►
From YouTube: SIG-Auth Bi-Weekly Meeting for 20220622
Description
SIG-Auth Bi-Weekly Meeting for 20220622
A
See
tomorrow,
is
enhancements
freeze
for
week
125.,
so
we're
just
going
to
go
over
some
of
the
open
she
got
kept
so
make
sure
we
get
those
in
so
like
you,
and
I
reviewed
this.
I
think
this
one
is
relatively
fine.
I
just
have
basically
one
open
question,
which
is,
I
know,
david's
not
here,
but
it's
basically.
A
This
is
not.
We
are
proposing
this
to
not
be
part
of
conformance
and
as
such
we
want
to
be
able
to
turn
it
off,
and
I
said
that
turning
it
off
using
the
runtime
config
seems
impractical,
because
you
would
turn
off
the
entire
authentication
group
doesn't
sound
like
a
good
idea
on
any
cluster
you
care
about.
A
B
Yes,
it
was
added
in
120
or
124
124.
Probably
124
is
when
we
said
that
new
beta
apis
would
not
be
on
by
default,
and
part
of
that
was
needing
resource
level
control
over
enablement
and
disablement.
So,
if
they're
not
on
by
default,
then
you
need
to
be
able
to
turn
on
a
particular
api.
I
see
the
comments.
What
version
was
that
on,
because
I'm
pretty
sure
that
capability
was
only
added
in
124.
A
A
Because
your
eyes
will
bleed
yeah,
it
didn't
look
fun
and
I
was
like
I
don't
really
understand
what
this
monster
does,
but,
okay,
so
all
right
so
max.
I
think
we
just
need
to
figure
out
the
syntax
for
exactly
disabling
this
particular
resource.
I
assume
it's
group
and
resource
right,
not
like
version.
It
doesn't
include
also
a
version
now.
It's
group
slash
version,
slash
resource
all
right,
we're
wonderful.
A
To
figure
out
the
incantation-
and
I
think
you
could
probably
drop
the
whole
bit
about
a
validating
web
book-
I
don't
think
we
would
recommend
you
do
that
if,
if
there
is
a
specific
syntax
for
this,
so
I
think
that
was
my
only
open
thing
on
this
one.
Otherwise
I
think.
A
C
I
think
he's
out
this
week,
but
I
I
would
say,
let's
go
over
it
as
well.
Yeah.
A
A
I
think
the
only
question
I
had
about
the
revocation
stuff
is:
if
we
build
some-
or
we
presumably
will
have
to
add
some
code
into
client,
go
for
using
this
resource
and
you
know
having
trust
based
off
of
it.
Would
we
want
to
build
within
that
the
capability
of
looking
at
those
extensions
for
like
the
ocsb,
urls
and
stuff?
A
A
How
was
it
what
you
mean
by
built
in
so
like?
I
think
what
we're
saying
is
that
if
you
want
revocation,
that's
cool
use,
one
of
the
existing
extensions
within
x509
that
lets
you
do
that.
A
C
A
Yeah-
let's
see
other
things
I
had
so
I
I
think
I
generally
like
the
design-
that's
here
now
with
just
having
a
dedicated
feel
for
respect
designer
name
and
just
using
admission
to
enforce
it.
It
is
a
little
bit
strange
to
me
that
it's
optional,
but
I
I
get
why
I
I
think
the
use
case
is
fine,
which
is
just
to
have
ca,
bundles
that
are
not
attached
to
a
specific
signer
in
the
sense
of
those
kubernetes
liner.
A
I
guess
I'd
ask
why
what's
what's
the
concern,
what
you
mean
a
direct
binding
for
our
back
for
system
authenticated,
so
I
I
think
you
had
said
that
you
want
create
pod
to
sort
of
indirectly
give
you
access
to
this
one
of
the
side
effects
of
having
the
name
name
name
of
both
the
object
and
the
sets
within
it
be
just
strings
that
somebody
came
up
with.
