►
From YouTube: CF on K8s WG Forum 16th Nov 2021
Description
Recording from the CF on K8s Working Group Forum call held on 16th November 2021.
Topics
[TD] HNC propagation woes making it difficult to stage (and probably run) apps
- https://github.com/cloudfoundry/cf-k8s-controllers/issues/243
Service accounts / Secrets don’t propagate. This is an issue with Kpack.
Disable SA propagation and have shim create SAs?
Lends weight toward CRD abstraction for Orgs/Spaces.
HNC webhook is also aggressive https://github.com/kubernetes-sigs/multi-tenancy/blob/master/incubator/hnc/config/webhook/manifests.yaml#L95-L116
Needed to monitor everything under nested namespaces
[GC] Binding Service Accounts
Users vs Service Accounts -- perhaps add a defaulted field/parameter on requests that would allow end users to create service accounts. This should maintain backwards compatibility with current CF API.
Create Role https://v3-apidocs.cloudfoundry.org/version/3.110.0/index.html#create-a-role
B
B
B
So
we're
just
giving
a
couple
minutes
for
anyone
else
to
show
up
I'm
going
to
drop
the
link
to
the
document
and
chat
again
if
anyone
would
like
to
add
a
topic
to
discuss,
probably
going
to
be
a
little
light
on
topics
looking
at
it
so
far,
but
always
good
to
have
the
forum
and
then
we'll
take
whatever
time.
We
need
and
then
go
on
our
merry
way.
B
A
B
B
All
right
well,
if
anyone
else
shows
up,
then
we
can
bring
him
into
the
fold
on
the
fly.
But
thank
you.
Everyone
who's
here
for
again
attending
the
cfan
cates
working
group
forum,
we're
we're
just
trying
to
provide
an
open
space
for
everyone
to
discuss
the
various
topics
that
are
germane
to
the
cloud
foundry
on
kubernetes
space.
Oh,
and
we
got
one
more
welcome,
two
more
okay
I'll,
be
dropping
that
chat
document
link
again
for
everyone
to
add
topics
feel
free
to
add
them.
E
Yeah
might
not
be
interesting
for
many
of
the
people
who
have
just
joined
and
some
of
the
people.
I
want
to
talk
with,
aren't
here
so
I'll,
give
a
brief
update
here.
We're
planning
on
using
h
c
to
which
is
higher
the
hierarchical
name,
spaces,
controller
to
propagate
service
accounts
and
other
objects
across
the
namespaces
that
are
created
with
cf,
create
space
and
cf
create
org,
and,
as
we've
tried
to
use
it
in
in
earnest.
E
So
I
was
bringing
this
up
here
to
see
if
any
of
the
the
folks
over
on
the
umea
side
like
had
more
thoughts
here.
But
in
my
opinion,
it's
like
kind
of
like
not
looking
so
good
like
I'm,
not
sure
if
the
benefits
we're
getting
from
agency
are
are
super
useful
if
it's
like,
if
we
might
have
to
like
manually,
manipulate
these
and
propagate
the
service
accounts
themselves.
E
I
also
like
was
surprised
to
see
how
aggressive
it
is
in
terms
of
permissions
like
it.
It
sets
up
a
web
hook
that,
like
validates
on
on
the
wild
card,
object
type,
so
literally
every
every
creation
or
update
or
anything
of
any
object
on
the
cluster
has
to
go
through
h
and
c,
which
is
also
perhaps
not
ideal.
E
B
B
E
The
tldr
of
what
I
just
was
talking
about
was
it
I'm
not
positive.
The
agency
works
very
well
with
service
accounts,
and
I
think
that
might
be
a
an
issue
given
how
that's
like
our
primary
use
case
for
it,
I'm
wondering
if,
if
y'all
drink,
your
explorations
on
it
like
got
it
to
successfully
propagate
them
such
that
they
are
usable
or
like,
if
I'm
just
doing
something
wrong
with
it.
F
E
No,
it's
a
it's
a
requirement
from
kpac,
so
to
be
able
to
stage
apps
in
in
the
appropriate
spaces
that
line
up
with
them.
You
need
a
service
account
for
kpac
to
use
and
I
believe
it
runs
the
build
pods
with
that
service
account
and
that's
how
it
lines
it
up
with
the
image,
pull
secrets
and
everything.
