constraint
on
not
letting
clients
parse
the
resource
version.
If
we
let
clients
parse
the
resource
version,
which
in
fact,
clients
do
anyway,
even
though
we
tell
them
not
to,
then
you
could
compare
resource
versions
to
see
if
something
is
older
or
newer
and
solve
the
problem.
That
way.
B
D
B
D
D
B
B
C
D
Well,
you
know
we
do
still
have
work
percolating
around
the
edges,
that
maybe
it
doesn't
need.
Maybe
we
don't
want
it
to
be
a
64-bit
integer.
You
know
I'd
be
up
for
something
a
little
more
abstract.
You
know
we
provide
an
abstraction
that
can
compare
for
you
know
ordering
without
revealing
exactly
that.
It's
an
integer.
B
The
easiest
way
I
thought
of
doing
that
is
just
to
put
a
few
like
set
a
few
bits
at
the
most
significant
side
of
the
n64,
so
that
it's
different
for
different
collections,
which
would
make
it
very
difficult
to
compare
without
a
lot
more
processing.
So
so
that
like.
If
we
want
to
relax
our
constraint
and
say
okay,
you
can
do
some
comparison,
maybe
at
the
same
time
we
can
be
like,
but
we're
going
to
make
it
actually
difficult
to
compare
across
resource
versions
where
we
are
sorry
across
collections.
B
D
D
Let
me
remind
you,
I
I
don't
know
if,
if
you
know
steve
presented
his
work
here,
but
you
know
steve
kuzner's
work
on
the
storing
direct
to
cockroach,
he
pretty
much
needs
all
64
of
those
bits,
they're
they're
they're
kind
of
precious
and
he
would
rather
have
more
bits,
but
he
can
kind
of
get
away
with
squeezing
it
into
64
bits.
But
I
wouldn't
ask
it
to
be
squeezed
into
any
fewer.
C
D
D
D
Yeah
I
mean,
could
I
mean
you
kind
of
touched?
The
next
question
I
was
going
to
ask,
is
you
know,
could
we
do
a
transition
where
we
introduce
an
abstraction
to
use
instead
of
parsing
and
then
at
some
point
we
change
the
strings
that
appear,
so
the
abstraction
keeps
working
because,
of
course,
we've
shipped
an
implementation
that
will
keep
working,
but
the
strings
will
will
break
clients
that
are
not
using
the
abstraction.
C
C
A
D
B
D
B
B
E
Also,
the
client
libraries
we
provide
like
then
get
used
by
programming
languages
which
will
pull
out
those
string
fields
and
parse
them.
Like
the
client
libraries
we
provide,
aren't
doing
parsing
today,
so
the
part
thing
is
being
done
by
other
people's
code
built
on
top
of
those
libraries
and
experience.
Updating
the
client
go
like
token
refresh
stuff
in
114
time
frame
has
shown
like
you
can
wait
years
and
you
won't
get
adoption
of
new
versions
of
client
libraries
in
the
ecosystem.
D
Yeah
I
can
see
how
that
could
be
a
practical
problem
right.
So
now,
there's
stuff
going
on
in
the
chat
right.
The
problem
with
string
ordering
is
it's
not
consistent
with
the
integer
ordering
we
have
now
right
if
we
could
somehow
switch
to
string
ordering
that
would
be
much
more
powerful
than
63-bit
integers.
That
would
be
a
great
solution,
but
I
don't
we've
just
been
talking
about
why
we
can't.
C
C
B
D
E
D
Yeah,
I
kind
of
right.
I
agree
with
jordan
right.
I
would
like
to
see
this
to
be
an
opaque
string,
ideally
with
a
wrapped
in
the
distraction
we
ship.
But
you
know
the
conversation
has
just
reiterated.
It's
a
63-bit
end.
We
can't
change
it
from
anything,
but
I
mean
63
billion
right
and
if
we're
going
to
insist
that
it's
going
to
stay
a
63
bit
end,
let's
just
admit
that
it's
a
63
bit
end.
