Description
PRs for code freeze:
* Remove insecure serving: https://github.com/kubernetes/kubernetes/pull/108953
* Webhook: https://github.com/kubernetes/kubernetes/pull/108838
* leader migration: https://github.com/kubernetes/kubernetes/pull/108016
* Kubelet credential provider
  - Node e2e test PR: https://github.com/kubernetes/kubernetes/pull/108651
  - Graduation to Beta: https://github.com/kubernetes/kubernetes/pull/108847
A
All right, hey folks, this is the bi-weekly cloud provider extraction migrations project. Reading, given code freeze is a few days away, I figured it'd be good to spend this time reviewing PRs, talking about PRs that we want related to the whole extraction effort and whatnot. I know Nick has a few PRs.
A
If anyone else has PRs that they want to go over in this meeting or just talk about, or you want them reviewed and just putting on people's radar, please drop them in the agenda. Go through them.
A
Okay. First, this is removing the deprecated insecure serving.
C
So I just came across this when I was working on the webhook stuff. I don't think we set a date for removing it, so that would be kind of the con, but it is marked as deprecated and, I believe, pretty much every other component has removed their insecure serving stuff configuration. So I thought I would at least propose it, and we can either remove it in 124 or set a date, or instead of set a release.
A
Okay, because yeah, if it's that long and we already know that kube controller manager deleted a while ago, then I'm inclined to say yeah, let's just remove it. I'm wondering though, like, is it, did you just notice this deprecated and you're removing it, or was there like a technical issue when implementing the webhooks PR around the insecure serving?
C
No, there was not. Well yeah, there was not. I was originally like deciding whether or not to add it to insecure serving, you know, because my original implementation was essentially adding it to the secure serving handler that's already there. That's changing, which we can talk about for the next PR. But yeah, I just noticed it and then figured might as well rip it out.
A
I have no objections to this, but yeah, probably good to maybe get like Walter's opinion on it too, because he's more familiar with the, with that area of the controller manager. So I will poke Walter about that. One yeah, let's go over the webhooks PR.
C
Yeah, so this one, I'm finishing up the addressing all the the comments that you had. So basically to summarize, there were some some things you pointed out that I'll I'll fix, like, or maybe it was Walter, but just making sure to, you know, make sure the flags can disable the webhooks and all that.
C
But the big thing is the sort of, the alpha shortcut that we were talking about, where we would add the webhooks to the secure serving port that's already included, which has healthz, it has configz and it has metrics. So there's kind of an interesting problem with that which is going to force me to create a new secure serving configuration and serve it off of a different port.
C
So the API server calls to CCM and then CCM calls back out to the API server, and that only would work if you had the same CA configured for client cert auth and for the API server proxy client. But as it is now, those are, in almost all setups, those are different CAs, and that's how you, like, that's the secure way to kind of configure stuff.
C
So what happens is the API server treats itself as system:anonymous, and then you would have to create an RBAC rule for system:anonymous calling on that webhook path and allow that, which I suppose is possible, but it is kind of pretty undesirable. So I'm almost finished adding the additional secure serving configuration and a couple flags for that, and I'll have that updated hopefully today, but that's kind of where it is right now.
A
I think I got like half of it, but no, that's just, I'm just a little slow today. But yeah, I think I understand what you're saying, yeah, and so you're basically saying, like, to avoid all of that.
C
Yeah, I think the crux of the issue is just that the CCM has to call out to the API server for authentication and authorization on that existing port, and I tried a couple of different things, but I think the only way to really get around that is using the same CA, but that's not going to happen forever for all setups and most setups. And when I say same CA, I mean the API server client CA and the API server, like, proxy client certificate.
C
So those would have to be the same, and then the API server could essentially authenticate itself. But there's no reason to do that. Really, we don't want that sort of authentication. We want a different handler that doesn't call back to the API server and just allows requests on the webhook.
A
Okay, yeah yeah. Personally, I need to give it more thought. Anyone else wanna chime in on that one?
C
Yeah, it's in this webhook config. So if you go back to the description of the.
C
I was testing it with our cloud provider, so you can see like I've added a webhook here and you just kind of pass it in with this webhook config struct.
A
Cool, okay, so yeah. I guess.
A
Yeah, let me know when you've updated it to add the separate serving port, or just like whenever you think the PR is no longer like a work in progress. Maybe, I'm wondering like if we want to do like, actually, like a live review together.
C
So that could be pretty efficient. I think that's a good idea, yeah. Let's sync up on when, maybe tomorrow, sometime tomorrow.
A
All right, Joe, do you want to talk about the leader migration?
B
Yeah, we were trying to figure out if we should flip the bits instead of this GA. I remember from previous discussions we'd wanted to get a signal from other teams.
C
Right, yeah, I think I commented on the v1 types PR and I just said, like, is there like, as far as I know, most of the testing has been done by us, the cloud providers, and not a lot of users have actually done this migration in the real world.
B
I think all the people that we know we could convince to try and use it have done that. If there's somebody that's convinced that we're going to be able to get users to do something, and there's something concrete that we could use as the goal post to know that we've done that, I would be game for that.
C
I'll say, like, EKS is going to use it in our migration to 122.
