From YouTube: Kubernetes SIG API Machinery - 20231214
A
And we are on. Hello and welcome, everybody. Good morning, good evening, good afternoon, depending on where you are.
B
B
A
The year went by in a blink. This is the last meeting of the year because we are going to cancel the next one. Next one is going to be in January, and we have a nice agenda for today. So I think we shall start with Mo, yeah, and I will leave it to you.
C
Yeah, do you mind opening the links?
D
A
C
C
Doing, like, writing the docs and stuff for this, there were some issues noted, which are tracked in, I think, the second tab.
E
C
You opened, all right. Oh no, actually that's my PR. One of them is an issue. The issue is the one, yeah, this one right here from Tim. So one is the label key is not maybe the most best key we could have used. Arguably, we also did not have the wiring of the code correct so that it would actually work for aggregated API servers. We just flat out had it in the wrong spot.
C
So all of our tests passed because our tests were testing the kube API server, and that was all great, and Andrew added a bunch of extra tests. So we were really confident that we had got a working feature, and technically it works for one specific component in its configuration, but also in the process of trying to fix it.
C
The value that we associated with the key doesn't necessarily make sense in the general context, because it's like kube-apiserver, or something like that. So that's confusing, and, like, during the PR to try to fix this, you know, Andrew was like, "Hey, why is the GC still inside the kube API server?"
C
You know, I have some vague reasons for why I want the GC in one spot or the other, but it really sort of comes down to the question of how do we want, like, RBAC for, like, aggregated API servers to be configured, as in what do they have access to, and how does that get set up?
C
And that leads into questions of, like, what namespace do these things go in? What are the keys and values we use for this stuff? If they're dynamic, how does something like the storage version migrator find the identities that it needs to find, etc.? Or maybe, you know, just a general component wanting to know the identities that are supposed to be present. I think that's the open questions. Andrew, did I miss anything?
C
Okay, yeah, so I wanted to bring this up and see what feedback folks
D
G
Yeah, I'll go easy stuff first. I think that, in terms of the key value, which is currently API server, it would be fairly easy to say that cleanup is based on the presence of the label, and the value just decides which particular server it is. So if we want to allow some other API server to set a different value, I think we can actually be backwards compatible, even if we allow them to set another value.
G
C
So the garbage collector would change from looking for key equals value to, like, whatever the syntax is for key present, exists.
C
That, so, okay, yeah, I could see that. So whatever value we pick for the kube API server we would keep, but maybe in the code that wouldn't actually be the default. It would actually be, like, something that the kube API server is overriding to its string, with, like, the default might be, I don't know, generic API server or something. I think that would
G
Be, that would be plausible. So then, moving up in difficulty, the permissions. I like the idea of describing a cluster role that will do what we want if possible, but one thing I'm unsure of is whether we want to allow or even perhaps recommend that another API server use a different namespace to store their lease, and I
G
think Daniel was likely to have a much stronger opinion here than I do, maybe Tim as well, where they would say, I don't want to grant access to, I don't know what namespace we put it in, we put it in kube-system, but I don't want to grant access to that namespace, to leases in that namespace, to other people's API servers. And if that's something that you feel strongly about, then we're going to want to figure out where to tell people to create them.
F
I personally don't care, but I do suspect that if we let everybody write their leases to the same spot, I will eventually get complaints from someone that some end user is hogging all the bandwidth and/or all of the concurrency in the kube-system.
G
H
G
You could, you know, you would either have to be specific about the names or they'd be allowed to modify the kube API server's lease.
F
F
Don't we, oh, I thought the deal was requiring people to have different host names for the given component, right? Oh, you're saying two different kinds of aggregated API servers on the same host, yeah.
F
F
F
E
F
Change our, like, we're going to put this name in the label, or the value of this label, right? So if we're going to put that on, then maybe we can change this to also go into either the hash or the prefix of the name.
G
I'd be okay with that. And you're not worried about someone misusing their permission to modify leases to go and just start, I don't know, deleting kube API server leases or updating them in such a way that it destroys the kube API server lease?
F
I'm slightly worried about that. I think it's a more reasonable mistake to just overwhelm the concurrency in that priority level and starve out legitimate traffic, right? Like, in theory, priority and fairness fixes this, but we probably shouldn't encourage people to make priority fairness work hard. Okay, but yeah, I guess that means that the garbage collector is going to have to look in more than one place, like more than one namespace.
G
G
F
Yeah, that tells me, if there's much risk of needing this, then we should probably segregate these leases from the beginning, and I think there's at least like a five percent chance that somebody will need this desperately. Okay.
