►
From YouTube: Octant Community Meeting - May 6, 2020
Description
May 06, 2020
Agenda
Current
Designing better resource access checks.
Component documentation work.
Container exec dropdown
Resource viewer discussions
drain
Since last week
Editing merged #885
Delete in object lists #907
Plugins can now use label selectors #908
Cache-Control, no more hard refreshes after the next release #913
Fixed unclaimed PVCs causing a panic #889
Show service account secrets #905
New label/selector tooltips #903
Demo
Current master
Technical discussion
Resource Access
Current state
HasAccess, Per request, Backoff, Long lived cache
New ideas
SubjectRulesReview, Refresh periodically, Check/expire token
A
Hi
everyone
and
welcome
to
this
week's
boxing
community
meeting.
My
name
is
jonathan
rossman
I'll
be
your
host
here
today
we
got
the
often
team
here
with
us
and
wonderful
community
members.
If
you
have
anything
that
you
want
to
add
into
the
meeting
notes,
please
do
so
I'm
sure
the
hacking,
the
end
chat,
I'm
going
to
share
my
screen
as
well.
So
you
can
see
the
agenda
for
today.
A
There
we
go
and
with
that,
let's
kick
it
off
so
wayne.
B
Yeah
great
hi,
thank
you
jonas
yeah,
so
real
quick
this
week
we
are
gonna
just
kind
of
cover.
B
What's
currently
being
worked
on
what
we
what's
new
since
last
week,
and
then
I
was
gonna,
hopefully
do
a
quick
demo
of
current
master,
but
my
screen
share
doesn't
seem
to
be
working
right
now,
so
might
not
get
a
demo
of
current
master,
so
yeah,
so
currently,
with
the
the
the
team
has
been
kind
of
working
on
a
host
of
things
that
I've
been
looking
at
a
lot
of
trying
to
get
some
better
design
around
resource
access
checks.
B
Brian
lyles
has
also
been
looking
into
kind
of
how
our
informers
work
and
and
how
we
track
and
keep
track
of
all
the
information
and
cluster
and
and
all
the
workloads,
and
so
we're
we're
kind
of
revisiting.
All
of
that.
What
we
currently
have
has
got
us
this
far,
but
we
kind
of
need
to
re-engineer
what
we
have
to
take
us
to
where
we
want
to
go
so,
which
includes
in
cluster
work
and
restricted
clusters,
and
and
things
like
that.
B
So,
there's
a
lot
of
a
lot
of
ideas
and
and
just
kind
of
experimentation
happening
around
that
we've
been
working
pretty
diligently,
a
big
a
lot
of
credit
to
sam
here
to
get
the
component
documentation
work
completed.
What
this
is
is
there's
an
open
issue
for
it,
but
what
it
is
just
a
it's.
A
nice
formatted,
html
view
of
all
of
our
components.
B
That
include
example
go
code
as
well
as
the
example
json
output
that
you
can
expect
and
a
little
preview
of
what
the
component
looks
like
when,
when
it's
in
the
browser,
this
would
be
really
nice
for
plugin
authors
to
be
able
to
kind
of
browse
what
components
we
have
and
and
what
they
can
expect
them
to
look
like
when
they're
piecing
them
together
in
their
and
the
output
of
their
plugin.
B
It
also
allows
you
to
really
quickly
and
easily
just
kind
of
copy
and
paste
and
grab
a
sample
and
and
bring
it
into
your
code
and
modify
it
as
you
need
to
to
kind
of
do
what
you
what
you
want,
so
that
that
works
in
progress
and
and
progressing.
It
is
it's.
You
know
I
wouldn't
call
it
fun
work,
but
it's
important
work
and
we're
getting
it
done,
and
and
it's
it's
going
to
be
really
really
nice
when
we
have
it
all
done
the
container
exec
drop
down.
