From YouTube: Kubernetes & Cloud Native Berlin Meetup New Year Edition
Description
Welcome to the live stream of the Kubernetes & Cloud Native Berlin Meetup - Jan 2023. Doors open for the in person meet up at 5 pm. The talks will begin at 6 pm, so stay tuned.
Find more information here: https://www.meetup.com/berlin-kubernetes-meetup/events/290693388/
About this meet up: We are a group for people interested in discussions around working with, running and developing Kubernetes and other cloud native technologies. We’re excited about container infrastructure, distributed systems and learning more about managing and extending them as such.
A
B
A
B
D
Okay, I think we've, I think I figured out what's wrong. I, I think the, we had a tab open for the YouTube thing, so when it kicked in like 10 seconds later, it was feeding back into the place.
B
B
A
Hi everyone, good evening, welcome to the Kubernetes and Cloud Native Berlin Meetup, Jan New Year Edition. First of all, happy, happy New Year. I hope this goes way better than the other New Years, we'll see. Time will tell. It's just Jan, but look how fast it's, it's gone on, and here we are to celebrate our first community meetup this new year, and I'm happy to kick it off with Sebastian and Stefan. Sebastian's from SUSE, Stefan's from Isovalent.
A
They will be talking about the main theme running through today's program: security and security vulnerabilities and working around that. So I'm glad all of you have turned up. This is a great, great opportunity for us to slowly keep building these community meetups. So we're really hoping that a lot of you keep showing up, as we plan to do these regularly up to June, yeah, January to June, I mean, yeah, up to June at least. Yeah, and just a few things that I wanted to quickly point out.
A
We'll have two talks, of course. It's the usual format that we're having and that we're continuing with, and followed by a quick Q&A round. Sebastian's talk will be half, half an hour and Stefan's talk will be half an hour, followed by a quick Q&A round. We also had this little chat earlier, Chris and I.
A
If you want to take that further, if you want to take it beyond 10 minutes of a Q&A round, there's plenty of time to network. There will be pizzas behind, there's refreshments, go grab a drink, talk to everyone. Also, we need helpers. We need volunteers to help us put all of this together. Chris has been a great help. Aditya has been a great.
A
Hand forward to some community building together here, so as many of you can actually reach out. If you follow Kinfolk IO, if you don't follow Kim Focus, now is the time for you to follow it on Twitter and also on LinkedIn. I keep posting regular updates there. There are lots of forms where you can fill in your details and we'll actually reach out to you, set up meetings, and we can brainstorm about content and how you want to further see these community meetups grow.
A
What kind of content you want and how you want to manage to procure different items and put things together, we can roll with it. We have fantastic AV setup here, albeit with some coex here and there, as you can see, but we're constantly working on improving it. So please help us out. The more of you actually show up and try and help us out, the better it is.
A
And lastly, just a quick update about the code of conduct. We have a Reactor code of conduct. This is the Microsoft Reactor Berlin space, but we're also using this independently to just commence our community meetups and to host them regularly here. Just one quick thing about keeping this harassment-free zone: please respect everyone's opinions. Differences of being opinions can be dealt with very well, and yeah, just be respectful and be mindful, as you always are, and that's about it.
E
E
A
The construction doesn't make it easy, but we're trying to improve on the signage outside. It's just that, yeah, we're, it's kind of, it's a little tricky, but we're also trying to figure it out, because we can't keep putting it down on the doors. I mean, everyone sort of also pulls it out, even in this building, if they don't feel it's necessary or important to be there, but we're trying to work around that. We don't really know how to perfectly go about it, but we're trying. Yes.
A
B
A
True, actually, yes, that's, that's a brilliant idea, and yeah, a code of conduct is also done and I've touched upon the program. It's your turn now, Chris.
D
Actually, I'd like to cover that in the next meetup a little more, so I.
D
Though is, you know, we're having this meetup here and we've done this a few times here. If you have a location in Berlin, if you can, let us know, and then we can, maybe, you know, if you, because we don't want to just do it here. You know, if you have a location, you know, we'd like to kind of spread it around Berlin, if, you know, if we have the opportunity.
B
Said we.
D
Will have pizza in the, in the, in between, so you know, and.
F
D
D
Time I think we'll do a little bit more about the history, and because, you know, we've actually been doing this since, you know, you see some signs on the, on the, when you come in, from like 2016, 2015. We've been doing this for a long time, meetups and other events in Berlin, and maybe we can talk about that and how it kind of ties together, and also we had this merger of two.
D
C
Awesome, no, it's actually not fine. Yeah, yeah, okay.
C
Containers against security vulnerabilities that you know about or that you don't know about. Nowadays, Kubernetes is very ubiquitous. Who is running Kubernetes? Probably everyone, or most of the people here. Don't, otherwise you wouldn't be here, right? And you can run it everywhere: in the data center, on your developer laptop, in the cloud, on-premise, somewhere on IoT or edge devices. It has been a platform that helps us standardize how we run applications instead of reinventing the wheel the whole time.
C
On the other hand, of course, that also makes it a prime target for attackers, because if you find a security vulnerability in Kubernetes, you can probably break into a lot of installations, because everyone is running a standardized Kubernetes. But it doesn't only affect Kubernetes, but also your applications. More and more applications are running inside of containers, and if you have been in IT a bit longer and in operations a bit longer, a lot of the traditional security tools like firewall systems and so on that you have been using to secure your applications,
C
They don't work that well anymore with containers and Kubernetes, because you have a much more dynamic environment. It's not as static. You don't have three servers and always like these three or five applications running on these servers. A container can be run here or here or here, is being scaled up, scaled down, and this is great, but for traditional security tools that can become problematic.
C
An additional thing when talking about security people and SecOps people in companies is what they don't like about Kubernetes: that they don't have any visibility in the networking, into the networking, anymore, or not a lot. For most people, it's actually great, because networking just works in Kubernetes. If you set up the Kubernetes cluster correctly, but then it just works, and the containers that are supposed to be talking with each other.
C
So when we talk about security in Kubernetes environments, we of course have to talk about how to actually harden your Kubernetes clusters, how to make sure that your Kubernetes clusters are not accessible by everyone on the internet without authentication, how to do certificate management, how to do version upgrades properly so that you can patch CVEs in Kubernetes itself, how to do admission controls, etcd encryption and all that, and there are tons of tools out there that can help with that. I don't want to cover these today.
