►
Description
Blog post on https://everyonecancontribute.com/
Kubernetes group repos: https://gitlab.com/everyonecancontribute/kubernetes
Twitter thread: https://twitter.com/dnsmichi/status/1364622431202213893
A
And
we
are
live
back
to
more
kubernetes,
magic
and
stuff
in
our
18th.
Everyone
can
contribute
coffee,
and
today,
nicholas
will
dive
into
users
permissions
and
much
more.
I
think
so.
I
will
just
hand
it
over
to
you.
B
Okay,
so
I
think
we
can
start
directly
now
don't
r
from
our
screen,
so.
B
Yeah,
so
we
are
known
everyone
number
everyone
can
contribute
number
18,
so
it's
like
our
birthday,
so
also
a
little
bit
of
18
birthdays
so
that
we
can
also
talk
about
getting
promised
and
getting
rights
to
do
something.
So
it's
the
right
point
to
get
into
this.
So
today
we
want
a
little
bit
to
speak
about
arbor.
So
that
means
literally
that
we
need
to
look
into
two
important
points,
so
the
first
point
will
be
a
little
bit.
B
What
the
most
people
know
is
probably
under
the
name
authentication
mostly
if
you
read
it
in
go
or
other
systems,
it's
mostly
only
specified
as
often
and
if
you,
of
course,
if
you
have,
if
you
are
authenticated
against
the
service,
you
want
also
probably
authorized
to
do
something.
So
this
is
the
other
step.
So,
instead
of
authentication,
then
we're
talking
about
authorization
and
the
short
form
would
be
else
so
currently.
B
Kubernetes
in
the
past
has
different
models
to
do
the
authorization
part,
but
the
authentication
part
was
mostly
the
same
so
for
that
we
will
look
at
first
into
the
identification
part
how
it
can
authenticate
as
a
user
and
afterwards
we're
looking
more
into
the
row
based
axis
in
the
model
so
on
the
authorization
part
so
which
access
do.
I
have
to
get
directly
into
the
api
so
before
that,
no
not
before
we
can
deeply
dive
back
into
our
system.
B
So
much
max
was
so
great
that
he
provided
me
with
cluster
shared
with
me,
the
config
so
currently
I'm
as
the
same
user,
and
so
we
can
first
check.
Currently.
I
hope
it's
big
enough
right,
so
everyone
can
reach
the
screen
or
should
I
make
it
smaller.
B
Yeah
so
first
we
can
check
and
very
I
can
connect
to
it
communities
cluster.
So
everything
is
in
place.
Most
important
point
is
here
so
that
we
can
see
the
control
plane,
at
least-
and
this
is
currently
where
we're
connecting
against
each
other.
So
for
that
now,
because
I
don't
want
to
use
the
the
same.
B
Yeah,
so
really,
this
is
the
same
configuration
from
last
time,
so
we
see
here
the
demo.
We
don't
care
about
the
nicolas
user.
I
will
come
related
to
that.
We
have
our
cluster,
so
we
have
the
namespace
and
the
user.
Now
what
we
want
to
do.
I
don't
want
to
log
in
with
the
standard
user,
so
I
want
to
create
my
own
user
also
that
at
least
I
can
give
michael,
also
a
configuration
or
someone
else.
It
can
also
use
our
cluster.
These
alternate
access
to
the
cluster.
B
So
for
that
there
are
multiple
ways
to
do
that.
Currently,
the
most
common
are
when
I
look
into
this
is
mostly
the
first
would
be
tls,
so
I
have
a
private
key
and
it
gets
in
certificate,
and
these
are
my
credentials
to
authenticate
against
the
cluster.
B
So
if
you
are
running
on
the
managed
to
wear
needles,
for
example,
on
rks
eks
or
kikai,
mostly
there's
another
concept
used
for
the
authentication,
I
will
move
it
there,
it's
a
little
bit
finer
so
for
that
most
people
use
another
approach
and
that
would
be
open
id
so
in
terms
of
identity.
Br
token,
literally,
this
is
for
authentication
for
idiot
bureau
token,
mostly
called
used
the
protocol
for
that
or
the
data
format
for
that
it's
jot.
B
So
data
ability-
and
this
can
be
also
used
but
cool
part
about
this-
that
currently
all
the
requests
go
into
the
api
server
so
and
our
api
server
is
capable
to
do
multiple
authentication
models.
So
it
means
when
you
choose
to
use
ts
certificates
for
authenticating
your
users.
