►
From YouTube: SIG Network - Gateway API meeting for 20221107
Description
SIG Network Gateway API meeting for 20221107
A
Okay:
let's
try
that
again
hi
everybody
Welcome
to
the
Gateway
API
meeting
for
November
7th
2022..
My
name
is
Nick.
Young
I
am
monitoring
this
one
today,
as
always,
this
is
a
kubernetes
project
meeting
and
so
all
of
the
usual
kubernetes
project
conduct
stuff
applies.
You
know,
in
summary,
please
be
nice
to
each
other.
Okay.
A
B
Yeah,
hey
everyone.
My
name
is
Andrew
stoichus
I
work
with
red
hat
and
have
been
working
in
coop
for
a
while,
mostly
on
the
network
policy
work.
So
stick
Network,
API,
Network
policy,
API
subgroup
system,
Network
on
admin,
Network
policy
and
I
met
up
with
Rob
and
Shane
and
others
at
kubecon
a
week
ago
and
kind
of
got
pulled
into
some
fun,
evpf
stuff.
So
learning
more
about
Gateway
and
excited
to
see
where
I
can
help
out.
A
A
D
C
I
think,
okay,
right
now,
you
should
be
able
to
just
see
the
meeting
notes
everything
good,
yep,
you're,
good,
all
right
so
a
couple
of
weeks
ago
and
for
those
who
are
uninitiated.
I
brought
up
the
idea
of
creating
a
implementation
of
Gateway
API
that
was
layer
4
only
that
used
ebpf
as
kind
of
the
back
end
data
plane.
C
Basically,
the
Linux
kernel
and
Gateway
API,
which
is
kind
of
the
breadth
of
the
Technologies
involved
in
this
project,
are
not
contentious
to
anybody
here.
So
thus
became
bleaks,
which
is
Swedish
for
lightning.
The
flash
of
lightning
is
how
I
understand
it.
This
is
a
fun
name,
and
this
is
an
experimental
layer
for
kubernetes
Gateway
API
implementation
that
uses
ebpf.
It
currently
uses
XDP,
but
we'll
go
into
some
details
about
like
where
it's
headed
and
stuff
like
that
and
do
a
quick
demo.
C
So
hopefully
that
was
a
good
enough
intro
to
like
what
it
was
for
those
who
weren't
here
and
then
for
everybody
else,
you're
caught
up
on
like
where
we're
at
suffice
to
say
at
kubecon,
we
got
a
lot
of
traction.
Andrew
is
here
on
my
request,
because
he
and
I
have
been
basically
pairing
on
this
thing
for
the
last
couple
weeks
and
during
kubecon
it's
been
a
lot
of
fun.
It's
also
been
a
lot
of
struggles.
C
C
It's
going
to
be
deployed
inside
of
I
have
a
little
kind
cluster
here,
that's
not
doing
a
whole
lot
of
anything
and
then
we'll
trace
the
control
plane
in
the
data
plane
logs
and
then
what
we'll
show
is
a
UDP
route
coming
up
and
ultimately
getting
traffic
into
a
pod.
So
today
this
all
works.
You
can
customize
in
the
repo.
C
C
The
short
version
of
what
this
is
doing
is
this
data
plane
is
going.
Is
it
has
host
Network
or
host
network
access
and
privileged
access,
and
it's
loading
code
directly
into
the
kernel?
This
is
what
ebpf
does
to
take
care
of
the
routing,
basically,
instead
of
doing
it
inside
of
like
nginx
or
Envoy,
or
something
like
that
or
even
with
iptables.
C
But
that's
what
this
thing
is
doing
is
loading
C
code
into
the
kernel,
that's
like
controlling,
like
packet
redirection
for
us,
and
then
the
controller
manager
is
just
listening
for
gateways
and
Gateway
classes
and
so
forth.
Okay,
so
once
that's
up,
we
have
a
couple
of
samples
in
here
right
now.
You
can
do.
C
Gateway
class,
which
the
control
plane
said
yep,
that's
my
controller
name,
so
I'll
take
care
of
that
and
anything
you
attach
to
it
and
then
the
Gateway,
which
gets
an
IP
address
and
then
we'll
also
also
in
the
cluster
already
I,
have
a
nginx
pod,
which
is
listening,
has
two:
has
a
service
listening
load
balance
type
service
listening
here
for
UDP,
actually
I
used
nginx,
just
because
it
has
apps
and
I
could
just
app
install
netcat.
So
it's
it's
easy.
C
Everything's
working
just
as
you'd
expect,
you
see
that
our
kernel
actually
caught
track
of
the
fact
that
we
were
doing
it
because
we're
doing
a
bunch
of
tracing
right
now,
but
ultimately,
that
is
everything
working
outside
oblig's.
The
traditional
way.
I
have
a
surface
type
load
balancer,
where
I
hit
the
service
IP
and
ultimately
sent
it
a
UDP
packet
and
got
it.
C
Is
doing
nothing
so
the
Gateway
in
this
example
is
actually
backed
by
a
service
type
load
balancer,
because
that's
just
how
these
things
work
right
now
in
Gateway,
API
But.
Ultimately,
you
can
see
that
this
IP
address
over
here
ended
up
not
having
any
back
ends.
This
is
our
kernel,
our
kernel
code,
that
is
telling
us
okay,
well,
I,
don't
know
where
to
send
that.
So
it's
dying,
it's
basically
just
kind
of
a
we're
holding
on
to
a
service
load,
balancer
IP,
but
it's
not
doing
anything.
C
I
meant
to
show,
and
then
I
didn't
do
it
f
meant
to
show
the
control
plane,
What
It.
