From YouTube: Kubernetes SIG API Machinery 20171108
Description
For more information on this public meeting see this page: https://github.com/kubernetes/community/tree/master/sig-api-machinery
A
B
I think most of you have read it already, a sense, the same thing to prove cubed F this morning, there's a pending PR for quite some time, which will be based again, which moves the core types: internal, core types to package, a ice core source or Gaza API groups. It's just a code-level package move and a lot of fix-ups of imports. There's no semantical change in the camera. She knew it was a good name. So it's really mostly syntactical, yeah, and it's maybe green soon and we'll merge.
A
A
C
Would we might given me I think you have to stop sharing so that I can share. Okay, sure. All right, and if things went well, you guys should be seeing a terminal right now. All right, so I'm gonna show the current state of webhook admission as it is in master using an example server and helper library I built to show how the pieces work. So I've just started using HAC local cluster and I am going to install an API server. It happens to be an API server.
C
That is runs an admission webhook. And if you look at how it's deployed, you can see that I have a daemon set that's going to run it, I have a secret with my serving certificates, service account to grant permissions to, and then I have a stanza to register the API and then one stanza to register the external webhook. I've got a little script.
C
Now what we can actually do, because we have made this an API server, is we can actually use kubectl to send an example request for an admission review type and test our admission plug-in. So you can see here, this is an admission review object. It's simulating the creation of a namespace. This is roughly what the actual kube API server would send and it, except this makes painfully obvious some serialization bugs that exist, but they will be updated.
C
C
B
C
C
So that's interesting and that's valuable, shows you how to integrate with the kube API server. But another thing that actually works is working with an extension API server, so I happen to have one from a while back. Not sure how much you guys remember, but there was a project API that showed it was an apple filtered view of namespaces. So there was an API. It said: show me the namespaces that I'm allowed to see. So I am creating a namespace for it and you can see it just. Doesn't it actually does use the custom resource?
C
Doesn't just unconditionally fail? We got RBAC resources for it and then another list for installing. I think I showed it to you last time we did it, so I'm just gonna go ahead and create that and it's gonna make the daemon set that runs my my extension API server, and so, if we take a look at the admission WIPO configuration, you can see that we have a wire to create namespaces, but we also have a wire to create for creates on project requests, and a project request was an endpoint from this. This projects server.
C
So just to refresh your memory about how this works: if you do a kubectl get project as the cluster admin, you see all the namespaces, but if you were to do it as deads, deads isn't allowed to see any projects, and if you add him to, if you give him the view role inside of a particular project and then request again, you can see now you get a result that says that there's a this particular project there, which is corresponds to a namespace.
C
So there is a resource for this server that allows you to create a project request, and so I'm gonna pipe that through sed and create it as deads. Oh. We run afoul of our back it. Never it never fails. So you can see here. I guess makes eliminate. The request is actually coming from the API server running the project API server. The admission webhook knows this and knows that it does not have permission to actually make the request, so the aggregator blocked the request.
C
So, let's see, we have one, yes, good, in history, and so I can create it and let's try that request again. Okay, so I was able to create the project request. And now, when you look, you can see I have another project, but if you're called Ed's is reserved, so if we try to create the project deads, this is the sed giving us up request for des. We get an error telling us that it is reserved, and for these suspicious people we can actually modify that bit of admission configuration to stop doing it or namespaces.
C
And if we then try to run the same command again, we still get from a project request that is not allowed to create a project request, but using the direct namespace degree, because we've now removed that bit of the configuration you're allowed to create the deads namespace directly. So the the configuration that we have here shows that we have something that's easy to install, develop, deploy, test and troubleshoot, and it's secure by default and I can actually show you the amount of user driven code that has to be written.
C
If you want to make one of these, it takes less than a hundred and fifty lines and there's very little glue. You say where you want your resource to be, and then you spend the bulk of your code describing what your admission plug-in actually does and then there's a little bit of admission or initialization work to be able to get a client to make the requests. So.
A
This is, this is really nifty. My only reservation about this is that it creates an entry in the type system for each webhook. I think we need to figure out how to make the aggregator make an entry like like each webhook should be an additional object in the system, not an additional type. Each webhook should be an additional object in the system, not an additional, because you're, basically, the way you've wired it up, which webhook request has to go through the aggregator.
C
Oh, you know that's an easy way to set it up in a portable secure way. Today it keeps it keeps secrets from leaking out into other components. As SIG Auth completes more of its container identity work and in particular, probably the trustworthy jeonse from Mike Denis, I think we'll be able to start wiring pieces directly as Peters yeah.
C
A
D
A
D
D
C
Yeah and so, and so that's a way, if you're concerned about not wanting to leak, say a service account credential through, this is a very easy way to actually configure things to get started. I think for beta, it's completely acceptable to do. I could even see people choosing to do it instead of trying to set up more complicated configurations. There are other things that are possible to do, certainly with with the power we've given people for config, but from a practical I want to see this get started. I want to prove that it works.