B
You
aren't-
and
you
want
later
to
add
open
id
to
that
it's
possible,
so
you
can
use
twice,
authentication
layers
or
you
can
use
three
in
terms
of
so
that
you
have
multiple
authentication
methods
in
your
20,
most
reason
when
you
go
into
production
or
when
you
want
to
use
it
in
the
day
two
or
day
three
operations,
really,
you
should
use
opm
id,
but
we
will
come
later
to
the
point
why
you
should
use
this
instead
of
theater
certificates,
but
for
understanding.
I
think
ts
is
a
great
way
and
also
otherwise.
B
We
need
to
dig
a
little
bit
into
the
gis
j3s
server
and
check
how
it
works
there.
So
for
that
we
will
come
back.
Okay,
so
luckily,
let's
create
a
user
so
for
creating
a
user
or
creating
creating
creating
the
user
for
the
control
plane.
First,
what
we
need,
of
course,
is
a
username.
So
probably
I
will
use
my
same
username,
so
I
will
use
nicolas
and
we
need
a
special
one
later
with
group,
so
I
told
everyone
to
contribute.
B
We
will
come
later
to
the
very
so
we
need
that
and
for
that
I
have
prepared
a
document.
Also
sorry,
I
can
find
this
okay
good
and
move
this
also
outside
okay,
it's
fine!
So,
first
of
all,
because
we
are
talking
about
certificates,
most
libraries
that
is
known
as
openssl,
so
that
you
can
generate
a
little
private
key
first
of
all,
so
we
will
start
and
creating
our
privacy.
B
If
any
questions
you
can
ask
besides
that,
so
I
can
explain
and
also
do
something
yeah.
So
in
the
next
step
now
we
have
literally
on
our
system.
We
have
a
private
key.
B
You
can
see
here,
so
this
shouldn't
be
shared
to
anyone.
It
should
be
only
local
on
your
system.
Please
don't
share
it
because
I
generated
only
once
it's
fine
for
testing
purpose
and
afterwards
now
we
have
a
key.
We
need
to
identify
the
the
variety
of
history
so
for
that
we
need
to
have
a
certificate
that
can
someone
trust
me
that
this
is
my
property,
so
for
that
we
need
to
create
first
specificate
request,
so
it's
also
called
assigning
request.
B
So
for
that
we're
using
again
openssl-
and
hopefully
it
works
again,
yeah
truth.
So
now
we
have
a
new
file,
it's
towards
csr,
so
this
will
certificate
signing
requests
here
you
can
would
see
all
the
dates
for
the
certificate,
and
now
we
want
to
so.
What
we
want
to
achieve
now
is
that
our
application,
or
that
or
to
beneath
the
servers
because
kubernetes
for
api
services
own
certificate
authority,
so
that
means
you
can
manage
a
lot
of
multiple
private
keys
with
the
certificates
means
to
allow
our
certificate.
B
So
that's
the
reason
why
we
create
now
a
new
file
that
is
called
certificate,
signing
request
and
for
that
we
will
use
now
the
key
from
our
file
and
so
on
and
we'll
generate
a
new
document.
So,
first
of
all,
we
can
look
afterwards
into
the
file,
so
when
it's
generated
we
generate
now
assigning
request
identification.
We
need
this
service,
and
now
we
can
also
inspect
that.
B
So
when
you
type
you
can
do
the
you
can
do
the
full
kind
or
doing
the
short
handle
like
next
last
time
reported
so
that
you
can
also
generate
this.
So
what
we
can
see
now
here,
I
use
the
name
literally.
This
name
will
be
used
as
the
username
afterwards,
which
have
it's
ultimate
to
see
the
yamaha
fun
and
literally,
we
can
also
see
here.
We,
you
can
also
see
here
the
username.
What
usage
we
want
to
use.
B
We
want
to
use
a
client
authentication
really
our
chipset
is
declined.
So
that
means
that
we
also
want
to
authenticate
against
that,
and
so
for
that
we
now
need
in
the
next
step.
We
need
to
approve
this
certificate
request,
so
that
means
we're
proving
because,
when
we're
going
back
into
the
files,
so
when
we're
checking
with
csr,
you
can
see
it's
currently
in
a
bit
condition
pending.
B
So
that
means
we
are
not
allowed
to
use
this,
but
someone
needs
to
accept
this
and
currently
because
we
are
luckily,
we
are
on
the
point
of
that.
We
are
system
admin
with
our
first
user,
so
we
can
accept
the
certificate.
So
for
that
it's
straightforward,
we
can
use
tube
ctrl
certificate
approve
and
afterwards
we
have
nowhere
proof.
