From YouTube: Kubernetes Community Meeting 20171214
Description
We have PUBLIC and RECORDED weekly video meetings every Thursday at 10am US Pacific Time.
https://docs.google.com/document/d/1VQDIAB0OqiSjIHI8AWMvSdceWhnz56jNpZrLs6o7NJY
Speaker B: Hi everybody, this is the community meeting, the last one of the year for 2017, post-KubeCon. We rolled off an awesome conference, so hopefully everybody's well rested for the new year, so we can start on some awesome features and things for next year. Just a reminder that this is being recorded and also publicly streamed via YouTube, and we do have a full schedule today. We also have a new addition to the schedule, which is chart of the week, which is from DevStats, and our first.
Speaker A: And this is a presentation and a demo of our solution for running VMs on Kubernetes clusters. First of all, what are the use cases for that? It's of course running applications that can't be easily containerized, such as non-Linux systems, which can be, for example, some kind of BSD, or for new stuff, for example unikernels.

As a CRI implementation, the VMs are pods; you can build objects out of them, such as a StatefulSet, which can be useful. For example, for this use case you can use your familiar kubectl commands to work with your VMs, and Virtlet integrates closely with the cluster network with support for multiple CNI implementations, and you see the pod IP inside your VM.

It has extensive support for cloud-init, so you may use it to make your VMs behave the way you want them to. It's also easy to deploy the CRI proxy package. You don't have to make the deployment of nodes that run Virtlet. That's very special, because the CRI proxy allows you to run Virtlet as a DaemonSet and also have...

So here you can see an example of such a pod; it has some annotation and image prefix for this multiple-runtimes, CRI proxy feature. You can use your typical commands to manipulate this pod. We even have kubectl exec at some point, but for now we have create, delete, attach, logs. You can mount some volumes into your pods. This includes secrets and config maps that actually get injected using cloud-init, and also there's some Virtlet specifics: we support flex volumes, which you may use to add some Ceph or raw devices to your VMs.

Next, as of networking, as I already mentioned, the VM pods are first class citizens in the cluster network, so the pod IP is used inside the VM. You can use Kubernetes services that target VMs. You can use TCP and HTTP readiness probes and, besides the usual popular CNI implementations, we support some more exotic stuff, like OpenContrail. We have service support, and it works. We support CNI Genie for people who might need to run several CNI implementations at once.

We can create it. So, sorry, it's already created here; I did set up the environment to make it a bit quicker. I have a helper script, so I can log into the pod. It was actually created by just applying the kubectl create command, and here you can see that the IP address of the pod inside the VM is the same as the pod IP, and you can access the internet from there and you can access cluster services.

If we look at the pods that are running in our test cluster, here we see that Virtlet itself runs as a pod. It's on node 1; a kubeadm DIND cluster is used under the hood for this test, it's a multi-node DIND cluster, and here you see kube-proxy, and here you see some of the VM pods running there. So now, let's try something. We didn't actually do any special work to support it, but you can have...
Speaker D: ...container infrastructure like Azure Container Instances so that Kubernetes can schedule it. So it's how you schedule pods without any VM, whereas the Virtlet stuff is actually about how to use scheduled pods that are virtualized on hardware that you run, or the machine is like a dozen different.
Speaker A: KubeVirt is not a CRI implementation, and it's more targeted at being solid support for stuff like migrations and other stuff that you may want to use for a long time in VMs. But if you have something like, for example, unikernels, when you might want to build a StatefulSet of VMs, or if you want for some other reason for your VMs to behave like pods, Virtlet is a better match.
Speaker C: Yeah, can you hear me? All good, perfect. So today I'm speaking about the 1.9 release on behalf of the release team. I mean, I'm just the future lead. Right now the entire team is meeting and Brandon is defining the final status of the release. So, unfortunately, yesterday we had our plan to cut the release, but due to several issues we've decided to move the date to Friday. Right now we have several issues that may affect the release.

At the same time, we have solutions for all of them, so it is expected that we will have the 1.9 release tomorrow, and, if you're interested in the current status, you have a great chance to review the meeting notes right here in the community meeting notes. We have a link to the burndown, and you can see the status in real time. That's all from me.
Speaker H: Let me just click the link. That'll be easiest. I wanted to preload initially, but so it seems like, for the last few months at least, there's been roughly 70 to 80 unique people approving PRs in the Kubernetes repo, so that just gives you a sense of how many people are using the /approve command and the size of our overall approvers pool.

The number of PRs in total in the same pool is around 800, so seven, eight hundred, so on average, if we just took a rough average, that would be about ten approvers per person. However, there's also a histogram type of view where you can see the distribution, and in the last month you can see that quite a few of the approvals tend to come from, like, the top 15 or so people.

