From YouTube: Kubernetes SIG Federation 20170508
A
Well, hi, everybody. Today is May eighth, and this is the first of our attempts at doing design-review-based meetings every second week. Today we have two design reviews, but before we do that, we have a special guest from the testing team. Eric's data will be showing us what the testing team has been doing. Can we spend the last quarter kind of aligning our and testing status and that a lot of our tests again invoke submerge blocking of next?
B
Great, hi everybody. Let me share my screen here on CSI. I'm Eric on D. You can mostly participate with the SIG Testing and Contributor Experience groups, and then everything I'm going to show you, a mostly Prow, is on the tests. Infrared. Oh, so you can even now to get yourself there, and then, if you go down to the README, it has links to some of our tools, and then quickly, you know, I presume maybe some of you have preferred, you know, but maybe not. So there's the PR dashboard. We can click here.
B
Then this gives you a quick little thing about showing you which PRs need your attention and not on. So if this is a potential way to help you, you know, expedite the review process, and then there's also TestGrid, which will show you a bunch of different things, a bunch of different test results. One thing we're trying to work on this quarter is to give everybody a their own.
B
You give each SIG their own dashboard, and so yeah, so like where we're trying out with like a SIG CLI dashboard, with the idea being that each, you know, tab in here will be highly relevant to each SIG to help them, you know, find test results that may need their attention on some.
B
Yeah, okay, yeah, yeah, and then let's see here. So yeah, so whatever. So now and then some fun things that may not also be known is you can graph on TestGrid. So each row will be graphed here, and then in the options area you can filter. So if you only want to, if you only want to look at replica set tests, you can do that pretty quickly by typing the replica set, and so then I'll just show those tests, which are pretty nice.
B
You know, let's say that something says now. Probably the least easy to find feature is, like, imagine, you know, maybe like it was all green on a zero for this commit, but then it was red starting on the 6d, and I wanted to know what PRs went in between us. I can click and drag between the two PRs and then do search for changes, and it will throw up a GitHub search that lets me see.
B
That looks like there are eight commits that went in between those two things, so that, so that can be, so that can be a pretty quick way to search for things, and then the real reason. So you can see here. Actually the summary is really nice because, rather than having to scan through each and every tab, you can just go to the summary page, and this is showing that it looks like the 1.6 tests are having trouble, like these three rows are consistently failing, right? Again, so we saw here what it looked.
B
Something weird happened at eight am, not too concerned about that because, you know, probably the next time it's going to go away, but these guys, it looks like we're, consider, you know, consistently having this problem starting the cluster, so that sort of can help us focus on what exactly we need to look at. And then another nice thing about TestGrid is that if you go to the TestGrid config, all of these dashboards are, you know, everything about the configuration is open source.
B
So anybody who wants to add their own results on, like Justin Santa Barbara, for example, is running his own results, and so, if you are not Google but want to have your results be part of TestGrid, it's easy to do that. And then, if you are wanting to sort of, you know, change the how we run tests, that's just a CRA. And then so we have test groups, would sort of say the, you know.
B
They specify that, like, these Stackdriver tests are all going to be stuck inside this GCS prefix, and then what you have a bunch of test groups, you can build them up into a dashboard.
B
Was it cluster Federation? Yeah. So it's here that the cluster Federation dashboard is composed of these dashboard tabs, and then, if you look at the CLI, so the difference between a test group, a test group is essentially a collection of tests, and then you can specify some additional filtering. Select for the CLI, we're filtering, we're taking existing test results but filtering down to the kubectl client tests, yeah.
B
You can also add a description, which will then, what does it mean, used elsewhere yet, but so, for example, that is what shows up on the C light a square. Each tab isn't going to have little description on the top saying exactly what each tab means.
B
So that is TestGrid, and then Prow is the other tool that we are using for a, sort of our replacement for Jenkins, and it has two, you know, primary purposes in life. The first is to receive GitHub events, such as, you know, anytime someone adds a label or creates an issue or pushes a commit or as the comments, GitHub.