C
What I want to focus on more is the actual security of the applications, because that oftentimes gets overlooked, in my, at least from what I'm seeing with the customers I'm working with, with different organizations I'm working with, and that in the end, also applications that are probably publicly in the internet available, and then, if there is a CVE there,
C
If a security problem is in there, it's way more likely that this is going to be, yeah, attacked by attackers. And securing applications means you can lock down the capabilities of what a container can do in your cluster. You can look for compliance issues like having certificates in container images. You can look and see if there are any known security vulnerabilities, vulnerabilities in the base
C
Images of your container applications, in the installed packages, or in the frameworks and libraries that you're using there. And then you may also not only want to look for these, but also protect against vulnerabilities and issues that you have, because, oh, let's do the other way around. Oftentimes when I'm talking about security with people, they say: oh, we are amazing. We actually scan our images in our CI/CD pipeline. That's great, but what I want to focus on today is that it's not enough.
C
Why? A typical, like, when you think about security for your applications, there are usually two things to take into account. First is the whole supply chain: how do I ensure that I don't have any security vulnerabilities that I know of in my, the application containers that I'm writing? So CVE scanning, compliance scanning. But the second is then also: what do I do when I have to run something, running in production, and a new security vulnerability pops up?
C
Let's look into both a bit deeper and start with the supply chain. A typical supply chain probably looks like this. The developer writes some code. At some point they commit this to the Git repository or another version control system, and then some CI/CD pipeline runs, executes some tests and by probably builds a container image.
C
This container image is then pushed into registry, and at some point you are going to deploy this registry to a Kubernetes cluster. And when I talk with customers or with people thinking about container security, what they are doing, they're saying: hey, we are actually great. In our CI/CD pipeline, we are scanning our images that we just built for security vulnerabilities and CVEs and compliance issues. We also regularly scan all the images in our registry. Most registries,
C
A lot of registries actually have functionality to scan images for CVEs built in, things like Harbor, hardware, Artifactory and so on. And then a lot of people also say: hey, we are also scanning our containers running for, in production in our Kubernetes clusters, also for known security vulnerabilities and images. We have some tooling for that. And that's great. Scanning for CVEs is important, because otherwise your security strategy is basically: I don't look at it and then I have no problems.
C
C
C
If, if there is a CVE, but there is no patch for it yet, or if there is a CVE, but there is a patch, but you are not able to upgrade yet, because either the team responsible for the application is on vacation, or it's weekend and nobody saw the alert, or maybe you can't upgrade because there is some dependencies that prevent you from upgrading, because you have to rewrite your code for like two weeks before you actually can go to the new
C
Library version. So you need kind of a strategy to deal with actually running insecure, vulnerable stuff in production in a way that makes it still okay to do so and not like a complete disaster. Or maybe it's even not a published CVE in some third-party libraries. Actually, a bug that you introduced yourself in your code, and no security scanner in the world will be able to find it. Maybe static analysis, maybe some AI or stuff, but probably not, at least nowadays.
C
So you need more than just scanning for security vulnerabilities. You need to have additional stuff to also secure your application during runtime. And securing during runtime can be based on two things. There is a more traditional threat-based approach where you have known network attacks, known like something like SQL injection, cross-site scripting attacks, Log4Shell attack we had last year, where you can probably, maybe scan the whole incoming traffic, and if you see a certain attack vector, you just block it. It's more like a traditional approach, or a lot of web application
C
Firewalls, for example, can help you making stuff more secure. Also important, good approach, but maybe in addition there you can also think about runtime security to use a more of a zero trust model. What do I mean with that? You can look in an application running inside of a container at all the network connections they are making, like inbound and outbound connections the container has, either from the internet, to the internet or internet, or also inside of a container.
C
C
Now you can build up this rule set, these rule sets manually. There are tools for that, basically firewall tools. You could write Kubernetes network policies, but that can become very tedious, and I want to show you a way how you can automate some of the, some of the stuff with an automated learning approach. There are, oh, I forgot, I mixed up some slides, sorry about that. Let's go to this one first. There are a couple of tools that can help you with that, Aqua Security systems that also have runtime security capabilities.
C
They have a lot of differences in how they do this technically, and we can, if you want to, cover this in a more one-to-one discussion, and then we can go deeper into that. I want to show you how, what I mean and how you can approach this with one tool in particular, which is called NeuVector. Two reasons for that.
F
C
So directly at the source, when, even before network packages go into a container, it already sees it will go there, and then it's doing a deep packet inspection on it, so that you, on one, on the one hand, can configure with rules: hey, this port is only allowed to communicate outgoing to this port and nothing else. So layer three, layer 4, which IP addresses are you communicating with, but also on layer 7: what is actually the protocol that is spoken on this connection?
C
C
C
First of all, you can say all, all these limitations that you put in and into a container, like what network connections you can make, what files you can access, what processes that you can execute, allow you then to limit the impact a zero day or an unknown or unpatched CVE actually has on a container, because even if this is a WordPress and there's a plugin in there that has a vulnerability, and then an attacker could attack this and get into the container,
C
No layer of these is perfect, but security is a bit like cheese, and every layer of cheese has holes in it. You just have to put enough layers of cheese on top of each other that you can't see through the holes anymore. So these are just additional layers of, yeah, security that can prevent an attacker from actually doing something malicious, even if you have a CVE, if you have a security problem in your applications.
C
Because NeuVector is doing on all these connections a deep packet inspection by actually seeing the content of every network package, it can also automatically do things like web application firewalls and data loss preventions, so that you, for example, can scan for cross-site scripting or SQL injection patterns in your traffic. And the nice thing is: you can do this where it makes sense, instead of going broadly that you check for Log4Shell patterns, for example, everywhere in your system, even where it doesn't make any sense, because it's not a Java service or there's no Java source involved.
C
You can do this granularly and decide: on this connection, I want, probably want to check for SQL injections; on this connection, I want to check for XSS. And you don't have to scan all your traffic for everything and making stuff very slow in the process.
C
Now, building up such a rule set of what network connections are allowed, what process, processes can be executed, what files can be accessed can be quite tedious. At least it's not something I enjoy. I don't like writing firewall rules, and if someone does, please come to me, I probably have jobs for you. The great thing about what NeuVector can do: it can help you doing this by automatically learning the normal and standard behavior.
