►
From YouTube: Kubernetes - AWS Provider - Meeting 20220218
Description
Recording of the AWS Provider subproject meeting held on 20220218
Agenda - https://docs.google.com/document/d/1-i0xQidlXnFEP9fXHWkBxqySkXwJnrGJP9OGyP2_P14/
Subproject updates
CCM - discussed adding tagging support for ec2 instances (https://github.com/kubernetes/cloud-provider-aws/issues/306)
kOps - IPv6 Issue
LBC - v2.4.0
Karpenter - v0.6.3
aws-iam-authenticator - v0.5.5
A
Good
morning,
welcome
to
the
cloud
provider
aws
meeting
today
is
february,
18th
2022
and
the
meeting
is
being
recorded,
so
please
be
respectful
and
adhere
to
the
cncf
community
code
of
conduct
and
we
have
the
agenda.
I
have
shared
the
screen
here.
If
you
have
agent
items,
please
go
ahead
and
add,
and
without
further
ado,
we'll
get
started.
A
So
we'll
start
with
a
sub
project
updates
the
first
one
is
ccm,
so
nick
yeah.
B
Yeah,
so
we
have
an
item
here,
I'm
going
to
let
sarah
drive
the
discussion,
it's
essentially
about
adding
some
support
for
a
kind
of
generic
tagging
feature
but
yeah.
So
that's
where
I
wanna
go
into
that.
C
Yeah
thanks,
so
basically,
we
are
proposing
that
we
add
support
for
take
tagging
aws
resources
as
part
of
the
cloud
provider.
C
So
there
are
a
lot
of
customers
today
who
are
interested
in
making
sure
that
all
the
resources
related
to
a
cluster
are
kind
of
tagged,
with
a
particular
tag,
prefix
and
potentially,
which
contains
information
about
the
cluster
name.
That
kind
of
just
helps
them
keep
track
of
the
resource
usage,
as
well
as
of
the
cost
associated
with
those
resources.
So
eks
customers
especially
have
been
asking
for
this
since
a
long
time.
I'm
pretty
sure
other
customers
who
run
kubernetes
on
aws
would
benefit
greatly
from
this
as
well.
C
So
this
proposal
is
just
like
I
and
and
to
give
you
some
background.
I
think
we
there
are
a
number
of
ways
we
could
do
this
like,
but
each
customer
would
basically
then
have
to
find
their
own
solution.
So
there
are
customers
who
use
cloud
permission,
terraform
some
use
controllers
to
bring
up
these
resources.
C
So
if,
if
like
the
proposal
to
add
this
to
cloud,
forwarder
is
just
to
make
a
single
unified
solution
for
all
of
those
customers.
If,
if
not
like,
every
one
of
that,
just
to
would
have
to
go
and
add
like
their
own
tags
to
each
of
these
ways
how
it
how
they
bring
up
these
resources
so
to
speak.
So
that's
kind
of
the
proposal
and
some
background
behind
that.
So
when
is
also
from
aws,
is
going
to
work
on
the
implementation.
C
C
We
wanted
to
obviously
make
this
generic
so
that
customers
could
pass
in
their
own
tags
so
and
for
eks
it
might
be
something
related
to
aws,
but
for
for
other
customers
they
might
just
choose
to
tag
all
these
resources
to
their
own
custom
tags.
B
Yeah,
and
so
have
we
thought
about,
like
what
kind
of
I
don't
know
like
how
they're
going
to
configure
this,
how
they're
going
to
input
the
tags
that
they
want
to
be
applied.
C
Yeah,
so
we
would
probably
like
get
into
more
details
once
we
like
start
implementing
this,
but
but
at
least
like
my
idea
of
doing
this
was
to
potentially
take
these
stacks
either
from
like
a
command
line
argument,
because
we
would
have
to
add
a
flag
to
enable
or
disable
this
controller.
Anyway,
we
could.
