►
From YouTube: SIG Network Gateway API meeting for 20221219
Description
SIG Network Gateway API meeting for 20221219
A
Okay,
thank
you,
let's
just
redo
that
one
more
time.
So
this
is
a
today
because
of
the
holidays.
We
decided
this
would
be
kind
of
a
town
hall
just
open
floor,
nothing
on
the
agenda
to
start
with,
but
bring
any
agenda
you'd
like
kind
of
meeting,
it's
still
governed
by
the
kubernetes
code
of
conduct.
So
please
just
be
nice
to
one
another,
and
with
that
we
don't
have
an
agenda
to
start
with
so
I'll
just
shrink.
My
diet,
coke
and
people
can
start
talking.
B
So
yeah,
like
honestly,
this
is
the
whole.
The
whole
point
of
this
is
to
yeah,
make
it
so
that
Shane,
Rob
and
I
aren't
monopolizing
this
for
a
change,
but,
like
I,
don't
know
about
anyone
else,
but
I'm
perfectly
capable
of
monopolizing
the
discussion.
If
that's
what
you
want,
but
we
figured,
it
would
also
be
called
to
like
let
anyone
ask
questions
they
want.
They've
always
wanted
to
ask,
but
we're
always
too
busy
talking.
So
let's
give
you
all
a
few
minutes
to
to
figure
out
what
you
want
to
say.
C
D
D
There's
a
policy
to
say
you
know
from
the
cluster
operator
who
normally
owned
the
Gateway.
They
issue
policy
who
can
associate
to
Gateway
and
then
somehow
let
the
HTTP
route
to
you
know.
I
think
we
talk
about
I'm,
just
curious.
Can
you
guys
reiterate
this?
Maybe
the
example,
you
know
I
think
I
was
trying
to
you
know.
This
is
my
question
clear.
D
Yeah
sound
example,
yeah
exactly
you
know,
say,
for
example,
you
don't
want
to
like
get
the
Persona
of
HTTP
route
owner.
You
don't
want
to
you
know.
Sometimes
they
want
to
associate
to
every
single
Gateway.
You
may
want
to
say
Hey,
you
cannot.
You
can
only
associate
to
this.
You
know
for,
for
example,
death.
What
I
was
Gateway
or
you
can
associate
to
these.
You
know
building
Gateway
or
something
like
that.
So.
B
B
So
you
can
say
anything
in
these:
namespaces
can
connect
to
this
Gateway
and
then,
if
someone
tries
to
connect
a
HTTP
route
from
outside
that
gateway,
then
it
has
the
the
it
has
to
fail
so
like
so
from
outside
that
outside
those
set
that
set
of
namespaces.
So
you
can
say
only
allow
billing
things
to
connect
to
the
billing
Gateway
from
the
billing
namespace,
for
example,
and
then
only
HTTP
routes
that
are
that
exist
in
the
billing
namespace
will
be
able
to
connect
to
the
building
Gateway.
B
Sorry,
the
yeah
so
I
think
that
that
that's
probably
one
of
the
that
part
is
sort
of
for
the
routes,
but
for
policy
attachment.
The
policy
attachment
I
think
is
designed
to
have
settings
that
you
may
want
to
configure,
sometimes
on
a
like,
or
that
makes
sense
on
a
per
HTTP
route
basis,
but
you
also
want
to
be
able
to
default
it
or
override
it
at
a
higher
at
a
higher
level
in
the
thing,
so
you
have,
for
example,
you
have
like
you
know.
B
We
couldn't
make
a
timeout
policy,
that's
like
sits
in
the
actual
Gateway
API,
but
so,
for
example,
you
want
a
Envoy
timeout
policy
that
that
lets
you
set
say
nobody
can
set
their
client
time
out
for
their
thing
to
Infinity,
because
this
is
a
shared
proxy
and
you
want
all
clients
to
have
to
time
out.
At
some
point,
you
can't
just
keep
their
connections
held
open
forever.
B
So
a
way
you
could
do
that
is,
have
a
timeout
policy
object
that
has
a
default
and
an
override.
In
this
case
you
would
say
you
know
some
sort
of
override
that
says
you
can't
set
this
value
to
Infinity
and
then,
if
you
attach
that
to
the
gateway,
then
the
part
of
the
contract
for
policy
attachment
is
that
when
you
attach
something
to
a
Gateway,
the
settings
that
will
apply
to
all
HTTP
routes
that
attach
to
that
Gateway.
B
D
B
Yes,
so
there's
there's
only
two
pieces
of
information
that
we
have
in
our
ladder
routes
at
the
moment.
That
is
the
kind,
so
the
group
version
kind
and
the
namespace
so,
like
you
can
say,
HTTP
routes
from
the
billing,
namespace
or
TLS
routes
from
the
billing
namespace
or
both.
