►
From YouTube: Kubernetes SIG API Machinery 20221019
Description
[andrewsy] Discuss kube-apiserver identifier format (KEP-1965)
[lavalamp] fine-grained-authz KEP pre-review (follow up from Sep 21 discussion)
[fedebongio] Virtual Session at Kubecon NA - API Machinery deep dive: https://kccncna2022.sched.com/event/182Mo
A
Okay,
it's
recording
and
good
morning,
good
evening
good
afternoon,
depending
where
you
are.
This
is
kubernetes
open
source
Sig
API
Machine
by
weekly
meeting
today
is
October
19th
2022.
We
are
heading
right
into
Q4
of
this
year.
It
flew
by
very
quickly.
We
have
two
great
topics
today
and
I
want
to
thank
the
people
that
helps
us
every
week.
You
know
have
in
every
two
weeks
interesting
things
to
Wisconsin,
so
Andrew
you're,
the
first
one
I
will
give
it
up
to
you
yeah
thanks.
A
A
So
I
tried
to
articulate
all
the
options
we
had
discussed
on
stock
in
the
the
pros
and
cons
of
each
approach
and
the
agenda
notes
so
I
think
after
getting
more
familiar
with
the
code
I'm
personally
in
favor
of
the
hostname
one,
the
cube
API
server,
Dash
hostname
for
three
reasons,
the
first
one
being
that
I
don't
buy
the
argument
around
wanting
to
run
multiple
API
servers
on
the
same
host,
and
even
if
you
did,
you
can
work
around
that
by
assigning
different
pod
names
for
the
cubelet
managed,
static,
pods.
A
So
I
feel
like
there's
like
a
reasonable
prompt
for
that.
Second
being,
if
we're
really
concerned
about
hostname
exposure,
there
are
already
places
where
the
lease
identifier
contains
host
names,
such
as
like
with
leader
election
with
controller
manager
and
Cube
scheduler,
and
that's
the
after
digging
through
a
bunch
of
the
garbage
collection
logic.
It
seems
like
creating
and
requiring
a
garbage
collection
of
leases
for
every
Cube.
A
B
One
second
Mike,
the
the
thing
with
two
API
servers
on
one
system:
I'm,
pretty
sure
that
we
had
at
least
one
person
who
really
wanted
to
do
that
to
the
extent
that
they
added
a
feature
to
let
API
servers
share
the
port.
The
reason
they
wanted
to
do
that
was
that
they
wanted
to
reboot
or,
like
start
one
and
then
stop
the
other
on
us
on
the
same
machine
without
having
a
outage.
B
A
C
B
Oh
kubernetes
uses
the
Pod
name
as
the
container's
host
name
by
default,
unless
you
set
the
hostname
field
in
the
container,
in
which
case
kubernetes
uses
that.
B
But
if
you
run
API
server
in
it's
like
systemd
or
something,
then
you
don't
get
that
feature.
B
So
API
server
uses
the
the
syscall
to
acquire
your
one's
own
hostname,
whatever
that
is.
D
B
D
B
Like
oh
yeah,
that's
a
good
question
I.
If
I
were
doing
that,
I
would
consider
the
second
API
server
to
be
an
extension
of
the
first
API
server
and
give
them
both
the
same
name
and
hope
that
they
didn't
fight
too
much
during
the
brief
amount
of
time
when
they
were
both
alive.
That's.
C
Awesome
so
so
hang
on
thinking
that,
through
with
KMS
or
or
even
with
storage,
we
think
it
through
with
storage
and
it's
gonna
be
careful
I'm
I'm,
not
confident
that
does
good
things.
I
also
I
also
think
I'm,
probably
okay,
telling
a
person.
If
you
wish
to
Run
Two
at
once.
We
would
expect
you
to
give
them
unique
names,
and
even
if
we
didn't
support
it
as
an
argument,
I
I
would
find
the
setting
spec
hostname
work.
Is
it
pod,
spec,
hostname.
B
I
think
it's
not
that
hard
to
to
set
that,
even
if
you're
not
running
inside
cubelet.
C
So
one
of
the
things
that
I
was
interested
in
related
to
this
is:
are
we
going
to
go
for
graceful,
lease
release
and
I?
Think
we
we
do
not
want
to
delete
our
release
when
we
shut
down.
We
want
to
leave
that
up
to
GC.
We
we
did
settle
on
that.
Then
I
know
I
confused
the
issue
by
bringing
it
up,
but
it
didn't
exist.
The
first
time
we
did
this
cap
and-
and
it
does
exist
now
and
so
I
just
want
to
have
an
explicit
like
we
will
not
gracefully
release
I
I.
B
So
I
I
think
we
should
start
without
graceful
release
and,
if
so,
the
case
in
which
that
would
be
useful.
Like
imagine,
you're
scaling
up
or
down
your
control
plane
by
adding
API
server
replicas,
and
you
know
that
you're
removing
one
and
it's
not
coming
back.
