Description
Office Hours is a live stream where we interview one of the Kubernetes SIGs and answer live questions about Kubernetes from users on the YouTube channel. Office hours are regularly scheduled meetings where people can bring topics to discuss with the greater community. They are great for answering questions, getting feedback on your use of Kubernetes, or just passively learning by following along.
A
A
Okay, let me beat it because I'm here myself twice so, let's get started. This is Kubernetes office hours for the month of June July. This is year 2022, I'm saying that because all these recordings are in YouTube. So if you're watching from the future, hello, here we're in the past, we are in, as I like to reference times. It's like we are in 125 land like, for example, now you re issues about 1, 10 and 117, and one five and one eight like, oh, my god, so we're in 125.
A
So if somebody watches this when we are in 150, come and see us if we're still around. So this is the office hours we have today. What we're doing is first half we're going to talk about understanding, learning about a SIG, so every month we'll. I will try to wrestle my way to find some of the leaders of members. I would say members because it could be a member, right.
A
Everyone has the same equal right and vote and power, so a member of a SIG that wants to pitch their purple also to like get more contributors, more members interests into their SIG and see.
A
People are interested in what they're doing and understand what they're doing, and then the second half we'll keep the the tradition of picking up some questions from the discus discuss of Kubernetes, some questions that are not answered, and try to discuss them here, and and if there's people that want to answer, have some questions, you can also try on YouTube or on Slack and we'll see if we can see them, but most of the time we run out of time.
A
So with that, let's get started the intros and then I'll go and go to conduct. So my name is Carlos Santana. You can see here I'm in the SIG Release, the release notes lead for now, 125 like I was saying, and and also contrib ContribEx. I guess running these Kubernetes office hours and I'm an architect for Kubernetes. So go ahead, right, hey.
B
Folks, my name is Rey Lejano. I am a sub project lead for SIG Security, which I will talk about today, but I'm also a co-chair for SIG Docs. I was the release lead for 1.23 and I'm the current emeritus advisor for 1.25. Great.
A
C
Hi, my name is oracle. I'm based out of Canada at Canada. Here during my professional day, I work as a software engineer at Render, and I volunteered for this webster's, because I always learn new things, so happy to help others learn as well.
A
D
Hi everyone, this is Pushkar Joglekar. I am the lead for sub project, SIG Security tooling. I am also tech lead for CNCF TAG Security. So surprise. Those are two different groups which I can share about today in office hours, and I work in my day job at VMware as senior security engineer.
A
Yeah and one of us are involved in the upstream Kubernetes project. So with that, let's do some of the house items. This is a Kubernetes event, so the code of conduct, right, under the CNCF is in effect current. It has the wrong kind of conduct. Please be excellent to each other. This is a judgment-free zone, everybody had to start somewhere. So please help me your body if you are, can help now or any to their environment and answer questions.
A
We don't have access to your cluster, so we cannot debug live the clusters, but we can discuss those type of things. Panelists, you're encouraged to expand on the answers, so everyone has a chance to talk and expand on everyone else's answer. Audience, you can help by pasting URLs if you're watching in YouTube.
A
Please comment, if you're into Slack, at the links that we refer to, or if you have more links with more information, add them there, and then keep posting questions on discuss.kubernetes.io. That's where we get the the questions that are answered, the latest one, and then we discuss them here. The panel is made of entire volunteers.
A
So if you want to rotate in, I'm looking for people to help out, sometimes calendar things happens and and we don't have enough people, so if you are using Kubernetes, then you should be able to help us here to figure out some of those questions. So with that, let's get started with SIG Security. So who wants to start? Maybe you can share for context your the screen and show like GitHub with some pages or something. Who wants to start, Rey or Pushkar? What is SIG Security?
D
D
D
Okay, all right, so you should see a Chrome browser. Can everyone see it?
D
A
D
Oh, it has lost permissions, restart Chrome, okay, maybe you have better luck, Rey. Can you try? Otherwise I can restart my Chrome, but I'll have to be kicked out of the meeting.
D
A
And Pushkar, as a new user. I guess everyone has a way to finding things. At least I didn't know where to look when I was a new user for the SIGs, and then I think I remember Hippie in in one of the cute game, KubeCons, on on the hallway track. He showed me this website called k8s.dev, which is not kubernetes.io, and it had a lot of information, so that, from that point on, I always go to k8s.dev and then I'll be able to find the communities and the groups.
B
It's a great tip. I should be sharing my screen here. You should be seeing a GitHub page for Kubernetes community, which is also a good resource as well to find information on SIGs. Each each of the SIGs have their own directory. If you just go into.
