From YouTube: Hack your own Kubernetes Controller in less than 10 min in Bash - M. Valais & A. Le Squéren, OneStock
Description
"Hack your own Kubernetes controller in less than 10 minutes in Bash!" is a presentation where we aim at demystifying controllers, also called “operators”.
Website: https://www.onestock-retail.com/de/
Organized by @Microsoft @kubermatic7173 @SysEleven
Thanks to our sponsors @CapgeminiGlobal, @gardenio, @sysdig, @SUSE, @anynines, @redhat, nginx, serve-u
A
I will tell you the story, the story of Antoine, who the story about these developers who were slowed down by the secrets and then our common story when Matt's at this co-working space and were a simple, simple command. Last command turned that turned out to be a controller and also about that later and.
B
How it solved these two problems: okay, okay, so I'm briefly, I'm going to briefly speak about OneStock and what the program will solve. We set an sas solution to a minerals for unifying warehouse and store stops. So imagine you want to buy a t-shirt on a BTS for a website. You visit the website. The warehouse have the T-shirt installed, so you can order it and the warehouse previous your import, Center and send it to you. But what happened if the warehouse doesn't have stock?
B
B
So the your order will be sent to All Stars that can fulfill your order and the store seller. So one standard store sellers will pick up your product from the shelves. Prepare the ones are actually with you, it's completely transparent on your side. So it's a basic use case. We have to OneStock like two young, develop many more use cases.
B
So when stock has grown creepy over the last year, 10 000 stores use our UI really and more than 10 percent of European reviewed our experience, Reserve Marines and we are now more than 40 developers. So at OneStock we handle a lot of different cigarettes as many companies do. We have three cigarettes on one side. There are internal spread for our stack credentials that it include our database, including password and also the power RPI, without search for each environment I'm. On the other side, there are external Secrets.
B
They contain source to connect to external services such as the stock API of our clients. So because we now have many many players, we have to handle more than 300 cigarettes there. So how do we observe those secrets? In the past, in 2016 we had a September, local and local compose to run our stack to a classical way. We have one hit report for multiple service with 155 and we use Docker controllers to build and evolution images speed, but also we use it to run the application locally.
B
B
Information, you update your your adventure, Secrets files and then it was deployed on an ultra device, this Workshop. So this also have worked well for us back up to last year when the dev team has grown quickly, so we exceeded more than 100 services and with many database as such an elastic search. So, unfortunately, what the plan happens enough resources to remember application, local, it's all. This is why one of the reasons why we switched to manage Kubernetes Cloud. So historically, our servers were hosted by The Village, so we have chosen 4H managed Club.
B
B
So this news cluster is based on the port resources. So this is a really nice feature, because when we only pay for the resources we use yeah and how does it work in practice in the morning when the cluster grows progressively, as a developers can't start deploying and at the end of the day, work run jobs shuts down all applications on the cluster of xp.k tools by machine. So with this solution we have solved our versus limitation problem, but we also have a nice benefit.
B
It's easier for people to collaborate so, for example, help willing to help about a new feature: I just watched, I kind of inspect his writing. Engineers he's wearing pods with scananas, just as I do with my thoughts. So it's the same flight. So it's easier to help each other and I've got stuck. It has created a positive inside the team so but Wednesday my city, okay, my desk, told me hey, someone from an interesting is using our these animals are a major credentials.
B
So after a few investigations, the login password has been linked under the director was was using it. So hopefully it was the Dell account and only developers to use it. So it's easy to fix the program right. You choose, you change your credentials and you send a message to the deaf child and then people will attend their local environment file files and everything is fine but whatever in practice. It was a pain because people don't feel the our chat messages and sometimes.
B
B
So that's why we use the boards the secret management tool, so we have stored all our secrets there and we use a rewards policies to escape the secret success. So, for example, running a few developers use are available to access production Express and we originally used a lot for handling underlying user identities. So.
A
B
So, yes, we just have to add a Brisk scaffolding to fetch your credentials and we are down it's great for us because it has removed the friction and when you also create an item for developers. So no we can update a secret import and or beautiful events. I will use the view value without to approaches, but we have our program with distortions, because every time you developer a deploys, the hook makes many Portables and it it really. It will increase the the deployment Time by many seconds.
B
B
From external APIs into a Kubernetes, so in our case we we will use the operator to synchronize the whole key to a new Kubernetes. So, instead of directly creating the secret of object, pattern declares next levels that object with a broad plus. So when the developer deploys, an application is capable it's great and then the the operator will fetch the value involved and create the corresponding Secrets objective impurities, so the pods and then the Pod definitions are not modified. They use a consequence activity for me. So this is great.
B
We moved from our synchronous actions that slowed the application deployment to a net synchronous section made by a controller in Kubernetes and I'm. Happy because I know it's important. It's an important factor of adoptions. The fact the faster the deployment is, the more developers we use the platform.