B
It sends us a notification about that happening, and then we kind of lots of plugins written that will respond to those events, either by leaving the bot, leaving a comment, or by adding a label or removing the label, and most typically by triggering testing. And then the way testing works is we start a container in a Kubernetes cluster.
B
We essentially schedule a Kubernetes pod and then wait for it to complete, and then the, yeah, and so then that gets no shoved into the pull request of the pull requests, the little green check boxes or red X's in the pull request. So if you go to prow.k8s.io right now, it'll show you all the stuff that's happening. Then you can filter the, like, I just want to look at the testing for a change us, or I, you know, only want to look at.
B
You know, pull requests that are in whatever, only want to look at my pull requests, or I want to only want to look at jobs that are running the Federation test results, or I only want to look at, you know, successful Federation tests, so you can do all that filtering. Now, this isn't meant like TestGrid shows a week of data. This is a little bit quicker, which is nice, but it's not really, is mostly.
B
It's not meant for, like, historical, it's more meant for current, like I want to make, I want to see what's happening now, and yeah. So one potential right is that potentially interesting is the fact that we are intending this week to start blocking on Federation presubmits. So, in order to merge your PR, it will need to pass on Federation tests, and so we're actually, and so likewise. This is, the configuration for this is open source.
B
B
If you want to request the GKE tests, you can leave this comment on your PR and it'll start them, but we don't always run them anymore, since people cannot always fix them by making the PR. The Federation tests are interesting because they are sort of running in stealth mode. In order to help us debugging, we always run them, but we also skip the report, which means that we won't actually add the check mark or, you know, try and notify people that they need to rerun them.
B
B
Guess you know what looks like what they just post a change over. Looks like Aaron just said this was okay to test 28 minutes ago, and this little hamburger icon right here means that, the orange guy means that the test is running or hasn't finished yet, and the hamburger means that the tests are, they'll show you the test logs, and so you can see here that I guess it's building, and you know, if you refresh now there's more data, so you can get the, you know, output as it's happening, which is pretty nice, because that has not historically been something that is easy for everybody to do. And then the other cool thing is this guy here is the command.
B
Now this is, this is sort of, you know, if you want to, typically for PRs, right, you just leave a comment and on the PIA, on the PR, and then it will be trigger testing. But if you look at the arm, if we look at like the Kubernetes anywhere a pull request, you can see that this is just a, you know, regular pod, so here's the pod spec for this, and yeah.
B
Instead of inside of Jenkins, and I guess that is it unless, yeah, so those are the main things I wanted to show you, and we're pretty active on, you know, the SIG Testing and a channel on Slack. So if you want to talk to us, please do so either by coming over to the Slack channel or sending an email to our Google group, and yeah. Thanks for letting me present, and I don't know how much time we want. I can answer questions or happy to, yeah.
A
B
Need access to the Prow cluster that this runs in, which is not accessible to everybody. We're eventually hoping to maybe make this like a button on Gubernator, like when you're looking at your test results that failed, you can just click like a rerun this job button. That's sort of new, so it isn't, hasn't been fully fleshed out, but yeah, okay.
B
Good, so we actually had the PR, so I mean I can answer that. We actually, he had a PR out on Friday and we were planning to do that. We mostly just need to. We didn't want to do it on Friday because will actually try Saturday morning, but then I messed something up, and so we just decided it'd be better to revert and wait till Monday when everyone's, you know, fresh and paying attention. I like to be half of it, and so I just caused chaos.
B
A
Ok, so Megan, do you want to go over like what, since you've been the primary, you have a build cop? You have a set of tools, I don't know if there a demo, both state, but whatever that you can tell the state that you do to monitor testing, because we have a kind of specialized environment that a lot of other states don't have to deal with, right.
