►
From YouTube: SIG-Auth Bi-Weekly Meeting for 20221207
Description
SIG-Auth Bi-Weekly Meeting for 20221207
A
B
Yeah
I
just
wanted
to
have
so
like
the
folks
that
have
been
attending
the
triage
meeting.
We've
just
had
like
a
side
DM
among
ourselves
as
we
discuss
things
and
that
that
doesn't
scale
in
any
useful
manner,
especially
since
slack
doesn't
really
let
you
expand.
Membership
of
that
and
honestly
had
no
need
to
be
private
anyway.
It
was
just
us
talking
about
the
stuff
we
discussed
in
the
meeting,
so
I
just
made
it
an
official
channel.
B
So
that
way,
what
I
plan
on
doing
is
doing
a
bit
more
async
a
triage
like
throughout
my
week
and
then
posting
you
know
whatever
I'm
doing
in
there.
So
that
way
people
can
follow
along
if
they
care,
but
that's
just
just
you
know
trying
to
make
this
stuff
a
little
bit
more
in
the
public
that,
like
people,
know
what
we're
doing,
but
the
triage
meeting
is,
you
know,
is
still
at
the
same
time
it's
on
Mondays
at
9
00
a.m.
Pacific.
C
So
I
think
this
issue.
We
were
triaging
two
weeks
back
and
then
one
was
a
documentation,
update
and
then
I
think
I
also
added
a
comment
about
enforcing
defaults,
but
I
don't
have
my
notes
to
see
why
I
added
that.
But
what
do
you
remember
why
we
added
the
comment
about
enforcing
defaults
for
this
one.
B
I
think
well,
what
we
had
wanted
to
ask
was:
is
there
any
thoughts
or
plans
about
having
a
different
default
behavior
for
PSA,
so
it's
on,
but
when
things
are
unlabeled,
it's
just
wide
open
did
I
think
we
left
that
as
like
a
undefined
like,
probably
not,
but
you
know,
we
didn't
think
commit
one
way
or
the
other
I
I.
Think
part
of
the
rationale
for
asking
the
question
was
you
know
this
is
the
the
Clusters
config
on
this
is
opaque
from
the
outside
right?
B
A
B
A
D
Without
intervention
by
the
cluster
admin,
which
they
can
currently
specify
with
this
config
or
someone
taking
action
via
the
API,
which
they
can
currently
do
by
labeling
a
namespace
or
putting
an
admission
web
hook
in
place
to
label
new
namespaces
I
I,
don't
think
we
can
ever
make
the
like
default
default.
Be
you
upgraded
a
cluster
and
now
unlabeled
stuff
is
not
privileged.
D
D
I.
Don't
know
if
metrics
are
the
right
thing
to
do
for
this,
but
there's
like
other
admission
config
what
admission
plugins
are
even
on
there's
a
question
that
people
ask
sometimes
there's
a
lot
of
API
server
config.
So
if
the
goal
is
to
try
to
understand
like
what
is
effective
in
the
cluster
visibility,
to
that
to
someone
who
has
sufficient
permissions
seems
like
a
good
thing
to
push
on.
E
A
Like
I,
imagine
like
a
config
see
Handler
where
we
expose
more
of
the
file
config.
We
do
already
have
the
command
line
exposed
under
the
debug
handlers,
but
those
would
point
to
some
file
is
that
what
you're
kind
of
talking
about
making
that
file
available
via
some
Confederacy
inspect
the
Handler
and
I
guess
the
other
question
I
have
about
this
is
suppose
a
you
know.
Cluster
administrator
does
actually
want
to
specify
a
namespace.
A
D
A
D
I
commented
on
the
cap.
This
seems
more
like
a
signal
level
thing
like
configuration
or
injection
or
modification
of
PODS
pods
generally
start
with
signode
API
Machinery
might
be
interested
if
the
mechanics
are
admission.
Related
and
auth
might
be
interested
if
there
are
security
applications,
but
I
would
probably
talk
to
Sig
node
first
to
see
if
this
is
a
thing
that
has
interest
and
seems
worth
building
in
I.
