►
From YouTube: Cloud Native Live: Improving the Kubernetes experience - eliminating toil and tribal knowledge
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
A
So
every
week
we
bring
a
new
set
of
presenters
to
showcase
how
to
work
with
cloud
native
technologies.
They
will
build
things
and
break
things
and
answer
your
questions
join
us
every
wednesday
at
11
a.m.
Eastern
this
week
we
have
billy
click
which,
with
us
today
to
talk
about
improving
kubernetes
experience,
sounds
very
intriguing.
A
Before
we
jump
into
that,
I
would
like
to
draw
your
attention
to
a
kubecon
cloud
native
con
north
america,
that
is
open
for
registration
in
person
conference
and
also
virtual,
so
very
exciting.
A
You
should
see
the
link
popping
up
right
now.
If
you
want
to
take
a
look
and
register,
we
really
hope
to
see
you
there
and
also
just
a
quick
reminder
that
this
is
an
official
live
stream
of
the
cncf
and
as
such
is
subject
to
the
cncf
code
of
conduct.
Please
don't
add
anything
to
the
chat
or
questions
that
would
be
in
violation
of
the
code
of
conduct.
So
basically
just
please
be
respectful
of
your
fellow
participants
and
presenters.
A
B
Yeah
hi,
my
name
is
billy
click,
I'm
a
staff
engineer
at
digitalocean
in
the
past
group,
but
we
we
build
things
like
kubernetes
or
doks
marketplace
app
platform.
I'm
sure
there's
some
things
that
I'm
forgetting
and
dbas
is
another
one
that
we've
been
working
on
a
lot
lately
and
I've
been
writing.
Go
code
primarily
go
codes
for
since
about
the
end
of
2013.
Shortly
before
go
1.2
came
out.
We
talked
a
lot
about
a
lot
of
go
today.
B
I'm
also
the
the
package
main,
I'm
I'm
also
the
maintainer
for
for
vimgo.
So
if
you
write
go
and
you're
using
vimgo,
you're,
probably
you're,
using
something
that
I
work
on.
Thank.
A
You
yeah
great,
so
actually
a
quite
intriguing
title:
how
can
you
offer
to
improve
our
kubernetes
experience.
B
Yeah,
so
I'm
going
to
tell
you
a
little
story
so
when
I
started
digital
in
2017,
they
had
started
creating
a
platform
on
top
of
kubernetes.
So
it's
been
said
that
kubernetes
is
a
platform
upon
which
to
build
platforms
and
that's
exactly
what
what
digitalocean
had
done.
The
platform
is
called
docc
and
it
provides
a
a
an
opinionated
platform,
really
simplifies
the
kubernetes
experience
so
that
all
the
kubernetes
users
don't
have
to
understand
all
the
particulars
of
all
the
yaml
and
groups
versions
and
kinds.
B
They
don't
have
to
worry
about,
updates
or
upgrades,
or
anything
like
that.
That's
all
taken
care
of
for
them
and,
of
course,
it's
opinionated.
So
it'll
it's
going
to
do
things
like
it's
going
to
inject
environment
variables
into
people's
applications,
so
they
have
information
on
what
region
they're
in
or
what
what
particular
cluster
and
we
run
about
14
clusters.
These
clusters
are
somewhere
between
15
and
40
nodes
typically,
and
they
all
the
nodes
have
between
24
and
48
cpu.
So
these
are
large
shared
environments,
and
so
we
want
to
kind
of.
B
We
want
to
protect
those
large
environments
from
you
know,
people
that
might
might
be
doing
something
that
would
be
dangerous
to
others
right.
You
have
to
worry
about
noisy
neighbors
and
things
like
that.
So
there's
a
lot
of
protections
built
into
the
occ,
but
the
occ
oftentimes
does
not
have
you
know
it
satisfies
the
80
case.
People
sometimes
need
to
get
outside
that
box
and
go
to
more
of
a
coupe
cuddle
experience
where
they're
using
kubernetes
manifest
directly,
but
even.
B
They
they've
come
to
expect
certain
things
to
be
available
in
docc
and
the
the
team
that
maintains
the
occ
needs
to
be
able
to
change
how
things
work,
change
a
lot
of
implementation
details,
and
so
what
we
found
is
using
things
like
mutating
emission
web
hooks
and
valving
and
mission
web
hooks
allows
the
doc
team
to
make
sure
that,
regardless
of
how
you're
creating
your
applications,
whether
you're
using
the
doc
manifest
which
is
json
and
can
take
like
I've,
seen
it
take
like
280
lines
of
yaml
down
to
about
70
lines
of
json
it'll.
B
So,
regardless
of
whether
you're
using
that
or
whether
you're
using
kubernetes
manifest
you
still
want
to
have
those
environment
barrels
injected.
You
still
want
to
have
your
syslog
sockets
and
things
hooked
up
and
mutating
emission
web
hooks
is
how
we
do
that
without
having
to
make
sure
that
everybody
in
the
company
understands
all
how
how
the
nodes
are
configured
and
make
sure
that
they
don't
have
to
worry
about
hooking
things
up,
like
all
those
environment
variables.
A
All
right
so
to
clarify
this,
for
the
audience
is
the
topic
of
the
call
docc
and
how
it
can
help
them
or
how
you,
the
dlcc
team,
used
admission
controllers
and
web
hooks
to
improve
your
experience.
B
Yeah,
so
it's
about
how
how
we
use
a
mission
web
hooks.
So
what
we
you
know
the
mission
web
hooks
are
really
the
fundamental
building
block
to
creating
a
platform
on
top
of
on
top
of
kubernetes.
You
can
also
combine
that
with
custom
resources,
but
we're
not
going
to
get
into
customer
resources
today
we're
going
to
focus
just
on
providing
a
curated
experience
to
you.
B
Yeah
sounds
good,
so
I'm
going
to
share
my
screen
here
and
I
believe
I'm
going
to
share
my
I'll
just
share
batch
my
terminal
window
for
right
now
I've
stood
up
a
doks
cluster
in
digital
ocean
and
also
created
a
digital
ocean
registry
and
hooked
that
up
to
the
cluster
already
so
just
real
quick,
let's
kind
of
go,
can
you
see
my
screen?