Is
that
they're
kind
of
hard
to
discover?
A
So
I
was
just
trying
to
think
of
ways
to
make
it
so
that
one
could
do
that,
and
if
the
information
is
meant
to
be
public
on
the
cluster
itself,
and
if
we
added
like
field
selector
support
for
the
designer
name
like
it
would
it
would
be
really
nice
to
be
able
to
just
be
like
hey,
keep
cto
get.
You
know,
cluster
trust
bundle,
field,
selector
designer
name
that
one
and
you'll
be
like
all
right,
cool.
Here's,
here's
the
stuff
on
this
cluster,
and
I
can
I'm
configuring
my
pods.
I
know
what
to
do.
A
D
A
C
You're
running,
like
a
builder
or
something
where
you
have
maybe
a
bunch
of
tenants
that
are
running
like
builds
in
containers,
for
I
don't
know,
building
a
website
or
running
like
I
guess,
hugo
or
something
in
that
situation.
You
like
you
at
runtime.
You
don't
want
the
tenants
to
have
access
to
the
read
arbitrary
data
about
the
cluster.
C
C
Yeah,
I
guess
you
would
not
auto
mount
the
token
would
be
a
better
approach
there,
but
I
just
think
that
there's
a
distinction
between
like
authorship
and
runtime.
That
is
important.
I
would
not
like
all
authenticated
to
have
access
to
clustered
trust,
bundles.
D
B
We
shouldn't
well,
we
shouldn't
make
default
role
bindings.
If
there's
a
plausible
reason,
people
would
need
to
remove
those.
We
should.
D
A
But
it's
supposed
to
be
exceptional,
because
it's
kind
of
annoying
and
puts
you
in
this
weird
state,
because
your
back
no
longer
gets
reconciled,
which
is
kind
of
against
the
point
of
our
back
reconciliation
in
the
first
place,
would
would
with
a
approach
like
we
took
for
the
oidc
discovery
stuff,
be
more
amicable
where
we
bind
it
to
system
phone
service
accounts.
A
C
I
would
defer
that
until
there's
like
a
real
need
for
it,
because,
like
we
intend
for
service
account-
or
I
guess
things
running
on
the
cluster-
to
consume
this
via
volumes,
I
guess
it
would
be.
A
A
A
Like
I
think
the
api
is
expressed
better
and
is
less
magical
in
the
sense
of
the
name,
isn't
like
weirdly
deterministic,
based
on
some
algorithm
on
the
designer
name,
but
like
like.
I
I'm
trying
to
think
of
like
myself
installing
something
into
a
cluster
using
tooling
and
would
like
to
make
it
somewhat
more
automatic.
Instead
of
having
to
know
magic
strings.
E
Are
you
suggesting
that
there
should
be
like
a
default
like
association
of
your
trust,
anchor
sets
with
signers,
or
something
like
that?
So
I
I
still
just
as
a
user
need
to
specify
the
signer
I
want
and
then
maybe
I
can
override
the
default
if
I
really
want,
but
otherwise
I
just
get
like
what
the
signer
gives
me
or
what
that
association
is.
D
Most
clusters
want
a
default
system.
Authenticated
can
view
these.
It's
not
as
if
you
can't
they're,
not
innumerable
by
just
creating
a
bunch
of
pods
with
you
know,
likely
signer
name,
you
know
creating
pods
with
likely
signer
name
mounts
and
trying
to
figure
out
if
those
exist.
A
B
It's
not
like
they're
blocked
from
creating
a
deployment
where
a
service
account
fetches
it
from
the
api.
They
can
do
that
if
there's
evidence
that
that's
a
generally
useful
thing,
I
think
the
next
step
would
be
to
grant
get
access
on
the
particular
well-known
names
that
we
have
corresponding
to
the
signers,
because
it's
a
lot
easier
for
us
to
reason
about
like
here
are
the
kubernetes
signers.
