From YouTube: CNCF SIG Runtime 2021-02-18
Description
CNCF SIG Runtime 2021-02-18
B
A
A
A
A
Oh cool, so I think we can start. People are maybe gonna show up a little bit later, but yeah. So, so thank you for taking the time to present Trow. Excited to be here. So the presentation will be recorded, so, you know, other people can actually watch it later, and yeah, and then happy to learn more about, like, how you implemented it, container registry in Rust.
C
Yeah cool, it's good to hear. Do you want me to start now, or do you have any other business? Okay, cool. I did prepare a few slides, I'll share those. I am quite keen to have, you know, a discussion as well, though, so like, feel free.
D
C
A
C
C
C
And yeah, as I was saying, I do want to kind of a discussion about things. I thought it might be interesting to sort of first talk about what's going on with, like, registries and so on in general, and also I've kept the talk fairly technical, given it was the, the SIG Runtime, which I, I assume was the right decision. So you can.
C
We can talk about standards and stuff. Yeah, there's a few things that are going on in the registry world, which I think are quite interesting, and it's, you know, a space that's kind of needs some updating, because not a lot has really been happening until the last year or so. Yeah. Really, you know, it's not changed much since the initial versions of Docker Distribution, or at least since it moved to v2, which is a good few years now. So what's happening recently?
C
Well, Docker Distribution, as I'm sure you know, was donated to the CNCF, so be interesting to see where that goes next, because it was, you know, it wasn't, sorry, my dog, squirming and about, was in a state where people were asking for updates and, to be frank, Docker weren't doing much with it. Like, there was been very little progress on it, so be interesting to see what happens now.
C
That's part of the CNCF. A lot of registries, and I'm particularly thinking of things like the, the Google was Artifact Registry, and Azure have one and so on, they've all started moving towards supporting multiple artifacts, so registries are no longer just for container images, they're also for things like Helm charts, OPA config files, exceeding bundles, things like that. I guess cloud native stuff, and there's probably an argument that we've really recreated FTP servers, but that's gonna be a bit cynical, and added a REST front end at the top.
C
There is, as I'm sure you're also aware, a standardization process of the OCI, so you've got the, I don't know what it's called now, but effectively distribution spec, around with official title, but there is a spec and it's also conformance suite. So you can, like, verify whether or not a particular implementation conforms to the standard, and they're starting to talk about.
C
You know, doing extensions, and in particular, one of the most important things that's being talked about is Notary v2. So you're probably aware of Notary v1, which was, you know, how we did signing, or like how we did sign in, but was an implementation of signing for container images.
C
So people could sign an image and do so, and then people who had that image could verify that it came from who it claimed to come from, effectively, and also it was quite, you know, impressive implementation, because it had all the Update Framework stuff in it. So it could also verify that it was up to date, and things like that. Now, there were a lot of problems, the first, or there are problems for the first version of Notary. It's not seen as much uptake as we'd like, and there's issues like, we can't.
C
You know, signatures don't travel with images, so one thing we'd really like to see is, if an image has moved from one registry another, you can still somehow, you know, move the sign with it and, and still, you know, tell where it came from, and that's the sort of stuff that's been worked on Notary v2, and I know both Docker and Justin Cormack and Microsoft and Steve Lasker and people are working heavily on this. The interesting thing is that, kind of, Notary v2 is very different from Notary v1.
C
It's not, you know, they've kind of moved away from the first version of Notary, which I thought was an interesting decision, but, you know, maybe make sense with, given the problems they're trying to solve, and the reason it brings up in this context is because it's going to be very important for registries, like how we handle signing is a, is a, it's going to affect how things going forward, and that leads me on to the other point.
C
I think it's going to become very important over the next few years, and that's supply chain security, and some people have started looking at this. You've probably seen projects like in-toto and Grafeas, and I think the Google Cloud Platform has even integrated some of those solutions, and I've not really played with what exactly they've done yet. But I think this is going to be quite a big thing and, yeah, you'll see more sort of solutions and, and people talking about this, particularly in the light of things like the, what was it, cloud?
