From YouTube: Pinniped Community Meeting - March 18, 2021
Description
Project roadmap and contributor opportunities announced!
Main discussion around March 2021's roadmap item: Impersonation proxies (coming in v0.7.0)
Details here: https://hackmd.io/rd_kVJhjQfOvfAWzK8A3tQ
A
All right, hi everyone, welcome to the Pinniped community meeting. Just a reminder: this is being recorded, so please adhere to the code of conduct when attending these meetings. That is listed out in the agenda here. Today is March 18th, 2021, and we have some really big announcements to make, a huge undertaking with project roadmap and opportunity areas for Pinniped contributors.
B
Sure, okay. So the roadmap, which is linked here and you can find on the top-level page of our repo, it kind of outlines a couple of different aspects of the roadmap in terms of, like, what about the document is relevant, how you can help, and then it also links out to the opportunities area document that you also saw on the page that was just shared by Nancy for the community meeting.
B
So these are suggestions, but they're great starting points for anyone that might come into the project and might be wondering about where they would start. The roadmap itself, if you want to go back to that, really only looks out about three months in terms of planned work. Well, like, past that there are items that we kind of qualify as exploring or ongoing, such as improving security posture, improving our CI/CD systems, telemetry and observability. Those items will probably also change as they get prioritized in the roadmap.
B
So as you can see, it kind of looks out through about June, and these themes are pretty, they're kind of, they're very high level. And so in terms of getting visibility into what the team's working on, we're hoping to use this meeting as well to talk about items anchored firmly in the roadmap, as the team makes progress toward those things.
B
So it's also a great opportunity for contributors to get a better sense of where they might also contribute on the current items that the team is working on, if there's space for that as well, but otherwise the opportunity areas doc has specific items that also map to these themes and the descriptions as well. So hopefully that can also help anchor contributors that are considering making contributions to the project, and this will be updated.
A
Cool, great, thanks Pablo. So with that, moving forward, the community meeting will be anchored to the project roadmap: what the team is working on, any updates geared towards that particular item in the project roadmap. So moving on, March 2021's roadmap issue is the impersonation proxy. You know, the team's been working on this for a few weeks now, and I'd like to get the updates from Margo first.
C
Sure. So I've been working mostly with Andrew on writing some good integration tests for the impersonation proxy branch, so particularly, like, kind of some of the more interesting kubectl commands, like, you know, port forward and watches and...
C
You know, copying, and kind of websockets as well, like using a websocket client. And so writing those tests, and then also a little bit of documentation work to bring that up to date with what we'll have once we release the impersonation proxy feature.
D
A
D
It is actually still impersonation proxy related. The second bullet point: at least Ryan, if not Matt, if not also other team members that they were working with, found some interesting behavior with our impersonation proxy HTTP handler, and we thought it was a bug, but now we don't think it is a bug.
D
So I did that the past couple days along with some other team members, and the third bullet point is kind of forward-looking. I know we wanted to do some manual testing on GKE, so that's kind of what's on the table right now, but that's pretty much me in terms of impersonation proxy the past two weeks.
A
Cool, and then Ryan, what do you have?
E
I've been trying to help out with the things that were already mentioned, as well as the thing that Mo hasn't mentioned yet, so just kind of working with everyone on the team on all the different things. I think the biggest, the most number of days in the last two weeks was spent with Mo working on rewriting the front end of the impersonation proxy, and I put that actually down.
F
So I can wait on the, I guess, the first bullet point until we get to the discussion, but, a little, to add some color to what Andrew was saying on the GKE stuff: we just, we're trying to give ourselves, like, strong confidence that we're testing in realistic environments.
F
So a lot of our tests run on kind, but the impersonation proxy is not really, it doesn't really care about kind. It cares about GKE, cares about those managed environments. So we do have those running in our PR pipelines, but we just wanted to try some more, like, human-style testing of just poking at the system for a long time, instead of, like, just running through a test suite that lasts for just a few minutes, and just give ourselves strong confidence, so it actually behaves the way we expect it to behave.
F
F
F
I had actually added a little bullet for Matt because he's not here. I know he spent a decent chunk of time getting our PR pipeline to support ephemeral GKE clusters, which is really good. Like, we have, like, a super nice set of coverage across a bunch of different cluster environments.
B
Yeah, more work on internal strategy bits, some of which will also affect our open source strategy. More on that probably in the next two weeks. And continuing with customer interviews, just as a kind of looking-forward thing. One of the interviews I conducted was with a person named Dodd Pfeffer, who seemed to have, like, a lot of experience with customer pain points specifically around configuring auth in LDAP environments, which is rather apropos because we are approaching our next bit of work around extending Pinniped support for LDAP.
B
A
Thanks, Pablo. All right, discussion topics: impersonation proxy design change. Who wants to take it from here?
E
E
It... so the job of the impersonation proxy, just to remind anyone who's listening to the video later, is to act like the API server. So it's going to receive requests from the client and then turn around and proxy those requests to the real API server, and it's going to add impersonation headers. So its job is to authenticate you and then add the impersonation headers. So it's using an admin-level service account that can do anything it wants to the real API server.