B
D
D
We
have
docs
on
nearly
every
pod
that
runs
anywhere.
Sane
has
a
the
pot
anti-affinity
right,
that's
just
in
the
docks.
Maybe
we
just
add
this
to
the
using
cluster
role
binding
stocks
to
create
this,
where
cluster
trust,
binding
stocks
create
this
role
binding,
so
that
people
can
actually
list
which
signers
exist.
B
A
A
Okay,
I
think
that's
fine,
I
I
I'm
not
gonna
necessarily
push
on
this
one
too
hard.
I
just
was
I
leaned
towards
making
the
thing
more
useful
from
a
default
standpoint.
A
A
B
A
A
You
must
have
this
extra
permission
to
be
allowed
to
update
that
specific
signer
in
the
in
the
kept
here
was
like,
I
think,
writing
it
out,
like
as
a
full
like
crud
style
echo,
and
I
was
like
I'm
not
sure
why
you
would
do
that.
I
just
said
you
would
you
would
just
use
a
custom
word
like
we
did
for
the
other
thing,
mostly
because
all
the
code
already
exists,
and
so
I
was
trying
to
come
up
with
a
verb
that
described
the
act
of
creating
slash,
updating,
a
a
bundle,
update,
bundle.
A
That's
not
really
a
verb
but
sure
that
that
that
that
could
be
okay.
It
could
be
okay,.
D
A
A
Let's
see
this
one
is
basically
they
have
a
discriminate.
A
field
like
a
one
of
api
in
the
volume
thing,
I'm
like
pretty
sure,
say,
api
machinery
is
all
in
on
discriminators
and
you
need
to
have
a
discriminator,
even
if
you
don't
have
a
thing
right
now
that
needs
a
discriminator.
A
I
think
that
covers
most
of
the
stuff
there
I
think
two
high-level
stuff
I
had
is.
I
don't
think
we
have
a
pr
on
this
and
I
think
we
need
one
because
this
is
like
I
I
have
concerns
around
like
performance
of
this.
This
thing
I
I
don't.
I
don't
fully
understand
exactly
how
much
work
the
cuba
is
going
to
be
doing
to
keep
all
these
up
to
date,
especially
if
you
have
a
large
amount
of
pods
using
it.
A
Yeah,
it
says
that
the
qubit
will
keep
it
up
to
date,
and
I
one
of
the
questions
I
asked
is
all
like:
how
often
does
it
do
that
and
just
in
general
I
don't
there's
like
no
metrics
and
stuff
discussed,
so
I
don't.
I
don't
know
how,
like
an
admin,
would
understand
how
much
cpu
this
is
basically
consuming
across
their
cluster
or
anything
like
that.
A
B
Terms
of
like
visibility
to
performance,
I
mean
config
maps
and
secrets
did
cause
performance
issues
and
the
scalability
team
did
a
fair
amount
of
work
to
try
to
improve
that,
and
even
added
things
like
immutable,
config
maps
and
secrets.
So
you
can
flag
things
that
shouldn't
change
so
that
people
who
hit
specific
problems
could
dig
themselves
out
of
holes
by
markings
as
unchangeable
to
stop
the
cuban
doing
work
on
this.
A
Yeah,
but
so
what
should
we
do
in
our
cpr
for
this?
Because
I
don't,
I
don't
think
we
can
merge
this
without
that
right.
C
Yeah,
I
think,
there's
a
lot
that
still
needs,
so
I
have
not
commented
on
the
kept
about
this
yet,
but
I
think
the
api
is
needs
a
fair
amount
of
work.
I'm
kind
of
confused
by
the
complexity,
specifically
like
multiple
non-default
trust
anchor
sets
in
a
cluster
bundle.
I
don't
understand
why
there's
one
does
anybody
here
know,
or
should
we
wait
for
it
to
hear
for
something
like
that.
