►
From YouTube: Octant Community Meeting - May 6, 2020
Description
May 06, 2020
Agenda
Current
Designing better resource access checks.
Component documentation work.
Container exec dropdown
Resource viewer discussions
drain
Since last week
Editing merged #885
Delete in object lists #907
Plugins can now use label selectors #908
Cache-Control, no more hard refreshes after the next release #913
Fixed unclaimed PVCs causing a panic #889
Show service account secrets #905
New label/selector tooltips #903
Demo
Current master
Technical discussion
Resource Access
Current state
HasAccess, Per request, Backoff, Long lived cache
New ideas
SubjectRulesReview, Refresh periodically, Check/expire token
A
Hi
everyone
and
welcome
to
this
week's
boxing
community
meeting.
My
name
is
jonathan
rossman
I'll
be
your
host
here
today
we
got
the
often
team
here
with
us
and
wonderful
community
members.
If
you
have
anything
that
you
want
to
add
into
the
meeting
notes,
please
do
so
I'm
sure
the
hacking,
the
end
chat,
I'm
going
to
share
my
screen
as
well.
So
you
can
see
the
agenda
for
today.
B
Brian
lyles
has
also
been
looking
into
kind
of
how
our
informers
work
and
and
how
we
track
and
keep
track
of
all
the
information
and
cluster
and
and
all
the
workloads,
and
so
we're
we're
kind
of
revisiting.
All
of
that.
What
we
currently
have
has
got
us
this
far,
but
we
kind
of
need
to
re-engineer
what
we
have
to
take
us
to
where
we
want
to
go
so,
which
includes
in
cluster
work
and
restricted
clusters,
and
and
things
like
that.
B
So,
there's
a
lot
of
a
lot
of
ideas
and
and
just
kind
of
experimentation
happening
around
that
we've
been
working
pretty
diligently,
a
big
a
lot
of
credit
to
sam
here
to
get
the
component
documentation
work
completed.
What
this
is
is
there's
an
open
issue
for
it,
but
what
it
is
just
a
it's.
A
nice
formatted,
html
view
of
all
of
our
components.
B
It
also
allows
you
to
really
quickly
and
easily
just
kind
of
copy
and
paste
and
grab
a
sample
and
and
bring
it
into
your
code
and
modify
it
as
you
need
to
to
kind
of
do
what
you
what
you
want,
so
that
that
works
in
progress
and
and
progressing.
It
is
it's.
You
know
I
wouldn't
call
it
fun
work,
but
it's
important
work
and
we're
getting
it
done,
and
and
it's
it's
going
to
be
really
really
nice
when
we
have
it
all
done
the
container
exec
drop
down.
B
This
is
something
that
that
we
originally
we
kind
of
had
something
like
this
in
the
first
in
the
first
iteration
of
the
terminal
work,
we
removed
it
because
we
we
weren't
using
it
a
lot,
but
now
we
actually
have
some
people
requesting
this
feature.
So
it
was.
It
worked
the
way
we
intended,
we
kind
of
we
stripped
the
terminal
down
back
to
like
it's
bare
components
and
then
we're
just.
B
We
were
just
waiting
for
people
to
start
using
it
and
to
provide
feedback
and
then
we're
going
to
add
in
the
features
that
folks
want
and
that
way
when
we're
adding
in
these
features,
we
actually
have
some
use
cases
and
we
can
be
a
little
more
considerate
about
how
we're
doing
it
and
really
think
about
the
way
we
want
to
implement
these
things.
So
the
container
exec
drop
down
is
one
where
currently
on
the
terminal.
B
We
just
default
to
the
first
container
as
long
as
it's
not
in
any
container,
and
we
attempt
to
start
a
shell.
The
ability
to
switch
to
a
different
container
is
something
that
multiple
people
want.
So
that's
something
that
sam
is
currently
working
on
now
to
get
in
place.
There
was
also
a
request
to
be
able
to
kind
of
link
directly
to
the
terminal
window
with
a
container
pre-selected.
B
That's
something
we'll
have
to
explore
the
way
routing
currently
works
within
the
application.
Things
like
that
can
be
a
little
difficult,
not
impossible,
but
they
usually
require
some
refactoring
of
how
we
handle
the
the
pads
and
the
routes,
and
we
try
to
avoid
doing
things
that
tie
the
expected
route
on
the
front
end
to
behavior
on
the
back
end.
So
I
I
can't
say
whether
or
not
we
will
be
doing
that.
B
B
B
The
road
is
the
drain
feature
which
is
just
just
implementing
drain
within
within
octane,
so
that
you
can,
you
can
safely.
You
know
drain
your
your
your
notes,
so
that
that
right
now
is,
I
have
a
branch
for
it.
I
just
need
to.
Actually,
you
know
finish
it
so
does
anyone
else
have
anything
they
want
to
add
to
the
to
the
current
set
of
work.
B
All
right
and
so
moving
on
to
kind
of
since
the
last
community
meeting.