F
Think
I
would
see
questions
on
this
like
at
the
time
that
issue
was
written.
I,
don't
think
we
had
very
good,
viable
extension
mechanisms
like
admission
web
hooks,
but
we
do
now
and
so
even
I
kept
with
the
idea
of
an
API
where
you
can
describe
it
or
configure
it
it.
You
may
get
a
response
that
says
the
recommended
way
to
do.
This
would
be
to
create
this
API
and
create
an
admission
web
hook
to
do
it
rather
than
try
to
modify.
E
G
A
H
H
I
A
H
Yeah
there's
one
small
change,
basically
around
a
race
condition.
The
current
cap
is
designed
to
basically
say
give
me,
give
me
the
key
and
then
sign
with
this
key
two-step
process.
If
the
key
rotates
in
between
there's
an
issue
so
now
the
new
interface
would
just
be
here's
this
thing
sign
it
one
step.
A
B
This
one
is,
you
know,
in
line
to
cubelet
keeping
pods
working,
the
API
has
sort
of
described
there
like
I
know,
I
couldn't
run
in
the
environments
that
I
have
to
support,
so
I
I
think
what
I
would
want
from
such
a
feature
is
changes
to
the
design
or
capability
that
sort
of
address.
What
cam
s
V2
tries
to
address
right
by
making
it
so
that
signing
doesn't
always
have
to
call
remote
things
somehow.
B
J
Yeah,
the
motivations
are
largely
the
same
like
as
before.
It's
just
more
just
updated
implementation
and
I
think
like
we
also
have
usage
experience
of
actually
using
the
previously
proposed
cabin
implementation
for
three
years
or
whatever
four
years
almost
and
I
think
like
totally
get
to
know
that,
like
you,
might
not
be
able
to
run
something
like
this,
but
I
think
there
are
use
cases
that
do
that.
Wouldn't.
J
B
Right
no
I
mean
it
comes
down
to
if
the
feature
exists,
I'm
going
to
have
to
implement
it
right,
so
I'm,
I,
I'm,
sort
of
stuck
right,
so
I
I
need
the
API
to
be
expressive
enough
for
me
to
be
able
to
actually
reasonably
implement
it
and
feel
comfortable
right.
That
I
won't
cause
complete
havoc,
I
I.
Think
I
I
do
still
need
a
bit
more
crispness
on,
like
I
think
there
was
some
stuff
about
like
rotation
and
stuff
and
like
around
API
server
restarts
I,
don't
think
does
are
like
significant
motivating
factor.
B
B
J
B
It's
both
it's
both
yeah,
so
I
mean
I.
I
have
no
issue
with
reloading
any
API
server
config
that
can
be
reasonably
reloaded.
So
if
we
wanted
to,
you
know
prevent
that
issue.
We
can.
We
can
just
do
that
so
I
I
think
I'm,
just
trying
to
understand
motivations
that
cannot
be
sort
of
built
on
the
existing
entry
point
right
and
I
think
the
core
one
there
is
well
I.
Just
don't
want
the
private
Keys
sitting
beside
my
API
server.
K
B
In
in
sort
of
trying
to
think
of
ideas
around
this
space,
for
whatever
reason
the
Jose
spec
includes
certificate
support,
so
you
can
technically
technically
you
can
build
chains.
So
you
could.
You
could
have
some
kind
of
hierarchy
where
you
have
short-lived
intermediates
or
something
that
that
is
sort
of
the
Vegas
statement.
I
have
at
this
exact
moment,
but.
I
B
Yeah
I
I
said,
can
be
built.
Okay,
I'm,
not
saying
a
mandate
like
KMS
V2
does
not
mandate
that
the
reference
implementation
will
have
the
capability
of
doing
that.
But
you
get
to
pick
you
you
can
have
every
single
operation
go
call
out
to
your
key
Vault.
If
you
want
that's,
that's
totally
all
right.