Ultimately,
the
control
plane
was
logging
under
the
hood
that
it's
like
the
service
is
ready,
so
it
updated
the
Gateway
and
you
saw
the
Gateway
class-
was
set
as
true
blink
system.
Log,
slash,
F
data
plane
and
then
this
thing
is
just
started
up
and
it
has
a
UDP
route
controller
in
it
because
that's
temporary.
B
C
Yeah
that
was
like
I
said
in
the
beginning:
there,
that's
the
ebpf,
like
the
actual
C
code,
doing
debug
statements,
that's
coming
out
in
the
kernel,
debug
Trace,
so
anything
you
see
on
this
window
is
us
in
our
C
code,
basically
saying
what
we're
doing
with
packets
as
we
see
them,
Bulls
UDP
route.
So
if
we
apply
the
UDP
route,
if
I
didn't
break
anything
okay,
it
created
a
back
end
and
this
added
the
info,
all
the
information
needed
to
like
for
that
UDP
route
and
you'll
see
it's
repeating.
C
C
If
I
didn't
break
anything
now
we
get
it
here
and
we
see
that
the
ebpf,
the
xdt
code
is
actually
working
and
we
got
a
bunch
of
different
outputs
showing
us
like
where
we're
sending
it
now.
It
has
a
back
end
now
that
it
found
in
that
map.
So
you
can
see
that
it's
updated.
It's
got
all
the
information
it
needs
to
redirect
that
packet
off
to
the
pod
and
that's
pretty
much
it
I
can
similarly
delete
the
UDP
route.
C
A
C
C
The
demo
that
we
said
we
were
going
to
do
a
couple
weeks
ago.
We
had
a
great
time
building
and
hacking
on
it
at
kubecon.
We
have
some
goals
that
are
in
here
right
now.
Basically,
we
want
to
support
Gateway
and
Gateway
class
UDP
Rock
TCP
you're
out,
maybe
TLS
route
I,
don't
know
this
is
kind
of
a
yeah
we'll
see
we
want.
C
One
of
the
things
we
want
to
do
is
like
an
early
goal,
for
this
is
we'd
like
to
get
it
to
the
point
where
it's
working,
functional
like
fully
functional
with
these
apis
and
then
plug
it
in
as
a
Gateway,
API
conformance
test
tool,
use
it
to
build
more
conformance
tests
for
L4.
Part
of
the
purpose
of
this
project
isn't
just
to
have
fun
and
to
build
a
load
balancer
and
all
this
other
stuff,
but
it's
also
to
push
The
L4
agenda
in
Gateway
API.
C
That
really
hasn't
had
much
of
a
champion,
basically
Force
this
to
kind
of
help
us
to
Champion
it
ourselves.
So
that's
one
of
the
things
that'll
be
cool
and
then
the
other
one
we
want
to
do
is
actually
plug
it
directly
into
the
CI.
It's
agnostic.
It
doesn't
have
nginx
or
Envoy
or
anything
in
it.
That
can
make
anybody
hopefully
upset.
So
we
would
plug
it
in
as
a
testing
tool
and
then
PR's
can
when
PR's
come
in,
they
would
run
the
conformance
for
this,
which
actually
can
cover
a
lot.
C
Even
though
it
doesn't
do
L7
it
can
get
reference
grants,
it
can
get
all
kinds
of
different
pieces
of
like
the
Gateway
and
there's
there's
quite
a
bit
that
it
can
cover
plus
it'll
cover
the
all
four
stuff.
So
that's
the
goals
for
now
and
then
I
put
here
like
we're.
We
don't
know
if
it
may
end
there.
This
is
an
experiment,
it's
kind
of
for
funsies,
we'll
see
if
it
ends
up
being
kind
of
a
reference,
implementation
and
a
testing
tool.
C
That's
great,
ultimately
in
Maine
right
now,
there's
one
thing
that
we
did
recently
was:
we
did
decide
that
the
data
plane,
which
was
previously
in
celium's,
ebpf,
go
and
see
we
switched
to
rust
and
Aya
because
it
had
there's
just
kind
of
a
missing
support,
features
for
TC
and
ebpf
go
right
now
that
are
pretty
well
shaped
in
Rust
and
Aya.
So
you'll
see
that
in
Maine
it's
very
different
from
what
I
just
demoed
there's
a
branch
here
with
kind
of
the
demo.
C
Yeah,
that
was
the
next
thing.
I
was
going
to
point
out.
We
are
in
the
process
of
kind
of
getting
this
moved
into
kubernetes
six,
one
way
or
another
right
now:
I'm
just
trying
to
get
the
whole
repo
moved
over.
Otherwise
we're
just
going
to
make
a
repo
would
it,
but
it
should
be
just
a
matter
of
giving
my
company
a
couple
of
days.
B
I
think
you
know
beyond
just
Gateway
I'm
really
interested
in
looking
like
what
BPF
looks
like
you
know,
truly
an
upstream
and
tackling
some
of
the
problems
that
are
kind
of
come
with
this.
You
know
with
deploying
BPF
and
Cube
like
there's,
there's
a
lot
of
bigger
problems
in
Chain
of
I
and
I
have
kind
of
been
talking
about
like
how
can
we
maybe
get
a
working
group
together
to
address
that
and
Nick?
Maybe
you
have
some
great
connections.
You
know
within
psyllium.
You
guys
have
solved
all
this
most
of
it.
C
Yeah
yeah
I'm,
making
like
building
a
better
ecosystem
behind
us
because
we
ran
into
so
many
weird
troubles
and
it
would
be
a
wonderful
thing,
we'd
like
to
do
yeah
last
little
bit.
