►
From YouTube: Kubernetes WG IoT Edge 20220406
Description
April 6, 2022 meeting of the Kubernetes IoT Edge Working Group. Secure Device Onboard discussion
A
A
A
It
also
has
a
period
where
it
has
for
a
short
term,
it's
pretty
demanding
of
CPUs
and
memory,
so
it
they
don't
really
document
it.
But
if
any
of
you
wanted
to
follow
in
my
footsteps,
I
suggest
at
least
two
CPU
cores
and
four
gig
of
ram
in
that
VM
and
I.
Probably
I,
don't
know
that
it
needs
this
much
but
I
when
I
got
it
to
work.
I
gave
it
a
a
VM
with
100
Gig
of
disk
space
and
that
ran
to
completion
and
it's
nowhere
near
full.
A
A
So
the
way
this
works
is
that
manufacturers
would
manufacture
a
device
and
put
kind
of
a
lay
down
an
initial
footprint
of
something
that's
to
be
completed
by
a
distribution
chain
and
a
finally
a
customer,
and
it
talks
to
this
Rendezvous
service,
which
I
think
in
general
would
be
hosted
on
the
internet.
But
according
to
docs,
you
could
run
that
entirely
privately.
A
If
you
wanted
to
and
like
I
say
I'm
at
the
stage
where
I
ran
the
test
script
from
secure
device
on
board
that
purports
to
simulate
onboarding
a
device
and
it
works.
This
runs
entirely
on
the
single
Linux
box.
So
it
isn't
really
an
actual
device
that
connected
over
the
network
and
I
got
to
the
stage
where
I
I
wanted
to
see
something.
A
A
little
more
realistic,
like
I've,
got
a
number
of
Raspberry
Pi's
and
even
some
low
end
x86
Edge
devices
that
I
wanted
to
try
as
a
guinea
pig
for
this
and
I
found
that
the
documentation
didn't
really
cover
that.
But
you
were
LED
down
into
the
arm
of
the
source
code
that
deals
with
manufacturer,
onboarding
and
kind
of
it's
almost
like
the
source
code
is
the
docs.
It
wasn't
quite
that
bad.
There
is
a
readme
file,
but
there
wasn't
much
there.
A
So
then
I
went
exploring
on
YouTube,
because
often
people,
when
they're
trying
to
promote
these
open
source
projects
and
build
a
community
will
have
some
public
facing
presentations
and
in
fact
an
Intel
person
gave
a
presentation
to
our
group
about
a
year
ago,
and
it
was
a
very
good
presentation
and
that
one's
recorded,
but
I
was
kind
of
surprised
that
there
weren't
that
many
of
them
out
there,
maybe
a
dozen
some
of
them
several
years
old.
So
at
that
point,
I
began
to
question
whether
the
information
is
still
good.
A
A
After
doing
that,
YouTube
exploration,
I.
Interestingly
enough
stumbled
upon
a
video
from
the
open,
Horizon
Project
that
covered
their
support
for
secure
device
on
board,
and
it
led
me
to
the
open,
Horizon
GitHub
repo
and
they
have
a
much
easier
to
understand.
Onboarding
example
of
onboarding,
a
generic
Linux,
VM
and
I
think
I
found
a
video
of
somebody.
Onboarding
Raspberry,
Pi
and
I
haven't
I
just
discovered
that
information
in
the
last
24
hours,
so
I
haven't
had
a
chance
to
go,
actually
try
to
follow
and
reproduce.
A
What
is
in
the
video
and
the
documentation,
but
like
I
say
it
looks
pretty
straightforward.
Well
documented
and
I
intend
to
do
that,
so
that's
kind
of
where
I
am
right.
Now,
with
that
secure
device
onward,
just
kind
of
curious,
whether
either
of
you
have
had
any
experience
or
even
heard
of
people
doing
things
with
with
that.
A
Right
I
think
there's
a
way
you
can
generate
a
manufacturing
certificate
and
I
found
docs
that
would
I
haven't
actually
done
it,
but
it
seems
to
describe
how
you
would
go
about
it
and
then
under
open
Horizon.