So
we
can
check
now
the
csiden
and
now
it
means
so
that
it's
approved
and
the
certificate
was
generated.
B
So
that
means
the
true:
we
have
no
certificate,
and
now
we
need
to
fetch
the
sign
certificate.
So
for
that
we
can
use,
we
can
check
for
csi,
then
and
type
in
class.
B
And
luckily
now,
when
we're
checking
the
status
field,
so
every
demo
file
in
juventus
has
this
bait
and
the
status
field
and
the
status
are
mostly
updates
of
the
item.
So
that
means
that
we
now
need
to
fetch
this
certificate.
As
we
remember,
okay,
all
the
credentials
are
encoded
in
basic
c4.
So
that
means
we
need
also
decrypt
that
and
then
we
get
the
final
certificate.
So
for
that
I
wrote
a
shorthander
literally
so
that
we
can
use
this
now,
I'm
fetching
the
certificate,
and
now,
when
I
check
this,
it's
549.
B
And
which
takes
the
thing
yeah
true,
you
can
see
the
whole
certificate
literally.
B
And
now
you
can
see
here
is
the
user
group
name
the
the
common
name,
and
you
should
also
see
the
issue.
Let
me
check
where,
like
something.
B
Let's
issue
yeah
yeah:
you
see
it
here
right
so
really
have
your
issues,
so
that
means
it's
from
the
ks3s
server.
It's
from
our
control
plane.
Now
we
have
a
valid
certificate
to
sort
to
the
certificate
of
solution
yeah.
So
that
means
we
have
now
everything
in
place.
We
can
use
these
certificates
to
authenticate
against
virtually
service.
So
now,
let's
do
it.
So
luckily
it's
a
little
bit
straightforward,
so
I
will
set
up
my.
B
I
will
set
up
my
cube
config
to
a
separate
one,
because
my
default
config
is
a
bit
different.
You
have
lots
of
options
to
do
that.
So
when
it's
supporting
the
two
config
variables,
you
can
also
set
this
so
for
that
point
we
now
need
to
update
our
credentials.
B
So
literally,
what
we
do
here
is
that
we
will
create
a
new
user
in
youtube
in
the
chase
3stmo
file.
So
when
we
checking
this
is
a
terminal.
B
B
So
we
can
first
of
all
what
we
did
is
here
now
to
to
create
the
new
user.
This
is
currently
the
data
of
the
plant
certificate
date
and
also
video,
so
here's
also
for
private
use.
It's
also
a
reason
why
you
shouldn't
share
these
fights
around
the
world,
because
someone
can
get
access
to
that
so
for
that
we
now
need
to
set
next
to
the
credentials
we
can
set
up
our
contacts.
B
So,
for
that
reason
I
have
no
electronics
code.
Needless
and
laterally.
We
now
want
to
use
this
context
in
terms
of
because
last
time
also
much
explained
that
we
can
use
cuba
ctx
for
that.
So
probably
I
can
also
use
this.
So
that
means
we
have
a
normal
js3s
user.
So,
for
example,
when
we're
now
typing
into
the
namespace
and
the
same
so
we
have
the
default
namespace
and
when
we
type
duplicate
our
pots,
we
see
the
pots.
B
Now
I
will
switch
to
my
user,
it's
called
nebulas
and
when
I
type
tubes
together
pots,
oh
we
got
an
error.
So
now
you
see
the
first
concept
that
we
currently
finished.
So
what
we
finished
right
now
was
the
authentication
so
yeah
I'm
allowed
to
authenticate
against
it.
So
when
I
type
tube
ctl
cluster
info,
I
should
see
it's
working.
Oh
it's
also
not
a
lot,
no
okay!
So
now
we
need
to
fix
this
part
really.
So
what
we
did
now.
We
finished
mostly
the
authentication
parts.
B
So
we
finished
the
authentication
they
set
up
a
privately
approved
identifier,
api
server
and
I'm
now
able
to
use
this.
But
now
I
need
to
have
rights
to
do
to
execute
commands
at
the
end.
So
now
traps
are
better
in
place
mostly,
so
for
that
we
can
go
into
the
documents.
B
I
hope.
So
there
were
no.
Let
me
check
yeah
cool,
so
what
we
need
to
do
now
is
so
that
we
give
our
user
on
the
permissions,
and
for
that
we
have.
B
We
have
really
a
new
concept,
so
now
we
will
introduce
a
new
a
new
type,
so
it's
called
cluster
binding,
and
this
allows
us
to
get
permissions
to
something,
and
mostly
we
will
create
this
in
first
place
so,
and
I
already
spent
afterwards
so
first,
because
our
current
username
class
doesn't
have
any
permissions.