We
are
looking
for
contributors,
there's
lots
of
different
things
to
contribute
in
this.
It's
not
a
high-speed
high
stakes
thing.
It's
a
you
know
for
testing
and
stuff
like
that.
We're
doing
a
meeting
tomorrow
before
the
gamma
meeting,
which
is
kind
of
our
first
movie.
A
C
E
E
C
E
C
Would
love
to
but
currently
like,
like
we
put
in
the
in
the
goals?
That's
not
one
of
the
current
goals
and
we
don't
know
what
the
future
goals
are
going
to
be.
Yet,
if
you're
interested
in
getting
involved
and
like
driving
it
that
direction
we're
all
for
like
having
you
come
in
and
like
say
this
is
something
I
want
to
Champion
in
this
project
to
make
this
work.
E
A
A
My
to
be
honest,
my
suggestion
would
be
that
it's
better
to
keep
this
thing
tightly,
focused
on
on
handling
the
equivalent
the
layer
for
equivalent
of
an
English
controller
use
case,
and
we
you
take
the
lessons
that
we
learn
from
this
and
like
take
them
to
doing
sort
of
other
more
like
East,
West
kind
of
traffic
stuff,
like
I.
Think
that
that
would
be
my
summary
of
this,
like
I,
think
it's
best
to
keep
it
tightly
focused
on
a
north-south
scope,
and
you
know
that
way
that
way.
A
This
has
like
a
much
more
clearly
defined
set
of
goals
and,
as
as
Shane
said,
I
mean
it
would,
it
will
be
very
useful
to
have
an
implementation.
That's
you
know
under
kubernetes,
like
a
reference
implementation
of
sorts
that
is
under
kubernetes
that
you
can
run
like
they
can
run
the
basic
test
when
you're
updating
the
conformance
test,
because,
right
now,
when
you
update
the
conformance
tests,
hopefully
your
implementation-
you
are
working
on
the
conformance
tests
at
the
same
time
is
your
implementation,
and
so
you
can
test
that
the
performance
test
check.
A
What
do
you
think
they
do?
But
right
now,
if,
if
you
don't
like,
have
an
implementation
that
has
implemented
the
conformance
tests,
then
there
is
no
way
for
you
to
test
that
they
actually
test
what
you
think
they
do
so
this
is
I
mean
this
is
gonna.
This
has
kind
of
come
up
for
us
very,
like
probably
later
on
in
this
meeting.
A
When
we
talk
about,
you
know
changing
the
conformance
tests
for
the
new
status
changes
where
nobody
is
going
to
have
done
them
yet
because
we
haven't
made
the
changes
yet
so
you
know
so
that's
that
sort
of
thing
is
going
to
come
up
soon
and
having
it
be
that
you
know
like
having
having
something
to
help
tighten
that
Loop
up
and
make
it
a
little.
A
little
shorter
will
be
really
helpful,
I.
Think,
okay,
does
anyone
else
want
to
contribute
any
more
discussion
on
Blake
really.
C
Cool
demo,
by
the
way
there
was
one
more
question:
yeah
I,
don't
want
to
take
up
all
the
time.
I
heard
we
actually
took
25
minutes
already
holy
sh,
okay,
so
real,
quick
Bowie.
We
are
trying
to
communize
or
make
some
things
common
I'll
talk
about
that
a
little
bit
more
today.
If
we
have
any
time,
I
actually
have
an
agenda
item
related
to
that
Mikhail,
no
I,
don't
think
we're
gonna
go
that
Direction
with
it.
C
A
A
Yeah
yeah
like
if
you
have
some
other
tool
that
you
can
make
that
problem
go
away.
That
is
good,
because
solving
that
problem
is
hard.
That's
why
we
don't
have
TCP
route
or
UDP
or
out
supporting
ceiling
matters,
because
we
have
to
solve
the
problem,
hopefully
without
using
that
sort
of
stuff,
because
we've
got
all
the
tools:
okay,
yeah.
Thank
you
very
much
guys
that
was
awesome.
Yeah.
As
you
said,
25
minutes,
we
need
to
keep
moving
I.
Have
a
quick
up.
A
I
have
a
couple
quick
updates,
no
actions
here
for
anybody.
The
policy
attachment
update
is
coming
along
the
current
document.
Sorry,
let
me
share
my
screen
again
this
one.
The
current
document
is
here
I.
This
is
a
basically
a
bit
of
a
narrative
of
what
I
want
to
update
that
I
want
to
convert
into
an
update
PR
to
the
policy
attachment.
A
The
actual
Gap
I've
just
got
a
few
things
here
that
yeah
and
Sanjay
has
been
really
helping
here,
thanks
Sanjay
for
with
like
clarifying
some
things,
because
he's
actually
looking
at
implementing
some
policy
stuff
I
think
that
as
people
start
implementing
policy,
other
people
have
similar
questions.
So
I
want
to
kind
of
get
this
and
it
feels
like
people
are
starting
to
talk
more
about
policy
now.
So
I
want
to
get
this
in
reasonably
soon,
not
I.
A
Don't
think
this
is
absolutely
not
a
blocker
for
o60,
though
this
is
just
a
general
sort
of
Bou
kind
of
thing
of
trying
to
tidy
up
the
language
around
this
and
actionable
changes,
so
this
should
definitely
go
into
070
in
my
opinion,
so
that
is
my
update.
Does
anyone
have
anything
they
want
to
ask
or.
A
To
action
is:
have
a
look
at
the
have
a
look
at
the
doc
I'll.