It's
more
of
I
need
the
choice
not
to
have
that.
B
Probably
it's
not
so
easy
when
you
can't
throw
away
keys,
it's
not
so
easy
right
and
they
all
have
to
be
synchronized
across
API
servers.
It's
not
like
KMS,
where
the
grpc
API
makes
it
super
trivial
to
have
distinct
key
sets
and
then
use
the
remote
KMS
to
sort
of
break.
Any
inconsistencies
can't
do
that
here,
because
it's
if
I
present
it
present
a
signed
service
account
token
from
API
server.
One
API
server
2
obviously
has
to
be
able
to
verify.
K
J
B
F
C
D
Had
a
couple
questions
I
I
couldn't
tell
if
this
was,
it
was
similar
to
what
Mo
was
talking
about,
like
jobs
can
have
like
lots
of
different
algorithms
and
even
some
sort
of
crazy
things
in
their
signature
stances.
Is
this
proposing
something
that
could
be
so
flexible
that
it
would
start
putting
like
really
really
unusual
or
obscure
things
in
the
signing
stanza
and
are
we?
Can
it
well
I'll?
Stop
there
I
couldn't
I
couldn't
tell.
J
J
Basically,
sending
okay,
here's
the
payload,
yeah
and
I
want
these
bits
signed.
So
the
signer
then
would
need
to
come
up
with
the
header
and
the
signature
right.
And
could
you
introduce
something
crazy
that
does
you
know
some
weird
algorithm?
Yes,
but
the
API
server
would
just
transparently
pass
that
back.
Yeah.
B
A
C
A
A
A
B
M
Yeah,
so
this
came
up
I
guess
you
know,
one
of
the
touch
points
was
from
some
kubecon
conversations
and
the
segment
and
greet
I
think
you
know
we
haven't
been
I.
Guess
we
haven't
presented
in
a
while
or
given
an
update
on
some
of
the
projects,
so
I'm
not
gonna
go
through.
Obviously
this
whole
deck,
but
it's
linked,
but
this
was
a
kubecon
presentation
myself
and
I
have
Robert
and
Jaya
are
also
on
the
call
today.
M
You
know
or
publish
to
some
extent,
for
the
paper
and
for
this
second
item
I'll
talk
about
where
we
are
and
what
we
you
know
need
might
want
to
do
as
next
steps
and
then
we'll
talk
about
some
of
the
future
activities
where
planning
or
proposing
or
being
discussed
so
about
a
year
or
so
ago.
Now
we
published
the
paper
on
kubernetes
policy
management
talked
about
admission
controllers,
it's
something
we
will.
You
know.
M
So
if
there's
any
feedback
any
thoughts
on
what
a
we
do
would
look
like
would
certainly
welcome
those
and
then
the
next
item
here
is
the
policy
report,
crd
so
just
very
quickly.
The
intent
here
was
to
standardize
on
a
custom
resource
that
various
policy
tools,
whether
they're,
you
know
admission
controllers
or
their.
M
Of
different
sorts
could
leverage
and
we
have
created
I'll.
You
know
show
some
of
the
adapters
we
have
done,
and
then
you
know
where
this
has
been
used
and
there's
some
challenges,
of
course,
that
come
up
with
managing
things
like
policy
reports
as
a
CR,
but
various
projects
have
solved
them
in
you
know
different
ways
and
then
there's
also
mapping
from
the
policy
report
to
both.
You
know
those
to
oscow
for
compliance
and
there's
a
tool.
I'll
just
jump
to
this
slide.
M
There's
a
policy
report
tool
which
also
can
run
in
cluster,
which
is
part
of
the
caverno
project,
which
can
provide
a
view
right
so
just
very
quickly.
I
have
this
running
on
my
local
minicube
cluster.
It's
showing
me
all
of
the
policy
reports
in
this
case
from
caverno,
but
could
be
from
any
of
these
engines
right,
it
could
be
from
group.
Bench
could
be
from
Falco.
