►
From YouTube: Contour Community Meeting - August 11, 2020
Description
August 11, 2020
News
What have we been working on?
[stevek] exploring Gatekeeper as a validating admission controller
Discussion
Next week
A
Hello,
everyone
and
welcome
to
the
contour
community
meeting
today
is
august
11
20
20..
We
have
just
a
few
things
that
we
want
to
go
through
today.
So
let
me
share
my
screen
and
let's
go
over
them.
B
Yeah,
so
I
think
I
think
two
weeks
ago,
in
the
community
meeting,
I
was
I
mentioned
that
I
was
working
on
adding
some
controls
for
enabling
a
kind
of
a
contour
administrator
to
set
a
min
and
max
for
some
of
the
different
timeout
settings
that
we
were
adding
and
the
thinking
there
was
that
you
know
a
a
central
contour
admin
might
want
to
limit,
say
the
max
timeout
range
that
a
user
could
put
on
a
proxy
so
that
they
couldn't
just
set
infinite
timeouts
for
all
the
different
settings.
B
And
originally
we
were
thinking
about
just
adding
these
as
as
new
fields
into
the
contour
config
file.
But
we
we
discussed
it
some
more
and
and
thought
that
that
might
not
be
a
the
best
approach
to
it
for
a
number
of
different
reasons
and
also
got
some
feedback
from
from
some
users.
B
And
so,
as
coming
out
of
that,
I
started
looking
into
some
other
options,
particularly
around
using
admission
control
and
james
peach
recommended
looking
at
gatekeeper,
which
is
related
to
the
opa
project,
open
policy
agent
project
and
basically
gives
you
a
validating
admission
controller
where
you
can
define
opa
policies
to
enforce
kind
of
whatever
policy
you
want.
So
anyway
long
story
short
I've
been
spending
the
last
a
couple
of
days
starting
to
look
into
this.
B
I
I
don't
have
any
experience
with
it,
so
part
of
it
is
me
just
getting
up
to
speed
on
it
and
also
starting
to
play
around
the
sea.
B
If
this
is
something
that
we
could
sort
of
integrate
with
contour
and
think
about
what
sorts
of
policies
we
would
want
to
actually
put
into
gatekeeper,
you
know
early
impressions
are
that
I
I
do
think
it
definitely
could
be
useful.
You
know
it's.
I
can
definitely
see
how
some
of
the
things
that
we
would
want
when
force
could
be
pretty
easily
expressed
as
policies
and
from
my
playing
around
with
it.
It's
you
know
it's
relatively
simple
to
get
going,
especially
if
someone
else
is
kind
of
writing.
B
The
the
policies
or
the
constraints
for
you
and
all
you
really
have
to
do
is
apply
them
with
your
specific
parameters
you
want
so,
but
I
don't
know
if
we
want
to
make
it
a
kind
of
a
required
part
of
the
contour
stack.
B
I'm
thinking
we,
you
know
we
might
want
to
position
it
more
as
sort
of
an
optional
thing
where,
if
users
are
interested
in
using
it,
they
can,
but
if,
for
whatever
reason
they
don't
want
to
deploy
it
into
their
cluster,
contour
still
works.
Fine
and
and
still
has
some
validation
for
for
things
that
aren't
exposed
through
gatekeeper.
A
I
think
we
do
have
a
lot
of
people
using
oppa
or
opa
already,
so
I'm
wondering
if
we
could
so
this
is
kind
of
separate
from
that
project,
but
still
utilizing
the
policies.
Is
that
correct.
B
Yeah,
so
it
uses
opa
kind
of
as
the
as
the
engine,
so
gatekeeper
specifically
refers
to
deploying
it
as
a
kubernetes
validating
and
mission
controller.
So
it's
it's
kind
of
just
deploying
it
in
a
particular
context
and
there's
a
kind
of
a
crd
model
that
enables
you
to
define
your
your
policies
and
your
validations.
B
So
I
think
for
for
anyone
who's
already
using
opa,
it's
a
pretty
a
pretty
natural
extension
and
odds
are,
if
they're,
using
it
in
kubernetes.
You
know
they
may
already
have
gatekeeper
deployed
anyway.
A
So
for
this,
I'm
just
thinking
of
a
deployment
scenario
for
this,
you
would
first
deploy
gatekeeper,
apply
the
correct
policies
and
then
deploy
contour
right,
because
otherwise
you
you
wouldn't
be
able
to
call
on
gatekeeper
and
the
policies
when
you,
when
you
start
up
contour.