A
So this is a this is a repository called community. It's not kubernetes/kubernetes. So if you're looking for this informed kubernetes/kubernetes, which is the main repo, that's that's not it.
B
Yeah, so I'm just clicking here through through SIG Security, so under under kubernetes community, it has all the high level information of the SIGs, including just where the when the meetings are taking place. So we meet on Thursdays, bi-weekly at 9 a.m. Pacific, there's links here to the meeting notes and agenda and also meeting recordings as well. Let me just dive into the charter, I'm just kind of talking to and just do just a high level overview.
B
What what security does. SIG Security is a horizontal SIG and it covers the security initiatives for the project. There are several sub sub projects that work under SIG Security. One, like one sub project helps to manage the third party security audits, one sub project also that Pushkar is highly involved in is to to run or to, I guess, as far as for security and tooling, and how to integrate security tooling into the project as well.
B
Another sub project is for security documentation as well, and we've had some good publications this recently about security documentation like the RBAC good practice guide. Now you can see here, that's mostly written by by Rory. Thank you Rory. So this is a new addition from this, the security docs sub project. Oh there's.
B
It was published right around KubeCon Valencia, and then we have a another one that's open for a security checklist as well, so so keep that, keep your eyes open for that. Kind of see if I have a tab here, yep. So that's this pull request under kubernetes/website to add a security checklist for clusters here.
B
So this is just some of the the work that some of the sub projects are working on, along with, along with the new one, which is the self-assessment sub projects as well, which is where various subprojects and and groups in within within Kubernetes could do a security self assessments on their on themselves, and I'll let Pushkar talk about about that a little bit more.
D
Yeah for sure, one of the things I wanted to also share is it gets confusing when we are talking about like projects of projects, CNCF projects, Kubernetes project, what is really going on. So the best way I found to understand it was Kubernetes is a CNCF project, and then there are many other CNCF projects. Within Kubernetes there are multiple small projects, which we call again projects would be confusing, so what we basically do is call it as a sub project, and then that becomes part of a CNCF project.
D
D
The idea again here is SIG Security by themselves can't do everything, so we try to collaborate across all the other SIGs as well as in CNCF. So the way this all started was one of the maintainers from Cluster API, which you saw the turtle software that Chris had, actually came up and said, hey, we would like to do a third party assessment for Cluster API, and Rey was about to start one for Kubernetes, and then we were like.
D
Maybe we can do a bit better, and as a precursor to a third party assessment, we can do a self-assessment like how it's done in CNCF TAG Security, and that's how it basically started. So now we have a list of recommendations coming out of that assessment, and now more and more projects are joining in to do their own assessments with the help of folks in SIG Security.
D
D
So some of the things we collaborated with SIG Architecture was: how can we do build time dependency scanning or for vulnerabilities? How can we do vulnerability scanning for container images that are shipped with Kubernetes release? We also helped out SIG Release on some of the signing and verification work that happened in 124.
A
B
Would be me, right? Okay, I'm leading the third third-party security audits, which is ongoing, currently ongoing. The last one was in 2019 and you could look at. You could read the security audits from 2019 under the kubernetes sig-security repository. Let me go to that.
A
And since 2019 now, you're you're you're in the process of gathering information on doing the RFP for, and when we say third party, it's like there's a vendor that the cnc.
D
A
B
Yes, exactly it, so the RFP already went out in 2021. We have a vendor for 2012 and the vendor. It's currently ongoing right now, so 2019 the vendor was Trail of Bits and Atredis for 20, and this is the the link. Let me put this on the chat for the 2019 one, and a lot of good things came out of 2019 one and of course, 2020. Lots of things happened so that RFP was delayed and was went out in 2021 and also just things were.
B
I see take a long time so that 20 21 20 2022 audit. So that is currently ongoing and we hope, and we are expected to publish the findings, sure, but around the summer around, but.
A
B
Think it was 1.12 and 1.12.4, and in 20 the the current third-party security audits, it's using 124.0.
A
Okay, and and in terms of people helping out, like if they they come into the security audit, what are the type of things they could help? You write like you have, there's a lot of work, but no one knows what is that?
A
That's a lot of work that you can delegate, right, if somebody comes in and wants to help with the audit. When you come back like there might be a hundred things and now what happens, like who's in charge of working with the different, I'm guessing working with the different SIGs, like they found something in SIG Node. They found something in the kubectl, which I call cub ctl, and then Rey does all the work with all, work with everyone, right? Can can somebody join and help bring the security audits?
