From YouTube: Kubernetes - AWS Provider - Meeting 20210723
Description
Recording of the AWS Provider subproject meeting held on 20210723
Issue triage
A
Hello everybody, and welcome to the bi-weekly provider AWS meeting. I am your moderator/facilitator for today, Justin Santa Barbara; I work at Google. A reminder: this meeting is being recorded and will be put on the internet, so please be mindful of our code of conduct, which boils down to "be a good person". I should have said: today is Friday, July 23rd, 2021.

A
We don't have a lot on the agenda today. I am going to paste a link to the agenda in the chat so that people can have it if they would like to add their...

A
Which I see Nick has done, or would like to add any items. But otherwise we will just go through, I guess, sort of the triage of our open issues and see how it goes from there. Let me try to share my screen.

C
Yeah, I think it's ready to merge. Walter approved it, but it needs another LGTM, just because the most recent commits didn't have it. So if anybody wants to look at it, that would be very much appreciated.

A
Awesome, I will try to after this meeting. Then otherwise we're going to go through the issues in the cloud-provider-aws repo and kubernetes/kubernetes that are tagged aws. We'll start with cloud-provider-aws, which I intend to sort by recently updated.

A
There aren't as many of them, obviously. In here I don't know if there are any that... let's see, in the past two-ish weeks it seems like it's this point up, but I don't know if anyone wants to call anything out; otherwise we can sort of go through them in order.

A
All right, well, let's go through them in order: "Creation of an NLB ignores the proxy protocol annotation."

B
This comes from the in-tree limitation. So in the in-tree code we did not support proxy protocol for NLB, but if we use the AWS Load Balancer Controller, we do support the proxy protocol annotation. So that was the reason this issue might still be there in the cloud provider.

C
Yeah, I think we should just comment that, and I don't think it's super high priority for us to add it to in-tree, since it's supported by the load balancer controller.

A
Yeah, I think that's reasonable. I think it's not like a bug fix, so it seems like it's a motivator to get to the out-of-tree one. So I think that's reasonable. Would one of you two, Nick or Kishore, mind commenting on that then? Sure, yeah, thank you, and then we can keep going.

B
Not that I know of, that we can send a payload. Okay, I've seen like TCP and HTTP/HTTPS, but not any custom payload that customers can configure; not to my knowledge. So it's mostly like an NLB-side feature itself.

A
Yeah, I mean, I think we've...

A
Something... we had something similar in the kOps project, where we overcame a limitation of, I think it was Classic, but whatever, by basically using a sidecar pod. So maybe that's something we could recommend here. So in other words, a sidecar pod or sidecar container speaks, in this case, ZooKeeper, and basically when a health check, an HTTP health check, comes in, it will do, in this case, a telnet health check to ZooKeeper.

B
I mean they could also configure a TCP-based health check, right? So it's only gonna look at the connection establishment and not worry about the internal protocol details in there.

A
Yes, that's true. I think the... so, if I recall correctly, ZooKeeper has a bunch of, I think they call them four-letter commands, and one of them is "are you okay", and it's like a... it's a deeper status check, it's more like a Kubernetes readiness check, so... and it returns "I am okay".

D
Or something based on this, and...

A
Exactly. I forget what it says if it's not okay, but anyway. So I think... but I think there is a not-okay answer, so it's not just... I think it can be listening and not be happy. But I think also we can just, I mean, if we... assuming NLB doesn't support this, which... and it's a fairly niche request as well. Then I can comment and recommend a sidecar container to adapt the ZooKeeper protocol to HTTP, or something like that.

A
All right, I was muting to type, but we can come back to that one. I will comment on it in a minute. All right, well, let's keep going: "Publish credential provider consumables", from some random person called Nick Turner.

C
Yeah, this is on my to-do list, either me or somebody from my team. I have sad news, actually: Burke left, went to some strange team at Google, actually not GKE though. I'm not sure what team it is; it's something to do with... functions in the cloud, I think. But so he was assigned this. If you want to just assign me, I can take it from him.

A
Awesome. Google has very imaginative naming, so it'll probably be called Cloud Functions if it functions in the cloud.

A
Reassign to you; I think I could just do that.

A
Will do. All right, yeah, but that would be wonderful to get those published. The next one is another, I presume, tracking issue, which is a test... Nick, you know, the one for your test framework for e2e tests, yeah.

C
I have a PR for this, which I started, but one of my co-workers had some thoughts here, so working on it. I haven't had time in the last couple months, but getting back to it soon.

A
Very cool. An issue with the Helm chart, relatively old one, but recently updated. Let's see what... okay, so they got an ImagePullBackOff when using the latest Helm chart, and comments are that it also happens with the cloud controller image.

A
Okay, or just... there's actually no tag. It's... and Martin Stefani says that there are date-based tags, but no... oh yeah.

C
There, oh okay, there's a 1.21 alpha 0 with the date prefix, and there's a 1.20 alpha 0 without the date prefix.