Okay,.
A
B
A
B
Okay,
great
so
we
have,
we
have
here
that
has
a
a
small
cluster
that
has
three
nodes.
This
is
running
in
doks,
I'm
going
to
just
show
real
quick
that
we
have
a
like
a
deployment,
and
we
just
call.
I
just
call
this
one
example.
B
And
you
can
see
that
this
deployment
is
really
simple.
It
has
a
single
container
that
all
that
container
does
is
prints
out
the
the
date
and
the
hostname
every
15
seconds
we
put
a
cpu
limit
in
place
and
a
cpu,
some
cpu
requests
in
place,
and
the
reason
we
put
those
limits
in
place
is
what
we're
going
to
do
today
is
walk
through
how
to
build
a
muting
emission
web
book.
That
will
react
to
that
cpu
limit
and
inject
some
environment
variables.
Based
on
that.
B
There
are
no
pods
in
in
the
default
myspace
because
I've
as
I've
scaled
the
application
down,
I'm
going
to
scale
it
up.
So
we
get
one.
B
B
And
you
remember
that
when
we
looked
at
that
deployment
there
were
no
environment
variables
there.
So
now,
if
we
go
look
at
there's
one
one
pod
that
we
that
we've
created,
we
see
that
there's
a
go
max,
go
max,
prox
our
variable's
been
injected
and.
B
Is
is
digital,
which
is
primarily
a
ghost
shop.
So
all
the
things
we're
going
to
talk
about
today,
we're
going
to
focus
just
on
this
one
environment
variable
because
it's
simple
and
can
provide
the
path
forward.
But
it's
it's
not
it's
not
overly
complicated,
but
you
can.
You
can
do
very
complicated
things
with
with
mutating
mission
web
books
to
to
provide
that
platform
that
you
want.
B
B
There's
a
couple
of
things
that
things
that
we
need
to
do
first
thing
is:
you
have
to
create
a
a.
B
Mutating
webhook
configuration
so
let's
go
take
a
look
and
see
what
that
looks
like.
B
So
the
prepaid,
webhook
configuration
is
very,
is
pretty
straightforward.
It
really
consists
of
of
a
web
hooks
property
that
contains
an
array
of
admission
review
versions
and
that
emission
review
version
contains
a
client
config
which
has
a
ca
bundle.
So
this
is
going
to
be
the
certificate
that
that
the
kubernetes
control
plane
will
trust
so
that
all
the
all
the
kubernetes
web
hooks
have
to
have
have
to
be
secure
with
ssl
or
tls.
So
it's
https
only,
and
so
in
order
for
the
control
plane
to
be
able
to
trust
the.
B
What
it's.
What
it's
talking
to
you
put
the
ca
bundle
in
the
meeting
or
in
the
mutating
web
hook
configuration
you
also
provide
the
url
for
this
particular
web
hook,
a
failure
policy
which
can
be
either
failed
or
ignored
a
match,
a
match
policy,
a
name
for
the
sorry
about
that,
and
a
name
for
the
particular
review
version,
which
in
this
case,
is
going
to
be
we'll.
B
Go
up
to
this
yeah
we're
gonna,
do
object,
ignorable,
go
match
procs,
then
a
selector
which
says
what
things
what
resources
this
should
apply
to
and
within
the
cluster
and
then,
of
course,
the
kinds
of
resources
and
the
operations
on
those
resources
that
this
should
apply
to
and
then.
A
Maybe
we
can
describe
in
a
second
the
high
level
flow
of
things
so
that
people
can
visualize
it
in
their
mind.
So
any
and
someone
creates
a
resource.
Let's
say:
pod
api
server
handles
this
request
and
because
we
register
this
web
book,
then
we
tell
basically
kubernetes
whenever
something
like
this
happened
that
matches
this
criteria.
A
Please
call
out
to
my
web
book
handler
my
my
web
server
that
I
stood
up
in
advance
right
and
this
is
where,
for
example,
the
the
ca
bundle
comes
in,
because
how
would
kubernetes
know
that
it
can
trust
that
server,
and
this
is
the
criteria
and
so
on.
Right
just
wanted
to
summarize
the
high
level
flow
for
the
viewers.
B
B
A
a
a
web
hook
can
be
either
a
validating
web
hook
or
mutating
web
hook.
Validating
web
hooks
can
be
used
to
make
sure
that
someone
has
the
right
permissions
to
modify
a
certain
field
or
that
they
don't
use
certain
fields
so
like
in
earlier.
I
talked
about
docc
docc,
for
instance,
because
it's
a
large
multi-tenant
environment
makes
sure
that
people
can't
use
host
network.
B
It
does
things
like
make
sure
that
people
can't
spin
up
privileged
pods
right,
because
because
we
don't
want
all
those
users
getting
access
to
the
underlying
nodes,
we
also
put
restrictions
on
what
volumes
they
come
out.
If
someone
is
using
kubernetes
directly,
but
so
yeah
that
this
this
is
all
just
explaining
to
to
the
control
plane
exactly
how
to
connect
when
to
when
when
to
use
the
web
hook
and
what
things
it
should
apply
to.
A
B
In
this
case
we
are,
we
are
running
the
the
the
web
hook
in
the
cluster
itself
and
because,
because
we're
running
it
in
the
cluster,
we
also
want
to
make
sure
that
if
the
web
hook
is
down
for
some
reason
or
if
or
you
know,
certain
critical
things
that
might
need
to
be
executed,
executing
the
cluster,
like,
like
your
your
cni,
if
you're
running
that
in
your
in
your
cluster,
that
it's
the
the
lack
of
the
instance
if
the
instance
is
down,
if
you
spam,
a
new
cluster
or
if
you're
doing
an
update
or
something
while
someone
else
is,
is
trying
to
make
changes
to
cni
that
we
don't
get
into
a
circular
dependency
problems.
B
So
we
make
these.
These
match
policies
a
little
bit
more
complicated
what
they
would
need
to
be.
In
this
case,
the
the
base
admission
policy
is
this
last
one
here
which
is
just
go
max,
prox
c
l
web
hook
configuration
then
we
had.
We
had
two
others,
they're
really
functions
escape
hatches.
