►
From YouTube: Kubernetes SIG API Machinery 20221019
Description
[andrewsy] Discuss kube-apiserver identifier format (KEP-1965)
[lavalamp] fine-grained-authz KEP pre-review (follow up from Sep 21 discussion)
[fedebongio] Virtual Session at Kubecon NA - API Machinery deep dive: https://kccncna2022.sched.com/event/182Mo
A
Okay,
it's
recording
and
good
morning,
good
evening
good
afternoon,
depending
where
you
are.
This
is
kubernetes
open
source
Sig
API
Machine
by
weekly
meeting
today
is
October
19th
2022.
We
are
heading
right
into
Q4
of
this
year.
It
flew
by
very
quickly.
We
have
two
great
topics
today
and
I
want
to
thank
the
people
that
helps
us
every
week.
You
know
have
in
every
two
weeks
interesting
things
to
Wisconsin,
so
Andrew
you're,
the
first
one
I
will
give
it
up
to
you
yeah
thanks.
A
So
I
feel
like
there's
like
a
reasonable
prompt
for
that.
Second
being,
if
we're
really
concerned
about
hostname
exposure,
there
are
already
places
where
the
lease
identifier
contains
host
names,
such
as
like
with
leader
election
with
controller
manager
and
Cube
scheduler,
and
that's
the
after
digging
through
a
bunch
of
the
garbage
collection
logic.
It
seems
like
creating
and
requiring
a
garbage
collection
of
leases
for
every
Cube.
A
B
One
second
Mike,
the
the
thing
with
two
API
servers
on
one
system:
I'm,
pretty
sure
that
we
had
at
least
one
person
who
really
wanted
to
do
that
to
the
extent
that
they
added
a
feature
to
let
API
servers
share
the
port.
The
reason
they
wanted
to
do
that
was
that
they
wanted
to
reboot
or,
like
start
one
and
then
stop
the
other
on
us
on
the
same
machine
without
having
a
outage.
B
A
C
B
D
B
C
Awesome
so
so
hang
on
thinking
that,
through
with
KMS
or
or
even
with
storage,
we
think
it
through
with
storage
and
it's
gonna
be
careful
I'm
I'm,
not
confident
that
does
good
things.
I
also
I
also
think
I'm,
probably
okay,
telling
a
person.
If
you
wish
to
Run
Two
at
once.
We
would
expect
you
to
give
them
unique
names,
and
even
if
we
didn't
support
it
as
an
argument,
I
I
would
find
the
setting
spec
hostname
work.
Is
it
pod,
spec,
hostname.
C
So
one
of
the
things
that
I
was
interested
in
related
to
this
is:
are
we
going
to
go
for
graceful,
lease
release
and
I?
Think
we
we
do
not
want
to
delete
our
release
when
we
shut
down.
We
want
to
leave
that
up
to
GC.
We
we
did
settle
on
that.
Then
I
know
I
confused
the
issue
by
bringing
it
up,
but
it
didn't
exist.
The
first
time
we
did
this
cap
and-
and
it
does
exist
now
and
so
I
just
want
to
have
an
explicit
like
we
will
not
gracefully
release
I
I.
B
So
I
I
think
we
should
start
without
graceful
release
and,
if
so,
the
case
in
which
that
would
be
useful.
Like
imagine,
you're
scaling
up
or
down
your
control
plane
by
adding
API
server
replicas,
and
you
know
that
you're
removing
one
and
it's
not
coming
back.
It
could
be
handy
to
just
remove
your
lease
completely
and
instead
of
letting
it
be
garbage
collected.
But
it's
not
that
big
of
a
deal
and
I
think
we
shouldn't
Implement
that
unless,
unless
a
lot
of
people
ask
for
it,.
D
B
B
C
In
terms
of
detecting
this
went
bad
I,
remember
one
of
the
prr
answers
was.
You
will
be
able
to
look
and
see
that
the
Post-Star
hook
did
not
finish,
and
that
seems
valid
to
detect
someone
who
had
a
problem
right.
