►
From YouTube: Kubernetes SIG Node 20201006
Description
Meeting Agenda:
https://docs.google.com/document/d/1j3vrG6BgE0hUDs2e-1ZUegKN4W4Adb1B6oJ6j-4kyPU
A
All
right
and
we
should
be
able
to
once
again
go
and
check
and
see
that
those
profiles
now
exist,
so
our
cubelet
cert
comp
and
they
should
be
an
operator,
and
we
should
see
that
now
we
have
another
directory.
This
signal
demo,
one
which
was
the
name
of
the
namespace
that
that
config
map
was
created
in
and
then
we
should
see
a
directory
for
the
name
of
the
config
map,
which
was
signo
profiles.
A
A
So
if
we
wanted
to
actually
test
these
out
on
a
pod,
let's
look
at
how
we
have
this
configured
like
I
said,
I'm
using
a
1.18
version
of
kubernetes,
so
setcomp
is
not
part
of
the
security
context.
Yet
so
I'm
still
using
the
annotation
here,
basically
we're
just
specifying
that
this
is
a
local
profile
and
it's
in
this
directory
here
and
we'll
start
off
with
doing
profile,
one
which
is
default
error.
So
we
should
fail
to
create
this
container
when
we
apply
it.
So,
let's
give
that
a
shot.
A
All
right
and
if
we
look
at
our
pods
here
container
crating
and
if
we
watch
that
we
should
see
that
fairly
soon,
we
should
get
an
error
for
it,
creating
yep
great
container
error.
So
you
know,
obviously
it
can't
make
any
sys
calls.
So
it's
not
going
to
be
able
to
start
up.
So
let's
go
ahead
and
delete
that
pod
and
now
we'll
do
the
same
thing,
but
we
will
use
profile
2,
which
just
has
a
default
action
of
log.
So
when
we
apply
this,
this
should
start
up.
A
If
we
watch
that
it's
already
running
so
yeah,
that's
that's
kind
of
the
main
workflow
of
how
it
works.
It's
pretty
straightforward
and
the
main
thing
we
want
to
do
is
provide
similar
experience
and
continue
to
build
on
this
for
other
security
measures
such
as
app
armor,
so
yeah
I'll,
pass
it
off
to
sasha
and
paulo
to
cover
anything
else
that
they
have
specifically
related
to
the
name.
Change
of
the
controllers
and
that
sort
of
thing.
D
C
D
Yeah
working
out,
thank
you
cool,
so
one
of
the
topics
I
but
we
brought
it
up
a
few
weeks
ago
was
about
renaming
the
second
operator,
and
that
is
because
we
we
find
the
need
to
kind
of
do
all
the
things
as
well.
Within
this
within
this
operator,
the
initial
name
we
had
was
security
operator,
which
the
feedback
we
received
was
that
it
was
too
broad.
D
So
we
we've
done
a
bit
of
brainstorming
and
came
up
with
this,
which
actually
helped
us
kind
of
find
a
new
name
which
is
security
profiles
operator,
and
this
is
based
on
the
kind
of
features
we
want
to
implement
on
this
operator
right.
So
at
the
moment,
the
second
operator
does
quite
a
few
things,
so
you
know
we
support
config
maps
crds,
we
sync
those
into
you
know
across
the
nodes
within
a
given
cluster.
D
We
storing
second
profiles,
for
you
know
public
workloads
so,
for
example,
energy
x,
and
that
is
to
expand
on
that
in
the
future.
We
want
to
allow
people
to
automatically
apply
them.
So,
for
example,
if
you
have
you
know
ngx
in
a
cluster
by
using
these
operator,
you
will
be
able
to
automatically
just
apply
a
second
profile
to
it.
So
there's
a
few
other
things
that
we
want
you
to
do
on
that
in
space
and
then
now
on
app
armor,
for
example.
We
want
to
do
similar
things
right.
D
There
are
a
few
other
things
around
sc
linux,
pod
security
policies.
In
our
back
that
we
started
to
think
about.
We
haven't,
really,
you
know,
fleshed
it
out
as
much
as
we
have
for
a
second
apartment,
but
we
definitely
see
the
need
you
know
and
and
where
we
could
add
value
around
those
subjects
and
other
you
know,
security
features
within
this
space.
So
the
key
thing
that
we
would
like
to
ask
you
guys.
So
we
have
a
pr.
You
know
to
rename
the
project
into.
D
D
No,
no
well
so
far.