C
D
Right,
the
intent
is
that
eventually-
and
this
is
this-
is
very
much
a
google
alt
use
case
first
and
foremost,
the
intent
is
that
eventually,
you
will
be
able
to
say
for
this
bundle
for
this
particular.
You
know
group,
you
use
you
use
this
ca
bundle
for
this
other
group.
You
use
a
different
ca
bundle
where
there
are
multiple
ca.
Bundles
that
are,
there
are
multiple
ca,
bundles
contained
within
one
cluster
trust
bundle
separated
out.
D
I
I
don't
think
that
that's
the
right
approach
to
this
api,
but
that
is
how
how
it
was
explained
to
me.
C
I
think
again,
so
that
is
a
very
opinionated
response
to
this.
I
don't
think
we
can
do
this
question
justice
without
both
sides
right,
I
absolutely
agree
I'll
just
I'll.
Just
for
that
question
I
think
the
other
one
is
the
actually.
I
have
two
more
comments
on
the
api.
The
other
one
is.
This:
has
a
status
with
conditions
similar
apis
for
projected
volumes.
Data
distribution
do
not
have
conditions.
C
I
am
not
sure
about
the
value
of
that.
It
says
the
documentation
says
ready
when
designer
for
the
signer
to
indicate
to
the
cubelet
that
the
cluster
trust
bundle
object
is
up
to
date.
I
don't
get
that
because.
C
When
it
goes
stale,
why
don't?
Why
doesn't
the
signer
just
update,
updated,
not
sure
if
there's
value
in
it
status,
field
here
and
then
I
think
the
final
confusing
point
about
this
api
is
the
actual
trust
anchors
projection
has
files
trust,
ankle,
anchor,
set
file
and
flat
file
types
there's,
and
I
it
I'm
wondering
if
we
can
simplify
this
a
bit.
C
What
we
have
for
other
projected
volume
types.
A
So
certainly
I
think
you
could
you
could
get
rid
of
this
slice
right.
You
could
just
say
that
there
can
only
be
one
because
you
can
have
more
than
one
projection
right.
You
just
add
more
if
you
needed
more
than
one
and
then
this
bit
over
here
is
the
thing:
that's
missing
the
discriminator,
because
the
idea
is
the
reason
for
this
being
included
is
right.
A
Now
it's
just
flat
file,
maybe
someday
we'd,
add
support
for
like
a
java
key
store,
which
I
do
not
recommend,
because
but
whatever
I'm
sure
somebody
can
write
the
code
to
make
a
java
keystore
bingo,
but
yeah
it
is
a
little
bit
flexible
while
we're
picking
on
the
api.
A
A
Oh,
what
do
you
mean
like
the
like
the?
I
can't
remember
the
name,
but
maybe
jordan,
you
remember
like
the
like
the
cluster
hot
signers,
like
we
have
four
of
them
right
that
the
the
csr
controller
does
they
have
specific
designer
names
in
our
api?
So
if
I
was
to
go,
make
a
bundle
and
just
say
hey
by
the
way,
this
kubernetes
signer,
this
is
the
ca
bundle
associated
with
it.
Is
that
okay,
I
don't
think
it's
okay,
because
it
doesn't
really
make
sense.
B
Somehow
I
mean
whatever
mechanism:
is
it
using
this
to
distribute
trust
anchors
for
kubernetes
signers
seems
plausible
to
me
right
when
you
say
like
if
I
were
to
create
an
object?
B
Who
are
you
if
you're
a
cluster
admin,
then
maybe
this
is
how
you're
populating
the
trust
anchor
sets
for
the
kubernetes
signers
like
if
there's
an
authorization
check
around
you
know
permission
to
populate
for
a
particular
designer
name.
Then
I
I
haven't
thought
a
lot
about
it,
but
you
populating
trust
anchors
for
kubernetes
signers
in
these
objects
doesn't
offend
me.