It
could
be
handy
to
just
remove
your
lease
completely
and
instead
of
letting
it
be
garbage
collected.
But
it's
not
that
big
of
a
deal
and
I
think
we
shouldn't
Implement
that
unless,
unless
a
lot
of
people
ask
for
it,.
D
B
B
You
that
we're
exciting
or
if
you've
put
pii
in
your
in
your
host
name,
that's
going
to
broadcast
that
to
everybody.
Yeah.
B
Do
they
put
that
in
there
I
see
I
see
okay,
they
might
be
in
different
containers
and
not
have
the
same
host
name
as
API
server.
C
In
terms
of
detecting
this
went
bad
I,
remember
one
of
the
prr
answers
was.
You
will
be
able
to
look
and
see
that
the
Post-Star
hook
did
not
finish,
and
that
seems
valid
to
detect
someone
who
had
a
problem
right.
They
they
had
a
problem,
their
API
server
was,
oh,
you
wouldn't
be
able
to
help
fight.
They
would
both
think
they
had
it.
D
Oh
also,
what's
the
expected
Behavior,
if,
like
an
API
server
crashes,
and
it's
immediately
restarted
by
whatever
Watchdog
is
trying
to
keep
it
up,
should
like
immediately
try
to
hold
like?
Is
it
like,
just
not
cool
that
that
lease
was
technically
lost
for
a
little
bit,
because
the
process
does
withholding
it
got,
killed
somehow
and
well?
I
think
the
point
of.
B
A
C
D
Yeah
I
mean
I
I.
Think
the
human
ergonomics
of
a
fixed
name
are
are
nice.
There
seems
to
be
at
least
you
know
some
quantifiable
benefit
to
just,
let's
not
just
recycle,
a
bunch
of
objects
with
basically
no
op
updates
that
do
actually
change
stuff
and
cause
people
to
care
and
maybe
run
storage
migrations
or
something
and
just
you
know
otherwise,
waste
io
on
the
system
for
no
good
reason.
So
all
that
seems
like
good
reasons.
D
B
I
I
vaguely
I
vaguely
recall
having
a
conversation
with
Highway
I
think
we
were
worried
about
exposing
the
hostname
that
we
weren't
sure
that
it
wouldn't
be
pii.
B
D
D
B
I
mean
and
and
right
it
doesn't
have
to
be
the
system
host
name
right.
It
can
be
the
container
the
host
name
reported
by
the
container
API
server's
end,
which
people
can
set
without
too
much
trouble,
even
if
you're,
not
using
qubit
so
like
I,
think
that's
as
reasonable
a
way
as
any
to
set
this
bit
of
information.
C
D
And
and
we're
just
okay,
we
talked
about
it
just
a
little
while,
but
we're
okay.
If
you
accidentally
give
the
same
hostname
to
separate,
distinct
processes
that
you
can't
actually
tell
like,
which
one
has
it
actually,
they
both
think
they
have
it.
I
guess.
B
Okay,
yeah.
Maybe
we
should
talk
about
that
scenario
a
little
bit
more
because
imagine
somebody's
misconfigured
it
like
they
put
they've
hard-coded,
a
a
host
name
in
their
pod
configuration
and
they
blasted
the
same
pod
configuration
to
all
all
of
their
control,
plane,
nodes
and
so
they've
got
like
three
API
servers
and
they
all
think
they're
called
the
same
thing.
That's
configuration
error,
but
we
probably
it
would
defeat
the
purpose
yeah.
So
so
we
probably
need
to
make
sure
those
things.
Don't
think
that
they're
called
the
same.
D
B
There's
a
present
I
forget
exactly
the
format
of
leases,
but
suppose
you
could
add,
like
I,
don't
know
a
label
or
something
with
a
uuid
and
and
it
would
be
fine
for
that
thing,
to
change
every
time.
It's
just
if
you.
If
API
server,
looks
at
the
lease
and
it
sees
that
it's
got
some
other
UI
uuid,
it
overwrites
it
with
its
currently
generated
one,
and
if
it
keeps
having
to
do
that,
then
we
know
that
we're
fighting
over
the
lease
with
some
other
system
how's
that
that
at
least.
B
C
D
What
if
it
was
like
much
simpler
logic,
which
is
that,
if
you're
doing
an
update
to
fix
that
you
just
increment
a
metric
counter,
and
that's
it
like
you,
you
keep
doing
it,
you
don't
actually
change
your
behavior
at
all.
You
just
say
hey.
This
update
I
did
at
least
part
of
the
reason
I'm
issuing
this
update
to
this
lease
is
because
this
random
uuid
is
different
and
I
increment.
My
metric,
and
if
you
see
this
metric,
going
really
high
up,
you
know
it's
not
working
as
you
expected.
A
B
Yeah
yeah
observability
is
the
first
is
the
first
step.
I
guess
the
question
is:
if
we
need
to
do
more
than
that
or
if
making
it
observable
is
enough,
I
mean.
