►
From YouTube: Kubernetes SIG API Machinery 20201007
Description
- [jdetiber] Demo / discuss https://github.com/thetirefire/badidea
- [jqmichael] Quick follow up on the discussion from July 15th 2020, “exclusion-based options to webhook configuration”.
- [soltysh] Aliases for related resources https://github.com/kubernetes/kubernetes/issues/95280
A
We
are
recording,
we
are
live
hello.
Everybody
thank
you
for
joining
us
today
in
the
kubernetes
sea,
apa
machinery
meeting.
We
have
a
very
nice
agenda
today
is
october
7th
2020,
this
wonderful
2020.,
so
I'm
presenting
the
agenda.
I
will
stop
presenting
to
allow
our
first
presenter
today,
jason,
to
give
us
a
demo
of
something
called
they've
been
working
on.
Give
me
a
second
and
stop
recording
these.
I
know
stop
presenting
okay,
all
yours.
B
All
right,
so,
hopefully
that's
coming
through
right
now,
yes,
so,
to
give
a
brief
overview,
I
decided
to
throw
out
a
crazy
idea
on
twitter.
A
few
weeks
ago,
I've
been
working
on
a
project
called
tinkerbell.
That's
you
know
trying
to
bring
kind
of
like
cloud-native
infrastructure
management
into
the
data
center,
and
one
of
the
things
that
we
started
doing
is.
Is
we
wanted
to
try
to
implement
an
event-driven
workflow
and
some
of
the
things
that
we
started
implementing?
B
For
that
reminded
me
a
lot
of
kubernetes
and-
and
I
kind
of
wish
we
could
just
reuse
some
of
the
kubernetes
api
machinery
and
stuff
to
kind
of
implement
some
of
the
things
that
we
were
doing
and
that
brought
me
down
this
whole
rabbit
hole
of
you
know.
Would
it
be
possible
to
build
a
minimally
viable
and
embeddable
api
server?
B
That
has
just
enough
components
to
be
able
to
host
and
manage
crd
type
resources-
and
I
know
folks
have
talked
about
that
various
times
over
the
past
couple
of
years,
but
I
had
trouble
finding
any
actual
concrete
implementations
of
it.
So
what
I'm
presenting
today
is
basically
the
kind
of
proof
of
concept
type
work.
I've
been
doing
about
trying
to
actually
do
the
thing,
and
you
know.
Basically,
what
is
the
goal
you
know
be
able
to
embed
a
minimal
api
servers
capable
of
supporting
crds
into
a
standalone
application.
B
I
I
didn't
want
to
have
to
recreate
and
duplicate
code
from
upstream,
if
at
all
possible,
I'd
like
to
use
what's
already
there
and
available
where
wherever
I
can
also
because
this
is
embedding
into
an
application,
I
want
to
avoid
exposing
a
necessary
port.
So
you
know
in
the
example
that
I'll
be
showing
in
a
little
bit.
It
actually
runs
that
cd
and
it
runs
the
aggregated
api
server
and-
and
I
didn't
want
all
of
these
things
to
actually
have
separate
http
endpoints.
B
B
You
know
it's
more,
like
kind
of
the
kubernetes
the
hard
way
of
api
servers,
it
would
be
possible
to
build
something
using
this,
but
it's
not
very
user
friendly
and
I've
really
grown
to
like
the
crd
type
tooling,
that
we
have
where
it's
really
simple,
to
define
the
types.
It's
really
simple
to
define.
You
know
the
applications,
it's
not
necessarily
tied
to
go.
Go-Based
implementations.
B
It
has
a
lot
of
nice
tooling,
but
it's
still
kind
of
tied
around
the
you
know:
command-based
architecture,
where
it's
like
you,
you
get
a
cobra
command
and
you
run
the
cobra
command
and
kind
of
the
same
with
api
server.
Runtime,
and
you
know
I'd
really
love
to
be
able
to
leverage
some
of
the
cue
builder
tooling.