C
B
D
Oh
actually,
oh
right,
yes,
okay,
you're
using
so
first
so
to
be
clear
right.
The
suggestion
was
to
use
both.
So,
let's
just
understand
correctly
the
suggestion.
One
version
of
this
is
keep
the
resource
version
for
bid.
Parsing,
add
a
whole
object,
generation
number
all
right
and
then
in
lists
there
is
no
whole
object.
Generation
number
that
makes
sense,
there's
only
a
resource
version,
a
but
a
controller
that
is
caring
about
this
stuff.
It
knows
no,
it's
still
not
good
enough
yeah.
So
daniel,
I'm
not
sure.
I
understand
what
you're
saying.
B
E
B
E
B
A
B
B
E
B
E
B
D
D
No,
that
would
still
be
a
conflict,
though,
wouldn't
it
I
mean,
if
you
I,
I
think,
we're
getting
into
really
corner
cases.
I
don't
see
the
value
in
you
know
we're.
We
already
live
without
this
whole
object
generation.
Today
we're
hypothesizing,
really
corner
cases
that
could
benefit
from
it.
I'm
just
not
convinced.
B
B
D
B
E
B
Like
our
no
op
right,
detection
has
broken
the
storage
migrator
in
in
the
past
because
it's
like,
oh
you're,
not
making
a
change.
So
I
forget
how
we
solved
that,
but
I
agree
that
we
have
strayed
from
the
topic
very
far,
as
does
anyone
strongly
object
to
telling
people
that
they
can
parse
the
resource
version.
D
D
I
agree
right.
The
problem
is
that
I
you
know
the
current
state
is,
it
is
a
64-bit.
It
is
a
63-bit
end,
but
you
can't
parse
it
right.
That's
what
was
strongly
emphasized
in
this
meeting
earlier
right.
So
the
the
question
is:
do
we
one
way
of
viewing
what's
happening?
Is
the
question
is:
do
we
change
from
it's
a
63
bit,
but
you
can't
parse
it
too.
It's
a
63
bit
and
you
can
parse
it.
E
If
we
wanted
to
frame
it,
you
should
use
this
as
a
big
hint.
Then,
like
yeah
people
will
still
not
read
the
docs
just
like
they
don't
read
the
docs
today,
but
in
the
normal
case,
where
you're
working
in
a
tv
or
you're
working
in
a
system
that
can
fit
within
63
bits
like
the
parsing
works.
Fine
and
if,
if
any
examples
we
give
of
parsing
or
comparing
candlelit
is
a
big
end
that
at
least
starts
to
maybe
shift
the
ecosystem
towards
like
if
you're
gonna
parse
do
it.
This
way,
I
I
don't
know.
D
F
D
I
mean
I'm
sorry
it'll
take
years
to
get
reasonably
completed.
I
don't
even
know
where's
the
right.
Here's
the
question
right.
There's
this
unbounded
universe
of
code
out
there
right.
We
can
make
recommendations
we
can
expect
most
of
it
will
change
relatively
soon,
but
that
doesn't
answer
the
question.
F
B
D
Basic
project
governance
kind
of
question:
here
we
have
a
change
that
we'd
like
to
make
and
we
have
this
unbounded
universe
of
clients
right.
We
can
provide
a
path,
a
migration
path
for
these
clients,
but
we
have
no
way
of
you
know,
making
sure
that
everybody
actually
does
migrate.
But
as
daniel
says,
maybe
it's
enough
to
provide
a
reasonable
path,
a
reasonable
amount
of
time.
D
We're
talking
about
you
know
being
nervous
about
saying
that
it's
only
63
bits.
Okay,
we've
been
talking
about
alternatives
to
63
bits.
Maybe
it's
a
big
end.
Maybe
it's!
We
have
some
other
field,
the
strings
lexicographically
compared
we
could
take
our
existing
ants
and
pad
them
out
so
that
they
lexicographically
compare
right.
So
it's
it's
actually
both
big
and
in
lexicographic
string.
B
Okay,
so
so,
let's
let's
wrap
this
up,
so
we
can
so
we
can
go
on
to
the
next
topic.