D
A
D
I
know
I
I
think
that's
I
I'm
not
worried
about
this,
because
I
will
not
make
this
configuration
mistake.
I
am
because
I'm
aware
of
it
so
I'm
not
gonna.
Do
it
I
I'm
more
trying
to
help
others
understand
that
they've
gotten
here
and
so
like
metrics,
you
know
if
you're
looking
you'll
notice,
audit
events,
if
you're
looking
you'll
notice
granted
leases
might
be
Exempted
from
audit
events,
because
they're
noisy.
B
Yeah
I
think
they
are,
we
can
I
think
API
server
if
it
notices
this
number
increasing,
rapidly
needs
to
put
a
warning
or
an
error
in
its
own
logs.
People
do
sometimes
look
at
those.
D
A
D
Well,
for
like
the
purpose
of
like
storage
migration,
regardless
of
if
it's
for
key
rotation
or
storage
schema
changes
does
does
any
of
this
need
to
have
like
the
number
of
expected
API
servers
so
that
way
on
the
outside,
if
you're,
looking
at
storage
version
and
there's
only
one
API
server,
because
the
threes
are
configured
have
the
same
post,
name
I'm,.
B
Fairly
against
trying
to
program
that,
in
like
the
original
coordination
mechanism,
the
API
server
used
to
put
its
endpoints
in
the
endpoints
table
was
based
on
everybody
added
their
own
IP.
If
it
wasn't
in
the
list
and
truncated
the
list
to
the
number
that
they
expected
and
basically
everybody
hated
that
system,
and
so
we
went
to
this
like
yeah
I
mean
this.
Is
this
is
kind
of
a
evolution
of
the
desire
to
not
use
that
system
and
have
API
servers
figure
out
how
many
of
them
there
are.
B
D
Yeah
I
think
the
only
concern
I
have
is,
if
you
were
in
this
misconfigured
State
like
the
encryption
arrest
stuff
might
like.
You
know
you
might
trigger
rotations
earlier
than
you
should,
because
you
think
the
servers
have
converged,
because
you
think
there's
only
one
right
like
one
of
the
things
I
had
in.
At
least
you
know,
some
of
the
alpha
reasoning
was
like,
like
the
the
controller,
that's
gonna
like
kick
off.
D
C
A
C
D
Right
so
I
I
think
when
I
originally
wrote
some
of
that
there
was
some
specific
numbers.
I
had
written
based
on
forget
exactly
what,
but.
D
D
And
we
are
okay
with
something
probing
the
leases
based
on
that
label.
And
thus
they
can
like
with
something
that's
not
built
into
the
system.
Necessarily
doing
that
probe.
D
I
think
it
would
be
fine
right,
you'd
be
able
to
find
the
leases,
and
then
you
know
if
they've
all
been
held
for
some
amount
of
time.
That's
greater
than
small
number
of
minutes,
but
maybe
less
than
an
hour.
I
feel.
B
Like
that's,
okay
I
mean,
depending
on
how
worried
we
are
about
this.
If
API
server
detects
the
condition
we
could
make
it
not
like-
maybe
not
right
to
the
the
storage
storage
versions,
object.
A
C
C
Foreign,
that
way,
you
would
have
something
that
was
persistent,
but
it
would
handle
the
the
restart
case
fairly
gracefully.
It
would
effectively
be
that
second
label,
you
were
talking
about
Daniel
yeah
and
it
would
cause
the
post
start
hope
to
like
delay
indefinitely,
which
would
hit
the
thing
that
Andrew
had
already
said.
You
can
look
at
this
and
say
if
you
don't
go
ready.
This
is
how
you
know
it
why
it
has
happened.
B
Yeah
yeah,
basically
we'd
be
running
a
instead
of
one.
Basically,
we've
been
running
a
leader
election
per
API
server,
name.
D
That
seems,
okay,
now,
I
think
you
get
better
ergonomics
right
because,
like
it
doesn't
it's
unlikely
to
come
up
and
become
healthy
if
the
fighting
is
happening,
so
it
kind
of
dies
loudly
and
then
the
person
goes.
D
B
If,
if
a
failure
mode
for
API
server,
it's
like
I
can't
I
can't
I
can't
lock
my
name
so
I'm,
just
not
going
to
start.
That
makes
it
not
not
work
in
the.
You
deliberately
want
two
things
to
have
the
same
name,
but
maybe
we
shouldn't
let
people
do
that
anyway.
S.
C
You
do
storage
migration,
but
you
don't
need
to
I'm
more
concerned
about
the
KMS
usage
where
I
decide,
I'm
okay,
to
remove
something
and
now
I
can
no
longer
decoup
my
data
yeah
right
so
so,
and
I'm
willing
to
bet
that
the
person
who
wanted
to
do
that
is
Stefan
he's
not
here,
but
he
would
have
wanted
to
do
it
to
reduce
API
server
downtime
during
graceful
release.