A
So
what
I'm
hearing,
though,
is
probably
what
we
would
ask,
so
this
kept
right
now
does
not
say
anything
about
the
controller
manager,
but
maybe
it
should
maybe
it
should
have
some
mechanism
that
tells
the
controller
manager
hey
you're,
passed
in
the
ca
bundle
for
all
these
things.
I
think
at
least
some
of
them
you,
you
should
go
populate
objects
in
the
api
that
match
it,
because
that's
where
we
expect
people
to
actually
consume
it.
Now
you
have
an
api.
B
We
need
to
be
careful
that
so
the
signer
is
given
a
singular
certificate
to
sign
with
that
doesn't
mean
that
that
is
the
full
bundle,
especially
in
rotation
cases
or
aj
cases.
So
I
I
think
it's
worth
mentioning
and
discussing
like
how
does
this
interact
with
the
kubernetes
signers?
Are
we
going
to
create
objects
that
hold
the
bundles
for
the
community
designers,
which
components
going
to
do
that
how's
it
going
to
do
that?
How
do
we
handle
rotation
cases
like
right
now?
B
The
api
server
is
the
one
who
is
given
the
full
bundle
of
acceptable
client
cas
so
that,
but
that's
not
universal,
like
the
api
server,
isn't
the
one
that's
verifying
all
of
the
certificates
for
all
of
the
kubernetes
designers.
It
knows
about
the
client
cas,
but
that's
about
it,
maybe
not
sure
anyway.
I
I
think
that's
that
should
be
mentioned
and
clarified
and
discussed
and
say
like.
B
A
Good,
so
I
think
what
I'm
hearing,
though,
is,
I
think,
ted
you
had
some
comments.
I
would
ask
you
to
write
those
as
a
comment
in
the
chat.
I
think
mike
you
did
too
and
I'll
take
the
one
about
describing
that
well,
the
built-in
signers
probably
should
should
do
something
with
with
their
own
bundles
and
this
somehow
so,
but
I
think
what
I'm
hearing
is
that
this
is
not
ready
for
125
and
I
think
that's
okay
just
but
do
you
folks
agree
with
that?
C
A
So
I
I'll,
I
think
I
don't
remember.
I
don't
think
this
is
in
the
kept
tracking
sheet
anyway.
So
I
think
that
part
is
okay.
Okay,
is
there
anything
else
folks
want
to
discuss
on
this?
We
have
20
minutes
and
we
still
have
at
least
one
more
thing.
A
A
It's
okay!
Well,
that
is
like
my
biggest
confusion
on
this,
which
is
so
all
right.
So
the
high
level
of
this
proposal
is
to
allow
for
a
fully
structured
configuration
cli
pass
it
with
the
cli
flag
to
the
api
server.
That.
A
So
I
mean
like
this.
One
is
fixable,
I
guess,
but
this
one
is
not.
I
think,
but
but
like
I
feel
like
somewhere
in
here,
david
said
that
they
carried
a
patch
and
openshift
to
make
this
work.
So
now
I'm
like
real
confused.
I'm
like
what
work.
I
don't
think
it
works
at
all
david.
B
Authorizers
seems
reasonable
and
plausible
and
useful
right.
It
seems
like
what
david's
asking
for
which
is.
I
want
to
take
the
you
know,
always
on
first
in
the
chain,
super
user
authorizer
and
move
where
it
happens
in
the
chain.
That
seems
like
a
distinct
feature,
request
thing
with
its
own
considerations,
and
if
we
allowed
that
to
be
movable,
then
it
could
be
ordered
along
with
other
authorizers
in
this.
So
I
I
think
this
is
independent
of
what
david
described
about
subjecting
the
super
user
group
to
web
hook.
Authorization.
A
Okay,
that's
my
10
second
take
on
it,
yeah
no
yeah!
I
I
can.
I
can
see
it.
I
I'm
just
not
sure
I
I
I
think
I'm
just
stuck
on
the.