B
I
need
to
switch
back
to
my
admin
user
and
I
will
add
this
cluster
raw
binding.
Another
explain
afterwards
for
what
the
cluster
row
binding
literally,
is
so
cool,
because
the
robot
is
there.
B
So
now,
when
we
checking
it,
you
can
see
that
we
have
our.
Everyone
can
contribute
viewbinding.
So
when
I
now
switch
back
into
the
username
class
and,
for
example,
type
the
same
command
that
I
did
before,
for
example,
cubectl
reports
you
can
now
see,
I
don't
get
an
error
anymore.
I
did
only
no
resource
font
namespace,
so
that
means
we
have
now
the
authenticate
part,
soft
and
auto
reauthorization.
So
I'm
allowed
to
start
some
commands.
It's
like
true.
B
Now
we
are
in
a
more
in
a
true
way
so,
but
now
check
where
it
was
so.
I
will
go
back
into
the
case
with
into
the
admin
account.
Is
there
a
shorthand
for
customer
binding
three
letters
or
something
right,
because
crb
doesn't
work?
B
I
don't
like
to
type
everything
so
when
we're
now
changing
this.
B
Down
to
they
are
not
important.
So
literally,
what
we
have
here
is
like
the
row
reference,
so
that
means
a
cluster
role
and
currently
all
the
subjects.
So
all
people
or
all
persons
are
currently
or
groups
are
allowed
to
do
this.
So
roughly
because
I
created
the
everyone
can
contribute
group,
everyone,
every
user,
where
everyone
can
contribute
group,
can
use
the
cluster
role
so
and
a
role
literally
or
cluster
role.
B
When
we
look
into
this,
it's
a
standard
role,
that's
provided
by
by
humanities
by
itself,
so
it's
mostly
built
in
in
every
conformant.
We
need
this
cluster
and
there
you
can
see
a
lot
of
commands
and
a
lot
of
actions.
So
what
you
can
see
here
here
are
now
all
the
rules
currently
that
our
users
are
allowed
to
do
all
actions
so
because
we
are
talking
with
kubernetes
against
an
api
server.
B
We
have
the
same
pattern
literally,
so
it
means
we
can
allow
all
the
api
groups,
so
it
means
from
which
version
comes.
So
luckily,
we
can
also
see
now
that,
in
the
view
role
we
have
the
serp
manager,
so
I'm
allowed
to
see
certificates
and
then
I'm
allowed
to
start
to
see
the
certificate
request
issuers.
B
D
B
Yeah,
take
this
so
really
what
we
did
now
is
we
have
our
group
developers
in
terms
of
our
group
was
everyone.
Everyone
can
contribute,
so
this
was
coming
from
the
from
the
certificate.
So
it's
the
organization
unit.
Now
we
created
the
role
of
the
cluster
role
binding.
That
was
called.
B
B
B
So
that
we
have
here
the
view
binding
and
the
view
binding
is
the
connection
between
between
the
role,
the
cluster
role
and
the
group
of
a
user.
So
this
we
are
having
here
currently
three
items
to
do
the
authorization.
So
that
means
this
also
we're
mentioning
white
spot
arbut
and
not
before
that.
B
So
coming
back
so
now
we
talked
a
little
bit
about
the
concept
of
cluster
role
and
cluster
role
binding.
So
for
you
asking
why
now
currently,
which
view
role
we
used
before
or
not,
and
for
that
we
have
currently
default
adjuster
roads
or
default
rods
that
you
can
use,
and
for
that
I
use
the
standard
for
euro.
So
I
would
also
recommend
to
start
first
with
the
standard
roads,
and
then
you
can
extend
it
afterwards
to
your
own.
B
If
you
need
that
yeah
so
coming
back,
probably
you
want
also
to
start
a
little
bit
about
about
now,
starting
your
pot
at
least,
and
we're
coming
out
to
a
new
concept.
B
So,
luckily,
now
let
me
check
where
my
stuff
is
so
now
we
need,
instead
of
so,
what
we
want
to
do
now
is
we
want
to
create
a
new
namespace
so
literally,
because
we
want
don't
want
to
use
the
default
namespace,
we
want
to
have
our
own
namespace,
so
what
we
can
do
is
proof
stuff,
so
for
that
we
creating
on
all
namespaces
that
we
call
everyone
can
contribute,
and
now,
when
I'm.