Timing.
C
D
Yeah
I
mean
like
I,
guess,
basically
what
we
just
discussed
I
think
I'd
be
comfortable.
If
that
was
like
updated
in
the
captain.
We
just
said
yeah:
let's
go.
Let's
do
that.
B
Yeah,
okay,
okay,
so
on
a
restart
I,
come
back.
I
see
my
old
lease
with
my
old
holder
identity.
How
do
I
know
that
that
old
holder
identity
is
a
former
iteration
of
me
and
not
some
other
API
server
that
I'm
fighting
with.
A
C
C
C
You
have
to
wait
for
that.
The
the.
B
C
No
there's
two
different
processes.
One
is
one
is
saying
if
this
name,
if
this
lease
name
disappears,
I
have
cleanup
to
do
on
the
storage
version,
and
that
takes
an
hour
for
me
to
decide
to
delete
the
entries
from
the
storage
version.
Okay,
then
we
have
a
separate
piece
that
says:
I
hold
this
lease
as
the
holder
for
X
many
seconds
and.
B
B
Okay:
okay,
no,
that
works
good.
That
works
good,
so
we're
gonna
hold
it
for
like
10
seconds
or
20
seconds
or
something
we
take
that
long
to
start
anyway.
So.
A
A
Okay,
I
added
some
action
items
I'll
take
at
the
bottom
of
the
agenda,
so
I'll
send
the
cap
here.
Yeah.
B
Yeah
this
is
so
we've.
We've
we've
effectively
changed
from
a
model
where
we
have
like
three
names
in
the
cluster
to
a
model
where
we
have
three
hats,
and
each
hat
can
only
be
one
by
one
name
at
a
time.
C
B
Okay,
great,
should
we
go
to
the
next?
Yes,.
A
Thank
you
Andrew
for
capturing
some
of
the
discussion
and
then
Daniel
next
one
is
yours.
Do
you
want
me
to
open
this
one.
B
Sure
all
right
I
will
open
my
open
it
on
my
screen
too.
So
I
can,
let's
see
so
we
talked
about
this
two
meetings
ago
and
we
talked
about
it
in
the
Sig
auth,
the
meeting
after
that,
and
basically
the
designs.
The
last
time
this
came
around
didn't
didn't
fulfill
a
second
obligation,
which
is
the
ability
to
add
a
new
field
without
including
that
field
in
the
existing
broad
permission
for
rights,
and
so
we've
come
up
with
a
design
that
addresses
that
and
is
slightly
simpler.
B
The
other
concern
that
Tim
Hawkins
had
was
that
if
we
don't
want
a
system
where
we
changed
version-
and
that
implies
that
you
need
different
permissions
because
that's
too
much
burden
for
system
administrators,
so
the
basic
design
now
is
to
add
to
schema
per
field,
a
tag
describing
the
permission
for
that
field
and
whether
that
permission
is
like,
like
you,
can
grant
that
permission
to
anybody,
and
then
they
can
edit
that
field
or
if
it's,
even
if
you
have
the
regular
permission,
you
still
can't
edit
that
field,
unless
you
also
have
the
special
permission.
B
So
this
is
the
two
modes
yeah,
so
it
becomes
a
part
of
the
API
design
to
describe
what
permission,
if
any,
you
don't
have
to
have
one.
What
permission
goes
with
a
particular
field,
and
this
means
some
implications
for
like
how
you
describe
the
permission.
So
instead
of
let's
see
where's
that
section
instead
of
A
system,
that
I
was
describing
before,
where
the
permission
is
generated
from
the
field
path.
B
Now,
basically,
there's
a
style
guide
for
how
you
set
up
a
permission.
I,
the
one
I
made
up
in
the
cap,
which
is
completely
open
to
change
at
the
moment,
is
the
permission.
Name
has
to
be
a
noun
should
be
in
a
lower
camel
case.
It
should
be
referred
to
like
a
conceptual
attribute,
not
a
field
name
that
helps
you
reuse
the
permission
in
other
contexts.
B
Right,
like
you,
can
imagine
some
permission,
making
sense
for
I,
don't
know
like
both
pod
and
and
like
some
sort
of
networking
thing
or
some
sort
of
storage
thing
right.
So
you
want
to
grant
that
permission
General
generally
over
both
of
those
types
instead
of
generating
an
additional
permission
right
that
the
more
permissions
you
have
the
more
work
it
is
for
system
administrators
to
figure
out
what
is
going
on
and
administer
this
thing
and
the
permission
shouldn't
reference,
all
the
ancestor
Fields
right.
B
So
instead
of
saying
you
know
like
pod.spec
Dot,
node
name,
you
should
just
say
like
node
assignment
and
you
get
a
hierarchical
system
by
assigning
permissions
to
the
like,
so
like
spec
spec
has
a
permission
associated
with
it
and
that
if
you
have
that
permission
that
covers
everything
inside
it
right.
