From YouTube: Kubernetes SIG Node 20201006
Description
Meeting Agenda:
https://docs.google.com/document/d/1j3vrG6BgE0hUDs2e-1ZUegKN4W4Adb1B6oJ6j-4kyPU
A: All right, and we should be able to once again go and check and see that those profiles now exist, so under our kubelet seccomp directory there should be an operator directory, and we should see that now we have another directory, "signal demo one", which was the name of the namespace that that config map was created in, and then we should see a directory for the name of the config map, which was "signo profiles".

So if we wanted to actually test these out on a pod, let's look at how we have this configured. Like I said, I'm using a 1.18 version of Kubernetes, so seccomp is not part of the security context yet, so I'm still using the annotation here. Basically we're just specifying that this is a local profile and it's in this directory here, and we'll start off with doing profile one, which is default errno. So we should fail to create this container when we apply it. So let's give that a shot.

All right, and if we look at our pods here: ContainerCreating. And if we watch that, we should see that fairly soon we should get an error for it. Creating... yep, CreateContainerError. So, you know, obviously it can't make any syscalls, so it's not going to be able to start up. So let's go ahead and delete that pod, and now we'll do the same thing, but we will use profile 2, which just has a default action of log. So when we apply this, this should start up.

If we watch that, it's already running. So yeah, that's kind of the main workflow of how it works. It's pretty straightforward, and the main thing we want to do is provide a similar experience and continue to build on this for other security measures such as AppArmor. So yeah, I'll pass it off to Sascha and Paulo to cover anything else that they have, specifically related to the name change of the controllers and that sort of thing.
B: Go ahead with the AppArmor KEP, though. This KEP is linked in the agenda and it has been open for quite a while, and I saw that Jordan did some review five days ago, and I probably have the chance today to implement the review. I'm not sure if we make it until the enhancements deadline, which is today, end of the day, but in general, if we want to, I mean we can target it for 1.20 or 1.21, so there is no rush. But all in all, I would really appreciate some approval from SIG Node.
D: Yeah, working it out, thank you. Cool, so one of the topics, which we brought up a few weeks ago, was about renaming the seccomp operator, and that is because we find the need to kind of do all the things as well within this operator. The initial name we had was "security operator", and the feedback we received was that it was too broad.

So we've done a bit of brainstorming and came up with this, which actually helped us kind of find a new name, which is Security Profiles Operator, and this is based on the kind of features we want to implement on this operator, right. So at the moment the seccomp operator does quite a few things: you know, we support config maps and CRDs, we sync those, you know, across the nodes within a given cluster.

We're storing seccomp profiles for, you know, public workloads, so for example nginx, and the plan is to expand on that in the future. We want to allow people to automatically apply them. So, for example, if you have, you know, nginx in a cluster, by using this operator you will be able to automatically just apply a seccomp profile to it. So there's a few other things that we want to do in that space, and then now on AppArmor, for example, we want to do similar things, right.

We want to support CRDs, we want to support config maps, so people can represent and deploy those AppArmor profiles more easily, and we also want you to be able to load those profiles into the nodes, which is a different mechanism than we have for the seccomp operator at the moment, but that would be targeted for AppArmor. And conversely, we also would like to, you know, store AppArmor profiles for, you know, public workloads like nginx and others, which then would be able to be auto-applied.

There are a few other things around SELinux, pod security policies and RBAC that we started to think about. We haven't really, you know, fleshed it out as much as we have for seccomp and AppArmor, but we definitely see the need, you know, and where we could add value around those subjects and other, you know, security features within this space. So the key thing that we would like to ask you guys: we have a PR, you know, to rename the project into...

...you know, Security Profiles Operator, and it would be great to get feedback from you all about, you know, the things that we want to do, if you have any other ideas on things that we could also implement, and also, you know, hopefully get this approved so we can rename the operator.
E: Do you foresee it supporting any other kind of configuration in the future, like beyond just security?
D: No, no, well, so far we haven't thought about that, like to that extent. I think, you know, the amount of things within security is already quite big. Again, it will take some time for us to implement it, but we haven't started discussing. Would you have any ideas of things that might be worth doing?
E: So I guess, like you guys have already linked to, like OpenShift has a machine config operator which is more general, which allows you to basically manage any files anywhere on your system and then make sure that those files' contents don't change. So I'm wondering if, like, you started with seccomp here and now you're adding security profiles, do you see it headed in that direction, and maybe we should think of something more general? But by the way, like just sticking with security profiles sounds great to me.
D: So that's really good feedback, thank you for that. So when we started thinking about the operator, the idea was to decrease the barrier for people using security features within Kubernetes, right. At the moment you need a lot of, you know, knowledge to actually get, you know, seccomp up and running, make sure that it's actually running and so on.