B
Yeah
now,
when
I
switching
into
that,
I
will
change
the
namespace.
B
So
we
can
check
here,
nothing's
currently
running
so
also
the
same
with
no
roads
there.
We
have
nothing
so
for
that
now
we
were
at
a
roll
literally
to
the
point,
a
new
role
binding
so
and
now
what
we
did
is
when
I
go
back
now
into
my
nexus
user.
I
would
come
later
to
the
convention
of
that.
B
So,
for
example,
when
I
start
now
here
the
airplane
army
airplane
image
to
test
it.
It
doesn't
work
so,
but
when
I
now
switch
into
the
everyone
can
contribute
and
start
it
there.
It
works
so
the
main
difference.
What
we
didn't
know
was
we
don't
use
a
rope.
We
don't
use
a
cluster
row
binding.
We
used
a
row
binding.
So
what's
the
difference
between
that
cluster
roles
or
everything
with
cluster
prefix
is
about
the
whole
kubernetes
cluster,
so
it's
placed
in
every
namespace.
B
You
can
do
everything
in
every
namespace,
but
if
you
have
only
a
row
binding
or
role,
it's
only
contained
into
a
single
namespace
of
kubernetes.
So
that
means
you
can
give.
For
example,
you
can
have
multiple
namespaces
or
also
multiple
teams.
Each
team
has
our
namespace
and
can
do
things
that
they
want
to,
but
without
harm
the
others
or
adding
new
resources,
or
something
like
that
and
probably
we
cannot
communicate
outside
because
we
don't
have
network
policies
in
place
in
the
air
crew.
B
We
can
now
work
as
an
owned
developer
with
our
own
user,
and
that's
really
true.
So
that's
really
the
authentication
and
authorization
part
about
juventus.
So,
but
now
we
are
coming
a
little
bit
to
the
point.
B
What
I
wanted
to
point
it
out
is
now
probably
when
I
switched
back
to
my
ks
k3s
demo.
I,
for
example,
we
say:
okay,
I'm
don't
find
anymore
with
use
any
class.
I
want
to
delete
that
so
when
we
now.
B
B
You
can't
revoke
the
access,
at
least
so
the
identification
can't
be
revoked,
so
what
we
only
can
do
is
we
could
revolt
the
cluster
roles
and
for
cluster
row
bindings
and
also
the
role
and
raw
bindings,
but
currently
the
user
still
acts
has
can
still
authenticate
against
the
kubernetes
servers.
B
The
reason
from
that
is
because
kubernetes
doesn't
put
in
place
a
certificate
revocation,
because
it
would
be
a
tremendous
amount
of
work
to
do
that
and
that's
very
recommendation
why
you
should
use
open
id
connect
or
some
other
tools
to
do
that
for
the
authentication
layer.
So
we
can
look
a
little
bit
into
the
part
where
you
can.
B
So
roughly
this
is
mine
which
says
yeah.
So
really
we
have
so
you
could
also
use
a
static
file
token
mostly,
but
it's
what
mostly
recommend
it's
like
the
beer
token,
so
it's
the
dot
place
and
also
mostly
an
open
id
connect.
So
it
means,
like
you,
have
lots
of
options
with
open
id
and
how
open
id
is
working.
Currently,
it's
like
a
little
bit
different
to
that
that
you
used
before
so.
B
For
that
we
can
start
first
of
all,
as
user
error
against
your
identity
provider,
so
our
identity
provider
could
be,
for
example,
github.com
or
it
could
be
another
server,
for
example,
google,
or
something
like
that,
so
every
user
from
root
can
login
can
get
authenticates
a
density
to
a
data
source
or
you
can
also
specify
by
the
open
id
protocol.
B
You
are
also
allowed
to,
for
example,
provide
only
a
subset
of
open
id
users
by
the
identity
provider,
for
example,
for
everyone
train
contribute
group
can
do
that
afterwards
for
tube
ctl,
chords
identity,
it
will
be
added
to
the
identity
provider
of
the
token
and
then
in
our
tube
config.
We
don't
use
tls
certificates
anymore.
We
use
the
spirit,
tokens
and
then
finally
authentic
hands.
It
lands
for
api
server,
so
the
open
id
flow
will
be
executed
mostly
and
afterwards
the
authorization
part
will
be
performed.
B
So
that
means
which
roads
I
have
and
so
on,
and
then
the
user
gets
the
final
feedback
yeah.