I
I
don't
know
if
there
is
support
for
config
files,
but
we
could
potentially
like
read
this
from
a
config
as
well,
but
that's
kind
of
how
we
are
planning
to
make
it
configurable
for
our
customers.
B
Yeah,
I
think
the
question
would
be
either
you
know
some
type
of
flag
or
config
file,
that's
passed
in
as
an
argument
or
something
more
dynamic
like
config
map
or
custom
resource.
I
think
that
would
be
the
decision.
C
C
Very
good
one
go
ahead,
no
go
ahead.
No!
I
I
just
want
to
clarify.
Yes,
I
mean
the.
The
overall
idea
is
to
extend
this
to
all
of
the
resources,
but
like
we
are
starting
off
by
ec2
instances,
just
so
that
we
kind
of
build
the
framework
and
start
off
with
something
small,
but
at
the
same
time
one
that
is
most
demanded
by
our
customers
today,
but
eventually,
yes,
we
will
probably
extend
it
to
like
more
resources
just
so
that,
like
customers
would
have
like
a
unified.
A
C
This
this
is
perspective,
so
we
I
I
mean
the
integration
here
would
be
largely
dependent
on
like
the
different
aws
resources
so
like
we
have
different
apis
for
tagging,
ec2
related
resources.
We
might
have
something
else
for
other
resources.
So
that's
kind
of
why
you're
proposing
to
add
this
in
the
rate
of
the
stock
provider.
A
D
Yeah,
if
I
might,
I
think
I
think
this
is
a
great
idea.
I
think
you
know
we
do
have
those
tags,
some
tags
already
for
resources
that
kcm
does
create.
I
understand
these
are
like
user
tags.
I
think
the
one
thing
I
I'll
put
a
comment
on
the
issue.
The
one
thing
that
I
think
we
should
be
mindful
of
is
the
bring
up.
So
in
other
words,
how
does
a?
How
do
we?
How
do
we
know
that
a
node
is
allowed
to
join
the
cluster
right?
D
And
I
don't
know
if
eks
has
a
clever
solution
here,
but
in
the
past
we've
used
things
like
verifying
the
tags,
so
it
may
be.
We
don't
want
to
like
on.
We
don't
want
to
like
undo
that
good
work
or
or
create
a
circular
dependency.
Where
you
know
you
can't
actually
join
the
cluster,
because
you,
the
the
only
the
only
secure
weight,
requires
a
tag.
There
are
other
things
you
can.
D
B
You
know
we
don't
allow
any
node
to
just
authenticate
to
a
cluster,
so
we
have
a
we.
You
know
we
use
the
awsim
authenticator,
which
relies
on
the
the
instance
role
to
to
and.
B
D
That's
awesome.
I
do
think
the
role
is
the
primary
mechanism,
but
I
think
that
some
people
sometimes
share
roles,
but
yes,
I
mean.
Presumably,
if
we,
if
we
say
roll,
is
the
secure
mechanism
that
that
feels
pretty
good
and
then
anything
else
is
advisory.
C
Yeah,
no
totally,
I
think
that
that's
a
great
point
and
we'll
keep
it
in
mind
as
part
of
the
implementation.
One
other
thing
that
I
also
wanted
to
call
out,
which
is
kind
of
important
at
least
for
eks
customers,
is
that
we
want
to
use
system
tags.
So
obviously
the
reason
behind
making
this
these
stacks
configurable
and
passed
by
the
customers
is.
We
know
that
other
customers
who
are
kind
of
running
kubernetes
on
aws
might
not
have
permissions
to
apply
system
tags.
C
But
since,
like
eks
is
like
aws
service
itself,
it
does
have
permissions
to
apply
those
stacks.
So
the
way
it
kind
of
helps
is
it
does
not
eat
up
into
the
tag
limits
of
a
resource
that
is
applicable
to
all
the
individuals
resources.
Today,.
A
Wonderful,
thank
you,
sarah.