They
they
had
a
problem,
their
API
server
was,
oh,
you
wouldn't
be
able
to
help
fight.
They
would
both
think
they
had
it.
D
Oh
also,
what's
the
expected
Behavior,
if,
like
an
API
server
crashes,
and
it's
immediately
restarted
by
whatever
Watchdog
is
trying
to
keep
it
up,
should
like
immediately
try
to
hold
like?
Is
it
like,
just
not
cool
that
that
lease
was
technically
lost
for
a
little
bit,
because
the
process
does
withholding
it
got,
killed
somehow
and
well?
I
think
the
point
of.
B
A
C
D
Yeah
I
mean
I
I.
Think
the
human
ergonomics
of
a
fixed
name
are
are
nice.
There
seems
to
be
at
least
you
know
some
quantifiable
benefit
to
just,
let's
not
just
recycle,
a
bunch
of
objects
with
basically
no
op
updates
that
do
actually
change
stuff
and
cause
people
to
care
and
maybe
run
storage
migrations
or
something
and
just
you
know
otherwise,
waste
io
on
the
system
for
no
good
reason.
So
all
that
seems
like
good
reasons.
D
B
D
D
B
I
mean
and
and
right
it
doesn't
have
to
be
the
system
host
name
right.
It
can
be
the
container
the
host
name
reported
by
the
container
API
server's
end,
which
people
can
set
without
too
much
trouble,
even
if
you're,
not
using
qubit
so
like
I,
think
that's
as
reasonable
a
way
as
any
to
set
this
bit
of
information.
C
D
B
Okay,
yeah.
Maybe
we
should
talk
about
that
scenario
a
little
bit
more
because
imagine
somebody's
misconfigured
it
like
they
put
they've
hard-coded,
a
a
host
name
in
their
pod
configuration
and
they
blasted
the
same
pod
configuration
to
all
all
of
their
control,
plane,
nodes
and
so
they've
got
like
three
API
servers
and
they
all
think
they're
called
the
same
thing.
That's
configuration
error,
but
we
probably
it
would
defeat
the
purpose
yeah.
So
so
we
probably
need
to
make
sure
those
things.
Don't
think
that
they're
called
the
same.
D
B
There's
a
present
I
forget
exactly
the
format
of
leases,
but
suppose
you
could
add,
like
I,
don't
know
a
label
or
something
with
a
uuid
and
and
it
would
be
fine
for
that
thing,
to
change
every
time.
It's
just
if
you.
If
API
server,
looks
at
the
lease
and
it
sees
that
it's
got
some
other
UI
uuid,
it
overwrites
it
with
its
currently
generated
one,
and
if
it
keeps
having
to
do
that,
then
we
know
that
we're
fighting
over
the
lease
with
some
other
system
how's
that
that
at
least.
B
C
D
What
if
it
was
like
much
simpler
logic,
which
is
that,
if
you're
doing
an
update
to
fix
that
you
just
increment
a
metric
counter,
and
that's
it
like
you,
you
keep
doing
it,
you
don't
actually
change
your
behavior
at
all.
You
just
say
hey.
This
update
I
did
at
least
part
of
the
reason
I'm
issuing
this
update
to
this
lease
is
because
this
random
uuid
is
different
and
I
increment.
My
metric,
and
if
you
see
this
metric,
going
really
high
up,
you
know
it's
not
working
as
you
expected.
A
B
D
A
D
I
know
I
I
think
that's
I
I'm
not
worried
about
this,
because
I
will
not
make
this
configuration
mistake.
I
am
because
I'm
aware
of
it
so
I'm
not
gonna.
Do
it
I
I'm
more
trying
to
help
others
understand
that
they've
gotten
here
and
so
like
metrics,
you
know
if
you're
looking
you'll
notice,
audit
events,
if
you're
looking
you'll
notice
granted
leases
might
be
Exempted
from
audit
events,
because
they're
noisy.
B
D
A
B
Fairly
against
trying
to
program
that,
in
like
the
original
coordination
mechanism,
the
API
server
used
to
put
its
endpoints
in
the
endpoints
table
was
based
on
everybody
added
their
own
IP.