F
So most of the tools I use are pretty much the things that Eric already showed. I use, casting I, hope, I keep my TestGrid open all the time and look at it like once every 30 minutes or so. As far as monitoring is concerned, TestGrid and Prow are the only things that I use. So if anybody is signing, you're signing up for build cop rotation, for monitoring, that's all you need. You don't need any special permissions.
F
There is one problem that we have it our daesil test test, though. When the tests fail, we leak a lot of resources. I think that's two about community steps as well, but in our case it can be especially and painful, and because some of these resources that we have really low quota caps, it's painful because we stall with you or we stall our tests when we run out of quota, or the tests are failing when there are not a quota.
F
So I have this small little tool which I've written to clean up all the obsolete or stale resources in our project. Testing for people saint-lo from testing, testing also has pretty much the same tools, which he calls as Kubernetes janitor it. But Kubernetes janitor is like a big hammer, but the tool that I have is more targeted. It knows Federation-specific resources and you can go into those resources. We have been talking about integrating my tools, which I call expect ID, with Kubernetes.
F
Janitor hasn't happened yet, so you still need to run it as a command line tool. I just show you how to run it. It's very simple. On the right side I have my channel, I'm in the directory. It's a very simple tool, and if you pick you build, the output goes to the output directory, and once we have that, there's also README for people who are interested. It's in a separate repository right now, but I'm considering where to put it. But anyway, all you need to do after reading the source is run the command set.
F
A
H
A
Bag of tools for whoever's on those confrontation, the side effect, you know, here, if you're on rotation for just a week or two, you may never have to run it, especially what catches up with us. This, there's too many failing tests that we've resources, then it turns into a cascading set of theories failures, and then you'll see Federation turn red for absolutely everybody. So know that this is the, this is what you need to use as a backup strategy would.
B
C
To people and the clickin on once with people bigger than it God, okay, I know, mother and I discuss something about keeping resources for 24 hours of the cattle in this tool. All linked by default only deletes resources that are more than 24 hours old. Maybe then we can run it because we still have other resources which are littler than 24. Mother can addressed, right.
G
G
So you could dump that to a file, and then each time it runs you have an idea what was being deleted, and you could save that histories. Even you wouldn't have access to the objects themselves in Google Cloud, but you would know that they were deleted and you could see what was deleted than something look like it was leaking, yeah.
F
F
G
C
All right, that's like also I wanted to trace back to running these tools. We need access to the project, and so, if it's fine and whoever is going to be on build cop rotation, is it fun to add them, to give them access to this project, or maybe we'll start with like only a few people having access and others can you contact them to love this? How do you want to be good I.
A
F
Is not a problem. Eric already said you could run periodic jobs in Prow the same way we run all our other jobs, so you could just either integrate this tool with the current janitor, and janitor runs once every hour, I think, or we could have our own Prow config for this tool that comes every hour or every eight hours on it wit, Equinox. Whatever.
A
C
So the main mode official and these tools was to ensure they're given in the sense that how to debug and all these tools are available so that people is outside, not just Google. Earth also have access to the logs and they can join the big operation and use these students. And they are when they're under rotation.
F
K
C
L
L
C
L
G
G
H
L
G
L
F
The way I write the doc over the weekend, I think bunch of comments that one result has been marked as a result, all ready to take on the comments button at the top, you'll see them. My understanding was that the comments that were on the doc were unresolved ones or ones that were not important from the initial implementation, depending on the comment. So that's not, and then I had a specific question about rebalancing.
F
F
H
F
Mean, I mean here is fine, but because we have this design doc, I would really love to have all of them in one place so that individual, you could point people it and have some discussions here as well, I guess, or maybe have EPR being here and appoint people there. I don't know, because this is a nice write-up about what's going on the Federer, in the federated job controller. Why not have it in one place, in like, in like, in a more natural language form than in the PR for in on GitHub.