But
you
can't
say
TLS
routes
named
something
from
the
village
neighbor.
So
you
can't
like
be
really
specific.
You
can
only
sort
of
do
things
by
the
kind
and
the
namespace
got.
D
B
So
the
HTTP
route
needs
has
a
parent
ref
field,
where
the
HTTP
run
is
to
say
I
want
to
connect
to
these
gateways.
It's
a
list,
so
you
can
have
more
than
one
Gateway.
A
HTTP
figure
out
can
connect
to
more
than
can
attach
to
more
than
one
Gateway,
but
each
of
those
gateways
has
to
allow
that
HTTP
route.
B
Yeah
and
in
fact
the
the
multiple
gateways
thing
is
also
useful
for,
if
you're
say
provisioning,
a
new
Gateway
and
you
want
everything
to
be
available.
You
can
just
connect
all
your
HTTP
routes
to
two
gateways
and
know
that
the
HTTP
routes
are
accessible
on
both
of
those
gateways
and
you
can
shut
one
down
or
remove
it
or
something
like
that.
Sorry
Rob.
You
want
me
to.
E
E
Also
I
I
noticed
that
there
are
some
people,
some
names
I,
don't
recognize
that
well
on
the
call
and
I
I
may
have
I
may
have
I
know
I
arrived
late,
so
sorry,
but
if
this
hasn't
already
been
offered,
if
anyone
is
new
to
the
community-
and
you
know
willing
to
give
just
a
short-
you
know
20
second
introduction
or
longer
about
what
interests
you
in
Gateway
API.
You
are
very
very
welcome
to
do
that,
no
pressure,
but
we
always
like
to
learn
more
about
who's
interested
in
Gateway
API.
And
what
brings
you
here.
F
F
Hey
so
my
name
is
Alejandro
I
used
to
work
for
d2iq,
currently
looking
for
new
rules
interested
in
networking
in
general,
so
I'm
kind
of
interested
in
this
new
project,
the
Kong
has
blicks
I
looked
right,
I
thought
it
was
awesome,
so
I'm
gonna
be
very
trying
to
learn
more
things
about
the
API
Gateway,
the
role-based
stuff.
I.
Think
it's
interesting!
So
that's
why
I'm
here.
A
E
H
Hey
I
guess
I'll
go.
My
name
is
Hamza
I'm
over
at
Ambassador
Labs
working
on
my
Ingress
Emissary
Ingress
and
debate
product
Edge
stack
kind
of
just
been
hanging
around
here,
just
to
see.
What's
going
on
in
Gateway
API
land
I
think
I
briefly
met
Rob
at
kubecon
like
this
Flynn
and
doing
like
that
break
room
session.
So
just
just
just
here
to
see
what's
going
on.
E
I
I
B
I
would
I
I
hesitate
to
correct
you
on
your
first
first
time
out,
but
one
thing
that
is
really
important
is
the
terminology
game
API
game.
Api
implementations
are
generally
API
gateways,
but
Gateway
API
and
API
Gateway
can
be
very,
very
different
things.
So
the
ordering
of
the
words
is
really
important.
I'm,
sorry
to
be
a
stickler
but
I'm,
a
one
of
the
things
you've
probably
learned.
E
H
E
E
E
E
But
then
we
inexplicably
called
it.
Okay,
it
was
service,
apis,
I
think
is
what's
the
name
of
the
project,
but
the
pluralization
got
really
annoying
to
work
with,
and
we
couldn't
just
call
it
service
API,
because
that
was
already
the
Upstream
thing
and
it
was
very
easy
to
confuse
with
kubernetes
service
the
API
as
opposed
to
this
new
thing,
and
the
Gateway
was
kind
of
the
front
end
to
our
set
of
API
naming
is
hard,
I
I
don't
know,
and
we
clearly
have
not
been
great
at
it.
So
apologies,
but.
A
F
J
A
A
That's
our
project
by
the
way,
if,
if
it
wasn't
clear
to
people
it's
a
sub-project
of
Gateway
API
for
doing
service
mesh
with
the
apis,
we
already
have
for
the
most
part.
Gateway
is
not
a
part
of
that
and
not
not
that
it
never
will
be
or
anything.
But
it's
just
it's
more
focused
on
using
the
routes
right
now,
and
so
that
can
be
very
confusing
if
you're
interested.
However,
that
is
a
completely
different
meeting.
There's
that's
usually
on
Tuesdays,
so
please
do
check
out
our
community
page
and
the
calendar.
K
Well
so
my
question
is
like
if
we
don't
trust,
like
the
crd
validation,
so
I
wonder
if
any
implementation
implemented,
like
this
duplication
of
crd
validation,
logic
in
name
control
plane
this,
it
seems
like
also
like
a
heavyweight
thing
like
you
know,
importing
like
crds
in
doing
that.
So
so
I
wonder
if
anyone
actually
is
doing
that
or
they
right
there.
