►
From YouTube: Cloud Foundry On Kubernetes Working Group Forum [Nov 30]
Description
Recording from the CF on K8s Working Group Forum call held on 30th Nov 2021.
A
All
right,
the
recording,
let
me
start
again
welcome
to
everyone.
That's
here.
Thank
you
for
attending
for
anyone
that's
new
here.
This
is
the
cloud
foundry
on
kubernetes
working
group
forum.
That's
an
area
for
anyone
to
discuss
any
topics
they
want
to
bring
up
regards
to
any
projects
in
the
kubernetes
space
that
are
cloud-funded
related.
A
A
I
don't
currently
have
any
topics
there,
but
I'll
give
it
a
couple
minutes.
So
we
can
think
about
that.
A
All
right,
I
don't
see
any
topics
popping
up
right
now,
but
we
can
also
run
this
as
just
a
completely
open
forum.
If
anyone
has
anything
they'd
like
to
discuss
initially
off
the
bat.
Otherwise,
we
can
just
sort
of
like
talk
about
what
has
been
going
on
in
the
space.
B
Hey
bird
rock,
I
wanted
to
just
get
some
understanding
about
some
of
the
kubernetes
work
with
the
cfcli.
I
saw
a
few
updates
on
github.
I
also
saw
some
stuff
on
slack
pop-up,
so
I'm
not
entirely
sure
what
it
is.
So
I'd
really
appreciate
some
understanding
of
what
that
actually
is.
A
Sure
I
can
feel
that
or
tim
if
you
want
to
feel
that
that's
fine
too.
Let
me
know
I.
C
Yeah,
so,
basically
in
terms
of
actual
behavior,
we
do
not
expect
changes
on
the
cli,
because
we
basically
aim
at
implementing
the
same
api
as
cfo
vms,
so
the
cli
should
just
straight
out
work.
C
The
thing
we
deviated
from
the
thing
in
which
we
we
deviated
from
cfon
vms
is
authentication
because
we
basically
we're
trying
to
get
the
cfcli
to
authenticate
using
kubernetes
native
ways
of
authenticating
instead
of
bringing
in
ua
and
in
its
way
of
authenticating,
which
means
we
had
to
change
the
cli
to
teach
it
how
to
authenticate
in
a
kubernetes
native
way,
and
we
achieve
that
by
reusing
code
that
comes
from
a
library
called
clientgo,
which
is
the
one
the
cube
cattle
is
based
on.
C
So
basically
this,
if
we
we've
managed
to
get
the
cfcli
to
authenticate
to
kubernetes
by
leveraging
the
user's
cubeconfig
and
which
means,
if,
if
you
have
a
cluster
with
any
of
the
any
provider,
that
provider
usually
provides
a
way
to
generate
a
cube
config,
they
usually
ship.
These,
like
proprietary
clis,
like
google,
does
amazon,
does
microsoft,
etc.
C
Every
operation
that
the
api
will
perform
will
be
performed
on
behalf
of
the
user,
because
the
cli
will
send
over
the
authentication
information
that
is
needed
by
the
api
to
then
call
the
actual
kubernetes
api
and
yeah.
But
this
means
that
basically
any
cluster
you
can
authenticate
to
with
cubecastle
you'll
be
able
to
authenticate
too
with
cfcli.
C
B
Thanks
for
that,
so
just
to
follow
up
to
that-
and
I
hope
I'm
not
interrupting
any
other
topics
that
folks
have.
But
what
does
it
mean
in
terms
of
behavior
and
I'll?
Give
you
an
example,
so
I
have
a
team
of
let's
say
four
or
five
developers
who
are
going
to
be
interacting
with
the
cf
interface
right.
B
So
previously
they
did
not
have
to
gain
access
to
the
kubernetes
clusters,
because
if
they
authenticated
with
the
cf
endpoint
that
will
automatically
lead
that
will
automatically
allow
them
to
push
apps
to
a
cloud
foundry
foundation
somewhere
remote.
Does
that
behavior
change
in
any
way?
So
does
this
mean
that
they'll
require
access
to
both
the
kubernetes
cluster,
as
well
as
the
cloud
foundry
endpoints
or
what?
What?
What
is
that
behavior
like.
C
There
is
no
distinction
between
kubernetes
users
and
cloud
foundry
users
anymore.
It's
just
the
same
user
base
and
in
the
same
spirit,
we
at
some
point
want
people
to
be
able
to
consume
cf,
both
via
the
api
shim,
that
the
thing
we've
been
concentrating
on
lately
or
via
our
custom
resource
definitions,
so
that
distinction
is
just
not
in
place
anymore.