B
Right
I
mean
you,
you
could
deploy
it
after.
You
already
have
a
running
contour
instance,
and
what
will
happen
is
any
new.
Any
new
proxies
that
are
configured
will
will
essentially
get
run
through
your
gatekeeper
policies
and
then
gatekeeper
also
has
an
audit
functionality.
So
it
will
periodically
look
at
all
the
existing
resources
in
the
cluster
that
match
your
your
policies
and
and
tell
you
whether
they
sort
of
pass
or
fail
according
to
the
policies,
but
they
won't
gatekeeper,
won't
kick
them
out
of
the
cluster
or
make
them
invalid
in
any
way.
C
B
Know,
hey
you're
you're
out
of
you
know,
you're
violating
the
policy.
A
Okay,
yeah,
okay
yeah.
That
makes
makes
it
a
little
easier
than
to
because
then
you
don't
need
to
have
a
complete
green
field.
Deployment
of
contour.
B
Right
that
makes
it
easier,
and
that
was
that
was
definitely
one
of
the
major
concerns
that
was
raised.
Around
kind
of
embedding.
This
kind
of
policy
information
directly
into
contour
is
that
it
made
it
more
difficult
to
to
start
adding
policy
without
having
all
you
know,
potentially
having
existing
proxies,
get
broken
by
rolling
out
a
new
policy
if
they,
if
they
violated
it
and
gatekeeper,
makes
that
pretty
pretty
easy.
A
So
what
what's
the
the
main
reason
for
not
going
with
a
configuration
file?
Is
it
because
you
can
set
certain
certain
settings
wrong
or
what
what's
the
main
reason.
B
I
mean
if
we,
you
know,
if
we
just
expose
some
things
through
a
config
file,
I
think
we
would
end
up
having
to
build
a
fair
amount
of
the
functionality
that
something
like
gatekeeper
already
exposes
into
contour
directly.
I
think
we
would
you
know
we
would
want
something
similar
to
that
audit
functionality
where
we
could
flag
things
without
marking
them
invalid.
B
The
other,
I
guess
the
other
issue
is
that
you
know.
If
we're
adding
things
directly
to
a
config
file,
then
every
new
policy
check
that
we
want
to
add
needs
to
be
programmed
in
the
contour.
Whereas,
with
with
gatekeeper
and
opa,
you
know
end
users
can
can
write
whatever
additional
policies
they
want.
B
I
think
we'd
probably
have
a
recommended
set
from
contour
that
we
would
you
know
we
would
suggest
that
you
install,
but
it
would
be
completely
extensible
for
users
to
add
their
own
without
having
to
submit
pull
requests
to
contour
and
wait
for
releases
and
that
kind
of
thing
so
a
lot
more
flexibility.
A
Yeah,
that
would
make
it
a
lot
easier
for
for
people,
as
you
say,
than
to
do
their
own
custom
valid
settings
so
to
speak,
yep
cool
so
for
for
people
on
the
call,
are
you
using
opa,
oppa
or
gatekeeper
right
now.
A
Okay,
cool,
so
would
this
be
useful.
C
Yeah
well
so,
yes,
I
think
I
think
this
could
be
useful,
but
I
guess
my
question
is:
is
this
different
from
the
external
authorization
design
that
you
did
because
in
theory
the
external
auth
capability,
you're
building,
can
talk
to
oprah
over
grpc
right?
This
would
be
a
different
integration.
B
I
think
this
would
be
different,
so
I
think
you
know
this
would
we
would
use
gatekeepers
as
an
admission
controller
for
new
http
proxies
and
basically
use
it
for
validating
that?
The
proxy
configuration
is,
you
know,
meets
your
policy,
and
so
it
could
be
a
mix
of
validating
things
like
every
proxy
has
a
unique
fqdn.
B
It
could
be
enforcing
minimum
and
maximum
values
for
some
of
the
settings
for
some
timeout
settings,
et
cetera.
So.
C
So
yeah,
I
think
this
would
be
useful
as
there's
a
couple
of
specific
use
cases
for
us.
One
is,
we
think
we
want
to
disable
people
being
able
to
sit
set
infinite,
for
example,
on
timeouts
and
the
way
that
the
way
that
contour
implements
that
with
the
word
infinite
is
has
always
bugged
me.
