From YouTube: Kubernetes - AWS Provider - Meeting 20200221
Description
Recording of the AWS Provider subproject meeting held on 20200221
A
Hello everybody, this is SIG AWS office hours, or the bi-weekly meeting, or provider AWS. I am your host, moderator, facilitator, Justin Santa Barbara. I work at Google. A reminder: this meeting is being recorded and will be put on the internet, and to be mindful. Please avail of our Kubernetes code of conduct, which essentially boils down to being a good person. I have pasted a link to the agenda in the chat. I will replace it right there. We do have two items on the agenda, but nothing else on the agenda.
A
Please do feel free to add your name in the attendees section if you would like to. It can be helpful for people watching the video at a later date. And if there are topics that you would like to discuss, please add them at the bottom of the agenda. Yes, I'm sure we'll get through our agenda, but then we can be sure we don't forget.
A
Optionally. All right, then I, we will proceed with our agenda. Nick, you have the two and only items on our agenda. First, two and only items on our agenda. Do you wanna pick us up for the testing account one first?
B
Yeah, so I figured I'd just bring this up in the meeting since we've been chatting about it a little bit. So the background is, there exists a CNCF testing account that is used for, I think it's, it might only be periodic jobs right now, for, is that true? That's true! Yes, okay, so it, it does run periodic jobs and.
A
That's true. I just realized technically the kops PR jobs do run, but yes, for Kubernetes. Okay, so the.
B
kops jobs as well. So, so I personally want to add both periodics and pre-submit jobs to the external cloud provider repo, so that should be happening fairly soon. And then separately, Andrew Sy Kim, one of his co-workers, is working on some.
B
I think it's something related to IPv6, and he also wants to add some sort of jobs to a testing account. I guess now I have two options. I could add them to the CNCF account, or I could add them to, apparently we have this other internal account, which, the pros of the internal account are I don't have to worry about the, the funding, but the cons are that only Amazon employees have access to it. So, ideally, I think the CNCF account would be better.
B
If there's other concerns, we can always do the, the internal one, but yeah. I just wanted to throw that out there and we can kind of finish our discussion here. Justin, if you have thoughts.
A
Yeah, I just wanna, like, the, the CNCF account is, is actually funded by Amazon as well. So thank you to y'all for that. The, so it's not like, it's not like CNCF is shelling out, as it were, and from that point of view, as long as, as long as Amazon is willing to continue funding the CNCF account, I don't think they would, like, mind having more money go, like, more spend there.
A
I think the spend is actually pretty low right now anyway, because we've turned off most of the pre-submit. So it's, I didn't make it clear, but, like, kops does run on every PR; they run on Amazon. So there is precedent for non-k/k repos to, to run on every PR, and that seems to work fine. The, we have some tips and kops which we can share with you about, like, not running head, tip of, of k/k.
A
If you want a little bit more stability, actually Peter did a lot of that work, and so I can probably, like, fill you in on that. But also CAPA, Cluster API Provider AWS.
A
We just created a whole new set of sub-accounts under the CNCF account, I'm probably mangling my words, but that are dedicated for testing. As long as we get the okay from the CNCF, I think we can create more of that nature. I don't know. Actually we might just be able to continue to share those same, that same set of. Getting a lot of noise from your mic. Thanks.
A
Sorry, we don't want to share that same set of 10 accounts. I think it's 10 accounts. Like, share that pool with other jobs running on Prow. I actually don't know if we can not share them, but so I think you can certainly use those. Before, we just give a heads up to the CAPA folk in case they are concerned, but it seems pretty reasonable to reuse those accounts, and I actually don't know if we can not reuse those accounts. We should probably just check with CNCF and then.
A
Finally, there is a move to put more of this under open and transparent CNCF management in the Kubernetes working group k8s-infra, which is, has a git repo called github.com/kubernetes/k8s.io, which is perhaps a little confusing, but that's what it is. And I did not, I created the, the 10 accounts under, using a bash script, but I, I spoke to them on Wednesday around their weekly, bi-weekly meeting about putting those scripts.