I
just
don't
think
what
david
is
asking
for
is
technically
feasible
within
an
ecosystem.
A
B
Maybe
I
mean
authorization
runs
before
anything
else
gets
a
crack
at
the
request
and
anything
else
that
is
doing
authorization
checks
would
be
using
like
subject.
Access
review
would
enforce
it
and
things
that
are
using
their
own
authorization.
Logic
maybe
are
already
off
in
the
weeds,
like
we
have
a
hard
time
making
any
sort
of
guarantee
about
things
that
have
built
their
own
isolated
authorization,
checks
right.
A
So
but
like,
for
example,
I
I
have
servers
that
I
have
written
myself
that
are
based
off
of
kids
io,
slash
api
server,
that
delegate
back
to
the
api
server,
but
they,
but
they
are
hard
coded
with
a
check
right
now.
That
says,
if
presented
with
an
identity
in
this
group,
don't
bother
delegating
because
that's
just
a
waste
of
a
network.
B
A
That's
mine
all
right,
I'm
less
sure
what
to
do
with
this
kept
now,
because
david
has
asked
for
this
pretty
explicitly.
So
I'm
not
like
yeah.
Okay,
that's
a
further
conversation
to
have.
A
Yeah,
I
kind
of
remember
one
of
the
things
I
had
well.
One
thing
I
had
asked
for
which
I
believe
is
not
possible,
is
so
right
now,
there's
no
way
to
pre-filter
any
pre-filter,
any
web
hook
from
being
invoked,
but
so
the
reason
I
would
want
this
is.
A
The
ability
so
I
like
to
take
a
very
specific
check,
a
specific
example.
If
jordan,
if
you
remember
how
the
openshift
scopes
authorizer
is
implemented,
it
only
acts
on
requests
that
have
a
particular
extra
field,
because
it
knows
that
the
authentic
the
crew,
the
openshift
off
stack,
was
the
one
that
actually
did
the
authentication
and
not
like
the
kubernetes
code.
A
A
A
As
described
here,
actually
I
think
what's
described
here
basically
says
you
cannot
self-host
the
authorizer,
because
it's
just
not
it's
just
not
safe.
B
Yeah,
that
seems
useful.
I
don't
know
how
strongly
we
should
hold
that
as
a
requirement
for
like
get
being
able
to
define
multiple
web
hooks
and
being
able
to
make
them
struck
like
a
structured
config,
for
it
seems
useful.
The
filtering
aspect
is
a
lot
easier
to
do.
It's
like
possible
to
do
once
you
have
an
actual
config,
so
I
just
don't
have
a
sense
for
how
much
time
or
complexity
that
would
add.
B
I
wouldn't
want
to
delay
the
ability
to
have
multiple
of
them
and
having
like
a
real
config
format,
I
wouldn't
want
to
delay
it
just.
A
A
So,
like
weirdly,
it
still
has
a
cube,
config
path
in
there,
but
also
this
and
this.
So
it's
it's
just
I.
I
think
this
is
a
typo.
I
think
they
meant
to
delete
this
and
forgot
to
delete
it
based
on
some
of
the
comments
I've
seen,
but
the
the
gist
of
what
I
had
asked.
It
is
to
not
continue
to
use
the
cube
config
format
as
a
way
of
specifying
what
the
web
book
is
and
instead
like
specify
the.
A
Yeah
yeah,
I'm
also
not
happy
by
using
that
file
structure.
It
doesn't.
D
A
A
Yeah,
like
that,
that
part's
less
clear
to
me
like
I,
I
honestly
would
rather
just
start
with
like
you
get
exec
off.
So
if
you
want
to
find
you
can
host
a
plugin,
so,
like
no
authors
like
then
at
least
you
get
cert
and
tokens.
If
you
want,
because
your
exec,
odd
plugin
could
literally
be
echo
or
token
if
you
wanted
so
like
technically
it
does,
it
basically
does
all
the
things.