C
B
D
A
A
Split it up that we're gonna. First, we have to plumb some. You can big files to a server, because that's where the token or sorts we're gonna come from, so for that a few steps also on this Chau has like half a dozen PRs that are in various states of progress that we'll try to be reviewing very quickly and my API change is I just started working on like actually wiring it through the system.
A
A
The I think we've got enough time left to get everything done. The issue is this: there's gonna be kind of a rebase freight train, so everybody who's got a PR that might be blocked by a rebase like we may want to get together and use, get like its intended and like rebase on top of each other. So but there's less to do when we, when we start getting these PRs in.
A
C
Figured I would go ahead and mention that the that there is generic admission server project that I built that allows you to create easily create an admission webhook server that is also an API server. It's just an easy starting point to do it and I'll be keeping it up to date as we add more pieces like the mutation hooks, yeah I've.
A
D
D
Yeah there's a broken for a graded types and we do the best effort by guessing. So the there was a discussion about what would be like the most impactful couple of changes that would drive us forward to replacing sig or getting the kubectl out. Breaking internal is the hardest of all of those and of the internal printers are the worst, so I briefly passed this bribe, Brian and Jeff and Jordan, and we all kind of had at least somewhat of the same mindset, which would be when we released a new version of kubectl.
D
API implementation has been there for since 1.8. It isn't alpha. It is a fully implemented, so I believe all the types are implemented. We don't have a reflective test, I'm pretty sure we're missing at least one. The implementations are all shared. The implementation is pretty much validated. The work I think on beta is the actual. The API is fairly generic, but we need to firm up some bits and get the just.
D
You know kind of push through on the the bug side to be totally sure that we haven't screwed something up with like how we represent a simple value. I think the concern is structure and the meaning of fields which is very beta e. If we had to, we could like the work, the what the thought would be if kubectl 1.10 can talk to a 1.9 server, that's beta and just works, then kubectl drops all that code, because every version that kubectl supports has that version. I.
C
D
The things that we haven't done like that, that code is still mostly coming because of other factors in kubectl to get at to spot, so at best I think. We also want the garbage collector to use that going to that's another possible. Yet object meta was being proposed to move to beta. We didn't put it in the features list, but object meta.
D
There hasn't been any comment about that has to be in beta for the garbage collector to use it, but I don't think the garbage collector changes we're going to happen in 1.9, but the I mean I agree David with with David's concern, I think it's valid I'm trying to think of. We have to get kubectl out. If we don't do this in 1.9, kubectl's probably not coming out until one.
C
D
C
D
Until 1.9 or 1.10 anyway, so the the pull, the the pool that was going to happen for 1.9 was alpha and alpha an experimental flag you can have. If we want to do this for 1.9, we need to make a decision about whether we're going to go through to get the release stuff updated now and then inject.
A
A
D
It's most of the supporting work is there basically get that go is very, has accumulated, large and large large amounts of cruft. I've been trying to refactor that over the course of this release, the actual change is going to be within we go through when we ask the server through the generic helper, we're gonna pass a different mime type and we're gonna get back a runtime object and we're gonna check to see whether it's a table and a table.
D
D
There's no changes to the printers left. That was all done in 1.8, a lot of mine, so it is the mechanism whereby we pass in like it's kind of the get go is just ugly and sky gets simplified a little bit. That's where the the hardcore it's gonna be is not breaking any of the 8,000 layered things we've done.
D
D
A
A
Since, when the topic of the garbage collector I have seen multiple people who really could could use access to the graph that the garbage collector tracks, so I think that in a future release we certainly want to actually add an API to the garbage collector that lets people query the ownership graph, I think I.
C
Would build that in the other direction, so I agree that a lot of people are interested in the graph and that it's really useful to have, but I think that I would try to approach it from the I want to make use of a pre-existing graphing library of some and then I want the garbage controller to make use of that I. Don't.
A
C
A
F
I was I was actually working on drafting a proposal for this. This is cool Meccans and the first attempt the first pass I was gonna take it was simply proposing the API and that we want to offer up to expose this graph and then possibly having a proof of concept where we just reuse the garbage collection logic and then evaluating, potentially using sed even to do initialization of fields to build out the graph at object storage time, and that's you guys, looking a more generalized graph or a more specific.
A
Works I'm a little scared about adding preconditions in etcd, because right now, all of our objects are logically separate and you may not have there may not be, and in fact there certainly won't be at Etsy the instance which can can keep the you can't do the the reference checking at creation time, because you might need to update two different two or more at different. That's to be instances, no I guess.
C
Yeah, but when I think about a graph right, I think about trying to query a graph. That's the sort of thing that I think I, see, I, see that's weird, and so, if I were gonna create a graph, that would be a really useful thing to have something really useful to except I. Wasn't thinking nearly that advanced I was thinking literally give me the tree of parents.
D
That was, that was my question. We David and I are asking because Dave and I have done three or four different iterations on building out full graph relationships between all the objects in a kube system, and we keep we keep kind of bouncing off the house specific. Do we want to be, but there's a lot of operational challenge is that you just can't represent without getting access to something like a fairly generic graphing, so that.