H
L
L
L
H
A
Okay, maybe again it opening up the discussion in terms of seeing the annotations follow the same format as what's been suggested and federated replicas. That are we going to try to formalize on an abstraction that works in ReplicaSet and in jobs, or are we just gonna, are we just going to copy paste the annotations wasn't.
K
C
Took so just like more collect point, a fancier does it like. Now we have these specific allocations. It's like replica set preferences and deployment services. He renames them to effort what the new name is, but it's a generic name which all of these controllers can use. I said I need much. Yeah, I got.
A
F
H
A
H
F
H
A
C
G
And that should hopefully be, hopefully the work is in progress right now, hopefully by the end of today it will be quite ready for early out and ready for, I think, some initial review, and once that's gone, hopefully the work for job controller should be a lot more straightforward. I know that Marvel also has a change in flight that should make this even better and simpler and cleaner factory, so hopefully that all can be merged this week, will be my goal for replica sets.
G
Don't really have a strong opinion. I mean, I think in a perfect world yet should just use the sync controller right away rather than having a bunch of code go in and then be refactored, but we don't live in a perfect world and TR has been outstanding long enough that, I mean, if there are other things blocking it and the SIGGRAPH except sync controller work goes in soon enough, and this can be converted.
G
Then it would be good, but don't necessarily, mean I guess the question is: would we be okay with this not being a sync controller controller in the 1.7 release? Okay, if the answer is no, it has to be a sync controller, then it should be controller now, because we don't want to end. If the answer is, that's okay, then putting it in now setting.
C
D
G
Think is Clank. We know got the point, oh yeah, that makes sense, but I guess the question is: are the Sager we okay with that going in one seven and not being a sync controller? If that's acceptable, then, if that's unacceptable, then I would be concerned. If that's okay, then I think it should just go in I.
A
A
H
I
A
D
Least, to the file type is, if it has integration test. Sorry, not talked about. Maybe we had this discussion before. I agree that e2e for any type, it's based on the same controller, isn't really necessary, since a pathway is tested. If a type isn't based on the same controller, then we probably want to maintain it for now. It's maybe we any.
C
F
F
F
L
G
C
All right Romano's, thank you. Thank you. So next is the art requirements for condition, control thing, so I, from the list of open comments, I see the direct to set of comments. What is the value of sleep while finally doing this, and one is related to the implementation details, and I see there was another issue in Kubernetes itself, where there was a proposal to do this, like cat created by user and the customer service only to track created by user. But with the comments there was tracker, updated by user as well.
D
C
My back and another thing, they're waiting on mostly getting more use cases of where this would be useful, and so I decided that you want to use it in finish in inches, and if we can get across the discussion today, when people use cases, and maybe this particular implementation is not a good one but their other use cases outside Federation which want to cap same created by users. In so.
D
When we were discussing this, kind of just turn over the context of the discussion, but I think we did talk about the idea of using namespaces is kind of like a way of, kinda the mechanism for protecting clusters. I guess I'm kind of like, this proposal doesn't really touch on that, yeah, I'm wondering, is that an oversight or is that just not something you think is viable in the near term?
D
The month, I think that there's kind of like overlap and now because, if I'm providing, I guess for me, like there's, there's identity in the context of the Federation control plane and there's identity in the context to the member clusters, and there has to be some sort of way of reconciling not, and to me like, because the way that you protect resources, at least in a, when you're not talking about specific resources, you have access to resources of the namespace level. I'm kind of thinking like, well, would not.
D
Would it make sense to kind of have that be true in both Federation control plane and member clusters, rather than worrying about impersonation and per-object control. You could say this class of users has access to setting spaces and not business setting spaces, for example, so yeah, just a minute by department or team, or something like that. But to me that, that seems like a more concrete use case than I just want to, I want to control things at a very granular level, without really specifying why and then how that were used, yeah.
C
D
There was another issue that was related where he was, where we were talking specifically about what it would take to monitor resources in a gasser, and it was like by her name, space, yeah, okay, yeah, so yeah, I think that those two issues are capturing some of the implementation details we ought to consider, yeah.