B
So
that's
how
you
get
a
hierarchical
system,
yeah,
so
I
I,
don't
know
I,
don't
want
to
go
through
the
whole
design,
because
it's
kind
of
long.
But
if
anyone
has
questions
now's
a
good
time,
David.
C
Can
you
go
through
an
example
of
how
you
would
have
and
exclude
of
a
label
pattern
from
the
generic
privilege
so
so
I
want
labels
with
start
with
a
pattern
security.openshift.io
to
be
excluded
from
the
generic
update.
B
In
the
design
is
written,
you
can't
do
that.
People
were
only
asking
about
new
fields.
B
I
didn't
even
think
about
labels
with
specific
prefixes
as
being
equivalent
to
new
fields
and
since
the
since
the
permission
system
is
now
going
to
be
part
of
the
spec
and
since
the
built-in
the
built-ins,
including
metadata,
are
shipped
with
kubernetes.
There
wouldn't
be
a
way
to
configure
that,
if
that's
important
to
you,
then
we
can
see.
If
maybe
we
can.
C
I
figure
out
a
way
you
know,
I
was
trying
to
figure
out
how
to
do
it.
I
thought
I'd
be
able
to
do
it.
What
what
if
I
said,
I
want
to
have
an
exclude
of
certain
patterns
on
liens
that.
B
I'd
have
to
think
about
that
that
wasn't
the
request
that
I
had
been
anticipating
the
problem
with
exclude
yeah
it's
difficult
to
support
both
include
and
exclude
on
the
same
field.
D
Well
so,
let's
see
I
had
a
few
things,
and
you
know
some
of
this
is
like
really
small,
like
on
some
of
the
implementation
details
anywhere
that
you
had
about
how
like
some
of
the
wiring
would
work.
I
I
think
I
would
want
the
wiring
to
be
written
in
a
way
that,
if
it's
using
something
like
context
to
pass
state
that
it
always
passes
some
State,
and
if
that
state
is
missing,
they
just
hard
fails
as
an
internal
error.
Saying
I,
don't
know
what
checks
I
need
to
make
instead
of
like.
Oh.
B
A
B
D
The
the
on
the
part
about
where
you're
like,
actually
it's
like,
really
it's
actually
almost
on
screen
right
now,
where
it
says,
marking
existing
Fields.
This
way
with
break
existing
clients,
because
you
know
oxy
is
fully
configurable
I.
One
of
the
ideas
that
David
had
shared
last
time
was
basically
retroactively,
adding
that
stuff
to
like
the
bootstrap
rvac
policy
to
then
allow
and
admission.
B
D
My
thought
on
that
was
there's
two
things:
one.
We
could
just
hard
to
require
you
to
start
using
our
back.
So
that's
that
should
just
be
a
thing,
but
fine.
If
you
don't,
if
you
don't
don't
want
to
make
that
strong
assertion,
we
could
we
could
make
it
so
that
when
our
back
is
not
configured,
there's
just
an
a
new
authorizer
at
the
end
of
the
chain
that
takes
those
Legacy
permissions
and
just
allows
them
to
happen.
B
D
C
C
D
Yeah,
it
might
be
a
little
bit
complex
to
get
it
to
work.
I,
I
I
do
think
it's
tractable
and
the
idea
of
allowing
environments
to
tighten
this
down
sort
of
retroactively
is
appealing
to
me.
So.
B
Along
those
same
lines,
one
thing
I've
considered
but
haven't
written
into
this
is
like
if
a
system
administrator
does
want
to
go
through
the
trouble
of
locking
something
down
extra
and
that's
no
problem
for
them,
because
they
know
how
their
auth
system
is
configured
and
they
can
just
add
in
the
permissions
to
the
people
who
should
have
it
while
taking
it
away
from
everybody.
That
part
is
easy.
The
problem,
the
thing
that
this
design
doesn't
address
is
that,
like
the
the
schemas
for
the
built-in
types,
are
the
same
for
everybody
and
not
changeable.
B
So
if
we
want
administrator
to
be
able
to
lock
down
labels
in
a
special
way
in
their
system,
we
would
need
like
a
way
for
them
to
override
the
the
tags
that
we
ship
on
the
built-in
schemas
or
something
like
that
which
I
don't
have
written
down,
because
I
don't
want
to
do
that
unless
it's
absolutely
necessary.
C
There
are
three
cases
of
type
smoke,
so
there's
there's
one
where
you
are
defining
your
own
schema.
You
have
a
field
on
your
schema
and
you're
going
to
decide.
You
need
a
permission
to
set
this
so.
D
C
Is
the
case
where
you
are
reusing
a
schema
somebody
else
to
find
so
you're
either
reusing
a
pod
spec
or
you
are
reusing,
maybe
meta
V1,
which
is
very
common,
and
you
want
for
your
type,
your
embedded
version
of
meta
V1
to
have
different
rules
and
then
there's
the
third
case
where
you're
a
cluster
administrator.