A
A
So you, you talked about consumerosity, which means faster deployment on every every time a developer wants to deploy to their Dev environments, namespace it's much faster, but it goes a bit farther than this fibonacci's controllers, because there are declarative, there are synchronous, so you can declare and accurately does it for you, but it is also interesting because it will self-heal actual sequence operator. Imagining that you have another unique, as you mentioned, that happens another passively.
A
You would like to rotate it, but when you do rotate it and change it in gold, there will be an inconsistency between the password involves and the password in the secrets, indicators and that's where excellent Secrets is helpful and reconciles the states. The the thing involves into your secret I call it self-healing that something equivalency Sports often talked about. Would you like me to talk more about it? Yeah, of course.
A
And to talk about a bit more about brunette strippers I want to take a bit a bit of distance and talk about traditional systems. A bank is a traditional system and I'm going to talk about the database. Point of view like how you solve things, so everything in this slide will be about the database perspective. When I talk about consistency, it means from a database perspective or data perspective. A band is in a bank, you want all the accounts and account balance it to be equal, the sum to be equal to zero.
A
A
B
A
States often, for example, in the two deployment objects you have the spec and the spec is the design anyways in a band. This is the desired stage and The observed state. That I will mention later again is how what the action you do to get this information? Is it? Is it in the desired state or not, and for example, in my postgres database, that is, that represents my bank. I will do this SQL query at the sum of all balances.
A
A
That's so the outcome is that on one on one side, imagine somehow Cosmic wave breaks the database and one value is Chance from from a balance number. It is changed that doesn't happen right. Databases are extremely extremely stable, I I think, but you think I guess there are examples of the basic becoming consistent but yeah it's not able to recover its consistencies. So you all that you decide to take is always true. It is always the same as the opportunity, but it's always consistent and that's the the point of a bank.
A
You don't want your income balances to be a random chance. Kubernetes is told neighborhood. It has nothing to do with a bank. Actually it's like the reverse. We absolutely don't care about consistency and that's why we say we have a separation between the desired and observed. States I. The desired state, for example, is replica. Is fine. I want five replicas of my pod running in the costume and.
A
For example, The observed state is what you do. How do you look at the world to make sure that when I say world I mean things? What do you so with this specific example? What commands would you run to make sure that the desired tip has been reached? I I would do PS and I would count on like across all machines and I would tell the number of processes running this deployment. I want so yeah besides stay different from other states, and everything in Kubernetes is about changing going from this observed state.
A
That is very often not the design State and we consolidate it, reconcile it with the desired thing. So we we move from The observed stage to a design, State, that's yeah. So, for example, who who is a outer talk about that later, for example, the cubelet will create a process on the machine that is running and create a new Linux process. Namespace see roots and everything in order to comply with the.
B
A
State so, as I said previously, it's the reverse of the bank. We don't care about ethnicity, but in exchange for consistency, because, like that you know it's, the stating Kubernetes is always wrong. You do like this. When you look at the status bare, often it doesn't match what you are expecting in the spec, but in return we get some feeling it recovers. It there's a note that goes down for some reason: Cosmic wave whatever it where it will recover.
A
That's that's for me. That's the most important thing about this one. Is that that's what we are going to try to achieve when we think in a controller mindset, we talked about external Secrets. Xlc price is an operator. In my mind, an operator is a controller. There is no difference: For Me, Maybe yeah. Maybe people do a difference, but I don't know so. Every time I say operator, it means you can follow and no reverse sorry.
A
Actual suppress operator tries to yeah wait. You said it tries to reconcile copy a password from all to secret influences. In this example, Excel Secrets saw that there is a mismatch between a Vault password called radish in red. It belongs to the observed States, and it is a desired State, because the secret particular system does not exist. Yet it does an action reaction here is supposed to get and then to CTL create a secret and fortunately that solves the inconsistency and the red is XL. Secret becomes in the desired state.
A
B
Secret operator for the last month- and there are so after the password linked I mentioned earlier- we decided to improve the security in the company. So we thought about the following scenario, and that is if someone with bad internships managed to access the programming system cluster and we managed to compromise the API credentials, he could access to offer developer good access to the data of this developer. But.
A
B
B
So this is a security issue and we have to accept it so well. We can touch the external Secrets as it refers to external services. So here we speak about I mean about the internal secrets. We decided to Generate random, random string for passport for every developers, so 10 Secrets across 40 developers. We have now 400 possible to generate so. Can we do so? If I go back to the previous diagram?
B
We will fail to fetch the data input because I haven't removed the new secret mode, so I have no choice, I think at every deployment a pre-install book invest check the existence of the separation board and create it does not exist. But it's the same problem here, as we saw earlier when we did when we did many Revolt get doing the requirements.
B
A
So maybe we can write for a conference here: okay, I'm here controllers, oh yeah, immediately when he presented this problem. I said why don't you do build a controller because that's definitely something that would like come moving sit in looking forward here. It is synchronous, it is M45 seconds every every time you run scaffold, one painful. So we talked earlier about design state after the state, blah blah blah and I once to again go over.