C
You can run the whole system, the whole cluster or individual pods, or groups of pods, like all pods within a namespace, in different modes. The first mode is the Discover mode, where in this case NeuVector will learn what is the current behavior, so what network connections are being executed, what processes are being executed and what files are being accessed, and then it will, can create a rule set automatically for you.
C
You should, of course, do this in some kind of a trusted environment, probably not on production. When there's already an attacker on there, then you learn what the attacker is doing. Maybe in a staging environment where you're running your QA tests, or we're testing if your application is actually working. And then, if you're happy with the rules, and of course you can modify them, you can add your own, delete some
C
Rules, but then, if something is happening that is not covered by rules, again network connection, process execution or file access, it will still happen. Nothing is blocked, nothing breaks, but you get an alert. And when you're happy with that, and there are no alerts anymore, you can also switch individual pods, the whole systems or groups of pods in a Protect mode, where NeuVector will then also not only alert you, but something is happening that is not covered by rules, but also completely blocked.
C
And this behavioral learning is something that can greatly help you creating all these hundreds of firewall rules that you need for, to have for an application, instead of you having, you having to do this manually. Let's spend the last five, six minutes to actually have a look at this.
C
So, first of all, one point: I'm using, is this visible from the front, size, from the back? Perfect. So I'm using here Rancher as a Kubernetes management tool. That is just where my Kubernetes cluster, NeuVector works in any kind of Kubernetes cluster, regardless where it's running. So if you run Kubernetes, you can run and install NeuVector, and you install it very easily with a Helm chart, and I have this installed here, ready. And one thing I also deployed in my cluster is a small demo application. That's maybe limit this a bit.
C
F
C
So in NeuVector you have some information about the security of your system. You can, of course, look at all the scanning results, so I can look at all my containers deployed here, and I can, for example, see that in the front-end pod there are, there is one security vulnerability in OpenSSL that I probably should fix in the base image. I can also get more details on the CVE, get ordered and even get to the source of the, where the CVE was reported.
C
So that's okay, but not really exciting. What's exciting is the runtime security part, and let's have a look at this. I have this front-end service here, right? Let's maybe remove that. And here for this front-end service I have a couple rules for process execution that have already been learned. So for some reason someone, was probably me testing, executed sh in there, in the, in the container.
C
There is this server binary that was executed and then the pause binary from the Kubernetes, from Kubernetes itself, and there are no additional files that are written or being accessed in the container, so that's empty. And there are a couple of network rules that have been learned, for example, that the front end is calling the DNS inside of the pod, inside of the cluster, and actually speaking DNS on the, on the connection. The nodes are calling the front-end service. These are the, the health checks from the kubelet.
C
There is a load generator inside of this cluster that's calling the front end and doing HTTP, and then the front end is calling additional microservices like the currency service, checkout service and much more. But there is no, if we scroll through here, there is no connection to external systems from the container.
C
So let's maybe have a look and change this. Also note, I'm here currently in Discover mode, so I'm actually learning new stuff at the moment. So if I go back in here, and let's go to the front end, and let's actually execute a shell inside of the container, so this is basically kubectl exec, and then I'm starting an sh process inside of the container, and I think I don't have curl in here, but I have wget. So let's do a wget at google.com. Works, and yeah.
C
C
C
Then now to NeuVector. You can see there are a couple things happening. First, I now have wget. That was just learned like a few seconds ago, and I also should have a network connection alert here, also a few seconds ago, here, that the default front-end pod connected to an external system, in this case google.com.
C
So let's maybe see how we can alert and block this. So I'm switching now the mode manually. You can also do this automatically. First to the Monitor mode, where NeuVector will now stop learning new things and alert us if something is happening that we don't want. And if I maybe go back to the process profile, process rules here, and I'm just going to delete the rule that wget is allowed again, because that was me testing,
C
And execute the same thing again, then the process is directly killed. I think I'm not even allowed to execute it, and, of course, I also get alert for that. So if I go back to the security events, I now have a critical alert because something was blocked, in this case wget. And if I, if that were now a false positive, I, of course, can also directly from here create a rule again, saying quickly,
C
Okay, and if we try the same thing again, and if I did nothing wrong, it should now be able to execute the wget process, but the connection is now, yeah, timing out and I don't get any response back anymore. And I don't know what the connection timeout of wget is. At some point it will probably say connection timed out. And of course, I can also see this in my alerts that something has been happening here.
C
A connection to google.com that has been blocked. I can not only see this in lists. I also have a nice visual representation of all of that. That's now a bit like UI sugar, which, this is now all the pods on my cluster. You can see lots of bubbles. Every bubble is one, one application here, and you can see the front-end pod is green because it's running in Protect mode, but it has a red bubble.
C
C
Maybe one last thing that you can also do from here, just a bit of convenience: because you, we have here the packet inspection running, I can also do a packet capture here and saying: hey, I want to check what is actually running on this connection, in, just live. And then I can, when I caught enough traffic, I can generate myself a download file and then also analyze all the traffic and all the network packages that were sent on this connection directly with Wireshark. I don't want to update.
C
C
C
At least I have to Google all the time, but the correct flags are, and this is maybe a bit more approachable. There's tons of more stuff in there in terms of automation, in terms of what you can do with scanning, also with compliance scanning, how you can visualize all the data. Also didn't cover any of the application firewall rules yet, or things that you can configure with Kubernetes admission control, where you can say: hey, forbid the deployments of container images that have known security vulnerabilities, stuff like that. So there's lots of more stuff to see.
C
But for me the most important part would be to show you: hey, there is software out there that is open source that you can use to actually protect your containerized applications during runtime, and it's quite easy to use. Actually, when you, it's a lot easier for you to use than you may think. If you want to try it out, again, everything is open source, you, the documentation is open source. I also have the link to it
C
In my slides. It's in the end a Helm chart you install inside of your cluster or, if you're using OpenShift, then you install from the application marketplace the correct operator and then you're good to go. And the great thing is: if you install it, nothing will break, because everything will be in Discover mode. Nothing is being blocked, so you can just install it and try it out, get visibility and then start maybe playing around with it, and without fearing breaking everything directly.
C
E
C
Only that is possible, so you can use it in a multi-tenancy cluster, and you can also learn things in one cluster like a staging cluster and then export this as Kubernetes resources, put it in Git, do then SecOps or GitOps and deploy it to a production cluster. That's also possible, and additionally there, if you don't like to do GitOps, some people don't like it for some reason that I haven't figured out,
C
C
The question was about the overhead of running this. There are two angles to think about here. The first is how much resources does NeuVector need on its own, like it needs a bit of CPU and memory. That's documented. So NeuVector has a couple parts. It has a so-called controller, that's like the REST API, another internal database. You usually run this three times for high availability, and each, depends a bit on the size of a cluster, probably needs like a gig of RAM or so, or two gigs of RAM each instance.