B
This
is
something
that
that
we
originally
we
kind
of
had
something
like
this
in
the
first
in
the
first
iteration
of
the
terminal
work,
we
removed
it
because
we
we
weren't
using
it
a
lot,
but
now
we
actually
have
some
people
requesting
this
feature.
So
it
was.
It
worked
the
way
we
intended,
we
kind
of
we
stripped
the
terminal
down
back
to
like
it's
bare
components
and
then
we're
just.
B
We
were
just
waiting
for
people
to
start
using
it
and
to
provide
feedback
and
then
we're
going
to
add
in
the
features
that
folks
want
and
that
way
when
we're
adding
in
these
features,
we
actually
have
some
use
cases
and
we
can
be
a
little
more
considerate
about
how
we're
doing
it
and
really
think
about
the
way
we
want
to
implement
these
things.
So
the
container
exec
drop
down
is
one
where
currently
on
the
terminal.
B
We
just
default
to
the
first
container
as
long
as
it's
not
in
any
container,
and
we
attempt
to
start
a
shell.
The
ability
to
switch
to
a
different
container
is
something
that
multiple
people
want.
So
that's
something
that
sam
is
currently
working
on
now
to
get
in
place.
There
was
also
a
request
to
be
able
to
kind
of
link
directly
to
the
terminal
window
with
a
container
pre-selected.
B
That's
something
we'll
have
to
explore
the
way
routing
currently
works
within
the
application.
Things
like
that
can
be
a
little
difficult,
not
impossible,
but
they
usually
require
some
refactoring
of
how
we
handle
the
the
pads
and
the
routes,
and
we
try
to
avoid
doing
things
that
tie
the
expected
route
on
the
front
end
to
behavior
on
the
back
end.
So
I
I
can't
say
whether
or
not
we
will
be
doing
that.
B
My
dog
barking
in
the
background
I
end
up,
I'm
now
I'm
a
meme,
so
the
if
it's
is
it
too
bad?
Is
it
or
should
I
just
keep
no
you're.
I
think
you're
good.
Okay,
all
right
as
long
as
I
keep
talking,
I
think
the
the
noise
cancellation
kind
of
helps
so
the
resource
viewer
discussions.
B
So
milan
has
been
doing
most
of
this
work
and
we
all
have
been
thinking
about
it
and
talking
about
it.
B
But
milan's
been
like
heading
this
up
and
speaking
with
brian
and
ross
and
various
folks,
and
just
kind
of
starting
to
get
some
ideas
and
create
some
discussions
around
what
the
resource
viewer,
like
kind
of
just
like
the
the
the
anatomy
of
the
whole
thing
and
and
our
desired
like
you
like,
get
gathering
use
cases
and
and
how
it
should
be
well
that
should
be,
but
how
we
desire
to
be
used
and
what
our
vision
for
it
is,
and
things
like
that
and
we're
just
trying
to
kind
of
collect
all
these
things
together
and
and
think
about
them
a
little
more
right
now,
so
that
we
can
work
towards
coming
up
with
a
proposal
and
the
just
to
touch
on
that.
B
The
the
resource
checks
and
the
access
checks.
Those
will
also
be
be
coming
down
in
the
form
of
a
of
a
proposal
for
implementation
and
and
so
so
yeah.
B
So
that's
that's
been
happening,
and
I
think
that's
going
well
that
I
think
that's
gonna
lead
us
to
a
path
of
of
having
some
really
useful
visualizations
of
a
workload
as
well
as
the
object
status
of
those
work,
like
of
all
the
resources
within
that
workload
and
really
help
us
drive
the
navigation
and
and
and
how
folks
can
get
insights
into
what
their
workload
within
the
cluster
is
doing,
which
is
really
the
the
primary
goal
of
octan
is,
is
to
kind
of
demystify
all
of
this
and
show
how
all
these
things
are
interconnected
and
show
how
they
all
work
together
so
and
then
the
thing
that
I've
been
working
on
for
I
don't
know
for
like
three
weeks,
I've
just
been
kicking
the
can
down.