E
But it's going to add the impersonation headers with your username to make sure that those calls are done on your behalf with your level of permission. So we had originally designed that in such a way that we were going to perform that authentication the same way, more or less, that our TokenCredentialRequest API performs that authentication. We were basically going to duplicate all that code, and Mo proposed that we restructure that, which is what Mo and I spent a good amount of the last couple weeks working on, at least one week of the last two weeks, which is to actually just let the client call the usual TokenCredentialRequest Pinniped API that returns a client cert, a token, a credential.
E
E
The advantage of this change is that, basically, the clients don't need to really know that they're talking to the impersonation proxy. They do what they used to do, the same way they used to do it, which is ask the TokenCredentialRequest API for a credential and then present that to whatever they think is the endpoint, whether it's the real Kubernetes API server or the impersonation proxy server, and then just make their request. Everything works. This was a pretty significant change to the code, but I think we all are better designed.
F
I think Ryan covered it really well. If anyone cares about code-level details, we reuse an enormous amount of the kube stack in the front part of the impersonation proxy, which has some nice benefits, because it basically interprets your request in the exact same way the kube API server interprets your request, which is nice, because that's what it's supposed to be. From the client's perspective, it is the API server.
F
We, yes, we had to restructure a bunch of code, but for the most part, we're not really using any code that we wrote. We just have a small amount of relatively straightforward wiring and then a bunch of assertions to make sure that wiring behaves exactly the way we think it behaves, and we just use.
F
F
I guess, do you folks have any thoughts on what's left? What would we have left before we can ship 0.7.0? I know folks have been excited and waiting for this release. We keep telling Nancy, in a week we'll be done, and then it's another week.
D
I actually had that same question. The bullet below this one, I listed two things that came to mind on what's left: so fixing some test flakes, I don't know if flakes is the right word, but I know Mo and I were looking at some red tests earlier, so getting those tests passing, and maybe some manual testing, I know we talked about, Mo mentioned earlier. But I'm curious what other folks think is left here, because I definitely haven't been working on this as long as other people have.
F
I guess one open question I have in my mind is how far did we want to pursue the testing of the impersonation proxy on kind, and if we wanted to restructure those tests to better simulate a real cluster, so not going through Squid and all that stuff, because it seems to behave weirdly, at least for the fan, like, yes, like, get and create works because they're just normal REST verbs and nothing really special happens there, but stuff like watch and port forward and exec and all the weirdness doesn't behave exactly right.
F
C
I'm kind of inclined to say, like, the tests on kind are mostly a smoke test that it, you know, isn't terribly broken, but any major issues with, or, I guess, any kind of subtle issues with the port forward or, you know, interesting commands might be caught in CI, but we know that it will be caught in CI because we have those managed environments.
F
F
F
F
C
F
E
E
It will run the tests on an ephemeral GKE cluster, but not any other managed cluster, because if it works on one, it's probably going to work in all of them. But then in the main pipeline, so after you merge the PR, before we release, it will run that commit on EKS, AKS and GKE, and on top of that it will run on three different Kubernetes versions of AKS, three for EKS and three for GKE.
E
B
B
What about these, like, the stories that are sort of still in flight? Is there any major work that still needs to be done, or are we waiting to just kind of deliver and accept these stories?
E
F
And Ryan spent some time doing the spike on moving to that code, and it is pretty egregious. Like, it takes what is an almost trivially easy to read file, if you just read the comments and read the code, it reads really straightforward, and the business logic is really on the order of, like, 20 lines and the rest is just "I wired up the server". It takes that and sort of flips it on its head.
F
This is the piece of code that in 2018 had a 9.8 CVE. So if we all remember, 10 is the highest the scale goes, so 9.8 is basically unauthenticated remote compromise of your entire environment, and that's what that let you do. Really, really don't want to use that code.
F
D
Are there other already built examples of impersonation proxies that y'all have compared this to when trying to answer that question of, do we need this new code? Like, Mo, I remember you mentioning there's a project, maybe called Teleport or something.
F
Like that. Gravitational is a company that has a project, they have a product called Teleport, which uses an impersonation proxy. It uses a fork of a different project as its back-end reverse proxy. It does not even use the Go standard library at all, or if it does, it uses it in a very different way, so that, so, so we have.
F
F
F
F
I think, Patrick, you had mentioned some bugs related to the impersonate group header. Was that because of that other proxy thing that you were trying to use on your clusters? Is it using impersonation in the back end with two clusters? Was that why that came up for you?
G
It came up because I tested out miriam, another project that also uses the impersonation headers. So I guess it's an impersonation proxy, and the issue, though, it's based on Envoy, and the issue was that it put all the groups in the same header and just comma-separates them, and then Kubernetes doesn't know what to do with that. They generally think it's just one big group name, so yeah.
F
F
F
Yeah, I feel reason to be confident because I don't expect code changes at this point. I expect, like, or I mean, if we find some bug, sure, maybe, but yeah, we might change our tests or something to align better, and we might do a bunch of manual testing or just other confidence testing just to make sure that our tests are testing what we think they test. And yeah, I don't know, I feel pretty good about it.
F
B
A
All right, well, thank you, everyone, for joining this edition of the Pinniped community meeting. Just a reminder: we meet every first and third Thursday of the month at 11 a.m. Central time, 9 a.m. Pacific time, and that would be 12 p.m. Eastern time. So we hope that you see us at the next community meeting, and with that, thank you and enjoy your weekend.