B
Yeah, of course, and there's there's very different ways to help out. There could be just writing the next RFP. So our goal is to do security audits every year and it's been a while since, of course, our last one in 2019.
B
But it's our goal is to always to annually publish the RFP, only manage the relation with choosing a vendor and manage the the audit process itself. So I'm just I'm going to take an example from 2019.
B
One of the examples that findings that came out from 2019 was that secrets were exposed to to log execution environment, and so, and this is a KEP, a Kubernetes enhancement proposal, and out of the 2019 audit. As a result of it, there was a new, sorry, enhancement or feature that was GA in 1.23.
B
It's this KEP called defend against logging secrets via static analysis and it's under kubernetes enhancements under security, out of the out of the audit in 2019. Since since secrets, what was when the findings was secret, some of the secrets were exposed to logs or execution environment. So this KEP, and what graduated in 1.23, is the use of go-flow-levee, which is a taint propagation analysis tool for Go.
B
So what this tool does is it helps prevent exposing secrets to logs or to execution environments. So now it's actually run as part of testing a pull request. So this is results and and of of the 2019 audits, and this is from a contributor, I think mostly Patrick Brownberg, who worked on this enhancement.
B
So folks could come in, see any findings from the audits, decide to propose a KEP to fix the findings and work on it and or gather a group, a team to work and to work on it and to and to fix any any things, any findings from the audits. So this is one example from the 2019 audit.
A
Very good, so I think if people are looking into collaborating into SIG Security, these are the type of things that will be working, like working on the making sure that a goal of like running, having an RFP written every year happens, right. So more people help out to review it, to write portions of it, and that's one one outcome that you can work. One of the benefits that you get is that you help make Kubernetes more secure.
A
A
How would you find out that there's go fleet exist and go flow exist and that scanning, doing static analysis for security is a good practice, right. This will give you knowledge that you can like increase your skills, but also bring it back to the company or to the organizations like, you know what, we should have security static analysis and appeals, like where do you find that out?
A
Like that's a bad idea, well, Kubernetes is doing it, like at least have one data point to make our, and then the questions like okay, fine, how difficult it is to implement it, like I'm involved in the SIG Security. Actually, I have access to the scripts on how they do it, which tool do they use. I can implement it myself, right, and that's at least that's. I see that more and more of people joining, it's a mutual relationship, right. They contribute to Kubernetes, but then they get back.
A
Those type of benefits, right, the the software that they use is more secure and then the software that they write, like it's not Kubernetes, it's like they write applications, they write Java applications, Go applications, and they can take those benefits. So moving on of like benefits, like if they don't write Go, maybe they write Java, Node.js scripts and they create Docker images and those Docker images. I heard like there's something called secure supply chain, and then you need tools, right, to, I heard something called signatures are good put.
A
Labels are good, distroless is good, BOM or SBOM is good. What is all that, Pushkar, I don't know if you have an essay on that.
D
Yeah, so that's a good point, and to kind of finish off the third-party audit story, I was an end-user not involved in community when 2019 was report was released and I was sort of feeling stuck, like I want to dive deeper into Kubernetes security, but I don't know how, and that report actually opened my eyes and I was like wow.
D
All of that is so important, and one of the things that's great about SIG Security is Slack is open 24/7 and if you, you can be from anywhere in the world, but you can always send a message to us, and most of our collaboration started like that, where either somebody came up to our channel and said, hey, I'm this this person, I'm new to the community or I'm in this SIG, and I want to work on this particular problem.
D
Or I don't know what to work on and do you have something I can work on? So that's how, in terms of supply chain also, things started, where one on one KEP that was published last version to sign all the container images.
D
Actually they labeled it with a simple command that you can add in a GitHub command. Anybody, I think, can do it, which is slash sig space security, and once that is done, what we are, what we do on our site is we have a project tracker for SIG Security issues and we take a look at all the issues that are labeled with that. So I was looking at that KEP and I saw like, oh, they've labeled something related to signing and SIG Security, which is when we started the collaboration.
D
So that is a great way for anyone to get us involved, just label any issue you think where we can help with security, and in case you are blocked by the robot, because for some reason sometimes labels are blocked if you're not a member, ask somebody who is a member to add, add it to you, or send it on Slack and we can add the label.
A
So we, so we talk about security audits, security tooling, and what about security? I see security docs being a sub project. I I think there's another device there, who's who's the lead for that?
