From YouTube: sigclusterops 20180315
Description
Kubernetes SIG-ClusterOps Meetings for Thursday March 15, 2018.
You know, the widely published CVE involving subpaths, and then there's also the 1.10 feature here. Sorry, the 1.10 release is coming up next week, so it's gonna... see if anyone wanted to talk about feature review on that, or that's gonna be something we do in a couple weeks, and then I've been going through and putting together some stuff on certificate management.
If you get effectively a slash inside of your volume or inside of your container. I could have that one wrong, but that's how I read it, and some of the code I know goes in and explicitly looks for symlinks and starts to ignore and download them, or actually error on them if they show up when the pod is realized. So yeah, that was kind of an interesting one. I know there was another. There was a bug that pertained to this after the fact; I wanna say it's referenced in six-oh-eight-one-three.
The couple other links, you know, release notes, draft changelog. You know, trying to go through all the changes in the changelog is a fun one; trying to keep stuff summarized, it's impressive, to say the least, so kudos to the teams who are summarizing all the docs, because the release notes draft has got so much in it. I will say: I did notice this on the official issue tracking bug. I'm sorry, the tracking issue. As of yesterday, the overall status is crimson, and the release is supposed to be Monday.
Yeah, yeah, I want to say they were, like... maybe I'm remembering two days ago, but I'd like... there's 19 open issues which could cause it... or, all set, multiple unclosed issues which are sufficient to block, and even as of yesterday or the day before, 19 open issues. This seems like it's going to be a lot. I think part of that is the... this is a larger release, and most just given the timing, because we had the 1.9 release at the beginning of December and then that's one at the end of March.
So a couple of things that are interesting to me; you can talk about them. The kubelet TLS bootstrap went to stable. You know, dynamic kubelet configuration, where that's stored as an API object with the data. Pod security policy beta. Token request API went alpha; this one I kind of found interesting. CoreDNS actually got pushed to 1.11 from a default standpoint, but I think it's in there.
It's kind of extending upon, but also replacing, the service API. Sorry, the service account items, just largely for the mounting and sourcing aspect, but it's meant for... you could get the tokens without having to be a service account. Anyone who has authorization to get a token can have the token get generated for it by contacting the API, so.
Alright, so this one is all for me. I started putting together a little bit with regards to what I've been running into with Kubernetes certificates, and I will admit I hit some blocks from the standpoint of timing, so this is incomplete, especially in one area around the aggregator service and authenticating proxies, which I find really interesting, mainly because I just... I think trying to follow it's a very hard thing to follow.
Talk about how to get certificates, other than mentioning some stuff, bootstrap TLS, but there's definitely alternatives to that to be done. This is really just a... these are the certificates that are a bit better there, or what I can use certificates... and these are some things you might want to separate out... is what the target is, so going through this, I found this kind of interesting. Is somebody opened an issue of, you know, five or six?
Sixty-five: CA certs, keys for API servers are incomprehensible, which I kind of found funny, and then noticed that, hey, this might be a duplicate of 1104, eleven thousand... eleven thousand, which was opened on July ninth of 2015 and is still open. So I'm gonna go and say that this is not a solved problem. I don't know if that's just me, but that's kind of my feel for it.
You know, primary Kubernetes services, basically everything that has a configuration item that can be pointed to is what I'm referencing here. So we've got stuff like the API server, obviously, with the material that is, and then, you know, all the extensions from, to, and from the kubelet, all the scheduling plane items, etcd, external providers, users coming in.
So jump into the first one. There's... obviously, the data is stored in etcd. It'd probably be good if that was secured in some way. So take a look at this API server. It has an etcd CA file, cert file, key file, because they're all about it being a client to etcd. I would argue, for most security best practices aspects, this CA, let's use the etcd CA file, needs to be an independent CA from...
I'm sorry, I apologize. Taking this step back. Talking to etcd, which means two parts: it's mutual TLS. etcd supports mutual TLS, so the client has to authenticate itself, which is what that cert file and key file are for, and then the API server needs to trust that etcd. You know, etcd needs to authenticate itself, which is what the etcd CA file is for.
What I meant to say was where this etcd cert file comes from, i.e. the cert which the API server uses to authenticate itself at etcd. That really should be its own certificate authority hierarchy, a separate trunk, new trusted root kind of thing, because etcd doesn't apply any authorization on top of the certificate chain validation, unless you add additional authorization headers, which are... and I don't think the API server implements.