C
So it is a bit unique for a NeuVector, for, for the brain of NeuVector. Then there is a part that serves the web UI, that's very small. It's basically just static web server that serves HTML, CSS. And then there is an enforcer running as a DaemonSet on every node. That actually does then the, looks at the network stack, looks at the process execution, does the blocking, and that also needs like a gig of RAM and like a tiny bit of CPU. It's not that much.
C
Of course, it is something, if you have, if you want to run on a Raspberry Pi, it doesn't, won't work, but in a normally sized Kubernetes cluster, the resources you need, and I think the benefit of NeuVector outweighed what you have to pay for it in order to run it. The second angle to it: what actually happens on, as an overhead on the network connections when NeuVector is running, thus might do my network connections get slower or the network connection setup when you run a pod in either Discover or Monitor mode.
C
If NeuVector is running in Protect mode for a pod, then there is a slight overhead, because an electron needs to get in between the traffic in order to be able to block it, and that overhead is from our benchmarks around one to three percent, which, usually you don't see it, kind of like goes under like the normal deviation that you have in network connections. But please don't trust
C
My word on it and measure it, because every system is different. Measure it on your own. Benchmark it, because it's quite easy: do benchmarks and then switch it on and do your same benchmark again and see, does it make stuff slower or not? Do we see anything or not? And I, I've been working with quite a few large companies also testing that and integrating that, and they also said to me: hey, we agree with you. We don't see anything getting slower in a measurable way.
C
Yes. Does this answer the question? Okay, perfect. Any other questions? Yes, yeah.
C
The question is if I know the technology used at kernel space to do the packet inspection. I'm not a network, networking guru or kernel guru, I, so I know what it's not doing. It's not, that's where probably the first angle to the answer, that's quite, actually quite important. You don't have to install sidecars everywhere. So it's not something like a service mesh like Istio, where you need a sidecar additionally into, in every pod.
C
It works together with Istio and other service meshes that are using sidecar, and it can even make this a bit more secure, because you can limit your application container to always only connect to the sidecar, and then the sidecars between each other to always do TLS or something like this. So it works well together. You also don't need to install any kernel modules or something like that.
C
C
F
C
C
The question is: does it provide custom resource definitions for actually providing the configuration through Git, Git and GitOps and resources? Yes, it does. So you can click in the UI. You can also do this with infrastructure, security as code. Yes, yeah.
C
So the question is: is there any kind of hardening in NeuVector, because NeuVector has a lot of privileges and basically you have to trust that NeuVector is doing its job, its job? You have this with any kind of security tool that does runtime, like if you use firewalld, for example, to block stuff, you,
C
You also have to trust that it's working. If you use Kubernetes network policies, you also have to trust that they're working. A CNI plugin is also doing lots of important stuff that also meets behind, you have to, you, you have to ensure and trust that it's working there. So we provide hardening guides, and of course it is an open source project, but there are also people behind this, so we at SUSE, we develop it.
C
We acquired NeuVector, the company, last year, now two years ago, and a half years now ago. The first thing we did is open source proprietary software, and then we can also provide you insurance there. So if it's, for example, you need certifications, or for compliance reasons you need like a vendor that you have to call and have to, can blame if something goes wrong, that's also possible, but then of course that would cost money. Or if you're interested, I can also give you the right contacts.
C
There. I think I get the sign that that was the last questions. I'm gonna stick around here, so we can chat and talk about all the other questions afterwards. Thanks again, thanks so much.
D
There's pizza back there. There.
D
A
Okay, we have all the outputs set. We have some of you seated, great. We have Stefan now, and he will be talking about Cilium Cluster Mesh and his work with it. So without further ado, take it away. Oh.
F
Oh god, okay! So as an introduction, I, I thought it was an hour and a half talk. Then it was an hour, and it's 30 minutes. So I hope you have no plan after that today. As mentioned, I will be talking about Cilium Cluster Mesh. I'm not a technical guy, but kind of. So if you have questions, that's the good thing about this not being like a KubeCon talk, it's very small.
F
A
A
G
A
F
All right, so yeah.
F
So it's not a talk. It's a meet-up. So if you have any questions, feel free to raise your hands. I'm technical, but not that much, so if I don't have the answer, at least I know that I don't. So yeah, I will, I will probably ask you to take a note and send me the question afterwards. As you might guess by the accent, I'm French. So sorry about that already. One other thing, because I got this question every time: so I'm using an iPad. So this is pictures of my presentation.
F
It's not my actual presentation. So if you see me drawing on it, it's because, once again, it's a pictures. I do that for two reasons. The first one is so I can easily answer your question and show you stuff, and the second one is because I'm sending this presentation to friends and my wife also, who review the slide and let me comment, and most of the time I forget to delete the comments. So that's also why I'm mentioning this.
F
So, let's start the talk, and we're going to talk about Cilium Cluster Mesh. Oh yeah, so first comment: I need to introduce myself first. So my name is Stefan. I worked four years at Google, I was a Kubernetes specialist trying to help our customer using GKE. Recently moved to a company called Isovalent, and one of the products done by Isovalent is called Cilium. I need to make it quick. Yeah, I'm also a Kubernetes contributor, mostly around autoscaling and networking.
F
Oh yeah, I didn't do the joke. That's okay! So first, who already knows about Cilium? I had some discussions during pizza time, so don't lie. Okay. And who already knows about eBPF? Mostly the same persons. Okay, so half. You never know! You never know the
F
Will be fun. But so I will start and do a quick introduction. If you have any questions, feel free to raise your hand. Once again, there is no... I mean, there are dumb questions, but don't ask them. So today I'm gonna mention multiple things. Oh, I lost the screen. So, without the screen.
F
What was the joke? Oh yeah, so I always share something personal when I do a talk, and I was about to say that at the beginning I wanted to do comedy and one-man shows. That was a dream of mine when I was a young kid, but I was very bad at it. And I wanted money also, so I went into IT, and then I learned about stuff like blockchain and NFTs, and I'm still doing jokes anyway now. So yeah, that was the joke, but it was bad.
