►
Description
Blog post on https://everyonecancontribute.com/
Kubernetes group repos: https://gitlab.com/everyonecancontribute/kubernetes
Twitter thread: https://twitter.com/dnsmichi/status/1364622431202213893
A
B
Yeah,
so
we
are
known
everyone
number
everyone
can
contribute
number
18,
so
it's
like
our
birthday,
so
also
a
little
bit
of
18
birthdays
so
that
we
can
also
talk
about
getting
promised
and
getting
rights
to
do
something.
So
it's
the
right
point
to
get
into
this.
So
today
we
want
a
little
bit
to
speak
about
arbor.
So
that
means
literally
that
we
need
to
look
into
two
important
points,
so
the
first
point
will
be
a
little
bit.
B
What
the
most
people
know
is
probably
under
the
name
authentication
mostly
if
you
read
it
in
go
or
other
systems,
it's
mostly
only
specified
as
often
and
if
you,
of
course,
if
you
have,
if
you
are
authenticated
against
the
service,
you
want
also
probably
authorized
to
do
something.
So
this
is
the
other
step.
So,
instead
of
authentication,
then
we're
talking
about
authorization
and
the
short
form
would
be
else
so
currently.
B
Kubernetes
in
the
past
has
different
models
to
do
the
authorization
part,
but
the
authentication
part
was
mostly
the
same
so
for
that
we
will
look
at
first
into
the
identification
part
how
it
can
authenticate
as
a
user
and
afterwards
we're
looking
more
into
the
row
based
axis
in
the
model
so
on
the
authorization
part
so
which
access
do.
I
have
to
get
directly
into
the
api
so
before
that,
no
not
before
we
can
deeply
dive
back
into
our
system.
B
B
Yeah
so
first
we
can
check
and
very
I
can
connect
to
it
communities
cluster.
So
everything
is
in
place.
Most
important
point
is
here
so
that
we
can
see
the
control
plane,
at
least-
and
this
is
currently
where
we're
connecting
against
each
other.
So
for
that
now,
because
I
don't
want
to
use
the
the
same.
B
Yeah,
so
really,
this
is
the
same
configuration
from
last
time,
so
we
see
here
the
demo.
We
don't
care
about
the
nicolas
user.
I
will
come
related
to
that.
We
have
our
cluster,
so
we
have
the
namespace
and
the
user.
Now
what
we
want
to
do.
I
don't
want
to
log
in
with
the
standard
user,
so
I
want
to
create
my
own
user
also
that
at
least
I
can
give
michael,
also
a
configuration
or
someone
else.
It
can
also
use
our
cluster.
These
alternate
access
to
the
cluster.
B
B
So
if
you
are
running
on
the
managed
to
wear
needles,
for
example,
on
rks
eks
or
kikai,
mostly
there's
another
concept
used
for
the
authentication,
I
will
move
it
there,
it's
a
little
bit
finer
so
for
that
most
people
use
another
approach
and
that
would
be
open
id
so
in
terms
of
identity.
Br
token,
literally,
this
is
for
authentication
for
idiot
bureau
token,
mostly
called
used
the
protocol
for
that
or
the
data
format
for
that
it's
jot.
B
B
You
aren't-
and
you
want
later
to
add
open
id
to
that
it's
possible,
so
you
can
use
twice,
authentication
layers
or
you
can
use
three
in
terms
of
so
that
you
have
multiple
authentication
methods
in
your
20,
most
reason
when
you
go
into
production
or
when
you
want
to
use
it
in
the
day
two
or
day
three
operations,
really,
you
should
use
opm
id,
but
we
will
come
later
to
the
point
why
you
should
use
this
instead
of
theater
certificates,
but
for
understanding.
I
think
ts
is
a
great
way
and
also
otherwise.
B
We
need
to
dig
a
little
bit
into
the
gis
j3s
server
and
check
how
it
works
there.
So
for
that
we
will
come
back.