M
You
know,
KUB
armor
is
also
another
adapter,
and
then
you
know
we're
in
discussions
and
open
to
kind
of
creating
more
adapters
if
needed.
Let
me
pause
there
and
see
if
there's
any
thoughts,
questions
on
these
two
items.
We
have
a
question
on
what
we
do
next
with
the
crd,
because
it's
it's
sitting
in
the
work,
Group,
Policy,
repo
and
I
know
back
when
we
got
approvals
for
that
git
repo.
We
had
discussed
that
the
intent
was
to
prototype
it
and
then
figure
out
where
it
goes
from
there.
M
A
M
Correct
to
various
degrees,
some
of
these
were
you
know,
prototypes
that
you
know
we
initiated
from
within
the
work
group.
Others
have
Incorporated
like
Falco
and
caverno.
Natively
use
these
Coupe
bench,
there's
an
adapter,
so
different
tools
have
taken
different
mechanisms
to
generating
policy
reports
and
then
there's
tools
which
consume
the
policy
reports.
The
last
two
are
consume.
The
policy
report.
A
B
D
D
Yeah
I
mean
I,
don't
know
that
it
needs
to
change.
If
it's
useful,
the
way
it
is,
and
it's
been
able
and
useful
I
think
that's
fine.
If
it
was
going
to
start
getting
like
bundled
with
kubernetes,
then
we'd
probably
want
to
shift
it.
Although
the
more
the
more
Integrations
it
gets,
the
more
painful
it
is
to
shift
so,
but.
A
I
guess
right
now
we
are
still
in
the
working
group
repo
for
this
yeah.
If
we
want
to,
you
know,
have
a
better
process
for
making
an
API
changes
or
if
there
are
issues
with
democratization
of
like
all
the
different.
You
know,
people
that
are
interested.
It
might
be
good
to
move
it
to
its
own
Standalone
Republic,
CRI
API
and
you
know,
adopt
like
the
kept
process
for
proposing
updates.
M
B
M
D
The
the
secret
CSI
driver
comes
to
mind
as
an
API
that
a
lot
of
things
integrated
with
and
ended
up
in
its
own
repo
that
had
other
things
associated
with
it.
But
there
was
some
good
discussion
around
there
about
testing
like
how
do
you
test
a
thing
where
you
have
an
API
and
then
you
have
a
bunch
of
different
Integrations
with
sort
of
externally
controlled
things,
but
so
so
there's
a
little
bit
of
prior
art
there.
Maybe
in
terms
of
an
approach.
M
All
right,
yeah,
we'll
we'll
dig
into
that,
and
then
you
know
it
seems
like
then
the
next
step
would
be
to
propose
a
cap
that
sounds
good
that'll,
be
great
to
have
this
graduate
to
at
least
a
separate
repo,
and
we
can
of
course,
continue
maintaining
it
and
receive
feedback
on
that
all
right.
So
those
were
the
two
projects
we
had.
You
know
more
or
less
completed
I'll.
You
know
let
Robert
and
Jaya
talked
about
some
of
the
new
projects
we're
discussing.
L
Yeah,
just
at
a
high
level
and
I
know
you
guys
have
a
packed
agenda,
so
we
can
keep
this
super
short,
but
you
know
higher
level.
We
we
seem
to
attract
a
lot
of
folks
in
the
community
interested
in
that
more
GRC
perspective
on
policy.
So
you
know
some.
Some
members
have
studied
to
use
the
nomenclature,
big
p
policy
for
kind
of
that
human,
understandable
compliance
policy,
security
policy
and
then
Little
P
policy.
L
L
And
what
would
that
look
like
and
then
how
do
you
manage
both
those
big
p
policies
and
Little
P
config
policies
over
time
and
Jay
I
mean
if
you
want
to
jump
in
and
some
of
the
things
that
you've
seen
in
the
field,
maybe
that
we
could
enrich
that
discussion,
but
that's
kind
of
how
we
do
we
cut
across
several
of
the
sigs.