You
write
your
own
liquidation
layer.
E
I
I
feel
like
Nick
and
I
are
about
to
say
the
same
thing
but
okay,
okay,
but
thank
you.
Thank
you
for
raising
this
and
I.
It's
been
on
my
mind
for
a
while,
because
I
I
feel
pretty
strongly
that
we,
if
we
don't
communicate
this
clearly
enough
and
we
haven't,
there
will
be
some
future
vulnerability,
something
something
goes
wrong
in
some
bad
way.
With
some
implementation
that
that
doesn't,
you
know,
read
the
fine
print.
E
B
You're
right
yeah,
so
it's
it's
not
safe
to
use
it
for
like
really
super
secure
things,
because
so
even
for
CID,
validation
and
stuff,
like
that,
you
can
bypass
that
by
doing
Cube,
catalog
life
force
right,
like
you
know,
it's
not
it's
not
a
it's
not
like
a
super
hard
requirement.
It's
there
to
help
you,
but
but
it's
not
a
super
hard
requirement.
So
that's
what
Rob
is
trying
to
say
about
it
can't
be
you
can't
be
relied
on.
B
E
K
E
Good
luck!
It's
it's!
It's
that's
harder
to
replicate
and
I've
been
thinking
for
a
while
and
I
think
Nick
and
one
of
the
more
recent
PRS
we
were
talking
about.
You
had
said
something
like
along
the
lines
of
why
not
make
webhook
validation
kind
of
a
superset
of
so
you're.
You
know
it
covers
everything
crds
we
have
in
our
crd,
spec,
Plus
stuff
that
can't
fit
in
the
crd
spec
that
that
feels
like
it
would
address
this,
but
I
don't
know
Nick.
B
B
I
B
Have
a
default
case:
that's
not
just
Panic
in
go
terms,
but
I.
Think
more
importantly,
the
other
thing
that
I
would
like
to
do
about
this
is
I
want
at
some
point
us
to
have
effectively
conformance
tests
for
for
the
validation
that
invalid
things
will
will
not
be
accepted
in
some
way
either
that
they
get
rejected
when
you
try
and
apply
them,
which
is
the
which
is
what
a
validating
workbook
does
or
they
get
status
updates.
B
B
K
Oh
God,
it
seems,
like
the
recommendations,
still
stays
apply,
so
it's
not
not
trust
and
not
trust
the
input,
and
it's
really
it's
be
great-
to
have
like
a
common
motivation
code
but
I'm
I'm,
I'm
sort
of
you
know.
I
tried
to
like
reproduce
this,
bypassing
validation
and
I.
Couldn't
just
make
it
like.
With
this
the
ways
I
understand
the
validate
force,
the
flag
is
that
just
it
turns
off
the
client-side
validation
and
Cube
CTL,
but
the
sort
of
organization
cannot
be
turned
off
because
it's
like
an
ABS
server.
Okay,.
B
K
K
K
K
E
Think
it
depends
on
how
your
implementation
is
deployed
to
some
implementations
of
the
API
are
deployed
in
the
same
cluster,
and
so
you
assume
that
a
cluster
admin
somebody
who
can
create
a
crd
basically
has
full
control
over
anything.
Your
implementation
of
the
API
can
do
anyways.
Other
implementations
may
be
deployed
somewhere
outside
of
your
cluster
and
may
have
greater
access
to
resources
than
your
your
cluster
itself
has
access
to,
and
in
those
cases
in
particular,
you
have
to
be
very
careful
about
what
inputs,
you
trust
and
so
yeah
yeah.
It's
it's
understanding.
E
D
E
Know
the
line
for
anything
deployed
in
the
cluster
you're,
probably
okay,
but
if,
if
your
implementation
is,
you
know,
can
connect
to
more
things.
Is
you
know
at
risk
of
some
kind
of
confused
Deputy
attack
where
you're
confusing
the
controller
to
Grant
you
access
that
you
shouldn't
have
then
I
would
be
especially
careful.
B
Yeah
I
think
some
of
that
came
from
like
both
Rob
and
I
have
had
experiences
with
Ingress
controllers,
where
it's
pretty
easy
to
do.
Yeah
unless
you're
really
careful
and
you
really
look
at
the
fine
print.
It's
like
it's
actually
really
is
more
straightforward
to
do
some.
Some
really
nasty
confused
wpe
attacks
with
Ingress
controllers.
B
E
B
B
A
E
Maybe
you
know
I'll,
anyone
is
free
to
bring
anything
up,
but
one
of
the
things
I'm
curious
about
just
open
question
to
people
here.
Are
there
things
in
the
API
that
are
either
unnecessarily
confusing
to
you?
You
know
like
I,
I
would
imagine
at
least
some
of
the
people
here
on.
This
call
have
started
to
work
with
this
API
more
recently
than
myself
anyway.