C
Yes, no, I'm sure I'm saying closing, you're right, SolarWinds, yeah, and you know, a lot of that was all about supply chain security and being known where stuff came from and being able to prove where it came from, basically. Okay. So the other question you can ask yourself is why, what's the point involved in another registry, given we have Docker Distribution and so on?
C
C
I don't know how many people are running the open source version of, I struggled to say Quay, but I guess that's the official pronunciation, because I should probably wear in, in the UK and Europe it's normally for nice key.
C
And that one's written in Python. Docker Distribution is obviously very popular, particularly because it's used in Harbor, so if you're using Harbor, you're really using Docker Distribution plus a few other things, yeah.
A
We, we, just a comment, so we had Quay also present a few months ago, and Harbor is also another CNCF project, right, yeah.
C
Yeah, I'm not, yeah, I think they're, I'm not knocking them, they're all fantastic. I'm particularly interested in.
C
I, I want to, like, dig into, to "key" a bit more, or Quay, and figure out how it did some, does some of this stuff, because they did some interesting stuff with, like, distributed downloads and things, yeah, and Harbor has added on a whole bunch of stuff that's very important, like vulnerability scanning and a nice GUI, and things like that, and things that are sort of essential for enterprise.
C
But the thing is, with Trow is I've kind of focused on slightly different things, and the way I started describing it, and I'm still kind of working on how I describe it and how I think about it, so I'm very interested in the feedback, but I started talking about the working set. So most registries at the minute, they're designed to store all your images for all time, if you like, so you push all your test images.
C
You know, you have old versions of the images dating back to v0.1 of the software, and they all live in your clusters. You can go back and get them and check whatever's going on, but with Trow.
C
I started thinking about things a bit differently, and what I want to focus on was, like, the working set of images, so I'm being able to securely and efficiently deliver those to the nodes within a cluster. So by working set, what I mean, it's just the bare set of images that are required to run your applications on your system. So it's not the full history. It's not like all the things going back in time.
C
It's just, what do you need to get your application up and running, maybe like a version back for rollback or whatever, but it's a much more constrained problem.
C
And leading on from that, the design that, I know, if, you know, you can use, it's just a registry, so you can do what you like with Trow. You know, you could store everything and there's absolutely no reason you can't, but the way I sort of designed it, it's normally will run inside a cluster, typically a Kubernetes cluster.
C
So if you have a system with multiple clusters, you'd have multiple instances of Trow, and those instances of the Trow could then talk to, you know, another registry which may be storing all your images, for example. So it's not that, so in a lot of cases, it might not replace Harbor or whatever it may be, it could work alongside it, for example. I have, there is no choice of storage back ends, until, at the minute it just saves the file. That was a deliberate decision.
C
I might revisit it at some point, but I definitely want to keep the simplicity of that. You know, there's a lot of problems in Docker Distribution because they support S3 and things like that, and the sort of guarantees that S3 gives you are very different and create a lot of complications.
C
C
So one thing I really want to, I think I'll talk about this a little bit later, hopefully, is when I'm thinking about auditing. You know, the registry, if it runs inside the cluster, and then the registry should really give you a good overview of what's happening in the cluster. I should be able to look at it and see, okay, what are the images that are currently used in the cluster, and how they've changed over time, and who made what changes, and so on.
C
So I think there's a lot of benefits to an approach like this for, for auditing and security. Finally, lightweight. So, you know, it needs to run in the cluster, or intended to run the cluster, and so I don't want to consume, you know, a lot of resources, and I'm not, you know, I'm thinking like CPU as much as anything else here, and that's one of the reasons that, as I chose Rust, as you've pointed out earlier.
