Description
Let's explore the krustlet --- an alternative to a golang kubelet? And... let's see how the rust ecosystem works.
A: We're live, okay, welcome to Antrea Live. It's the... it's August 17th, Krustlet, Krustlet, okay, and I'm gonna update... I'm updating the GitHub table as we speak here, github k8s prototypes. I'm going to add the show here under Antrea Live. So, you all want to introduce yourself before we get started? Yeah.

So my name is Ami. I work for VMware and we are here today to learn about Krustlet, whatever it is, yeah, and we just learned that, like, what's the deal, like, do they work on it still or not? Yeah.

A: Okay, cool, and okay, you all... you all know me, you all know who we are. We've all been on here before, so, okay.

B: Go ahead. So as of this quarter, I guess a couple months ago, the v1alpha1 version of the admin network... AdminNetworkPolicy finally merged. But let's take a step back and talk about how this all came about, right? There's cluster admins all over who are using NetworkPolicy, like, what's wrong with that? Like, what's the number one thing wrong with that? It's that NetworkPolicy wasn't designed for the cluster admin.

B: For the developer to secure their applications, but in-tree there are no tools for cluster admins to secure their clusters as a whole. So therefore you have a cluster admin that has to maintain X number of network policies for X number of namespaces, and that's no good. So it's pretty obvious: we needed a way to apply policy to the cluster as a whole, globally scoped, right? And various vendors have, you know, their own solutions. Antrea has a cluster-scoped policy. I know Cilium...

B: So everyone kind of did their own thing for this, and a lot of them look just like NetworkPolicy except cluster-scoped, but the working group identified a lot of problems with existing NetworkPolicy and we took those into our two-year... two-year designing stage of AdminNetworkPolicy.

B: So, so mainly it removes the concept of default deny. Like, no longer do you have this weird implicit deny that happens only when you have NetworkPolicy. Like, AdminNetworkPolicies can be read as-is: if you want to deny traffic to a workload, you write a rule to deny it. Nothing else happens in the background. There's no magic implicitness that's happening, so it's not following a whitelist model anymore.

B: That's one of the biggest things. There's also a couple different things where we really tried to design the API around extensibility. Today with NetworkPolicy there are certain new features people want. One of those is a service selector or a service account selector, yeah, but it's almost impossible for us to add new fields in a safe way, because what...

B: We've solved it in a way by being super explicit, okay, and, and part of that comes with not having any more default intrinsic deny behavior. But it's still something that plagues every API, like there is no generic way to do it, but in this one, yeah, we've designed it so that in the future we can add new selectors. We can keep iterating on it and it's out-of-tree, so that makes things a lot easier as well.

B: Mainly because failing closed was kind of an issue with NetworkPolicy, and I gotta say this in the right way. Tim is like the man when it comes to explaining this part, but that's something that hung a lot of folks up with NetworkPolicy in the first place: you have our default Kubernetes networking model, right, everything can talk to everything, but the moment you apply any NetworkPolicy in the namespace, it flips everything on its head, right, okay, and you know...
B: I'm a little rusty because I haven't talked about this in a while, but basically the problem always is going to be, like, how can we force implementers to fail closed in a scenario when they see something they don't know about in, in an object? Well, they probably wouldn't even see it. See, that's kind of the main problem. So it's like...

B: If we want to extend the API, either we make the API explicit enough so that we communicate to the CNI, like, fail closed, or we push the complexity to the CNI and they need to maybe have mandated admission controllers saying, like, "oh, here's a new field in NetworkPolicy, we don't know it."

B: Those are the great design details, that's what we agreed on in the KEP. What actually merged in the v1alpha1 version of the API is a bit different and we need to update the KEP to reflect that. But here's the link. But currently I am kind of bogged down and just trying to get some documentation off the ground for the API. So...

B: Yep, what's a good thing to look at, you can probably...

B: This is kind of straightforward, but it's overly explicit, like we... we built this so that every field here is a pointer and you have to select one of them, right. So if we were one day to implement a new, a new way to specify a subject, right, so call it maybe service account selector, and a CNI didn't understand that new field...