If
it
wasn't
in
the
list
and
truncated
the
list
to
the
number
that
they
expected
and
basically
everybody
hated
that
system,
and
so
we
went
to
this
like
yeah
I
mean
this.
Is
this
is
kind
of
a
evolution
of
the
desire
to
not
use
that
system
and
have
API
servers
figure
out
how
many
of
them
there
are.
D
Yeah
I
think
the
only
concern
I
have
is,
if
you
were
in
this
misconfigured
State
like
the
encryption
arrest
stuff
might
like.
You
know
you
might
trigger
rotations
earlier
than
you
should,
because
you
think
the
servers
have
converged,
because
you
think
there's
only
one
right
like
one
of
the
things
I
had
in.
At
least
you
know,
some
of
the
alpha
reasoning
was
like,
like
the
the
controller,
that's
gonna
like
kick
off.
D
C
A
C
D
D
D
B
A
C
C
Foreign,
that
way,
you
would
have
something
that
was
persistent,
but
it
would
handle
the
the
restart
case
fairly
gracefully.
It
would
effectively
be
that
second
label,
you
were
talking
about
Daniel
yeah
and
it
would
cause
the
post
start
hope
to
like
delay
indefinitely,
which
would
hit
the
thing
that
Andrew
had
already
said.
You
can
look
at
this
and
say
if
you
don't
go
ready.
This
is
how
you
know
it
why
it
has
happened.
B
D
B
C
You
do
storage
migration,
but
you
don't
need
to
I'm
more
concerned
about
the
KMS
usage
where
I
decide,
I'm
okay,
to
remove
something
and
now
I
can
no
longer
decoup
my
data
yeah
right
so
so,
and
I'm
willing
to
bet
that
the
person
who
wanted
to
do
that
is
Stefan
he's
not
here,
but
he
would
have
wanted
to
do
it
to
reduce
API
server
downtime
during
graceful
release.
Timing.
D
B
A
C
C
B
C
No
there's
two
different
processes.
One
is
one
is
saying
if
this
name,
if
this
lease
name
disappears,
I
have
cleanup
to
do
on
the
storage
version,
and
that
takes
an
hour
for
me
to
decide
to
delete
the
entries
from
the
storage
version.
Okay,
then
we
have
a
separate
piece
that
says:
I
hold
this
lease
as
the
holder
for
X
many
seconds
and.
B
B
A
A
B
C
A
B
Sure
all
right
I
will
open
my
open
it
on
my
screen
too.
So
I
can,
let's
see
so
we
talked
about
this
two
meetings
ago
and
we
talked
about
it
in
the
Sig
auth,
the
meeting
after
that,
and
basically
the
designs.
The
last
time
this
came
around
didn't
didn't
fulfill
a
second
obligation,
which
is
the
ability
to
add
a
new
field
without
including
that
field
in
the
existing
broad
permission
for
rights,
and
so
we've
come
up
with
a
design
that
addresses
that
and
is
slightly
simpler.
B
So
this
is
the
two
modes
yeah,
so
it
becomes
a
part
of
the
API
design
to
describe
what
permission,
if
any,
you
don't
have
to
have
one.
What
permission
goes
with
a
particular
field,
and
this
means
some
implications
for
like
how
you
describe
the
permission.
So
instead
of
let's
see
where's
that
section
instead
of
A
system,
that
I
was
describing
before,
where
the
permission
is
generated
from
the
field
path.
B
Now,
basically,
there's
a
style
guide
for
how
you
set
up
a
permission.
I,
the
one
I
made
up
in
the
cap,
which
is
completely
open
to
change
at
the
moment,
is
the
permission.
Name
has
to
be
a
noun
should
be
in
a
lower
camel
case.
It
should
be
referred
to
like
a
conceptual
attribute,
not
a
field
name
that
helps
you
reuse
the
permission
in
other
contexts.
B
Right,
like
you,
can
imagine
some
permission,
making
sense
for
I,
don't
know
like
both
pod
and
and
like
some
sort
of
networking
thing
or
some
sort
of
storage
thing
right.
