Tao Li

I followed this colab (https://colab.research.google.com/github/GoogleCloudPlatform/ml-on-gcp/blob/master/tutorials/explanations/ai-explanations-tabular.ipynb) but failed at the export_saved_model part. Error msg: https://i.stack.imgur.com/gjTCd.png Even I changed dense_input to dense_3_input, it still failed: https://i.stack.imgur.com/I2Aza.png Details: https://stackoverflow.com/questions/62055398/keras-estimator-export-saved-model-error-expected-keys-dense-3-input-n-tfe/62056170#62056170

RBAC setup for CA key/cert

3

Currently the CA's key/cert is stored in a secret without RBAC protection. Please set it up proper RBAC so that only CA can access the secret.

RBAC setup for ingress key/cert

2

The ingress key/cert is not protected by RBAC and it's long-lived. We need to specify RBAC rules for it. https://istio.io/docs/tasks/traffic-management/ingress.html

Specify how to bring your own key/cert for CA

3

We mention this feature in our release note, while we haven't document it yet. https://istio.io/docs/reference/release-notes.html

This is a general issue including k8s, VM, cross-cluster, etc.

We added some test in istio/pilot e2e.sh. But we will need more to make sure these scenarios won't work: - Client does not provide cert - Client have wrong cert...

Enable Auth without breaking existing service

3

Including Istio service -> non-istio service (e.g., ApiServer) non-istio service -> istio service (e.g., Liveness/readiness check from kubelet) Upgrading a TLS traffic with Istio Auth.