C
Yeah, maybe we pushed the 1.20 alpha 0 by hand. No, we don't think we would have done that. This could have been like prior to and after a change to the automation. Maybe we did make a change to the container build automation. So yeah, I will follow up on this one. I guess I don't know, do we care if there's a tag without the date? It's convenient, certainly.

A
Yeah, it's certainly... I mean, it would be nice to have the tag; it's sort of what everyone else does. So let's have the clean tag. The clean tag, yeah, okay.

A
Wonderful. All right, let's go back to the...

A
This one, I think the next one here is "EBS storage class not working", and somehow GetCloudProvider returns nil, which seems very unrelated. But let's see: trying to use the out-of-tree provider, I guess, with an RKE cluster; it's Rancher, or Red Hat.

C
They either need CSI, or they need to pass --external-cloud-volume-plugin=aws to the KCM, right?

C
Yeah, but okay, I guess the way to do this is to look at this Rancher deployment. I'll also ask to see what their settings are in terms of: do they have --external-cloud-volume-plugin set, and do they have CSI installed, and then see what is expected based on their settings. So yeah.

A
I think it's reasonable to verify that it works with some configuration and highlight the flags you think are most likely to be wrong, or mismatched, and then say, like, "here's the working configuration", if we have such a thing, right? So yeah, I don't... yeah, yeah.

A
Okay, thank you. "Node labeling from AWS tags." I think we've talked about this. Oh yeah, indeed a lot, because this is a June 2020 issue.

A
Okay, and this is the idea that goes around a lot, saying that we want to label nodes from AWS instance, or EC2 instance, tags, and...

A
I mean, that's where it gets tricky, right? I mean, I'd say this is not a proposal; it's not a formal proposal, but yeah.

A
All right, it's a little misleading to say that we do this. The reason is...

A
We were... it is possible to configure some node labels that also get reflected into the tags, and then there was a race condition whereby, when we were getting the node labels for an instance, we might get the wrong ones based on the wrong version, and so the workaround was to source those instead from the tags, because those correctly follow the correct version of the auto scaling launch configuration or launch template.

A
So it's basically asking for a... so kOps has a privileged controller, which is a borah controller that is able to apply those labels. But if you're doing it with kubeadm, for example, I don't know how you can set those labels.

A
And it has a controversial history, because there was some confusion about whether k/k... whether it's... yeah, k/k would like the label not to exist, but k/k has no proposal for how to do anything with Kubernetes without that label. So...

A
It's an interesting... it's an interesting position.

C
I'm sorry, go on. I was gonna say, I don't know, I'm not familiar with the joining process, but doesn't the bootstrapper role have something to do with that? It's like the node bootstrapper with its own permissions. I don't know. Yes.

A
I think this might be a good SIG Cloud Provider topic, maybe, which is essentially: how do nodes securely join? And I don't... you know, there is no... It would be great, like, kOps has a relatively secure joiner, or we intend it to be, like, secured by a more secure design, or intentional design.

A
You know, but it's never gone through an audit, so, you know. But, for example, using the AWS instance data, is that right, instance document, the signed instance document, or using a call to the Security Token Service to sort of prove you are the node that you say you are, to then get to start that bootstrap process, and then to securely identify the node and identify which roles or labels, which labels and taints it should have, because those are security-sensitive things.

A
That's why we stopped allowing the kubelet to do it, because the idea was, if you had a privileged workload, if any node could just self-assign that label, you would have a good chance of getting that privileged workload.

C
I don't know, the cloud node controller, I mean, it probably would have to... it would require changes to the node controller logic itself, right? There's no...

D
Yeah, and potentially the default service account and role of the controller, I guess. But the, like... so this request has come up multiple times across many providers, where people want their own way of kind of doing, like, node pools, so they use tags so that then they can use those for node selectors and whatnot.

D
So, you know, if we're seeing it in enough places, I think it's worth talking about doing this in a generic way, where you can, like, maybe not specifically with tags, but like a mechanism to request some arbitrary labels that should be applied to the node as it's registered, similar to zones, but just more generalized.

C
Cool, all right, I'll take a note to bring it to the next SIG Cloud Provider meeting.

C
We had one this week, I believe, so okay, should be the week after.

A
Cool, all right, thank you. All right, another long-runner; we're up to 24 days ago. So I guess we actually didn't have a meeting last week, so why don't...

A
We do the next two, because then we get to 28 days ago, and then that's good, yeah, at least for this repo. We can see if we have the appetite to do the next repo. But so the next issue in the cloud-provider-aws repo is: "NLB services with externalTrafficPolicy: Local route traffic to nodes that cannot handle it for a short time when a node joins the cluster."

B
So this is like a known issue, like a known limitation from the NLB side, where, due to the health check complication, they apparently are healthy for the short period of time, and eventually, when the health check kicks in, that's when the true health check status gets reflected in the target. So for now, one way is to use the IP targets so that this limitation isn't there, and we also follow up with the NLB team.

B
We are following up, actively engaging them to see what would be a proper fix for these customers.

A
Wonderful, thank you, that sounds great. Yeah, so that was the last update effectively, that there isn't an issue, and yeah. That sounds great.