The
person
who
has
defined
the
schema
did
not
Define
it
as
you
wished.
B
Yeah,
okay,
should
we
let
Tim
say
something:
yeah.
B
Do
do
this
bread
first
Tim.
D
B
So,
okay,
yeah,
let
me
clarify
a
couple
things.
One
is
part
of
the
point
of
putting
this
in
the
schema
is
that
we
will
be
able
to
generate
a
list
of
all
the
permissions
that
there
are
in
the
system
and
you
know
link
back
to
the
types
that
they
apply
to
which
maybe
one
permission
May
apply
in
multiple
places.
Okay,
so
so
that's
that's
one,
the
other.
The
other
other
answer
is
like.
Let
me
be
a
little
bit
clearer
about
how
the
the
deny
system
work
works.
B
It's
not
a
deny
system.
There
is
no
denying
the
the
the
the
two
options
are
either
okay,
so
yeah.
Actually,
let's
just
walk
through
the.
Where
did
I
write
this
the
overall
flow,
which
is
yeah
so
the
first
step,
a
request
comes
into
the
API
server.
The
first
step
is
we
check
the
do
you
have
put
patch
create
you
know?
Do
we
do
you
have
a
mutating
permission?
B
If
you
do,
that's,
that's
the
regular
permission,
we'll
mark
it
as
such
in
the
context
or
whatever
like
Mo
wants,
and
if
you,
if
you
have
that,
we
don't
need
to
check
the
specific
field
permissions,
except
for
the
ones
which
are
marked
as
exceptional
yeah.
That's
that's
step.
Three
I
think
yeah.
If
you
don't
have,
on
the
other
hand,
if
you
don't
have
the
regular
permission,
then
we're
going
to
check
the
granular
permissions
for
everything
that
you
are
attempting
to
change
right.
B
So
it's
like
the
regular
permission
gives
you
you
know
99
of
the
fields
and
for
a
couple
Fields.
There
may
be
yet
another
permission
that
you
need,
but
if
you
don't
even
have
the
regular
permission,
then
you
might
still
be
able
to
make
the
change.
If
you
have,
the
special
permissions
I
feel
like
I,
still
didn't,
explain
that
very
well.
But
hopefully
the
highlighted
bit
on
the
screen
makes
it
clearer
right.
But
at
no
point
are
we
looking
at
what
you
have
and
then
denying
that.
B
So
it
maintains
the
current
it's
like
positive
framing
of
our
back.
B
B
Yeah,
if
you
can
think
of
a
better
way
to
describe
this,
then
yeah
feel
free
to.
Let
me
know
our
Sunday
Sunday
poll
to
my
Branch
here.
A
D
D
B
And
in
order
to
help
people
do
that
the
documentation
is
going
to
have
to
make
a
list
of
the
fields,
so
you
change
the
AP
API
type,
so
I.
If
you
make
a
conflicting
field,
you
would
probably
see
in
this
list.
If
it
is
reasonably
organized,
you
would
probably
see
that
you've
made
a
conflicting
permission
if
you
fail
to
add
a
permission
that
makes
sense
in
the
context
of
the
field.
I,
don't
know
that,
there's
anything
that
I
can
do
to
help
you
with
that.
D
B
Okay,
if
everybody
goes
off
and
makes
their
own
their
own
set
of
permissions,
it's
not
likely
to
work
together
and
somewhere
near
the
bottom
of
this
I
have
a
set
of
ideas
on
how
we
can
do
that.
I
think
I
think
it's
below
this
Friday.
B
If
you
keep
going
down
a
little
bit
yes
by
the
style
guide,
yeah
so
I
suggested
either
put
a
registry
file
in
the
in
the
repository
for
third-party
authors
to
you
know
just
make
a
make
an
entry
there
sorted
alphabetically,
so
you
don't
get
too
many
contact
conflicts
or
something,
but
go
record
that
you're
using
some
permission.
B
What
it's
about
to
make
it
possible
for
other
people
to
use
it,
and
the
other
option
is
third
party
authors
prefix
their
permissions
with
something
unique
to
them
like
namespace,
and
if
anybody
has
better
ideas
than
those
I
would
be
happy
to
change
them
because
I,
don't
think
those
are
very
good
ideas,
but
yeah
I
think
there's
some
there's
some
sort
of
problem.
B
There
I
think
the
build-in
types
are
fine,
because
we
can
generate
them
from
the
docs
and
put
them
in
one
place
in
a
list
and
I
think
humans
are
fairly
good
at
like
looking
at,
like
we
just
don't
Mark
that
file
as
like
generated.
Don't
review,
We
mark
it
as
please
review
the
changes
to
this
file,
even
though
it
is
generated
and
I
think
people
are
going
to
be
relatively
good
at
noticing
that
you've,
you
know,
made
a
duplicate
permission
or
failed
to
use
some
already
existing
permission
Etc
or
have
produced
a
permission.