B: So if a user specifies a service account selector here and the CNI hasn't updated, upgraded their API spec, they aren't conforming to the latest spec, they're gonna see that, "whoa, wait, there's nothing selected here," right, because exactly one of the fields needs to be specified. And so compare that to NetworkPolicy, where what happens in a lot of cases in NetworkPolicy, where you don't specify anything, so say you leave...

B: And so now let's rewind to what NetworkPolicy does say for specifying a subject of a NetworkPolicy. Do you know what the default behavior is when you leave it blank? What does NetworkPolicy do? Do you remember? And...

B: Right, right, exactly, so no longer do we have assumptions like that. Like we're, we're trying to be super explicit, because then in the same scenario, say you added a new selector type to NetworkPolicy. What does the CNI see if it doesn't understand this selector type? It sees a blank space and it selects everything in the namespace. So you could accidentally allow traffic to all pods in the namespace when you only meant to allow it to one. So it's, it's like a really...

B: Oh yeah, so in this implementation, I'm working on documentation that'll really highlight it and have some diagrams on how that works. But currently there's two objects within this API, and let me... I actually have this image. Let me pull it up.

A: And we're 10 minutes in, so while you find that, bring it back and show it, and then let's ask Grace and Grayson: what's the... can, can you link us to a screenshot of, or the link of, the final proposal for the multi-cluster Antrea network policies? Because I've been curious about whether you can use that to do things. For example, like, make it so that...

A: In a CAPI situation, where I have a control plane, where I have a management cluster and a workload cluster, if I could somehow make it so I could, inside my management cluster, specify a network policy that cascaded down to the workload cluster and the management cluster had the same policy, or vice versa, if I could do that from a workload cluster, just out of curiosity.

B: Whole website in progress that I'm doing, that's fine, that literally has everything. But the short of it is the new AdminNetworkPolicy API defines two objects, and one object, the AdminNetworkPolicies, have a priority above NetworkPolicy, while we also have BaselineAdminNetworkPolicies, which are going to be a layer below NetworkPolicies.
B: So then you can kind of express both things.

B: I'm literally copying, like, if you go to Gateway API, you can look at images. "anp api model" is, is the, the one I was trying to find, but it's like a clear S... SVG, I don't know, it's a PNG, but it's just... I guess that looks, that works. So like that's kind of the relation between NetworkPolicies and the new API, both objects, and then looking at the personas of each.

A: Okay, so if I've... no, got it. So if I have no policy, my baseline is applied, and then, if I have NetworkPolicies, those will override that, and then, if I have an AdminNetworkPolicy, that will override anything that the baseline has, okay, right. And the baseline and the admin are both added in this, okay, cool. All right, we'll wait for Grayson, maybe Grayson will come back. I don't know if he's still here.

A: Okay, help, yeah, so, so yeah. We definitely... stoicas has been working on this for like two years now and he's got other things to do. Okay, people are always asking how they can get involved and, like, it's just show up and do something, do anything.

B: I'm screaming for help here and it's gonna be a cool API. We already have sign-on from Antrea, who's gonna implement it. Google just told me that they're gonna work on implementing it for Cilium, and then I'll be working to implement it for OVN-Kubernetes, which is what OpenShift uses. So that's three pretty big vendors.

A: Yeah, can... do we have an issue filed for updating the netpol test suite?

A: Okay, that's perfect, yeah, okay, yeah. So folks, reach out on the SIG Network Slack to, to soyuz.

A: Krustlet has a lot of documentation. The doc, the first documentation page, it says that it... okay, a high-level overview of how it's organized: the introduction takes your hand through a series of steps to run an application on a Krustlet. Start here if you're new to Krustlet. Topic guides, okay, so okay! So how do I... okay? So I download it and unpack it, and then I move it, and then after I do all that?