C
So what's some of the current features? So at the minute is OCI standard compliant. It does have the catalog API, which is the, the thing that lets you say, you know, list all the repositories and images within the, the, the cluster. I also added what I call the tag history API. So I can say, you know, say you've got image redis 3.4, I can say give, you know.
C
One of the things I've been thinking about is, like, how you can integrate better with clusters. So one of the first things I did was add some image controls. So the idea is, so what I've, what I've got at the minute is an admission controller that, that you can spin up. The admission controller talks to Trow, and so, if you create a new deployment, the image controller will check the images in the deployment and by default.
C
What we'll say is, if this image does not exist within the registry, then disallow it, and you can also expand this with regex. So you can say things like, okay, if the image exists in this local registry, allow it, but also allow official images from the Docker Hub, but not user images, and things like that. So I tried to make it easier to add controls like that. You can also do something very similar things with OPA.
C
So that's another way to go for that. Proxy Docker Hub. So that's a thing I implemented the end of last year, and that's another thing that I, I see is sort of an essential feature for really to, to try and take five forward, is sort of being able to proxy and cache images. So this goes back to working in alongside other registries, if you like, but the proxy Docker Hub was, as you're.
C
Probably aware, there was, the Docker Hub added limits on how often you could download images, so with the proxy Docker Hub thing, just allows you to have a local copy and therefore control or reduce the, the number of times you need to go to the Docker Hub.
A
A
C
No, there's nothing like that, but having said that, you can associate a user, so I mean, and that works both for, excuse me, for pulling private images and for, the limits are per user, so like, if you authenticate to the Docker Hub, you get like a higher amount of limits, so you can, you can use a certain user, but the limits, like, you know, it's, I can't remember, it's a per hour, they're a bit odd, so it's actually, and also they don't enforce them strictly.
C
A
And I think the limits more for free users, that, I think, if you have the pay version, then yeah.
C
C
I nearly went with Go but, to be honest, I wasn't a big fan of Go, but I am happy that I chose Rust before, like, the safety and the speed things. I think it potentially will give us the ability to create a very efficient solution. It's not that efficient at the minute. I have a lot of work to do there, but the potential, I think, is pretty good. The issue with choosing Rust was web frameworks and stuff. So I have, the libraries, especially at the start, weren't as strong.
C
It's actually getting there now for a lot of them, but I think it's the right choice for, like, low-level common components, and I think you'll see a lot of sort of cloud native infrastructure and, possibly being, new stuff being written in Rust.
C
Yeah, so to install it, I created, like, a couple of different methods: there's a quick install method, which I can, I can demo if you're interested; there's also standard install methods. The first one I did was with Kustomize, which I really quite like, but everybody wants to use Helm. So I've had to start trying to, to support that properly, and there is a Helm install now.
C
But the quick install is quite interesting because normally, when you install a registry, you have to faff about setting up a domain name and pointing at it and so on, which is quite right. But, you know, if you have just a development cluster, you probably don't have a domain name, or you can't be bothered putting it at a domain name. So I, the quick install has some hacks that kind of gets around that.
C
Yeah, let's do it. Cool, it won't take too long, and it might give you a chance to ask any other questions. Right. So let me see if I get this right. So just before I started this, I did, from the Zoom window, I did spin up Kubernetes cluster. I've not even connected to it yet, and let me see if I can share my.
A
C
Yeah, so that actually comes back to, like, I've been using Rocket, which is a Rust web framework, and it's been pretty good, but I'm, I'm actually in the middle of trying to move off it to, possibly to Actix, because it's a lot faster, but one of the problems with Rocket is that, I think that maybe in the latest versions of Rocket's maybe changed, but it was nightly only, so I was, yeah, I had to be on nightly, which was actually a bit frustrating.
C
C
Oh whoa, oh, you get a bunch of stuff, and you've used to be less there, I think. Okay, apparently it's got Stackdriver, and I'm sure that's costing me a fortune. Anyway, so this is a, you know, that's all, you know, that's only the stuff that comes with by default. I don't have anything around there at all yet. Which directory I mean.