So,
let's
move
on
the
next
sub
project
is
k,
ops,
anybody.
D
I
guess
I
guess
that
can
be
me
unless
john
is
here
I
don't
see
john
or
anyone.
I
will
give
the
update
so
no
significant
updates,
except
thank
you
very
much
for
releasing
the
lbc.
That
was
one
of
our
blockers
for
our
next
release,
and
so
we
are
very
appreciative
of
that.
Thank
you.
John
myers
does
have
an
issue
open
or
a
general
challenge
around
ipv6
traffic
routing,
I
think,
to
load
balancers.
A
So
like
what
I've
seen
is
like
with
amazon,
vpc
ipv6
works,
but
the
vpc
cni,
but
I
feel
that
he's
using
a
different,
cni
plug-in
in
this
case,
and
I
believe
that
is
the
reason
why
ipv6
is
not
working.
I
haven't
had
a
chance
to
reproduce
this,
but
I
will
have
some
cycles
to
put
in
if
I
can
get,
I
will
reach
out
to
john
separately.
A
If
I
need
further
details,
if
I
can
reproduce
here,
we
can
troubleshoot
further
and
see
like
what
could
be
blocking
here
once
once
we
have
the
details,
I
will
try
to
get
something
for
the
next
meeting
here.
D
That's
actually
really
awesome
like
it.
I
think
if
we
know
that
it
works
database,
thank
you
for
doing
that
and
I
think
if
we,
if
we
know
that
it
works
with
database
vpcc,
we
can
do
like
a
differential
diagnosis
and
figure
out.
What
is
what
is
the
difference
that
is
causing
it
to
work
in
one
scenario,
but
not
not
in
another.
So
that's
that's
awesome.
Thank
you.
A
Like
the
only
the
ip
targets
are
supported
right
now
for
both
alb
and
nlp
in
since
target
aren't,
but
that
works
like
verified
multiple
times
so
so
the
next
one
is
load,
balancer
controller
we
released
version
2.4.0,
we
finally
support
ingress,
v1
and
the
service
load
balancer
class.
With
this
release,
thank
you
community
for
the
contribution,
especially
john,
who
contributed
the
ingress
v1
support
and
we
had
to
fast
track
this
release.
Without
this
we
were
not
able
to
support
kubernetes,
1.22
and
later
releases.
E
Yeah
hi,
I'm
just
covering
up
for
the
carpenter
folks,
nothing
major
just
that
there
were
two
minor
releases
on
the
carpenter
side
and
starting
zero
6.2.
A
Wonderful
thanks:
pratik
are
there
any
incompatibilities
for
the
upgrade
or
it
should
just
work.
E
Mostly,
it
should
just
work,
but
there
is,
I
think,
some
cleanup
that
needs
to
be
done.
I'll
have
to
follow
up
the
upgrade
more
closely
like
I
haven't
done
it
myself,
but
there
is
some
cleanup
that
that
is
required.
A
Cool
thanks.
So
let's
move
on
the
next
sub
project
is
aws
im
authenticator.
B
Yeah,
I
can
take
that
one,
just
a
quick
announcement
that
the
release055
is
out.
We,
it
was
a
fast,
follow
to
o54.
We
decided
to
not
publish
binaries
for
o54,
because
we
wanted
to
get
some
changes
into
the
build.
Previously,
we
were
building
a
bunch
of
images
with
different
base
like
different
base
images,
which
is
pretty
much
totally
pointless.
So
we
we
kind
of
minim
minimize
the
build
just
one
minimal
base,
and
it's
multi-arch
now
as
well.
A
A
So
moving
further.
The
next
item
is
api
security
reviews
so
jay
or
nick.
If
you
guys
want
to
talk
about
it,
please
go
ahead.
B
Yeah
jay
add,
but
the
only
thing
is
I
was
just
thinking
we
could
have
a
section
or
I
don't
know
a
section
of
the
meetings
with
pr
reviews,
kind
of
dedicated
pr
reviews.