We
haven't
thought
about
that
like
to
that
extent,
I
think
you
know
the
amount
of
things
within
security
is
already
quite
quite
big
again.
It
will
take
some
time
for
us
to
implement
it,
but
we
haven't
started
discussing.
Would
you
have
any
ideas
of
things
that
might
be
worth
doing
so.
E
So
I
guess,
like
you
guys
have
already
linked
to
like
openshift,
has
a
machine
config
operator
which
is
more
general,
which
allows
you
to
basically
manage
any
files
anywhere
on
your
system
and
then
make
sure
that
those
files
contents
don't
change.
So
I'm
wondering
if,
like
you
started
with
here,
a
sick
comp
here
and
now
you're
adding
security
profiles.
Do
you
see
it
headed
that
direction
and
maybe
we
should
think
of
something
more
general,
but
by
the
way,
like
just
sticking
with
security
profiles
sounds
great
to
me.
D
So
that's
really
good
feedback.
Thank
you
for
that.
So
when
we
started
thinking
about
the
operator,
the
idea
was
to
to
decrease
the
barrier
for
people
using
security
features
within
kubernetes
right
at
the
moment.
You
need
a
lot
of
you
know
knowledge
to
actually
get
you
know,
second
up
and
running,
make
sure
that
that's
actually
running
and
so
on.
D
So
that's
why
I
think
you
know,
like
our
focus.
Insecurity
is
kind
of
primary.
Overall
we
haven't
thought
you
know
on
extending
on
that,
but
the
idea
was
to
really
add
value
on
making
it.
You
know
transparent
and
really
easy
to
to
onboard
those
kind
of
security
features.
So
I'm
not
sure
if,
if
it
makes
sense
for
us
to
be
more
generic
and
then
not
be
able
to
to
add
that
extra
mile
of
functionality,
for
example,
to
really
test
and
give
metrics
on,
for
example,
usage.
D
So
this
is
one
of
the
things
that
we
were
thinking
about
that
company
about
the
other
ones
as
well
like
within
your
workload
in
the
cluster.
What
are
the
things
that
are
being
that
they're?
Actually
using
profiles
which
ones
are
not
which
ones
are
using?
You
know
the
default
ones
or
just
the
runtime
default,
and
you
know
again,
there's
quite
a
few
things
that
we
want
to
implement
around.
Those
are
on
those
lines.
D
At
the
moment,
we
do
only
basic
validation
as
well,
because
again
different,
you
might
use
different
syntax
and
you
know,
depending
on
the
runtime
you're
using.
So
it's
a
bit
tough
for
us
to
be
really
specific.
On
that
perspective,
in
terms
of
validating
fires
across
the
you
know,
after
they've
been
saved
at
the
moment,
we're
not
doing
that.
That
is
one
of
the
things
that
is
on
our
backlog.
To
make
sure
that
you
know
the
profiles
are
not
being
tampered
with.
D
E
C
D
C
So
I'm
wondering
because
the
all
those
kind
of
those
feature
I
understand
do
you
want
to
introduce
operator.
Basically,
it's
just
reduce
of
the
complexity
for
the
user
to
adopt
and
use
of
the
security
features,
and
also
some
of
it
is
the
complementary
and
the
zombies
kind
of
provide
a
similar
overlap
of
the
functionality
that
just
because
admin
can
choose
different.
But
the
sum
also
is
different.
Just
solve
the
difference
to
provide
the
difference
that
created
perspective
right
too,
so,
are
you
applying
to
this
operator?
C
You
could
have
like
a
different
combination
or
you
basically
just
only
support
one
among
four.
Actually,
that's
the
five
and
all,
maybe
just
like
the
deploying
like
doing
department,
you
have
the
operator,
but
I
actually
could
deploy
arbitrary
combination
and
how
you're
going
to
ensure
and
which
one
you
can
deploy
so
because
I
haven't
seen
your
carp
to
about
this
one
yet
because
I
haven't
seen
anywhere
to
find
that
one
so
yeah.
So
I
just
wondering
how
you're
going
to
in
your
plan.
D
Well,
it's
still
kind
of
early
days.
We
we
haven't
really,
you
know
flashed
out
us
as
much
as
as
far
as
that
to
be
honest,
but
what
we
were
thinking
and
one
of
the
reasons
why
changing
the
name
of
the
operator
was
to
be
able
to
to
give
one
deployment
and-
and
you
know
users
would
be
able
to
use
all
of
that
instead
of
having,
like
you
know,
like
let's
say,
five
or
or
four
operators
to
tackle
specific
parts
of
you
know,
security
features.