C
C
install.sh, and if we've run that, it tells you a little bit about what it's going to do, which is, yeah, create a service account associated with also Trow, create Kubernetes service, deployment, and the interesting thing is it handles all this TLS certificates and actually uses the Kubernetes CA, and then it will copy that certificate to nodes and also to the local laptop, and that's what lets you get around the, you know, not setting up a domain name and using something like, was it, certificates?
C
I can't remember, you know, it's like, there's a couple of ways you can handle certificates in Kubernetes, but it tends to be annoyingly complex, especially for just developing, yeah. If you went on GKE, you need to run this, and this. I've done it before, so I don't need to. One of them is just to open the port in the firewall for kubectl, and this other one, yeah, what to do with the rights, and yeah.
C
So this script is very hacky, but it's kind of cool. You can set the, the namespace you want to install, and for some silly reason I installed, like, to kube-public by default. I think that was a mistake. I should probably have created a Trow namespace. This step, I should push this a minute ago as well, because this step takes a little while. I've never really figured out why, but for some reason, when you submit a certificate to the Kubernetes CA, it takes a little while before it approves it.
C
Oh yeah, it's already created a bunch of the deployments, the service, role bindings, yeah. I think this is, you know, what sometimes we complain about with Kubernetes. You can kind of see it there. Just for, all I'm really trying to spin up is a single container, but you end up with, like, a whole bunch of effectively config around about it as well. Okay, there's a certificate.
C
C
C
The way that, like, this hacked version only works with Docker. Like, if you have a containerd-based Kubernetes distribution, then it's actually going to break. I need to figure out a way to, to make things easier in containerd as well, and it's to do with where the certificates live, basically. So what I've done here, on all the nodes, I've configured /etc/hosts to know this trow.kube-public address, and I've copied the certificate to the Docker directory, so in containerd that changes to be a different, it's not even a directory.
C
Actually, you've got, like, set it in the config, and it's, it's a bit of a mess actually, but in Docker what you can do is you can just put the certificate in a specific Docker directory and Docker sort of picks up at runtime. So I don't have to restart Docker or anything, but that's not the same with containerd, so it's a bit of a problem, to be honest. I think they're actually changing that, but I'm not 100% sure. Okay, but anyway, so it's kind of, it's, it's copied stuff gets to the Docker directory.
A
One question here, so the, when you modify the /etc/hosts on the nodes, I guess you have to assume that you need to have SSH access to those nodes, right, so from the installation.
C
I think it's even worse than that. I can't remember, to look exactly what I did. I think I creates empty, I can't remember, it's, it's possibly a security hole, actually. I mean, I've not done anything to this Kubernetes cluster. This is like a default Kubernetes cluster, and it's actually surprising what you can achieve.
C
Yeah, yeah, it's a default GKE thing. I wish you would remember the details. Basically, yeah, you can edit /etc/hosts, basically, for the node, because you just mount it, I think. I can't remember the details, but it's a while ago since I wrote it, but it stayed, it's kept working for a couple of years now, but it's a hack, it's not, this is purely for setting up a development cluster.
C
It's not something you should ever do in production. Okay, so the other bit I've got down here is, yeah, we've added to local laptops. So this is the, just adding it to local laptops, so trow.kube-public, yeah, it can be, can be routed, but this bit more interesting: Trow with the validation webhook. So that's that admission controller I was talking about earlier, so I'm going to say yes. If I said no, then I'll let any image run.
C
C
C
Test, yep, so that's up and running already. Now, because I put that admission controller on, we should find that if I create a deployment.
C
Let's go to, and this time we can point it to an image on the Docker Hub, so I can just say redis, I might come obviously docker.iot.readers, and hopefully, so I'm expecting this to be refused because it's not in my registry.