B
Yeah, that's Savitha, yeah, Savitha is the sub project lead for security docs. With that they meet, they meet monthly, but they have, but they have a Slack channel also, I think it's SIG Security docs, and they have they have goals in mind. So there there's, they have goals like the RBAC good practice guide that that was published as well, and also a, they have published blog posts as well, like the response to the CISA report on Kubernetes.
B
Also, the what currently that's in the progress, like I mentioned before, is the, this is the security checklist for clusters. This is an open pull request, so it's not merged. It's not finalized. There's some comments that still needs to be addressed, but we could take a look and see what the current status of the. So what is.
B
Just kind of like good practices to set up your cluster. I'll just kind of go through the file here, like I do you want to mention that this, this is an open pull request. This is not. This is not approved, so things might might change. So it's like like not using system:masters group because it will pretty much bypass RBAC, will give you pretty much cluster admin access, using seccomp and using AppArmor.
C
B
Yeah so like, so there's just using also just part of RBAC as well, and also linking to the RBAC good practices guide as well, using the Pod Security admission controller or the new Pod Security support security admission controller, not not PSPs, as we know, since PSPs will be removed and targeted for removal in 1.25.
A
In it's what about, so security docs on security? Somebody joins in terms of this aspect of documentation.
A
This is an area where, where people can learn like a lot about what are the best practices for security, but there's also CNCF, I know there's a CNCF TAG Security, so there's a SIG Security and then there's a TAG Security, and I heard that there's a white paper, right, about security that talks about cloud native security, but I would say maybe 90 is about Kubernetes, right, and but how is the security involved, is: are the same people involved, so that's maybe a way of how somebody can can start their way into, through the CNCF security and landing Kubernetes, or they're already using Kubernetes.
A
You can start in in Kubernetes and then learn about like, well, that our project, our company use Kubernetes, but that's like one component of the whole business, right. We have other areas of securing the the our cloud resources or our developers machines.
A
D
First thing, like to be clear: SIG and TAG Security both are friends of each other, so we really love all the work that's done in both the groups. Some storytelling time: initially, one or two years back, both were called SIG Security, so we had to kind of prepend it with CNCF SIG Security and Kubernetes security.
D
But one of the changes that the TOC did was rename all the groups that are at CNCF level, not at a project level like Kubernetes, into TAGs, and that's why now this is called a CNCF TAG Security and, like you said Carlos, it is exactly right that they are responsible for not just Kubernetes but all the projects in CNCF. So, if you're running a full blown platform that runs on cloud native technology, what are the different projects you're going to use? What are the things that you will have to secure?
D
D
Many people from TAG Security continue to help out on some of the work we do in SIG Security. So so far it's been really great fun collaborating and I hope this continues as long as we have CNCF, Kubernetes and everything in between so.
A
Yeah, joining SIG Security, so how difficult, do I need to be a master in Go programming to to join SIG Security, like why is the, what is the bar that I need, people need to to meet, to be able to join security gurus like you in the in in in that SIG meeting, how hard it is. Yeah.
D
So I would say I'll add my perspective and will reveal it reach I mean as well. For me, I feel like just bring in your best self and intent to learn and to be curious, and there are no prerequisites in terms of programming, in terms of security knowledge.
D
There is so much work to do and there are so many people willing to help that you will find something that is worth doing and that's going to help you as well as the community. So if you are worried that, oh, I'm not good enough, don't worry about that. Just say hi, just introduce, or just listen in on meetings, even if you don't introduce that's okay, and as you come up with more courage, feel free to start jumping in on things. That's how most of us started, and it's totally fine.
B
B
With that as well, I actually was used to joining the CNCF security meetings several years ago before I actually can really contribute to to Kubernetes, then my focus changed to to mostly Kubernetes for upstream contributions, so I haven't gone to a 3d meeting in a few years, but yeah I 100 agree with Pushkar. Just if you're interested in security aspect, you don't need to have any expertise or programming knowledge beforehand.
B
A
Yeah and and what about the the folks that maybe work in security, right, they might have cyber, you know, hacker knowledge back or that back cyber criminality or cyber security roles or my profession, or role, education or or or experience, but don't know anything about containers or Kubernetes. Would that people be useful to have or would it be useful for them to join in in the SIG Security?
D
I I would say yes, definitely, I I think it's like the whole Kubernetes security domain is so complex. It's almost like a forest where you have different trees and all the trees bring their own seeds and fruits and flowers and everything becomes much better. So folks who don't know Kubernetes, containers, but know security well are very welcome, and folks who know Kubernetes, know containers but aren't very familiar with security are also very welcome, and even if you are just curious about both of those things and want to learn, those are also welcome.
