From YouTube: Kubernetes - AWS Provider - Meeting 20210625
Description
Recording of the AWS Provider subproject meeting held on 20210625
A
All right, all right, everybody, welcome to the provider AWS meeting. It is Friday, June 25th, 2021. Remember the code of conduct for CNCF and Kubernetes projects, and we'll go ahead and get started. So, two items on the agenda today. I have the first one, so go ahead and start with that.
A
Basically, it's just a pull request that I opened up for, actually there's two pull requests. One of them is to Kubernetes and one of them is to... I guess the important one is to Kubernetes. So let me just, that's the issue which links to the other pull requests. I should have just linked the the the.
A
That I should have linked, but that's okay. So if we, actually I'll go ahead and share my screen.
A
Okay, so the idea is basically the name that is passed to client builder in the, in the utility functions that start the cloud control loops.
A
This name is, is hard coded and it's used to create a service account for each control loop, so that effectively means that the, the name, you know, is, you can't change it unless you duplicate all this code in your, like, in the cloud provider itself, and that means you can't change the service account, and then you can't change the RBAC, so you're stuck with the RBAC that, that's bootstrapped by default. So there's like a couple different control loops that fall under the node controller RBAC, for example.
A
So as you change functionality, you might want to change the role and, and, and such things. So anyway, this allows us to change that. So I'll just quickly show.
A
The pull request, it's, I, there was a couple different approaches I could have taken. I took the most, the least invasive one. There was some talk of whether I should try to change, like, the generic controller, generic controller manager config, you know, takes a list of controllers, and change that. So, instead of just a list of controllers, it's like a list of controllers plus their service account name. That would have been a pretty big change, and I wanted to avoid that.
A
So this, this basically just, in a lot of places, adds a client name to some of these init functions and changes the, there's like these init func constructors, and it just changes those to include a client name. Those can be overridden from the cloud provider. So if you look at what a cloud provider has to do to change these names, if I get the right, yes, this one, so.
A
Basically, you can override the client names from your main function in the cloud provider. So yeah, I don't know, just if anybody's interested, would appreciate a review and see if we think this is a good idea, and if it is, I'll take it to SIG Cloud Provider.
B
This is cool. It sounds like it was motivated by Kubernetes RBAC, but presumably you could also end up using this for, for IRSA. Is that true? I mean.
B
Yeah, for IRSA, well.
A
I'm not sure what or how you would do that. Maybe you can explain, but let me just say that this was motivated by, I don't want, when we migrate to the, like, when EKS migrates to the external cloud provider, I want to have, we want to manage our own RBAC, and without this we can't do that unless we duplicate a bunch of the utility functions into our cloud controller.
A
So that was, that was the primary motivation, just like, we want to be free from that bootstrapped RBAC, if that makes sense.
B
That, that does make sense. Yes, I'm not sure, I'm sort of reasoning by analogy with how it works on GCP, but I, as I understand it, like, the exchange is, I exchange my service account token.
B
I get a service account token that's bound with a different audience, and then I do some fancy exchange. So if I'm running under a different, to get enough, to get an AWS IAM token or a token value with AWS IAM. So if I'm, if I'm running under different Kubernetes service accounts, we could then do more fine-grained allocation of cloud IAM, as long as those are genuine Kubernetes service accounts. But anyway, it's, it's one to think of for the future, I guess. Oh, so.
A
As long as you specify --use-service-account-credentials, which we're doing, right. So, but there's weird stuff, like the node controller, the node lifecycle controller, the node IPAM controller, they all have the same identity and we can't change that even if we wanted to in the external cloud provider. So this allows us to change that.
A
Cool, so that's, that's it for that. Yeah, just reviews would be appreciated. Do you want to take the next one, Justin?
B
Cyprian has got IPv6 working on AWS, I think with Calico as an overlay, but this is sort of part of it and I think it's ready for review. I think Angus Lees gave an early review and had some feedback, and I think Cyprian incorporated that, and so it now has LGTM from Angus and I think it's in pretty good shape. I think it's basically additive.
B
If I understand correctly, because I don't imagine most people are currently running with IPv6, so on the nodes anyway, on AWS address. So if, if, if we are, if we think it's good, it, I think it's a good unblocker. I think I would love to see more than just Calico, but I think it's a great starting point. Got.
A
It. Okay, cool. Yeah, I think we'll try to get this merged as well. I think we looked at this last meeting too, so probably.
B
We did, and all that has changed since, I think, Angus had, Angus's feedback was incorporated and Angus gave LGTM. I got it. Okay, sounds good.
A
I will just say, since Peter is here.
A
I am still working on open sourcing the certificate controller, just FYI. I haven't, I should rephrase that: I haven't done any work recently on it, but it's, it's in the process of happening.
A
All right, anything else?