Okay,
so
luckily,
let's
create
a
user
so
for
creating
a
user
or
creating
creating
creating
the
user
for
the
control
plane.
First,
what
we
need,
of
course,
is
a
username.
So
probably
I
will
use
my
same
username,
so
I
will
use
nicolas
and
we
need
a
special
one
later
with
group,
so
I
told
everyone
to
contribute.
B
We
will
come
later
to
the
very
so
we
need
that
and
for
that
I
have
prepared
a
document.
Also
sorry,
I
can
find
this
okay
good
and
move
this
also
outside
okay,
it's
fine!
So,
first
of
all,
because
we
are
talking
about
certificates,
most
libraries
that
is
known
as
openssl,
so
that
you
can
generate
a
little
private
key
first
of
all,
so
we
will
start
and
creating
our
privacy.
B
B
You
can
see
here,
so
this
shouldn't
be
shared
to
anyone.
It
should
be
only
local
on
your
system.
Please
don't
share
it
because
I
generated
only
once
it's
fine
for
testing
purpose
and
afterwards
now
we
have
a
key.
We
need
to
identify
the
the
variety
of
history
so
for
that
we
need
to
have
a
certificate
that
can
someone
trust
me
that
this
is
my
property,
so
for
that
we
need
to
create
first
specificate
request,
so
it's
also
called
assigning
request.
B
So
for
that
we're
using
again
openssl-
and
hopefully
it
works
again,
yeah
truth.
So
now
we
have
a
new
file,
it's
towards
csr,
so
this
will
certificate
signing
requests
here
you
can
would
see
all
the
dates
for
the
certificate,
and
now
we
want
to
so.
What
we
want
to
achieve
now
is
that
our
application,
or
that
or
to
beneath
the
servers
because
kubernetes
for
api
services
own
certificate
authority,
so
that
means
you
can
manage
a
lot
of
multiple
private
keys
with
the
certificates
means
to
allow
our
certificate.
B
So
that's
the
reason
why
we
create
now
a
new
file
that
is
called
certificate,
signing
request
and
for
that
we
will
use
now
the
key
from
our
file
and
so
on
and
we'll
generate
a
new
document.
So,
first
of
all,
we
can
look
afterwards
into
the
file,
so
when
it's
generated
we
generate
now
assigning
request
identification.
We
need
this
service,
and
now
we
can
also
inspect
that.
B
So
when
you
type
you
can
do
the
you
can
do
the
full
kind
or
doing
the
short
handle
like
next
last
time
reported
so
that
you
can
also
generate
this.
So
what
we
can
see
now
here,
I
use
the
name
literally.
This
name
will
be
used
as
the
username
afterwards,
which
have
it's
ultimate
to
see
the
yamaha
fun
and
literally,
we
can
also
see
here.
We,
you
can
also
see
here
the
username.
What
usage
we
want
to
use.
B
We
want
to
use
a
client
authentication
really
our
chipset
is
declined.
So
that
means
that
we
also
want
to
authenticate
against
that,
and
so
for
that
we
now
need
in
the
next
step.
We
need
to
approve
this
certificate
request,
so
that
means
we're
proving
because,
when
we're
going
back
into
the
files,
so
when
we're
checking
with
csr,
you
can
see
it's
currently
in
a
bit
condition
pending.
B
So
that
means
we
are
not
allowed
to
use
this,
but
someone
needs
to
accept
this
and
currently
because
we
are
luckily,
we
are
on
the
point
of
that.
We
are
system
admin
with
our
first
user,
so
we
can
accept
the
certificate.
So
for
that
it's
straightforward,
we
can
use
tube
ctrl
certificate
approve
and
afterwards
we
have
nowhere
proof.
So
we
can
check
now
the
csiden
and
now
it
means
so
that
it's
approved
and
the
certificate
was
generated.
B
B
And
luckily
now,
when
we're
checking
the
status
field,
so
every
demo
file
in
juventus
has
this
bait
and
the
status
field
and
the
status
are
mostly
updates
of
the
item.