E
G
Can
I
can
I
ask
a
question:
I
I,
don't
know
if
it's
regarding
that,
but
we're
trying
to
figure
out
conformance
tests
like
how
how
do
we
fulfill
that
and
I
just
started
looking
at
the
documentation
on
conformance
tests
and
maybe
I'm
not
reading
it
correctly
and
I
tend
to
miss
a
lot
of
things
when
I
read
it,
but
I,
don't
I,
don't
really
see
kind
of
like
a
template
or
kind
of
like
this.
How
you
do
it.
E
I
E
G
E
A
Yeah,
that's
what
we
okay
like
at
Kong.
That's
what
we
do
for
all
of
our
implementations.
We
just
like.
We
have
a
conformance
test
suite
and
then
it's
literally
just
loading
the
go
code,
like
literally
loading
the
go
tests
and
running
it
on
our
implementation.
You
can
do
that,
but
we
really
do
not
want
to
have
that,
be
the
only
like
the
only
way
that
makes
sense.
A
So
if
you
do
get
in
a
position
where,
like
you
feel
like,
you
need
to
be
able
to
run
it
from
a
non-go
or
just
you
are
go,
but
you
don't
want
to
have
to
run
it
in
that
way.
We
should
probably
smooth
those
edges,
because
people
should
be
able
to
come
in
this
with
any
implementation
that
is
conformant
and
not
have
to
do
go.
Of
course.
A
E
Yeah
and
one
thing
I'd
say,
is
I-
think
there's
a
PR
related
to
this,
but
I
think
many
implementations
of
the
API
kind
of
built
their
own
way
to
skip
tests.
Basically,
you
know
because
there
are
a
lot
of
implementations
of
the
API,
especially
in
the
earlier
days
where
they
were
conformed
with
you
know,
maybe
half
of.
E
Could
pass
half
the
test,
but
they
didn't
want
to
run
the
other
half
because
they
knew
they
hadn't
implemented
this
or
that
or
whatever
I'd
recommend
that
as
a
starting
point,
there's
been
some
work
to
try
and
bring
that
into
the
into
the
conformance
test,
definitions
and
sell.
So
you
don't
have
to
you
know,
do
it
yourself,
but
if
you
are
looking
for
examples,
I
think.
G
We
we
had
another
question.
Someone
asked
regarding
visibility
of
resources
across
implementation,
so
so,
okay,
so
with
the
Gateway
class
that
basically
controls
I,
guess
an
implementation
of
the
Gateway
API
right.
So
I'm
thinking
you
can
theoretically
load
two
or
more
implementations
on
the
same
cluster
like
let's
say
you
load
a
Kong
implementation
or
you
load
and
istio
implementation
on
the
same
cluster.
And
then
it
depends
on
what,
like,
let's
say,
a
gate.
You
create
a
Gateway
resource
and
then
you
reference
in
Gateway
class.
G
So
let's
say
you
get
you
in
your
gateway,
you
reference
the
Kong
Gateway
class
and
that
and
so
then
then,
let's
say
and
then
that
Gateway
would
obviously
choose
the
Kong
implementation
would
say.
Oh
this
is
for
me
now
I'm
gonna,
you
know
provisioned
the
Gateway
resource
and
all
that
stuff
yeah
or
if
the
istio
sees
it.
It
says.
Oh,
this
is
for
me
I'm
gonna,
I'm,
gonna
process
this,
but
but
does
that
get
into
the
problem
where
you
have
different
implementations,
seeing
the
same
object
that
that
may
not
be
for
it,
though,.
A
A
G
G
B
B
Yeah,
so
practically
practically
most
controllers.
A
lot
of
the
time
get
read,
get
read
permissions
on
gateways
everywhere,
right,
like
it
basically
cluster
wide
to
read
permissions
on
gateways.
One
of
the
reasons
for
that
that's
actually
kind
of
okay
is
that
we've
specifically
designed
a
Gateway
so
that
there's
nothing
secret
really
in
the
in
the
Gateway
object.
B
You
know
I
keep
a
list
of
gateway,
gateway,
class
names
and
then,
when
I'm
looking
at
gateways,
if
the
gate,
if
the
Gateway
class
that
references
isn't
one
of
mine,
then
I
just
throw
it
away,
I
drop
it
on
the
floor,
and
so
when
you're
using
controller
runtime
or
something
like
that,
it's
pretty
easy
to
do
that.
You
just
you
when
you
get
a
thing
you
one
of
the
first
checks
you
do
is
to
say.
Is
this
relevant
to
me?
Is
this
in
scope?
B
For
me,
if
not,
you
know
do
nothing,
no
of,
and
that's
the
that's
sort
of
the
usual
way
to
do
this
so
and
like
to
some
extent.