This
is
by
the
way
this
is
kind
of
the
new
format
I
was.
I
was
thinking
about
using
was
kind
of
like
what
we're
currently
doing
what
happened
in
the
last
week
and
then
moving
on
to
any
more
other
type
of
agenda
items
like
demos
or
technical
discussions
or
further
details.
B
B
You
can
click
right
on
the
issue
and
check
them
out
for
yourself,
most
of
them
have
little
screenshots
and
and
things
we
fixed
the
bug
we
sam
fixed
the
bug
with
the
plug-in
using
label
selectors
cache
control,
so
this
one's
actually
been
around
for
a
while,
where
you've
had
to
kind
of
hard
refresh
after
a
new
release
to
get
the
updated
ui-
and
it's
just
like
this
under,
like
undocumented
thing,
that
everyone
runs
into
and
we're
just
like.
Oh
just
hard,
refresh
hard
refresh
and
we
finally
fixed
it.
B
So
what
that
means
is
after
the
next
release
and
you
hard
refresh
you'll
no
longer
have
to
hard
refresh
because
the
the
cache
control
is
properly
set.
So
this
will
be.
This
would
be
a
nice
change
moving
forward.
We
also
fixed
the
pvc
unclaimed
pvcs
causing
a
panic.
They
no
longer
do
that,
and
service
accounts
show
secrets
now,
which
is
which
is
really
convenient.
B
They
can
click
right
through
to
them
and
and
get
that
information
out,
and
then
we
also
fixed
the
the
selector
tool
tips
like
we
added
in
and
and
adjusted
the
labels
and
selected
tooltips,
and
so
all
of
that's
currently
in
master
some
of
this
just
merged
in
today,
but
some
of
it's
been
emerging
for
the
week.
The
nightly
that'll
be
available
tonight
will
have
all
of
this
in
it.
So
what
I'm
gonna
do
now
is
is
stall.
B
While
I
try
to
get
my
my
zoom
demo,
working,
which
I'm
hoping
won't
be
too
painful,
so
give
me
one
second,
this
is
the
worst
I
like.
I
know
for
me
personally,
whenever
I'm
in
a
meeting
and
and
someone
is
like
trying
to
get
their
demo
set
up-
and
I'm
like,
why
didn't
you
have
it
ready
to
go
and
I'm
like?
Well,
I
have
it
ready
to
go
this
time
and
then
zoom
s
is
the
bed.
B
B
D
B
A
B
B
B
Well,
yeah,
if
everyone's
broken
and
that's
fine,
we'll
just
we'll
just
I
will.
I
will
insert
a
video
where
it
says
that
there
is
a
demo
and
I'll
show
off
some
of
the
new
features
to
entice
people
to
go.
Try
the
nightly,
unless
it's
everyone
says
it's
broken
and
then
not
broken
here.
So
moving
on
to
the
technical
discussion,
the
resource
access.
B
So
this
is
something
that
I've
been
thinking
about
recently
and
specifically
around
kind
of
what
what
does
it
mean
like
to
see
if
someone
has
access
to
a
resource,
but
also
like
what
does
that
mean
for
octant?
And
then
how
should
octan
behave?
Where
should
it
get
this
information
from?
How
long
should
we
hold
on
to
it?
B
What
are
some
patterns
that
have
been
emerging
where
in
restricted
clusters
or
an
enterprise
environment,
where
someone
maybe
doesn't
have
access
to
things
like
listing
name
spaces
which
we
take
like
we
just
kind
of
take
for
granted
that
you
can
list
name
spaces?
Or
you
know
you
know
only
having
the
the
read
permissions
to
a
certain
set
of
things
and
maybe
having
right
permissions
to
to
another
set
of
things,
but
not
having
full
permissions
to
any
single
resource.
So
we
we've
been.
B
I've
been
looking
at
kind
of
the
current
state
of
resource
access
and
what
that
kind
of
boils
down
to
is
this.
We
have.
This,
has
access
check
which
lives
in
the
code.
That's
a
per
request
check
that
goes
and
and
hits
the
api
and
actually
takes
the
resource
you're
trying
to
access
the
verb
you're
trying
to
access
it
with.
B
So
you
know,
delete,
create,
update
list
whatever
get
and
then
we'll
issue
a
access
check
to
the
server
and
then
gets
back
a
response,
and
in
that
response,
it'll
tell
us
whether
or
not
you
have
access
to
the
thing.
You're,
trying
to
it'll
give
us
a
response
about
whether
or
not
you
have
access
to
things
you're
about
to
try
and
do,
and
if
you
don't
have
that
access,
what
we
do
is
we
we
cache
that
result
well,
even
if
you
do
have
that
access,
we
cache
that
result.
B
B
Well,
you
you
made
that
request
too
recently,
so
we're
just
going
to
assume
you
still
can't
do
it
and
that
will
just
continue
until
I
believe
it's
about
five
minutes
is
where
we
kind
of
max
out
and
there's
currently
no
kind
of
reset
for
that
back
off
it.