B
Making
someone
shell
out
to
a
command
to
get
a
token
is
abusive.
I.
B
I
don't
I
don't
know
the
reference
cube,
config
files
from
other
structured
config,
like
admission
configuration.
B
Have
a
good
answer
right
off
the
bat
I'm?
Maybe
I'm
not
as
offended
by
referencing
and
keeping
big
as
you
are,
I'm
also
thinking
of
people
who
are
using
webhook
today
and
like
how
how
do
they
get
from
where
they
are
today
to
this
it's
way
easier
if
it's
basically
translating
their
flags
into.
B
Stanza
and
then
copy
pasting
that
stanza
and
tweaking
the
one
thing
they
want
a
different
like
ordering
it
differently.
So
is
it
what
we
would
make
if
we
were
starting
from
scratch
seven
years
ago,
maybe
not,
but
is
it
bad
to
like?
Have
it
be
coherent
with
the
flag
version?
I
don't
know.
B
This
be
a
sensitive
file,
broken,
which
I
don't
want
yeah.
I
like
the
fact
that
the
credential
aspects
are
not
inlined
here,
that's
true!
No,
that's
the
only
specific
thought
I
had
about
that.
A
B
B
Can
take
that
and
take
the
server
stands
and
the
user
stanza
and
dump
them
into
an
in-memory
basically
make
an
mreq
config,
and
then
we
can
use
all
the
same
client,
config
construction
like
it's.
We
just
translate
that
internally.
So
that
saves
us
from
like
a
config
file,
referencing
a
config
file
for
sort
of
simple
cases
where
they
don't
need
to
specify
credentials
and
they
don't
need
to
specify
a
bunch
of
stuff.
I
don't
know
I
like.
I
said,
I'm
not
that
offended
by
basically
just
translating
the
flags
we
have
into
a
snippet.
A
C
B
Don't
feel
qualified
to
judge,
but
I
mean
you've
looked
at
it
more
david's,
looked
at
it
more
david
had
a
short
list
of
things
and
one
of
those
things
I
don't
think
is
you
should
be
addressed
as
part
of
this.
I
don't
know.
Maybe
it's
ready.
C
Mike
what
were
you
saying?
I
I
don't
think
I
heard
I.
I
think
this
was
kind
of
a
late
comer.
I've
not
looked
at
it
13
days
ago,
so
we,
this
wasn't
even
up
last
sig
off.
I
think
this
would
be
a
rush
to
get
in
it
freezes
this
thursday,
it's
tomorrow
tomorrow,
yeah.
A
Yeah
I
mean
I'm
okay,
if
we
just
decide
that
the
runway
is
too
short
because,
like
like
you
know
like
max,
is
kept,
we
talked
about
like
three
different
times
and
then
it
was
basically
just
right.
They
kept
this
one.
We
talked
about
a
very
long
time
ago.
I
think,
but
there's
like
a
many
month
gap
between
a
conversation
and
an
actual
cat.
C
Right,
if
you
think
it's
really
close,
I
can
give
it
a
review
tonight.
A
The
the
cube
config
stuff
makes
me
a
little
unsure,
but
if
you
want
to
look
at
it,
I
guess
what
I'd
ask
is,
if
you
have
time
between
now
and
freeze,
look
at
it.
If
you
feel
that
strongly
enough
to
say
that
you
think
it's
ready,
then
then
we
can
pursue
it.
Otherwise,
I'm
okay,
if
if
it
slips-
and
we
just
take
more
time
on
it,
because
sigoth
has
like
well
seven
kept
being
tracked
right
now
for
125,
so
I
think
we
are
pretty
well
committed.
A
Okay,
cool!
Well,
we
have
like
20
seconds
after
the
meeting,
so
I'm
gonna
say
that's.
That's
the
meaning.
A
All
right,
y'all,
we'll
see
you
in
two
weeks.