B
The
first
one
is
na
is
ns
ignorable
go
max
prox
with
that
name,
and
what
it
does
is
make
sure
that
hey,
if,
if
a
label
c
l
webhook
allow
webhook
failure-
and
this
is
customizable-
exists
on
the
namespace
and
it
doesn't
exist
on
the
object,
then
we're
gonna
use
a
policy
of
ignore
so
that
if
the
web
hook
fails
it's
okay,
it
that
the
the
the
pod
can
still
be
created,
and
then
we
do
something
similar
with
the
with
the
object
ignorable,
where
we
say
hey,
if
the
namespace
selector
doesn't
exist,
but
the
the
object
label
does.
B
B
So
that's,
that's
the
that's!
The
configuration
real,
quick
I'd
like
to
show
the
deployment
itself
that
we're
running.
B
Here
this
also
is
it's
a
very
simple
web
hook.
It's
a
very,
very
simple
container.
I
have
a
cnl
web
hook,
container,
that's
hosted
in
the
the
docr
registry
or
exposing
port
443,
and
I've
mounted
in
a
certificate.
In
this
case,
I
just
use
a
self-signed
certificate,
there's.
Obviously,
if
you're
going
to
do
this
in
production,
you
want
to
do
something
probably
more
robust
than
that,
and
so
this
this
runs
in
the
coordinate
space,
and
I
also
have
this.
B
This
deployment
has
the
all
the
pods
has
that
label
we
talked
about
before
to
allow
it
to
be
ignored
so
that
if
the
web
hook
isn't
running,
that's
the
web
hook,
pods
can
still
be
created.
A
Yeah,
so
I
I
mean
people
are
now
exposed
to
the
concept
of
validating
webhook,
mutating
workbook
and
you've
shown
a
few
examples
or
how
you
are
using
it.
I
guess
with
jesus
or
ocean
is
this
like:
do
you
have
any
recommendations
for
or
ideas
more,
what
people
could
or
should
look
after
with
those
tools
like
what
what
what
possibilities?
B
Yeah,
so,
if
you're
doing
mutating
your
mission
web
hook,
you
know
one
of
like
some
of
the
things
that
we
do
in
docc,
they're
they're
very
useful
is
hooking
up
the
syslog
socket
for
people
we,
and
we,
because
we
have
a
most
of
our
services
in
order
to
get
logging
to
central.
Centralized
logging
are
going
to
be
using
syslog,
and
so
we
go
ahead
and
hook
that
syslog
up
into
all
the
pods
for
people
automatically.
B
We
also
do
things
like
inject
environment
variables
to
the
left
hill
know
what
which
applications
know
which
cluster
they're
running
in
which
region
they're
in
what
their
service
domain
name
space
is
or
sorry
what
their
service
domain
is
and
and
the
cluster
the
cluster
name
itself
and
that
all
feeds
into
centralized
logging.
So
we
can
identify
where
something
actually
is,
and
you
know
we
have
14
large
clusters.
B
If
you
have
your
application
deployed
into
five
of
those
seeing
errors
in
the
logs,
you
need
to
know
exactly
which
one
it's
coming
from,
so
we
we
inject.
All
of
that.
B
We
also
do
things
like
inject
the
the
root
ca
certificate,
so
that
we
can
establish
trust
with
all
the
other
services
that
that
are
running
in
in
the
in
the
clusters.
So
so
the
people
don't
have
to
worry
about,
including
all
those
things
in
their
containers
or
on
their
applications
that
just
gets
hooked
up
automatically
for
them.
A
Yeah,
it
makes
complete
sense
actually,
and
it's
also
maybe
expressing
a
a
well-known
debate
or
idea
of
the
separation
between
the
developers,
role
and
the
operations
people
role
when
it
comes
to
kubernetes,
which
is
kind
of
in
the
middle.
So
the
developer,
you
know,
is
mostly
concerned
with
writing
their
code
and
making
sure
the
application
is
functional.
A
Where
does
the
line
go
like
do?
We
ask
them
to
also
know
about
kubernetes
primitives
to
the
partner
up
and
if
they
do,
how
far
should
their
knowledge
or
familiarity
with
the
platform
go?
And
in
this
couple
of
examples,
did
you
just
shared?
A
B
That's
right,
yeah
this.
This
is
all
about
making
sure
or
trying
to
make
sure
that
that
application
developers
can
focus
on
delivering
that
business
value
and
they
don't
have
to
worry
about
all
those
operations
and
particulars
about
how
to
how
to
configure
their
applications
or
operate
their
applications
in
these
large
multi-tenant
environments,
and
especially
as
as
organization
grows
and
gets
more
complicated.
B
You
want
people
to
be
able
to
specialize,
and
you
want
application
developers
to
really
be
able
to
focus
on
developing
code
and
delivering
business
value
and
operations,
folks
to
be
able
to
just
focus
on
operations,
and
these
mutant
web
hooks
can
help
bridge
that
gap
and
to
reduce
that
tribal
knowledge.
It
also
frees
up
operations
and
administrators
to
make
changes
to
how
the
clusters
are
configured
right.
B
If,
if
I,
if
we
decide,
you
know
we,
for
whatever
reason
we
want
to
put
the
syslog
socket
into
a
different
place,
or
we
want
to
start
introducing
new
environment
variables
to
to
explain
or
to
allow
applications
to
to
understand
more
context
about
where
they
are
or
what
else
might
be
near
them,
then
mutating
english
and
web
books
can
can
help
with
that,
and
you
can
just
introduce
new
mutant
mission,
web
books
and
let
people
know
hey
when
you
redeploy
you're
going
to
have
these
these
new
things
yep.
So.
B
Going
into
exactly
how
we
build
one
of
these
mutating
emission
web
hooks
and
start
going
to
controller
runtime,
and
so
I'm
going
to
I'm
going
to
start
out
very
simply
we're
going
to
start
at
high
level
and
go
through
the
main.
You
know
just
the
the
high
level
of
how
this
works,
and
hopefully,
by
the
end,
we'll
be
able
to
talk
about
testing
a
little
bit
because
control
runtime
has
some
great
testing
features,
we'll
back
up
just
just
just
for
a
minute
kubernetes.