But
for
that
we
need
now
a
little
bit
to
decide
if
you
want
to
do
that
or
not
because
for
that
we
need
a
little
bit
to
hack,
because
we
need
to
probably
to
change
the
api
server
to
allow
an
identity
provider,
because
this
is
not
built
in
by
dynamic
or
you
can't
change
it
by
dynamically.
B
You
can
only
determine
by
boot
time
by
bootstrapping
with
cluster,
or
you
can
probably
also
fix
it
afterwards.
It's
also
possible,
but
mostly
it's
like
that.
You
should
use
this
when
it's
started
yeah
when
you
bootstrap
your
cluster.
So
but
before
we
go
into
the
opm
saying
I
would
say
that
probably
someone
has
questions
or
we
should
can
talk
a
little
bit
about
that.
What
you
don't,
if
I
probably
can
explain
something
for.
B
Probably
I
can
marci
to
provide
my
key
yeah.
B
Okay,
so
let's
check
first,
I
need
to
check
only
which
gif
on
this
machine,
so
hopefully
that
can
hold
it
yeah,
but
I
need
to
check
on
the
machine
that
you're
going
to
have
for
my
massage
okay,
I
don't.
I
don't
show
anymore
right,
yeah,
it's
fine!
B
B
B
D
B
B
So,
okay,
I'm
on
the
machine.
So
now
let's
check
so
hopefully.
B
D
A
B
B
B
B
So,
let's
check
uh-huh
move
first
with
president
now
let
me
check.
A
A
B
For
three
ctr,
so
what
I
want
to
do
right
now
is:
I
want
to
check
currently
which
container
running,
because
I
want
to
check
you
for
api
service
running.
B
B
A
I
think
it's
not
running
as
a
port.
It's
the
k3s
binary
itself.
A
B
So
let
me
check
how
this
works
really.
Okay,
coming
back
to
a
point,
so
what
I
want
to
do
now
would
be.
B
I
want
to
provide
an
identity
broker
really,
so
that
means
dex
will
allow
us
to
connect
to
an
open
id
identity
provider.
So
for
that,
my
intention
is
really
to
use
for
that
also
gitlab,
so
that
everyone
from
everyone
can
contribute
group
can
access
slowly
or
to
united
states
service
and
authenticate
against
it.
So
that
would
be
the
main
idea
mostly
for
that.
Let
me
change
if
I
wrote
the
stone
because
it
noted
there
very
cool
so
for
that
there's
some
good
point
really.
B
What
we
need
to
do
is
we
need
to
provide
decks
in
which
we
need
this
cluster
and
also
gangway.
Then
we
will
be
used
later
for
the
iphone
84
for
the
users
so
that
we
can
easily
generate
our
optimized
client
so
yeah.
Now
we
need
to
find
out
how
we
can
set
the
open
id
for
the
twenties
api
server.
Otherwise
our
journeys
api,
so
if
it
doesn't
trust
the
diplab
and
so
then
we
can't
authenticate
against
the
servers.
B
So
let
me
check
how
it
works,
trust
it.
My
assumption
was
that
js3s
uses
some
static
parts
to
do
that,
because
it's
a
quite
normal
way.
No,
that's
every
single!
What
I'm
looking.
B
It's
I
don't
even
know
where
right
well
for
stuff
total
method
of
id
connect
to
the
sim
floor.
B
Now
I
need
to
check
how
to
do
that.
Oops,
sorry,
so,
for
that
is
it
possible,
but
you
know
it
probably
is
that
we
can
restart
the
ks3s.
So
yes,.
A
A
I
would
say:
yeah
it's
it's
deployed
by
our
ansible
role,
so
it's
just
in
edc,
systemd
system,
k3s.
C
Maybe
we
we
can
talk
about
what
our
static
ports
are,
not
dynamic.
Plots
in
the
meantime.
B
Or
something
yeah,
we
don't
really
need
to
teach
you
currently
something
what
it
is.
It's
cheaper
to
know
so,
okay
yeah,
currently
by
default.
If
you
are
using
kubernetes,
so
luckily
we
can
explain
it
a
little
bit
what
is
static
and
it's
there's
no
difference
between
acetic
or
dynamic
probabilities.
So
what
you
have
typically
in
your
system,
if
you
are
deploying
with
cheap
iem
or
with
other
tools
like
mostly
a
lot
of
other
tools,
supports
the
same
way
it's
like.
B
So
what
you
can
use
is
you
have
a
root
path
under
your
node,
so
a
lot
of
it
largely
everything
from
kubernetes
goes
into
normal
font,
girls
into
etc.
Kubernetes
yamaha.