There's
various
pull
requests
that
I've
noticed
recently
I
mean
especially
especially
around
aws
I'm
authenticator,
and
then
the
pod
identity
web
hook,
where
you
know,
there's
security,
related
aspects
or
api
changes,
and
I
am
proposing
an
internal
meeting
to
kind
of
aws,
especially
eks,
for
this
as
well.
B
D
A
Cool,
so
what
else
do
we
want
to
discuss
today?
Like
do
we
want
to
review
this
pr
here
as
well?
F
I
I'd
like
to
yeah.
If
we
could
it's
it's
a
fairly
straightforward
pr,
it's
been
through
a
number
of
rounds
of
review
between
me
and
the
contributor
logan
davies.
F
I'm
I'm
pretty
happy
with
the
approach
taken,
but
it
it
definitely
will
change
the
the
security
sort
of
stance
for
I
am
authenticator
right
because,
instead
of
specific
string
matching
for
user
and
role
arns
instead
it
it
adds
the
ability
to
use
the
iron-like
matching.
So
you
can,
you
know,
put
glob-like
rn-like
things
in
there,
which
is
frankly,
very
useful
for
sso
integration
where
sso
like
auto-generates
role,
arns
of
a
particular.
F
You
know
like
pattern
and
for
those
for
those
deployments
using
sso.
F
It
could
be
a
bit
of
a
operations
nightmare
to
have
to
like
constantly
patch
the
config
map
for
the
imf
indicator
with
those
new
auto-generated
roles
that
refresh
every
so
often
so
the
arm-like
matching,
I
I
think,
is
a
is
a
good
good
feature.
Addition.
F
I
asked
logan
to
hide
the
feature
behind
an
opt-in
flag,
feature
gate,
and
he
has
done
that
in
the
in
the
latest
revision
to
the
pull
request
anyway.
Just
wanted
to
get
other
other
people
other
than
me
feedback
on
this
particular
solution.
That's
been
proposed.
A
Looks
like
quite
like
a
lot
of
changes
here.
I
don't
think
we'll
be
able
to.
I
will
be
able
to
offer
any
feedback
at
the
moment.
B
Just
one
thing
I
was
curious
about
is
just
did
it
take?
Did
it
take
into
account
the
path
issues
that
I
the
authenticator
has,
because
the
sds
response
does
not
include
the
path
in
it?
If
I
remember
correctly,
but
if
you
have
like.
B
Card
support,
I
think
the
arm
would
include
the
path
I'm
just
wondering
if
that
was
addressed
or
mentioned.
F
Could
you
give
an
example,
I
believe
he's
so
when
you
configure
a
pattern,
an
arm-like
pattern
in
the
configuration
file,
or
you
know
the
configmat
thing
it.
It
checks
whether
it's
a
user
specific
arm
like
or
a
role
specific
arm
like.
B
So
there's
this
weird
there's
this
weird
thing
with
aw
with
with
I
am
rolls
where
the
end
of
the
roll
is
like
a
path.
Basically,
so
when
you
create
a
role,
it
can
have
this,
you
know
slash
delimited
path
at
the
end
of
it.
That
might
suggest,
like
you
know
it's
part
of
a
organization
or
you
know
you
have
slash
org
slash
whatever,
but
that
that
was
kind
of
like
a
later
edition.
So
it's
not
actually
a
part
of
the
the
role
name,
it's
a
separate
component
and
it's
not
returned.
B
I.
I
can't
remember
right
now,
if
it's
not
returned
at
all
in
the
sts
response,
or
it's
not
returned
as
part
of
the
iron
or
something
anyway,
the
authenticator
handles
it
a
little
bit
weird-
and
I
was
just
kind
of
wondering
if
that
was
addressed,
I
I'll
take
a
closer
look
and
and
and
try
to
get
an
understanding
of
the
pr
but
yeah,
just
just
a
thought.