Give
it
like
a
couple
days
to
for
anyone
to
have
a
look
at
it
and
add
any
comments
they
like,
after
that
I'm
going
to
work
on
basically
start
an
update
PR
for
the
Gip
and
then
once
I've
done
that,
then
everyone's
welcome
to
Pile
in
on
there.
A
So
if
you
want
to,
if
you
don't
have
a
chance
to
review
the
doc,
don't
worry
too
much,
because
all
of
the
changes
that
are
in
there
are
going
to
end
up.
You
know
get
PR
anyway,
but
if
you
would
like
to
sort
of
have
a
chance
to
throw
stones
at
me
right
now,
as
opposed
to
have
throwing
biggest
stones
at
me
later
and
then
then
yeah
knock
yourself
out
I!
Think
most
of
what
I
got
there
is
pretty
reasonable.
A
The
settings
in
that
policy,
sort
of
default
or
override
the
settings
in
the
hierarchy,
and
so
that's
that's
the
really
important
part
about
policy
attachment,
as
opposed
to
other
meta
resources,
and
that's
what
I
want
to
clarify
so
anyway.
I
don't
want
to
take
very
much
time
with
this.
It's
probably
too
much
ready,
so
yeah
that
call
to
action
is
have
a
look
at
the
have.
A
look
at
that
document
have
a
read
of
it
and
please
comment
on
there.
A
A
I
think
that
a
lot
of
the
questions
that
we've
had
around
backend
capabilities
have
been
around
the
fact
that
you
that
the
explanation
of
the
model
in
the
original
Gap
was
was
not
as
clear
as
it
could
have
been,
and
so,
when
Candace
very
kindly
went
to
do
an
implementation,
people
had
a
lot
of
questions
that
were
sort
of
actually
underlying
model
questions
that
we
hadn't
explained
well
enough
in
the
Gap.
So
that
one
is
on
me:
I,
don't
there's
no
I,
don't
think
that's
going
to
make
it
into
060
I'm.
A
Sorry,
everyone
yeah,
but
I,
think
we
need
to
get
060
out
pretty
urgently
and
so
I
think
that
one's
going
to
need
to
be
an
070
thing,
yeah,
so
yeah.
Those
are
two
updates
of
things
that
I
that
are
on
me.
So
yeah,
sorry
for
not
moving
them
forward
faster.
The
next
thing
on
the
agenda
is
Mike's
default
group
of
parent
reference
is
a
mic.
Are
you
here,
I'm.
D
G
Yep
all
right,
so
this
is
something
that
John
Howard
noticed.
While
we
were
working
in
kind
of
like
starting
to
pocket
implementation.
Now
that
we've
learned
in
the
first
Gap
programmer
focused
on
using
Service
as
a
paragraph,
we
noticed
that
the
spec
does
not
actually
Define
what
the
default
group
is
for
parent
preference.
This
is
in
contrast
to
all
the
other
references
back
in
the
reference
secret
object.
Reference
mobile
object,
reference
which
all
specify
that,
when
it's
unspecified
or
empty
string,
the
core
API
Group
is
inferred.
G
The
paraffin
crb
is
currently
implemented
to
set
gateway.networking.kates.io,
as
the
default,
which
makes
sense
in
the
context
of
Gateway,
is
the
only
known
thing
when
service
becomes
a
possibility
too.
That
starts
to
get
weird.
It
is
unclear
like
how
somebody
would
do
that.
Hopefully,
we
would
kind
of
avoid
the
inconsistency
of
like
manually,
setting
MP
string
and
relying
on
maybe
weird
language,
specific
behavior.
G
Unfortunately,
the
the
thing
that
might
be
nice
to
do
of
just
like
change
the
default
to
court
for
that
as
well,
would
probably
break
everybody
and
there's,
like
maybe
split
the
difference
kind
of
things
of
like
setting
different
defaults
based
on
kind,
but
that's
potentially
a
confusing
ux.
So
I'll
turn
over
to
Rob
yo
you're
hand
raised
thoughts.
H
Yeah
I
I
know
we
were
hoping
to
leave
room
for
this,
so
group
is
a
pointer
and
the
parent
reference
struct,
which
should
make
it
clear
whether
something
is
an
empty
string
or
just
nil
and
unspecified
all
throughout
kubernetes
object.
References
we
have
to
deal
with
this.
Empty
string
means
core
API
Group,
it's
weird,
but
I
think
it
will
work.
G
A
H
That's
so
so
wouldn't
defaulting
my
guess
and
again
this
just
to
guess,
but
defaulting
should
get
applied
before
something
reaches
the
controller
code
right.
So
in
that
case,
you're
going
to
have
a
very
clear
definition
when
it
gets
to
Gateway
networking
kxio
when
I
get
to
your
controller,
that
that
is
the
value.
H
I
Yeah
I
mean
I
think
for
sure
any
implementation
that
has
the
ability
to
implement
it.
My
bigger
concern
would
be
the
user
experience
of
it
like
how
many
people
are
going
to
write,
mesh
or
write
service
and
then
forget
that
they
had
to
put
group
equals
empty
string
or
look
at
that
and
not
have
any
idea
what
it
means.
I
Quite
large
right
like
from
a
user's
standpoint,
they
don't
really
care
what
the
group
of
Gateway
is
I,
don't
care
what
the
group
of
services
they
just
care
about,
services
and
gateways,
and
for
the
very
rare
case
when
they
happen
to
be
dealing
with
an
object
that
has
an
ambiguous
kind
without
the
group
name,
then
they
maybe
have
to
start
caring
now
like
from
because
the
choices
we
made
the
default
is
Gateway,
but
in
theory
the
default
could
be
conditional
based
on
what
the
kind
was
right
like.
We
know
what
service
means.