C
J
L
C
Strategy baggage, stop it's not, so I wanted to say that I definitely see value in this, and this is thing this with Christian as well, and we can discuss this as well, but the other proposal, I'd get these two as two different proposals which we can go forward. This I do have a small details and, like a movie design talk for the first one. For the second one, I just find this issue to discuss more in the jet coming from Sega and I.
C
D
I think this proposal is, I think it's just a more realistic way, at least right now. The way the Kuban of these laws works, like a way to provide a degree of security isolation across the Federation and not worry about the vagaries of like who changed what, when, which is not something the Kubernetes does a very good job of listen.
C
D
C
So, but there are some drawbacks with this proposal is really: how do we create new spaces? How do we get hydrated insist this Indians that they, there are some existing namespaces and Federation gets access to those, and in this case, Federation would not get access to create namespaces, because then they could get successful on one new schedule. Is it so? This is more restrictive, and if we want school all Federation to baking scissors, then this won't work, right, and.
D
That's definitely a question per se. Gough, I mean, when I was thinking about like through how this kind of thing would work, I think the only, only positive, though, is at least there would be kind of partitioning so that maybe Federation would have, like it had admin-level access, but all it would do with that admin-level access would be to create and set permissions for namespaces, and then propagation to namespaces, though, that are created, that would be using a different, like restricted set of permissions.
D
So I don't know, like I said, I think SIG Auth definitely would have to provide feedback on that, but I think it's, it definitely has advantages that we're just providing like a single admin-level user. They could do anything because that kind of opens it up to all kinds of things. But one more thing before I finish: when I was thinking about like protecting like member clusters and potentially having like differential access.
D
It occurred to me that this is tied into like your work, Federation control plane being able to access member clusters, like view the contents of it and actually deliver that to the user, and not, not that I necessarily want to open the discussion, but just that those team really closely related. If start protecting or gathering differential access to the underlying clusters, then we'll have to reflect that in when, when users try to access those resources through the Federation control plane.
C
Yeah, yeah, I've, even the second button for the first, but I would say yes, we need feedback phones to go, but we need to put our requirements as patricia, I. If I, if we go with this proposal, like I don't think we, we should give Federation access to creating spaces as well, because then it, it's like glued on the underlying cluster, the country evening switches can create service accounts for those namespaces and then use them, and then we are not really restricting Federation to some specific namespaces.
C
D
It could be that it's a separate, it's a completely separate server that handles the provisioning of permissions and namespaces, and you know, I mean it's more like if we expressed that we have that need, then how we can implement it. I think there's, there's ways to do it that are better than others. Yes.
C
But I just wanted, like I learning in this mode, we do Federation access to patients. Is it there can be some tools outside, and there are some outstanding proposals to think like adapt with namespace systems. So that is a one way of creating the interface automatically, and there are other proposals as well, and we are these outside tools which you can use to create namespaces, but Federation won't get access to create resources.
I
C
This mode, where it is refusing the Inspira scope service at all, it gets access to some set up next reason, and there is a service account associated with each change this, and if you dishin wants to lead or fugitive systems in that interest, if user service account associated with that means this, so each time this configuration needs access to a new user, the admin explicitly need to give it back in space, and so this account associated. That means addition it since they're not create onion in serious enemies. So this account, okay.
C
D
That, if, if a namespace approach was pursued, we probably need to, I mean, I guess is, there's nothing stopping adding security protection to the Federation control plane, so that specific users could only, you know, create resources and specific namespaces. That's possible, right, just using standard Kubernetes primitives? Yes, yes, okay, because.
C
D
I guess key, I don't know that there's been, I know that Clayton actually was thinking about how to propagate security policy for OpenShift, and I haven't really talked to them the detail about it, but maybe that would be something we'd want to consider as well. I don't know how it ties into like how namespace creation security would work, or like if you were to creating spaces in the Federation control plane with specific properties, security-wise, maybe you could actually propagate that as part of it.