B
That
is
a
bad
one,
because
it's
only
ever
going
to
be
applicable
in
this
particular
case
it
will
be
impossible
to
reuse
and
so
you're,
just
cluttering
up
the
space.
I
think
that's
something
that
human
reviewers
can
do.
I,
don't
know
how
to
do
that
for
random
series.
D
The
thought
I
have
in
my
head
I
have
absolutely
no
idea
how
to
apply
to
crds,
but
for
a
built-in
API.
Since
we
do
go
through
the
like
the
Hub
type
Could,
you
actually
Define
the
permission
on
the
Hub
type
and
then
have
it
actually
funneled
back
out
to
the
associated
Fields,
oh
or
Associated
concept.
B
I
think
it's
not
that
easy.
You
certainly
can't
get
the
same
permission
applied
to
different
Kinds
by
that
mechanism.
You
might
be
able
to
take
care
of
different
versions,
but
I
think
I
I
think
it
is
less
magical
to
just
have
humans
specify
it
in
all
the
places
where
it
goes.
D
B
That
the
expectation
is
that
we
will
add
these
to
at
least
the
fields
mentioned
in
this
cap,
which
is
mostly
metadata
and
conditions,
and
there's
like
a
couple
of
fields
in
pod,
I
think
mechanically.
We
could
also
do
spec
if
people
think
it
is
going
to
be
generically
useful
to
have
a
permission.
That
means
spec
and
nothing
else.
B
That
that
one's
easy
to
do
mechanically
and
after
that,
like
I
I,
think
that's
enough
to
like
get
this
off
the
ground,
and
if
people
want
to
add
more,
they
can
just
add
them
over
time
and
I.
Think
it's
not
gonna
like
if
you.
If
you
come
up
with
a
use
case,
it
will
no
longer
be
like
a
big
deal
to
do
this.
You
just
add
the
stuff
to
this
to
the
schema
and
check
your
changes
in
and
you're
good
to
go
right.
B
You
wouldn't
be
able
to
retroactively,
make
Fields
excluded
from
the
regular
permissions
unless
we
come
up
with
a
system
for
doing
that.
Yeah
David.
C
C
I've
been
unsuccessful
at
convincing
myself
that
it's
definitely
not
needed,
which
is
not
the
same
as
convincing
myself
that
it
definitely
is
needed.
It
just
means
that
I'm
I'm
there's
three
cases
that
I
described
earlier.
B
C
Exploring
what
those
three
cases
mean
and
comparing
it
against
say,
I
can
think
of
a
couple
either
labels
or
annotations.
We
have
on
name
spaces
related
to
scheduling
where
you
can
say
this
is
the
default
node
selector
for
my
namespace
and
you
must
fit
inside
of
it
and
an
update
to
namespace
permission.
Maybe
shouldn't
include
that
and
that's
one
example.
There
are
other
ones
that
are
openshift
specific.
B
Because
it's
still
a
a
like
positively
framed
system,
like
our
backs,
you
would
have
to
like
first
separate
somehow
separate
the
permission
for
that
specific
label
from
the
permission
from
everything
else
and
then
Grant
it
only
to
the
person
that
you
wanted
and
exclude
it
from
the
regular
permission.
C
C
You
leave
a
sign,
the
mechanics
of
of
expressing
the
authorization
choice
and
say
somebody
built
an
authorizer
that
can
do
this.
What
I'm,
trying
to
figure
out
is,
is
whether
the
minimum
amount
of
design
that
we
have
is
simply
a
a.
What,
if
we
asked,
does
the
user
have
permission
to
send
any
of
these
labels
and
we
just
list
them
all.
C
It
will
be
extremely
expensive
with
the
with
a
Web
book
API
today,
because
you
would,
you
know,
list
every
every
label
on
every
request,
but
conceptually
would
it
give
us
what
we
wanted
and
then,
if
we
built
a
a
mass
authorization
check
where
you
you
have
like
a
slice
and
you
just
issue
the
slice,
would
it
do?
C
B
I
think
that
would
work.
It
would
only
be
as
expensive
as
the
number
of
labels
with
values
that
are
changing.
B
A
C
B
So,
honestly,
if
I
had
that
problem,
I
think
a
more
natural
way
of
solving
it
is
with
a.
C
Would
be
more
natural
in
terms
of
if
you
were
expressing
policy
for
it
versus
in
terms
of
of
implementing
how
at
what
layer?
We
would
ask
for
the
request
where
the
policy
would
be
written.
For
instance,
the
thing
I
just
described
that
policy
would
not
be
written
into
the
schema
of
the
label
right,
because
the
idea
is
right.
The
king
of
the
label
is
immutable
for
every
custom
resource
using
it
right
and
that
that
may
not
be
appropriate
for
what
we
have
actually
created.
Yeah.
B
Yeah-
and
you
also,
you
also
need
the
the
the
parameterized
permission
to
not
be
to
not
like
be
recursively,
inheriting
from
the
non-parametized
permission
right
in
your
in
your
condition,
you
don't
want
a
general
permission
to
write
labels
to
imply
that
you
have
a
permission
to
write
a
specific
label.