B
So it's because of the NLB, right? So when the NLB instance joins the target group, like when the instances are added, for the short period of time NLB's internal accounting treats them as healthy. So it's actually trying to probe the target, and because of how legacy LB works, they do send some traffic to the instance. So that's where this thing comes into the picture.

B
I got it correct: they do send some, like, even though it's unhealthy, initially NLB does send some packets just to probe and make sure things are in order. So that is the reason why this consistent confusion is... so it's for the short period of time, initially, when the node joins the target group.

A
All right, I mean, it doesn't sound like there's a lot we can do there, and it sounds like it is under control. So I think we can move on to the next issue, which sounds similar, but a little different: "First provision of NL..." oops, "First provision of NLB ignores logging and cross-zone." Oh no, sorry, this is different. This is kubernetes. I guess: "First provisioning ignores..."

C
It's unfortunate.

A
Okay, thank you. So yeah, hopefully that can get cherry-picked and then published. That'd be awesome. That was the 28 days, which, I don't know if there's anything else anyone wants to call out below the line; the line is here.

A
I don't know if you can see where my mouse is, but the line is around here. Otherwise, I propose to take a quicker look at k/k.

A
These are issues labeled with area/provider/aws, sorted by most recently updated, and it looks like we have three that are updated in the last 28 days, which I propose we have a look at, and then we can do a call-out for any others. How about that?

A
Okay, that sounds odd, causing...

C
So when you switch over to external cloud provider, there's kind of three cases, I guess, that a new kubelet coming up can configure themselves with regards to this, or three different cases that were... anyway. So kubelet can start up fresh.

C
So when we're talking about EC2 instances, and when you modify a kubelet running on a node and change... so when kubelet starts up and the hostname doesn't agree with the node name, kubelet then can't find its node object, and so you'll run into issues. So I guess, if kubelet can't find its node object, it's going to stop posting updates, and then eventually the node will probably get deleted and pods will get evicted.

C
But Andrew mentioned that if you use the hostname-override flag, or potentially the provider-id flag, then at the same time that you upgrade the kubelet, then... or I guess, yeah, same time as you upgrade the kubelet, then kubelet will be able to find the node object and everything will work fine. When you create a new kubelet, that case should also work, and when you have just an existing kubelet, which already has its node name figured out, that should also work.

C
So this was the only case, and I think there's a workaround that is fine. So I don't know, there was some other discussion about potential changes to the kubelet, but I don't think we got super far. So...

A
So that seems reasonable; like, it sounds like in the long term we're in a good place. It sounds like in the expected use case there's no workaround, which is, you know, we don't really expect people to keep nodes, upgrade nodes in place, in general in Kubernetes, especially on a cloud, right? So, and there is a workaround, so that seems reasonable.

A
That sounds like you've put excellent comments on there, so that looks great. Next, number two of our three: "externalTrafficPolicy: Local on AWS does not work if the DHCP of the VPC is not set exactly to region.compute.internal."

A
Well, we definitely have seen that sort of issue, and it sounds like it affects externalTrafficPolicy: Local, gossip cluster; I'm guessing they're running kOps. I don't know why it would matter, to be honest.

A
Okay, and it sounds like it's around passing the hostname override to EKS, I'm guessing... sorry, passing the hostname override to kube-proxy, at least on EKS.

C
So when they say externalTrafficPolicy set to Local doesn't work, what does that mean? All targets in that target group were unhealthy, even though the pod...

A
I mean, to be fair, this is three years ago, so it may be that there are different symptoms over time, but...

A
You and I are already assigned to it, so that's, I think, the right set of assignees, so that's perfect. But yes, I will also try to take a look at this one.

D
Generally, so, like, there's a hostname passed to the kubelet, and then there's also the host[name passed to] kube-proxy, and so if kube-proxy is given a different hostname, then it doesn't render local endpoints, like it doesn't think an endpoint for some node is its own endpoint, and that's where the local traffic policy would fail. Well, that would be my guess for this one.

D
Yeah, like kubelet's understanding of the node name needs to be exactly what the name on the kubelet is, which on AWS needs to be the private DNS.

A
All right, sounds like we should probably look at that. Sounds like there's a reasonable explanation for what is likely going on; I'm just needing to figure out whether it's still happening, and whether our respective tools should just bake in effectively this, which actually feels very reasonable.

A
Okay, next, and the final one, which we talked about, another similar one.

A
So it might actually be related to externalTrafficPolicy: Local. Okay. Is this the same person, JT Weaver, who filed this originally, now rice bowl junior?

A
That's a good... oh!

A
Exactly. All right, I think that would actually sort of make sense, and that might... because I don't think the original reporter in this issue called out externalTrafficPolicy, but they may have had it anyway.

A
All right, those were the issues that we wanted to do, based on our 28-day rule. I don't know if there's any others that people would like to call out. I'm going to move the line. There we are, that is the line.

A
Like, that's like they're in reasonable shape; it feels like there's a couple of issues which are tractable as well. I feel like we have a good grasp on them, or beginnings of a grasp on them. All right, well, if there's nothing else, then I will stop the recording and wish everyone a very happy weekend.