So
that
means
that
we
now
need
to
fetch
this
certificate.
As
we
remember,
okay,
all
the
credentials
are
encoded
in
basic
c4.
So
that
means
we
need
also
decrypt
that
and
then
we
get
the
final
certificate.
So
for
that
I
wrote
a
shorthander
literally
so
that
we
can
use
this
now,
I'm
fetching
the
certificate,
and
now,
when
I
check
this,
it's
549.
B
B
Let's
issue
yeah
yeah:
you
see
it
here
right
so
really
have
your
issues,
so
that
means
it's
from
the
ks3s
server.
It's
from
our
control
plane.
Now
we
have
a
valid
certificate
to
sort
to
the
certificate
of
solution
yeah.
So
that
means
we
have
now
everything
in
place.
We
can
use
these
certificates
to
authenticate
against
virtually
service.
So
now,
let's
do
it.
So
luckily
it's
a
little
bit
straightforward,
so
I
will
set
up
my.
B
B
B
B
So
we
can
first
of
all
what
we
did
is
here
now
to
to
create
the
new
user.
This
is
currently
the
data
of
the
plant
certificate
date
and
also
video,
so
here's
also
for
private
use.
It's
also
a
reason
why
you
shouldn't
share
these
fights
around
the
world,
because
someone
can
get
access
to
that
so
for
that
we
now
need
to
set
next
to
the
credentials
we
can
set
up
our
contacts.
B
So,
for
that
reason
I
have
no
electronics
code.
Needless
and
laterally.
We
now
want
to
use
this
context
in
terms
of
because
last
time
also
much
explained
that
we
can
use
cuba
ctx
for
that.
So
probably
I
can
also
use
this.
So
that
means
we
have
a
normal
js3s
user.
So,
for
example,
when
we're
now
typing
into
the
namespace
and
the
same
so
we
have
the
default
namespace
and
when
we
type
duplicate
our
pots,
we
see
the
pots.
B
Now
I
will
switch
to
my
user,
it's
called
nebulas
and
when
I
type
tubes
together
pots,
oh
we
got
an
error.
So
now
you
see
the
first
concept
that
we
currently
finished.
So
what
we
finished
right
now
was
the
authentication
so
yeah
I'm
allowed
to
authenticate
against
it.
So
when
I
type
tube
ctl
cluster
info,
I
should
see
it's
working.
Oh
it's
also
not
a
lot,
no
okay!
So
now
we
need
to
fix
this
part
really.
So
what
we
did
now.
We
finished
mostly
the
authentication
parts.
B
B
B
B
So
now,
when
we
checking
it,
you
can
see
that
we
have
our.
Everyone
can
contribute
viewbinding.
So
when
I
now
switch
back
into
the
username
class
and,
for
example,
type
the
same
command
that
I
did
before,
for
example,
cubectl
reports
you
can
now
see,
I
don't
get
an
error
anymore.
I
did
only
no
resource
font
namespace,
so
that
means
we
have
now
the
authenticate
part,
soft
and
auto
reauthorization.
So
I'm
allowed
to
start
some
commands.
It's
like
true.
B
B
Down
to
they
are
not
important.
So
literally,
what
we
have
here
is
like
the
row
reference,
so
that
means
a
cluster
role
and
currently
all
the
subjects.
So
all
people
or
all
persons
are
currently
or
groups
are
allowed
to
do
this.
So
roughly
because
I
created
the
everyone
can
contribute
group,
everyone,
every
user,
where
everyone
can
contribute
group,
can
use
the
cluster
role
so
and
a
role
literally
or
cluster
role.
B
When
we
look
into
this,
it's
a
standard
role,
that's
provided
by
by
humanities
by
itself,
so
it's
mostly
built
in
in
every
conformant.
We
need
this
cluster
and
there
you
can
see
a
lot
of
commands
and
a
lot
of
actions.
So
what
you
can
see
here
here
are
now
all
the
rules
currently
that
our
users
are
allowed
to
do
all
actions
so
because
we
are
talking
with
kubernetes
against
an
api
server.