In
that
respect,
that
you
know
you
can
have
configuration
Little,
P
policy
in
a
number
of
places,
of
course,
in
a
cluster.
N
Yeah
I
think
I
think,
for
what
we
are
trying
to
do
here
is
there
are
so
many
different
personas
involved
right
in
terms
of
taking
making
sure
that
various
controls
for
security,
resiliency
Etc
are
operating
the
best
practices
so,
and
some
of
them
are
more
smes
on
the
technology
itself,
whereas
others
are
more
SMS
on
the
compliance
aspects
right.
The
compliance
standards
like
PCI
stock,
2
Etc.
So
how
do
we
Bridge
the
two
gaps
right
and
then
bring
them
together?
So
that
is
what
we
are
trying
to
do
here.
N
So
what
we
did
last
year.
Is
we
authored
this
policy
management
white
paper?
Now?
What
we
are
saying
is:
okay,
why
do
customers
do
policy
management?
It's
a
means
to
an
end,
and
typically
one
of
the
end
goals
is
Regulatory
Compliance.
So
then,
how
do
we
Bridge
what
we
did
to
standards
such
as
oscal,
that
is
defined
for
compliance
right?
So
so
that
is
kind
of
what
this
item
number
two
is
and
and
again
you
know
we
want
to
apply
the
github's
methodology
there
as
well
and
then.
N
The
first
item
focuses
more
on
governance,
which
is
another
business
goal,
and,
and
governance
could
be
for
operational
governance.
It
could
be
for
Financial
governance
as
well
as
compliance
related
aspects.
So
so
what
we
want
to
do
is
to
kind
of
articulate
how
policy
management
can
be
used
as
a
building
block
to
achieve
governance,
goals
and
best
practices
for
that.
So
that's,
basically
a
white
paper
that
we
are
authoring.
So
those
are
the
two
next
set
of
goals
we
have
for
the
group
foreign.
C
B
So
my
my
desire
is
that
if
you,
if
you
have
sort
of
like
a
a
goofy,
remote
KMS
implementation,
that's
basically
just
a
local
key,
but
you
artificially
introduce
like
a
small
sleep
to
simulate
a
network
call.
If
you
have
such
an
implementation,
that's
using
cam,
sv2,
I
I
would
like
you
to
basically
be
able
to
encrypt
like
a
large
cluster,
and
it
just
kind
of
works.
Just
fine
right,
because
that's
kind
of
the
whole
point
of
KMS
V2
is
that
the
outer
edges
that
cam
sv1
doesn't
work
so
well
on.
B
Those
are
the
things
that
need
to
work
better
here,
right
like
so
like
well,
like
storage,
migration
and
stuff
I.
Think
we'll
be
able
to
test
pretty
well
in,
like
a
integration
test
that
you
know.
Once
we
have
all
the
apis
set
up,
we
can
I
think
we
could
probably
reasonably
test
them
out
working
correctly,
but,
like
the
scale
version
of
this
is
a
little
bit
harder,
but
it's
I.
Okay,.
D
That
makes
sense,
maybe
I
would
suggest
making
it
clear
that
the
point
of
the
E
to
e
test
is
testing
scale
and
behavior,
with
sort
of
the
lag
that
you
would
get
from
a
KMS
yeah.
With
that
clarification.
I
like
this
a
lot
I
was
gonna
suggest
using
integration
tests
as
much
as
possible
for
all
the
functional
aspects.
B
A
O
Did
I
hear
my
name
yep
so
I'm,
so
sorry
that
I
didn't
show
up
last
time.
I
almost
missed
this
time
too,
because
I
was
double
booked,
but
David
bring
me
in
time.
Okay,
you're,
gonna,
open
up
the
cap.
That's
great
I'm,
trying
to
remember
the
state
when
I
last
talked
about
this
cap
in
this
forum,
I
think
it
has
changed
rather
substantially.
Since
then,
let's
see
I'll
say
the
latest
thing
I
did
to
it
is
I
removed.