I
A
The
problem
is
that
anything
we
do
to
make
this
easier
for
service
makes
it
harder
for
Gateway,
therefore
right
like
because
if
we
make
it
so
that
the
default
is
aside
from
adding
magic,
where
you
look
at
the
kind
and
then
try
to
guess
the
group
then
you're
like
then
anything
we
do
for
like
the
reason
we
made
it.
The
defaulted
to
gateway.networking
is
before
the
the
Gateway
use
case,
to
make
it
easier
so
that
you
didn't
have
to
include
client
right.
I
A
I
think
that
it,
it
feels
risky
to
me
to
be
you're
eventually
you're,
basically
going
to
end
up
with
a
list
of
like
specific
kinds
that
you
assume
than
a
group
for
which
you
know
is
not
I,
don't
think
like
it
seems
it
seems
reasonable,
but
the
the
the
sort
of
the
local,
the
the
object
references
require
the
group
for
a
reason
because
it
is
possible
to
have
you
can
make
another
object.
That
is
also
called
that
has
the
kind
of
service.
A
If
the
group
is
distinct,
then
kubernetes
will
let
you
do
that
right
like
it
would
be
a
bad
idea.
Absolutely
can
you
do
it
definitely
yeah
and
so
like
yeah.
So
that's
why
you
know
the
okay
I'm,
assuming
Focus,
sort
of
mandate
that
you
have
to
have
a
group
in
this
sort
of
thing.
Sorry
constant!
You
go.
A
A
E
No,
but
but
we
we,
we
can
be
a
bit
flexible.
I
agree
that
someone
can
create
service
in
a
group
full
bad
whatever,
but
if
the
group
is
empty
in
the
API,
if
someone
is
pretty
empty,
normal
behavior
is
already
either
service
or
organic.
So
as
long
as
the
Gateway
networking
kubernetes
doesn't
Define
something
called
service
which
hopefully
they
will
not
do.
E
F
H
F
H
We're
stuck
between
a
few
awful
Solutions
here
and
and
I'll
I'll
admit
that
all
of
them
have
rough
ux
right.
We
don't
have
conditional
defaulting
as
an
option
to
us
with
crds
today,
so
we
could
say:
okay,
if
this
is
empty,
we're
going
to
interpret
it
differently,
but
then
default
is
going
to
apply
or
we
remove
the
default
entirely
from
the
API
and
but
that
requires
a
version
rev
and
all
controllers
to
update
and
awful
awful
changes.
All
the
way
down.
H
I,
don't
know
that
that's
backwards,
compat,
I,
I,
don't
know
I
mean
we
could
do
that
with
a
new
API
version.
Maybe,
but
you
can
change
defaults
on
that
boundary,
but
still
it's
awful
I
personally
think
the
least
painful
thing
available
to
us
today
is
to
require
users
to
specify
group,
but
I
admit
that
still
an
annoying
thing,
so
I
would
love
to
like
what
Bowie
was
already
saying
like
we
should
follow
up
with
API
machinery
and
sit
and
see
hey.
Can
we
do
conditional
defaulting?
Can
we
I
I,
don't
know?
H
E
F
A
In
those
ones
in
those
ones,
they
have
an
explicit
call
out
that
an
empty
string
means
call
I
think
we
can
easily
add
an
explicit
call
out
that
there's
an
empty
string
means
core,
but
we
can't
easily
change
the
default
right
now
and
I.
Think
that's
what
you
know
and
so
that
that
means
that,
like
that
means
that,
because
we
can't
change
the
default
without
API
revs,
as
Rob
mentions,
we
can't
make
it
so
that
you
can.
Just
you
know.
A
A
Are
we
either
assume
that
if
you
say
Gateway
gateway.networking
and
you
have
a
service
that
you
actually
mean
core-
which
like
is
not
great,
but
it
might
be?
Okay
or
you
say
Hey
you
have
to
you-
have
to
do
empty
string,
I
kind
of
would
prefer
that
it
that
we
say
hey?
Yes,
we
know
it
sucks,
it's
a
bad
ux,
but
you
need
to
do
MP
string
for
now,
while
we
figure
out
what's
going
on
with
this.
A
This
is
still
an
experimental
API
right,
like
you
know,
I
agree
that
this
is
absolutely
an
API
that
a
problem
that
needs
to
be
solved
before
this
goes
to
abroad.
But,
like
you
know,
this
is
an
experimental
API
I.
Think
that
having
a
sharp
edge
like
this
is
probably
okay,
because
we
still
need
to
fix.
We
still
need
to
get
you
know.
We've
got
to
do
API
overview
for
this
right,
like
you
know,
if
the
API
review
folks
call
this
out
in
the
API
review,
is
the
thing
then
we're
like?
F
Yeah
so
I
think
like
we
should
look
at
the
API
ecosystem,
which
is
bigger
than
just
this
project,
or
this
narrow
thing
and
see.
Is
it
well
understood
and
if
other
people
were
successful
in
making
people
understand
empty
string,
which,
admittedly,
is
very
confusing,
but
I
mean
like?
If
people
have
been
successful,
then
it's
like
okay,
even
though
it
feels
weird,
maybe
in
the
end
it
doesn't
matter,
I
think
it's
probably
not
quite
there,
but
we
we
definitely
shouldn't
sort
of
like
take
a
shortcut
on
our
side
without
doing
the
general
investigation.
A
Okay,
so
I
think
thanks
for
taking
notes
on
this
one,
everyone
say
I
I've
said,
but
I
think
you
know
I
think
that
the
to
summarize
I
think
that
this
is
absolutely
a
ux
issue.