I
actually
mike.
I,
I
think
you
convinced
me
the
opposite
that
you
were
intending.
I
I
think,
actually
it's
best
to
make
a
to
make
a
new
field
and
make
it
a
logical
clock,
and
if
people
have
this
problem,
they
can
look
at
that
field.
If
they're,
currently
pressing
resource
version,
we're
not
changing
anything
about
resource
version,
so
we're
not
going
to
break
them
at
all.
B
D
C
B
B
If
you'll
recall
one
or
two
releases
ago,
we
had
a
couple
caps,
one
about
leans
and
and
the
one
about
lean
leans
has
been
in
the
system
for
a
while,
and
we
have
not
given
the
author,
a
very
expedient
response,
and
the
last
time
it
went
through
david
was
very
worried
about.
I
mean
not
that
he
shouldn't
be,
but
was
worried
about
like
permissions,
and
how
do
you
keep
people
from
like
wasting
other
people's
resources
etc
by
holding
objects
open
forever
and
wanted
some
way
to
cap
the
permissions?
B
B
But
if
we
make
all
these
sub
resources
we're
going
to
put
a
client
that
is
like
you
know,
you
know
how
we
have
the
apply
status
and
update
status
and
put
status
like
we're
going
to.
If
we
have
like
six
sub-resources
we're
going
to
duplicate
all
those
methods
for
every
for
everything
and
then
for
every
sub-resource
and
then
controller
authors
have
to
know
which
sub-resource
to
go
to
and
if
they
want
to
do
multiple
things.
B
They've
got
to
make
multiple
calls
because
they
they
have
to
use
the
sub
resource
or
people
won't
be
able
to
to
configure
their
permissions
correctly
and
it
just
becomes
a
large
mess.
And
I
don't
like
it
at
all.
So
I
wrote
this
document
with
a
number
of
other
approaches
that
I
was
hoping
we
could
debate
here,
so
I
think,
fed
if
you
could
go
if
you
could
display
the
document.
That
might
be
a
better,
a
better
thing
for
us.
B
B
Yeah,
okay,
so
let's
go
to
design
five,
let's
go
backwards
because
I
think
the
I
think
five
and
four
are
the
most
plausible
ones.
Design
five
basically
makes
us
a
part
of
the
cel
admission
control
effort
by
making
sure
that
that
that,
if
you
write
a
policy,
you
can
perform
a
secondary,
auth
z
check
to
see
if,
like
there's
an
example
on
the
screen
right
now
like
either
the
labels
match-
or
you
have
this
permission,
which
would
involve
api
server,
doing
a
secondary
auth
check
right.
B
C
Sure
I
think
it's
important
to
have
behavior
around
what
authorization
checks
are
made.
Not
what
the
value
of
the
authorization
check
is
right.
If
cluster
admin
wants
to
be
always
allowed
fine
but
which
authorization
checks
are
made,
I
would
like
to
see
be
consistent
across
every
cube
api
server
out
there,
and
so
I
don't
want
this
check
this
make
this
authorization
check
when
these
fields
are
changing.
I
don't
want
that
to
vary
between
clusters,
cause
I
go
to
cluster
one.
C
Sure
so
so
there
is
a
gc
admission
plugin
today
that
checks
to
see
whether
a
user
has
permission
to
delete
an
object
before
setting
an
owner
reference,
and
it
is
disabled
today,
and
so
some
clusters
you
run
on
are
protected.
You
cannot
issue
an
update
that
results
in
a
phantom
delete,
an
escalation
of
the
garbage
collector
to
actually
do
a
delete
and
other
clusters
are
not
protected.
C
F
I
was
just
going
to
give
a
quick
little
thing
like
we.
The
src
recently
had
a
vulnerability
submission
where
someone
was
like
hey,
I
can
delete
stuff
and
I
shouldn't
be
able
to
it's
like
turn
on
the
admission
plugin
and
then
you
won't
be
able
to,
but
it's
in
our
docs
and
everything.
But
like
people
don't
know
it
exists,
so.