A
I mean, I do think that we're allowed to add new features and enhance the existing thing or, like, add on to it. I think really the concern is like breaking changes, like if we went to this release and then later we're like, oh, there's a breaking change we really want to make, we wouldn't be able to do that. But, like, right, I don't know, like I'm not sure, like yeah, like I can't think of.
A
I can't think of like a, well, like all breaking changes, like you don't know you want to make the breaking change until it's already out there.
A
I can't think of it, and like it is true, like Gerry was telling me the other week that, like, we have a lot of flexibility with the internals of the implementation and what happens inside the components. We just can't make breaking changes to the specific config API, which maybe is not the end of the world.
D
So the one, and I know this is a silly thing to get, but the one thing that concerned me a little bit with the v1 change was removing the configurable leader election resource option, and I understood that there are a few folks from another SIG who came in and were like, all of the old flags that we use for doing lease or leader election, like config maps and endpoints.
D
I'm just not convinced we're not going to find a reason to want to move from lease to get something other, especially, you know, the more generic version of this, which is saying, hey, I want to be able to move any set of controllers. As examples, I could see where you might want to do something like support a CR or even an aggregated endpoint if you wanted a different back end. So I'm just not, the one thing I will say is I'm a li.
B
I think that's fair feedback. I'm not a huge fan of config maps in general, so I'm not gonna miss it, but I mean, one thing is, if we do find something better in the future, there's nothing preventing us from adding it to a v1 API in a backwards compatible way.
A
I mean yeah, and I tend to agree that we have this, I mean we have this chicken and egg problem with, like, this whole cloud provider extraction thing. Like, we're not going to have the whole user base coming in complaining about the fact that we remove cloud providers until we actually do it. So, like, at some point we have to like kind of bite that bullet, so.
B
I think the bigger picture is, if we keep the things that you need to do finish the cloud provider migration beta, I think we are continuing to push out, like, when we're able to say we're done further. I mean, if we're okay with that in this case, that's fine. I just want to make sure that we have, because we kind of have to have like a go/no-go pretty much today on whether or not we're going to make that code change and try and put it in.
A
Yeah, it's not like meets where it knows that you said something that raises it puts it down for you, but yeah. I mean, I think I'm convinced, right, like, because, yeah, like Joe was saying, like, it doesn't require a round trip, and it's just a local config that you convert to an internal type. It seems like breaking changes are unlikely, or like, I can't think of a change where we'd be backed into the corner, so I'm a plus one to try to get listen.
A
I, Michael, I know that you were mentioning like working with some Azure folks as well to try to gain adoption on this. But I know, like, maybe a short notice and.
E
Yeah, like I haven't heard anything from Bridgette back yet, you know. Basically, the problem was that I was having difficulty getting the leader migration to work on Azure with just like kind of a so-called vanilla Kubernetes, right. Like, I thought I would have problems getting to do it on OpenShift using the migration methodology, and that proved to be true. Just the security requirements were, I couldn't get it, like, you know, configured the way I wanted to, so I might.
E
I moved to just trying to like just deploy like a normal kube cluster on ad on Azure and then just trying to run the instructions from the docs, but I was running into problems getting that to work for me, and I started to wonder if maybe it was like my Azure account credentials or something. Like, I wasn't sure if it was actually, you know, the attack that was causing a problem or my permissions on Azure.
E
So I reached out to Bridget about two weeks ago, just saying like, hey, if you've got people there who could just deploy an Azure cluster and like just try this, you know, with the instructions from upstream, like that would be good. But at this point, like, I can't say that I've done it on Azure and give a thumbs up. Like, I just don't feel confident about that. But I don't think it's because the patches are bad in the migration thing. I think it's more because I'm having difficulty operating the cluster.
A
Okay, but yeah, do let us know if you do get around to that. I know, yeah, it's like definitely not an easy thing to test because you have to, like, especially if you're doing it manually.
A
Okay, and then just one more thing that I'll add is, for the kubelet credential provider, we merged the PR to add node e2e tests, and graduation to beta was approved today.
A
So yeah, we merged PR to add node e2e tests with the dc remote runner, and then there's a PR to promote all the types in the beta and promote the feature gate. So this should be merged soon, but yeah, if anyone wanted to make any more changes to this feature before beta, maybe some, like, a few days. So let me know. Walter, you have a hand up.
D
And I'll put it down right now before I go to anything else. I was going to suggest it might be good if we could try to get a couple of volunteers to ensure that these tests are running.
A
Yeah, that would be really nice to have. Like, I kind of took the path of least resistance and just bake everything in the main repo, but we do have a Prow job that is running it and passing, so like, that's good. But I agree, like, if we have it externally running on the other providers, good.
A
Oh, so also Walter, thank you. Mick and I were thinking it'd be a good idea to do a live review of the webhook PR sometime tomorrow, just because we're close to code freeze and there's a lot to review, so might be good to just do it in a meeting.
D
Love it. I'll try and get it reviewed myself tonight, and then yeah, we should make sure to send out an email and put it into the Slack today, so people can plan their time tomorrow.
A
Okay, and oh, one more thing: I sent an email up to the SIG about changing the meeting time for this, something a bit earlier that's more Euro friendly. I think only Michael was only one who kind of had like a veteran for the time. So I'm just gonna go work with that one. I think it was like 12:30 or more.
A
All right, okay, let's, I think we're over time, so we'll go into see everyone tweaks.