So
you
want
to
grant
that
permission
General
generally
over
both
of
those
types
instead
of
generating
an
additional
permission
right
that
the
more
permissions
you
have
the
more
work
it
is
for
system
administrators
to
figure
out
what
is
going
on
and
administer
this
thing
and
the
permission
shouldn't
reference,
all
the
ancestor
Fields
right.
B
B
I
didn't
even
think
about
labels
with
specific
prefixes
as
being
equivalent
to
new
fields
and
since
the
since
the
permission
system
is
now
going
to
be
part
of
the
spec
and
since
the
built-in
the
built-ins,
including
metadata,
are
shipped
with
kubernetes.
There
wouldn't
be
a
way
to
configure
that,
if
that's
important
to
you,
then
we
can
see.
If
maybe
we
can.
C
D
Well
so,
let's
see
I
had
a
few
things,
and
you
know
some
of
this
is
like
really
small,
like
on
some
of
the
implementation
details
anywhere
that
you
had
about
how
like
some
of
the
wiring
would
work.
I
I
think
I
would
want
the
wiring
to
be
written
in
a
way
that,
if
it's
using
something
like
context
to
pass
state
that
it
always
passes
some
State,
and
if
that
state
is
missing,
they
just
hard
fails
as
an
internal
error.
Saying
I,
don't
know
what
checks
I
need
to
make
instead
of
like.
Oh.
B
A
B
D
The
the
on
the
part
about
where
you're
like,
actually
it's
like,
really
it's
actually
almost
on
screen
right
now,
where
it
says,
marking
existing
Fields.
This
way
with
break
existing
clients,
because
you
know
oxy
is
fully
configurable
I.
One
of
the
ideas
that
David
had
shared
last
time
was
basically
retroactively,
adding
that
stuff
to
like
the
bootstrap
rvac
policy
to
then
allow
and
admission.
B
D
My
thought
on
that
was
there's
two
things:
one.
We
could
just
hard
to
require
you
to
start
using
our
back.
So
that's
that
should
just
be
a
thing,
but
fine.
If
you
don't,
if
you
don't
don't
want
to
make
that
strong
assertion,
we
could
we
could
make
it
so
that
when
our
back
is
not
configured,
there's
just
an
a
new
authorizer
at
the
end
of
the
chain
that
takes
those
Legacy
permissions
and
just
allows
them
to
happen.
D
C
C
D
B
Along
those
same
lines,
one
thing
I've
considered
but
haven't
written
into
this
is
like
if
a
system
administrator
does
want
to
go
through
the
trouble
of
locking
something
down
extra
and
that's
no
problem
for
them,
because
they
know
how
their
auth
system
is
configured
and
they
can
just
add
in
the
permissions
to
the
people
who
should
have
it
while
taking
it
away
from
everybody.
That
part
is
easy.
The
problem,
the
thing
that
this
design
doesn't
address
is
that,
like
the
the
schemas
for
the
built-in
types,
are
the
same
for
everybody
and
not
changeable.
C
D
C
Is
the
case
where
you
are
reusing
a
schema
somebody
else
to
find
so
you're
either
reusing
a
pod
spec
or
you
are
reusing,
maybe
meta
V1,
which
is
very
common,
and
you
want
for
your
type,
your
embedded
version
of
meta
V1
to
have
different
rules
and
then
there's
the
third
case
where
you're
a
cluster
administrator.
The
person
who
has
defined
the
schema
did
not
Define
it
as
you
wished.
D
B
So,
okay,
yeah,
let
me
clarify
a
couple
things.
One
is
part
of
the
point
of
putting
this
in
the
schema
is
that
we
will
be
able
to
generate
a
list
of
all
the
permissions
that
there
are
in
the
system
and
you
know
link
back
to
the
types
that
they
apply
to
which
maybe
one
permission
May
apply
in
multiple
places.
Okay,
so
so
that's
that's
one,
the
other.
The
other
other
answer
is
like.
Let
me
be
a
little
bit
clearer
about
how
the
the
deny
system
work
works.