It
is
annoying
to
have
to
do
this,
but
I
can't
see
a
way
to
solve
this
quickly
and
easily.
Now,
so
I
think
that
this
is
a.
We
need
to
keep
this
game
down
the
road
discussion
and
like
the
you
and
and
see
how
we
go
as
we
as
we.
This
is
a
like.
A
Let's
graduate
this
thing,
to
beat
up
kind
of
discussion
in
my
mind
you
rather
than
I.
We
need
to
worry
about
this
in
the
alpha
phase.
You
know.
Yes,
it
sucks
100
agree,
but
this
is
a.
This
is
a
a
blocker
from
Peter,
rather
than
a
block
of
alpha.
In
my
mind,
does
anyone
else
have
thoughts
here?
I
mean
obviously
I
know
you
probably
disagree.
Mike
and
John.
A
D
E
A
If
it
so,
there's
only
two
options:
it's
a
pointer
field,
in
which
case
the
default
is
nil
and
setting
to
empty
string
is
setting
a
different
value
than
nil,
so
it
will
work.
The
second
case
is,
it
is
not
a
pointer
field,
in
which
case
the
zero
value
is
the
empty
string,
but
that
zero
value,
if
not
specified,
will
be
overwritten
by
the
default,
so
specifying
an
empty
string.
E
A
Okay,
so
yeah
no
worries
so
yeah.
Do
we
have
anything
more?
We
want
to
say
there:
okay
cool.
We
are
I'm
conscious.
We
are
running
low
on
time
and
I
did
want
to
get
to
some
of
the
triage
today.
If
we
could
manage
it.
There
are
a
couple
of
issues
here
for
no
matching
listener.
Port
I
think
I
I
had
a
bit
of
a
look
at
these
sorry,
but
you
want
to
go
rob.
H
A
Yep
I
think
yeah
this.
This
one
just
just
needs
like
a
small
PR,
to
add
a
reason
to
the
covers
these
things
that
covers
it
and
then,
preferably
when
we
add
reasons
like
that,
we
should
also
add
conformance
tests
to
exercise
them.
So
I
will
see
if
discussion
and
there
isn't.
There
is
an
issue
for
it.
So
I
think
that
issue
I'll
just
note
in
there
that
it
should
also
include
a
performance
test
so
check
the
the
reason
Works.
A
A
A
Stronger
strongly
about
it
and
they
would
like
to
get
it
into
o60,
then
you
have
at
it:
okay,
yeah.
Let's,
let's
talk
speaking
of
let's
talk,
o60
Milestone,
so
there's
there's
quite
there's
a
little
bit
left
here.
The
the
conditions
and
status
update.
One
that's
on
me,
basically
is
mostly
kind
of
done.
A
The
outstanding
things
are
the
the
program,
Gateway
condition
PR.
That
Lucas
has
what
we've
been
working
on.
I
think
that
one
is
pretty
close,
but
just
need
some
more
conformance
tests.
I
I'm,
pretty
sure
that
there
are
that
a
lot
of
the
API
currently
uses
the
ready
condition
in
the
conformance
test
to
signal
that
the
conformance
test
should
be
run.
All
of
that
tooling
needs
to
be
moved
to
programmed
as
part
of
this
change.
So
that's
probably
the
thing
that
has
that
is
the
most
work.
H
Here,
yeah
I'd
agree:
I
really
want
to
highlight
the
first
one
in
that
list,
the
conformance
test
that
is
incorrect.
We
don't
have
anyone
working
on
that
right
now.
Yes,
I,
that
needs
to
be
prioritized.
I,
I
think
the
other
items
in
the
in
the
list,
specifically
the
other
the
net
new
conformance
test
we
want
to
add,
is
not
a
blocker
like
we,
we
have
said
in
our
versioning
guidelines.
We
can
add
new
conformance
tests
and
Patch
releases,
and
you
know
as
long
as
they
describe
Behavior
that's
already
in
the
spec.
H
H
H
A
A
D
D
H
Yeah
that
that's
awesome,
my
my
own
personal
goal
for
this
is
I,
would
love
to
enter
API
review
next
week.
So
this
this
week
is
OSS
code,
freeze
and
Upstream.
So
we're
not
going
to
get
any
attention,
but
next
week
I
would
really
love
to
have
things
in
place.
That
means
especially
status.
Getting
that
in
place.
A
H
Be
done
this
week,
then
yeah
and
then,
if,
if
we
can
at
least
get
that
first
round
of
API
review
done,
we
don't
have
massive
changes
in
this
release,
but
I
really
want
to
make
sure
we're
we're
as
ready
as
we
can
be
next
release
because
I
know
there.
You
know
Contour
is
probably
not
the
only
implementation
that
would
really
love
to
see
this
release
get
out
the
door
so.
A
Yeah
yeah
I'm.
Sorry,
we
keep
finding
things
that
are
like.
Oh
no,
we've
got
to
fix
this,
especially
like
a
lot
of
this
is
on
me
for
fixing
this
for
trying
to
fix
the
status
that
has
created
a
lot
of
churn
in
the
API
like
I
said
before,
we
would
have
had
to
break
it
at
some
point.
I'd
rather
do
it
now,
but
it's
meant
that
it's
taken
us
longer
than
I
would
have
hoped
to
to
get
this
done.
D
C
C
So
even
if
you
don't
know,
Russ
like
the
whole
system
is
using,
copium
should
be
capable
of
actually
being
automated,
and
what
I'd
like
to
do
is
have
that
automatically
build,
keep
it
in
tag
parallelization
with
the
go
library
and
then
ultimately
contribute
this
to
kubernetes.