F
So my wife told me not to do so. So I'm going to talk about multiple things: Cilium, eBPF and Isovalent. Isovalent is the company behind Cilium and eBPF. Why am I saying that? Because we have the founders inside of the company, but it's still an open source project. So if you want to become a member of the community, you still can. And what we do at Isovalent is continue contributing to this project and also selling an enterprise version to customers who want enterprise support.
F
I mean all of you. So obviously I'm going to very quickly introduce eBPF. Once again, we don't have a lot of time. So a very easy way to understand eBPF is by this quote, saying it is what JavaScript is to the browser. So what does that mean? I guess all of you are familiar now with, like, Lambda functions or Cloud Functions on any other cloud provider, and all this architecture around eventing. So basically, something happens, you do something. Something else happens, you do something else.
F
eBPF is doing that, but inside the kernel. So every time something is happening, there is what we call an attachment point, and we're gonna run code related to these attachment points. So in this example, someone is doing one of the syscalls. Sorry, so exactly, and we're gonna start running code to answer and manipulate and do something regarding what is happening. So, like JavaScript in the browser. Why? Because we can do that without doing any modification to the kernel. So that's why it's interesting.
F
So there is the attachment point, and we can load our code inside the kernel, but we don't need to modify it. So, like JavaScript and the browser. And why try to do a parallel for the Linux kernel? You will understand why. So another example: it's not only about networking. That's why it's very interesting, and I'm going to talk about what other things you can do with Cilium, but today will be mostly focused around networking. But in this example, they are using the file system, like any syscall.
F
So any user space program trying to talk to a kernel space program is going to make a syscall, and there are attachment points. There are more than 100 attachment points right now where you can execute code. So this is Cilium. Cilium is basically a two-part program: a user space program and a kernel space program. So the Cilium agent running in user space is going to inject code inside the kernel space. So it's binary injected code, to do multiple things.
F
The first thing is being a CNI for Kubernetes. Is everybody aware of what a CNI is? If you don't, raise your hand. Nobody? Yeah, kind of, okay. So it's basically helping communication between two applications on your Kubernetes cluster. If there is no CNI, there is no communication on your cluster, and I'm going to talk a bit more about that and what we do. But not only: Cilium is not only a CNI. It started as a CNI, but it's, I will say, a framework, a framework for eBPF.
F
So anything you want to do around eBPF, you can use Cilium as a framework, and it's not only running on Kubernetes. We have some customers running Cilium on top of VMs, and pretty soon on top of Windows VMs also. So you can have multi-cluster, you can have a VM gateway, you can do networking policy, identity-based encryption. I'm going to talk a little bit about that. But just so you understand, it's not only your Kubernetes CNI.
F
I already mentioned all of that. I'm gonna talk a little bit about networking, then observability, and we're gonna then go into, I mean, the purpose of the presentation, and talk about cluster mesh. And for the people who liked the previous talk, there is also a Cilium-based product called Tetragon, where you can have runtime security, and I'm not gonna mention what it's doing, because we already had a very amazing talk about that. Customers: we have many customers. Most of the cloud providers.
F
The big cloud providers are using Cilium under the hood, so GCP, AWS. Azure just announced a partnership with Isovalent and Cilium, so if you run Azure, you can have Cilium. I'm saying that so that you understand that everything I'm going to talk about, you can actually use already, because it's already there. So the first thing we do: Kubernetes networking. So what does that mean? It means that inside your cluster, you have the Cilium agent running on the nodes, as a DaemonSet, and it's injecting this eBPF code on every node.
F
So it will allow communication between the containers on your cluster, and I'm gonna explain how now. So it's an eBPF-based CNI, instead of using kube-proxy like most, I would say, of the older CNIs. The issue with kube-proxy is that it's, under the hood, using iptables or IPVS, and the issue with iptables is that, as mentioned in the previous talk, in a containerized environment, containers die very quickly. So you have a lot of containers.
F
So there are many changes with IP addresses, but also with your iptables rules, and an issue with iptables is that it is enforcing networking policy through iptables chaining. So if you have one change of networking policy on your cluster, you need to change the entire list of iptables, so it doesn't scale very well. We don't do that when you use eBPF, and also the hash table algorithm allows us to do per-CPU hash tables.
F
F
Any questions at that point? All right. We can also do, obviously, load balancing, so you can use eBPF as a load balancer, so you can deploy great L4 load balancing. And if that's coming from me, let me know, but yeah. You can have a question.
E
E
F
Okay, sure. And Cilium supports both the Kubernetes networking policy and the Cilium networking policy as a security. So if you don't want to use Cilium networking policy and keep using Kubernetes networking policy, it will just work. You have nothing to do. Yeah, you're welcome. And it's, yeah, it's enforced at runtime, so it will work. I'm not booming, I'm not.
D
F
Here we are. So if you deploy an L4 load balancer, we can also act as a load balancer. We are now also working with the Kubernetes Gateway API. So if you're using the Kubernetes Gateway API, we have a GatewayClass for Cilium, so you can also use Cilium as an ingress way to have traffic. We also do egress gateway. So if you need to go out of your Kubernetes cluster, you can have an egress gateway. If you use Cilium Enterprise, we have gateway, so you have multiple gateways on your cluster.
F
F
If you already have a CNI, we can do CNI chaining, and because we love Microsoft, we just announced that the Azure CNI is now powered by Cilium. So if you use Azure CNI, under the hood you already have access to the amazing features of Cilium. But there is also a way to bring your own CNI on AKS. So if you do that, you can then install your own Cilium setup, if you want to change something or use the Cilium Enterprise version. So if you're using one of the cloud providers, we can work together.
F
If you don't, we can work together. Yeah, and we don't need that. So, as I mentioned, we are everywhere. Security: so that's very interesting, and you need to understand that to understand the demo. Yes? Oh yeah, I'm pushing the
F
That's very smart, oh yeah! That's... so I will
F
I will keep moving it. So thank you for that. So, as mentioned in the previous talk (once again, very good talk), we have an identity problem on Kubernetes. It's very hard for most firewalls to understand who is doing what, because the only thing they know is that there is a container doing something. So when you have an identity-based security system, Cilium knows that one pod is identical to another by using labels. So we are not using IPs in our rules. We are using identity. Why is it important?
F
Remember the issue with iptables and the security chaining system? We don't have that, because even if a pod restarts, it keeps the same identity, the same labels. And during the demo and the slides on cluster mesh: even when you have two clusters, if you deploy the same application on two clusters, at the Cilium level it's the same application. They share a unique and same identity.