C
So
previously,
I
guess
with
cfo
kate's
you
had
ua
running,
so
you
had
a
user
base
that
was
inside
ua's
database
and
you
so
you
could
add
someone
to
the
ua
use
base
and
people
could
use.
It
would
be
able
to
use
cf
via
those
users
and
then
cf,
okay,
via
irini,
created
containers
on
cloud
on
on
kubernetes,
with
with
its
own
privileged
user.
C
Now
what's
happening
is
that
operations
are
being
performed
as
your
kubernetes
user.
So
you
log
in
to
your
kubernetes
cluster
as
a
kubernetes
user,
and
then
the
cli
will
communicate
your
credentials
to
the
api
which
will
use
them
to
act.
On
your
behalf
on
the
cluster
there's
exceptions
to
this,
there
is
operations
that
just
can't
be
performed
on
behalf
of
the
user,
like
just
by
using
the
user's
credentials.
C
So
there
are
things
where,
like
we
fill
in
the
gaps,
there
are
places
where,
like
we
have
to
fill
in
the
gaps
with
some
privileged
credentials,
but
overall,
most
operations
will
just
be
half
them,
be
like
happen
on
behalf
of
the
user,
using
the
user's
credential
credentials
that
get
sent
over
by
the
cli.
C
So
we
kind
of
did
removed
that
layer
all
together
the
authorization
most
of
the
authorization
will
also
happen
basically
via
kubernetes
raw
based
access
control.
So
we
will.
We
aim
to
recreate
the
same
permissions
that
cf
has
for
different
roles
via
role
and
roles
and
road
bindings
in
kubernetes,
so
that
basically
consuming
cf
via
the
api
or
the
crds
should
be
pretty
much
the
same
even
in
terminal
in
terms
of
permissions.
C
If
the
concern
is
that
you
want
to
like
constrain
your
users,
to
only
be
able
to
do
cf
things
and
not
do
anything
else
on
the
cluster,
then
you
you
have
to.
I
guess,
do
that
via
the
kubernetes
tools,
so
restrict
access
to
only
the
namespaces
created
by
the
cloud
foundry.
C
This
is
a
slightly
tricky,
because
cloudfoundry
will
create
namespaces
dynamically
when
you,
for
example,
as
an
admin,
create
spaces
and
create
orgs,
but
in
the
end,
just
by
creating
the
user
and
then
as
an
admin,
creating
spaces
and
orgs
and
adding
roles.
Just
like
you
did
on
cloud
foundry
on
vms
the
things
you
just
work
out
and
your
users,
your
users
should
not
have
any
permission
on
the
rest
of
the
kubernetes
clusters,
because
those
roles
will
be
set
up
to
only
give
permissions
to
the
user
on
the
namespaces
created
and
managed
by
cloud
foundry.
B
Got
it
yeah
thanks
so
much
for
clarifying
just.
A
Awesome
that
was
great
for
the
people
that
are
just
joining
us
or
that
are
listening
to
this
discussion
may
not
know
the
context.
This
discussion
was
centered
around
the
cf
kate's
controllers,
repo,
and
I
can
drop
a
link
into
that
which
is
a
project.
That's
ongoing
to
sort
of
re-envision
the
cf
experience
on
top
of
kubernetes
so
giving
that
nice
sort
of
cf
push
flow,
but
without
the
underpinnings
of
previous
cloud
foundry.
So
that's,
if
you
haven't
seen
it
check
it
out,
works
ongoing.
A
A
A
A
Cool
sounds
like
it's
a
little
quiet
for
the
moment,
so
last
chance
to
interject
something
before
I
wrap
it
up
and
say
we'll
see
in
two
weeks:
okay,
cool.
So
thank
you
for
the
first
time,
attendees
please
come
back.
A
Hopefully
it's
been
worth
your
time
and
feel
free
to
reach
out
and
send
any
questions
to
myself
or
some
of
the
other
people
via
slack
via
direct
message
or
the
cf
kate's
dev
black
channel
in
the
cloud
foundry
slack
we'd
love
to
hear
from
people
make
sure
we're
addressing
the
concerns
that
people
have
moving
forward
on.
All
of
this
and
we'd
really
like
to
just
have
more
more
people
to
talk
about
to
make
sure
everything
is
serving
the
needs.
So
again,
once
again,
thank
you.
A
Everyone
for
coming
and
we'll
see
you
in
about
two
weeks
at
the
next
meeting
and
we'll
keep
on
moving
so
happy
holidays.
Everyone.