It's
like
this
seems
like
the
only
project
that,
instead
of
treating
zero
dot
s
as
infinite
treats
zero
dot,
s
is
nothing
and
the
word
infinite
is
infinite.
But
anyway,
aside
from
that,
we
think.
C
The
the
but
we're
interested
in
like
blocking
stuff
like
infinite
we're,
actually
thinking
about
writing
an
open
policy
for
that
already
and
then
the
other
one
too
is,
and
we
were
thinking,
maybe
the
external
authorization
provider
here
is
we
want
to
prevent
what
we're
sort
of
calling
crosstalk.
So
we've
got
two
sets
of
contours.
One
is
like
for
pci
workloads.
We
want
to
basically
look
at
the
the
source,
ip
of
of
the
request
to
say
that
only
these
contours
can
this
contour
can
only
accept
traffic
from
this
sort
of
source
ip
type
stuff.
C
B
C
A
C
We're
migrating
a
lot
of
that
stuff
out
of
sort
of
mutating
web
hooks
into
more
of
a
gatekeeper
service.
So
it's
the
same
rules
we're
just
migrating
how
we
run
them,
I'm
not
super
close
to
it.
We've
got
a
guy
in
our
team,
that's
doing
a
lot
of
that
work,
but
we
we're
basically
suffering
from
sort
of
opus
sprawl
right
now,
and
so
there
are
some
benefits
that
I
can't
articulate
super
well,
there's
some
benefits
around
using
gatekeeper
versus
just
raw
roper.
B
Yeah,
I
mean
the
the
nice
thing
and
you
know
I've
only
been
playing
with
gatekeeper
for
a
couple
of
days,
but
kind
of
all
of
your
constraints
and
your
constraint,
templates
and
constraints
are
exposed
as
as
custom
resource
definitions
within
your
cluster.
So
you
can
sort
of
access
them
in
a
very
kubernetes
native
way,
which
is
probably
helpful
for
management.
C
Actually,
you
know
one
of
the
things
I'm
just
recalling
back
on
our
internal
meetings,
one
of
the
things
that
I
think
that
we
get
away
from
is
having
to
write,
write,
sort
of
small
validating
workbook
code
and
go
so.
We've
sort
of
we've
been
doing
these
little
snippets
of
of
go
code
and
we
want
to
get
out
of
that
game
too.
C
A
Awesome
good
discussions,
anything
else
you
want
to
add
here,
steve
or
michael,
no.
B
No,
I
mean
you
know,
I
think
the
next
steps
are
going
to
be
to
talk
this
over
some
more
with
the
other
maintainers.
I
haven't
really
had
a
chance
to
to
talk
about
that
with
with
others
much
yet,
but
we'll
sort
of
figure
out.
You
know
based
on
what
I've
seen
so
far.
If
there
are
additional
areas
we
need
to
explore
and
then
figure
out
sort
of
how
to
proceed
so
more
to
come.
Just
wanted
to
kind
of
raise
what
I've
done
so
far.
A
Sounds
good?
Does
anyone
have
any
discussion
topics
that
they
would
like
to
talk
about
today?
Any
anything
you're
wondering
anything
that
steve
can
answer.
D
A
link
to
an
issue
in
the
chat
window
that
I
was
hoping
to
discuss
today,
but
I
have
a
feeling
that
I
need
james
and
nick
on
the
call
to
discuss,
and
this
is
about
proceeding
with
the
service
api's
implementation.
D
So
yeah
just
trying
to
move
this
forward
as
nick
laid
out
in
his
most
recent
comment.
We
need
to
start
enumerating
work
that
needs
to
be
done
in
preparation
for
implementing
service
apis
and
then
the
actual
service
api's
implementation,
specific
work.
D
A
So
you
can
just
log
in
with
your
github
account
on
hackmd
and
add
in
a
line
under
next
week
and
add
what
you
want
to
talk
about
next
week.
A
C
C
C
C
C
To
edit,
so
it's
unlike
google
docs
like
there's
no
wysiwyg,
which
is
sort
of
what
I
what
I
was
originally
stuck
on,
but
yeah.
A
Yeah
yeah
so
just
add
your
stuff
in
here
and
then
we'll
bring
it
up
on
on
next
week's
call.