F
So it's very important, because it means we can have networking policy working on top of multiple Kubernetes clusters, and not only one, because they share a common identity. I will show you that later. Networking policy: we can have L3, L4, L7 networking policy, FQDN networking policy, DNS networking policy. You can also create your own system of networking policy. This one, for example, works with Cassandra. If you have, I don't know, Kafka, for example, you can deploy your networking policy for Kafka and say this
F
F
E
F
How do you do that? Sure. So the question is: do we inject identity inside the packet? Yes, we do. So the thing is, as I mentioned earlier, we have multiple attachment points. This one, if I'm not mistaken, and once again, not an expert, is the socket map endpoint. So every time there is a packet coming through a socket, we can catch this packet before we leave socket kernel space, and we can act on it.
F
So we can inject more information coming from the user space inside the kernel and keep track of everything; we can stop a packet at socket level. We can redirect between two sockets. Yeah, so that's on me now. I know, I'm very sorry, but now we know what to do. And this is very interesting because, if you're out there using, like, Istio, for example, or any other service mesh, an issue with Istio is that there is no encryption in transit between two containers of the same pod.
F
So if you have Istio and you have, like, mTLS, someone listening carefully between the two containers, so between the container and the sidecar container, can actually see plain-text traffic. It's not real encryption. We can do that because we can map the two sockets together and act on it, but it's a story for another time.
F
F
What am I talking about? Just to give you a very high-level overview: this is what you can have, this is what you have by using Cilium out of the box, without deploying anything. It's your Kubernetes CNI. So once again, it's already there. It's already running on your cluster. You can have this type of service map. You can have information regarding the networking policy. Here I have an example where traffic got blocked, so you have the network flow here. The traffic is blocked; I can see why. I can inspect the networking policy.
F
I can update the networking policy, so if I want to make a change so that they can talk together, I just have to click there and make the change so that it works. Why am I mentioning this? Because in the Cilium cluster mesh scenario, so when you have multiple Kubernetes clusters, this also works multi-cluster.
F
So all these flows, all the flows that we can see here, and I will show you that later: you can see flows coming from multiple clusters, not only one, but only by using one interface. I'm going to talk more about that later. Where is the presentation? So, already showed you Hubble, we talked about flow visibility. I can show you how it looks. You're gonna look at that; I love that, there's a lot of colors.
F
So let me... I'm gonna clear that for you. So here, I am doing the wrong thing. Yeah, so I'm using Hubble, so our interface, just to observe the traffic flow, and I'm going to only watch for one pod, the X-Wing pod. So here I'm listening, I'm waiting for something to happen, and if I exec a command, I can see that there is a flow coming in, and I can have information regarding the traffic.
F
So I can see what is okay. So, for example, I'm blocking nothing to my CoreDNS to do DNS resolution, but then I'm blocking the traffic, so I can see that there are packet drops. So this is the flow, and this works multi-cluster when you are using cluster mesh. So if you use Hubble and our interface, you can see everything happening on the clusters, once again without any installation. It's a part of your Kubernetes CNI. Service map: already showed that. Oh yes, Grafana integration. I'm
F
Pretty sure, like, half of the people here are in love with Grafana. We also have a partnership with Grafana, I knew it. So everything is sending metrics, it's OpenTelemetry, so you can catch that. You can have information regarding your Cilium agent, everything that's happening. Here I have information regarding the metrics. Yeah, just, I don't know, just break it. So here I can have information regarding the traffic. I can see the number of packets that have been dropped.
F
I can see the reason why they've been dropped. So sometimes that is because of the deny policy, but sometimes I'm just using a protocol that is not supported. Sometimes, again, there's some success, so there's a drop and the reason is Success. Yeah, it just makes sense. So, integration with Grafana. So once again, if you use Cilium cluster mesh, you can have the same type of integration with Grafana, and you will see one dashboard per cluster, or you can build your own dashboard with multiple clusters in it.
F
I saw something working, it was working. Tetragon: so I said I'm not gonna mention it, so I'm gonna mention it, but very fast. Because we are already at kernel level, and we are already in your cluster (once again, you have nothing to do but just enable the feature), we can attach to more endpoints. So, instead of just playing with networking attachment points, we can play with way, way more than that.
F
So we can have information, because we are in the kernel, about basically everything running inside the cluster, so we can say when something that shouldn't happen is happening. For example, I don't know, someone doing netcat coming from a pod, or reaching to an external endpoint, and you don't want that. We can have all this information, and we can act on it by using networking policy.
F
Also, you have a CRD, so you can deploy policy to block the things that you don't want happening on your cluster, and there is an integration with Grafana, so you can have all of that coming through Grafana. Now, we don't have a very interface; I really like the interface from the previous tool, by the way. Here is the process tree view.
F
So in this example, I can see that there is a pod running on my cluster, and it did a netcat and exec'd a bash script and then a curl command, and I can see that they were trying to reach a Twitter thingy. Don't know why. Cilium cluster mesh, finally. Questions before I start the talk?
F
F
That way, when we started working on Kubernetes (I say we because I worked at Google, remember that), multi-cluster is painful. And the first step to manage a multi-cluster environment and a multi-cluster architecture is first to understand what's happening, so everything around observability, and second is to have a single pane of glass and communication. So you want to have one place where you can see what's happening and act on it, and also you want to enable service discovery.
F
So the idea that the people at Cilium had is: what if, because we are already in the kernel, in the cluster, what if we can establish communication between the two and run everything in kernel space? So not running a user space program, not asking people to do stuff, but do that, you know, the old Linux-fashion way. There are some requirements, obviously, the biggest one being that you need to have a different IP subnet.
F
F
So why would you do that? The first scenario is high availability. So if you have a front-end application running, and this application then has back-end services, and there are other back-end services; if you have two clusters because, for example, I don't know, you have customers in the USA and you have customers in the EU, and you want that, if something happens at some point in this cluster, the request can still go to the other cluster and use the backend in the other
F
Cluster. So this is highly used for high availability, but also for things like A/B testing or canary deployments, all that type of way. So by deploying what we call the global service, you can have this type of thing. It's just an annotation on a simple Kubernetes service. So there is nothing to do, once again. You just annotate your Kubernetes services, saying: yeah, I want that service to be globally distributed.