C
B
Yeah
yeah
manifest
will
come
later
so
and
for
that,
when
you
put
something
into
adc-
and
it
is
manifest,
these
yum,
yum
or
manifest
will
be
deployed
automatically
so
and
what
you
can
do
in
the
folder
is.
You
can
create,
for
example,
like.
B
My
pot
jammer
and
you
can
put
this
into
htc
manifest
and
then
by
by
automatically
when
the
tuplet
starts.
So
it's
more
it's
a
feature
of
a
tubelet,
so
it's
not
like
from
the
automatic
unit
service.
So
that
means
that
automatically
this
part
will
be
automatically
started
and
by
default,
if
you're,
using
another
installation
method
like
tube
idm,
the
api
server,
the
att
server
every
component
or
core
component,
but
you
beneath
this
will
be
deployed
as
a
static
manifest
into
these
manifests
and
then
will
be
executed
dynamically
by
the
tubeless.
B
So
that's
the
reason
why
it's
called
static
manifests
mostly
or
aesthetic
parts,
or
you
can
put
everything
there.
So
it's
like
that
you
have
for
bootstrapping,
so
so
that
would
be
also
coming
to
the
theory
that
you
can
do
kubernetes
without
config
management,
if
you're
looking
at
it
forwards,
so
because
it
could
also
write
everything
to
containers
into
pots
and
something
like
that
and
then
starting
on
bootstrap
and
automate
all
the
stuff
yeah.
So
now,
let's
come
back
momentum,
so
I
need
to.
B
Check,
okay,
you
can
set
it
here
so
for
that
it
was
an
etc
right.
Systemd.
B
B
Okay,
now
we
need
to
look
back
into
the.
B
I'll
make
some
notes
there,
so
it
goes
a
bit
faster.
Do
this,
and
now
I
didn't
knot
it
down
right,
but
I
noticed
it
down
into
the.
D
B
B
What
we
now
use,
we
use
our
own
operating
issuer,
so
it
means
like
we
would
deploy
dates
under
often
or
we
could
just
use
sexy.
It's
like
fine,
and
then
we
need
to
affiliate
strategies.
We
begin
with
afterwards
or
not.
B
B
B
D
B
Okay,
I
already
produced
first
number,
okay,
so
normally
we
use
like
last
time
we
also
use
a
head
chart
for
that.
So
I
prepared
everything.
So
actually
you
can
see
here
on
the
x
configuration
so
the
access
outsold
hem
chart
and
we
can
generate
the
configuration
so
in
the
connection
connect.
This
part
is
very
connection
to
video
clip,
so
date
is
only
on
proxies
predictable
with
it
for
the
japanese
api
server
so
that
you
can
have
multiple
opm
id
connection
services
yeah.
D
B
B
B
C
B
And
now
we
can
check
if
it's
available,
so
for
that
first
we
see
a
page,
not
font,
or
you
would
say:
okay,
the
service
is
at
least
reachable
because
we're
getting
http
404
page
not
found,
but
now
we
can
also
check
if
the
service
is
working
because
we're
using
open
id
the
sender
protocol.
You
can
also
draw
a
well-known
open
id
search,
configuration
yeah
and
they
can
currently
see
the
whole
open
id
information
about
our
server
syllabus
story.
B
Also
open
id
provides
a
sign
based
approach,
so
for
that
we
have
also
the
signing
keys
here
so
that
you
can
also
see
that
these
keys
will
be
used
to
sign
the
the
jot
token
so
because,
when
you're
going
to
judge,
you
need
also
to
sign
the
whole
g,
and
for
that
it's
the
reason
why
you've
also
jvtst
yeah.
So
we
have
no
decks
in
place
now.
We
need
to
bootstrap
our
trivanity
cluster
to
use
that.
B
So.
For
that
I
need
to
find
my
notes.
We
wrote
it
down,
but
I
didn't
get
the
client
any
right
yeah.
So
now
we
need
to
get
client
id.
So,
let's
check
into
the
secret
and
probably
there
we
have
the
that's
config
or
let's
check
for
docs
objects.
First.
B
Start
is
the
same
like
like
the
servers
yeah.
We
will
skip
it,
we
will
see
if
it
works
or
not.
So,
let's
check
if
it
works,
because
we
don't
use
also
not
ssl.
We
don't
also
need
that.
B
B
D
A
A
D
A
A
Because
I
think
colon,
w
q
and
and
exclamation
marks
don't
work,
you
need
to
explicitly
have
permissions
or
pre-metric.
B
A
Thanks
if
it
works.
A
Currently,
trying
to
understand
what
we're
doing
now,.