So, for example, one thing that we wanted to do is actually be able to notify the cluster admin, for example, if seccomp is not enabled on a given node, for example because the runtime doesn't support it; you know, otherwise the admin would be oblivious to that.

So that's why I think, you know, like our focus in security is kind of primary. Overall we haven't thought, you know, of extending on that, but the idea was to really add value on making it, you know, transparent and really easy to onboard those kinds of security features. So I'm not sure if it makes sense for us to be more generic and then not be able to add that extra mile of functionality, for example, to really test and give metrics on, for example, usage.

So this is one of the things that we were thinking about, that, and about the other ones as well, like within your workloads in the cluster: which ones are actually using profiles, which ones are not, which ones are using, you know, the default ones or just the runtime default. And, you know, again, there's quite a few things that we want to implement along those lines.
E: Makes sense, sounds like a good idea. So are you guys validating any of these profiles, and are you guys checking against tampering after something is written out to disk?
D: That's another really good question. So those are things that we are kind of considering. Okay, when it comes down to validating the seccomp profile, you know, itself, there are a few things that are not really part of the OCI spec, so what we defined was that we're only validating the things that are, and the other things are a bit open when it comes down to the CRD, when it comes down to the config map.

At the moment we do only basic validation as well, because again, you might use different syntax, you know, depending on the runtime you're using. So it's a bit tough for us to be really specific from that perspective. In terms of validating files after they've been saved, at the moment we're not doing that. That is one of the things that is on our backlog, to make sure that, you know, the profiles are not being tampered with.
C: So I'm wondering, because all those kinds of features, I understand you want to introduce an operator. Basically it's just reducing the complexity for the user to adopt and use the security features, and also some of it is complementary, and SELinux kind of provides a similar overlap of the functionality, just because admin can choose differently. But the sum also is different. Just solve the difference, to provide the difference that created the perspective, right, too. So, are you applying that to this operator?

You could have like a different combination, or you basically just only support one among four. Actually, that's the five and all. Maybe just like the deploying, like doing the deployment, you have the operator, but I actually could deploy an arbitrary combination, and how are you going to ensure which one you can deploy? Because I haven't seen your KEP about this one yet, because I haven't seen anywhere to find that one, so yeah. So I'm just wondering how you're going to, in your plan.
D: Well, it's still kind of early days. We haven't really, you know, fleshed it out as far as that, to be honest, but what we were thinking, and one of the reasons for changing the name of the operator, was to be able to give one deployment and, you know, users would be able to use all of that, instead of having, like, you know, let's say five or four operators to tackle specific parts of, you know, security features.

So we haven't really gone that far, but I would assume we would stick to the idea of deploying only once, and in terms of enabling and disabling features, we will have to see how we do that once we get there, if that makes sense. Does that answer your question?
C: It kind of does, but I'm just wondering, like, for example, customers one and two are using SELinux and they also want to use AppArmor. You say, oh, basically we only allow you to deploy one, or maybe we can allow you to deploy multiple altogether, but at the same time, because SELinux and AppArmor basically provide similar functionality, you cannot. So I just want to make sure what's in your mind, how we are going to move forward for those things.
D: I would say, like, ideally you deploy everything, so one operator does all of it and you might disable some of the functionality. But again, what we probably will do is, once we start implementing a bit more of the AppArmor functionality and we have some of that mechanism running, we can present again to SIG Node and get some feedback and see what is the best way forward. How would you feel about that?
C: I was just wondering, because the problem is, we try to reduce the learning curve, try to build the solution for customers, but if we don't provide the out-of-the-box connected solution, and also use validation, or ensure, or whatever, ensure that it is a valid configuration, maybe we still have that learning curve there, or maybe even cause more. So that's the kind of thing, because operators solve a lot of problems in many deployments, but also cause the actual cluster management problem, because you could do arbitrarily quite a lot of things without carefully thinking about the minimum requirements.
D: Yeah, so the idea is to actually have that in and confirm 100% that, you know, if a given pod is supposed to operate with a seccomp profile, unless it's actually applied and enforced, you know, we would be able to, for example, not allow the pod to run. Again, like all those things we're still thinking about, but at least you go towards that, like really doing the whole end to end when it comes down to those features. We're still kind of, you know, for example, the recording of profiles, we're still working on that, but as those things mature, I think it definitely makes sense for us to get some more feedback and see how to make them really good.