C
I was gonna ask on the segregation bit: does it make the problem any better if we didn't use kube-system, if we just made a namespace that, its entire purpose was for these identity leases? Or are we still, is the concern that we want to guarantee that, like, for example, the kube API server identity leases can't be mucked with by people we don't expect? I
C
C
Your aggregated API server, because that's totally valid to not. Okay, so you make, you opt in, and the namespace you specify, you better have RBAC for it, because otherwise it's not going to work out so well.
F
Yeah, but I think a lot of other projects, like the sort of project that is making an aggregated API server, is often already making some sort of, you know, project-name-system namespace. Like, I'm aware of istio-system out in the wild and other various things like that. So I don't think that's too much of an ask.
F
C
F
When I was arguing that it should go into kube API server, I hadn't thought that aggregated API servers about the same thing, I think. Originally we had it in controller manager.
F
I'm conflicted. I guess it seems like controller manager is a more general place.
F
However, it also seems like this should, like, API servers should be able to, like, know who it is without, like, if your controller manager is having a problem or not running or something, I don't know that we'd want that to impact API server knowing, people, what each instance is called. So I guess I'd still vote for having that in API server. I don't know how David feels about that. I don't know, it's a little weird either way. I
G
I think the most critical choice is how we identify it, which, if we agree on multiple namespaces, and then we agree that for permissions we're going to create a cluster role that somebody can bind into their namespace if they need to, then I think that takes us to the next spot of: there was one of these issues opened by someone who said you have an unregistered name, and it's not prefixed right.
F
F
G
F
Okay, yeah. This also, like, means that if some aggregated API server is doing a lot of churning these leases for some reason, you're not stressing out the garbage collector and the main API server, which seems okay, I guess, so.
C
G
Ahead. I think they get what they deserve. It would be hard to come up with a case where they were running and had explicitly disabled the garbage collection and we should feel sorry for them, because leases are namespaced, so when they go and delete the whole thing, everything gets cleaned up anyway.
C
Yeah, I guess, by moving it into a, like, making it opt-in and then moving it into a per-API-server namespace makes it so that, like, you're much less likely to leave any garbage around, because you're not using a shared namespace anymore, you're using your own. At least delete the namespace, at least delete the namespace on the API service, and that should actually handle most of the stuff you could have done wrong.
C
Namespace makes the RBAC story much easier, which is just make a new cluster role and tell people to bind it. GC is pretty straightforward, especially if it's per
G
And I feel kind of bad about that, because I think I helped author the best practice.
C
Yeah, no, I mean, I feel bad about it, because we should have looked at it more closely. Like, we spent a lot of time discussing how to make leases be, like, really nice and good, and, like, how we were going to hash things. But we forgot, I think, to, like, actually look at the value associated with the constant, yeah, yeah.
G
Oops, yeah. So I'm inclined to try to fix this, even though it is beta. I think this would be one where I would say, over time we become backwards incompatible, and I just tell people I'm really sorry. What, yeah.
H
I left the proposal, like, at the bottom of this issue on how we should go about changing it. Like, I think the real concern is just the compatibility with the label, like when you have a new API server that's using a different constant. I think we just have to account for the fact that the new GC controller has to just look for leases with both selectors, and I think that
H
C
Yeah, so this GC controller will actually, at least transiently, then live in, like, two separate places. Like, it'll live in, or not necessarily live, but it'll be invoked in two separate places for the kube API server: once generically for, like, the new key and value, but once, like, explicitly with, like, the old key and value, saying, "No, no, you need to go find these and nuke them, because nothing is updating them anymore, and we need you to sit there and do this."
G
I think it's apiserver.kubernetes.io/identity, components.
C
D
C
D
Okay, cool, thank you David and Daniel for the discussion, and I think we can talk. Let Tim and Igor go for it for the next stuff; they're here. Thank you.
J
Yeah, so we pushed a PR for the KEP yesterday. We've been doing a little back and forth on it. It's exclusion for webhooks again, except now we're following the pattern of validating admission policy and including it on the validating webhook configuration object, so basically we're allowing those to also have exclusion. Is the proposal similar to how validating admission policy does?
J
J
We were talking about the validating admission policy as well, and we spoke to Joe, who was a primary author there, about how one modification we make is to the named rule with operation, which is that exclusion object. We're adding a namespace there, so validating admission policy will also get that, just to allow for more specificity for the user. So that kind of will help with, one, anytime a user wants to be more specific with the holes they're poking, and kind of like they're
J
Maybe they have, like, a catch-all they want to poke some holes into. It'll help with that, it'll just make it more expressive and easy for a user to exclude things. And then the other benefit is we can use it with validating admission policies to kind of suggest, hey, like, as a cluster operator now I can suggest to a user, hey, this is probably stuff you want to exclude, and it's transparent to them.