They
had
another
note
saying
that
it's
possible
to
use
Intel's
Rendezvous
service,
so
they
apparently
have
one
running
on
the
internet
and
you
can
get
a
you
can
register
and
potentially
I.
Don't
know
if
it's
registering
as
a
developer
as
a
manufacturer,
but
they
have
a
process
for
doing
it.
A
So,
apparently
you
could
potentially
use
the
Intel
one
I'm,
not
sure
that
that
would
that
would
support
a
pie.
I,
don't
know
how
picky
this
is
in
terms
of
architecture.
It
seems
to
me,
like
it,
wouldn't
be
in
Intel's
business
interest
necessarily
to
take
it
that
far.
But
certainly
if
you
were
on
an
x86
platform,
I
could
see
why
they
do
it
so,
like
I,
say,
I've
discovered,
docs
related
to
it,
but
I
haven't
gone
there.
A
Yet
I
did
register
for
an
account
with
Intel,
but
it
you
fill
out
a
form
and
then
it
says
they'll
get
back
to
you.
So
I
have
a
feeling
that
they
they
are
likely
to
Green
Light
me,
because
I
used
my
VMware,
creds
and
I
I
think
we
have
a
pretty
good
relationship
with
Intel
in
general,
so
that
I
would
be
surprised
if
they
didn't
give
me
access.
A
But
who
knows
we'll
find
out
I'm,
not
sure
how
quickly
to
expect
a
response
back,
but
the
advantage
there
would
be
that
you're
using
their
hosted,
Rendezvous
server
but
I
think
as
far
as
I
can
tell
I've
got
one
up
and
running
in
my
home.
Lab
I
haven't
exposed
it
out
on
the
internet,
but
I
think
I
could,
if
I
wanted
to.
C
B
It's
certainly
interesting
to
hear
that
you're
running
into
like
documentation
issues
which
is
similar
to
what
I
had
two
years
ago
and
I
feel
like
sdo's,
gotten
a
lot
more
visibility
and
there
hasn't-
and
it's
got
the
support
of
LF
Edge.
So
I
wonder
if
they
have
some
work
underway
to
better
document
that
yeah.
A
It's
not
horribly
unreasonable,
there's
plenty
of
there's
plenty
of
startups.
That
would
run
in
the
maybe
non-open
Source
mode.
That
would
that
would
be
the
exact
exactly
the
behavior
you'd
expect
and
I
can
maybe
appreciate
that
it
maybe
isn't
embracing
of
a
broad
community
of
every
anybody
who
wants
to
come
along
to
rapidly
pick
it
up,
but
in
terms
of
getting
movement
done
quickly.
A
Maybe
that's
the
way
to
go
and
unless,
as
an
only
an
observer,
not
contributing
to
the
work,
I,
don't
know
how
much
of
an
opinion
I'm
entitled
to
have
saying:
hey
you,
you
people
are
doing
it
wrong.
I
mean
really
to
have
a
vote.
You've
got
to
be
willing
to
show
up
and
do
some
of
the
heavy
lifting
too
and
right
now,
I'm
in
the
mode
where
I'm
undecided,
but
I
I
really
can't
find
anything
that
looks
any
better
out
there
yeah
either
and
they
seem
to
be
getting
momentum.
A
So
they
say,
I
saw
evidence
that
open
Horizon
has
gone
that
direction.
The
old
edgex
Foundry
also
has
things
in
their
GitHub
repo
that
imply
they're
supporting
it,
but
it
wasn't
as
well
written
as
the
open
Horizon.
So
I
think
that
my
next
step
is
to
play
around
with
the
open
Horizon
I've
I'll
end
up
learning
that
too
and
I
have
nothing
against
it.
I'm
almost
like
still
trying
to
form
an
opinion
as
to
what
I
think
about
that
too.