B
It's
not
a
deny
system.
There
is
no
denying
the
the
the
the
two
options
are
either
okay,
so
yeah.
Actually,
let's
just
walk
through
the.
Where
did
I
write
this
the
overall
flow,
which
is
yeah
so
the
first
step,
a
request
comes
into
the
API
server.
The
first
step
is
we
check
the
do
you
have
put
patch
create
you
know?
Do
we
do
you
have
a
mutating
permission?
B
If
you
do,
that's,
that's
the
regular
permission,
we'll
mark
it
as
such
in
the
context
or
whatever
like
Mo
wants,
and
if
you,
if
you
have
that,
we
don't
need
to
check
the
specific
field
permissions,
except
for
the
ones
which
are
marked
as
exceptional
yeah.
That's
that's
step.
Three
I
think
yeah.
If
you
don't
have,
on
the
other
hand,
if
you
don't
have
the
regular
permission,
then
we're
going
to
check
the
granular
permissions
for
everything
that
you
are
attempting
to
change
right.
B
So
it's
like
the
regular
permission
gives
you
you
know
99
of
the
fields
and
for
a
couple
Fields.
There
may
be
yet
another
permission
that
you
need,
but
if
you
don't
even
have
the
regular
permission,
then
you
might
still
be
able
to
make
the
change.
If
you
have,
the
special
permissions
I
feel
like
I,
still
didn't,
explain
that
very
well.
But
hopefully
the
highlighted
bit
on
the
screen
makes
it
clearer
right.
But
at
no
point
are
we
looking
at
what
you
have
and
then
denying
that.
B
B
A
D
D
B
And
in
order
to
help
people
do
that
the
documentation
is
going
to
have
to
make
a
list
of
the
fields,
so
you
change
the
AP
API
type,
so
I.
If
you
make
a
conflicting
field,
you
would
probably
see
in
this
list.
If
it
is
reasonably
organized,
you
would
probably
see
that
you've
made
a
conflicting
permission
if
you
fail
to
add
a
permission
that
makes
sense
in
the
context
of
the
field.
I,
don't
know
that,
there's
anything
that
I
can
do
to
help
you
with
that.
D
B
B
There
I
think
the
build-in
types
are
fine,
because
we
can
generate
them
from
the
docs
and
put
them
in
one
place
in
a
list
and
I
think
humans
are
fairly
good
at
like
looking
at,
like
we
just
don't
Mark
that
file
as
like
generated.
Don't
review,
We
mark
it
as
please
review
the
changes
to
this
file,
even
though
it
is
generated
and
I
think
people
are
going
to
be
relatively
good
at
noticing
that
you've,
you
know,
made
a
duplicate
permission
or
failed
to
use
some
already
existing
permission
Etc
or
have
produced
a
permission.
B
D
The
thought
I
have
in
my
head
I
have
absolutely
no
idea
how
to
apply
to
crds,
but
for
a
built-in
API.
Since
we
do
go
through
the
like
the
Hub
type
Could,
you
actually
Define
the
permission
on
the
Hub
type
and
then
have
it
actually
funneled
back
out
to
the
associated
Fields,
oh
or
Associated
concept.
B
B
That
the
expectation
is
that
we
will
add
these
to
at
least
the
fields
mentioned
in
this
cap,
which
is
mostly
metadata
and
conditions,
and
there's
like
a
couple
of
fields
in
pod,
I
think
mechanically.
We
could
also
do
spec
if
people
think
it
is
going
to
be
generically
useful
to
have
a
permission.
That
means
spec
and
nothing
else.
B
That
that
one's
easy
to
do
mechanically
and
after
that,
like
I
I,
think
that's
enough
to
like
get
this
off
the
ground,
and
if
people
want
to
add
more,
they
can
just
add
them
over
time
and
I.
Think
it's
not
gonna
like
if
you.
If
you
come
up
with
a
use
case,
it
will
no
longer
be
like
a
big
deal
to
do
this.
You
just
add
the
stuff
to
this
to
the
schema
and
check
your
changes
in
and
you're
good
to
go
right.