D
So absolutely, okay. Everyone has something to share in my opinion and experience, and this is your chance to help out and learn from each other.
A
Okay, so I wanted to give a chance before to barco Chris, any any questions, comments about SIG Security.
C
Yeah, I I mean I just found out about this checklist, so I'm just curious. How does this, that checklist, that compared to something like CIS benchmark for Kubernetes and like ready for different target audiences or different like level of detail or scope, like how should people think about those?
B
So I I think they complement each other, so they don't, one does not replace the other, and for it and for the the checklist it's, I think the target audience is is is the is the, I think, the operators who are setting up the clusters, setting up the RBAC groups, creating those role bindings, you know, cluster role bindings, or we do suggest role bindings over cluster role bindings ins instead, so I think, and in the CIS benchmarks as well, I mean they're.
B
Also for me, in my opinion, you know it's also, it's it's all about how you set up your clusters more secure as well, so I think they complement each other very well. The security checklist is a good starting out points, and I don't think it's it's as comprehensive as yet with the CIS benchmarks. It's like make sure you enable this flag or this option etc., to to be more secure and there's.
B
Some, there's definitely some overlap, but I think the CIS benchmarks has some more granularity and like what on how to set up a cluster with using those more secure flags and options.
D
I think this started in parallel, but I would be surprised if people haven't read the tech people who would check this out. The white paper.
A
Okay, very good, so that between the audits, the white paper, CIS benchmark and and the checklist, and then it looks like there might be more in the roadmap or security docs, right, more this type of docs going into the Kubernetes website because make it more discoverable, right, like how do you find about the cloud native security unless you're like geek, like us, in Twitter, tech, tweeter or Slack, right? How else are you going to find out about this?
A
It's like we need to put it in multiple places, blog posts, in the docs and usually the Kubernetes docs. I think that as a community we want that to be like the central place or the first place where people find the information, and there's extra. I think it's not it's not uncommon to point to the different to the different other sources, right, to to augment the information, like it cannot. Every information cannot be in one single place, so yeah. I think that covers it.
A
Hopefully my my kp, my goal is like get some new contribution to SIG Security in the next month or two and and shut up like, I, I saw the office hours. This is, I'm just joining and just listening in, I even heard people scouting, like this is just an idea to put out there.
A
I saw in some of the, because I also lurk into some SIG meetings, and people were saying my company gave me 10 or 20 of my time to work on open source and we choose where to work, and since we are in the company that we use Kubernetes, we want to contribute to communities, but we're not sure if we're going to be in SIG CLI or SIG Node, or SIG Security or SIG Release, or so many SIGs, and there were like SIG shopping, they just went into one of the SIG meetings and just like, hey, we do this.
A
We work on this, and they got some advice of that. Take a look at this other SIG. This might be also another thing that you may feel comfortable like joining first, or this is the one that you should join. Like Rey may say: like you know, docs or release is are good. Security are, like all the ones that I aim are good, and then join that, and that's that's.
A
That's also something that you can do, like getting your company to give you your ten percent and you contribute to Kubernetes, and then picking a SIG is a good way of contributing versus. I guess a lot of people start like lost, like look at the big repo and say, like I don't know how to contribute here. I think a good method is, I go through a SIG, go through one of those meetings and listening or what are the problems they're trying to get?
A
What are the help that they're looking at, listen for those those type of, you know, sentences when the chair or the list says like, and we don't, we don't have anyone to look into this, or we don't have anyone to look into this week, or we have to delay because we don't have anyone.
A
So that's where you can raise your hand like, hey, can I help pair with you and, you know, you show me how to to join and how to do it, and then I can do it by myself, right, and then that's how we grow the number of contributors. So I wanted just to close with that, because I saw SIG shopping is a thing and I saw it.
A
So if you want to stick around, Rey and Pushkar, I know your your time is valuable. You want to stick around. We can go into the into some of the questions. How.
A
Yeah same here, so the first one that we got. Let me see if I should share this, where's my HackMD. I think I lost it, one second, to get the first one.
A
And move the HackMD over there, so this is the HackMD. These are the notes. Maybe we have access to them, and the first questions is from Ankit Bandsai. I don't know if people see my screen, let's see if I get the link, so these are questions that we try to find in this. Discuss, like this is the discuss.kubernetes.io.