B
If
you've
written
kubernetes
code,
you're,
probably
familiar
with
with
controllers
controllers,
are
going
to
work
with
informers
or
watch
or
watchers
controller
runtime
takes
informers
and
watchers
and
and
those
concepts
and
reconciliation,
concepts
and
abstracts
a
little
bit
further.
So
they're
even
easier
to
work
with
controller
runtime
also
provides
the
framework
for
for
working
with
web
hooks
more
easily.
So
you
know,
kubernetes
itself
doesn't
prescribe
what
a
web
hook
has
to
be
implemented
in
it
just
says
it
needs
to
be
https.
You
could
implement
your
web
hooks
and
ruby.
B
If
you
want
to
you,
can
you
can
put
your
web
hooks
in
and
go
or
rust,
or
whatever
feels
most
comfortable
to
you,
but
controller
run
time
is
targeted,
go
and
makes
it
very
easy
to
start
creating
web
hooks.
So
what
we
have
here
is
we
have
a
very
simple
application
that
is,
is
our
web
hook
server
and
the
main
function
just
calls
real
main,
so
we
give
back
an
error.
It's
a
common
pattern.
It's
just.
It
does
really
three
simple
things:
it
creates
a
creates.
B
The
configuration
passes
that
configuration
off
to
the
controller
in
this
case
controller
is
not
like
a
reconciler.
It's
just
it's
just
it's
a
control
in
the
sense
that
it's
gonna
run.
It's
going
to
it's
going
to
have
some
lifetime.
You
could
think
of
this
as
anything.
B
That's
runnable
this
this
code
is
borrowed
from
some
of
the
things
we
have
a
digital
ocean
that
I've
paired
down
a
lot,
so
this
is
kind
of
set
up,
so
you
can
build
out
from
it
and
start
making
much
more
complicated,
introducing
more
more
more
than
just
this
one
web
hook,
you
start
introducing
reconcilers
and
things
like
that.
If
you
wanted
to
start
dealing
with
reconciling
resources
in
your
in
your
cluster,
so
so
after
we
create
config,
we
create
the
controller
and
we
want
to.
B
We
want
to
hook
up
contacts
handling
so
that
when,
when
the
when
the
pod
needs
to
be
terminated
by
kubernetes,
it
will
handle
the
termination
signal
and
ship
the
controller
down
quickly,
so
it
doesn't
have
to
be
killed,
and
then
we
run
the
controller.
So
all
all
pretty
all
pretty
straightforward,
I'm
going
to
go
over
here
into
new
config
because
it
has
some.
It
sets
up
flags
and
some
things.
B
We
don't
need
to
worry
about
too
much
today,
but
one
of
the
important
things
it
does
here
is:
it
has
to
create
a
a
manager-
and
this
is
this-
is
one
of
the
key
things
in
in
controller
runtime.
It's
this
concept
of
a
manager.
A
manager,
provides
the
scheme,
a
cert
directory
report,
a
number
of
other
options
that
you
can
add
if
you're,
if
you're
gonna
be
dealing
with
resources.
B
So,
if
you're
doing
something
this,
that
is
mutating
a
custom
resource
or
even
some
core
resources,
you,
you
need
to
add
the
scheme
to
to
your
options,
and
you
do
that
by
just
doing
runtime.new
scheme,
adding
that
to
scheme
and
passing
passing
everything
off
to
to
the
manager
and
that's
a
critical
piece
for
for
a
controller
runtime
manager.
B
After
after
we
create
the
config,
then
we
need
to
go
create
the
the
controller
itself
again.
This
is
this
is
really
straightforward.
Pretty
simple!
We
have
a
base
rail
that
we
that
we
need
to
configure.
We
have
a
number
of
options
that
we
got
from
new
config
and
we
and
it
creates
the
controller
or
just
it's
just
in
this
case.
It's
just
a
thing
that
has
a
run
method.
B
You
might
remember
from
over
here
on
main
that
when
we're
done
after
hooking
up
the
context,
we
recall
when
we're
done
hooking
up
the
signal
handling,
we
call
run
on
the
controller.
B
And
this
is
this
is
where
the
meat
of
things
happens.
So
we
set
the
logger
on
controller
runtime
so
that
both
our
application
and
the
the
controller
runtime
manager
will
be
using
the
same
log.
So
everything
will
get
to
the
same
log
sync,
so
they're
gonna.
We're
then
going
to
register
some
web
hooks
we're
going
to
register
the
webhook
configuration,
and
this
might
be
controversial.
B
B
I
don't
like
to
have
my
yaml
separated,
far
away
from
my
code,
and
I
want
to
be
more
dynamic
so
that
if
I
deploy
a
new
version
of
our
controller
that
the
mutang
web
hook,
configuration
also
gets
updated.
So
it's
all
there
so
they're
tightly
coupled
because
they
are
tightly
coupled
that
allows
us
to
move
a
little
faster.
It
gives
us
locality
of
reference
and
it
makes
it
a
little
bit
more
testable
as
well.
So
we
create
the
we
register.
The
webhook
configuration
we'll
go
to
that
here
in
just
just
a
minute.
B
Have
we
have
a
set
of
handlers
and
these
handlers?
In
this
case?
It's
just
going
to
be
a
bunch
of
a
bunch
of
runnables.
B
A
Just
want
to
clarify
what
you
said
like
a
moment
ago
about
the
yaml
being
coupled
with
the
code.
Does
that
mean
that
when
it
when
I
want
to
deploy
this
admission
webhook
instead
of
deploying
the
code
and
registering
it,
I
would
just
deploy
the
pod
and
it
would
register
itself.
B
You
you
certainly
could
have
your
manager
yaml
separately
from
from
the
code
that
you're
deploying,
but
then
the
problem,
of
course,
is
that
then
you
need
to
go,
deploy
your
code
and
then
you
have
to
go
up.
You
know
you
deploy
your
app
your
update
and
then
you
have
to
go
update
the
gamble
or
you,
and
so
there's
this
time
period
where
something
there
could
be
an
impedance
mismatch
between
what's
actually
running
and
what
the
configuration
is.