A
C
A
Want
to
actually
use
it
and
if
I,
the
other
thing
we
could
do
is
ask
them,
but
at
this
point
I'm
on
a
crash
course
to
learn
it
to
try
to
integrate
coverage
of
it
into
my
presentation
at
kubecon.
So
I
don't
really
have
time,
for
you
know,
I've
got
time
to
spend
on
it
as
part
of
what
I
intend
to
present
at
kubecon
and
I
I'm,
okay,
with
not
presenting
myself
as
an
expert,
just
kind
of
like
a
person
in
the
streets.
A
Experience
with
trying
to
learn
it
I
think
that's
valuable
to
others
too.
So,
if
that's,
what
I
end
up
reporting
on
that
hey
I
went
to
these
places
and
kind
of
if
I
could
get
it
working,
I'm
I
could
almost
see.
Maybe
if
time
would
allow
of
packing
bundling
up
some
stuff
and
maybe
trying
to
even
do
a
demo
or
if
the
demo
doesn't
fit.
You
know
in
a
reasonable
amount
of
time.
A
Maybe
I
can
record
one
and
integrate
it
into
part
of
the
presentation
or
just
use
it
at
kubecon,
this
kind
of
hallway
track
or
something
you
know
that
the
equipment
I'm
using
I
can
easily
put
in
a
backpack.
So
you
know
a
legit
iot
scenario
would
Encompass
something
like
you
know,
a
very
small
form
factor,
Pi
or
x86
small
form
factor
system
that
you
could
just
run
on
a
tabletop.
B
B
A
A
It's
been
a
while
for
me
since
disembarking
into
the
pure
Java
world
and
I,
don't
know
learning
experience.
I
did
by
the
way,
find
some
other
thing.
That
really
was
just
a
press
release,
but
I
saw
some
press
release
out
of
a
startup
that
contended
they
were
potentially
combining
secured
device
on
board
with
webassembly
and
which
sounded
interesting.
But
then
what
I
couldn't
find
anything
beyond
just
what
was
in
this
press
release
and
that
it
didn't
they
didn't
appear
to
have
any
open
source.
So
I
gave
up
on
that.
B
Yeah
interesting
I,
wonder
if
the
web
assembly
would
be
for
my
memory
of
sdo.
You
have
to
have
a
client
implementation
on
the
device,
that's
being
onboarded,
and
so
maybe
they
implemented
the
client
side
in
webassembly,
like
maybe
they
somehow
compiled
the
Java
or
re-rewrote
it
in
like
see
or
rust,
so
that
it
was
smaller
and
could
go
on
smaller
devices.
A
Yeah,
the
Rendezvous
service
I
think
since
I
believe
you
really
only
have
to
have
one
now.
Maybe
you
would
load
balance
it
for
redundancy
because
it
would
be
potentially
critical,
but
that's
kind
of
like
the
anticipation.
I
think
is
it's
Cloud
hosted
or
if
you
had
an
air
gapped
on-prem.
It
still
would
probably
be
kind
of
in
a
richly
provisioned
Gateway
scenario,
where
you
had
a
lot
of
equipment
as
opposed
to
the
edge
device
itself.
A
So
I
don't
think
it
has
to
be
that
fan
and
it's
it's
running
a
full
database
behind
it
to
keep
its
state.
And
then
you
really
are
going
to
need
to
back
up
the
database,
because
this
is
like,
if,
if
you
lose
some
of
the
certs
and
keys
in
there,
you're
probably
going
to
have
a
really
bad
day.
So
that
one
is
that
one
probably
isn't
going
to
be
a
small
low
resource
deployment
for
the
actual
Rendezvous
service.
B
Yeah
that
makes
sense,
I'm
curious,
rolling
back
to
when
you're
talking
about
the
manufacturing
certificates.
How
you
could
generate
that
service?
Do
you
think
that's
a
prevailing
scenario,
or
is
that
demo?
Only
because
my
understanding
would
be
you
would
have
like
a
formal
manufacturer
provide
the
original
certificate,
it
kind
of
builds
up
the
certificate
chain.