C
Yeah,
that
is
true,
and
there
was
there-
was
one
permissions
model
that
we
we
did
explore.
That
would
have
allowed
that.
C
But
I
will
admit
that
that
was
that
was
very
difficult
to
understand.
The
first
cut
of
our
back
hat.
B
Yeah,
let's
see
while
phrasing
it
in
yeah,
I,
I
I
think
I
have
to
think
about
how
to
actually
do.
B
So
the
the
problem
is
to
describe
like
the
problem
is
to
fail
to
say
yes
for
specific
labels,
while
saying
yes
for
an
unbounded
unspecified
set
of
labels
and.
C
B
You
have
to,
and
you
have
to
like,
also
not
give
all
the
enclosing
permissions.
Okay,.
D
So
I
try
to
parse
the
problem
that
we're
talking
about
to
me.
I
think
labels
and
annotations.
If
you
step
back
and
think
of
them
as
like,
distinct
kubernetes
objects.
What
we're
basically
saying
is
hey
I
want
the
ability
to
at
any
time
retroactively,
say
something
inside
of
this
object
is
now
special
I.
Think,
that's
basically
what
you're
asking
for
right,
which
is
that
hey
it
doesn't
matter
that
the
top
level
field
says
you
can
have
anything
in
labels.
C
D
Right,
I
think
that
the
I
think
the
retroactive
part
of
that
is
the
fact
that
you
can't
there's
no
way
for
you
to
actually
go
far
back
enough
because
you
don't
control
the
schema.
Okay,
like
you,
can't
actually
go
far
enough
to
be
at
the
beginning
of
time,
because
we,
the
kubernetes
Developers,
start
the
time
already
before
you
see
the
code,
basically
yeah,
okay,.
B
Mo,
you've
actually
made
me
think
of
an
alternative
system
for
describing
these
things
like
like.
If
we
figured
that
okay,
basically,
a
label
is
an
object.
What
if
we
made
the
request
where
what,
if
we
made
the
permission,
request
substituting
the
labels
key
for
the
object's
name
and
like
the
object's
kind
becomes
label,
then
it's
easier
to
see
how
you
would
configure
such
a
thing
and
your
system
I.
Don't
think
that
it
would
be
easier
to
understand,
though
foreign.
C
C
Come
up
with
some
examples,
the
the
node,
the
node
selector
one
definitely
occurs
to
me
because
it's
it's
a
spot
where
effectively,
you
know
created
something
highlighted.
There's
there
is
it's
a
spot
where,
for
instance,
the
namespace
API
different
sigs
have
not
been
able
to
add
fields
to
it,
but
they
have
added
meanings
for
labels
that
are
then
used
in
admission
and
the
you
know
the
off
Sig
has
done
this
for
pod
security
admission,
for
instance.
It's
the
basis
of
how
that
works.
C
B
Yeah,
so
I
I
think
you
can
actually
do
the
thing
you
described
with
the
with
this,
as
as
written
you
just
have
to
like
not
give
anybody
the
the
enclosing
permissions
and
like
list
out
the
permissions
for
every
label
separately.
C
B
B
If
your
mission
system
can
do
it,
you
can
do
it
with
this
I
think
if
we're
gonna
promise
something
like
that,
we
need
to
make
a
a
checker
or
a
like
a
verification
system
to
like
for
a
given
actor
like
do
the
check
and
tell
you
whether
or
not
they
actually
have
the
ability
to
set
a
label
or
not,
because
it's
too
hard
to
configure
and
be
sure
that
you've
configured
what
you
think
you've
configured
mo
one
more
thing
and
then
I
think
we're
out
of
time
is.
D
The
like
on,
like
David's,
like
you,
cannot
set
the
security.openshift.io
thing
like
is:
is
there
a
way
we
could
express
that
that
basically
made
it
that
you
would
have
to
somehow
I
guess
it
doesn't
work,
because
I
think
you'd
have
to
enumerate
everything
somehow
up
front
and
it
is
intractable
to
start
that
way.
B
All
right
seems
like
we'll
be
having
a
follow-up.
Maybe
maybe
we'll
continue
this
in
sagoth.
Is
it
next
week
or
three
weeks
from
now,
I'm,
not
sure
November.
B
Yeah
so
I
think
that's
three
weeks
from
now.
So
we've
got
lots
of
time
to
get
ready
all
right.
A
Very
good
yeah,
we
are
at
time
there
is
keep
going
next
week
and
we
have
a
deep
that
session
and
then
it's
going
to
be
public.
You
can
watch
it
I
think
some
people
hearing
the
call
are
going
to
be
present.
I
know,
Joe
is
going
to
be
there
and
some
others
so
have
a
good
coupon.
If
you're
going
and
we'll
see
you
next
time.
Thank
you.
Everybody
bye.