A
What we should do about those scripts, whether we should, like, keep it off the books or whether we should, like, put it in the management in there, in their repo, and we agreed that we should actually just put it in their repo so that it will be transparent, and, like, there's no reason to, as long as we don't commit the keys, there's no reason to, to hide it. So we're not gonna give it the keys to it, but we'll commit the scripts that produce the accounts that produce the keys.
B
A
10 is big, but not too big, and the reason was that kops and k/k originally would, was able to share an AWS account, and I think still does. So there is, there was, there is, like, one, like, shared editors account where a bunch of tests would run and has very high quota, and it relied on the installation tools that ran in there being cooperative with other tests that ran concurrently.
A
The CAPA one didn't want interference between tests, didn't want to, like, have that happening. So essentially in the CAPA model, or in this model, which is the same model that's used on GCE testing.
A
You check out a project for the duration of your test and you give it back when you're done, and a, it's called a janitor, runs and basically, like, nukes anything that's left over when you're done, in theory. So it's pretty, it's a nice design, I think. And yeah, and so there are 10 accounts so that we can run up to 10 jobs in parallel across the entirety of the fleet. As.
B
A
Do you want to, yeah? We could certainly, yeah. I think, I think putting them in a pool is, is a, using the pool, using a pool is a good idea. One of the things it drove, one of the things that sharing the account drove was like.
A
You know, you want the cloud provider to work if you're running two clusters in the same AWS account, so it sort of forced us to implement that correctly, hopefully not, knock on wood. But you know, you don't necessarily have to be testing that, and certainly we do see flakes where, you know, like, you run out of, particularly when you run with, like, IPs or whatever it is in a particular region, because you just happen to get, like, five tests that all ran in that same region at the same time, whatever it was.
A
So it's nice to have the separate accounts, because then you're isolated and that's good, and I don't think we're actually running that many concurrently at the same time. So I don't think we even need to create more, but we can certainly create more now that we have a script to do so.
B
Got it. So, how does the, like, this janitor thing that you're talking about, so, or how does the check, checking out of the account work, and checking out the project?
A
Yeah, there's a, there's a, the tool that implements it is called Boskos, B-O-S-K-O-S, and that's in test-infra, and there is a, it has a very simple REST interface and it's a fairly simple service in that it, like, basically keeps the state of whether, of those 10 projects and whether they are leased to a test or not. And, like, will eventually, like, time out your lease and reclaim it and do that sort of stuff. But you basically make a REST request and you get back the.
A
I think you get the credentials to use, actually, and you, you then can use that. And I'm just gonna, sorry for the loud type, or what I'm sure is that typing. I'm just gonna create a, it's gonna paste in the.
A
A
B
Would you, okay, probably, yeah, yeah, we would be. And so I'm just, just to make sure that the, like, like us sharing it with Cluster API would go through the same Boskos and play nicely.
A
Yes, I, so, as I was, I was going to have a look at this. I don't know whether, I didn't see a way to say, like, I want this set of accounts versus this other set of accounts, like, in other words, isolation. I don't know whether we need that, need, need. The one thing we do probably want is, like, if you're gonna start touching a new resource which we're not cleaning up, we probably should make sure that the janitor correct, the generator is the recycling thing, the janitor correctly, like, recycles that new resource.
A
I don't, I can't imagine there's any new ones, but yeah, exactly, but if there was, then we should just make sure that it's getting cleaned or recycled correctly.
C
Cool. Given that a test only runs in a specific region, and we, I know that we have jobs that choose a random region to run their tests in, do you need to check out an entire account, or could you check out a region of an account?
A
Yeah, we, we could check out a region of account, but the, the way it's built, the way the Boskos AWS account pool works, you check out a whole account. I think kops doesn't even use the Boskos pool. I think it actually just has a single shared account, and so that's why we randomize our regions and things like that, and so we could try to look at using Boskos.