B
Yeah
so
again
and
run
we're
right
to
the
web
hooks
and
what
we're
doing
is
we're
going
to
be
registering
with
the
manager
we're
going
to
register
the
web
configuration
we're
going
to
for
that,
we're
actually
going
to
register
it
with
the
kubernetes
control
plane.
We
register
the
handlers,
and
so,
let's,
let's
dig
into
what
registering
which
registering
to
web
hooks
actually
looks
like.
So
this
is
again
a
pretty
simple
method.
We
have
a.
We
get
the
url
for
our
for
our
for
this
one
particular
web
hook.
B
Remember
our
mutating
webhook
configuration
can
can
describe
multiple
hooks,
so
in
this
case
we're
just
doing
the
go
max
prox
web
hook.
Then
we
we
write.
We
register
that,
with
with
the
hook
server,
which
is
oh
sorry
about
that,
you
mention
that
with
with
the
manager,
so
we
we
grab
the
webhook
server
from
the
manager
and
that
this
is
that
controller
runtime
manager
type
register
it
now.
B
So
that's
that's
all
you
pass
off
to
register
this
admission
type
has
has
a
handler
and
it
is
a
handler
interface
which
just
has
a
single
handle
method,
and
in
this
case
we
are
going
to
create
a.
B
Mutate
pod
strategy
handler
so
remember.
This
is
really
part
of
a
larger
piece
of
code,
so
you
wouldn't
have
to
have
a
strategy.
You
could
just
have
a
single
handler
that
will
take
care
of
what
the
strategy
does
here,
but
we'll
take
a
look
at
the
strategy.
You
can
see
again,
it's
really
pretty
pretty
straightforward.
B
B
You
need
to
decode
your
pod,
because
that
comes
in
on
the
web
hook,
admission
request
and
then,
in
our
case
we're
going
we're
going
to
mutate.
It
we'll
be
modifying
the
the
pod
in
some
way.
Potentially,
then
we
marshal
the
result
of
that
process
and
then
provide
a
patch
response.
So
when
we
what
what
what
this
does
is
this
tells
the
control
plane
hey.
B
You
gave
me
this
raw
thing
originally
that
which
is
json,
I'm
going
to
give
you
a
json
response
back
to
that
and
what
the
control
plane
will
do
is
look
at
those
the
differences
between
those
two
things
and
well
actually,
sorry,
like
the
patch
response
from
raw
gives,
compares
the
raw
and
the
marshall
figures
out
exactly
how
to
construct
a
patch
that
kubernetes
understands
and
passes
that
back
in
the
response
for
kubernetes.
When
you
take
the
plot
itself,
so.
B
B
And
then,
once
once,
we've
done
once
we've
done
that
we
now
have
our
web
hook
is
registered
and
it's
time
to
com.
It's
time
to
con
update
the
configuration
before
we
go
on
the
configuration.
You
have
any
questions
about
how
those
handlers
work.
Do
we
want
to
get
into
looking
looking
at
the
actual
handler
for
the
go
max
prox
now
or
should
we
keep
going
to
the
configuration
first.
A
So
yeah
we
can
continue
just
a
quick
clarification,
actually
a
question
of
mine,
so
we
in
the
previous
step,
we
got
the
raw
object
into
the
workbook
handler.
We
did
something
and
we
returned
the
attach.
A
So,
if
the,
if
the
result
of
this
operation
is
a
a
a
patch
meaning,
please
kubernetes
do
something
that
is
another
like
a
an
operation
against
kubernetes
api
and
the
webhook
is
validating
or
muting
that
request
as
well
or
not.
B
A
A
B
Yeah,
so
when
we're
we're
creating
a
plot
in
this
case,
so
it's
actually
part
of
the
mutating
webhook
configuration
about
whether
or
not
you
you
can
call
multiple
times
or
not.
So
you
you
can
you
can
you
say
yes
call
me
at
least
you
can
call
me
up
to
one
more
time
or
don't
call
me
again,
and
so,
if
you
have
a,
if,
like
one
of
your
web
hooks,
these
might
need
to
respond
to
changes
that
other
web
hooks
might
do.
B
Then
you
want
to
make
sure
that
you
can
call
this
web
book
multiple
times
for
a
single
creation
event.
If,
but,
if
you're,
if
you
don't
care,
if
you
just
need
to
do
your
thing
and
and
move
on,
then
you
can
say
yeah.
Don't
don't
call
me
again
and
that's
that's
part
of
the
web
configuration.
A
B
So
after
we
create
the
create
and
register
the
the
web
hook
with
the
manager,
then
we
we
want
to
go
ahead
and
register
these
web
configurations
with
the
control
plane
in
this
case
again
we're
going
to
need
that
webhook
based
url,
because
we
have
to
put
that
into
the
mutating
webhook
configuration.
B
So
in
this
case,
what
we've
done
is
we've
created
a
a
a
set
of
weapon
configurations.
So
what
we're
going
to
do
is
we're
going
to
say,
hey
give
me
all
all
the
mission
web
hook
configurations
and
we
have
a
a
set
of
these
see
if
I
can
find
them
under
there
yeah.
So
it's
just
a
string
of
them
or
a
slice
of
strings
of
them
for
the
ones
we
can
pick
want
to
configure.
B
And
then
we
say,
okay,
give
me
give
me
this.
The
webhook
config,
and
what
we've
done
here
is
we've
defined
a
type
in
our
code.
That
is
really
just
the
things
that
we
care
about
on
on
a
web
hook
to
pay.
The
things
are
going
to
vary
among
our
web
hooks
and
that's
going
to
be
the
path
so
or
we
have.
We
have
we're
going
to
be
running
an
http
server.
We
want
to
provide
a
path,
so
we
can
deal
with
different
different
web
hooks
being
served
by
the
same
server.
B
B
B
B
And
in
this
case,
because
we're
because
we're
dealing
with
pods,
we
really
don't
care
about
cree.
I
don't
care
if
you,
if
somebody
is
trying
to
update
a
pod
or
something
like
that,
we're
modifying
the
containers
and
environment
variables
on
it.
So
we
don't
need
to
worry
about
anything
other
than
other
than
creates.
B
You
do
need
to
make
sure
you
set
the
scope,
it's
either
main
space
or
or
unnamed
space
scope,
because
we're
dealing
with
pods.