D
C
Then, because the word secure, gated, it didn't insert that multiple things is like I bad, this resource with a dislike for security policies. So these are resources which we don't get support in Federation. We don't want to support all of them, so like how we don't have this, and whenever we do support, we will definitely like sent across one or send them out to the underlying clusters. So we want that missing my little fingers in negative Leda. Thank you.
C
D
And we, I guess I just wanted to point out that when we get to the point, I mean it to me, it's kind of, it's exciting in a way because it means we kind of become like an actually secure system, and there's kind of like a degree of similarity between how the Federation control plane works and how the member clusters will operate.
C
A
A
A
So alright people, you were talking about earlier, and we could be nice to see this little server that sinks into a scope and seemed like the answer for anything related policies. Also it'd be nice to have this little other utility, and yeah, I understand how the principle of security is containing, creating small programs that don't go beyond their scope of what they're intended makes them more auditable, but that also makes Federation, you know, much more difficult to use.
A
It seems like we're, we're just not going down a path where we're trying to address these pumps head-on, and so we something off its kind of a else. Do that, so yeah, I throw the ball back in your court and McCanless. That's what we have to send a stronger message of these are our requirements, because I feel like we're always, we're never going to get, you know, pointed into a specific direction.
D
Think that that's true to some degree, but I mean, you know, both of David and, you know, work at Red Hat on OpenShift, and OpenShift has a certain way of doing security, which is kind of consistent with like a namespace-based approach that I've been talking about, and not really sure why they weren't promoting that initially. Maybe it just, you know, it didn't occur to them because it wasn't directly proposed, but I think like that approach has been like tried and tested.
D
Customers are using it, and I would be surprised if they would say that was a bad idea, right, where something that they haven't really thought about and isn't really being used anywhere, then they're kind of, I can imagine why they would be wishy-washy because they're just kind of trying to anticipate what you're trying to do, and they don't necessarily have a strong sort of experiential base to make judgments on, so.
A
Should we like invite them, to invite them to the SIG and it, if they're, if you think it'd be comfortable, saying getting us examples, real-world examples about, you know, how customers and you guys deal with on trend, right, so if they have some sort of LDAP deployment now that it's linked to in a particular namespace and how people are happy using it, it can serve as a good example. First saying, right, yeah.
D
I mean, I think, like I said, I'm not entirely sure why they haven't just been more prescriptive, based on what they kind of already know, but I, I definitely think that extrapolating like what, what has been shown to work for OpenShift to like the Federation, like I, would seem like an obvious thing to do, and they would be the best people to make suggestions not regard, so yeah. If we could convince them to come and have a discussion about, that would be great, I think, but I mean to kill you.
D
A
C
C
So, but for now, I've kept like both of them else to the same proposal, and both of, I see valuing both of them. Having mainstay scoped service accounts and condition getting access to specific namespaces, or tradition just using user identity and admin stress manage which you will get access to what resources, learning spaces, and filtration explicitly doesn't need any permission.
D
D
A
Okay, well in the context of Federation, I am not a discussion about a Hitler later Saturday that he would, I think people are still kind of running demos. As a general, you still talking the single users and single administrators, project teams do not have a net forthcoming account, except it kind of, kind of expects us to solve it. As my impression, mm-hmm, I mean.
D
I'm, I'm not the most up to speed, but I'm, like my impression is that like OpenShift users are not going to use this unsecured. They have an expectation of, the bar is pretty high as far as security, if you're OpenShift in the single cluster, and I don't think there's going to be any attempt to relax that for Federation. So the.
D
I have a meeting this week with PM responsible for Federation, and hopefully he can give me some feedback. My, my sort of initial take is that probably Federation without RBAC is not something that any OpenShift customer would want to use in production because we expect to be able to use that on their individual clusters, so Federation being supported is probably like 0.1, and then potentially, like I said, I probably need to actually follow up with Clayton on this obligation to policy.