A
If we wanted to in kops, I, yeah, but I, I, I, it used to be harder to create sub-accounts. I'm not even sure they existed when we first started, or I don't, I don't remember, but so that's why we ran in regions and we ran sometimes in the same region. The, it's now relatively easy to create sub-accounts. Apparently there's a limit, but I haven't hit it yet.
A
I don't know if anyone can tell me the limit, but anyway, well, I'm sure we'll find it eventually, and so we can certainly do that. And then we don't even need to worry about randomizing regions.
A
B
Cross-region. Cool, well, that sounds reasonable.
A
So, so next steps, I guess, are, I don't even know if we need permission. We should just check with, we should look, have a look at that script and see if it's possible to have a separate pool, and assuming it's not possible to have a separate pool, we should just, like, check with CAPA if they mind you sharing the same pool, which they shouldn't do.
A
C
Other than that, yep, sounds good. It'd be nice if project maintainers had, like, read access to the AWS accounts. I know I've had to troubleshoot some of the, we had, when I was setting up the VPC CNI provider end-to-end tests, there were lingering resources that were preventing the next test from starting up correctly. I was having a very.
C
Tracking that down, making changes to the AWS janitor. If, if we had read access to the management console, that could have helped a lot. I don't know if that would be something that we could do. It's.
A
The, the sub-accounts are very disposable, as it were, like, it doesn't really matter too much about what happens in them. So I, I think we certainly could give read access to those sub-accounts. I think in the main account we have to look a little bit more closely at what's going on in there, but we could do that.
B
Should we, should somebody write a short proposal, not like an extensive one, but just something about how we want to manage the accounts, like something to the, like, you know, like, you're doing everything right now. I don't know how the, the governance is supposed to work of this, but.
A
I am, I am going to send a PR to the working group k8s-infra, which will include the scripts I've been using to create those accounts, and I think the intent is that that group will essentially, like, take on questions of governance and management and that sort of thing. I don't know if you have any particular concerns that you want to pre-address.
A
But I mean, there's, like, there's, there's two things, right: there's the mechanics of, like, how do we actually create these accounts, and then there's, like, who should be allowed to ask for a new account, that sort of stuff. And I think that the sort of, like, rules is, is probably, like, working through k8s feels like the forum for that, and I think the scripts are, I have some crappy scripts and we can put them, upload, upload them and you can rip them apart.
B
More like, for example, I, I believe, so one of my co-workers was, was troubleshooting some issues a while back, and so he, so we figured out that we have credentials to the CNCF account, and so we stored that in Secrets Manager just so that we, you know, have that access, but, like, you know, how do we?
B
A
Yes, and so the, the, this is exactly what working group k8s-infra is doing on the GCP side. So there has been a similar lack of process around the Kubernetes resources that are used, or the GCP resources that are, that, that are used for, like, Kubernetes testing, but also, like, things like k8s.io and the DNS, and, like, all this ram, random stuff.
A
That, like, you know, was done as a one-off here and one up there, and no one's quite sure, like, which project is it in, who actually has access, and all this. So there is, there's actually some great stuff going on in that reboot. So far, only for GCP, but it, there are, like, I think they're starting to use more Terraform.
A
There are scripts to dump, like, a list of all the people that have permissions on GCP into a YAML file so that it can be audited, and the intent being that, essentially, it's taking a GitOps-type approach where everything is in git and any deviation from git is, is a, is a red flag. And we could certainly, I think it'd be great to, like, get some AWS experts to help us figure out the best practice on it.
A
But yeah, I think it would be great to have, like, the sub-accounts listed, a list of people who had read-only access to them.
A
So it'd be great to get the CNC, in general that CNCF test account, it would be great to get that under, under management in the k8s.io people.
A
Okay, cool. All right, I think that's good. Yeah, I think my way forward there, does that make sense?
A
I think the, the first thing to do would be to just, let's see if we can just share the CAPA pool, I think. Okay, if you want to just get unblocked on running tests.
A
I think that's, I think that makes sense, and then in theory, you can just, like, send, figure it out with, like, how to run a Prow, figure the Prow job that does this. And Peter has a lot of experience here, and I think CAPA has experience as well, so, like, how to do a Prow job that uses these credentials, and, you know, re-, recycle some of the scripts from CAPA and some of the Prow jobs.