So it seems, like you know, even the top three are responsible for a lot of the approvals, so we may be bottlenecked in a few areas, and I also need to investigate still the areas that PRs are coming in. So my question now, after looking at this data for like a few minutes yesterday, was: are the OWNERS files not sufficient, or are these P... well, just?
Speaker I: Alright, I do have a quick question. This is called the chart of the week? Yeah, sorry, the name confused me a little bit, because Helm packages are called charts and Helm is part of the Kubernetes org, and so the name just confused me a little bit when I first heard it. I thought I would put that out.
Speaker J: So I'm gonna cop out and give a little bit of the same update we gave for the KubeCon update. So if you've already sat through that, I apologize, and thank you for sitting through it again. So this update went over a bunch of the features that we've been shipping over the past few releases, so hopefully that'll be informative to people who aren't intimately aware of sort of what SIG Auth is doing. Probably the biggest thing that we did recently is getting RBAC to GA.

RBAC was introduced in 1.6 as a beta feature and recently went GA in 1.8. What RBAC allows you to do is it allows you to sort of have fine-grained permissioning about what pods can access the API or what users can access the API. It allows you to create less privileged users that can't, like, dump all the secrets or something. So that was a huge effort by a few people, specifically Jordan Liggitt and David Eads.

Another thing that we've been working on is the kubelet client cert bootstrapping and rotation. That's a bit of a mouthful, but basically what it means is that when kubelets come online, in order to request unique credentials for themselves, so in order to request "I am this kubelet that is on this node", they will be able... kubelets today are able to create CSRs to the Kubernetes API server.

Another item that pairs well with TLS bootstrapping is the node authorizer and admission controller. So kubelets historically have been able to sort of get any secret in the system, and while that applies to secrets, it also applies to various other things. This is because a lot of our authorization policies don't deal well with "okay, this person is requesting this specific secret, and can I reason about if that should have visibility of it."

So the node authorizer and admission controller lets the Kubernetes API server build up a graph of which node is running which pod, and limit access to things like secrets based off of that graph. So what it could say is that this node is running this pod with this secret, so I'm going to allow that node to get that secret, but if it tries to get a different secret, it's not running a pod that would require it, and therefore I'm not going to give it.

As of some point releases of 1.8, there were some major... not security bugs, but there were major usability bugs with, like, depending on how you set up pod security policies, it might not be deterministic which ones were evaluated. So pod security policies are ways that you can create namespaces where users cannot create pods that mount arbitrary volumes, run host networking, do privileged things in general, and is another effort in this sort of multi-tenancy world of...

We do not want people to be able to escalate just because they can create pods. Tim Allclair and Jordan Liggitt did a huge amount of work over the 1.8 and 1.9 cycles to get pod security policies to a usable state, and 1.9 is sort of when we want the community to start experimenting and really using these, even though they've been beta for a bit. Advanced audit logging is something that has sort of been ongoing throughout a few releases. As of 1.8 it went to beta, and we've continued to sort of work on it.

Since then, the biggest improvements in the audit logging that have come so far is that we actually have formalized the format for the audit logs, so instead of it just being sort of an nginx-style text log of what events there are, instead it's JSON formatted, where we formalized this is the actual API definition of what an audit event looks like. Additionally, we added a webhook to the API server, so systems can now aggregate across highly available API servers or across multiple clusters.

So you can centralize your audit logs to a place where you can act on them. You can analyze them and that kind of stuff. The hope recently is that tooling can be built now to consume this new format. One of the good examples, this is one of the tools that Jordan Liggitt built, called audit2rbac, which allows you to point a tool at an audit log and generate an RBAC profile for a user or for a particular service account. This is a huge improvement over something like writing...

There were a lot of miscellaneous sort of changes over 1.8 and 1.9 to the authorizers. One of the most visible things that users will see in 1.9 is something called an RBAC aggregated cluster role. So for RBAC cluster roles, this feature allows you to create a cluster role that is actually the summary, that's the union of several other cluster roles.

Why this is useful is Kubernetes has a lot of default roles for users. Roles like the view, the edit and the admin roles are intended to be granted to users as a sort of easy way to bootstrap people into the cluster. You can just say: ok, I give that person the edit ability. One thing we've seen with that is that as people add things like aggregated API servers or custom resource definitions, these roles can't refer to them. You'd have to manually go edit them, which is not the best user experience.

So, as of 1.9, the default roles have been switched to this thing called an aggregate cluster role, and if you would like to say that anyone with the edit permission can edit this particular CRD, you can create your own role that has a specific annotation, and the aggregated default roles will pick it up. So it allows the default roles that we ship to now reference CRDs and other types of custom resources.

This is in the planning phase, so you know I have no guarantees about what will actually get into 1.10 or in the future. A few things that we're working on for 1.10, or plan to work on over the 1.10 cycle, is to continue to improve the node authorizer, to be able to lock down further sort of things that we see as possible escalation points. So an example of this is the fact that kubelets often self-report a lot of things. These kubelets have the ability to apply labels to themselves or untaint, and this is problematic.

If you take over a particular node, you could say something like, oh, I am going to change the label, so this is now an ingress node, and you should give me all the TLS secrets, or as people... and also a very common pattern is that people partition their clusters for multi-tenancy environments, saying that these are very specific nodes and you should only be able to run workloads on nodes with this label. So we want to remove this ability from kubelets and do this sort of in a backwards compatible way.