F
C
E
C
E
For
for
capex
sake,
yes,
and
the
reason
why
is
we,
we
really
want
to
be
able
to
run
the
staging
pods
in
the
the
same
name,
space
as
the
apps,
or
at
least
in
discrete
name
spaces
primarily
for
log
output.
Reasons
like
like
we
want
the
same
r
back
to
be
in
play.
That
is
normally
there
like
for
staging
as
it
is
for
running,
but
also
like
yeah.
I
guess
this
is
the
same
concern
for
it's
a
tendency,
related
concern.
C
Maybe
we
should
just
because
there
is.
There
is
a
specific
reason
they
don't
propagate,
which
is,
I
think,
the
comments
in
the
code
basically
say
if
we,
if
we
propagate
this,
would
be
basically
working
against
the
kubernetes
controllers,
and
we
don't
want
to
do
that
so
that
kind
of
suggests
that
we
want
to
achieve
the
same
outcome
differently
in
a
way
that
doesn't
like
go
against
the
grain
of
what
kubernetes
usually
does
so.
C
The
first
thing
I
was
thinking
was
exactly
that,
like
we
just
created
it's
a
bit
annoying
because
like
if
and
if
you
use
the
the
shim,
then
I
guess
we
could
add
that
to
the
shim
and
just
the
shim
just
creates
a
service
account
every
time
possibly
like
if
you
want
to.
If
you
don't
want
to
use
the
shame,
then
of
course
it
becomes
annoying,
but
we've
already
discussed
having
crds
for
orgs
and
spaces.
So
maybe
that's
where
yeah
that's
one
extra
point
for
going
in
that
direction.
E
I
think
there
will
be
value
in
that,
like
I,
I
was
also
surprised
to
see
like
I'm,
I'm
not
saying
like
we
really
like
rip
out
hnc
or
anything,
but
I
was
also
surprised
to
see
that,
like
it
sets
up
web
hooks
like
on
on
every
object
in
the
cluster,
and
I
could
see
that
being
not
agreeable
to
some
some
operators
out
there
so
like.
If
we
had
the
crds,
then
there
could
be
like
also
a
an
alternative
to
it.
E
Where,
like
you,
make
the
crds
and
then
like
an
operator
could
set
up
the
namespaces
or
whatever
and
and
the
controller
could
put
the
appropriate
service
accounts
and
stuff
in
those
that's
a
separate
issue.
I
think
I
think
what
you're
saying
about
maybe
for
expediency
like
in
the
gym
it
could.
It
could
do
this
for
now
and
then,
like.
C
Among
the
other
things
I
don't
know
what
all
the
web
books,
but
like
the
one
I
hit
from
time
to
time
playing
with
it
is
like,
if
you
try
to
delete
something,
and
this
thing
is
not
empty
or
something
it
tells
you,
you
can't
do
it
or
stuff
like
that,
like
you,
it
doesn't
allow
you
to
mess
up
the
hierarchy
so
well.
If
we
replace
this
with
something
else,
there's
a
chance
that
we
have,
we
wouldn't
need
the
same
validations.
No,
I.
E
E
F
E
C
E
E
B
E
B
E
F
E
A
B
Yeah,
I
definitely
would
caution
against
immediately
going
and
trying
to
rip.
Hnc
out
sounds
like
it
probably
still
provides
value
in
certain
areas,
and
then
we
can
disable
certain
facets
of
it
and
then
supplement
it
with
some
of
our
own
stuff
until
we
decide
well,
maybe
that
will
be
what
we
go
with
long
term,
but
at
least
would
give
us
some
room
to
breathe
so
cool.
It's.
C
E
C
E
Yeah,
I
think
I
think,
right
now,
it's
just
early
days
for
it,
which
might
might
be
what
we're
betting
up
against
like
I
was.
I
was
also
surprised
to
see
it's
like.
There
was
an
issue
for
like
it,
propagating
some
istio
config
and
like
stepping
on
istio's
toes
and
their
like
work
around,
for
it
was
just
a
hard
code
like
the
names
of
the
resources
that
istio
was
making.
I
was
like
what
the
heck,
but
but
anyways.