But
you
know
that
kind
of
assumes
that
you
already
have
the
kubernetes
cluster
up
and
running.
B
So
and
then
you
know,
then
it's
like
okay.
Can
I
dig
into
the
underlying
libraries
and
one
of
the
first
things
that
I
found
is
that
there's
a
lot
of
verbosity
in
trying
to
use
the
underlying
libraries
directly
so
it
it
doesn't
really
seem
like
a
feasible
way
to
tell
people
to
kind
of
like
implement
this
on
their
own
there's
a
lot
of
replicated
configuration,
especially
when
you
talk
about
delegated
api
servers.
You
know,
there's
you
know
you
have
to
pass
some
common
config
among
all
of
them.
There's
separate
config.
B
That
needs
to
be
done.
It
there's
a
lot
of
complexity
there,
and
all
of
this
is
really
highly
tied
to
cobra.
You
know
you,
you
define
the
options
and
then
you
complete
the
options,
and
then
you,
you
know
take
it
that
and
you
input
that
into
the
config.
Then
you
complete
the
config
and
then
it
goes
into
the
command
and
and
so
forth,
and
and
I
wanted
to
try
to
kind
of
see
if
I
can
focus
on
a
more.
B
You
know
api
native
model
and
you
know
quite
a
bit
of
the
functionality,
especially
when
you
get
into
like
the
delegated
api
server
bits.
All
of
that
functionality
generally
lives
in
kk
and
it
gets
back
into
that
same
issue
of
vendor
and
then
kk
and
you
know,
even
if
you
could
vendor
it
in
and
it
wasn't
in
kk.
B
If
I
list
out
the
api
resources
currently,
the
only
things
that
are
exposed
right
now
are
api
services
and
custom
resource
definitions.
Obviously,
there's
going
to
be
need
to
be
more
implemented
to
fully
support.
You
know
non-trivial
crds,
but
this
was
enough
to
get
things
up
and
running
and
just
prove
that
I
could
run
the
minimal
server
needed
to
just
support.
B
B
There
we
go,
I
don't
know
what
happened
in
that
other
window,
but
if
I
do
a
get,
I
actually
see
that
the
resource
is
there
and
you
know
populated
the
way
that
I
expect
it
to
be
so
from
the
basis
of
a
you
know,
single
version
stored
crd,
that
is,
cluster
scoped.
This
project
is
already
functional
and
let
me
switch.
B
B
There
would
be
great
what
I've
kind
of
taken
to
call
in
like
the
core
core
components:
the
the
bits
that
are
needed
out
of
core
just
to
support
the
crds.
So
far
I
know
there's
going
to
be
namespaces
support.
I've
already
started
working
on
that,
hopefully
I'll
be
able
to
sort
that
out
soon.
Rbac
will
definitely
be
needed
because
you
know,
if
you're
going
to
invent
this
in
your
application.
B
You
want
to
have
some
type
of
security
model
and
it
seems
decent
to
be
able
to
leverage
our
back
where
possible,
config
maps,
possibly
secrets
and
then
something
to
support
the
defaulting,
validation
and
conversion
web
hooks,
because,
ideally,
you
know
be
able
to
leverage
the
the
tooling
you
know,
so
something
will
have
to
be
figured
out
there.
How
to
work
around
the
services.
B
B
You
know
the
non-deployment
related
components
of
a
kind
of
non-trivial
crd-based
project,
and
I
just
kind
of
picked
cert
manager,
out
of
the
hat,
for
that
and
and
if
it's
possible
to
run
cert
manager
with
the
deployment
based
components
the
web
hooks
outside
of
you
know
this
api
server
are
the
components
actually
functional.
I
feel
like
that's
a
good
kind
of
test
and
the
last
bit.
You
know
part
of
the
reason
why
I
started
looking
into
this
was
the
whole
idea
of.
B
B
Any
clients
for
your
application
are
talking
directly
to
your
service,
but
then
you
know
once
you've
bootstrapped
a
kubernetes
cluster.