A
This is where you can go and ask questions, kind of our a forum. Also Stack Overflow is also work on, like those there's a tag for kubernetes, and this one is about HPA, understanding how HPA works and the readiness probe. So the question goes also. I think I have a summary here and is they have have a doubt, without modifying any autoscaler thresholds, those autoscaler checks for pods.
A
It takes five minutes to start, I'm not going to say the language, you can see it there, no pointing fingers, so and then the CPU during the five minute CPU this app is 100, but it's not ready.
A
So that's his concern, like it's not ready and it's like working their way up, and also mentions two two flags which I look into the source code, and I think the source code has better explanation than the docs and that's something that I need to point out: horizontal pod autoscaler cpu initialization period and also horizontal pod autoscaler initial readiness delay, and these are two flags that you pass to the autoscaler, to the controller manager. That's not something that you can control.
A
Sometimes you don't have access to this, but I think that the simple, the first question is like, while the the pod is getting ready and is unready, does the HPA account for that pod? Who wants to take that one?
A
So I I think, there's, oh, I I think there's some, yeah, out of this, so there's HPA the documentation. So what I found from the documentation and and its implementation is like, if the if the pod is not ready, the algorithm of the HPA, the the default HPA it. It doesn't cover those pods, so it tries when it's collecting the pods that it needs to evaluate the metrics.
A
It has to have metrics. So it's many many things to make sure that that that's the pod that should count and the other ones. So it ignores, so the algorithm tries to ignore pods. So, for example, it doesn't have a metric, it, I cannot, I cannot count it for unless this is starting and it counts as zero, but for the readiness, yeah, when it when it starts it doesn't, it doesn't collect and it's not it's not ready and that flag that I was showing in there. It has a default.
A
I think is this one is 30 seconds and this one is five minutes, so it would not count. So it would not hurt you those when the app starts and it is not, and it's not ready, and I put down here the the the definition that the niche one is the initial readiness delay and it has a default value, it's seconds. I cannot know that the right number, but it's the period after the pod starts during which readiness changes be treated as initial readiness.
A
So if that is used in when it's ignoring pods and again, it doesn't have metrics. Also it gets ignored in that initial algorithm, and then the other one is the pod autoscaler CPU, it's the period after the pod starts, so it's ready, so it counts as a ready, and then when CPU samples might be skipped. So I don't I don't want to.
A
I don't want to account the metrics yet, so it's kind of a, it has metrics, but I don't want to impact the sampling yet, so this one, I I think is, is longer, so it's five minutes from the docs. I think it was here in the docs, so for five minutes it will not account for that, but.
A
A
What like is coming up to affect your your window, where you do the sampling to this, to make the decision if you need more pods or you need to downscale or upscale, and there's other thresholds like how many, no more than four pods at a time or not more than x percent at a time during this amount of time, so HPA could be something very simple to get started, but also has a lot of power, has a lot of fields and parameters that you can tweak to really like tune to the point that that you want, and these are two two flags that are passed to the HPA controller, and there might be a possibility that using a Kubernetes cluster that you don't have access to it, right, like managed Kubernetes.
A
I don't think those people know. I don't think you have access to these flags as a managed Kubernetes cluster. But if you're using kubeadm, right, and then you have access, you can pass, you can edit the YAML of the static pod and then adjust these flags. But if you don't pass them in, they take defaults. It's not zero. So this is the five minute one.
A
The other thing I found is, there's, somebody knows who's the SIG that deals with the HPA autoscaler? There's other autoscaler examples from that SIG, and they show examples that, if there's an organization that wants to write their own autoscaler, they can write it and they can use APIs. They can use the Go libraries, and they have some examples. I found some examples, but I'm not sure which is the SIG for this.
A
It says, let's see, SIG Autoscaling; it's called SIG Autoscaling, yeah, see. Maybe I should show that, the first page I was talking about. If you want to know what are the SIGs, the SIGs ratio, the community repo. But this is the k8s, kubernetes.dev, which is, k8s.dev should also give you here. If you go to community, then you'll be able to find everything about Kubernetes, contributing to Kubernetes, and you will find the community groups, SIGs, the special interest groups.
A
I think we also talk to Docs, and then one that I'm involved in is Release. So Release has two parts: engineering, and SIG Release that takes care of releasing the release of Kubernetes, that specific version, and also release engineering. But this is, like, my shortcut to find the SIGs, and also in here you will find information about the meetings that are happening, and this is a quick way also, you can see the chairs, who are the chairs for SIG Security.
A
Okay, very good, and you will find them here also. So if you want to reach out to them, they're also good people to talk about security, the chairs, and I'm guessing they're always looking for contributors for their SIG in the hunt.