They
are
main
spaced,
so
we're
gonna
go
through
that
set
of
web
configurations,
we'll
grab
the
url
for
each
of
them,
so
we
can
build
it
and
that's,
and
so
what
we're
doing
here
is
we're
grabbing
the
base
url
from
our
controller
and
just
adding
the
path
from
the
configuration
we
just
looked
at
onto
that
and
and
make
sure
we
resolve
the
reference
up
properly.
B
In
order
to
set
that
on
to
this
mutating
webhook
client
config
is
here.
We
also
go
ahead
and
include
that
search
bundle
for
for
the
server.
We
apply
the
rules
to
the
configuration,
the
policy,
all
those
things
that
are
that
we
just
talked
about,
and
this
is
our
our
initial
handler
now
remember.
We
said
we
want
to
be
able
to
make
sure
we
respond
appropriately
if
there
are,
if
they're
for
for
for
critical
things
that
need
that
don't
care
about
the
web.
Look
that
is
like
it's
okay.
B
If
the
web
book
fails,
because
we
have
those
things
fully
configured
in
those
cases
usually
what's
happening
is
like
the
operators
of
the
cluster
are
making
sure
that
everything
is
is
configured
for
those
things
correctly,
because
these
web
hooks
are
primarily
focused
on
making
it
easy
for
promotes
users.
B
If
the
failure
on
this
on
this
particular
web
hook
is
fail,
then
we're
going
to
add
a
add
a
couple
of
selectors.
B
First
one
we're
going
to
make
sure
the
namespace
that
doesn't
have
the
allow
webhook
failure
table.
We're
also
going
to
make
sure
the
object
doesn't
have
the
allow
webhook
failure
and
then
we're
going
to
add
that
to
mutating
webhooks.
We're
also
going
to
pass
in
this
video
we're
going
to
get
those
additional
web
hooks
based
on
this
particular
hook.
B
So
we're
going
to
create
the
normals
from
rotating
webhook,
and
this
is
in
that's
in
the
controller
to
make
to
make
it
easy
and
a
couple
things
we're
going
to
copy
our
original
hook,
because
when
you
deal
with
kubernetes
objects
when
there's
so
many
pointers
involved
that
you
want
to
do
a
deep
copy
that
we
get
a
fresh
full
copy
because
you
don't
want
to
modify
shared
objects
or
shared
values.
On
on
these
on
these
two
nested
structures.
B
A
B
Case
we're
going
to
say,
hey
the
failure
policy
is
going
to
be
ignore.
If
the
label
selector
for
the
namespace
doesn't
exist.
Sorry,
the
label
for
the
namespace
doesn't
exist,
but
it
does
exist
on
the
object
and
we're
gonna
do
some
do
the
same
thing,
but
for
the
namespace,
where
we
say
hey
if
the
lab,
if
the
name
space
has
the
the
allow
web
of
failure
label,
then
it
can
be
ignored
as
well.
B
Then
we
return
all
those
those
web
hooks
from
admission,
webhook
configs
and
we
just
do
a
pretty
straightforward,
absurd
operation
where.
B
B
Didn't
mean
to
so:
we
we
check
to
see
if
the
mutant
web
configuration
already
exists
and
if
it
does
not
exist,
then
we
want
to
create
it.
Otherwise
we
want
to
what
was
already
there
standard,
absurd
operation
and
then,
finally,
we'll
we
might
register
some
handlers,
and
this
in
this
case
is
mostly
just
the
runways
you'll
see
here
in
a
minute
with
when
we
did
some
of
these
tests
about
how
this
works,
with
with
other
handlers.
A
B
New
mutate
bill
max
prox
so
and
so
our
we
have
a
a
a
strategy,
so
we
so
we
can
reduce
the
boilerplate
and
that
strategy
takes
a
mutate
pod,
which
is
just
a
function
that
takes
a
context,
a
namespace
string
or
the
name
of
a
namespace
and
a
pod,
and
so
in
this
case
our
our
mutate
pod
function
comes
from
this
constructor
pneum.
You
take
bill
max
prox
and
it
passes
past.
The
back
set
go
next
proxima.
So
this
is
the
thing
in
our
case.
B
That
really
is
going
to
be
doing
the
work
of
figuring
out
what
the
pod
should
look
like.
So
first
thing
we're
going
to
do
is
we're
going
to
go
through
all
the
containers
in
the
pod
spec.
Remember:
we've.
We
already
decoded
this
over
in
the
strategy
to
reduce
the
boiler
plate.
When
we
have
multiple,
multiple
pod,
mutators
first
thing,
we're
doing
say:
hey:
does
it
have
a
bill
max
prox
environment
variable?
If
it
does,
then
we
don't
want
to
do
anything.
B
We
just
want
to
continue,
because
at
that
point
we're
assuming
that
the
the
the
the
the
users
have
conf
have
intentionally
configured
go
max.
Prox-
and
we
don't
want
to
do
it-
we
don't
want
to
overwrite
whatever
they've
done
in
that
case
and
assuming
that
they
don't
have
go
max.
B
Proc
set
we're
going
to
grab
the
cpu,
make
sure
it's
not
zero
and
then
and
then
we're
going
to
see
if,
if,
if,
if,
if
it's
less
than
the
minimum
cpu,
if
it
is
and
we'll
set
the
cpu
limit
to
the
minimum
cpu
and
then
we're
going
to
set
an
environment
variable
for
for
gomax
procs
and
that
go
back
to
proc
is
always
going
to
be
a
whole
integer
value.
So
we
do
some
energy
division
here
we
so
we
set
max
prox
on
the
go
matchbox
environment.
B
Variable
add
that
to
the
enb
slice
and
then
add
set
the
container
back,
so
it
has
that
new
environment
variable.
B
One
thing
I
feel
like
I
should
point
out
here
is
that
at
the
top
of
this
this
function
it
does
talk
about.
I
think
it's
in
here
there
is.
There
are
multiple-
maybe
I
don't
have
it
in
here,
but
there
are
multiple
ways
you
can
set
environment
variables,
it
could
be,
it
could
be
env
or
it
could
be
like
from
enb,
I
think
or
env
from,
in
which
case
it
could
come
from
like
a
secret
or
something
we
don't
mess
with
those
in
in
this.