C
C
C
A
So where's, so how many replicas of Trow do you have running on a cluster? So you said that it's redundant, right, or it, is it a single instance or no?
C
It's a domain. It's a single instance. There is, like, when I, it's again, like, my ambitions kind of get ahead of me sometimes, so when I designed it, I did design it for the idea of being distributed, so you could have multiple instances for HA and so on, but I've not really got that far yet, but it's, it's actually quite nice all the same, because it's all based off disk at the minute. So, you know, if you.
C
Pause it or restart it or, you know, just move the disk somewhere else, then it will all just start up and work, which is quite nice, so it is fairly reliable.
C
C
A
Yeah, where's the Trow deployed and what europe is it, in kube-public and the, the, yeah.
C
C
It's actually been a while since I played with a Kubernetes, I'm normally just working in the, in VS Code.
C
That's not going to help, that's going to be in the video now. Yeah, so that's it there, and these are the, so that was, you're asking about how I copied the cert. It's actually a job that goes and copies the cert onto each node in a slightly hacky way, and so that's those ones you can see completed there, and there's our deploy.
C
C
C
And yeah, it explains, because we turned on the admission controller, it makes it explicit, like, what's allowed, so we can push anything that's prefixed with kubernetes or gcr.io. Oh, and myself. I think that was another problem I had, you know, you need to be able to pull yourself in some cases, yeah, it's update and so on, and you can also say things like, this is specific image explicitly allowed, so that would be like a full image name, or you can say an image of the prefix is allowed.
C
So you could say this repository on the Docker Hub's allowed, any image underneath it, if that makes sense.
A
C
C
C
It's actually on port 443, and if it can't reach it, so that's quite interesting. If you can't reach it, then you.
C
No, that's a good question. Yeah, I mean, that's one of the interesting things in Kubernetes, I think, because the second people start adding admission controllers, especially mutating ones, then you end up with, like, very different clusters. So what's something that works in one cluster doesn't necessarily work in another cluster.
A
I don't have any more questions here, but I don't know, any, I'm asking all the questions, so I don't know if anybody else.
C
I like the questions. Okay, I'll tell you what, I'll go back to the, the slides for the minute. Okay, for my Zoom's gone.
D
C
It is a little bit, there is, so it's actually a little bit strange, because in a standard, the distribution standard, there is a delete command. So you can call, you know, from, from, like, a sort of REST command line, you can do an HTTP DELETE and give it a SHA, and that will delete the associated blob.
C
Now, that's obviously quite a low-level way of doing things. It's also a bit dangerous because you can delete blobs that are used by more than one image, for example, and for that reason several registries don't actually support the method of deletion, and I think it's probably going to be changed a bit in, in the standard. I'm not quite sure what, I should go and check exactly what, what the situation with that is at a minute, but it, it arguably makes more sense to do.
C
You know, pretty much the same thing that Docker does, so if I say docker delete an image, like, given image tag, and that will only actually delete the underlying resources.
C
If there's no tags that point to the underlying resources, if you see what I mean. So there's two tags pointing to resource and I delete one of them, it doesn't delete that resource until a second tag's deleted, and really, I think we should probably do the same thing with Docker Distribution, not the Distribution, the distribution standard, but I think the reason they wanted to allow things to be deleted by SHA was, say you upload some sensitive content by accident and you want to be able to immediately delete it.
C
I think that was the thinking, but it's probably not, I think that was possibly overthinking things rather than an actual good idea, if you see what I mean, but I, I really would like to add, you know, methods for automatically cleaning stuff up and deleting all the images and so on.
C
One thing that we're working on the minute is actually a GUI, and I think that'll be a nice place to surface things like, you know, old images and stuff that could be cleaned up, and how much disk space you could save, or how much you're using at the minute, and things like that.
D
Yeah, absolutely, and then there was something that I saw at an OCI meeting regarding registry benchmarking. I don't know if you had come across a project like that.
