From YouTube: This Week in Cloud Native 8/16/21
I use OBS for this streaming stuff, and sometimes it works really well, and sometimes it's kind of a pain to get knocked in just right, but generally speaking, it works pretty well. All right, there we go. So this week I'm going to be digging into some security stuff. It should be a fun episode; I'll be digging into a few different pieces of it.

Oh, I just realized, see, that's what I'm talking about. Funk. There we go. So this week is the eBPF Summit, so Wednesday and Thursday are going to be the eBPF Summit. Let me go ahead and just share with you a little bit of information about that.

It's a free registration. It's two days of incredible things. There will be an eBPF-based... it'll be an eBPF-based CTF, which ought to be super fun for folks. There'll be lots of really great stuff, so yeah, come check it out. It's a free event and it'll be streaming live on YouTube, and you can interact with us on Slack. The eBPF Summit should be amazing; that's kind of what I've been focused on, and clearly there's a lot going on there.

Let's take a look. So I always start off with a reminder that this is a CNCF official live stream, of the CNCF, so be nice to each other in the chat and be nice to everybody, really just generally as a rule, if you can, if you could do that. Registration for KubeCon + CloudNativeCon North America 2021 is now open for in-person and virtual; to explore the registration, you can follow this link.
So I think I've mentioned this before, but if I haven't, then, if you want to catch up with episodes that have already happened, this is a great way to do that. If you go to that link, you'll be able to see the playlist for each channel, or for each thing that we've got managed here, including one that was just updated earlier today, Search Magic by Siam, and we have Solid State. We have Kunal doing dot ed dot.

We have Maddie doing CNCF Face Off, and then there are a number of other shows as well. All really great stuff: Cloud Native LatinX, Fields Tested sounded like it was a complete kick, and so, if you haven't had a chance to check out Fields Tested, this most recent episode is probably the one to jump in on, because it was a...

It was Kaslin going through the securekubernetes.com CTF challenge that Tabitha Sable and Brad and a bunch of other amazing folks worked on at the most recent in-person KubeCon, which was San Diego, gosh, forever ago. We've got This Week in Cloud Native; that's the channel that you're watching now, so as soon as this episode is over, it'll be posted on that playlist. 100 Days with a nice cognitive classroom, and all of these things are just up and ready for you.

So if you miss an episode, or if you aren't able to catch a thing that you wanted to see, you can always just go to YouTube and they're all archived there. There's new content every day and there's always something kind of fun happening, so definitely check it out. A quick reminder again that in version 1.22, which is actually going to be the version of Kubernetes that we're going to be playing with live today, there have been API removals, which means that some things that worked before are not working anymore, right.
So, if you haven't already read this blog post, please go do it. It's a very important one. It describes just those things that will be removed from version 1.22. So, for example, I think, you know, likely the stuff that's really going to catch people out.

One of the big benefits is that in the 1.20 time frame we also inserted a warning, so now, whenever you're registering a webhook or leveraging any of these APIs that are about to become removed, you should get a deprecation warning telling you, hey, that is deprecated. Now, I spent the last two episodes kind of covering API deprecation and removal. If you want to know more about that, definitely go check out those videos.

Easy to remember; takes you... There's been lots of really great posts just this month, and I wanted to kind of cover a few of them, and mainly it's part of the release cadence of a release like this one, where you will see a number of blog posts kind of referring to different features or capabilities that are changing, right. And so the 1.22 release came out, and you can definitely check this one out.

And we're going to look at a couple of them that I'm particularly interested in. We have server-side apply moves to GA, CSI Windows support, which means that the custom storage interface, of being able to actually create new, oh cool, Deeps in there, to be able to create new volumes and things as a plug-in, will be GA in 1.22, and then we have, new in version 1.22, the alpha support for using swap memory.

I know Elana has done a ton of work on this, trying to get this in. But basically this means that you will no longer see the kubelet crash when you're bringing up on a system with swap, and the kubelet will be smart enough to use that swap reasonably, which I think will be great. This is a pretty significant change in 1.22. I think, since the beginning of the project, or something very close to that, we've always told people to remove the swap capability, like to turn off that swap volume. But now we don't have to do that anymore. So that's, I think, a good thing.
This one talks about the way that memory is managed in this kube sub-component. I'm actually curious about this one a little bit, and then we'll dig into kind of the fun work. So some Kubernetes workloads run on nodes with non-uniform memory access. Now, if you're not aware of what NUMA is, this is a pretty fascinating thing. The idea, they probably get into it. Do they?

The idea is that, basically, the path between the CPU core where your process is being executed and the memory that that CPU core has access to will be direct from one CPU core to a particular bank of memory, but not direct to the other bank of memory, and so depending on what you're trying to do, you can actually incur a cost when you're trying to access memory that's in a non-uniform location, and so what this does is it tries...

You know, this is going to be for some really specific work, like trying to make sure that you're operating with as little latency as possible, but with NUMA you can actually... you can kind of fence that stuff off, so that your CPU and memory are the quickest, and that you can ensure that those workloads that you're deploying are going to stay aligned on the same NUMA node or locality as much as possible, so you can really drive down the amount of latency between your application execution time and the memory that it's accessing. So I know that was a lot to cover, but it is a pretty interesting thing, and that's actually moving along pretty well, so that's exciting. Moving to beta means that it's already been through an alpha period.

What else do we have up for today? So I did not see anything in the security announce group, but it never hurts to check again. Nope, looks like the latest, most recent update was in July, so still looking pretty good there. I like to cover those things as they surface. CNCF things: another big announcement from a surveillance this week actually is the eBPF Foundation.
Why folks actually want to see it adopted and what it can be used for, and I think the story is very compelling. Basically, like, you know, say you have some new kernel feature that you want, or you're doing application tracing and you want to be able to see what's actually happening with your application: a couple different ways to solve that problem.

There might be a kernel feature that does it, right, and so you might write that kernel feature to enable some particular form of tracing, or you might, like, a kernel module, but both of these two instances take a bunch of time to actually get something merged into the kernel, and you also might take a bunch of time to get something merged into the distribution of Linux that you're using, and when we're in...

If we, like, you know, expose an eBPF-like interface into the Linux kernel, then you could write that software, as long as it's within the constraints of the eBPF ecosystem. You could write that and deliver that much faster, so pretty exciting stuff, kind of enabling this to extend the kernel more dynamically and with a much shorter time frame than what it would normally take. So I just realized that you may not have been able to see anything I was just presenting.

Oh, you didn't see it? Just not me, okay! Well, that's good! All right! Well, okay! I mean, good enough. I'm excited that that happened. All right. So, let's move on. You probably saw me catch my green screen. Oh no, you didn't, because you didn't see me. My green screen fell over and I had to go save it.

Now, the stuff that I wanted to dig in... oh, CNCF things, let's do that first. So we talked about the eBPF Foundation. One of the other places I look for weekly news is at KubeWeekly. This is actually a great newsletter put together by my fellow CNCF ambassadors, and so, if you're, like, looking for a good source of news, this is probably the best one that you'll find, or, like, at least a pretty consistent one that you'll find. There's also the Kubernetes Podcast that does a pretty good job of capturing the news.
There's a number... there's also this one, lwkd.info, another favorite.

So LWKD is focused more, kind of, like, on the developer side of things, so like what commits are interesting. Sometimes Josh will pick a particular commit and talk about it. But yeah, I mean, like, you see stuff like this, so: introduce event clocks based on utils' clock. The API server has a new clock in town; the new event clock API provides a more testable approach to delaying calls. Also be sure to check out the follow-up PR, which improves some interface and struct names. So that's, I guess, the commit-of-the-week stuff.

So it's always some kind of fun article or some interesting technical thing happening inside of KubeWeekly, so definitely check it out. The ones I called out today in the news section were the ones that were coming up for the CNCF, so they were: manage thousands of K8s applications with minimal effort using KubeCarrier. I haven't explored this one. That looks pretty interesting to me.

It's hosted by Kubermatic's Zhonjiang Zhu, and if you wanted to check that out, that's happening on the 19th, which is coming right up. And then also on the 19th, Meshery... we'll be talking about, where Lee Calcote from Layer5 will be talking about the service mesh manager, and then Sean McCord and Andrew Rynhard from Talos Systems will be talking about hybrid Kubernetes clusters with WireGuard, and all of those things are happening on the 19th. So if any of those are interesting to you, definitely check it out. Quality has improved again, oh, interesting.
You know, not super secure. And then we're also going to play with this new model where we can actually define, like at the kubelet level, what the actual default should be, and we'll talk about that, and we'll talk about Docker runtime defaults, and we'll talk about, like, you know, container runtime defaults in general, those sorts of things. So that's what we're going to dig into in this episode, and I think that'll probably take us right up to the hour, but I wanted to kind of play with it.

I want to let you know what we're going to dig into, and then we're going to play with it. And then the other one, which I might save for another episode, but I'd like to cover it: there's an incredible KEP that's actually moving forward. It's in alpha now, so it's already got an alpha; it's already got a feature gate, and this is a replacement for pod security policies. And so this one is... I blame DNS, nice.

So this is a replacement for pod security policies, and it greatly simplifies the model that pod security policies follow to interact with things, and I wanted to play with this because I wanted to play with, like, how it works and, like, what it looks like and all of that good stuff. I haven't actually started this one up locally yet, and so I think I might come back and do this another time, but it's already in the 1.22 code base behind a feature flag, and I thought we might explore that.

Probably in the next episode, just kind of play with it, because I have spent a big amount of time, like, helping people understand pod security policies. Yeah, saved yourself for a little bit, but I'm going to be digging into this one, probably in the next episode, or perhaps an episode after, but yeah, I think that'll be probably the right way to go.

We're going to talk about why pod security policies are good, too. So, let's get started. Let's go ahead and build our kind cluster with just, like, nothing special going on, and then I want to show you kind of, like, what you can detect and what you can determine from, like, those system calls that are available, and that sort of stuff. So let's dig into it.
Well, let's see. So the way I'm reading this is it's saying that it's just... it's a feature flag that you determine. You can set the feature flag, SeccompDefault, and this enables the use of RuntimeDefault as the default seccomp profile for all workloads, and the seccomp profile specified in the security context of a pod or a container.

The RuntimeDefault is going to be whatever the default seccomp profile built into your runtime is. So containerd has a runtime default; Docker has a runtime default. Both of these runtime defaults actually limit the system calls that a given process that has been containerized can run.

Yeah, I mean, like, I'm streaming at the full resolution, 1080p 30.

Weird. Well, we'll figure it out. Anyway, to this, because it's a complex topic, so I want to speak slowly, and I want to make sure that you understand what I'm talking about as we get into it. Actually, I'm not even streaming from OBS, I'm streaming... basically, I mean, I am streaming from OBS, but it's coming out a virtual cam interface that is going directly as a camera into Restream. We're using Restream for this.

But to give you a little background, seccomp is a way of providing a kind of a rule set for processes that have been generated inside of a container that can limit or otherwise constrain those processes to specific system calls that are reasonable for those processes, so that you can't do things like, I don't know, reboot the node or, you know, delete things. Or do things? You can't see anything.

This page, by the way, is amazing, so if you ever want to learn more about seccomp, this is a great way to do it. Reading the Docker docs for seccomp is amazing, so there is an option where you can tell it: --security-opt seccomp=unconfined.
And inside of that bash shell, we can look at the capabilities that we have running as root inside of this container, and then we're going to run the same command without the security-opt flags and see what the runtime default capabilities are, and then we can kind of compare the two of them, right. So if I do apk add libcap...

Now remember, you can actually go to this HackMD yourself directly and help me edit it, put notes in, that kind of stuff. That is available to you right here at the bottom, where it says hackmd.io/@twicn.

What amicontained does is it actually goes through, like, for each system call that it could make, it tries to make the call to see if those things are filtered or not filtered, and in a filtering state, which is what we see here for container runtime in Docker, there are 60 blocked system calls, right, and that is a good thing, and we're going to talk about...

If you want to know more about why that's a good thing, definitely check out the seccomp page inside of the Docker documentation, because they really get into, like, exactly why this is done this way, and I think it's a really good article on, like, what seccomp is and why it's important. Okay, so these are filtered messages, right. So I can't do things like, you know, mess with NFS exports, and I can't do things that would otherwise mess me up, things like setdomainname.

If I go back and I pull up our unconfined one, and I do apk add curl, and I grab curl -LO, just like we did before.

There we go. Oh, in this case, in this state, we can see seccomp has been disabled, but there are still some system calls that are blocked: swapon, swapoff are blocked, reboot, sethostname, some things have been blocked, but not nearly as much as what's been blocked here in the lower end, and what these are...

These are basically system calls that have been picked that are likely to affect the overall performance of the system, rather than, and be outside of, what a normal process might do, right. And so in this baseline seccomp profiling, like, you likely... you've probably never even noticed that it was there, because this set of system calls that has been limited here really are just there to keep you within the bounds of a regular process.
Right, it's trying to be as restrictive as it can without being so restrictive that you ever notice that seccomp is actually in place, and at the same time, like, get rid of stuff like, you know, giving you the ability to insert new modules or to remove modules, or, you know, things like this that you probably shouldn't necessarily be able to do as just a running application inside of a container on a Kubernetes node. They want to limit that stuff, and that's why there are 60 blocks.

I had written it so that when the SSH didn't... he would actually, like, drop into a scenario where he was in a container that was in a read-only file system, and he had to realize that SSH was listening on two different ports and SSH over to the other port so they can escape. That kind of trippy. All right. Let's move on. So yeah, so these are the kind of things that are filtered and why they're filtered, and if you want to know more about that, like I said, definitely check out the Docker seccomp documents.

So the next question we had was, like: what capabilities do I have in an unconfined mode versus, like, what are Docker's defaults? But we haven't looked yet at what containerd's defaults are. So let's look at that next, and for that I'm actually going to do this an easy way for myself. I'm just going to go ahead and start up a kind cluster, because I know that kind runs containerd under the covers. kind create... that's very... config before.

Yeah, you can even... I mean, we might try this, but, like, you can... anything you can do with kubeadm, you can tune with kind. In fact, one of the interesting side projects of kind... While this is booting up, why don't we just go look at that real quick? So one of the interesting side projects of kind is that you can do a thing where it's called kinder.

Tinder is... kinder, kinder, or however you want to say it. kinder is tooling that is used by kubeadm to test the kubeadm software, and, if you don't know about kubeadm, kubeadm is tooling that is used to turn a bunch of nodes into a Kubernetes cluster. It's like a bootstrapping tool.

So kinder does a bunch of things that kind does not do, and so, if you're really into kind, you might be interested in this, because it does a bunch of different things, like you can use kinder to bring up a cluster with different runtimes. You can stop the process where you want it and re-instantiate particular parts of the process.
So, if you're interested, Russ, if you're interested in kind, definitely check out kinder, and it's under the Kubernetes... I guess it's actually the main repo. Surprisingly enough, kube main repo, kubeadm project, underneath tree/master/kinder, and it's pretty neat. Might be kind of a fun episode to do on that, actually.

And then we'll do catch... actually, add catch.

You freeze for a few seconds before it drops in quality, so something... maybe something is dropping quality automatically if frames are dropped for a bit. If that's the case, boy, that's irritating. That might be the case, because if I'm not moving, then it's like, yeah, that's all I'm going to send. That's, I mean, I guess my alternative would be to stream to Restream using OBS and bypass the camera-in thing, but the problem with that is that I can't do stuff like this.

We can see that the defaults that we're in are not limiting much at all: the same, like, 20 system calls that are limited, and I didn't have to tell it to go to an unconfined mode. By default, it's already in an unconfined mode. So inside of Kubernetes, if you don't use something like securityContext to specify a seccomp profile, then you don't get one. It's unconfined.

All right, so we've done three things and we've seen different outputs, right. The first thing we did was: we ran Docker in an unconfined mode, and we saw that we were able to make everything but 20 system calls, and then we ran Docker in a default mode, which meant that we were using the Docker runtime default, and we saw that there were, like, 80, or is it 90? Might be 90.

60, sorry, there were 60 system calls that Docker limits by default that we can see the output of now.
In theory, this should not work, but I want to see it anyway, because that's how I roll. kind create cluster --config after --name=after, because I already have a kind cluster brought up with before. Then I can't... I don't want to create... I don't know if I mess with it, so I'm creating a new one with a new name called after, and we should be able to see that. I was going to ask how k8s tells the runtime to allow that, but they both have to be active, yeah. That seems weird to me.

You would think that... okay, maybe I would think that the seccomp profile... I wouldn't have to apply this on every... on everything, but it looks like I do, so.

This is a feature flag in version 1.22, yeah, exactly.

The difference between join and init is really interesting, but you can conceptualize it like: join takes care of things when you're adding a node that is not a control plane or the very first node that you're creating; init handles things that are just on the way that maybe a kubelet would be configured on that node that is part of the control plane, or one of the very first nodes that you're creating.

Looks like things are kind of taking a minute to start up here. I don't know why the control plane's taking so much longer. This used to be much faster, and so I need to dig into, like, what's happening here, but one thing we can do, though, because the nodes have been created but they haven't been joined yet, so...

This is weird. Curse... you know, it's kind of a blessing and a curse, right. The blessing is, hey, if you mess up the configuration, you can go look at the configuration and see why it's messed up. The curse is: if you mess it up, then you have to go look at the configuration and see why you messed it up.

Maybe, maybe our whole problem the whole time has been the feature gate's not working.

So there's two ways we can enable this feature gate. So there's a feature gate enablement that goes this way, right, under the configuration piece of it, and then we could also just patch the kubelet with that particular feature gate. Oh, this is a cluster-wide thing, which I would have thought would have actually worked out.

Russ, I can see that the feature gate is enabled in the kubelet configuration, and I can see that I'm passing in the argument, right. Yeah, that'd be wild too.
Oh, my bad, and there were two things that were happening. So, like, in the kube security file, you had... I had tried out lowercasing the SeccompDefault flag, and as soon as I did that, the error in the logs changed, telling me that it can't be lowercase. That was my bad, so I put it back to the correct case, but then the problem was that, even though it's the correct case, it appears that it only checks the command line flags.

So, if that feature gate isn't on the command line of the kubelet binary, it's not showing up, and so the testing for whether that feature gate is enabled or disabled... that's the bug, is that it's only validating that against the command line and not against the actual configuration of the kubelet.

Wow, we're already an hour and some change in. I'm almost done, though. I just wanted to see this work, and then I wanted to show it, and then we're going to close it out, so we're almost there. Thank you for hanging out. It was fun to kind of deep dive into kubeadm and troubleshoot and all that stuff.

It's bedtime for you? Are you in the UK, or where in the world are you that it's bedtime, or is it always bedtime?

Same error, yep. Well, don't go enabling this flag yet, I'm just saying. It's probably not the way to go anyway. Thank you both, and thank you, everybody else, who may or may not be listening. I appreciate you. I'm glad you were here. I had a bunch of fun. I'm going to try... the next thing I'm going to...
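As an added illustration of the seccomp mechanisms the stream walked through (this is example configuration written for this page, not the stream's own notes or any project's code): the first pod carries no seccomp profile, which is the unconfined state the stream observed on a default kind cluster; the second opts in per pod to the runtime's built-in profile (the containerd/Docker default the stream compared against); the kind cluster config at the end enables the Kubernetes 1.22 SeccompDefault feature gate and passes the matching kubelet flag through kubeadm's init and join configuration, because the stream found that the 1.22 kubelet only honoured the gate when it was on its command line. The cluster name, image tags and pod names are placeholders chosen here, and the node image tag must be replaced with a real 1.22 kindest/node tag.

```yaml
# Pod with no seccomp profile. On Kubernetes 1.22 without the SeccompDefault
# feature this runs unconfined (what amicontained reported in the stream).
apiVersion: v1
kind: Pod
metadata:
  name: demo-unconfined          # placeholder name
spec:
  containers:
    - name: shell
      image: alpine:3.14          # placeholder image
      command: ["sleep", "infinity"]
---
# Same pod, opting in to the container runtime's built-in seccomp profile.
# This works on any cluster from 1.19 on, with or without the feature gate.
apiVersion: v1
kind: Pod
metadata:
  name: demo-runtime-default     # placeholder name
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault        # pod-level; can also be set per container
  containers:
    - name: shell
      image: alpine:3.14
      command: ["sleep", "infinity"]
      securityContext:
        allowPrivilegeEscalation: false
---
# kind cluster config making RuntimeDefault the default for every pod that
# does not set seccompProfile itself (alpha in 1.22, behind SeccompDefault).
# The feature gate is spelled with its exact case: the stream hit a kubelet
# error after lowercasing it. The --seccomp-default kubelet flag is passed via
# kubeletExtraArgs on both the init (first control plane) and join (every
# other node) configuration, matching the init/join split the stream described.
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: after                      # placeholder; the stream used "before"/"after"
featureGates:
  SeccompDefault: true
nodes:
  - role: control-plane
    image: kindest/node:v1.22.0   # placeholder tag; use a real 1.22 node image
    kubeadmConfigPatches:
      - |
        kind: InitConfiguration
        nodeRegistration:
          kubeletExtraArgs:
            seccomp-default: "true"
      - |
        kind: JoinConfiguration
        nodeRegistration:
          kubeletExtraArgs:
            seccomp-default: "true"
  - role: worker
    image: kindest/node:v1.22.0
    kubeadmConfigPatches:
      - |
        kind: JoinConfiguration
        nodeRegistration:
          kubeletExtraArgs:
            seccomp-default: "true"
```

To confirm which state a pod actually landed in, exec into it and read the Seccomp line from /proc/self/status: 0 means unconfined, 2 means a filter is loaded. The second pod should report 2 on any cluster; the first should report 0 on a stock cluster and 2 only once the cluster-wide default is in effect, which makes the per-pod seccompProfile the safer setting to rely on while the cluster-wide default is still alpha.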