O
So
the
the
basic
idea
is:
there's
this
stuff,
we're
going
to
add
to
the
schema
and
the
the
stuff
that
we're
adding
to
the
schema
describes
how
you
can
specify
a
special
permission
verb
for
a
given
field
in
the
schema,
and
it
is
somewhat
hierarchical.
So
you
could
give
like
a
particular
permission
verb
to
mean
everything
inside
metadata
and
another
permission
verb
to
mean
everything
inside
metadata.labels
and
another
permission
verb
to
mean
a
specific
label.
Within
metadata.labels
all
right.
So
that's
that's
like
the
the
stuff
that
we
would
add
to
the
schema.
O
Does
that
and
there's
another
aspect,
which
is
whether
a
specific
permission
is
covered
by
enclosing
permissions
or
not?
And
you
need
this
if
you
want
to
be
able
to
add
a
field
which
people
don't
get
right
permission
by
default
and
I
went
ahead
and
and
expanded
the
definition
of
what
what
things
are
uncovered
to
satisfy
David's
criteria.
O
So
now,
if
you
wanted
to,
for
example,
have
a
specific
label
that
only
people
with
a
specific
permission
could
modify,
you
want
to
mark
that
specific
permission
string
is
uncovered
and
then,
when
API
server
is
evaluating,
whether
the
change
can
go
through
it
sees
that
this
is
modifying
a
field
which
has
a
permission,
that's
uncovered,
and
it
has
to
check
to
see
if
that
person
has
that
permission,
let's
see,
did
that
make
any
sense
at
all.
Given
what
people
recall
from
last
time,
we
had
this
discussion.
O
Basically
this
this.
This
satisfies
the
criteria
that
Jordan
and
David
were
asking
for.
As
far
as
I
can
tell,
and
oh,
and
so
the
important
thing
is
that
this,
this
notion
of
what
is
uncovered
and
what
is
covered
has
moved
out
of
the
schema
and
into
some
sort
of
object
in
the
cluster
which
cluster
administrators
can
configure.
O
So
the
important
thing
is
that
this
can
be
chosen
per
cluster
right,
because
we
can't
just
unilaterally
move
things
and
like
make
things
into
uncovered
permission,
even
though
we
would
like
to
because
it
would
break
unknown
amounts
of
users,
and
we
don't
necessarily
know
how
to
make
at
a
corresponding
permission
to
the
with,
like
whatever
authen
system.
Every
cluster
is
using
right.
So
instead
we
at
least
give
the
cluster
administrator
the
ability
to
do
that
right.
O
B
So
I
was
going
to
ask
just
some
high-level
questions.
So
do
you
imagine
this
unconfig
sorry
uncovered
permission
set.
Do
you
imagine
like
a
default
policy
of
these
objects
that
we
provide
going
forward
like,
as
we
add
things
and
realize
that
or
decide
that
those
things
should
not
be
covered
by
default?
I.
O
Believe
that
by
default
we
can,
we
can
place
new
fields
in
in
this
by
default.
I,
don't
see
a
path
for
how
we
kubernetes
could
take
existing
fields
and
put
them
in
the
system,
because
that
would
break
existing
workflows.
You
know,
if
everybody
were
using
our
back,
then
we
could
do
it
right.
We
could
we
could.
We
could
add
a
our
back
permission
at
the
same
time.
We
add
something
to
uncovered
and
then,
like
I
mean
you're
not
actually
more
secure,
because
everybody
that
could
have
done
it
before
could
still
do
it.
B
O
B
O
B
O
B
G
O
That
may
be
an
error.
I
I
may
have
been
trying
to
say
that
you
we
gotta,
we
gotta,
choose
I,
don't
know
if
we
can
well
I
I,
you
know
if
we
can
write
down
anything.
We
want
right,
I,
think
if,
if
label
prefixes
is
what
people
want,
then
we
should
put
that
in
the
verb
it
does
seem
like
prefix
is,
it
seems
like
prefix
is
the
most
logical
thing
to
put
in
the
permission
system.
I
think
David
was
asking
for
a
specific
field.