D
It was fairly recent, so I just was wondering if, I don't know, I just briefly looked over the results, but I didn't know if they had saw, you know, or had done anything with Trow specifically, and was just curious to see the performance there.
C
It's, well, I'm not sure they have. So at the minute, like I mentioned before, there was, we've been using Rocket, and I'm in the middle of trying to change to a different front end and refactor a few things, so at the minute Trow's pretty slow, but it's purely because of some arguably bad decisions.
C
I took. It's, so it's quite reliable at the minute, but it's slow, and, but what I'm working on the minute would, would be like an order of magnitude speed up, or I think it might actually be two orders of magnitude speed up, and in which case, I think, Trow will at that point be very competitive. Like, I think it should be possible for Trow to become one of the faster implementations once I've done a few changes. At the minute it won't be, though, so I'm quite happy.
C
D
C
B
C
Thanks. Okay, yeah, so what's happening in the future? One thing is vulnerability scans, and actually that's one of the things that Harbor has already, but one of the very nice things they did was they basically created a standard, so there's basically standard in Harbor for how to connect new vulnerability scanners.
C
So if I, the idea is that I can implement pretty much the same interface in Trow, and then you can plug in whatever vulnerability scanner you'd like, assuming it implements that interface. GUI: that's actually been worked on a minute by one of my colleagues, so I'm very keen to get that working and usable. There is a question about whether or not, you know, we should do a GUI that's usable by any sort of OCI-compliant registry. At the minute.
C
It's just compatible with Trow, but, you know, it's definitely something to think about. I'm, full audit log, yeah, I talked about that earlier. I'm very keen on this idea that, you know, we can look at Trow and see what's happening in Trow, and that gives us a very good idea of what's happening in our clusters. I should give us a very good idea of what's happening in clusters. Mutable tags, yeah.
C
So that's actually really interesting with relation to Kubernetes. You know, when you do, like, Kubernetes, like, the first time you spin up a cluster, you probably thought, right, I want to update this image at some point, and so you just push a new image, and then you're sitting thinking, hang on, how do I, and then, you know, you did the kubectl deploy and nothing happened, because the YAML hadn't changed, because the image name hadn't changed, and that's because Kubernetes effectively sees tags as immutable, right.
C
But it would be nice to be able to at least support immutable tags and registers, and I think Harbor already has this, but I'm not quite sure they did it, because I don't think Docker Distribution does, but yeah, be nice to have some support for immutable tags, so, like, anything under a given, or anything with certain names can't be changed once you push something to. The other thing, and this was really where, when I started for, I was, the main thing I was thinking of, and I still not got there, but ahead-of-time image distribution and sort of faster ways to distribute images, so, and that goes back to the idea of the working set.
C
So if I push a new image, and I know what's going to be needed in my cluster, why don't I send it to the nodes in the cluster before they even do the kubectl deploy and start pulling stuff? And you can do nice things there, also using stuff like BitTorrent or similar algorithms.
C
Oh, I could have presented, and as you're aware, as you're probably aware, there's already a couple of projects, one of which is CNCF, which is the Dragonfly one, and it's also the Kraken one from Uber for that, and they're both some quite large-scale projects, though, so they're both around this idea of, like, distributing images quicker and using sort of BitTorrent-style distribution.
C
They do seem quite large projects intended more at the extremely large scale of clusters, and I would like to try and keep things perhaps a bit simpler, if anything, so they're also useful on the smaller scale, and I could be wrong there. It might be disparaging Dragonfly, for example, and I don't want to do that because it's certainly an interesting project, so I come backwards, but yeah, that's pretty much all I have, so thank you very much for listening to me, and see more questions.
B
Adrien, thank you for the presentation. I have a question about, about your users: who, who currently, who's currently using your service?
C
Yeah, that's a good question. There's not a huge amount of users. There is a handful, I think it's, I actually think a lot of people have tried it out and played with it in development, because it's very quick to spin up, and I think a few people are using it in, like, CI/CD.