A
That's part of the main role, right, as a chair. You also have to foster your group, and there's a mailing list, so if you also want to join, there's always a Slack for every group, there's always a Slack and a specific menu. So we have mailing lists for kubernetes dev, but also, if you just want to get the emails for the things that are happening in security, you can join this public mailing list, so the mailing lists are public.
A
Node down but showing still as running for hours, others stuck in terminating, and if you Google search for pods terminating, you will find a lot of use cases where that would show up. But this is specifically, what the summary for this one, if I can summarize, yeah, so what happens with running pods when a node is shut down, for example, if you go to that node and then, like, shut it down or delete the VM, why is the, what happens to, why's Deployments, DaemonSets, StatefulSets, ReplicaSets, single pods differently. So anyone wants to describe what's happening when you shut down a navn, what happens there.
C
D
A
Node dies. The only communication from the node to the control plane is the kubelet, right.
C
Right, yeah, so I think, and basically, like, the idea here is that you don't know whether the node is down or not, because it could be an issue with the kubelet process or communication to the kubelet, and StatefulSets and DaemonSets offer guarantees around how many pods are running at any specific time. So I think the idea is that, in order to gracefully shut down these pods, you would have to.
C
If you know that the node is actually down, you have to delete the node object through the controller, so it's removed from etcd, at which point the controller will essentially reschedule those pods to a different node. But until it knows that those pods are absolutely not available and not running, then it will not take any action against them. That's basically my understanding.
A
Yeah, yeah, so just as a high level explanation, the kube API, which is the control, no, control plane, and you have the worker node where your apps are working. The kube API is not, like, reaching out to the kubelet, like, you're there or you're there. It's the opposite. The kubelet is the one communicating back to the control plane saying I'm alive, I'm alive and I'm alive. So there could be many ways, many reasons of why that communication breaks, of the kubelet not talking to the kube API.
A
It could be like somebody added a security group rule or a firewall setting, that they put something in there that blocks that communication, but your business applications are still peppy and happy and crunching numbers and processing paychecks and crunching during the AI against health records, whatever they're doing, right. So it could be like the business application is, it's fine, but then again, if you have the SRE team screaming at you saying there's a problem, like, or like the business application.
A
So you have to take that into account, that the worker node, it may be that somebody broke a cable, a physical cable, right, like, oops, we were digging outside and we broke a fiber channel line or something. But the idea with Kubernetes is those worker nodes are independent. They can keep working and doing their work because they're processing data, they're communicating with things, they don't need the control plane, right. They don't need the control plane to work, so it was designed for that purpose.
A
But somebody needs to, the information is like, the kube API says it looks like nobody has updated the heartbeat, right, of the kubelet, has not updated, so the pods go into an unknown state, like I don't know if it's running or if it's not running, because I cannot. So if you want to emulate this, it's super easy. You can launch a minikube with two nodes.
A
Now minikube has support for multiple nodes, minikube, multiple nodes, then ssh into one of the working nodes and systemctl stop the kubelet, and then you can play around with different, and that's what I did yesterday, play around with different pods. So for the DaemonSets, DaemonSets run on every node, so those will be running forever, like the person says, because they're DaemonSets, you have one on every node, so they're not touched because they have a toleration.
A
So that's what's happening. DaemonSets, when you create them, they have a toleration of, like, NoExecute, so they will not be kicked out. They will not be evicted because they can tolerate the NoExecute and they don't have a threshold. Regular pods, non-DaemonSets, by default they get a toleration saying NoExecute with a threshold of five minutes. So what you will see is, when you stop the kubelet and you look at it, like, they're running, running and running, and you look at your watch, in five minutes.
A
They get terminating, new pods get spun up, because you can create a new pod on that namespace. They get it so there's no conflict of the pod name. So that's why deployment sets are more, I guess, I don't want to say robust, but you see those pods running, new pods running, but take into account that the other pods are still running. If you do containerd or docker ps, you will see the pods are still running in the nodes, like, the kubelet is not communicating.
A
So that's what you see there. For a single pod, so if you create one pod, and you call it, like, I don't know, Carlos, and it goes into terminating, the controller manager, there's nothing to create another pod, because it's not part of the replica set or it's not part of the deployment. So it gets terminated and that's it. For StatefulSets it's kind of the same thing, because they get a unique name, like sql cto, right, the master sql one, two and three.