B
For
this
mutating
mission
web
hook,
you
certainly
could,
if
you
wanted
to
cover
all
the
cases
but
we're
just
trying
to
get.
You
know.
80
95,
of
the
cases
here
to
help
protect
the
health
of
the
clusters.
B
And
that's
what
the
gomax
prox
web
hook
itself
looks
like,
and
so
at
this
point
we
we
have
our
controller
and,
and
we've
run
it
and
now
we
are,
we
are
simply
waiting
for
the
whole
thing
to
finish
before
before
the
process
ends
and
that's
what
the
weight
is
for
ground
now,
it's
meant
to
say:
hey
we're,
stopping
the
controller.
B
So
there's
a
couple
other
things
we
should
talk
about.
One
is
testing
controller.
Runtime
has
some
really
nice
test
environments.
Where
you
can,
you
can
create
very
holistic
tests
that
will
actually
use
a
a
a
a
subset
of
the
control
plane.
You
use
a
cube
api
server
and
etd.
So
if
you
have
those
binaries
locally
you
can
you
can
run
your
tests
against
the
api
server
and
that
ncd,
so
you
can
actually
make
sure
that
hey
I'm
expecting
to
modify
this
pod
right.
B
So
this
this
is
getting
beyond
unit
tests
and
getting
into
like
testing
the
integration
right.
We
we
want
to
trust
the
coupe
controller.
To
do
what
I
supposed
to
do.
We
want
to
trust,
do
what's
supposed
to
do,
but
we
want
to
make
sure
that
qapi
server
is,
is
calling
our
web
hook
and
that
our
web
hook
is
delivering
the
proper
response.
So
controller
runtime
provides
an
an
env
test.
I
believe
this,
I
believe,
that's
a
practice
name.
I
always
have
to
look
it
up
if
I
can
find
it
real.
B
B
Yeah
it
is
it
is,
it
is
named
env
test
and
we'll
take
a
look
at
the
documentation
here
in
just
a
minute.
But
if
you
have
those
binaries
locally
you
can
you
can
run
your
tests
against
them
to
make
sure
like
yeah,
hey
my
pod
after
I
create
it,
I
actually
go
grab
it
and
actually
looks
the
way.
I
expect
it
to
look,
and
so
we'll
take
a
look
at
those
tests,
but
before
we
do
that,
I
want
to
real
quick
show
what
this,
what
this
would
look
like
this
one.
A
B
Do
you
see
the
env
test,
documentation
yeah?
Now
we
do
okay,
great
so
enb
test!
Come
it's!
It's
pretty
straightforward!
You
can
control
things.
The
cube
builder
assets
environment
variable
that
just
specifies
a
location
on
your
on
your
machine
where,
where
you
can
find
a
qa
guy
server
and
an
etd,
you
do
not
have
to
be
running
on
linux.
To
do
this,
so,
although
kubernetes
really
only
publishes
the
the
linux
binaries,
you
can,
you
can
get
the
source
code
for
kubernetes
go
into
the
the
root
directory.
B
The
repository
and
run
make
kube
api
server
and
it'll
build
the
cube
api
server
for
you
on
your
system.
So
I'm
on
a
I'm
on
a
macbook
and
we'll
see
what
that
looks
like
here
in
just
a
minute
to
actually
run
these.
We
run
these
tests
locally,
also
going
to
show
exactly
kind
of
what
that
what
using
sony's
test
looks
like
and
how
to
configure
something.
B
Great
so
first
thing
we'll
do
is
we'll
just
do
go
test
here:
you're
gonna
see
not
much
you're
gonna
see
you're
gonna
see
test
pass.
B
B
B
Right
so
in
this
case
I
have
the
tests
that
use
the
the
emv
test
environment
tagged
with
with
a
sandbox
environment,
because
they
require
something
more
than
what
someone
might
have
on
their
on
their
machine,
and
so
we
separate
those
from
standard
unit
tests.
So
I
provide
the
sandbox
tag
to
go
test.
A
While
it's
running
there's
a
question
in
the
chat,
what's
the
best
way
to
conditionally
set
go
max
cross
because
it's
only
applicable
for
go
applications,
so
you
mentioned
that
you
are
go
show.
So
maybe
you
are
not
concerned
with
it.
But
do
you
have
a
general
recommendation
for
people.
B
B
The
the
general
question
of
how
you
would
control
that
if
there
were
some
other
kind
of
environment
variable
that
you
might
want
to
set
for
say
for
whatever
reason
for
a
java
application,
but
not
for
a
net
application.
In
that
case,
I
would
you
would
probably
have
to
go
with
an
annotation
and
the
value.
There
too,
though,
is
that
you
can
you
can
using
annotations
and
providing
a
set
of
annotations
for
your
users
that
you
support.
B
You
abstract
away
the
details
of
what
might
happen
so
you
might
say,
hey
in
our
particular
environment.
We
know
that
we're
going
to
want
to
do
certain
things,
those
those
things
might
be
like.
Oh
yeah.
I
need
to
hook
up
logging,
so
one
of
the
things
that
we
do
at
digitalocean
and
we
talked
about
getting
the
logs
of
centralized
logging.
I
talked
about
syslog,
but
we
actually
have
more
than
one
way
to
get
locks
to
centralized
logging.
We
can.
B
So
in
that
case
we
provide
to
provide
an
annotation
of
two
annotations,
actually
that
allow
people
to
kind
of
opt
in
to
the
syslog
experience
or
just
to
do
the
standard
out
logging
to
get
their
their
logs
extend
to
to
to
centralized
logging,
and
so,
when
you're
building
a
platform,
you
want
to
provide
something
that
you
can
support,
and
so,
if
you
had
some
kind
of
environmental
that
you
people
may
be
able
to
set,
maybe
it's
not
actually
environmentally
needs
that
they
want
to
be
able
to
set
an
annotation.
B
And
take
appropriate
action
that
might
be
selling
environment
variable.
It
might
be
something
else
right.
You
might
have
something
that
says
hey.
I
I
want
all.