F
You can also have shared services. So what happens a lot is multiple teams having multiple clusters, and there is, for example, a team that has all the services regarding users. Now you can have two clusters sharing services, so using Kubernetes services even if the services are not inside the cluster but running in another cluster. So that can be very helpful, so you don't have to duplicate code between the two clusters. And why would you do that this way? Because here it's totally invisible for this service. It is just talking to another Kubernetes service.
F
It doesn't know that, under the hood, the traffic is going to be redirected to another Kubernetes cluster. For it, it's actually invisible. Not for everybody, but it is for it. Splitting services: who is running databases on top of Kubernetes here? There's always only one, and he's always at the end. He is at the end. I saw your hand. Yeah, he's always hiding somewhere.
F
So this is tough. I mean, it's tough and not that hard at the same time. We have evolved a lot around stateful application management on top of Kubernetes; it's way better than, like, four years ago. But the issue is, at some point you need to do an upgrade, and the thing is, who decides the upgrade? I mean, the developer team, not the platform team. So they are going to say: hey, I need this feature, and I need to upgrade the cluster.
F
The thing is, everything is running on the same cluster, both the stateful applications and the stateless applications, and it's painful to upgrade everything at the same time. So what people are starting to do (I'm not saying it's the right way of doing things, but I've seen things) is separating that into multiple clusters. So they have one stateful cluster that is only running stateful applications, and basically they never touch this cluster. So it's called a VM, but, you know, it's Kubernetes. And then there are other Kubernetes clusters with stateless applications.
F
If you do that, once again, it's invisible for your cluster. Your services inside one cluster don't know that the service is actually served from another Kubernetes cluster. So that's why, for this type of application, you want to have a cluster mesh. But from time to time you don't want this to happen, but I still want to have cluster mesh. You can also do that. So you can define affinity at the service level, and you can say, for example, I want to have a preference.
F
F
So it's as simple as that. It's a plain classic Kubernetes service, and you just have two annotations. I mean, you already have hundreds of them, so it's just two more annotations. We can also do the same with remote service affinity. I really like that one for A/B testing and canary deployments; it's very useful.
F
So if you do that, this service doesn't receive traffic anymore, and you can just basically curl it and do your stuff and testing and do quality tests on top of that. So basically the type of stuff you used to do with a service mesh, but, I mean, without having to have a service mesh. But we also do service mesh. As I mentioned, we have some features like service discovery, encryption in transit, and also you can use both at the same time.
F
So in this example, we are using service mesh features like A/B testing, like, as you said, at the ingress level: I want 75 percent of my customers to go to this service, 25 of the customers to go to this service, but at the same time I still want to have this. I can see. Yeah, I still want to have this working where, if something goes wrong here, you can still serve my customers. So if I lose this connectivity, I don't lose anything.
F
We can also do topology-aware routing with cluster mesh. So it means that at the ingress level, so before (and that's very important), before even reaching the first services, at the ingress level you can redirect the traffic and say: okay, this service is not there, it's not up. So before anything here, you can redirect the traffic to the other one. That's the biggest difference. If you use, like, Istio or any other service mesh, you need to be inside the service mesh to first do something with it.
F
So for many, many reasons, this is very helpful, once again, because this ingress gateway is running on the nodes using eBPF. So at the kernel level we can inspect the packet, see what's inside the packet and act on it before even sending it to the first application. Already mentioned that. Canary rollout: everybody wants to do that. Nobody does that, but if one of you is actually doing it, you can do that also by using cluster mesh, and as I mentioned earlier, you just change only one of the clusters.
F
You do the service annotation so that the traffic doesn't go the other way, and here you are not at your service, to send your network packet to your backend services. So, a very, very simple way of doing that. I mean, it looks simple. I hope I make it look simple. And I'm out of time, but if you want to learn more, I have many recommendations.
F
First, Cilium is an open source community, so just join the Slack channel and ask your questions in the Slack. People are very friendly, and the worst of them, so they will be very helpful. Also check the Isovalent website, for two reasons. One, because I know you want to work with me now, so you can just, you know, book a demo and we can work with you. Or you can also do the labs.
F
F
Do we have any questions? If there is no question, I have a demo running. Yes?
F
That's a good question. So most of the features, I will say, are around everything HA, so for high availability. For example, if you do networking policy at L7, you sometimes need to do DNS queries. What we can do is deploy multiple CoreDNS instances so that you have HA DNS. We have HA for the egress gateway: so, instead of having one pod doing egress, you can have multiple instead, in case one fails. And also you earn the right to work with me, which is, that's it, priceless. Yes?
F
C
F
F
Yes, that's a good question. It depends who you are and how averse to security the company is. That's the first part of the question. As I mentioned earlier, the issue with the Istio sidecar system is that it's plain text between the two containers of one pod. So if you have people with root access, not even root, just network capability, they can see traffic in transit. So that's first. The second issue also is that it is deploying Envoy. We have one per node, where they deploy
F
F
Yes, exactly. Yeah, they are going in this direction, yes. And it's just faster. If you look, we have a public stress test on the website that you can see, and it's just running, like, between 10 to 100 times faster than using a service mesh. But for that, just go on the website. It's publicly available. You can run the test yourself. Yeah, so I would say that's the... And also, most of the time, from what I've seen: developer experience. So I'm not talking platform administrator, but just the developer.
F
They can see the difference. They don't have to think: oh, I have to use this Helm chart to inject my Envoy proxy sidecar. Because they don't have to; it's just there. I would say, yeah. But I don't often go front to front with this. Actually, you can run both. You can have Cilium as a CNI and still use Istio if you're happy with it, and we can actually correct this plain text even if you're still using Istio, so you can use both. So yeah.
F
G
F
So that's one thing. I don't know if some of you do Kubernetes demos; it's not, like, visual, you know, it's just: it's working. So I'm just gonna show you something that hopefully is working. So that was the previous demo. So that's my demo environment. So if you want to build the same, what I've done is a very, very simple thing.
F
Because, you know, I'm a very big fan of Azure, I have a VM running on Azure, and I just SSH to this VM, and on this VM I'm using kind to deploy two Kubernetes clusters. Why am I doing that? Because it's very simple: because it's running on the same VM, I have layer 2 access. I don't have to use the vehicle or stuff to connect them.
F
It's just working out of the box. So that's the demo. So I have two clusters, cluster mesh one and cluster mesh two, and those two clusters, if I show you... I think I broke that one. Yeah, obviously. So I only have one. Can you read something? Yeah, I will do that. I know you're just being kind with me, but you can't read. So I only have one very simple application, and what I'm doing is deploying an application.