B
C
B
C
Exploring
what
those
three
cases
mean
and
comparing
it
against
say,
I
can
think
of
a
couple
either
labels
or
annotations.
We
have
on
name
spaces
related
to
scheduling
where
you
can
say
this
is
the
default
node
selector
for
my
namespace
and
you
must
fit
inside
of
it
and
an
update
to
namespace
permission.
Maybe
shouldn't
include
that
and
that's
one
example.
There
are
other
ones
that
are
openshift
specific.
B
C
C
You
leave
a
sign,
the
mechanics
of
of
expressing
the
authorization
choice
and
say
somebody
built
an
authorizer
that
can
do
this.
What
I'm,
trying
to
figure
out
is,
is
whether
the
minimum
amount
of
design
that
we
have
is
simply
a
a.
What,
if
we
asked,
does
the
user
have
permission
to
send
any
of
these
labels
and
we
just
list
them
all.
C
B
B
A
C
C
Would
be
more
natural
in
terms
of
if
you
were
expressing
policy
for
it
versus
in
terms
of
of
implementing
how
at
what
layer?
We
would
ask
for
the
request
where
the
policy
would
be
written.
For
instance,
the
thing
I
just
described
that
policy
would
not
be
written
into
the
schema
of
the
label
right,
because
the
idea
is
right.
The
king
of
the
label
is
immutable
for
every
custom
resource
using
it
right
and
that
that
may
not
be
appropriate
for
what
we
have
actually
created.
Yeah.
C
C
C
D
So
I
try
to
parse
the
problem
that
we're
talking
about
to
me.
I
think
labels
and
annotations.
If
you
step
back
and
think
of
them
as
like,
distinct
kubernetes
objects.
What
we're
basically
saying
is
hey
I
want
the
ability
to
at
any
time
retroactively,
say
something
inside
of
this
object
is
now
special
I.
Think,
that's
basically
what
you're
asking
for
right,
which
is
that
hey
it
doesn't
matter
that
the
top
level
field
says
you
can
have
anything
in
labels.
D
C
D
Right,
I
think
that
the
I
think
the
retroactive
part
of
that
is
the
fact
that
you
can't
there's
no
way
for
you
to
actually
go
far
back
enough
because
you
don't
control
the
schema.
Okay,
like
you,
can't
actually
go
far
enough
to
be
at
the
beginning
of
time,
because
we,
the
kubernetes
Developers,
start
the
time
already
before
you
see
the
code,
basically
yeah,
okay,.
B
Mo,
you've
actually
made
me
think
of
an
alternative
system
for
describing
these
things
like
like.
If
we
figured
that
okay,
basically,
a
label
is
an
object.
What
if
we
made
the
request
where
what,
if
we
made
the
permission,
request
substituting
the
labels
key
for
the
object's
name
and
like
the
object's
kind
becomes
label,
then
it's
easier
to
see
how
you
would
configure
such
a
thing
and
your
system
I.
Don't
think
that
it
would
be
easier
to
understand,
though
foreign.
C
C
Come
up
with
some
examples,
the
the
node,
the
node
selector
one
definitely
occurs
to
me
because
it's
it's
a
spot
where
effectively,
you
know
created
something
highlighted.
There's
there
is
it's
a
spot
where,
for
instance,
the
namespace
API
different
sigs
have
not
been
able
to
add
fields
to
it,
but
they
have
added
meanings
for
labels
that
are
then
used
in
admission
and
the
you
know
the
off
Sig
has
done
this
for
pod
security
admission,
for
instance.
It's
the
basis
of
how
that
works.
C
C
B
A
Very
good
yeah,
we
are
at
time
there
is
keep
going
next
week
and
we
have
a
deep
that
session
and
then
it's
going
to
be
public.
You
can
watch
it
I
think
some
people
hearing
the
call
are
going
to
be
present.
I
know,
Joe
is
going
to
be
there
and
some
others
so
have
a
good
coupon.
If
you're
going
and
we'll
see
you
next
time.
Thank
you.
Everybody
bye.