Yeah, so the key thing for me now: I need like a plus one or an okay from someone from SIG Node on the PR, so we can actually go ahead and rename the project and start working on extending its functionality into AppArmor. So if you guys could do that, that would be amazing.
C: Okay, so how about after this one, you send me the link to the one you hope we can support, send it to me and Derek, and one of us can plus one there. Unless... actually Derek is here, but I guess he's not always available to say it out loud. So we can't carry on with that one. But I can process that after this meeting, is that okay?
F: ...topology information as part of the container resources, and two endpoints, which are, yes, allocatable resources and a watch endpoint. I'm here with my colleagues Alexey and Francesco, and we are kind of seeking approval on this KEP. We've already got an LGTM from David Ashpole. He approved, so it's just kind of a matter of getting a final approval to get this KEP merged before the enhancements freeze today.
C: Yes, David is not able to join today's meeting. I will poke him after this and need him to take a last look, and he's on this one. So even yesterday he gave me an update, saying this is pretty done.
F: Yeah, that would be great, yeah. And if there's anything that we can do in the meantime, just let us know, because we'd like it to get merged. We've addressed all the comments and all the concerns, so I think from our point of view it's all ready to go. Sure, thanks.
C: So the next one is RuntimeClass to GA. Actually Derek already approved that one and it's reviewed, and there's the two tests we need in the PR, and Sergey posted here. Because he didn't feel well, he left earlier. So, well, everything looks okay, on the right track.
G: Yeah, hi, yeah. I just wanted to ask. I hoped to get that in on time for the freeze, but I couldn't get any reviews until now, so it's depending on your review. So I'm just adding it to the agenda, just to, you know, ask again if anyone could check it out and leave any review, or merge it, or whatever, yeah.
C: Yeah, if I remember correctly, I don't think we were converging about having this one available, the container ID, available through the downward API. And I understand you shared it the last time, but maybe I don't remember it correctly, but I remember we didn't converge on that one. Yeah, we still have the concern.
G: I mean I didn't really get any review, so I'm not sure if we are converging or not. So two meetings ago I presented the basic idea. We had some discussion. I was asked to make, you know, a document, written down. I made a document where I hoped to collect all the, you know...

...everything we discussed, presented that in a more concrete form with, you know, both arguments, you know, for or against, or at least, you know, considerations and other alternative approaches. And so I would like to, you know, get feedback on that: you know, did I properly and nicely present everything, and is this...

...you know, what's the next step? But I don't have anything, any review, any written comment on that anywhere. So I'm asking if we could get, you know, a review or some feedback, because I don't know, you know, what is really the feeling of the group on it.

My main hope is to get the ID, but, you know, the name is very similar, so my proposal is to pass both of them, just to be sure. But the main tricky thing, and why, you know, this KEP is necessary, in my view, is to pass the SHA, because you cannot get the SHA in any other way to know what exactly is running if you're using the latest tag.
E: Okay, so we'll need some CRI changes then, to get the resolved tag back and then set it down?
G: From outside, so if you, you know, use the API from outside and you look at the status field, you have an image ID already there. The only issue is that the container itself does not have this information. So my hope is to be able to, you know, find a way when implementing to pass this in as an environment variable, if you enable that in your configuration of the pod, so that you can get this information. Okay, so hopefully.

Hopefully, so this information is available around... what I'm hoping, and I haven't yet, you know, implemented this, my hope is that this is really straightforward to pass also inside, because it's already available outside. Okay.
C: Thanks, Mitar. And maybe we'll assign that, they'd like to capture you, and for the first reviewer, sure, and then we can come back. So, Mitar, it looks like we cannot capture that nine for this release, but we are continuing with the normal review process. Is that okay with you?
G: Is this a few months? Because I'm not familiar with that, like what is the, you know, next deadline I should be, you know, conscious about, so that we don't miss the next one as well. Yeah.
C: Another thing: even if we miss this one, if there is approval then we can continue with the development, right. So you don't need to think, like, okay, I have to wait for the next step nine and then wait for the next release to make the feature available. So it's not like that. Yeah.

Okay, I believe that's all for today, so any other topic people want to bring up to the community?

Okay, then I think we are okay, and that's it for today, and everyone got about 20 minutes back. Thank you, everyone.