B: Is a whole another, like, field, but from... I just pulled up Krustlet's website and, like, the first thing they show me is, it says, "run WebAssembly workloads in your Kubernetes cluster," so that must be their main marketing point, right. What's WebAssembly supposed to do? It's just a binary format that's super portable. It's supposed to be compiled once, run everywhere. It started in the web, like it started for web applications, but now it's being used all over.

B: Like isolation inside this wasm thing, so...

A: Okay, Grayson, by the way, answered the questions. First he said sorry, he was thinking about stretched network policies, but then he said, in short, multi-cluster admins can define cluster network policies that can be replicated across the entire ClusterSet. No, but I meant stretched network policies. I meant the one that spanned different infrastructure, Grayson. So I think that's what I meant. Recently there are some design changes, okay, so the, the update there is that we need to update the docs with the design changes, and that's totally fine.

A: I just wanted to do a quick check-in and see how things were going. So if you have any links or images, Grayson, on the thing that spans infrastructure, let me know, I'm happy to, like, show people. I think it's the stretched network policies. Okay, so let's go back to the quick start. Where's quick start?
A: There we go, hold on, hold.

A: Cargo.toml is essentially a go.mod, like it's just keeping track of the dependencies, or in this case, crates. Okay.

B: You need to run cargo build again, but yeah, you don't have to keep doing the target add. It already did that.

B: So see how, in that cargo build, you're passing target? You've, you've imported the target with the cargo target add.

A: You are running a wasm binary on your machine. That's cool.

B: And that binary, that binary format is super flexible. Like I think you can compile once, like, like truly pretty much compile once, run anywhere, like on an ARM machine, AMD, like PowerPC, anything, I think. I don't...

B: Do I have to go on the... I have to.

A: So can I just make... can I call it that other thing that already exists? On a lark I'll just call it this. What do I care, nobody's using this? This is totally why you should never run... This is why you should never run anything from Docker Hub, but you don't know what it is, 'cause that definitely exists.

B: Me, let me make a... let me see if, let's see if koi works. I'll make a repo real quick under my name.

A: So how do I make a repo, like...

B: I wonder if it works, I wonder if they say, if they support that repository type.

A: This as gcr.io slash junit 100, yeah, test, and then I can do docker push gcr.io...

A: No, we don't... I'm not saying we're quitting, I'm just saying that, like, we're just making a tactical retreat here. So what, what is the... I've been watching the news, I'm learning all these new, like, war terminology views, so what's the thing that I need to do to... so, so I can't log in. So maybe I can, I can update gcloud. Is there google apis?

A: Oh, unless you have the Krustlet, Krustlet, so Krustlet's its own CRI, then okay, the Krustlet is implementing the CRI interface somehow so that, when kind... when the Krustlet starts a new container, the CRI implementation calls a totally different binary. Is that the idea? Yeah, it's around the parser of the wasm, right.

A: Okay, cool, so yeah, doesn't look like we can get this working today, or maybe it's not maintained. That's fine. June Jen, I'm gonna hang on for a second. If you've got the latest multi-cluster network policy feature, I, I'm happy to at least show it to people for a couple of seconds.

A: We'll wait, wait a minute here, but I, I, I don't... Antrea proposals, proposals.

B: Pretty much, yeah, and I know there were some folks looking at multi-cluster network policy, or the concept of it, and whether or not we could just extend NetworkPolicy and AdminNetworkPolicy as they stand today to work across multiple clusters, or yeah. Cilium does the same thing: Cilium has Cluster Mesh, but that is... that means that every cluster in the mesh has to run Cilium.

A: Okay, cool, all right: this is a good, good place to end. I think thanks June Jen, stoickis, I mean everybody, for coming. This was cool. I learned how cargo works. I haven't played with it before, but I'm gonna have to find something else to do with Rust other than run the Krustlet.

B: No, it might not be ready in 14 days. It's for something we're building called bpfd, which is a daemon to deploy BPF programs a lot easier than... cool. It is now, and I'm... we're going to deploy it in a Kubernetes cluster. That's my goal right now. So I just got done writing kind of like the startings of a spec, similar to the swazim spec, to define how you can ship around BPF bytecode in container images, or in images. Oh.