It's not a single certificate authority file, so you can put multiple certificate authorities in here, so you can, if you're doing, like, rotating your roots, you can rotate them, or you can add a new root to this, distribute that file, then update your etcds, and you'll have basically a non-impacting change.
Obviously, when you restart the etcds and everything there, every change there'll be impact, but, you know, brief impacts versus having to take the entire control plane down, rotate all certificates, and all back. So that's kind of usual. Oh yeah, and then all of this out, that's one of the things I've done really good. All of these use certificate bundles; there's a certificate bundle file rather than just straight certificates.
What needs that, and that's the majority of these connections that you'll see. So there's involved similar kind of things, but these are from the API server's perspective, the server side instead of the client side, so this cert file and private key file are for it authenticating as a server, and then the CA file is to authenticate the clients, versus when they're talking about... to do is flip. So this is what we normally see.
There's also a recently added configuration option for TLS SNI cert key, which allows to be able to use different options when presented with different SNI items, which might come into... and I think from the standpoint of, oh, we need to put a load balancer in front of our API servers, which has a different key, so we'll... there's a different name, so we'll make sure that's there, rather than sticking everything in its SAN name certificate. Chris.
Hard to do, but yeah, it's... yeah, so there's a huge trade-off. CA, clients, API server's normal auth, that use case. The API server to the kubelet is that it has a separate set of configurations on the API server, which is how it talks to the kubelet, and again, this is much like the etcd configurations where, as you know, the certificate authority that it's using here is great to validate that the kubelet that it's talking to is authentic, and then the client going out, it uses the kubelet client certificate and kubelet client key.
Yeah, the thing that we ran into when we saw this before was that the kubelet didn't have a way to have multiple certs, and so, if you needed to do a rotation, right, to do a rotation, you actually have to propagate the new root in parallel with the old root, and then so you have to fully propagate the new roots. So the kubelet has to be able to support that. It has two different roots, and this, it's possible.
A factor: kubelet to API server, so the kubelet was the client, the API server was the host, and the kubelet didn't have a way to say, oh, I have to... there's two possible CAs or TLS trusts, basically, in that relationship. So you, in a word, is to rotate the API server, you had the whole system and had to go to... it was basically any of the kubelets left behind were down, and there was no way to, in advance, give them the trust. This, the root, gotcha.
And I think that it may have been one thing: was, you used to have to specify those command-line argument trusts and using kubeconfig, and I think... whichever do that? That's when I resolved it, but it didn't necessarily fix the issue on the command line, but switching the entire subsidized amount fixed it. It would be my bad, I think.
Check from the dynamic API or the dynamic kubelet configuration, if that's still there; that's got to be there ahead of there, because it's got to be able to talk to the API server, right? So anyway, API server has options for it to set up to talk to kubelet. Kubelet as a server needs to have some options where it's providing its key and cert, or if you're using TLS, yeah, if you're using TLS bootstrapping, it takes the cert there. That's a place for where to put its certificate, rather than an action, rather than individual options.
But the controller manager also has the root CA file, which does need to be a valid set of CAs for your API server, because that gets mapped in with whatever is using service accounts, the CA PEM, and, if you're changing that, you have to make sure that goes through. So when I was... I had to roll my root certificates at one point, I updated this file in controller manager, but then I did have to go through a...
Every pod which used a service account needed to be restarted because it needed to get the new CA file. Ouch. Yeah, I mean, on the plus side it allowed for multiple certificate authorities in there, in the bundle, so I could do it on my time, but it was one of those: had to watch based on when I did my new certificate authority file, and look for anybody who is using service accounts, and then restart them, and just basically get a window to it. It's...
This is one of the areas that I'm still investigating; if anyone has any clear ideas on this, it'd be great, but I'm kind of opening it up to the audience here. How many of you guys played with the aggregate API? I'm... not enough, okay, so this is... this is one of the things that I find really weird too. Let's ignore your aggregate API for a second. There's something called the authenticating proxy, okay, and that's what the proxy client cert file and proxy client... er, I'm...
Sorry, sorry, sorry, this is my bad. The requestheader client CA file and the requestheader allowed names. These are used anytime you want to do an authenticating proxy, which is basically the API server saying: I will trust headers that come in from this request as the authentication for who's using it. So I'm going to trust this proxy to send me headers, and I will use those headers in place of my current authentication mechanism, so that part makes sense. You can put these proxies in front.