You
know
the
idea
is:
is
this
should
be
able
to
reach
out
to
that
kubernetes
cluster?
It
should
be
able
to
sync
kind
of
the
resources
that
it
knows
about
and
do
that
at
an
api
server
level
rather
than
you
know,
trying
to
do
eight
std
synchronization,
because
then
you
have
to
worry
about
you
know,
is
the
storage
version
between
you
know
the
ap,
this
embedded
api
server
and
the
kubernetes
cluster.
B
That's
running
the
same.
You
know
try
to
throw
all
of
that
out.
Just
api
server
based
sync
of
the
actual
resources
that
this
service
knows
about
and
and
avoid
any
of
the
other
various
kubernetes
types
that
the
actual
kubernetes
cluster
may
know
about,
and
then
once
things
are
synchronized
you
know
it
doesn't
make
a
lot
of
sense
to
have.
The
client
need
to
know
that
there's
two
different
endpoints
to
talk
to
you
know.
Oh
for
boot
trapping
purposes,
I
need
to
talk
directly
to
the
service,
but
then,
if
kubernetes
available,
should
I
talk
to
kubernete?
B
You
know
trying
to
put
that
logic
into
the
client
seems
a
little
crazy.
So
I
have
the
idea
that
we
should
be
able
to
continue
to
proxy
requests
through
to
the
kubernetes
cluster
when
it's
available,
so
the
kubernetes
cluster
itself
is
kind
of
the
record
of
origin
and
the
client
is
still
talking
to
our
service,
but
instead
of
communicating
directly
with
the
embedded
api
server.
That's
you
know
just
through
the
process.
You
know
worrying
about
the
process
of
syncing.
B
C
B
Yeah,
I
think
that
gets
into
some
of
the
same
challenges
around
the
deployment
components.
I
think
you
know
I
haven't
really
dove
too
deep
into
that,
because
I
you
know
I
was
trying
to
prove
out
just
the
initial
components.
To
start
with,
and
the
name
spaces
have
kind
of
been
kicking
my
butt
a
little
bit,
because
some
of
that
code
needs
to
be
replicated.
D
C
Yeah,
I
I
I
have
a
bunch
of
thoughts.
All
my
first
one
is
is
actually,
I
think
you've
got
two
ideas
here.
The
the
second
one
is
you're,
actually
talking
about
a
right
through
cache,
almost
right.
It's
like
people
have
asked
us
to
do
that
for
cubelet
right
like
make
it
functional,
even
when
the
control
plane
is
not
there
and
yeah.
It
hasn't
worked
so
far.
C
E
About
just
want
to
share,
but
make
sure
to
understand
the
idea
here
when
you're
talking
about
adding
namespace
support.
Do
you
see
the
namespaces
present
in
the
little
crd
server
that
you
made
as
consistent
with
the
namespaces
in
the
kubernetes
cluster
that
you're
attaching
it
to,
or
do
you
see
them
as
distinct
just
so
that
I
make
sure
we're
talking
about
the
same
thing.
E
B
Yeah,
I
think
the
sync
sets
for
this
use
case
are
are
likely
fine,
like
I
said,
like
the
idea
here,
like
there's,
really
two
use
cases
in
mind
because
we
are
taught
like
this
came
about,
because
I
don't
know
if
I
mentioned
the
project
the
tinkerbell
project,
trying
to
do
infrastructure
management
and
be
able
to
handle
like
the
disaster
recovery
scenarios
and
having
a
hard
dependency
on
kubernetes.
There
doesn't
necessarily
make
sense,
but
there's
going
to
be
a
lot
of
people
who
will
also
be
using
kubernetes.
B
C
C
B
So
from
my
perspective,
you
know
one
of
the
things
I
mentioned
there
is,
I
really
don't
want
to
have
to
reinvent
too
many
wheels
and
I
don't
want
to
have
to
manage
too
much
stuff.
So
I
would
be
more
than
happy
to
work
with
y'all
to
try
to
refactor
some
of
this
stuff
out
to
a
more
consumable
state
if
the
group
is
open
to
it
for
sure.