But
do
you
think
these
scenarios
of
like
having
a
Raspberry
Pi
and
creating
your
own
certificate,
will
become
one
or
it'll
more
be
like
the
manufacturers
of
Raspberry
Pi's
will
start
to
support
SEO.
A
I,
don't
know
I
I,
don't
know
if
the
manufacturers
of
a
pie
would
but
to
be
honest,
I
think
when
it
comes
to
production
grade
Edge
I,
a
lot
of
people
dream
of
it
literally
being
a
pie
and
I
keep
hearing
War
Stories
of
people
who
tried
to
use
a
pie.
You
know
and
tried
to
deploy
using
sdram
cards
and
things
like
that
only
to
find
out
that
the
actual
durability
at
scale
leaves
much
to
be
desired,
so
you
want
to
spend
just
a
little
more
money
to
get
something.
A
If
you
kind
of
crept
out,
you
know
the
crept
up
a
little
bit
in
pricing
and
I
I
think
you
almost
want
to
creep
up
a
little
bit
to
get
off
the
sdram
card
and
have
a
legit
disc.
You
know
an
SSD
or
something
that's
a
little
more
durable
than
that.
It's
kind
of
like
I,
think
those
sdram
cards
are
kind
of
made
as
throwaway
consumer
Commodities,
and
you
need
to
kind
of
spend
a
little
more.
A
A
So
in
many
ways,
they're
recounting
the
same
sort
of
things,
but
maybe
I
just
align
with
whoever
the
writer
of
this
was
kind
of
the
writer
of
the
other
ones,
and
they
go
through
these
steps
of
you
know:
owner
Services,
initializing,
a
device,
Etc
and
kind
of
it
doesn't
go
in
order,
so
I
would
think
making
the
device
would
come
first
before
an
ownership
transfer
right.
But
in
this
dock
the
device
step
is
way
down
in
the
middle
and
they
describe
a
mechanism.
A
For
you
know,
if
you
don't
have
a
phys
life
that
came
that
way
from
a
manufacturer.
They
are
publishing
the
script
that
can
perform
this
just
on
a
Linux
VM.
So
you
would
start
with
a
Linux.
Vm
run
this
script
and
apparently
it
turns
it
into
you
know
kind
of
the
equivalent
of
some
device
that
came
from
a
manufacturer
and
it's
a
simulation.
If
you
actually
read
the
script
that
this
is
running,
the
simulate
manufacturer,
you
can
find
more
detail
that
they
came
up
with
an
example
manufactured
certain
things.
A
A
This
is
coming
out
of
that
same
open,
Horizon,
STL,
repo
and
they're,
going
through
the
script
they're
document.
The
script
is
pretty
well
documented.
It
says
on
a
Linux
VM
it
simulates,
the
steps
of
device
manufacturer
would
do
device
initialization,
creating
a
manufacturing
manufacturer
voucher,
getting
the
voucher,
ready
for
a
custody
transfer
to
the
owner
and
then
switching
it
into
Owner,
Mode
and
so
far
I
haven't
tried
to
run
this
I've.
A
Just
read
it
so
I
got
to
this
later
today,
but
it
seems
fairly
easy
to
understand
and
somewhere
in
here
it
even
documents
that
you
can
either
run
this
against
the
Intel
Rendezvous
server.
If
you
get
Intel
to
Grant,
you
an
account
there
or
you
can
run
your
own.
So
like
I
say
my
intention
is
to
try
to
follow.
A
You
know:
try
to
do
the
same
thing
at
home
in
my
home,
lab
and
I
I
didn't
get
stuck,
I
just
haven't
gotten
around
to
it
yet,
but
you
know
it's,
this
isn't
I
I,
don't
think
I
call
this
documentation,
but
as
far
as
bash
scripts
go
you
know
it's
pretty
well
documented
for
a
batch
script.
So
I
haven't
had
any
trouble.
Thinking
I
understand
this.