B
The
road
is
the
drain
feature
which
is
just
just
implementing
drain
within
within
octane,
so
that
you
can,
you
can
safely.
You
know
drain
your
your
your
notes,
so
that
that
right
now
is,
I
have
a
branch
for
it.
I
just
need
to.
Actually,
you
know
finish
it
so
does
anyone
else
have
anything
they
want
to
add
to
the
to
the
current
set
of
work.
B
All
right
and
so
moving
on
to
kind
of
since
the
last
community
meeting.
This
is
by
the
way
this
is
kind
of
the
new
format
I
was.
I
was
thinking
about
using
was
kind
of
like
what
we're
currently
doing
what
happened
in
the
last
week
and
then
moving
on
to
any
more
other
type
of
agenda
items
like
demos
or
technical
discussions
or
further
details.
B
But
this
way
people
can
come
in
the
beginning
of
the
meeting,
get
the
current
what's
happening,
what
happened
since
last
week,
and
then
they
can
leave
if
they
want
so
quite
a
bit
since
last
week,
editing
got
merged
the
delete
objects
in
a
list
got
merged.
So
all
of
these
things
are
there.
B
You
can
click
right
on
the
issue
and
check
them
out
for
yourself,
most
of
them
have
little
screenshots
and
and
things
we
fixed
the
bug
we
sam
fixed
the
bug
with
the
plug-in
using
label
selectors
cache
control,
so
this
one's
actually
been
around
for
a
while,
where
you've
had
to
kind
of
hard
refresh
after
a
new
release
to
get
the
updated
ui-
and
it's
just
like
this
under,
like
undocumented
thing,
that
everyone
runs
into
and
we're
just
like.
Oh
just
hard,
refresh
hard
refresh
and
we
finally
fixed
it.
B
So
what
that
means
is
after
the
next
release
and
you
hard
refresh
you'll
no
longer
have
to
hard
refresh
because
the
the
cache
control
is
properly
set.
So
this
will
be.
This
would
be
a
nice
change
moving
forward.
We
also
fixed
the
pvc
unclaimed
pvcs
causing
a
panic.
They
no
longer
do
that,
and
service
accounts
show
secrets
now,
which
is
which
is
really
convenient.
B
They
can
click
right
through
to
them
and
and
get
that
information
out,
and
then
we
also
fixed
the
the
selector
tool
tips
like
we
added
in
and
and
adjusted
the
labels
and
selected
tooltips,
and
so
all
of
that's
currently
in
master
some
of
this
just
merged
in
today,
but
some
of
it's
been
emerging
for
the
week.
The
nightly
that'll
be
available
tonight
will
have
all
of
this
in
it.
So
what
I'm
gonna
do
now
is
is
stall.
B
While
I
try
to
get
my
my
zoom
demo,
working,
which
I'm
hoping
won't
be
too
painful,
so
give
me
one
second,
this
is
the
worst
I
like.
I
know
for
me
personally,
whenever
I'm
in
a
meeting
and
and
someone
is
like
trying
to
get
their
demo
set
up-
and
I'm
like,
why
didn't
you
have
it
ready
to
go
and
I'm
like?
Well,
I
have
it
ready
to
go
this
time
and
then
zoom
s
is
the
bed.
B
B
Who,
who
owns
zoom,
where
is
it
just
zoom,
is
that
the
company
that
owns
zoom
zoom.
B
D
B
A
B
B
B
Well,
yeah,
if
everyone's
broken
and
that's
fine,
we'll
just
we'll
just
I
will.
I
will
insert
a
video
where
it
says
that
there
is
a
demo
and
I'll
show
off
some
of
the
new
features
to
entice
people
to
go.
Try
the
nightly,
unless
it's
everyone
says
it's
broken
and
then
not
broken
here.
So
moving
on
to
the
technical
discussion,
the
resource
access.
