►
From YouTube: Kubernetes - AWS Provider - Meeting 20220218
Description
Recording of the AWS Provider subproject meeting held on 20220218
Agenda - https://docs.google.com/document/d/1-i0xQidlXnFEP9fXHWkBxqySkXwJnrGJP9OGyP2_P14/
Subproject updates
CCM - discussed adding tagging support for ec2 instances (https://github.com/kubernetes/cloud-provider-aws/issues/306)
kOps - IPv6 Issue
LBC - v2.4.0
Karpenter - v0.6.3
aws-iam-authenticator - v0.5.5
A
Good
morning,
welcome
to
the
cloud
provider
aws
meeting
today
is
february,
18th
2022
and
the
meeting
is
being
recorded,
so
please
be
respectful
and
adhere
to
the
cncf
community
code
of
conduct
and
we
have
the
agenda.
I
have
shared
the
screen
here.
If
you
have
agent
items,
please
go
ahead
and
add,
and
without
further
ado,
we'll
get
started.
B
C
So
there
are
a
lot
of
customers
today
who
are
interested
in
making
sure
that
all
the
resources
related
to
a
cluster
are
kind
of
tagged,
with
a
particular
tag,
prefix
and
potentially,
which
contains
information
about
the
cluster
name.
That
kind
of
just
helps
them
keep
track
of
the
resource
usage,
as
well
as
of
the
cost
associated
with
those
resources.
So
eks
customers
especially
have
been
asking
for
this
since
a
long
time.
I'm
pretty
sure
other
customers
who
run
kubernetes
on
aws
would
benefit
greatly
from
this
as
well.
C
So
this
proposal
is
just
like
I
and
and
to
give
you
some
background.
I
think
we
there
are
a
number
of
ways
we
could
do
this
like,
but
each
customer
would
basically
then
have
to
find
their
own
solution.
So
there
are
customers
who
use
cloud
permission,
terraform
some
use
controllers
to
bring
up
these
resources.
C
So
if,
if
like
the
proposal
to
add
this
to
cloud,
forwarder
is
just
to
make
a
single
unified
solution
for
all
of
those
customers.
If,
if
not
like,
every
one
of
that,
just
to
would
have
to
go
and
add
like
their
own
tags
to
each
of
these
ways
how
it
how
they
bring
up
these
resources
so
to
speak.
So
that's
kind
of
the
proposal
and
some
background
behind
that.
So
when
is
also
from
aws,
is
going
to
work
on
the
implementation.
C
Yeah,
so
we
would
probably
like
get
into
more
details
once
we
like
start
implementing
this,
but
but
at
least
like
my
idea
of
doing
this
was
to
potentially
take
these
stacks
either
from
like
a
command
line
argument,
because
we
would
have
to
add
a
flag
to
enable
or
disable
this
controller.
Anyway,
we
could.
I
I
don't
know
if
there
is
support
for
config
files,
but
we
could
potentially
like
read
this
from
a
config
as
well,
but
that's
kind
of
how
we
are
planning
to
make
it
configurable
for
our
customers.
B
C
C
Very
good
one
go
ahead,
no
go
ahead.
No!
I
I
just
want
to
clarify.
Yes,
I
mean
the.
The
overall
idea
is
to
extend
this
to
all
of
the
resources,
but
like
we
are
starting
off
by
ec2
instances,
just
so
that
we
kind
of
build
the
framework
and
start
off
with
something
small,
but
at
the
same
time
one
that
is
most
demanded
by
our
customers
today,
but
eventually,
yes,
we
will
probably
extend
it
to
like
more
resources
just
so
that,
like
customers
would
have
like
a
unified.
A
C
This
this
is
perspective,
so
we
I
I
mean
the
integration
here
would
be
largely
dependent
on
like
the
different
aws
resources
so
like
we
have
different
apis
for
tagging,
ec2
related
resources.
We
might
have
something
else
for
other
resources.
So
that's
kind
of
why
you're
proposing
to
add
this
in
the
rate
of
the
stock
provider.
A
D
Yeah,
if
I
might,
I
think
I
think
this
is
a
great
idea.