A
G
J
Yeah, so, for example, with, like, the namespace selector, you may want to, it just allows you to be more specific, right? So you can tie the other selections, like a specific resource name, to that namespace, whereas the global namespace selector is more global. So, like, you couldn't say, I want all pods in, I want to watch everything, including most pods in kube-system, except if there's a pod in kube-system called CoreDNS, I want to ignore that one specifically, for example.
E
F
In general, sorry to drop the queue, I think in general what this lets you do, like, exclusion rules make the wildcards useful, because it may not be safe to use a wildcard, for either you're getting a type that you don't want, or a specific pod that you don't want, or a specific type that you don't want.
F
I think I said that twice. So an exclude rule lets you, like, the deal is when you want all things of some, reading some rule, except something else. Like, you don't want to be adding a list of names for every pod, right? You want to use star for the name and exclude the specific thing you don't want.
F
G
What, the example that was just given for pods in a namespace, I think that could be achieved with a configuration that listed, I want to look at all namespaces using not in, so I can match namespaces with the name not in kube-system.
G
F
So I personally think a better example is when you want to watch, like, say you're a garbage collector or something like that, and you want to watch all resource types, including types you don't know about at the time when you're writing your webhook. But you know, for example, you don't want to watch leases. Today there's no way to write that, right? There's no reasonable way to write that right now. I think that's a better example.
F
Yes, I don't know, it is a different spot. I don't know if we want to litigate exclusion rules on each aspect of this separately, I
F
G
Yeah, so I clicked through this KEP this morning, or just before this meeting, and I noticed there wasn't an alternative section that said this is the additional power that is granted here. I think those uses are going to be really useful, and I will find that. Tim, go, he's been very, very patient.
I
I
G
It only about the namespaces, and any object name is usually something that the resource owner himself, like the person who's creating the instance, they can just choose whatever name they want. So it's like an opt-in validation when you get down to that level.
I
Yeah, so from a security perspective, I wouldn't want to, I wouldn't want to exclude things based on labels.
I
If we could scope that to a specific namespace, to say, like, only exclude things in this namespace that have this label, that might be more tolerable. But right now the namespace selector and object selector are, let's see, if you're using a negative namespace selector and a negative object selector, it would be the union of things that match those, or the intersection.
K
G
Little bit, right, but I'm also drilling down on the, like, what's the really of a match on object name when you know that a user can choose whatever object name they desire? And so, like, it's like an opt-in: do you want to opt into having this admission plug-in touch it? Even if it's negative selection. We actually explicitly said that on the object selector when we built it, that this can't be used for security. This is a user option to being checked.
F
So the general form of your concern is, like, if you mention a specific object name, the user controls that, and they can control it in some random namespace, all right. If it was just a specific namespace, then, like, there could only be one part of that name, but across namespaces it effectively gives people a way to get out of the policy.
G
F
Come up several times before. I'm quite certain that it is reasonable for people to do this because, like, for example, our own garbage collector does something like this, watching everything except for, like, events, right? There's more than events, but it watches everything except for a few things.
K
Even for stuff that you can do today, I think there's a lot of, like, cluster operation benefit to be able to explicitly list out your excludes and know that you're never going to hit those objects. So, like, if I was a cluster administrator and I was letting other people put in, you know, admission rules, I would feel a lot safer if we had already established a good set of exclusion rules that go on every webhook, and then I just made sure that they were always present.
F
Yeah, let's see, yeah.
B
Yeah, I have the continuation of that and similar question. I came here because this is quite a common problem for nodes becoming unreliable: somebody has a bad webhook. And I was curious if this KEP may help somehow to make it universal, to apply the same exclusion for every webhook. So I would like, maybe there is a webhook that checks the old webhooks and, like, modifies them, adding this exclusion to everything, or perhaps some global rules that will apply to, I think, everything somehow, so.
K
G
I guess I'm still interested in what additional power that is, right? Like, I can write a label selector that says not in, and I'm not clear on, and this is where an example I think could really help, where it's, is this additional power, is this syntactic gravy, is, how much syntactic is
F
It is, I think it is not additional power. The benefit is that you can mechanically modify the webhook configuration object to get this negative selection rule in, in a way that is difficult or impossible, but, right, if a user is already using the namespace selector feature, and you want to modify it to make sure that they're not selecting certain things, you have to combine the, like, cluster or platform admin's preferences with the end user's preferences, and that's difficult to do programmatically.