B
B
B
So
what
we
internally
missing
is
that
we
missing
the
all
right,
open,
ready,
connect,
find
id.
A
B
Yeah
now
we
need
to
probably
explain
in
high
overview
what
we
want
to
try
to
achieve.
So
I
will
draw
a
small
diagram
and
then
we
will
fix
it
in
the
next
week.
B
Hopefully,
oh,
we
will
fix
it
in
the
next
video
control
to
cross
yeah.
So
coming
back
to
my
mirrorboard,
so
let
me
check
with
some
players
for
that
yeah
cool.
So.
B
So
actually,
this
is
our
juvenile
cluster.
So
and
now
what
we
you
know
sometimes
I
know
bringing
this
into
pictures
would
be
a
fun
try.
B
B
And
what
we're
trying
to
achieve
is
that
we
want
to
connect
our
api
server
literally
to.
B
To
gitlab-
and
I
will
change
controllers
a
little
bit,
so
it
makes
more
sense
so
and
for
that
case,
what
we
need
to
do
is
because
the
api
server
doesn't
can
speak
directly
with
gitlab
as
open
id
provider.
B
We
need
to
tell
the
api
server
first
in
the
first
step,
go
to
go
to
dates,
ask
there
for
the
user
and
afterwards
dex
will
ask
instead
of
reduce,
we'll
ask
the
clip
for
the
final
user
so
that
I
can
authenticate
against
it
so
and
currently,
as
user
as
person.
What
we
are
doing
is,
we
are
only
speaking
mostly
with
just
another.
B
We
will
speak
only
with
the
with
the
api,
so
so
we
don't
know
that
dex
is
there
that
we
don't
know
that
git
club
is
there
literally.
We
know
only
that
we
want
to
authenticate
and
against
gitlab,
and
so
for
that
we
have
the
user
with
internal
ctl,
and
for
that
we
do
this
flow.
So
really
our
identity,
identity
provider
is
okay,
is
a
skid
lab.
B
And
we
want
to
authenticate
and
then
stick
clap
with
that,
so
that
we
can
use
this
user
with
a
beer
token
instead
of
tls.
But
for
that
because
it's
a
security
protocol,
it's
an
authentication
protocol.
It
requires
security,
for
that
it
shouldn't
be
good
that
we
speak
http
over
that
we
draw
them
probably
using
information
to
delete
over
the
internet.
That's
also
the
reason
why
we
need
to
speak
this
in
some
secure
ways.
B
So
for
that
we
need
to
do
only
https
ports
here,
https
and
also
here
https,
and
for
that
we
need
to
leverage
the
next
week.
We
need
to
leverage
text
with
an
external
with
the
server
manager,
so
the
textual
speech
https,
because
then
this
can
also
be
verified,
and
then
we
are
have
the
option
to
use
all
the
users
there
to
authenticate
against
that,
and
mostly
we
can
also
the
true
part
about
this
is
when
we
open
between
the
text
documentation.
B
B
A
I
think
that's
a
great
idea.
The
the
thing
which
I
need,
or
probably
others
also
would
appreciate
a
recap
what
we
did
today,
because
I
think
there
were
many
not
next
week
then
so
we
do
a
little
recap
what
we
did
and
and
then
we
were
aiming
to
fix
the
https.
B
Yeah,
I
can
start
with
a
short
video.
What
we
did
today
and
mostly
I
repeated
the
next
week
so
already
what
we
did
is.
We
did
the
authentication
part,
but
we
did
this
only
with
a
tls
certificate
so
with
a
private
key
in
terms
of
instead
of
a
real
username.
So
we
don't
use
an
external
user
and
we
did
for
authorization
part
with
airbag.
B
So
this
is
airborne
really
and
we
created
different
authorizations
models,
so
we
used
a
row
binding
to
get
access,
for
example,
for
our
developers
group
in
the
everyone
can
contribute
namespace
and
also
the
same
for
the
cluster
role,
so
that
also
our
admin
has
general
access
to
the
cluster
yeah.
Mostly
next
week
we
were
focusing
on
the
authentication
part
of
open
id
with
k3s
yeah.
A
B
Too
much
okay,
not
too
much.
It
was
a
lot
of
to
capture
yeah,
but
we
repeat
it
next
week
in
the
first
five
ten
minutes
and
then
going
back
into
the
openid
topic.
A
And
we
also
have
the
recording
in
the
live
stream
to
like
scroll
two
times
fast.
Now
the
blog
post
will
be
ready
soon
and
probably
yep.