C
Yeah,
because
the
aggregator
and
the
extensions
api
server
are
fairly
reasonable
to
consume,
like
as
as
they
are,
it's
actually
the
built-ins
one
that
is
not
reasonable
at
all
to
consume,
because
it's
all
like
mashed
together.
So
this
is
kind
of
a
question
to
david,
like
like
yeah.
What
do
you
think
about
this.
E
So
I
like
the
idea
of
this
project,
I
like
the
idea
of
building
up
to
it
and
not
building
down
from
it
right,
so
I
I'm
supportive
of
the
idea
of
trying
to
build
a
server
up
to
provide
the
functionality
that
you
want.
I
don't
want
to
try
to
take
a
cube
api
server
and
turn
things
off.
That
would
make
me
pretty
unhappy
because
I
think
risk
wise.
We
would
have
an
accent
I
would
like
to
before
fully
endorsing
it.
E
The
name
spaces
are
weird
they're,
so
old
here
when
you
go
in
and
try
to
delete
them
and
finalize
them,
you
have
a
lot
of
logic
around
how
they
work.
It's
all
built
around
these
internal
types,
to
provide
validation
for
the
types
that
you're
going
to
be
using,
and
I
guess
I'm
probably
of
the
opinion
that
at
this
point,
people
are
used
to
external
types
enough.
E
E
E
I
don't
know,
maybe
machines,
imagine
you're
you're
running
some
service
that
provides
physical
machines
and
you
want,
because
for
groups
of
those
physical
machines,
you
don't
want
to
wire
your
access
control
to
name
spaces
in
the
hosting
cluster
right.
You
want
to
have
a
different
concept
of
authentication
and
authorization.
C
F
F
Hat
cycle
sometimes,
and
anyway,
yeah
david
h,
was
just
saying
about.
I
just
want
a
place
to
build
a
controller-
that's
not
really
connected
to
kubernetes,
because
that
pattern
lends
itself
to
so
many
useful
abstractions
where
I
have
like
listeners
and
farmers,
and
it's
just
basically
the
reconcile
pattern
where
I
want.
I
want
a
declarative
state
that
other
actors
can
communicate
and
save
that
state,
and
you
can
build
a
lot
of
things
that
way.
F
I
think,
as
far
as
namespaces
go
in
my
mind,
I'm
kind
of
looking
at
it
like
a
separate
database
server,
where
it's
just
strictly
for
partitioning
in
our
back.
So
I
might
have
one
group
of
applications.
It's
talking
to
this
namespace
space,
but
yeah.
I
wouldn't
expect
it
to
be
tied
to
any
underlying
kubernetes
name,
space
or
server.
C
F
G
A
B
You
know,
looking
at
the
controllers
that
I've
been
dealing
with,
they've
used
config
map
for
like
the
leader
election
locking,
but
this
is,
I
think,
definitely
would
fall
in
scope
as
far
as
server
side
apply,
I'm
kind
of
either
way
on
that
one.
You
know
if
we
get
it
for
free
out
of
the
api
machinery
stuff
great.
If
not,
then
it's
not
really
a
huge
loss
for
the
use
cases
that
I
have
in
mind.
E
Yeah,
I
think
you
will
get
it
for
free,
so
I
will
also
come
down
on
the
if
this
is
going
to
be
used
by
controllers
and
if
controllers
are
going
to
use,
server
side
apply,
and
then
that
is
one
of
the
ga
requirements
to
talk
about
is
getting
at
least
one
controller.
You
service
that
applied
approval
that
works
well,
I
think
that
you're
gonna
need
service
that
apply
to
be
able
to
participate
in
that
area.
C
A
C
B
Yeah,
definitely,
you
know
as
soon
as
I
get
a
little
bit
further
in
the
implementation
and
get
a
better
feel
for
what
the
api
is
looking
like,
then,
at
that
point,
I'll
be
ready
to
open
up
more
discussions
about
potentially
some
proposals
of
you
know
how
we
could
potentially
make
some
of
this
more
easily
consumable
instead
of
having
to
duplicate
it.