A
You
can
see
kind
of
parts
of
this
that
are
involved
where
you
know
you're
dealing
with
Maria
DB
database
and
things
so
a
lot
of
the
structure
for
doing
this.
Even
if
you
were
a
manufacturer
I
think
you
end
up
standing
up
a
fair
amount
of
stuff
to
put
the
components
together.
This
isn't
the
only
thing
potentially
lightweight
here
I
think
is
the
device
itself,
but
all
the
supporting
infrastructure
that
would
be
used
by
the
manufacturer
in
the
Rendezvous
service.
Those
aren't
necessarily
lightweight,
in
fact
they're.
A
Definitely
not,
and
if
you
think
about
it,
they
probably
shouldn't
be
because
that
stuff
is
going
to
be
Mission
critical
stuff
with
you
know,
High
availability
concerns
so
that
you
don't
want
to
cut
any
corners
on
that,
and
it
looks
to
me
that
what
they
published
stands
up
in
Docker,
so
the
sdo
thing
doesn't
use
kubernetes
to
stand
it
up.
It
actually
uses
Docker
compose,
but
given
that
it's
all
containerized
I
think
somebody
could
probably
do
a
Helm
chart
or
whatever
to
turn
it
into
a
kubernetes
hostable
thing.
A
A
And
I
suppose
that's
the
right
way
to
do
it
too,
that
you
know
stay
as
agnostic,
because
it's
more
flexible
that
way
where
somebody
could
stand
it
up
on
kubernetes
but
isn't
forced
to
if
they
don't
want
to-
and
you
know,
maybe
could
go
in
different
directions
of
a
managed
kubernetes
that
maybe
hides
some
of
the
complexity.
But
you
know
I'm
almost
too
green
at
this
to
be
entitled
to
have
an
opinion,
but
you
know
for
whatever
it's
worth:
I
just
wanted
to
go
over
what
I
found
so
far,
yeah.
A
For
for
the
demo,
they
they
apparently
have
certificates
already
built,
but
of
course,
you
know
for
production
level,
you're
you're
not
going
to
use
that
that's
kind
of
like
the
sort
of
the
equivalent
of
using
a
built-in
default
password
to
something
where
you
know
yeah
or
for
just
a
learning
exercise.
It's
probably
fine
I'm
trying
to
find
it,
but
somewhere
in
here
they
documented
the
process
of
generating
your
own
cert
pairs.
A
A
I
haven't
tried
to
do
it
so
I,
don't
know
what
the
steps
are
there,
but
it
does
appear
that
it's
documented
and
once
again
this
is
coming
out
of
the
open
Horizon
Project,
not
the
secure
device,
onboard
project
stocks.
So
I
don't
know
at
this
stage,
I'm
prone
to
just
go
with
whichever
one
I
like
best.
If
either
one
will
get
me
there,
but.
A
My
experience
in
fiddling
around
with
this
part-time
over
the
course
of
the
last
week,
and
this
is
kind
of
what
I've
learned
and
I'm
definitely
going
to
be
putting
more
time
into
this.
So
you
know
I,
don't
intend
to
give
up
until
I've
done
some
onboarding,
even
with
some
small
piece
of
equipment.
You
know
I,
don't
want
to
the
once
I
get
to
the
point
where
you
see
here.
A
It's
like
do
it
with
a
test:
VM
I
mean
if,
if
it
works
on
a
Linux
VM,
then
I
know
how
to
get
that
to
work
on
a
linen
experimental
machine
too.
So
you
know
I
I,
think
there's
a
high
probability
that
I'll
be
able
Maybe
to
you
know
not
only
demo,
this
or
record
a
demo,
but
maybe
even
bring
one
along
in
a
backpack
I.
Think
your
idea
of
doing
a
blog
post
might
be
good.
Maybe
even
doing
a
video
would
be
good.
C
A
In
terms
of
the
kubecon
session,
we
don't
want
this
to
all
be
about
secure
device
on
board.
So
I
don't
think
we
have
time
for
that.