The
same
is
true
for
HTTP,
although
the
the
process
in
that
case
is
more
complicated,
because
you've
got
to
figure
out
if
it
applies
to
a
Gateway
that
you
control
well,
there's
another
step
down
in
the
hierarchy,
but
yeah
it's
a
broadly
similar.
Does
that
make
sense.
G
Yeah
I
mean
it
makes
sense
that
you
have
to
do
that
cross
reference,
the
paragraph
and
then
the
listener
allowed
routes
and
all
that
checks
right,
exactly
I
mean,
but
the
implementer
can
still
like
with
HTTP
route.
You
can
still
kind
of
see
the
path
configuration
right
like
the
yes
yeah,
so
you
can
see
that
a
little
that
might
be
a
little
bit
sensitive,
I
I
can
see
how
the
Gateway
only
references,
the
secret
in
the
namespace,
so
that's
kind
of
hidden.
G
E
Yeah
I
would
say
it's
entirely
possible
to
segment
your
controllers
in
such
a
way
that
you
could
Grant.
You
know
like
Grant
it
access
to
a
subset
of
namespaces
and
then
tell
users
of
that
implementation.
They
can
only
create
resources
in
those
namespaces
I,
don't
know
how
it
really
depends
on
what
you're
putting
in
your
routes
and
how
sensitive
they
are.
A
A
B
B
You
need
the
the
implementation
needs
to
have
very
high
cost
of
wide
privileges.
For
the
for
the
thing
to
fully
work,
you
absolutely
can
make
it
you
can
cut
down
the
rbac.
You
can
give
it
restricted,
R
back,
so
that
only
see
stuff
in
some
namespaces,
but
that
means
it
only
sees
stuff
in
those
namespaces
and
then
anyone
who
wants
to
interact
with
it
has
to
have
access
to
those
namespaces
as
well
right.
B
So
that's
the
trade-off
that
you're
making
by
doing
that,
is
that
you,
but
like
the
fact
that
the
you
know
the
Gateway
API
implementation
is
effectively
part
of
the
system
right
like
it's.
It's
part
of
the
infrastructure
of
the
system
and
you
need
to
treat
it
accordingly
in
the
same
way
that
you
would
like
you
know,
a
mutating
webhook
or
something
like
that,
like
it's
part
of
your
system,
implementation
and
if
anyone
ever
pops
it
like
yeah,
you
like
it's
you're,
going
to
get
the
access
that
it
has.
B
As
for
a
lot
of
people,
the
way
they
want
the
implementation
to
work
is
they
want
people
to
be
able
to
create
gateways
reasonably
arbitrarily
and
they
want
to
be
able
to
have
those
gateways
like
pick
up
TLS
secrets
from
multiple
namespaces
or
like
an
arbitrary
namespace,
in
which
case
your
implementation
needs
to
have
cluster-wide,
read
access
to
gateways
and
cluster-wide
read
access
to
Secrets,
because
you
can't
split
secrets
on
secret
type.
Right:
cluster-wide,
read.
Access
to
Secrets
is
often
like
very
scary
for
people
and
that's
completely
Fair,
because
it
is
very
scary.
B
But
if
you
want
to
get
the
full
sort
of
maximally
dynamic
experience,
there
is
no
other
way
than
doing
cluster
word
access
to
Secrets.
The
only
other
way
to
do
it
is
to
segment
things
off
with
our
back,
and
then
you
need
to
have
the
secrets,
leaving
certain
namespaces
and
only
certain
manage
spaces.
B
Part
of
what
we're
trying
to
do
with
reference
Grant
is
to
make
it
so
that
users
don't
need
to
have
cluster-wide
access
to
secrets
to
be
able
to
use
Secrets,
but
your
implementation
will
need
to
have
Costa
white
access
to
Seekers
to
be
able
to
see
those
secrets
to
be
able
to
read
them
to
be
able
to
configure
them
in
your
underlying
data
plane.
And
so
that's
the
yeah.
B
There's
there's
a
there's
a
bit
of
a
fine
point
there,
but
like
yeah,
I,
think
the
fact
that
this
is
like
Network
Plumbing,
like
means
that
it's
going
to
end
up
with
a
very
high
level
of
access
to
your
system,
like
it's
very
difficult
to
restrict
the
access
too
much.
Without
significantly
impacting
how
Dynamic
your
users,
the
experience
your
users
will
get,
does.
J
On,
like
the
the
perspective,
I
I
mean
I
I,
mostly
work
with
service
providers
like
Communication
service
providers,
and
you
know
they're
targets
of
you
know.
Espionage
right
and
they've
got
a
lot
of
security
concerns,
and
so
you
know
like
and-
and
you
know
like,
if
you,
if
you
ordinarily,
you
would
expect
that
if
you're
implementing
one
set
of
resources
like
a
Gateway
class
for
one
set
of
apps
and
a
different
one
for
a
different
set
of
apps,
but
they
wouldn't
be
able
to
see
what
the
other
side
is
doing.