B
So
this
is
something
that
I've
been
thinking
about
recently
and
specifically
around
kind
of
what
what
does
it
mean
like
to
see
if
someone
has
access
to
a
resource,
but
also
like
what
does
that
mean
for
octant?
And
then
how
should
octan
behave?
Where
should
it
get
this
information
from?
How
long
should
we
hold
on
to
it?
B
What
are
some
patterns
that
have
been
emerging
where
in
restricted
clusters
or
an
enterprise
environment,
where
someone
maybe
doesn't
have
access
to
things
like
listing
name
spaces
which
we
take
like
we
just
kind
of
take
for
granted
that
you
can
list
name
spaces?
Or
you
know
you
know
only
having
the
the
read
permissions
to
a
certain
set
of
things
and
maybe
having
right
permissions
to
to
another
set
of
things,
but
not
having
full
permissions
to
any
single
resource.
So
we
we've
been.
B
I've
been
looking
at
kind
of
the
current
state
of
resource
access
and
what
that
kind
of
boils
down
to
is
this.
We
have.
This,
has
access
check
which
lives
in
the
code.
That's
a
per
request
check
that
goes
and
and
hits
the
api
and
actually
takes
the
resource
you're
trying
to
access
the
verb
you're
trying
to
access
it
with.
B
So
you
know,
delete,
create,
update
list
whatever
get
and
then
we'll
issue
a
access
check
to
the
server
and
then
gets
back
a
response,
and
in
that
response,
it'll
tell
us
whether
or
not
you
have
access
to
the
thing.
You're,
trying
to
it'll
give
us
a
response
about
whether
or
not
you
have
access
to
things
you're
about
to
try
and
do,
and
if
you
don't
have
that
access,
what
we
do
is
we
we
cache
that
result
well,
even
if
you
do
have
that
access,
we
cache
that
result.
B
If
you
don't
have
the
access,
we
put
you
into
a
back
off
it's
it's
a
logarithmic
back
off
that
over
time
just
gets
longer
longer,
and
we
what
we
do
is
every
time
you
make
that
new
request.
We
check
the
back
off
status
first
and
we
say:
okay.
B
Well,
you
you
made
that
request
too
recently,
so
we're
just
going
to
assume
you
still
can't
do
it
and
that
will
just
continue
until
I
believe
it's
about
five
minutes
is
where
we
kind
of
max
out
and
there's
currently
no
kind
of
reset
for
that
back
off
it.
The
reset
is
to
change
your
context
or
update
your
context
or
switch.
B
The
you
know
switch
the
name
space
that
you're
looking
at
so
the
the
problem
with
that
is,
if
you
are
in
a
restricted
cluster
environment-
and
you
are
getting
like
tokens
assigned
to
you
and
so
you're
refreshing
tokens
locally.
Sometimes
we
we
won't
see
that
change,
especially
if
you're,
using
like
a
helper
within
the
config
file.
That's
calling
out
to
another
executable,
think
of
like
aws.
You
know
auth,
helpers
and
stuff
like
that
or
gcloud
right.
It's
calling
out
to
another
thing
and
then
refreshing
your
authorization
to
octant.
B
B
We
think
you
don't,
and
so
you
have
to
manually
take
intervention
with
an
octane
to
kind
of
get
those
new
credentials
in
place
and
start
to
see
resources
again.
The
other
downside
to
this
is
that,
if
you
do
currently,
we
just
kind
of
loop
through
resources
and
check
them
in
order.
Think
of
list
like
the
list
of
all
of
your
workloads.
B
So
we
go
through
and
we
check
pods
and
deployments
replica
sets
and
we're
looping
through
these
things
and
if
any
of
them
hit
a
back
off
the
the
wait
time
kind
of
stacks
up,
and
so
you
things
can
get
a
little
slow,
responding
like
getting
data
onto
the
stream
because
we're
waiting
to
build
up
this
whole
list.