B
C
We've
noticed
that
we
have
this
bit
of
discrepancy
between
cf
and
cates
when
it
comes
to
types
of
users,
because
ncf
there's
just
uses
well
in
kubernetes,
there
is
two
types
of
users:
one
is
actual
users
which
is
humans
and
then
there's
service
accounts
which
are
treated
kind
of
differently
and
at
the
moment
I
think
in
our
role
binding
code,
whether
you
try
to
assign
a
role
to
some
user.
We
just
hardcore
the
fact
that
the
subject
of
the
broadbinding
is
a
user.
C
F
Just
wonder
what
the
hnc
problems
were.
I
mean
I
just
had
a
little
stab
at
it
as
well.
So
I
was
changing
the
end
to
end
test
code
to
use
the
api
rather
than
create
kate's
objects
directly,
and
I
got
a
bit
of
a
surprise
when
half
the
roles
that
were
created
by
tokens
were
not
being
recognized
and
then
it's
because
it
was
setting
them
up
as
users
instead
of
services
accounts,
but
it's
it
seemed.
F
So
at
the
moment
I
could
see
people
doing
a
cf
curl
or
something
maybe
if
they
really
wanted
to
do
it
from
the
cfcli
to
go
and
set
that
and
then
maybe
in
the
future,
we
can
add
an
option
to
the
cli,
so
you
can
specify
that,
but
it
I
don't
know
it
seems
to
fit
kind
of
secretly
and
nicely
at
the
moment.
With
the
case
side
of
things
and.
C
F
C
Nice
yeah
in
general,
just
a
shout
out.
This
would
be
the
first
time
we
would
like
kind
of
enrich
the
acf
api
with
kubernetes
specific
things
which
don't
break
backwards,
compatibility
but
kind
of
add
new
stuff
on
top
of
cf,
which
are
kubernetes
specific.
I
don't
know
how
people
what
people
think
about
these
kind
of
things.
F
D
C
D
A
F
Unattended
stuff,
our
recommended
ways
to
create
a
service
account
and
use
the
token
from
that
to
provide
the
authentication
and
then
you've
got
to
go
and
authorize
that
account
somehow
so
that
would
either
yeah.
That
would
be
literally
creating
a
role
binding
in
case
directly.
At
the
moment,
this
opens
it
up,
makes
it
a
bit
more
user-friendly
if
you
like,
all
goods.
D
Yeah,
I
I
think,
being
able
to
certainly
like
officially
register
a
service
account
for
operations
within
within
a
space
like
that.
Definitely
sounds
really
valuable,
given
that
you
know,
assuming
that
whatever
we're
doing
to
propagate
user
roles
into
the
appropriate
role,
binding
wouldn't
interfere
with
those
like.
If
that's
the
case,
I
would
think
that
extending
the
api
wouldn't
be
a
very
high
priority,
but
it
seems
like
something
we
could
certainly
figure
out
how
to
do
and.
E
B
E
Yeah
the
way
they
structure
this
api
with
this
relationships
object
makes
it
pretty
amenable
to
things
like
what
we're
suggesting.
So
that
looks
good
cool
like
even
if
we
like,
like
name
spaced,
our
our
type
or
whatever,
with
like
kubernetes
like
I.
I
think
it
would
be
very
unlikely
for
us
to
step
on
toes,
not
not
saying
we
shouldn't
reach
out
to
runtime
team,
but
this
this
api
looks
better
than
like
what
I
what
I
expected
for
for
doing
this.
E
C
B
B
I'd
like
to
open
up
open
the
form
to
any
thing
anyone
wants
to
discuss
questions
comments,
concerns
welcome
to
all
the
people
that
are
here
for
first
or
second
time
glad
to
have
you
please
show
up
anytime.
You
want
to
talk
about
us
and
think
about
what
we're
doing
and
get
involved
yeah.
So
any
topics
anyone
wants
to
bring
up.
B
Sounds
a
little
quiet
on
the
western
front
if
anyone's
thinking
about
please
just
raise
your
hand
and
speak
up,
but
as
sort
of
like
a
logistics
thing
we're
sort
of
heading
into
holiday
season.
So
I
expect
that
the
meeting
schedule
will
get
a
little
bit
interesting
as
we
sort
of
dance
around
the
holidays.