J
C
K
A
J
J
A
A
That
can
let
you
kind
of
do
this
restriction
so
that
if
that
implementation
became
compromised,
it
would
at
least
not
have
access
to
say
other
name
spaces
than
the
one
for
it,
but
there's
still
obviously
danger
there
even
in
the
name
space,
it's
in
there's
some
I,
don't
know
of
any
implementations
that
necessarily
do
this
today,
but
there's
some
architectural
things
that
you
could
theoretically
do
to
improve
this.
That
I've
actually
actually
thought
about
before,
but
not
implemented.
A
Yet,
where
you
it's
still,
it's
still
not
a
Silver
Bullet
kind
of
situation,
but
if
you
actually
can
make
the
actors
which
are
responsible
for
things
like
Secrets,
a
completely
different
actor
with
a
different
set
of
permissions
and
stuff
like
that
than
the
like
main
controller,
basically
a
micro
service
or
architecture,
as
opposed
to
a
monolithic
like
Gateway
operator
or
Ingress
controller.
There's
some
things
that
you
could
potentially
do
to
reduce
the
the
damage
or
the
scope
of
an
attack
even
more.
B
Like
you
know,
it's
kubernetes
multi-tenancy
is
really
pretty
soft
like
if
you've
got
access
to
one
thing,
it's
like
there's
absolutely
things
to
make
it
more
difficult,
but
it's
it's
very
difficult
to
make
it
impossible
to
like
privilege,
escalate
out
like
around
things
or
like
things,
things
kind
of
expect
that
you
have
like
reasonably
broad
level
of
read
access
but
may,
but
a
lot
of
your
right
access
will
be
limited
like
that's.
A
pretty
common
assumption
is
that
controllers
that
are
running
as
part
as
part
of
the
system,
like
I,
said,
have
read.
B
Access
to
everything
that
they
need
in
every
namespace
in
in
the
cost
is
a
pretty
common.
Like
expectation,
you
can
absolutely,
as
Shane
said,
you
can
absolutely
change
that
by
when
you
run
an
implementation,
you,
the
r
back
you
granted,
can
be
limited
to
a
number
of
namespaces
and
then,
when
the
API
server,
when
it
calls
like
list
on
the
API
server,
it'll
only
see
the
stuff
that
you've
given
it
access
to.
So
you
can
absolutely
sort
of
segment
things
that
way.
B
Otherwise
you
may
as
well
just
give
it
access
to
the
whole
cluster,
because
once
you
go
out
a
little
bit
and
it
all
doesn't
match,
then
then
you've
got
the
way.
The
Escape
patch,
if
you
said
I'm,
saying
and
so
like
I,
think
a
lot
of
people
who
have
tried
to
do
hard
multi-tenancy
for
clusters,
sort
of
end
up
landing
on
the
idea
of
let's
have
smaller
clusters,
one
for
each
tenant.
E
E
A
Ahead,
no,
it's
just
doubling
up
on
that.
I
see
that
quite
a
bit
with
some
of
my
customers
like
they'll
end
up
making
the
the
actual
they
won't
bother
with
namespaces
it'll,
be
a
cluster
that'll,
be
the
the
the
area
of
which
they'll
like
do
a
specific
application,
and
that's
easier
these
days
than
it
used
to
be
like
a
lot
easier.
You
know.
What's
really
funny,
though,
is
like
five.
Six
years
ago
like
when
Ingress
was
really
new
I
feel
like
every
implementation
just
had
cluster
admin.
It
was
like
the
default.
Wasn't
it
like?
E
I
had
a
really
interesting
comment:
conversation
with
Mo
from
cigarth
about
this
and
and
related
problems,
and
one
of
the
one
of
the
areas
that
I
think
is
interested
interesting
to
both
of
us
and
I.
Don't
think
either
of
us
have
time
to
lead
it,
but
if
this
is
something
that
is
interesting
to
you,
there
is
room
for
another
kind
of
authorizer
in
kubernetes.
E
So
if
you
are
familiar
with
how
kublet
works
today,
it
relies
on
node
authorizer
to
granted
access
to
the
resources
that
are
running
on
that
node.
You
could
perchance
have
another
kind
of
authorizer
that
could
follow
a
reference
tree
and
understand.
This
is
a
thing
that
this
class
of
resources
should
have
access
to
this
top
level
thing
and
I'm
going
to
Grant
you
access
to
anything
that
ends
up
being
attached
in
the
tree
to
this
controller
right.
E
E
This
is
an
area
of
significant
concern.
If
you
follow
kubernetes
security,
you
notice
that
on
occasion
we
have
cves
tied
to
implementations
of
Ingress
and
probably
eventually
Gateway
API
over
time
and
and
you
think
about
it.