A
So yeah, so then, I think the path there is, like, first step is, I should get the, the ten accounts that were, these ten CAPA accounts, and at least mentioned in their repo, and then we can, like, start to go from there and sort of try to get more and more under management. I think, I think big, great topics bring up in their bi-weekly meeting. They just met on Wednesday, so it's, the next meeting will be in 12 days.
A
It's Wednesday at pretty early, like, 8:30 Pacific, I think. Great, exactly.
A
I tend to go, but yes, it's a little, it's usually a little later in the day for me.
A
B
Let me just mark, put the other action item for talking to CAPA, if you want to give anyone else a chance to talk while I'm doing that.
A
A
Yeah, it would be great to get more of infrastructure under our working group k8s-infra management.
B
GCP, okay. So for this, for the next item, I was, I'm trying to just do, like, one or two pull request reviews for, for cloud provider every week or so. The one that I was looking at recently is, I think I mentioned it to you a while back, but I hadn't actually reviewed it at that time.
B
So I just reviewed it this past week, and it's adding, so when load balancers are created, we, we create a health check for them, and the old behavior was to basically pick a health check port at random, and the idea is that there might be cases where you want to kind of intelligently pick the port that probably is SSL for an SSL health check. So, paste the pull request in the group chat. Do we actually do random, by the way?
B
Which, for the most part, we can derive information about how we want to create this health check based on, I think the, the PR currently says, okay, look at the front end.
B
B
So it's a little bit confusing, but maybe that made sense, made some sense. I'm wondering if it wouldn't, instead of using this backend protocol annotation, which I believe has other side effects, I'm not sure exactly what they are, what if we just had it, two annotations, one for health check port and one for health check protocol, is that.
A
A
I guess in particular we have to be careful about, like, it's a behavioral change, and it's okay to make a behavioral change if the previous behavior was completely broken, right. So if, as long as we're only break, as long as we're only changing the behavior for people that would have had non-working configurations before, then that seems fine. But yeah, when we're looking at, like, so I like your idea, because it can't, if you're adding an annotation, you can't break someone's, like, there's nobody, it doesn't.
A
It can't, can't break anyone, whereas we have to look very carefully at this PR to make sure that we aren't changing a working configuration or potentially.
B
A
For example, API server typically 401s, returns a 401 and an HTTP request, and uses a self-signed cert, and so both of those things would cause, respectively, a htc, a naive HTTP health check and SSL health check to fail. If I recall correctly, like, I don't think with my universe, ELBs, you can say, like, accept the 401 as being healthy.
A
So, but anyway, I, I certainly, like, it, it is, is, I think, the default configuration, for example, for kops and forever like cuba, boys use TCP health checks against the ELB that fronts the Kubernetes API servers.
A
Precisely because of this problem, right. That is an important one.
B
B
A
A
Look at these, like, the weird, like, edge cases of TCP plus SSL and all this stuff, yeah.
B
B
A
There are a lot of, there are a lot of paths and there are a lot of annotations at play, like, there's a lot of functionality in there.
B
Because if nobody else has anything, just as a side thing, for, for KubeCon EU, I think you did say you were going. Yes, we should do some sort of an informal, yep.
A
Yeah, that'd be great. I think that worked really well, uniform one worked really well at the last KubeCon in San Diego, in my opinion, and so I think we didn't do one for cigarettes who did one for a different sub project, but I think, I think it was great, and I think, yeah, we should try to arrange that. I guess probably during the main week would be better than during the, like, the first day.
B
Well, let's say a lunch. That's easy! Lunch is good. Yes, all right, shall we pick a day now, or should we do some kind of a.
A
Why don't we have a look at the calendar and see if it clashes with anything, and then, like, pick a, pick a day and do it, discuss it in Slack.
A
It has, I think it does. It also has, like, informal surveys where you, like, using a mode emoji for each of the different days or different options, so.