The
reset
is
to
change
your
context
or
update
your
context
or
switch.
B
The
you
know
switch
the
name
space
that
you're
looking
at
so
the
the
problem
with
that
is,
if
you
are
in
a
restricted
cluster
environment-
and
you
are
getting
like
tokens
assigned
to
you
and
so
you're
refreshing
tokens
locally.
Sometimes
we
we
won't
see
that
change,
especially
if
you're,
using
like
a
helper
within
the
config
file.
That's
calling
out
to
another
executable,
think
of
like
aws.
You
know
auth,
helpers
and
stuff
like
that
or
gcloud
right.
It's
calling
out
to
another
thing
and
then
refreshing
your
authorization
to
octant.
B
B
We
think
you
don't,
and
so
you
have
to
manually
take
intervention
with
an
octane
to
kind
of
get
those
new
credentials
in
place
and
start
to
see
resources
again.
The
other
downside
to
this
is
that,
if
you
do
currently,
we
just
kind
of
loop
through
resources
and
check
them
in
order.
Think
of
list
like
the
list
of
all
of
your
workloads.
B
B
So
if
deploy,
if
you're
we're
backing
off
on
deployments
and
and
and
then
we're
backing
off
on
pods
and
then
we
finally
hit
replica
sets
the
the
time
it
takes
for
those
things
to
start
to
populate
after
you
have
authorization
can
be
very,
very
slow
on
the
front
end
because
we're
waiting
for
that
the
entirety
of
that
list
to
be
created.
So
that's
how
things
currently
work
some
new
ideas
so
subject
rules
review
is
is
part
of
the
kubernetes
api
it
it
it
does
some
of
what
we
want.
B
B
B
B
B
We
can
pass
that
to
the
resource
viewer
and
you
can
essentially
see
you
know-
maybe
not
the
resource
group,
but
some
some
visualization
tool
and
you
can
see
at
a
at
a
glance
like
in
a
grid
form
or
whatever,
similar
to
the
output
of
like
the
cube
ctl
command
api
resources,
where
it
shows
you
all
of
the
resources
within
the
api
and
all
of
the
verbs.
They
accept.
Imagine
that
but
specific
to
your
user.
So
you
would
see
all
of
the
all
the
resources
and
verbs
available,
but
only
scoped
to
your
user.
B
B
We
start
to
operate
in
a
way
that
that
lets
us
be
more
friendly
when
there
are
tools
that
are
fetching
tokens
and
those
are
embedded
in
the
cube,
config
and
eventually
move
to
a
model
where
we
can
start
to
visualize
your
access
and
and
not
have
to
worry
about
doing
something
that
you're
not
have
to
worry
about
trying
to
capture
every
single
error.
Every
single
edge
case
of
of
oh
I'm,
making
this
api
request
to
this
resource.
Let
me
go
check
and
see
if
I
can
do
it.
D
Comments,
I
I
think,
that's
a
great
summary
thank
you,
and
I
think
this
is
really
important
because
it's
going
to
lead
us
to
so
many
important
things
in
the
future,
like
you
know,
we're
working
inside
a
cluster
and
hopefully
get
get
some
more
data
to
resource
viewer
and
stuff
like
that.
So
this
is
really
exciting
to
to
nail
it
down
and
make
sure
we
we
make
it
work
really
well
in
all
scenarios.
B
C
Also
kubernetes,
like
permissions
in
kubernetes,
is
just
confusing
and
when
we
break
it
down
into
like
on
the
verb
level
and
trying
to
visualize
it,
it's
it's
a
it's
a
lot
more
work
than
like
you
know
than
simply
just
like.
Oh
checking
can
I
do
this
there
and
it's
yeah.
So
it
sounds
simple.
We
talk
about
it,
but
when
we
get
to
the
implementation,
I'm
sure,
though
it'll
be
more
complex
than
we'd,
expect.
B
B
Yes,
so
currently
yeah
right
now,
just
doing
a
a
go
get
is
not
sufficient.
You'll
have
to
have
the
full
repo,
because
the
web
assets
do
not
come
across
in
the
go
get
and-
and
that's
what
that's
what's
lacking
with
the
embed.
Is
that
because
the
web
assets
are
not
there
there,
there
is
no
disc
front
end
that
that
can
be
built,
and
so
when
it
goes
to
start
up,
it
is
unable
to
find
that
image
and
then
it
fails
to
start.
So.
B
The
the
the
bad
answer
would
be
to
for
us
to
embed
the
binary
in
in
our
repo
and
and
so
that
when
you
go
get
you
also
get
the
binary,
we're
not
against
that,
but
we're
we're
thinking
before
we
just
do
that.
We
want
to
think
about
the
problem
some
more
and
see
if
there's
another
way,
potentially
even
making
some
tooling.
That
would
just
help
people
do
that.
So,
like
you,
you
go
get
the
opt-in,
embed
helper
and
then
that
does
some
things
that
builds
the
the
asset
and
takes
care
of
things
for
you.