B
We
have
the
same
pattern
literally,
so
it
means
we
can
allow
all
the
api
groups,
so
it
means
from
which
version
comes.
So
luckily,
we
can
also
see
now
that,
in
the
view
role
we
have
the
serp
manager,
so
I'm
allowed
to
see
certificates
and
then
I'm
allowed
to
start
to
see
the
certificate
request
issuers.
B
D
B
B
B
B
B
So
coming
back
so
now
we
talked
a
little
bit
about
the
concept
of
cluster
role
and
cluster
role
binding.
So
for
you
asking
why
now
currently,
which
view
role
we
used
before
or
not,
and
for
that
we
have
currently
default
adjuster
roads
or
default
rods
that
you
can
use,
and
for
that
I
use
the
standard
for
euro.
So
I
would
also
recommend
to
start
first
with
the
standard
roads,
and
then
you
can
extend
it
afterwards
to
your
own.
B
B
So,
for
example,
when
I
start
now
here
the
airplane
army
airplane
image
to
test
it.
It
doesn't
work
so,
but
when
I
now
switch
into
the
everyone
can
contribute
and
start
it
there.
It
works
so
the
main
difference.
What
we
didn't
know
was
we
don't
use
a
rope.
We
don't
use
a
cluster
row
binding.
We
used
a
row
binding.
So
what's
the
difference
between
that
cluster
roles
or
everything
with
cluster
prefix
is
about
the
whole
kubernetes
cluster,
so
it's
placed
in
every
namespace.
B
You
can
do
everything
in
every
namespace,
but
if
you
have
only
a
row
binding
or
role,
it's
only
contained
into
a
single
namespace
of
kubernetes.
So
that
means
you
can
give.
For
example,
you
can
have
multiple
namespaces
or
also
multiple
teams.
Each
team
has
our
namespace
and
can
do
things
that
they
want
to,
but
without
harm
the
others
or
adding
new
resources,
or
something
like
that
and
probably
we
cannot
communicate
outside
because
we
don't
have
network
policies
in
place
in
the
air
crew.
B
B
B
B
The
reason
from
that
is
because
kubernetes
doesn't
put
in
place
a
certificate
revocation,
because
it
would
be
a
tremendous
amount
of
work
to
do
that
and
that's
very
recommendation
why
you
should
use
open
id
connect
or
some
other
tools
to
do
that
for
the
authentication
layer.
So
we
can
look
a
little
bit
into
the
part
where
you
can.
B
So
roughly
this
is
mine
which
says
yeah.
So
really
we
have
so
you
could
also
use
a
static
file
token
mostly,
but
it's
what
mostly
recommend
it's
like
the
beer
token,
so
it's
the
dot
place
and
also
mostly
an
open
id
connect.
So
it
means,
like
you,
have
lots
of
options
with
open
id
and
how
open
id
is
working.
Currently,
it's
like
a
little
bit
different
to
that
that
you
used
before
so.
B
You
are
also
allowed
to,
for
example,
provide
only
a
subset
of
open
id
users
by
the
identity
provider,
for
example,
for
everyone
train
contribute
group
can
do
that
afterwards
for
tube
ctl,
chords
identity,
it
will
be
added
to
the
identity
provider
of
the
token
and
then
in
our
tube
config.
We
don't
use
tls
certificates
anymore.
We
use
the
spirit,
tokens
and
then
finally
authentic
hands.
It
lands
for
api
server,
so
the
open
id
flow
will
be
executed
mostly
and
afterwards
the
authorization
part
will
be
performed.
B
So
that
means
which
roads
I
have
and
so
on,
and
then
the
user
gets
the
final
feedback
yeah.
But
for
that
we
need
now
a
little
bit
to
decide
if
you
want
to
do
that
or
not
because
for
that
we
need
a
little
bit
to
hack,
because
we
need
to
probably
to
change
the
api
server
to
allow
an
identity
provider,
because
this
is
not
built
in
by
dynamic
or
you
can't
change
it
by
dynamically.