Six
I
am
aware
of
Mike
put
in
there
that
Linker
D
has
done
something
kind
of
similar
I,
don't
think
they
automate
their
builds.
C
A
J
We
got
down
this
far,
so
Robin
raised
the
question.
Basically,
so
we
have
two
options
for
validating
that
you
don't
try
to
make
the
header
filters
do
things
that
are
a
bit
confusing
one
way
to
do.
This
is
that
you
just
make
it
so
they
only
do
one
action
and
we
can
do
the
lather
with
a
validation
web
hook
or
kind
of
a
hybrid
between
a
validation,
web
Hook
and
the
controller.
So
the
current
proposed
version
here
is
just
the
validation
webhook,
which
means
that
you're
not
running
the
validation
web
hook.
J
Then
you
can
have
mixed
like
multiple
actions
get
to
the
controller,
it'll
kind
of
just
be
undefined
Behavior
what
the
controller
does
from
there.
You
could
also
implement
it
as
something
in
conformance
test,
for
the
controller
actually
does
have
to
take
that
and
if
it
does
see
it,
assign
a
status
and
reject
the
route.
My
kind
of
position
on
this
is
at
least
briefly
in
the
past.
J
I'd
heard
that,
like
basically,
we
kind
of
just
want
to
consider
the
validation,
Bishop
webhook
as
a
required
portion
of
the
environment,
so
that,
if
you're
not
really
running
out-
and
you
can
expect
to
see
undefined
behavior
and
I
kind
of
like
that,
because
a
you
know
it's
one
less
thing
from
Nations
to
deal
with.
You
know
this
is
something
that
we
can
very
much
easily
say
from
the
resource
alone
that
you
just
are
not
you
shouldn't
accept
this.
J
It
doesn't
really
have
to
rely
on
anything
else
that
the
implementation
may
know
about
about
its
internals.
It's
very
clear
and
apparent
for
the
resource
alone
that
the
configuration
is
incorrect
and,
secondly,
that
I
I
don't
know
I
could
kind
of
like
wonky
around
having
the
mix
config,
where
it's
like.
J
Sometimes
the
failure
will
happen
this
way,
if
you're
you
know
running
the
web
hook,
sometimes
it'll
happen
the
other
way
and
then
kind
of
like
with
the
additional
weird
thing
where,
if
you
have
two
of
the
same
action,
then
it
violates
the
schema,
so
it's
kind
of
like
a
web
hook.
But
you
know
not,
if
you
don't
have
the
web
clock
in
place,
yeah
I
feel
like
yeah.
Aren't
that
bad?
If
we
let
it
through,
but.
H
H
But
at
the
end
of
the
day
we
have
to
recognize
that
there
will
be
some
point
where
our
controller
runs
where
the
web
Hook
is
not
present,
and
we
need
to
do
something
when
that
when,
when
this
gets
through
right,
when
that,
when
this
validation
just
is
not
present,
what
do
we
do?
We
can
leave
that
unspecified
and
leave
that
completely
up
to
implementations,
because
well
I
mean
we
don't
expect
that
to
be
a
common
case
or
we
can
provide
some
kind
of
either
recommendation
guidance
or
requirement
even
for
what
they
do.
H
I
think
requirements
too
strong,
but
something
like
along
the
lines
of
if
this
validation
isn't
here
if
it
gets
to
you.
This
is
what
you
should
do
so
far.
We
haven't
done
that
anywhere
in
the
API
we've,
basically
just
left
it
wide
open
and
I
I.
You
know
we
do
have
some
in
our
implementation
guidelines.
H
We
clearly
state
that
the
validation
web
Hook
is
ux,
it's
not
something
that
a
controller
can
rely
on,
but
at
the
same
time
like
we
don't
say
what
to
do
in
these
cases
and
and
I
imagine
it
will
take
some
thought
for
every
implementer
that
comes
along
this
and
says.
Well,
okay,
I
know
the
web.
Hook
is
going
to
prevent
this,
but
if
it
doesn't,
I
have
to
have
some
code
somewhere
to
do
something.
H
A
So
yeah
I
I
agree
with
Rob
that
it's
possible
that
people
will
not
be
running
the
webhook
I.
Think
Travis.
You
probably
got
that
idea
about
from
me.
I
have
certainly
always
planned
that
that
the
web
hook
should
be
required
for
your
implementation
to
be
conformed.
If
you
are
not
running
the
Web
book,
then
then
your
gateway,
API
install
is
not
conforming.
It's
not.
A
So
there
should
be
conformance
tests
that
say
if
you
try
and
put
to
two
of
the
same
filter
in
that
that
gets
rejected,
and
if
it
doesn't
get
rejected,
then
you're,
then
your
gateway,
API
install,
is
not
conforming
right
like,
and
so
it's
not
necessarily
that
you
have
to
run.
Our
book
is
that
you
have
to
have
the
same
behavior
like
the
the
and
that
way
we're
we're
kind
of
Black
Box
tasting
that
I
think
that.
C
A
I
will
I'll
take
a
note.
The
yeah
I
think
that
I
think
that
Rob
is
100
right.
We
can't
as
an
implementer.
You
can't
rely
100
on
the
fact
that
it's
running
but
I
think
that
us
providing
the
guidance
that
hey
it
is
possible
for
the
webhook
to
not
be
running.
It
is
possible
for
someone
to
do
to
you
know
you
can
Cube
Kettle
apply
force
and
it
will
go
and
it
will
bypass
the
Web
book
right
like.
Is
that
a
great
idea?
A
No
it's
terrible
and
you
but
like
you
can
do
it
and
and
so
like
you,
we
should
just
have
a
thing
that
says:
hey.
You
need
to
do
two
things.