I
want
all
of
our
our
folks
to
annotate
their
pods
with
or
with
with
kind
of
what
kinds
of
things
are
running
in
this
like
how
how
they're
being
run,
because
you
might
want
to
hook
up
jbm
environment
variables
or
something
like
that
great.
Thank
you.
B
So
so
here
you
can
see
we
we
got
a
lot
more,
a
lot,
a
lot
more
tests
that
came
out
of
this
or
a
lot
more,
a
lot
more
logs.
That
came
out
of
this,
and
the
reason
is
because
it
spun
up
the
the
api
server
and
ftp.
B
I'm
gonna
run
this
in
verbose
mode,
so
you
can
really
see
all
the
logs,
because
I'll
show
you
in
just
a
minute
the
the
tests
are
configured
so
that
when
we
run
tests
in
verbose
mode,
we
also
hook
up
the
the
api
server
and
sed
logs
to
standard
standard
out.
B
So
we
can
see
everything
that
outputs,
which
is
really
useful
whenever
you're
having
a
problem,
you
know,
maybe
your
your
server
is
crashing,
your
control
isn't
working
or
it's
not
trusting
the
certificate,
and
so
your
tests
are
failing
because,
but
you
can't
see
why?
Because
it's
really
cube
api
server
is
getting
a
response
it
can't
handle.
So
here
we
have
a
whole
lot
more
logs
and
these
all
come
from
etd
and
from
from
cube
api
server.
B
So
in
this
case
we
have
a
simple
test
function,
tesco
max
prox,
and
what
we
do
here
is
we
we
create
a
pod
notice,
it
doesn't
have
the
the
gomax
proc
set
and
but
we
do
make
sure
it
has
a
cpu
limit
and
then,
when
we're,
when
we're
done,
we
make
sure
that
hey
our
our
env
variable
or
environment
variable
for
the
container
has
has
to
go
max
box
set
and
the
value
is
what
we
want
it
to
be.
Obviously
this
could
be.
B
You
can
handle
all
of
your
other
edge
cases.
You
can
make
sure
like
yeah.
If
I,
if
I
have
go
max
prox,
set
that
it
doesn't
override
it,
you
can
make
sure
that
when
you're
dealing
with
parts
and
cpus
that
it
does
the
right
thing
in
this
case,
I
just
want
to
do
something
simple
to
show
you
like
we
can.
We
can
actually
test
this
and
the
way
this
works
is
I've
created
this
function
with
test
env.
B
B
We
have
with
with
test
env,
which
creates
a
new
ts
test
cnb
and
then
executes
the
function
that
we
pass
in
here
to
actually
do
the
test,
but
this
new
test
cmv,
is
a
thing
that
actually
sets
up
cube
api
server,
and
you
know
the
control
plane
that
we
need
for
for
for
these
tests,
it's
pretty
straightforward.
Again,
you
can
create
an
emv
test
environment.
Again
this
comes
from
controller
runtime.
B
We
grab
the
api
server.
We
make
sure
we
configure,
you
can
pass
pretty
much
any.
You
can
configure
all
the
api
server
flags
that
you
want.
Through
this
method,
you
configure
returns
back
a
a
set
of
process,
arguments
that
have
an
append
method
that
you
can
see.
You
can
add
additional
arguments
to
api
server
and
then
you
start
it
making
it
back
as
a
rest
config
that
is
you're
if
you're
not
familiar
with
these.
This
is
a
type
in
believe
it.
I
believe
it's
in.
B
I
think
it's
in
client
go
yeah,
it's
in
client
go.
It
contains
the
host
api
path,
the
credentials
you
might
need,
as
well
as
a
tls
tls
config.
So
that
allows
you
to
connect
to
the
the
api
server
that
that
stood
up
and
again
the
cpi
server
is
working
locally.
You
can
connect
to
to
a
real
cluster
if
you
want
to,
but
you
mostly
don't
need
to,
because
because
all
you
really
want
to
do
in
this
case
is
usually
it's
like
hey.
B
The
pod
has
the
right
form
and
then
then
we're
going
to
trust
kubernetes
to
do
the
right
thing
with
it
and
there,
and
then
we
pass
that
rest
config
off
to
our
new
config
function,
that
we
saw
earlier
that
configures,
the
manager
and
everything,
and
so
I
really
encourage
people
to
to
use
test
cnv
and
you
don't
have
to
use
that
you
don't
even
have
to
be
using
controller
runtime
if
you're
writing
code
in
you're,
not
using
controller
runtime
for
whatever
reason
you're
using
watchers
and
formers.
A
That's
a
good
good
tip,
thanks
and
also
thanks
for
the
crash
course
here
on
controller
runtime,
webhook
admission
controllers.
I
think
that
it
was
very
educated,
even
people
who
might
have
been
familiar
with
the
concept
looking
at
the
code
and
looking
at
actually
a
real
world
use
case
sharing
from
your
experience.
So
thank
you
for
that.
A
We
do
have
like
a
couple
of
more
minutes.
If
someone
wants
to
ask
some
questions
over
the
chat,
if
not,
you
could
use
the
slack
channel
that
we
have,
which
is
cloud
dash,
live
on
the
cncf
workspace
on
slack,
so
feel
free
to
ask
further
questions
there.
A
I
don't
see
any
other
questions,
so
I
think
we
could
wrap
it
up.
In
a
last
words,
summary
really.
B
Yeah,
so
a
couple
things
you
know,
I
I
just
kind
of
want
to
re-emphasize
that
mutating.
What
emission
web
hooks
and
validating
emission
web
hooks
are
really
the
foundation
upon
which
you
can
start
to
build
a
platform
on
top
of
kubernetes
for
your
users
and
start
to
get
rid
of
some
of
that
tribal
knowledge
and
allow
your
your
administrators
and
operators
to
be
more
flexible
in
how
they
deal
with
everything
how
they,
how
they
provide
a
consistent
experience
to
their
users.
Thanks
for
having
me,
this
is
a
lot
of
fun.
A
All
right,
thank
you
and
just
there.
This
is
cloud
native,
live
we're
here,
every
wednesday
so
tune
in
next
time,
and
thank
you.
B
A
And
see
you
next
time,
everyone.