A
So if they go to terminating, if the controller wants to create another pod, what would be the pod name? It's a conflict of the name. I cannot create another sql two, right, or three, so I cannot create that one. So that's why it stays in terminating forever. The pods case for terminating forever, deployments get a new pod, and then DaemonSets, they stay running because there's no need to create another pod, because that's the one running there.
A
So at least that's my understanding on how things work, and it's interesting how these distributed systems, they work by coordination versus, like, imperative communication, right. Like the kube API will put, like, a string, say, like, deletion date and, like, yeah, in five minutes. And then what happens, like, the interesting thing is, when you go and ssh and bring up the kubelet to communicate back, the terminatings will go away, because it has the dates to be deleted and the kubelet will do its job, like.
A
Oh, it looks like somebody wanted to delete this pod. It would delete them, and then the StatefulSets will start coming up. The single pod would, like, be gone forever, that you should not create single pods, and then the deployment sets, you know, you have the other two replicas running, so it's just cleaning up and then you restore. But what worker said is very important. The way you resolve, like, you don't want to have.
A
If there's an issue, like, with that node and you need to create the StatefulSets to run them in another machine, then you need to do the kubectl remove node. Yeah, you have to tell the API server, like, remove the node, and then the pods will actually be removed from the API server, like etcd. Is that 60 accurate? I don't know what you guys think.
C
That sounds right. I think the other thing with StatefulSets, you want to make sure, I guess you always want to be mindful of any volumes attached to the virtual machines, and then make sure that those are properly attached to any other virtual machines where you want to schedule your StatefulSets.
A
Yeah, and that came up on a lot of issues. I have some of the issues, Stack Overflow, where they bring up the, like, you have to be careful because you have data, and StatefulSets by nature, they always have data and they have PVs and PVCs, and I don't know if those PVs were created manually or auto-provisioned, or how the data that is sitting in that node gets replicated to the other place, and it needs to be replicated, so those type of, for deployments.
A
I think it's the one that it's like, yeah, it's okay, you will get the pods running and the other ones are just terminating and ignored, but parts, part of the, yeah. That's just dealing with the incident. In normal circumstances, when you want to, like, service a VM or, like, take it out, like work. Are you saying, like, intentionally, like, I'm doing this? I know I'm going to delete this VM.
A
I need to take care of the mounts, and then you would do, like, the drain, right. We'll do the drain. That will do the cordon. The cordon is, like, do not schedule more things in here, put that taint, and then the drain is drain the pods, like, you are telling the system, the API, it's like, drain the pod, and then you usually get that message, right.
A
Whoever knows that message, that when you say drain, it says, oh, I forgot that flag, it's the ignore daemon set, right. You say, okay, run it and ignore, because DaemonSets are like agents, like, they need to be running on every node, but it's not business applications, right. It's things that need to run, like, things as infrastructure agents. It could be CoreDNS or CSIs and those type of things. So I think those are the two questions. I got another one, but it was around.
A
I need one that goes more deeper of, like, I mean, we can take it for the next show, of CRDs and validation of CRDs, and if you can validate labels on the metadata, and the answer is, like, no, but I will answer that in there, and we can talk about CRDs and OpenAPI spec v3 and the validation that you get just by default out of the box.
A
But that's in newer versions of Kubernetes. I don't think all versions have that validation, but it is something that people writing controllers for Kubernetes get for free. They don't have to do that validation. They don't have to do transition rules, and we can discuss that in the next show. Anything else, any closing thoughts? I know I talked a lot this time. I should do something different next.
C
Time, you know, this was awesome. I learned a lot, so I appreciate the SIG Security folks as well. That was really.
A
Informative, yeah, thank you Ray. Thank you Pushkar. I know that schedules are hard to sync, but yeah, Ray and Pushkar, you're leaders in the community, and super happy to have you on board and join us for this little while.
D
Thank you so much for the invite, and as always, great partnering with Ray, and I'm sure I learned a lot about how to host public YouTube streams from YouTube.
A
No, don't learn from me. Okay! Well, we'll see you next month, it will be August, and if you have a recommendation, which SIG do you want to know more about, ping me in Twitter or in Slack. Now you know where to find the list of SIGs, and we have many does. We should have a trivia, like, how many SIGs does Kubernetes have, like those.
A
We should build an app, a Kubernetes app, and just have a trivia bot that, random type of things like that, for example, what was the Kubernetes version that this API went beta or GA or alpha, right? Everybody looks for that, like, that information. So yeah, until next time. Thank you for joining. I promise you I'll count the groups and I'll put them in the Slack office hours.