C
I'm, I've not really got to the bottom of why people need a registry in CI/CD, but they did. I guess, you know, as many people pushing an image and testing it in the later part of the pipeline, but, you know, there's not a, there's not a large number of users, and yeah, I'm interested in the thoughts on how I can get more users. I think there's a couple of features that really need to be implemented first, especially around proxy, before I can really address the use cases that I've been talking about.
A
Good, so one more question, question, so, so yeah, in more about the, the differentiation with some of the other projects, right? So like, I mean, you have written Trow in Rust, right, so one of the things is that maybe it's faster, but you know, and so, and then you were saying that maybe because it's in Kubernetes, then it's with admission controller.
A
I'm just thinking, because of, there, there's a lot of different projects, and I think, you know, all different projects want to bring some value up, right, and make the users want to use that project, right. So do you have any ideas, or what might actually be other differentiation factors for, for Trow, or.
C
Yeah, yeah, I thought, I'm slightly scared to repeat myself, but I, I was kind of, so when I started, I was very much, what happened.
C
I had a previous project called ImageWolf that was just about, you know, proving you could use, like, BitTorrent to speed things up, and I used the Docker Distribution and basically created a hack that did that, and that was my intention with Trow, was to do a sort of production version of that, and unfortunately I never quite, I've not, still not quite got as far as I would like with that, and now, of course, we have projects like Dragonfly, and I should really look into those.
C
I think, I guess the main differentiation I see from, like, Harbor is, Harbor's lots of larger, more heavyweight, and whereas, you know, Trow, intentionally made it lighter, and, you know, I guess that's why people are picking up for things like CI/CD.
C
The other thing I want to look at is soft security in auditing. I think we're missing, like, stuff there around auditing and the supply chain and security, and so on. It's not clear to me if anybody really shares my concerns, though certainly people start talking about supply chains and Notary a lot more, yeah, so.
A
One question about that, so I mean, a lot of these other container registries use maybe third-party scanning tools, right, so for container images, right. So maybe one way to target different types of users is to have that integrated into a registry, and yeah. And then maybe, you talked about Notary v2, and maybe that could be something that could be used more directly with a container registry to sign or verify legitimate images, right. So.
C
Yeah, I think that's actually potentially quite a big area. Like, if we can offer better Notary integration, excuse me, or support than other registries, I can see that being quite a big thing.
A
Yeah, yeah, and I'm just kind of putting my advice role here a little bit, so, you know, what, I appreciate that, yeah, what would be best for, for the project, I mean, to, to differentiate itself, right, so to make people, you know, want to use it, right.
A
So do you have any plans to, at some point, donate this project to the CNCF or some non-profit or.
C
I would certainly be up for that, yeah. I don't know, I did consider starting the process, but I think we really need to have a user base before considering that.
A
Yeah, because we have the sandbox stage, and that's actually more of a playground, but I'm not really sure if the, I don't remember exactly if there's, like, a requirement for a number of users, right, so eventually, when, when it goes into, like, the next stage of incubation, obviously there needs to be some amount of users.
A
C
A
Yes, but some of the questions will, will be, you know, about differentiation with other projects. I mean, Harbor is already a CNCF project, it's a graduated project, and then all, also the question comes up, you know, how is this, yeah, how is this going to be better in the context of, like, the CNCF, you know, having all these projects to help end users, right, and, you know, when you have, you know, too many projects that are doing the same thing.
A
It may not actually look beneficial for end users, because that, that may end up being confusing them, right, so like, which one should I use, right, but then, if there's more distinct features, then there's more of a story, right, behind, like, okay, you can use Trow for this type of thing, right, so it might actually not, not even be about the technology. It may actually, might actually be just about the messaging, right, about, yeah. So like, how, how you position it, right.
C
A
Thank you, everyone, for attending. Do you have any questions for us or anything that I.