One
don't
crash
right.
Like
you
know
it's
you
need.
You
need
to
have
case
statements
that
have
defaults
or
something
like
that
that
just
have
things
that
say
you
know
hey
you
try
to
do
something
that
I
can't
do
that.
A
Well,
we
run
the
Web
book
right,
like
you
know,
I'm
not
I,
don't
think
that
we
should
waste
too
much
time
looking
after
people
who
are
not
going
to
do
the
things
that
we
tell
you
to
do.
If
you
want
to
go
and
not
run
the
Web
book,
she's
gonna
get
weird
right,
like
you
know,
that's
not
on
us
right,
like
we
told
you
around
the
Web
book,
you
know,
and
so
like
I
think
that
you
know
providing
some
guidance.
That
says
just
drop
the
just
drop
the
object
and
don't
process.
J
I
guess
one
of
the
questions
on
mine.
It
was
like.
So
what
are
the
situations
where
we'd
expect
people
not
to
run
the
web
hook?
I
guess
it's,
maybe
a
bit
unclear
whether
we
kind
of
expect
the
web
hook
to
be
running
as
a
standalone
application
deployed
on
its
own
or
if
we
expect
that
it's
you
know
at
least,
if
you're
a
gog-based
controller
that
you
just
entered
the
code
and
run
it
separately,
it's
your
own
server.
J
A
Yeah
so
well,
we
Supply,
we
Supply
the
workbook
as
a
standalone
application
today,
okay,
and
so
that's,
why
I
think
that,
having
a
conformance
test,
the
tests
that
you're
blocking
the
stuff
that
the
the
current
webhook
does
means
that
you
know
we're
like
hey,
we
give
you
a
thing
that
you
can
just
run
and
have
it
do
it.
If
you
want
to
do
it,
something
else,
then
you
need
to
you
know:
that's
on
you
right,
like
yeah.
A
D
E
Typically,
the
use
case
and
people
who
wouldn't
run
the
web
hookers
because
they
are
concerned
about
you,
know
extra
Publications.
They
need
to
maintain
with
high
privileges
because
anywhere
cook
is
super
privileged
and
other
things
so
I
completely
agree.
We
should
just
drop
the
objects
with
the
same
validations
that
what
book
is
doing,
because
interactive
is
the
same
thing,
ignore
it.
H
Yeah
I
would
point
out
that
the
web
hook
code
is
written
in
such
a
way
that
it's
pretty
easy
to
import
into
your
controller
and
run
the
same
set
of
validations,
and
if
you
hit
a
resource
that
fails,
those
validations
dropping
it
on
the
floor
does
seem
like
a
pretty
reasonable,
Middle
Ground
here.
Okay,
that's.
A
Yeah,
yeah,
and
so
again
likely
key
part
is
that
that
the
I
mean
I,
think
I.
Think
the
the
case
I
think
that
the
webhook
validation
conformance
test
that
I
was
talking
about,
would
probably
expect
that
the
API
server
does
not
accept
invalid
at
yaml,
so
that
there's
no
invalid
yaml
inside
a
like
stored
in
kubernetes.
So
that
would
mean
that
if
you
wanted
to
run
your
own
thing,
you're
going
to
need
to
approximate
the
functionality
of
a
webhook,
so
I
but
I,
don't
like
you're
gonna
have
to
run
your
own
workbook.
A
Basically,
but
it's
like,
if
you
would,
if
you
don't
trust
us
to
run
the
webhook,
then
sure
whatever,
but
like
I
kind
of
be
like.
If
you
don't
trust
us
to
run
the
workbook,
then
why
are
you
trusting
us
to
write
the
API
right
like
yeah,
like
the
I,
think
that
yeah
I
I
think
that
yeah,
like
like
I,
said
it's
probably
not
worth
spending
too
much
time
on.
E
With
very
many
marketing,
Villages
I
mean
you
just
have
a
nice
piece
and-
and
some
are
about
that,
but
if
it
depose
a
web
hook
that
gives
you
almost
full
control
over
the
same
time,
because
who
can
do
a
lot
of
if
you
can
create
imitating
web?
Who
can
create
all
the
other
stuff?
You
can
easily
kind
of
take
over
the
cluster.
So
it's
a
slight
difference,
but
I
agree
I
mean
it
should
be
installed
by
defaulting
kubernetes.
H
I
I
feel
like
the
web
hook.
It
operates
on
the
same
level
as
installing
crds,
which
both
a
highly
privileged
thing
that
you
know,
at
least
you
know
from
the
perspective
of
a
cloud
provider.
That's
something
that
you
know
your
cluster
operator
infrastructure
provider
can
manage
for
you,
but
yeah
like
we
are
past
time.
So
I'll
stop.
A
Yeah
yeah
I
mean
we
have
big
problems
in
psyllium
with
handling
web
hooks,
because
if
we
need
to
use
them
and
but
we're
the
one
that
sets
up
the
network,
so
you
can
use
them
like
dependency,
circle's
Point.
So
anyway,
yes,
we
are
at
time
we
didn't
get
to
triage.
Sadly,
I
was
hopeful
when
I
saw
the
initial
thing,
but
you
all
did
a
great
job
of
adding
things
for
us
to
discuss.
A
Thank
you
for
making
a
engaging
meeting
but
yeah
the
anyone
who
wants
to
stay
around
a
little
bit
for
triage
I
could
probably
stay
around
for
a
bit
to
do
a
little
bit.
Triage
I
think
it
would
be
good
to
talk
a
little
bit
about
some
of
these
issues,
but
yeah
we
should
we
can
stop
the
recording
or
leave
it
running
up
to
you
but
yeah.