You can, you know, have them run HTTP basic auth if there's a way to type that in from kubectl or whatever, but, you know, you can have them run basic auth. They can secure it in a different way. So if you have any, like, corporate proxies that you use, you can actually, you know, inject them there, totally.
The interesting thing that I've seen is, on the aggregate API, it says that you need to set up the request headers, but you also want to set up the proxy client stuff. The aggregate API currently is bundled in the API server and makes requests out to the API extension server. When it makes those requests out to the API extension server, it's using these proxy client configurations to tell that other API server, hey...
This is who I am. I don't know where the requestheader stuff is used by the aggregate API server. I can... it sounds like that's only for incoming requests to the API server, not outgoing requests, but it's still there. So I got nothing; I'm gonna keep digging into that one, but the documentation seems to be very hard to find out on what is actually happening there.
A last couple things. TLS bootstrapping: the big thing here is that you need, including your controller manager, a certificate authority, or at least a certificate and key for signing. It should be a certificate authority since it's signing, but again, not completely clear that this has to be a CA just based on the configurations. Where, you know, the additional considerations: alt names. All server certs have to match all possible names of the connection. So, you know, it might have to be the IP that's used. It might have to be the internal cluster name.
It might have to be your mapped-through-type load balancer, your custom name. Any of these that show up need to be there if you're doing TLS termination all the way back, which always gets fun because you'll do it for a bunch of stuff and then forget that you let in another path, and not work. And then the other thing that I've run into is, as of Go 1.10, all certs, including CA certs, have to have valid DNS names if they are using DNS, as a DNS SAN.
They added additional validation in the underlying x.509 library, where it's actually validating the SAN, which means they have to look like a valid DNS name, which makes total sense. But what you'll see if you look at a lot of the root certificates is they don't use a DNS name for the certificate, for the common name on that. And if you get the... sorry, depending on what you're using to issue your certificates, it automatically copies your CN over into your DM name, sorry, into your DNS name, as a SAN, so it's kind of fun.
You have to go and explicitly exclude those, or change all of your common names so that they match DNS names, or you just don't build anything. You can't go to 1.10, right? Wow, which is kind of weird going upstream. Like, we ran into a problem: Helm 2.8.1, the official release, was a Go 1.9 build; Helm 2.8.2, official release, built with a 1.10 build, and this isn't like... it isn't in the release document that they switched Go versions, because it shouldn't matter.
And that one I kind of find interesting is, if you're using private certs or corporate certs everywhere, like, I don't know what their answer to the use case of: we don't want to distribute our certificates in other places, because that means you might start... you might leak internal information about, you know, service names, host names into your certificate.
This is the same format that can be used to configure... is that when you talk to a remote webhook, this is the credentials you use, and then on kubectl and kubeconfig options for, like, OIDC, some of that leaks into those as well, where you need to put these certificate authorities that you're using to validate, or to verify, in those, and that is it.
Good job. You can do... try and set these up somewhere, so they can contribute to the issue. Yeah, I...
...was thinking about, I mean, I think this is kind of sketchy with kind of setup, but I want... I want to get this diagram better in the notes. Think about posting the diagram to the issue and being like, does this make sense? Yeah? It was just something that we should pull into any of the documentation, because that's one of the biggest things that I run into a problem with, especially around the kube-aggregator; I cannot find any diagrams for that data flow. There's descriptions some places, but there's no diagram.
So, what I would suspect, without... I'm gonna have to dive deeper, but on the surface, I'm sort of... my cryptic comment earlier about operators, finding operators, is: we have a lot of these at-scale MSPs now offering your managed Kubernetes, with Amazon, Google, Microsoft, IBM, others, and there's going to be API needs that they have around managing kube like that, and I would... if you frame that API from their perspective, it might help eliminate some of the whys like that.
If you send them up, I'll try to pull them in, because one of the things that's missing in that is links to a lot of the... yeah, because there are some other good talks on this; like, there was a talk at KubeCon on it, so I wanted to at least make references to those other things. Obviously not what we've shown, but there's not one part today that I can include, yeah.
Had on, man... maybe it's something for, you know, it depends on dollar-sign work, but one of the things, like, I had to document these to be able to do the certificate management in our work, and I have a couple tools that actually do that for us that, if I can get away with work allowing it, I would like to demo.