You
know
a
deep
kind
of
The
Full
end-to-end
Experience,
including
manufacture
experience
with
secure
device
on
board.
That's
probably
an
hour-long
presentation
or
something
if
you
were
going
to
do
an
actual
demo,
and
maybe
I
could
put
that
on
even
during
a
future
working
group
meeting
you
know
later
in
the
year.
Definitely.
B
And
I
think
kind
of
spending
what
five
to
eight
minutes
on
it
and
then
linking
to
maybe
a
blog
or
a
video
recording.
Even
if
like
we
spent,
and
we
still
have
like
six
weeks
or
whatever
till
kubecon.
Even
if
we
have
that
demo
in
a
working
group
meeting,
we
could
link
to
the
recording
of
the
working
group
as
a
demo.
Instead
of
having
to
have
like
a
formal,
separate
demo
yeah
and
just
seeing
how
that
pairs
well
flow.
Wise
with,
like
whatever
demo
kilton.
A
A
C
A
Approach
to
getting
this
tied
to
kubernetes
might
be
to
figure
out
how
to
host
the
Rendezvous
service
on
kubernetes.
That
might
be
useful
to
somebody.
Maybe
it
would
make
it
a
little
easier
to
just
take
the
existing
Docker
compose
yaml
file
and
turn
it
into
a
health
chart
or
something
or
something
that
you
bring
up
in
kubernetes
instead
of
Docker
compose.
But
another
angle
would
be
to
actually
do
the
bootstrap.
B
Totally
I
think
that's
a
common
use
case
for
a
lot
of
these
Edge
kubernetes
Solutions
like
portaner,
is
like
oh
I,
want
to
go
to
Best
Buy
and
buy
my
server
and
then
immediately
have
it
join.
My
like
Edge,
cluster
and
I
want
to
not
have
to
worry
about
the
hardware
and
I
think
I.
Think
SEO
is
very
related
to
kubernetes
whether
or
not
SDS
components
itself
are
running
on
kubernetes
I.
A
Together
so
open
Horizon
is,
is
one
I,
don't
even
know
enough?
You
know
it
strikes
me
that
open
Horizon,
edgex
Foundry
and
then
maybe
kilton,
who
isn't
here,
but
his
IO
fog
are
sort
of
solutions
for
running
containerized
apps
out
on
edge
devices
too.
So
at
least
two
of
those
have
some
appearance
of
the
word
sdo
in
the
repository
so
they've
at
least
thought
of
it
and
like
I,
say
this
other
one
I
came
across
mentioned
it
too
I
believe
I
might
have
the
the
name
wrong.
A
I
think
it
was
am
I
n
I
x
or
something
like
that,
and
that
was
the
one
that
was
webassembly
focused.
But
people
have
to
be
looking
at
this
because
it's
an
obvious
problem
that
needs
a
solution
and
I,
don't
know
you
know
of
this
seems
to
be
a
leading
candidate
for
that
in
the
open
source
world
for
Linux
onboarding.
There
have
been
some
other
solutions
to
boot
them
up.
B
Yeah
I
think
on
the
like
smaller
Edge
side
of
things,
for
the
talk
like
talking
about
provisioning
and
devices.
It
would
be
interesting
to
look
at
kind
of
the
set
of
like
even
smaller
MCU
class
devices
and
kind
of
what
those,
or
at
least
from
my
perspective,
what
I
find
interesting
is
kind
of
the
provisioning
abilities
that
are
built
into
protocols.
So,
for
example,
like
onvith
has
like
a
handle
for
updating
firmware.
B
That's
a
part
of
it's
like
device
management
like
specification
for
devices
and
I.
Think
OPC
UA
has
a
similar
one
and
kind
of
looking
at
all.
Those
I'd
be
curious,
I.
What
like
some
of
the
other
ones
that
are
a
little
bit
more
generic
are
like
zerocomp
I.
Think
that's
interesting
too.
Thinking
about
going
to
an
even
smaller
level,
yeah.