F
No,
I
yeah.
I
would
appreciate
it
if
you
took
a
look
at
it
and
added
your
insight
in
that
I,
I
honestly
wasn't
wasn't
aware
of
that
particular
complication.
So
yeah,
I
guess
I'm
more
looking
for
just
general
feedback
on
two
things:
one
when
we
see
features
such.
C
F
That
have
a
potential
impact
on
this
overall
security
stance
of
a
project.
F
Should
we
sort
of
by
default
ask
that
that
feature
be
gated
behind
a
feature
flag?
I
I
think
most
people
would
agree
that.
That's
probably
yes,
that
it
should
be
an
opt-in
type
thing,
as
opposed
to
changing
the
default
behavior
of
the
configuration
and
then
the
second
point,
I'd
like
to
get
some
feedback
on
is.
Do
you
actually
agree
that
this
does
change
the
security
stance
of?
I
am
authenticator,
I
mean
it's.
It's
still
doing
matching
right.
F
It's
just
doing
sort
of
one-to-n
matching,
as
opposed
to
one-to-one
matching
of
arm
strings
right
and
and
the
fact
that
aaron,
like
is
an
actual
condition
matcher
in
in
I
am
and
cloud
for
cloud
formations.
I
am
support.
F
A
My
question
is
like
around
backward
compatibility
like
let's
say
that
we
have
it
behind
a
flag
and
allow
the
customers
to
opt
in
what
would
happen
to
the
existing
configuration
in
place
like?
Would
it
affect
that
or
no.
F
No,
I
I
specifically
made
sure
that
all
the
all
the
configuration
was
entirely
backwards
compatible,
so
it
adds
a
new
field
called
user
arm
like
and
roll
on,
like
in
user
mapping
and
role
mapping
the
configuration
pieces
for
that
and
they
are
mutually
exclusive.
So
if
you
set
user
arn,
it
overrides
anything
that
you
put
in
user
r
like
and
yeah.
It's
not
changing
the
behavior
of
existing
fields
in
the
configuration
so.
D
Oh
sorry,
on
the
on
the
feature
flag
point,
I
think
I
think
it's
a
good
idea
to
do
a
feature
flag,
but
I
would
say
we
should
just
remember
that,
like
it's
still
gonna
people
are
still
gonna
turn
it
on
and
we
can't
be
like.
Oh
yeah,
we
didn't
really
securely
review
this,
like
sorry,
too
bad
like
so
it's
we
still
have
to
do
that
security
review
like
and
so.
F
F
D
I'd
also
mention
it's
a
more
mechanical
point:
it's
a
pretty
small
library
that
is
vendored,
and
I
don't
know
whether
we've
approached
the
topic
of
like
is
it
you
know,
bringing
it
just
bring
it
in
like
with
whether
or
not.
F
As
as
yeah,
that's
that's
a
good
point.
I'd
go
either
way.
A
So,
what's
our
mechanism
for
security
reviews
like
for
the
community
here,
I
know
we
have
an
internal
security
review
process
with
our
components,
but
I'm
not
aware
of
like
any
community
security
reviews.
D
D
F
People
are
gonna,
put
it
yeah.
I
I
think
I
think
nick's
proposing
that
we
use
a
portion
of
this
particular
meeting
for
that
security
review.
When
a
security
related
item
is
added
to
the
agenda.
B
So
I
have,
I
guess
my
my
my
original
thought
was
like
we
have.
You
know
we're
gonna
have
a
an
additional
internal
meeting,
that's
that's
kind
of
for
security
and
api
review
of
pull
requests,
but
I'd
also
like
to
get
community
feedback
on
those
things.
So
just
to
kind
of
you
know,
I
don't
know
something
it
you
know
it
doesn't
have
to
be
like
a
super
formal,
but
just
bringing
these
kind
of
pr's
to
the
attention
of
the
community.
I
think
would
be
a
good
thing
to
do
so.