F
Truth, okay. So here I'm just curling, to show you that it works. This application, what it does is give you the IP address that sent the answer to your curl request. But to show you what's happening,
F
I'm also gonna use Hubble at the same time to see what's running, and I'm only targeting DNS, and you will see why I'm doing that: because it's very easy to lie with this demo and make you think that it's working. So, as you can see, I have an answer one time from 10 1 140, the other time from 10 to 181, so two different pods on two different clusters, and I'm just doing that.
F
But what's interesting is that this Hubble command is only running on one cluster, but still I can see that I'm answering from different IP addresses. You can see, because they are using different ports on each cluster. But what's very interesting is this ID. As mentioned, it looks like it's the same pod answering every time, but as you see, it's not. But at the networking policy level, so at the Cilium identity level, for us it's the same application, because it's the same application but running on top of two clusters.
F
F
So it's running, so it's working. How easy is it? Actually, kind of easy. I mean, no one is asking me to leave, so if I have two minutes, I can show you how easy it is. Oh, that was ready. So the way it works, basically, that's your content. I'm sorry for my drawing. That is two clusters. Yes, I know. Here on top you have your control plane, another control plane, and this is the node for each cluster. So what we
F
What you do when you ask to connect the two clusters: what we're gonna do is basically deploy a control plane inside the cluster, and this is the control plane for cluster mesh. And inside this cluster mesh there are two things: there is an API server and etcd. So once again, API server and etcd. And what's happening is that this Cilium agent can listen to multiple API servers.
F
So not only that one, but also that one, and the external one here. So it depends how you establish the connectivity; it can be fixed and can be other technology. So they are talking with each other, and every time you create a new service (so you know how Kubernetes works, a lot of things here), then the information is taken by the Cilium agent, sent inside this API server, duplicated to that one, so that this one knows, but it never changes that one.
F
Why is it important? Because you don't want to have, like, pure duplication of your Kubernetes services. You can have many, many issues with that. So it's only duplicated at this level, so for this control plane, but it never goes here. So if you do a kubectl get service, you can only have the services of your cluster. But if you do a cilium service list, then you can see the services of both clusters at the same time.
F
G
F
So no worries. I think it's louder, that one is louder, no?
G
Worries. Can you all hear me fine in the back? Perfect. So, this Kubernetes meetup: I'm really happy to see that we have already a full house, which is fantastic. This is only our second meetup. We started doing this re-emergence of the Kubernetes meetup in Berlin starting last month. Benazir here has been leading this meetup, so thank you, Benazir, for organizing. We always need more help, though, and I would love to see more volunteers. We would love to see more volunteers.
G
So if you want to help us organize... As you saw, there were some technical glitches today, which you have gracefully endured, but it takes a village to create this meetup, and we would love to see the community come together. It definitely looks like we are going to need a bigger space going forward. So if you have any ideas for space, if you have office space that we can utilize for the meetup, we'd love to see that, and so on, right? Always looking for new speakers, new ideas and feedback coming from the community.
G
A
Thanks, Aditya. I just basically wanted to say thank you to all of you. This was a New Year's special edition. We put it together in such a hurry, but I'm so happy to see the turnout today. If anything, it's just testimony to the fact that we should be having these meetups going forward and that they are successful, and that your turnout here makes it successful. Your participation makes it successful. So let's just make it more wholesome and all-round.
A
Let's just see more of you actually reach out to us and tell us what you'd like to hear in terms of content, in terms of who should be speaking: any industry leaders you want to hear from, any of your folks you want to hear from. Trust me, these are your community meetups, and we'd love to see you shape this program. If I haven't mentioned it way too many times already, I'm going to say it again: follow our Kinfolk LinkedIn, follow our Kinfolk Twitter.
A
This is the best way for us to broadcast some of this information. We have some of these forms that we're putting out, which are community meetup props. Trust me, they're all Google Forms, okay? So it's not just us here; we're trying to work with collaborative tools that work for everyone.
A
We just want to hear from you. We just want to see more help. We just want to see more input. Aditya, for instance, today came in, like, a few hours before the meetup and everything, and it's just great. You know, you can find me on LinkedIn too. You can find me, I'm Benazir Khan.
A
You can just find me if you want to. I can give you my email, whatever you want. Just reach out. And we have these meetups coming up monthly, at least, and what we'd like to do is, basically, when we have more of the community, it just becomes a lot easier and it becomes a lot more fun in terms of planning, in terms of organizing. We have the space, we have the AV setup.
E
A
If some of you just come there and, you know, assist and go, like, hey, you know what, I have a better idea of doing this, or fine-tuning this, and stuff like that, we're open to all of that. But it really takes people to actually show up, even if it's a few hours before a meetup, and it's once a month at least. So yeah, when you do hear about meetup dates,
G
So when, as you said, follow Kinfolk on Twitter and follow our socials and so on, you're welcome to connect, but also, very importantly, talk to each other. We are going to hang out here for 30-ish minutes more. Reach out. This is the community. You get to learn a lot from each other, so connect to each other, follow each other and learn from each other. So that's also a very important aspect of it and that helps us keep coming here, right? And what I've seen from the Kubernetes community is very engaged.
G
We learn from each other, there's a lot of vendors and so on. We learn from each other. We do friendly jabs at each other, right, it's all fun. It all helps us improve. So please stay around, grab some pizza, if there's still some pizza, and have a chat with your fellow kubernauts, and that's always lovely. Go ahead, please.
G
That's a great question. So are the slides and recordings available? In case you want to watch any of the recordings, we actually stream it on the Kinfolk.
A
We streamed it on the Kinfolk YouTube channel and we do want to post-process them and try to give you talk recordings, but that's a work in progress again, which is where we need as much help as possible. So I would wait for some time before we could actually do some of that work and have that released and everything because, as I said, it's a work in progress, but the whole event should be available on Kinfolk's YouTube. So you can actually check it out there.
G
A
Last thing: some of you did, yeah, well, I don't know who is who, because we're not actually doing anything for demand or lead gen or anything, but I urge you to RSVP on meetup.com. We have to gauge the success of some of these meetups and everything across organizations. It's not just one or two or anything, because this is a community effort and it's a few of us coming together and doing all of this. It just helps report back better numbers and better stats. So please, please go there.