D
C
It's
kind,
but
I
just
wondering
like,
for
example,
customer
one
two
are
using
rubrics
and
also,
and
they
also
want
to
use
in
apple
armor.
You
say,
oh
basically,
that
we
only
allow
you
to
deploy
one,
oh
and
also,
or
maybe
we
can
allow
you
to
deploy
multiple
altogether
and
but
at
the
same
time,
because
the
cylinders
and
upper
armor
basically
provide
a
similar
functionality.
So
you
cannot.
So
I
just
want
to
make
sure
that
you
what
in
your
mind
how
we
are
going
to
move
forward
for
those
things.
F
C
D
I
would
say
is
like
ideally
you
deploy
everything
like
so
one
operator
does,
all
of
it
and
you
you
might
disable
some
of
the
functionality
but
again
like
what
we
probably
will
do
is
once
we
start
implementing
a
bit
more
of
the
armor
functionality,
and
we
we
have
some
of
that
mechanism
running.
We
can
present
again
to
the
c
node
and
get
some
feedback
and
see
what
what
is
the
best
way
forward.
How
would
you
feel
about
that.
C
D
D
C
Okay,
so
how
about
the
after
this
one?
You
send
me
the
link
to
your
which
one
you
hope
we
can
support,
send
it
to
me
and
the
dark,
and
also
your
one
of
us
can
pass
one
there
unless
I
I
actually
derek,
is
here,
but
I
guess
he's
not
always
not
available
to
to
say
loudly.
So
we
can't
carry
on
that
one.
But
I
can't
I
can
process
that
after
after
this
meeting
is
that
okay.
F
F
Technology
information
as
part
of
the
container
resources
and
two
end
points
which
is
yes,
allocatable
resources
and
overwatch
endpoint,
I'm
here
with
my
colleagues,
alexey
and
francesco,
and
we
are
kind
of
seeking
approval
on
this
gap.
We've
already
got
an
lg
team
from
david
ashford.
He
approved,
so
it's
just
kind
of
a
matter
of
getting
a
final
approval
to
get
this
cap
merged
before
the
enhancement
phase.
Today,.
C
F
C
G
Yeah
hi
yeah.
I
just
wanted
to
ask
I
hope,
to
get
that
on
time
for
freeze
in,
but
I
couldn't
get
any
reviews
until
now.
So
it's
depending
your
view,
so
I'm
just
adding
it
to
the
agenda.
Just
to
you
know,
ask
again
if
anyone
could
check
it
out
and
and
leave
any
review
or
or
or
merge
it
or
whatever
yeah.
C
Yeah
I,
if
I
remove
correctly,
I
don't
think
about-
we
are
converting
about
having
this
one
available,
the
container
id
and
available
in
the
through
the
downward
api-
and
I
understand
you
shared
the
last
time,
but
I
maybe
I
remember
it's
not
correctly,
but
I
remember
we
didn't
converging
on
that.
One
yeah
still
have
the
constant.
G
G
Everything
we
discussed
presented
that
in
a
more
concrete
form
with
you
know
both
arguments,
you
know
for
or
against,
or
I
mean-
or
at
least
you
know,
considerations
and
other
alternative
approaches,
and
so
I
would
like
to
you
know,
get
feedback
back
on
that
is,
you
know,
did
I
you
know
properly
and
nicely.
You
know
present
everything,
and
is
this?
G
G
E
E
G
From
outside,
so
if
you,
if
you,
you
know,
use
the
api
from
outside
and
you
look
at
the
status
field,
you
have
an
image
id
already
there.
The
only
issue
is
that
the
container
itself
does
not
have
this
information,
so
my
hope
is
to
be
able
to.
You
know,
find
a
way
when
implementing
to
to
pass
this
in
as
environment
variable,
if,
if
you
enable
that
in
in
your
configuration
of
pod,
so
that
you
can
get
this
information,
okay,
so
hopefully.
C
G
G
C
C
G
C
G
C
Another
thing:
where
are
those
kind
of
even
we
miss
this
weenies,
but
you
if
there
is
pro
proof
and
then
we
can
continue,
we
can
continue
off
the
development
right.
So
so
you
could
you
don't
need
like
okay.
I
have
to
wait
for
next
step
nine
and
then
wait
for
next
next
release
for
the
make
the
feature
available.
So
so
it's
not
like
that
way.
Yeah.