D
Maybe we need concern so that, rather than having to maintain all the paper on what we did with the last series were signing at the Federation level and waita was secure because it was using RBAC, I mean, I think once, I think once you start using RBAC to protect things, then it becomes a lot more acceptable to have controllers that do privileged things desire. The privilege will be like limited your, you know, you have this daemon or controller.
D
C
D
D
D
Implemented, the timeline seems pretty short, yep, okay, okay, so I mean, I'll try to gather some feedback. I think that, in addition, getting SIG Auth involved in actually helping to design a mechanism, or if they sort of consider it from a first-principles point of view, that would maybe household I, there have been complaints, you know, in past discussions that, like, you know, you've gone to them and they're like do this, and you try to propose something and they say: oh no, no, we didn't mean that, or you know, that's not a good idea.
D
If there involves, you know, the outset and designing it from like what auth is, kind of the state of auth today in Kubernetes and where it's going, and informed by what OpenShift does, maybe we can have like a better starting point and try to bring in all of the, you know, all the investigation that's been done in a way that's actually going to be implementable, maybe in one a, yeah.
C
But I also wanted to discuss some of the like open issues or feedback that I've gotten. Maybe if other people have other ideas for imposition, then leader, the feedback that I don't like impersonation is too much of a foil for suggestion and there we used to mitigate it. Like one idea we discussed, will we can implement sort of intersecting impersonation where, I know if Federation gets access to impersonate a user in finishing, gets access impulse make Jonathan, Federation gets access to whatever Jonathan has access to.
C
So in this case, in fact, in some cases, Federation gates can get more access than like, if someone wants to use traditional repointed running when Jonathan has access to the plumbing secret contra grabs everything, Federation gets more access than it requires. So the way intersecting impersonation would work is, if Federation can impersonate Jonathan, it can do whatever Federation can do and Jonathan can do, with intersection of both those powers. So in that case it won't be as powerful as like right now the current impersonation implementation is.
D
Yeah, I guess what I, I was kind of thinking how impersonation would relate to the namespace thing, and like rather than having a user identity that was tied directly to the user, would be more like this resources in namespace foo, namespace foo is, you know, we're going to use this service account to interact member clusters, and it's kind of like, I mean, seems like it's converges at some point.
D
D
Name's fails, because err, I mean it could be, I mean people could choose how they do it, but at least that level of granularity would be possible so that, you know, access in one namespace wouldn't translate into access in any other namespace. Wouldn't be like a you, have you get this account, you can do anything. You be very restricted in member clusters.
C
Yeah, and even businesses, they're actually two sort of subdivisions we can make: using a single identity which has access to subset of the installation, or an identity, a different identity for each namespace. Well, yes, do you have a preference for that as well, or like having a single service account, but that's a visit on getting access to a subset of snail system. Is that enough for you 4-h, so sociable I mean.
D
D
Given that, I mean the, see the benefits sort of investigation is now you have like a much better idea of, you know, what you want to accomplish. Like I said, maybe, you know, push them for like how do I extend the existing q-ball scheme to do this, rather than I want to do this random thing? What do you think, yeah.
C
C
C
C
F
D
M
A
A
K
Think, yeah, I think next week we could dig the HPA review because that sort of almost concluded in the design document also, but the take-home test said something which has some open-ended stuff from the, from the other, other SIGs as a, and okay. So yeah, and I had one more query to either Jonathan normal, who might be able to tell me, you mentioned that there is some ongoing work I until each article.
K
You are involved with that, we're relating to replicas at capella this week. I raise both PR today, I don't know if I'm stepping on what you are doing. Can you please just a check on that and tell you the link and let me know if I'm not stepping on something, the things in the work that you are doing. I did it because the HPA controller also is sort of syndrome which splits the clicks object into, into different clusters, and I hooks kind of folks into the adapter.