We
are
running
applications
that
are
Exposed
on
the
edge
which
usually
have
access
to
all
secrets
in
the
cluster.
E
You
take
that
combination
of
things
and
again
you
know,
be
very
careful
as
an
implementer
to
be
as
cautious
as
you
can,
but
also
there's
some
room
to.
If,
if
there
is,
you
know
a
problem
in
your
application,
hopefully
you're
only
exposing
the
minimal
set
of
things
that
you
need
to
see,
not
everything
and
a
better
authorization
model,
a
new
authorizer
or
something
like
that
would
be
a
good
first
step
towards
that.
There
are
intermediate
things
that
we
can
do
today.
You
know
the
cross
namespace
secret
references
actually
help
with
that.
E
You
can
say
all
my
certificates
for
this
specific
implementation
are
going
to
live
in
this
namespace
and
I'm
only
going
to
get
give
this
controller
access
to
that
namespace
and
nothing
else.
You
know
there
are
things
you
can
do
today
if
you're
a
security
conscious
but
I.
You
know
everything
is
kind
of
makeshift
until
we
can
build
a
new
authorizer
to
really
do
this
properly.
That
is
a
a
longer
term
effort,
but
there's
definitely
interest
from
cigar.
J
B
Oh
I
was
just
the
same
but
certificates.
The
problem
is
that
certificates
are
generally
stored
in
Secrets
inside
kubernetes,
and
you
can't
get
any
more
fine
grain
when
they
are
back
like
in
terms
of
type
right.
You
can't
have
unless
you
make
another
thing,
that
is
a
certificate
and
not
a
secret
like
you
can't
get
any
more
fine
grain
than
also
then
all
secrets
in
this
namespace.
That's
the
most
fine
grain.
You
can
get
read
access
to
all
secrets
in
this
National
Space
is
the
finest
grains
you
can
get.
B
You
can't
say
all
secrets
of
type
TLS
certificate
right
like
unless
you
make
a
separate,
a
completely
separate
type.
That's
how
the
type
system
in
kubernetes
works.
Unfortunately,
so
that's
that's
what
I
mean
by
all
secrets
is,
like
you
can't
say,
only
significance
and
not
like
you
know,
environment
variables
that
are
used
for
pods
right,
because
there's
no
distinction
in
the
type
system
between
that.
J
B
Yes,
yes,
and
so
to
make
that
work,
though
you'll
still
need
like
The
Listener,
TLS
config
is
going
to
need
some
way
to
know
which
secret
that
you're
loading
into
memory.
It
needs
to
use
for
that
specific
listener
right,
so
you're
going
to
need
practically.
Probably
what
you
would
need
to
do
is
to
have
a
CID
that
says,
like
an
in-memory
search
is
the
name
of
the
CID
or
something
like
that
and
then
listener.
B
Instead
of
having
a
reference
to
a
secret,
you
have
a
reference
to
an
in-memory
cert
that
that
tells
you
the
name
of
the
in-memory
search
right
and
that
you
are
that
you
retrieve
in
some
out-of-band
way
right,
so
that
the
API
has
the
spot
for
to.
Let
you
do
that.
It's
just
not
going
to
work
as
seamlessly
rather
you're
going
to
have
to
build
some
extra
infrastructure
around
it.
B
And
I
mean
that
sounds
like
a
great
idea
to
be
honest,
that
sort
of
thing
for
like,
if
you
want
to
make
sure
that
the
the
controller
doesn't
have
access
to
those
like
the
the
controller,
doesn't
need
access
to
all
secrets
in
the
cluster.
Then
the
way
to
do
it
is
to
make
it
so
that
the
TLs
secrets
and
needs
are
not
in
the
cluster
right
like
that's
effectively.
B
The
the
simplest
way
to
solve
that
problem
is
to
make
it
so
that
the
secrets
that
it
needs
are
not
in
the
cluster
and
then
all
you
need
to
do
is
to
build
some
sort
of
naming
scheme
that
lets
you
pick,
which
secret
out
of
all
of
the
secrets
that
it
has
access
to
in
some
other
way.
It
picks.
For
that
specific.
B
You
know
which
soda
picks
right.
Okay,
thank
you
yeah,
and
that's
what
that's
why
in
The
Listener,
we
left
that
as
our
it's
not
like
secret
name.
It's
like
you.
It's
like
a
certificate
name
or
something
like
that,
but
there's
a
good
version.
Client
selector,
that
it's
not
just
the
secret.
It
defaults
to
secret,
but
you
can
choose
any
other
type
of
resource.
You
want.
A
J
Yeah
so
so
I'm
I'm
at
F5.
We
have
a
thing
called
the
service
proxy
for
kubernetes
spk,
and
it's
it's.
It's
really.