A
C
E
E
So
if,
if
we
are,
if
we
are
strict
by
default,
then
when
people
are
developing
against
a
kind
cluster
or
whatever
they're
going
to
realize
they
need
this
permission,
they're
going
to
take
that
into
account
they're
going
to
write
their
controller
write
their
permissions
in
a
way
that
accommodates
it.
If
a
particular
cluster
wants
to
like
turn
off
protections,
it's
like
okay,
but.
B
C
B
A
A
B
B
Option
four
yeah:
we
can
talk
about
option
three,
first,
okay,
so
just
to
just
outline
them
option.
Two
is
like
how
you
would
build
this
thing
like
to
limit
people
to
particular
fields.
If
your
tools
were
web
hooks
and
crds
and
like
obviously,
you
can
turn
those
off
or
fail
to
install
them
option.
Three
is
what,
if
we
modified
our
back,
which
surprisingly
you
don't
have
to
run
rvec,
you
can
run
other
authorizables.
B
So
that
also
has
this
problem
yeah
mo.
I
see
your
comment.
Aren't
all
admission
plugins
disabled.
Yes,
they
are,
but
that
doesn't
like.
We
have
the
code.
We
can
still
run
an
admission
plugin,
even
if
it's
disabled
right
like
we
could,
we
could
make
a
separate
path
for
turning
it
on
and
off
and
make
sure
that
it's
on
by
default,
so
that
doesn't
seem
like
a
huge
blocker
to
me.
I
think
david
disagrees
with
me,
but
I
I.
C
C
F
B
F
C
I
possibly
I
see
the
difference
between
modifying
our
back
and
creating
a
secondary
authorization
check,
as
as
the
rbac
change
is
more
of
a
how
you
would
get
it
done,
but
the
secondary
authorization
check
is
what
you
would
actually
do.
I've
I've
grabbed
these
two
objects.
I
have
them
before.
I
have
the
after.
I
know
what's
changing
and
now
I
need
to
check
to
see
if
that's
allowed
and
the
only
spot
I
can
do
that
is
either
in
admission
or
in
storage
and
then
to
check
whether
it's
allowed.
C
B
Yeah,
I
think,
if
you
can
scroll
to
design
four,
I
think
a
new
type
is
what
I
proposed
here.
So
basically
just
to
outline
this,
since
it
seems
like
this
is
going
to
be
the
the
winner.
We
do
two
checks,
the
first
one
like
okay,
so
first
like
do
you
have
edit
at
all.
If
you
just
have
a
regular
edit,
then
it
does
what
it
does
today.
If
you
don't
have
regular
edit,
then
we
check
this
some
sort
of
perfield
permission
like
like.
E
I
I
was
just
gonna
say
like
what,
whatever
we
end
up
with,
I
think
a
good
property
is
that
the
expression
of
the
permissions
can
be
done
in
a
single
place
or
in
a
coherent
way,
like
one
of
the
scary
things
that
I
see,
people
having
to
do
is
sort
of
over
grant
permissions
at
the
authorization
level.
To
say
why,
yes,
you
can
update
nodes
and
then
separately
put
some
sort
of
admission
protection,
web
hook
or
cell
or
whatever
it
is.
C
B
B
B
Then
we
don't
really
have
a
choice:
we're
just
going
to
do
regular,
auth,
z
checks.
So
all
we
can
like
we've
got
the
resource
information
and
the
verb
and
the
the
the
subject.
Is
that
the
right
word
and
that's
like
that's
like
all
you
can
that's
all
you
can
get
out
of
a
and
it
gives
you
a
yes
or
no
or
a
deny,
allow.
I
don't
know
triplet
right,
but
that's
all
you
can
do
for
an
aussie
check.
B
E
B
C
B
C
B
F
F
B
F
B
E
E
F
E
Find
green
permissions
like,
on
the
one
hand
you
might
be,
you
might
want
to
say,
like
you,
can
you
can
update
deployments,
but
you
can't
set
liens
on
deployments
like
because
lien
setting
is
like
something
I
want
to
limit.