But
yeah.
Thank
you
for
entertaining
my
apparently
not
so
bad
ideas.
C
A
I
So
I
believe
the
conclusion
from
that
discussion
was
adding
the
exclusion-based
list
to
webhook
configuration
was
not
the
direction
the
community
wants
to
move
forward,
but
the
problem
still
exists.
So
I
just
want
a
quick,
quick
follow-up
on
the
long-term
recommendations
that
community
have
would
that
be
each
webhook
user
author
set
a
reasonable
configuration
policy
or
we're
considering
like
adding
like
as
daniel
mentioned
in
the
github
issue,
a
kind
of
a
list
of
critical
objects
that
the
cluster
operator
can
optionally
enable
saying
we're
not.
C
E
D
E
E
C
H
E
I
E
I
think
that's
what
we're
talking
about.
I
don't
know
that
either
myself
or
daniel
is
ready
to
say.
Yes,
that's
definitely
going
to
work
well,
I
think
I
think
part
of
the
request
is
someone
if
they're
motivated
to
look
into
this
trying
to
to
build
out
what
that
would
look
like
and
see
you
know
in
a
prototype.
Does
it
actually
work?
Well.
C
E
A
A
D
D
We
are
not
using
that
much,
so
I
figured
out
that
we
could
probably
reuse
that
kind
of
that
kind
of
category
and
expose
to
people
all
the
different
configuration
options
that
we
have
david
and
stefan
proposed
that
we
could
probably
somehow
group
these,
because
maybe
we
have
hooks
by
itself
is
not
necessarily
sufficient.
Maybe
we
could
have
some
logical
categories
that
will
be
grouping
resources
of
similar
functionality
or
related
functionality
in
some
logical
groups.
D
That
will
help
find
those
information,
because,
obviously
knowing
that
it
is
called
mutating
additional
web
co,
web
hooks
or
validating
admission
web
hooks
is
very
long.
Although
we
have
the
tube
cattle
api
resources,
which
will
give
you
the
list
of
all
the
possible
resources
that
the
any
server
you're
talking
with
has
but
gripping
through
that
it.
It
is
cumbersome
for
sure
so
and
and
to
answer
it
daniel's
question.
No,
there
are
no
short
names
for
mutating
admission
of
hooks,
nor.
H
C
D
C
E
C
C
E
C
C
C
G
Yeah,
I
love
the
idea,
but
I
I
mean
I
question
whether
this
needs
to
happen
in
the
api
server.
This
seems
like
it
could
just
be
an
extension
to
the
cube
cuddle
tool
itself,
but
I
mean
the
ap.
The
api
is
to
get
this
information
exist
right,
so
it
just
seems
like
we
could
create
a
new
top-level
command,
which
is
you
know.
I
think.
C
Yeah
walter,
let
me
let
me
see
how
I
think
it
works,
and
people
can
correct
me,
but
I
think
the
way
it
works
is
we.
We
tag
our
our
apis
in
the
discovery,
information
with
what
group
they're
or
what?
What's
I
don't
know
what
the
word
for
this
is
what
thingy
they're
a
member
of
and
then
the
cube
control
already
has
a
command
which
will
list
all
resources
of
some
particular
category.
Yeah
category
things,
that's
something
so
there's
actually
no
like
the
cli
work
is
already
done.
C
D
C
D
A
Yeah,
I
think
that
is
the
last
big
topic
that
we
have
for
today.
If
you
came
yesterday
to
the
back
triage
or
you're
going
to
come
in
the
future,
you
will
see
that
now
we
are
starting
to
use
aliases
the
labels.
Sorry
not
aliases
the
labels
for
the
triage,
which
is
great-
and
I
will
add
a
note
here
and
that's
all
for
today.
I
will
upload
this
recording
later
in
the
afternoon,
will
be
available
for
everybody.