O
Some
I
forget
what
I
have
it
listed
in
this
somehow
somewhere,
but
it
was
like
if,
if
it's
safe
enough
to
just
use
the
prefix
and
take
and
protect
everything
with
that
prefix,
that
seems
preferable
and
more
useful
to
me.
If
we
absolutely
have
to
do
like
both
prefixes
and
like
specific
labels,
then
we
would
like
right
now,
there's
only
one
slot
to
put
a
permission
for
a
specific
Concept
in
the
in
the
schema
as
as
it's
written
in
the
design.
O
F
F
O
Yeah
that
makes
sense
to
me
I
think
it
would
be
kind
of
weird
to
have
like
the
the
permission
type
system,
change
per
namespace
that
seems
like
it
would
make
it
really
hard
to
reason
about
who's
got
permission
to
do
what,
additionally,
like
not
all
objects,
have
a
name
space.
So
the
what
you
have
to
have
it
like
a
both
a
cluster
and
namespace
scoped
version
of
this
and
I,
don't
know
it
seems
like
it
adds
a
lot
of
opportunity
to
make
mistakes.
O
My
current
suspicion
is
that
the
fine
Green
auth
in
this
cap
could
be
implemented
faster
than
the
the
cell
stuff
can
be
implemented,
and
this
is
certainly
simpler
and
has
fewer
moving
pieces.
I.
Think
there's,
maybe
some
argument
to
be
made
about.
Like
some
things
are
policy,
and
some
things
are
permissions,
and
this
is
a
permission
system
and
cell
is
a
policy
system
where
policy
involves
things
that
are
hard
to
check
in
binaries.
F
O
J
O
C
A
So
I
trust
David
on
I
know
that
we
had
issues
with
that.
We
discussed
operator
lockout.
That
was
a
concern
with
the
initial
our
back
designs
and
also
I
would
be.
It
would
be
nice
to
have
some
bounds
on
the
number
of
subject,
access
reviews
that
were
actually
issuing
intensely
stuff
explode
when
people
start
using
this
feature
yeah
and
other
than
that
I
think
I,
trust,
David
and
Jordan
to
lead
the
review
on
this.
O
F
G
O
Have
if
you
have
the
general
permission
to
modify
metadata.labels
and
but
not
the
specific
or
not
the
permission
to
update
that
resource
type?
It's
going
to
be
at
least
two
checks
to
to
validate
you,
one
that
you're
allowed
to
do,
use
the
granular
permissions
at
all,
and
then
one
that
you
have
that's
a
permission
that
specifically
covers
that
and
if
we
set
up
recursive
permissions
or
like
hierarchical
permissions
like
first
we
check.
Do
you
have
the
general
one,
then
do
you
have
the
metadata
one
then
do
you
have
metadata.labels
right?
A
B
B
A
G
G
Thank
you
for
links.
You
paste
it
below
I'm
a
little
bit
surprised
that
the
ga
will
require
more
features
to
be
added
because
it's
already
in
production,
so
many
places.
So
it's
like
okay,
it's
already
in
production,
everybody
using
it.
Can
we
just
GA
with
documentation
and
then
have
new
features
for
people
who
need
this
new
features
or
those
are
strictly
required.
So
I
mean,
depending
on
the
answer
I'm
like
we
may
find
somebody
to
help
or
may
not
find
somebody
to
help.
Oh,
like
we'll.
D
D
Yeah
I
stuck
those
links
in
I,
I
mean
the
the
feature
works
like
the
apis.
There
is
obviously
in
use.
It
holds
the
information
we
needed
to
hold
and
people
have
successfully
written
approvers
and
designers
against
this
API,
so
I
think
for
what
it
currently
delivers
like
it's
stable
and
it
would
be
fine
to
Market
as
stable.
It's
a
little
bit
weird
to
have
the
cubelet
have
a
feature
that
has
it
requesting
certificates
and
have
no
in
Project
version
or
recommendation
of
how
to
approve
those
things.