G
If you have one already defined, I'm going to add a stanza, because they're always ANDed, and my stanza is going to be select on this key with an operator that is not in with these values. And so adding it and forcing it is extremely easy, and if I missed, okay, maybe it's easier than I thought it is, but, like, it was made to make this easy, like, that's why it's in the doc, like, Chao added it to the doc.
F
Okay, let's go through the hands. Mo.
C
So, like, two things. One, I think, I don't know if this helps or is it relevant, then, we added a label to, like, all namespaces, right, that includes, like, the name of the namespace as a label, so you can, like, select against them or something, right? We did that, right? That was a thing? Yeah, there's some
F
Special label to help you use a namespace selector to detect the object's name, I think, yeah.
C
Okay, I don't know if that helps here or it was relevant, I was just thinking about it. The question I was trying to understand is, like, so as a platform operator, is the expectation that I would wait for the CEL admission policy stuff to make it to beta and then write a validation rule that basically enforces that you have my currently defined preference, which could change over time, in there?
C
F
Usually, security people want these evaluated both at the front door and in an ongoing capacity. So, yes, you'd have to do both, yeah, I
E
C
Yeah, okay, I mean, I guess that's fine, but so I would have to be careful to make sure that my controller that goes and fixes my webhooks isn't getting broken by my customer's CEL policy that can intercept my controller, because it can intercept my hooks, which is really annoying in this particular case.
C
G
Yeah, for us, it came up, say, for kube API server operator, which runs as a pod on the cluster, which runs in a namespace, and so, if someone adds an admission webhook, it stops the operator which is managing your kube API server from being
G
You say, this is the ones that are violating this rule, this is how you can fix them, and it's a fairly straightforward thing to add.
C
G
Will find a new Faith, that'll be escalating battle, but, like, that's why I'm interested in what the power is. So, like, if it's not going to be object selection, because a user can opt out of object selection, and it's not going to be namespace selection, because it won't have a mechanism for doing it, is it the negative matching on the types?
F
I think Igor was next on the list. I feel like Zoom is changing the order on me. You heard, you wanna, yeah.
J
Maybe I don't understand namespace selectors fully, but I think a good example, at least with my understanding, is, like, say I want to just capture all things everywhere, just asterisk, asterisk, asterisk, and I don't want to exclude, for example, kube-system from all those things. I only want to exclude maybe leases if they're in kube-system, maybe leases that are in kube-system of a certain name.
G
So when you made your webhook configuration, you could make one for leases, and you can make another entry for the other types you want to watch, and the one for leases, you would put a namespace selector on. Sure, right. So, okay, I'm not saying that, like, I'm not saying there's no syntactic sugar here, right, but separating out what is syntactic sugar versus
G
What can you actually not do, sure, I think is useful to explain here, because we are looking at fields that are going to be, I won't say conflicting, we're gonna have fields, if we do this, we're gonna have fields that are interacting with existing fields in a different level in this type, right? Sure, sure.
K
There was also an issue opened by dims and some code where I think EKS had thrown over the wall a PR to add an ability to have excludes on webhooks written into the API server's, like, configuration that loads on startup, and then you wouldn't even see those configurations at runtime. So there was kind of like a management play and desire to have, like, some really hard fixed control over this at that level.
F
F
I
Yeah, a couple different points I want to address. To kind of follow up on Joe's point, I am interested in exploring a way to do this across webhooks, not necessarily compiled or not necessarily statically configured on the API server, but I think there's still some discussion to be had around that. I want to keep that totally separate from this KEP, because I think, regardless of what direction that goes in, this has value on the specific webhooks. To David's questions around what power this adds.
I
Yeah, I'm not convinced that the namespace and name selection on the exclude rules adds anything beyond syntactic sugar with what we have today. I'm not sure about name itself. I think I also have some doubts about how useful name would be in practice, because, like, if you want to exclude some specific pod that's, like, controlled by deployment, that's not going to be particularly useful, I think. Definitely the resource exclusions is something that we don't have any way to do today. I also want to ask, kind of going back to Sergey's point around nodes,
I
If user, requesting user, is something that we would entertain adding to the exclude, adding some sort of exclude rules around. So thinking specifically in the case of nodes, like, can I say that nodes are exempt from webhooks updating pod status?
I
I
G
I
C
I'm trying to remember what my question was. Let's see, on the thing that Tim just said, I was interested in the, I, and that idea, though, I guess, have folks thought about having better support for things that, like, can't be impersonated effectively? Like, anytime you have any exclusion based on identity, then I have to ask you how you plan on defending it from the cluster admin, which is the persona we hand out to people in our managed environments, effectively.