B
B
So
if
deploy,
if
you're
we're
backing
off
on
deployments
and
and
and
then
we're
backing
off
on
pods
and
then
we
finally
hit
replica
sets
the
the
time
it
takes
for
those
things
to
start
to
populate
after
you
have
authorization
can
be
very,
very
slow
on
the
front
end
because
we're
waiting
for
that
the
entirety
of
that
list
to
be
created.
So
that's
how
things
currently
work
some
new
ideas
so
subject
rules
review
is
is
part
of
the
kubernetes
api
it
it
it
does
some
of
what
we
want.
B
It
will
give
you
a
list
of
all
of
the
of
the
for,
like
a
role
in
a
namespace.
It
will
so
like
you
can
do
self
subject
so
you're
yourself,
the
person
acting
on
the
api.
It
will
give
you
a
list
of
all
of
the
actions
and
resources
that
you
have
access
to.
B
So
you
know
if
you
have
get
and
list
to
these
two
resources
for
the
and
and
create
and
watch
and
and
list
and
get
for
another
set.
You
get
all
this
information
back
out
of
the
api.
B
We
can
just
go
ahead
and
build
that
map
of
of
what
you're
allowed
to
do
within
a
cluster,
and
then
we
can
rely
on
the
the
error
codes
from
the
api
when
we
want
to
do
things
like
that,
you
can't
do,
but
then
we
can
also
prevent
things
by
by
checking
our
cache
our
list
when,
when
those
operations
are
things
that
will
block
or
hold
up
the
generation
of
the
stream
data,
and
so
it
separates
those
two
concerns
from
each
other
and
allows
us
to
interact
with
the
cluster
in
the
way
that
we
choose
to
either
preemptively
saying
well
we're
going
to
go
to
our
cache
first
before
we
make
this
request
or
actively
and
say
we're
going
to
let
the
server
reply
with.
B
B
B
All
of
these
things
we
can
kind
of
shim
into
what
we
do
now,
but
it'll
be
very
difficult
because
of
the
pattern
that
I
used
when
we
originally
implemented
our
access
controls
so
and
then
one
little
side
benefit
of
this-
is
that
eventually
we
can
get
to
the
point
where
we
could
pass
the
this
kind
of
map
of
what
we
have
access
to
and
what
we
can
get
to.
B
We
can
pass
that
to
the
resource
viewer
and
you
can
essentially
see
you
know-
maybe
not
the
resource
group,
but
some
some
visualization
tool
and
you
can
see
at
a
at
a
glance
like
in
a
grid
form
or
whatever,
similar
to
the
output
of
like
the
cube
ctl
command
api
resources,
where
it
shows
you
all
of
the
resources
within
the
api
and
all
of
the
verbs.
They
accept.
Imagine
that
but
specific
to
your
user.
So
you
would
see
all
of
the
all
the
resources
and
verbs
available,
but
only
scoped
to
your
user.
B
B
We
start
to
operate
in
a
way
that
that
lets
us
be
more
friendly
when
there
are
tools
that
are
fetching
tokens
and
those
are
embedded
in
the
cube,
config
and
eventually
move
to
a
model
where
we
can
start
to
visualize
your
access
and
and
not
have
to
worry
about
doing
something
that
you're
not
have
to
worry
about
trying
to
capture
every
single
error.
Every
single
edge
case
of
of
oh
I'm,
making
this
api
request
to
this
resource.
Let
me
go
check
and
see
if
I
can
do
it.
B
I
think,
he's
he's
planning
on
talking
about
that
some
more
next
week,
but
I
just
want
to
mention
that
we're
thinking
about
that
problem
too,
in
a
way
that
we
can
keep
octan
quick
and
fast,
even
if
it's
in
cluster
and
pair
it
with
resource
access,
so
that
we
have
this
this
this
state
of
what
does
the
cluster
look
like,
given
a
context,
because
it's
really
the
goal
of
what
we're
going
for
and
then
refresh
that
view
or
update
that
view
of
what
a
cluster
looks
like
given
a
context
and
as
fast
as
we
can,
based
on
the
changes
that
are
happening.