So
that's
one
one
way
to
frame
it.
The
other
way
is:
oh,
you
are
a
lien
setter.
I
want
you
to
be
able
to
remove
your
lean
from
deployments,
but
I
don't
want
you
to
be
able
to
update
like
anything
in
deployments.
That's
crazy.
B
C
C
B
C
B
C
B
E
Yeah,
they
want
to
say
like
until
these
things
are
true,
this
pod
isn't
really
ready
to
be
scheduled
and
then
they
want
to
have
like
distributed
actors
saying
like
yep.
I
made
this
thing
happen
to
make
this
time
happen
and
only
be
able
to
set
like
their
yep,
I'm
schedulable
now
bit
and
I'm
trying
to
figure
out
how
you
would
express
that
without
doing
that
over
granting
like
yep,
you
can
edit
anything
in
the
pod
and
then
somewhere
else
separately
later
say,
but
actually
only
this.
F
B
F
F
No,
I'm
not
saying
we
allowed
that.
I'm
saying
that
if
you
have
both
update
and
update
lien,
you
can
do
anything
you
want.
You
can
set
liens
and
change
the
whole
thing.
If
you
have
just
update
lean,
you
can
only
do
update
lien.
If
you
just
have
update
you
can
update
everything
but
lean
or
whatever
the
other
fancy.
Things
are
right,
like
they're
bus,
but
there's
just
there's
positive
permissions.
You
can
have
them
both
together
to
do
all
the
things
you
want,
but.
B
B
The
new
object
and
this
bit
that,
like
hey,
you
gotta,
make
sure
that
this
changes
is
authorized
and
then
it
goes
through
and
computes
the
different
fields
and
computes
which
set
of
authorization
checks.
It
needs
to
do
to
let
this
in,
but
that
still
doesn't
solve
jordan's
question
of
like
how
do
I
know
if
I've
got
this
per
field
permission?
How
do
I
know
that
this
person
doesn't
already
also
have
the
edit
thing,
but
I
think
that's
just
a
general
fact
of
how
our
back
or
how
how
our
authorization
system
works.
E
B
That's
not
what's
written
in
that's
not
what's
written
as
indesign
four
and
design
four
is
like.
There
is
a
single
permission
for
update
everything,
there's
a
single
permission
for
do
granular
checks
and
then
in
the
storage
layer.
When
we
know
the
old
and
the
new
object,
we
compute,
which
fields
have
changed
and
we
can
search
for
authorizers
which,
like
like
we
can
we
can.
We
can
have
a
name
for
each
field
like
like
a
programmatic
name,
and
we
can
query
authorizers
to
see
if
they
have
permission
for
that
thing.
F
I
I,
while
I'm
not
like
ecstatic
about
the
code
complexity
of
any
of
this,
I
I
find
that
it
will
probably
be
much
easier
to
explain
to
someone
that
doesn't
work
on
this
code
base
with
us,
which
is
that
this
thing
logically
maps
to
this
field.
This
singular
check-
and
maybe
you
need
this
other
marker
permission-
to
say
that
those
singular
checks
have
to
go
through
or
something.
B
C
B
C
Yeah,
I
just
want
to
make
a
we
have
to
add
the
caps
that
we're
gonna
do
for
126
before
too
long.
So,
if
you
want
your
cap
included,
you
know
bring
it
up
on
the
mailing
list.
Bring
it
up
here,
actually
probably
bring
it
up
on
the
mailing
list
and
we
can
see
about
getting
it
added
make
sure
it
gets
review
bandwidth
and
such.
D
B
A
Yeah
nothing.
It's
just
me
saying
that
coupon
north
america
is
coming,
I'm
not
sure
who
is
going,
but
we
have
a
deep,
deep
dive
session
for
api
machinery.
It
has
two
topics.
Thank
you,
david
for
taking
care
of
it.
Jeffrey
we'll
also
cover
the
second
one.
So
we
have
aggregated
cube
api
servers
and
then
open
api
v3,
and
here
is
the
link
for
the
session.
I
don't
know
if
this
is
open.