F
I think that's a great question, but it might be pretty significant scope creep for this conversation so far, yeah.
C
Absolutely. I can't remember what the other thing was on my mind. So if I remember, I'll
D
C
F
Hand. So, okay, Joe, is that a stale hand, or do you want to, I'll clear that.
K
F
Perfect. Okay, what are the next steps on this KEP? I think I hadn't seen it until this meeting started, because these were some late-added agenda items, so I think I definitely need to read it. I'm not sure if we have an action item other than that right now. David, do you have an action item? More examples, maybe?
G
I really would like to see what is power versus syntactic sugar, and not just because I want to say no to everything that is syntactic sugar. It's because, looking at it and assessing power versus adding fields here, they're going to be additional selection at another level that we haven't had before, and that are going to have to coexist with the fields that we already have. I think there is a higher bar for considering what we should do with those. The use of subject.
G
G
I think I'm probably against trying to figure out which fields have been modified and listing those as a filter, right, because pod status touches a lot of fields. I don't think I would go as far as to say, like, let's explore adding it so that if you modify a condition we'll allow it, but if you modify the image shots being used, we will not. I don't think I want to go that far. Just thinking through.
J
I
David, that last thing that you mentioned reminded me of the authorization webhook KEP that's still outstanding, which adds the ability to essentially pre-filter requests using CEL rules, which would be an interesting kind of extension to consider for admission webhooks. I'm not sure that we want to necessarily block this effort on something like that, but the ability to say, like, before you even send, you know, before I even do my advanced webhook logic, let me see if this request is relevant to it at all.
G
Where my head was traveling as I was talking, what I've learned about is the review for the API for validating CEL admission was very, well, it's very challenging for me to read through and try to think of the repercussions for and where something can go wrong.
G
I think, based on comments, it was also challenging for Daniel to review and perhaps for Joe to write. I wouldn't encourage you to add it to this KEP, and I'm not confident
E
F
E
F
In the AI, so if I missed one, please add it. And with that, we've got about 10 minutes left. Mo, you wanna talk about the last agenda item?
C
Sure, I can. I think this one's pretty quick. So it was an open issue, which is linked there. The fixes link is about, we apparently, for, I guess, just because we do, we, we
D
C
A new etcd client and connection every time you make a CRD, which is interesting choice of approach, I guess, and this fixes that to not happen, basically. And I did do it without adding a global cache, because I am against global caches because they have caused me an exuberant amount of pain in, like, oh, so I don't want to add more to my life. But yeah, I wanted to get folks' opinion on if, at a general level, this was okay, and then if anyone would be interested in reviewing it. And I see Steve, your hand.
E
Sure, I think my mic may be bad, but I remember there being one client for registry, not necessarily just CRDs. Is that true?
C
Yeah, I don't know exactly what the built-in resources end up being, but before, like, if I run just a regular API server without this change from the head of master, it opens up 60 TCP connections to etcd, approximately, with nothing happening on that API server.
C
And then, if you sit there in a loop and create a bunch of CRDs, and then, you know, wait for them to be established and everything, and, like, just try to use them, it just linearly scales out one to one with every CRD. And after this change you have one, and that's it. It doesn't change. You know, with an asterisk beside the one, because technically you can configure different etcds for different resources, so one or more, but fixed pretty statically.
F
So I'm in favor of not making a ton of etcd clients. Yeah, if you profile an API server, the etcd clients are one thing, but it also makes, like, each etcd client makes its own zap something-or-other logger, which takes up a ton of RAM, and really, do we need 50 of those in memory? Like, I don't think so. So yeah, I'm in favor of doing something like this. I haven't looked at this particular PR, but I
C
E
C
C
Removes, because you don't need that anymore, because there's only one client, so, like, it doesn't matter anymore, yeah. But yeah, is anybody interested in reviewing this? The only thing I really have left, other than cleaning up the commits and maybe adding some code docs, or I'll even try to come up with some kind of integration test that proves that you only have one client and thus stays that way, but otherwise the CI is green and it's
D
K
I can offer to give it a pass. I've worked on the etcd client side before.
F
Great, you can tag me and I can give it a once-over when
B
F
Done. Okay, all right, I think that's everything on the agenda.
A
It is, yes. So reminder, we are going to cancel next meeting. I hope everybody has time to rest and recover, and, you know, celebrate with your loved ones these holidays, and we are going to meet again next year, January 11. Okay, thank