I
think
you
know
we
do
have
those
tags,
some
tags
already
for
resources
that
kcm
does
create.
I
understand
these
are
like
user
tags.
I
think
the
one
thing
I
I'll
put
a
comment
on
the
issue.
The
one
thing
that
I
think
we
should
be
mindful
of
is
the
bring
up.
So
in
other
words,
how
does
a?
How
do
we?
How
do
we
know
that
a
node
is
allowed
to
join
the
cluster
right?
D
And
I
don't
know
if
eks
has
a
clever
solution
here,
but
in
the
past
we've
used
things
like
verifying
the
tags,
so
it
may
be.
We
don't
want
to
like
on.
We
don't
want
to
like
undo
that
good
work
or
or
create
a
circular
dependency.
Where
you
know
you
can't
actually
join
the
cluster,
because
you,
the
the
only
the
only
secure
weight,
requires
a
tag.
There
are
other
things
you
can.
D
B
B
D
C
Yeah,
no
totally,
I
think
that
that's
a
great
point
and
we'll
keep
it
in
mind
as
part
of
the
implementation.
One
other
thing
that
I
also
wanted
to
call
out,
which
is
kind
of
important
at
least
for
eks
customers,
is
that
we
want
to
use
system
tags.
So
obviously
the
reason
behind
making
this
these
stacks
configurable
and
passed
by
the
customers
is.
We
know
that
other
customers
who
are
kind
of
running
kubernetes
on
aws
might
not
have
permissions
to
apply
system
tags.
C
D
I
guess
I
guess
that
can
be
me
unless
john
is
here
I
don't
see
john
or
anyone.
I
will
give
the
update
so
no
significant
updates,
except
thank
you
very
much
for
releasing
the
lbc.
That
was
one
of
our
blockers
for
our
next
release,
and
so
we
are
very
appreciative
of
that.
Thank
you.
John
myers
does
have
an
issue
open
or
a
general
challenge
around
ipv6
traffic
routing,
I
think,
to
load
balancers.
A
So
like
what
I've
seen
is
like
with
amazon,
vpc
ipv6
works,
but
the
vpc
cni,
but
I
feel
that
he's
using
a
different,
cni
plug-in
in
this
case,
and
I
believe
that
is
the
reason
why
ipv6
is
not
working.
I
haven't
had
a
chance
to
reproduce
this,
but
I
will
have
some
cycles
to
put
in
if
I
can
get,
I
will
reach
out
to
john
separately.
D
That's
actually
really
awesome
like
it.
I
think
if
we
know
that
it
works
database,
thank
you
for
doing
that
and
I
think
if
we,
if
we
know
that
it
works
with
database
vpcc,
we
can
do
like
a
differential
diagnosis
and
figure
out.
What
is
what
is
the
difference
that
is
causing
it
to
work
in
one
scenario,
but
not
not
in
another.
So
that's
that's
awesome.
Thank
you.
A
Like
the
only
the
ip
targets
are
supported
right
now
for
both
alb
and
nlp
in
since
target
aren't,
but
that
works
like
verified
multiple
times
so
so
the
next
one
is
load,
balancer
controller
we
released
version
2.4.0,
we
finally
support
ingress,
v1
and
the
service
load
balancer
class.
With
this
release,
thank
you
community
for
the
contribution,
especially
john,
who
contributed
the
ingress
v1
support
and
we
had
to
fast
track
this
release.
Without
this
we
were
not
able
to
support
kubernetes,
1.22
and
later
releases.
E
B
Yeah,
I
can
take
that
one,
just
a
quick
announcement
that
the
release055
is
out.
We,
it
was
a
fast,
follow
to
o54.
We
decided
to
not
publish
binaries
for
o54,
because
we
wanted
to
get
some
changes
into
the
build.
Previously,
we
were
building
a
bunch
of
images
with
different
base
like
different
base
images,
which
is
pretty
much
totally
pointless.
So
we
we
kind
of
minim
minimize
the
build
just
one
minimal
base,
and
it's
multi-arch
now
as
well.
A
A
B
Yeah
jay
add,
but
the
only
thing
is
I
was
just
thinking
we
could
have
a
section
or
I
don't
know
a
section
of
the
meetings
with
pr
reviews,
kind
of
dedicated
pr
reviews.