A
Is our state other state action and Define what our control will be, but we won't be doing it in a hard controller. We will be doing a controller by hand with qctl and Neapolitan by hand. We will pretend to be a controller for this performer with this self-healing capability, but manual desired State. We don't want actual secrets to have not found Secrets when we do find an excellent secret. That has a secret note panel, because excellent Secrets fails to fetch the secret involved.
A
B
A
To all secrets- and we look at this reason- secret synced error- when we do see this sequencing Terror- we do something so- and this is observed. State is what I just said to basically I'll get excellent secrets. And, finally, what do we do? We create the different people with phones.
A
It says random, but you should see open hsl rounds like so some command that run that prints as a friendly secret. Now there is, there is something very important: I don't want to be pulling all the time. I don't want to be running. Remember we're in our terminal, pretending to be a controller. I, don't want to be holy like every 10 seconds doing chipct.
A
Observed States and when I see the secrets in there immediately I default, put to create this effect and then the next step on the sorry upper screen. You see that the secret, who hasn't seen it so with some Secrets, was able to find the secret. This is exactly what we want in our component. This is a controller. This is as simple as this: it's gypsychell gas and some command. If you sometimes you cannot because imagine this is about GCP. You will do check out it's as simple as this.
A
Maybe it's not possible, but yeah. It is quite it is straightforward. If we, when we look at it this way, okay, so this I I, wrapped up everything we said previously, like you still gets, and the vote put and I want this. One liner, that is not the wine liner exists, because I I I I I put it in a in different lights, so that I can explain it and.
A
A
B
A
Sink for the sequencing error and if it does appear, we we AK. So it's a Bash type. We keep it in the panel, so we continue doing. If you see this secret stage error.
A
The unbuffer thing on the right is a thank you problem. When you have it, you need to unbuffered, otherwise it will buffer and you will unexpectedly see that the JSON output doesn't doesn't come as anyways next step. We filter out. We only take the path that we need to do the voltage. So we we take the key and property, and then we Loop we do wire rates. So we look over this and we do. The whole choice observed it action.
A
We don't have desired state. Where is it in this case? There is no spec. The the desired state is the in our heads this. It is not visible. We yeah that's here, because we don't use a crime, we don't use a customer. This whole definition. We don't use any sort of API, so there is no step. The perspect means it's not written.
A
Oh, it makes sense so yeah, that's our one-nighter. That is not a one-liner. Now, let's see how it works in action, so we are still in our terminal. We are not in the master, we're using Juicy TL we're doing produced both CLI. So here you can see me type the one language just to pretend that it is not normal, so you can check it and we've run it. The immediate output is that we can see there is a output. This.
B
A
A
What I do next on the button pattern screen is I delete an external secret to pretend that there was a cosmic way, something that happened wrong and we will see that the controller manage manages. We see another scenes error and immediately after that, our tiny controller fixes the problem, and that's it. That's it. That's our controller.
A
But it's another controller. Actually a controller has to be running in your part. Talking to the API server. We are outside of other classes, so it's not really applicable. We need to put it in a cluster. Our controlling part that consists of a strip will be running out of inner part in a container. It will be, as you said, doing, Cube cctl commands, so Cube scale will be in the container and it will be doing default commands again, faults will be in the container.
A
We should write a Docker file, so first we put our script into a file controlling the message. Then we write our Docker file and I'm using pipeline here and we install Cube and Vault inside that's because our script is dependent on them and, finally, a deployment file. For some reason. Every deployment file is so big all right. This is YAML I guess so it's really small on the screen. But what you can catch is it's a deployment with a service account very important, because I need to talk to people.
A
Yes, sir inside the pod, ium CTL will be, even though you don't have two broken. It will be able it will pick up the photo that is mounted automatically by documents to do that. We created service account and we make sure that the woman uses the service account and we allow this service account to read the Excel sequence.
A
Now, let's see how this now we are inside the cluster I at the bottom, at the top of the screen, I do qctl watch again because to visualize the changes to exhaust secrets to check that it works. What you should have seen in this is that it's the same behavior. We have done a controller. It's an inner part. It runs blah blah blah. That's great two things! I I want you to remember that if you want to write your controller again, it's very simple right: it's qctl what.
A
Users with this stupid people that won't know when there's a problem, usually people do Cube CTL describe. You won't see anything what you can do with qcl1.24. That's the latest version- and you can see here in on GitHub I upload this a bit like a longer controller, with more things, 38 seconds left, yeah, anyways conditions. You can use conditions to. Let people know when there's an error, but Bash is restricted, not nice.
A
A
B
Yeah, it's going to be very great, so, as I smile, we have to see this one under brush controller inside our cluster with all the developers, and it's worked well. That was nice, but in order to use it for real with the definitely means the control in Google fights, so it would be easier to test and then extra, so I'm really happy to have met. A smile. I will still speak about our jobs, programs, doing coffee breaks and we still have helped each other.