Secret encryption at rest will be getting an external KMS integration mechanism. So right now you can currently provide some encryption keys to the API server, and it will allow it to encrypt certain resources before storing them in etcd. Secrets are a very common one that you would want to do, but you could do this for config maps or anything else.

As of 1.10, we hope to get some alpha sort of integration with external KMSes, allowing people to start writing integrations with things like Vault, Google KMS and other cloud provider KMS services. We also, there are some big sort of plans for overall service account improvements. It's a bit much to go into right here, but I suggest anybody interested follow that link. The biggest thing that SIG Auth is looking at is trying to find ways to get service accounts actually out of secrets.

I can give a plugin that can give me some credentials. If you look at some examples like the Heptio AWS provider or a database client token generator, you have to do some weird things, like bash aliases or that kind of thing. We want to avoid that and just let kubectl be able to call to an external command for credentials.

We also have TLS bootstrapping rotation that is going to have improvements. External authorizers we see as getting improvements in sort of a general timeline, as well as pod security policies, and finally docs. A big thing that came out of KubeCon is that there are a lot of security efforts that are going around in terms of people identifying sort of failure domains and hardening recommendations. We want to formalize those and keep those up to date for the general community. So I think I'm out of time.
Speaker B: All right, last call for questions for Eric. All right, so Rahul sent me a note that he could no longer make the meeting. Unfortunately, something came up. Rahul was representing SIG UI. I actually want to put a call out for him, though: in the slides, and I'll put it in chat, I mean it's in the notes and I'll put it in the chat, is a link to a dashboard user survey that SIG UI has recently created. They're about to undergo some major plans for next year, so your response to the poll would be very much appreciated.
Speaker K: Everybody, so lots of excitement happening in SIG Windows lately, so I will give you guys the high-level updates. So we released alpha last year in December with 1.5, and we're excited to announce that we're going to beta with 1.9. So we had a couple of close calls at the end. So we had a couple of late merging PRs, but the team worked really hard towards the end and were able to complete all our work to make it to beta.

So some of the notable features that are coming in with beta are particularly around the area of networking. So we made a lot of investments, primarily Microsoft, in the area of the Host Networking Service on Docker for Windows Server containers and Hyper-V containers, and were able to leverage that to create a variety of network plugins for Kubernetes.

That will allow our users to kind of take our work and be at least up to par with some of the networking solutions in Linux. Specifically, with 1.9 we're gonna have three network plugins that are going to come out. One of them is an overlay, win-overlay, plugin based on win CNI; we're going to have a bridge plugin, as well as an OVN/OVS overlay plugin. Some of these have allowed you to have a similar abstraction as in Linux, as being able to ship multiple containers in a single pod.

So that was huge for us to accomplish, and then we also have a few more network plugins in the pipeline. Some of them are actually nearing completion, including support for flannel. That's gonna come out in the near future. We would also have an OVN/OVS network plugin without overlays sometime in the first quarter of next year.

In addition to the networking work, the team concentrated on providing support for beta for a lot of Kubernetes existing features like config maps, secrets, volumes and Windows CRI, and all performance, pod and node stats are coming out, as well as support for autoscaling. So all of that kind of brings us to today. We are super excited to get this feature to beta and get it in the hands of customers and start using it and standing with next year.

We know we're gonna have to fix a wide variety of bugs that are going to come out from customers, as well as we have some big ticket items that we need to address, including adding an end-to-end automated testing pipeline of Windows Server containers for Kubernetes. So that's one of the things we're missing today: like, we don't have automated tests across the board for Windows, and we need to add that. That's all the updates that I had from the SIG.
Speaker B: Thanks so much, Michael. All right, so we're moving on to the announcement section. We do have a few announcements. First, we are not meeting next week; we're actually meeting the week after. So please just take note of that. As always, our calendars are on kubernetes.io/community. Next announcement is that there is a new working group. It's Working Group Multi-Tenancy; the readme is located in the community notes for today. They also have a Slack channel and a mailing list. Please feel free to join and contribute if you see fit.

Last week at KubeCon, pre-KubeCon, we did have the next installment of the contributor summit, for which we did get a hundred percent notes, which is awesome. Thank you so much to all the note takers and everybody that participated in the contributor summit. It was a really great day. You can find all of the notes within the community repo; the link is in the community notes as well. I'll post in chat in a second to the next cube.

Also, all of these notes that are in the community doc will be archived by Jorge next year. We will mostly archive, we'll start archiving these quarterly, just to make it so that the page does not, the doc does not load for, you know, 45 minutes, as it currently does. So, anyone else have any announcements, updates, questions?
Speaker E: I have a cold, so my voice is pretty hoarse, pretty faint right now. So Docker, as a Docker Captain, we got early access to Docker for Mac, and now, essentially, what they announced at DockerCon Copenhagen, now in Docker I have the ability to choose Swarm or Kubernetes, either of those, as an orchestration framework. So Docker for Mac, I've been playing with it since yesterday, so Docker for Mac would be a reasonable alternative for people, when it is generally available, to spin up your local Kubernetes.