There's
various
pull
requests
that
I've
noticed
recently
I
mean
especially
especially
around
aws
I'm
authenticator,
and
then
the
pod
identity
web
hook,
where
you
know,
there's
security,
related
aspects
or
api
changes,
and
I
am
proposing
an
internal
meeting
to
kind
of
aws,
especially
eks,
for
this
as
well.
D
F
F
I'm
I'm
pretty
happy
with
the
approach
taken,
but
it
it
definitely
will
change
the
the
security
sort
of
stance
for
I
am
authenticator
right
because,
instead
of
specific
string
matching
for
user
and
role
arns
instead
it
it
adds
the
ability
to
use
the
iron-like
matching.
So
you
can,
you
know,
put
glob-like
rn-like
things
in
there,
which
is
frankly,
very
useful
for
sso
integration
where
sso
like
auto-generates
role,
arns
of
a
particular.
F
F
A
B
F
B
So
there's
this
weird
there's
this
weird
thing
with
aw
with
with
I
am
rolls
where
the
end
of
the
roll
is
like
a
path.
Basically,
so
when
you
create
a
role,
it
can
have
this,
you
know
slash
delimited
path
at
the
end
of
it.
That
might
suggest,
like
you
know
it's
part
of
a
organization
or
you
know
you
have
slash
org
slash
whatever,
but
that
that
was
kind
of
like
a
later
edition.
So
it's
not
actually
a
part
of
the
the
role
name,
it's
a
separate
component
and
it's
not
returned.
B
I.
I
can't
remember
right
now,
if
it's
not
returned
at
all
in
the
sts
response,
or
it's
not
returned
as
part
of
the
iron
or
something
anyway,
the
authenticator
handles
it
a
little
bit
weird-
and
I
was
just
kind
of
wondering
if
that
was
addressed,
I
I'll
take
a
closer
look
and
and
and
try
to
get
an
understanding
of
the
pr
but
yeah,
just
just
a
thought.
F
C
F
Should
we
sort
of
by
default
ask
that
that
feature
be
gated
behind
a
feature
flag?
I
I
think
most
people
would
agree
that.
That's
probably
yes,
that
it
should
be
an
opt-in
type
thing,
as
opposed
to
changing
the
default
behavior
of
the
configuration
and
then
the
second
point,
I'd
like
to
get
some
feedback
on
is.
Do
you
actually
agree
that
this
does
change
the
security
stance
of?
I
am
authenticator,
I
mean
it's.
It's
still
doing
matching
right.
F
A
F
No,
I
I
specifically
made
sure
that
all
the
all
the
configuration
was
entirely
backwards
compatible,
so
it
adds
a
new
field
called
user
arm
like
and
roll
on,
like
in
user
mapping
and
role
mapping
the
configuration
pieces
for
that
and
they
are
mutually
exclusive.
So
if
you
set
user
arn,
it
overrides
anything
that
you
put
in
user
r
like
and
yeah.
It's
not
changing
the
behavior
of
existing
fields
in
the
configuration
so.
D
Oh
sorry,
on
the
on
the
feature
flag
point,
I
think
I
think
it's
a
good
idea
to
do
a
feature
flag,
but
I
would
say
we
should
just
remember
that,
like
it's
still
gonna
people
are
still
gonna
turn
it
on
and
we
can't
be
like.
Oh
yeah,
we
didn't
really
securely
review
this,
like
sorry,
too
bad
like
so
it's
we
still
have
to
do
that
security
review
like
and
so.
F
F
D
D
F
B
So
I
have,
I
guess
my
my
my
original
thought
was
like
we
have.
You
know
we're
gonna
have
a
an
additional
internal
meeting,
that's
that's
kind
of
for
security
and
api
review
of
pull
requests,
but
I'd
also
like
to
get
community
feedback
on
those
things.
So
just
to
kind
of
you
know,
I
don't
know
something
it
you
know
it
doesn't
have
to
be
like
a
super
formal,
but
just
bringing
these
kind
of
pr's
to
the
attention
of
the
community.
I
think
would
be
a
good
thing
to
do
so.