B
You
can
only
determine
by
boot
time
by
bootstrapping
with
cluster,
or
you
can
probably
also
fix
it
afterwards.
It's
also
possible,
but
mostly
it's
like
that.
You
should
use
this
when
it's
started
yeah
when
you
bootstrap
your
cluster.
So
but
before
we
go
into
the
opm
saying
I
would
say
that
probably
someone
has
questions
or
we
should
can
talk
a
little
bit
about
that.
What
you
don't,
if
I
probably
can
explain
something
for.
B
B
B
B
D
B
B
D
A
B
B
B
A
A
B
B
A
B
B
I
want
to
provide
an
identity
broker
really,
so
that
means
dex
will
allow
us
to
connect
to
an
open
id
identity
provider.
So
for
that,
my
intention
is
really
to
use
for
that
also
gitlab,
so
that
everyone
from
everyone
can
contribute
group
can
access
slowly
or
to
united
states
service
and
authenticate
against
it.
So
that
would
be
the
main
idea
mostly
for
that.
Let
me
change
if
I
wrote
the
stone
because
it
noted
there
very
cool
so
for
that
there's
some
good
point
really.
B
What
we
need
to
do
is
we
need
to
provide
decks
in
which
we
need
this
cluster
and
also
gangway.
Then
we
will
be
used
later
for
the
iphone
84
for
the
users
so
that
we
can
easily
generate
our
optimized
client
so
yeah.
Now
we
need
to
find
out
how
we
can
set
the
open
id
for
the
twenties
api
server.
Otherwise
our
journeys
api,
so
if
it
doesn't
trust
the
diplab
and
so
then
we
can't
authenticate
against
the
servers.
B
B
A
A
B
Or
something
yeah,
we
don't
really
need
to
teach
you
currently
something
what
it
is.
It's
cheaper
to
know
so,
okay
yeah,
currently
by
default.
If
you
are
using
kubernetes,
so
luckily
we
can
explain
it
a
little
bit
what
is
static
and
it's
there's
no
difference
between
acetic
or
dynamic
probabilities.
So
what
you
have
typically
in
your
system,
if
you
are
deploying
with
cheap
iem
or
with
other
tools
like
mostly
a
lot
of
other
tools,
supports
the
same
way
it's
like.
B
C
B
B
My
pot
jammer
and
you
can
put
this
into
htc
manifest
and
then
by
by
automatically
when
the
tuplet
starts.
So
it's
more
it's
a
feature
of
a
tubelet,
so
it's
not
like
from
the
automatic
unit
service.
So
that
means
that
automatically
this
part
will
be
automatically
started
and
by
default,
if
you're,
using
another
installation
method
like
tube
idm,
the
api
server,
the
att
server
every
component
or
core
component,
but
you
beneath
this
will
be
deployed
as
a
static
manifest
into
these
manifests
and
then
will
be
executed
dynamically
by
the
tubeless.
B
So
that's
the
reason
why
it's
called
static
manifests
mostly
or
aesthetic
parts,
or
you
can
put
everything
there.
So
it's
like
that
you
have
for
bootstrapping,
so
so
that
would
be
also
coming
to
the
theory
that
you
can
do
kubernetes
without
config
management,
if
you're
looking
at
it
forwards,
so
because
it
could
also
write
everything
to
containers
into
pots
and
something
like
that
and
then
starting
on
bootstrap
and
automate
all
the
stuff
yeah.
So
now,
let's
come
back
momentum,
so
I
need
to.
B
B
D
B
B
B
B
B
D
B
Okay,
I
already
produced
first
number,
okay,
so
normally
we
use
like
last
time
we
also
use
a
head
chart
for
that.
So
I
prepared
everything.
So
actually
you
can
see
here
on
the
x
configuration
so
the
access
outsold
hem
chart
and
we
can
generate
the
configuration
so
in
the
connection
connect.