It's
focused
currently
on
service
providers
and
launching
five
5G,
and
so
that's
why,
before
I
raised
like
the
issue
about
egress,
which
is
one
of
our
big
issues,
you
know
how
we
manage
secrets
and
the
sort
of
skeptical
nature
of
our
customers
around
using
secrets
is
another
one
of
the
big
ones.
J
H
A
No
seriously
like
seriously
don't
mean
to
so:
please
just
take
it
with
a
grain
of
salt,
but
I
think
we
would
be
happy
to
host
a
blog
post
about
your
experience
when
you
kind
of
get
further
along
in
this.
Like
yeah.
We
have.
We
have
spots
for
like
the
Gateway,
API,
blog
and
stuff,
like
that.
This
would
be
kind
of
interesting,
I,
think
for
other
implementers
and
users
of
Gateway
API.
J
J
J
B
B
Like
you
just
put,
then
you
can
just
put
the
name
of
a
secret
because
we
default
to
group
core
kind
secret
and
there's
also
an
optional
namespace
filter
there
as
well
so,
but
that
that
could
absolutely
that
does
not
have
to
be.
We
specifically
made
it
so
that
does
not
have
to
be
a
secret.
Yes,
I
just
wanted
to
make
100
sure
that
we've
done
that
right,
so
yeah.
B
That
absolutely
is
a
way
that
I
would
recommend
if
people
are
really
conscious
about
really
strongly
feel
that
you
shouldn't
have
access
to
all
the
controllers
like
this
shouldn't
have
access
to
all
secrets.
The
best
solution
is
to
just
not
put
it
in
the
cluster
as
a
secret
right
like
give
it
what
it
needs,
as
as
in
some
other
way
it
could
be
a
it.
B
A
B
Yeah,
you
would
need
to
jump
through
those
Hoops
for
your
thing,
but
I
think
the
thing
that
you
mentioned
about
storing
the
search
out
of
band
and
having
that
record
be
sort
of
a
a
signal
to
retrieve
the
outer
band
cert
from
some
other.
You
know
grpc
standpoint
or
something
like
that.
That
sounds
like
a
great
idea
to
me
for,
for
that
sort
of
much
more
secure
use
case.
100
Michaela
asked
in
that
chat
that
Dewey
require
TLS,
can
secrets
and
conformance
test.
B
Yes,
we
do
currently,
so
you
know
if
we
you
know
if
this
became
more
of
a
thing,
then
I
would
guess
that
we'd
probably
need
to
slice
and
dice
the
conformance
test
a
little
bit
more
to
sort
of
be
like
hey
we're
testing
the
sort
of
common,
the
common
cases
of
you,
you
just
you
store
your
stuff
in
Secrets
and
then
there'd
be
other
conformance
tests.
That
would
need
or
there'd
be
some
other
way
that
you
need
to
test
this
stuff.
B
Yeah
yeah,
but
that
I
think
that's
100,
a
thing
that
we
can
do
that
will
again
come
back
to
exactly
how
we
handle
the.
How
do
you
submit
a
conformance
report
and
what
does
it
look
like
and
you
know
what
test
did
you
Skip
and
are
those
tests
okay
to
skip?
And
what
overloads
did
you
use
and
some
other
stuff
like
that
which
is
kind
of
similar
problems
to
what
Upstream
kubernetes
has
with
the
kubernetes
the
Upstream
kubernetes
conformance
so
I'm,
hoping
that
we
can
crib
a
lot
from
what
they
do.
E
I
can't
read
it
hang
on
yeah,
so
Candace
I
think
is
actually
the
person
working
on
this
right
now.
So
Candace
is
working
on
performance
tests
for
TLS
route.
Looking
forward
to
getting
those
in
ASAP
actually
Candace,
you
may
have
a
better
status
update
than
I.
Do
it's
I've
been
meaning
to
review
your
PR.
E
B
Thank
you
and
thank
you
notably.
It
is
probably
relevant
because
before
we
run
out
of
time,
we
are
probably
going
to
cut
o60
in
the
next
couple
days,
certainly
before
the
end
of
the
week.
But
we
do.
One
thing
that's
important
to
remember
about
our
versioning
is
that
we
do
reserve
the
right
to
add
conformance
tests
in
a
patch
release.
So
if
that
particular
test
doesn't
make
it
into
060,
we
can
still
release
a
patch
release,
much
quicker.
B
A
Roger
that
all
right
thanks,
everybody
for
coming
just
a
heads
up,
I,
believe
we
canceled
next
weeks
and
the
following
weeks,
just
because
we
had
so
many
people
say
that
they
wouldn't
be
able
to
show
up.
So
we
will
be
back
I
want
to
say
that's
the
second
week
of
of
the
of
the
month.
It
should
all
be
on
the
calendar
if
you
need
anything
during
that
time,
hit
us
up
in
slack
and
discussions
and
issues
and
so
forth,
happy
holidays.
Everybody.