B
D
Comments,
I
I
think,
that's
a
great
summary
thank
you,
and
I
think
this
is
really
important
because
it's
going
to
lead
us
to
so
many
important
things
in
the
future,
like
you
know,
we're
working
inside
a
cluster
and
hopefully
get
get
some
more
data
to
resource
viewer
and
stuff
like
that.
So
this
is
really
exciting
to
to
nail
it
down
and
make
sure
we
we
make
it
work
really
well
in
all
scenarios.
B
C
Also
kubernetes,
like
permissions
in
kubernetes,
is
just
confusing
and
when
we
break
it
down
into
like
on
the
verb
level
and
trying
to
visualize
it,
it's
it's
a
it's
a
lot
more
work
than
like
you
know
than
simply
just
like.
Oh
checking
can
I
do
this
there
and
it's
yeah.
So
it
sounds
simple.
We
talk
about
it,
but
when
we
get
to
the
implementation,
I'm
sure,
though
it'll
be
more
complex
than
we'd,
expect.
B
E
I
believe
I
talked
to
you
wayne
on
slack
a
while
ago
about
plug-in
design
patterns,
but
today
my
question
is
actually
around
embedding
octant,
I'm
new
to
a
project
that
was
embedding
it
in
the
sense
that
they
were
basically
wrapping
a
command
line,
call
to
the
octan
binary,
because
at
the
time
that
was
done,
I
believe
there
was
an
issue
with
the
the
logger
interface
being
internal,
and
that
has
been
since
corrected,
and
so
I'm
I'm
kind
of
going
through
the
to-do's
and
trying
to
actually
embed
it
properly.
E
B
Yes,
so
currently
yeah
right
now,
just
doing
a
a
go
get
is
not
sufficient.
You'll
have
to
have
the
full
repo,
because
the
web
assets
do
not
come
across
in
the
go
get
and-
and
that's
what
that's
what's
lacking
with
the
embed.
Is
that
because
the
web
assets
are
not
there
there,
there
is
no
disc
front
end
that
that
can
be
built,
and
so
when
it
goes
to
start
up,
it
is
unable
to
find
that
image
and
then
it
fails
to
start.
So.
B
This
is
something
that
we,
I
was
just
looking
for
the
issue
for
it,
as
you
were
talking,
I
couldn't
I'll
find
it,
and,
and
but
there
there
is
an
issue
around
embedding
octant
and
a
desire
for
multiple
people
to
do
that,
without
needing
to
have
the
full
source
repo,
essentially
vendored,
like
there's
a
strong
desire
to
be
able
to
just
have
you
know
the
the
gomod,
you
know,
go,
get
octant
and
have
it
just
work
the
currently
we
don't
have
a
good
answer
for
that.
B
The
the
the
bad
answer
would
be
to
for
us
to
embed
the
binary
in
in
our
repo
and
and
so
that
when
you
go
get
you
also
get
the
binary,
we're
not
against
that,
but
we're
we're
thinking
before
we
just
do
that.
We
want
to
think
about
the
problem
some
more
and
see
if
there's
another
way,
potentially
even
making
some
tooling.
That
would
just
help
people
do
that.
So,
like
you,
you
go
get
the
opt-in,
embed
helper
and
then
that
does
some
things
that
builds
the
the
asset
and
takes
care
of
things
for
you.
B
So
you
have
to
think
about
it,
some
something
where
it
can
be
part
of
the
normal
go
workflow,
but
maybe
that
isn't
putting
the
the
actual
binary
front-end
build
in
the
in
the
repo.
E
Okay
cool,
so
for
the
for
the
time
being,
you
would
recommend
actually
vendoring
the
the
entire
repo.
A
A
Yeah,
thank
you.
Everyone
for
for
joining
today
have
a
great
rest
of
your
week
and
see
you
all
next
week
have
a
good
one.
Bye.