This
part
is
very
connection
to
video
clip,
so
date
is
only
on
proxies
predictable
with
it
for
the
japanese
api
server
so
that
you
can
have
multiple
opm
id
connection
services
yeah.
D
B
B
B
C
B
And
now
we
can
check
if
it's
available,
so
for
that
first
we
see
a
page,
not
font,
or
you
would
say:
okay,
the
service
is
at
least
reachable
because
we're
getting
http
404
page
not
found,
but
now
we
can
also
check
if
the
service
is
working
because
we're
using
open
id
the
sender
protocol.
You
can
also
draw
a
well-known
open
id
search,
configuration
yeah
and
they
can
currently
see
the
whole
open
id
information
about
our
server
syllabus
story.
B
Also
open
id
provides
a
sign
based
approach,
so
for
that
we
have
also
the
signing
keys
here
so
that
you
can
also
see
that
these
keys
will
be
used
to
sign
the
the
jot
token
so
because,
when
you're
going
to
judge,
you
need
also
to
sign
the
whole
g,
and
for
that
it's
the
reason
why
you've
also
jvtst
yeah.
So
we
have
no
decks
in
place
now.
We
need
to
bootstrap
our
trivanity
cluster
to
use
that.
B
B
B
B
D
A
A
D
B
B
B
A
B
B
B
D
B
B
We
need
to
tell
the
api
server
first
in
the
first
step,
go
to
go
to
dates,
ask
there
for
the
user
and
afterwards
dex
will
ask
instead
of
reduce,
we'll
ask
the
clip
for
the
final
user
so
that
I
can
authenticate
against
it
so
and
currently,
as
user
as
person.
What
we
are
doing
is,
we
are
only
speaking
mostly
with
just
another.
B
We
will
speak
only
with
the
with
the
api,
so
so
we
don't
know
that
dex
is
there
that
we
don't
know
that
git
club
is
there
literally.
We
know
only
that
we
want
to
authenticate
and
against
gitlab,
and
so
for
that
we
have
the
user
with
internal
ctl,
and
for
that
we
do
this
flow.
So
really
our
identity,
identity
provider
is
okay,
is
a
skid
lab.
B
And
we
want
to
authenticate
and
then
stick
clap
with
that,
so
that
we
can
use
this
user
with
a
beer
token
instead
of
tls.
But
for
that
because
it's
a
security
protocol,
it's
an
authentication
protocol.
It
requires
security,
for
that
it
shouldn't
be
good
that
we
speak
http
over
that
we
draw
them
probably
using
information
to
delete
over
the
internet.
That's
also
the
reason
why
we
need
to
speak
this
in
some
secure
ways.
B
So
for
that
we
need
to
do
only
https
ports
here,
https
and
also
here
https,
and
for
that
we
need
to
leverage
the
next
week.
We
need
to
leverage
text
with
an
external
with
the
server
manager,
so
the
textual
speech
https,
because
then
this
can
also
be
verified,
and
then
we
are
have
the
option
to
use
all
the
users
there
to
authenticate
against
that,
and
mostly
we
can
also
the
true
part
about
this
is
when
we
open
between
the
text
documentation.
B
B
A
B
Yeah,
I
can
start
with
a
short
video.
What
we
did
today
and
mostly
I
repeated
the
next
week
so
already
what
we
did
is.
We
did
the
authentication
part,
but
we
did
this
only
with
a
tls
certificate
so
with
a
private
key
in
terms
of
instead
of
a
real
username.
So
we
don't
use
an
external
user
and
we
did
for
authorization
part
with
airbag.
B
So
this
is
airborne
really
and
we
created
different
authorizations
models,
so
we
used
a
row
binding
to
get
access,
for
example,
for
our
developers
group
in
the
everyone
can
contribute
namespace
and
also
the
same
for
the
cluster
role,
so
that
also
our
admin
has
general
access
to
the
cluster
yeah.
Mostly
next
week
we
were
focusing
on
the
authentication
part
of
open
id
with
k3s
yeah.