►
Description
Office Hours is a live stream where we interview one of the Kubernetes SIGs and answer live questions about Kubernetes from users on the YouTube channel. Office hours are regularly scheduled meetings where people can bring topics to discuss with the greater community. They are great for answering questions, getting feedback on your use of Kubernetes, or just passively learning by following along.
A
A
Okay,
let
me
beat
it
because
I'm
here
myself
twice
so,
let's
get
started.
This
is
kubernetes
office
hours
for
the
month
of
june
july.
This
is
year
2022,
I'm
saying
that,
because
all
these
recordings
are
in
youtube.
So
if
you're
watching
from
the
future
hello
here
we're
in
the
past,
we
are
in,
as
I
like
to
reference
times.
It's
like
we
are
in
125
land
like,
for
example,
now
you
re
issues
about
1,
10
and
117,
and
one
five
and
one
eight
like,
oh,
my
god,
so
we're
in
125.
A
So
if
somebody
watch
this,
when
we
are
in
150,
come
and
see
us
if
we're
still
around
so
this
is
the
office
hours
we
have
today.
What
we're
doing
is
first
half
we're
going
to
talk
about
understanding,
learning
about
a
sig
so
every
month
we'll.
I
will
try
to
wrestle
my
way
to
find
some
of
the
leaders
of
members.
I
would
say
members
because
it
could
be
a
member
right.
A
So
with
that,
let's
get
started
the
intros
and
then
I'll
go
and
go
to
conduct.
So
my
name
is
carlos
antennas.
You
can
see
here
I'm
in
the
sig
release
the
release
notes
lead
for
now,
125
like
I
was
saying
and
and
also
contrib
contrib
x.
I
guess
running
these
kerenata's
office
hours
and
I'm
a
architect
for
kubernetes.
So
go
ahead
right,
hey.
B
A
C
A
D
A
Yeah
and
one
of
us
are
involved
in
the
upstream
kubernetes
project.
So
with
that,
let's
do
some
of
the
house
items.
This
is
a
kubernetes
event,
so
the
code
of
conduct
right
under
the
cncf
is
an
effect
current.
It
has
the
wrong
kind
of
conduct.
Please
be
excellent
to
each
other.
This
adjustment
freezone
everybody
had
to
start
somewhere.
So
please
help
me
your
body
if
you
are,
can
help
now
or
any
to
their
environment
and
answer
questions.
A
We
don't
have
access
to
your
cluster,
so
we
cannot
debug
live
the
clusters,
but
we
can
discuss
those
type
of
things.
Panelists
you're
encouraged
to
expand
on
the
answers,
so
everyone
has
a
chance
to
talk
and
expand
on
everyone
else.
Answer
audience
you
can
help
by
pasting
urls
if
you're
watching
in
youtube.
A
Please
comment,
if
you're
into
slack
at
the
links
that
we
refer
to
or
if
you
have
more
links
with
more
information,
add
them
there
and
then
keep
posting
questions
on,
discuss,
kubernetes,
dot,
io!
That's
where
we
get
the
the
questions
that
are
answered,
the
latest
one
and
then
we
discuss
them
here.
The
panel
is
made
of
entire
volunteers.
A
So
if
you
want
to
rotate
in
I'm
looking
for
people
to
help
out,
sometimes
calendar
things
happens
and-
and
we
don't
have
enough
people,
so
if
you
are
using
kubernetes,
then
you
should
be
able
to
help
us
here
to
figure
out
some
of
those
questions.
So
with
that,
let's
get
started
with
sig
security.
So
who
wants
to
start?
Maybe
you
can
share
for
context
your
the
screen
and
show
like
github
with
some
pages
or
something
who
wants
to
start
ray
or
pushcart?
What
is
seek
security.
D
D
D
A
D
D
A
And
push
card
as
a
new
user.
I
guess
everyone
has
a
way
to
finding
things.
At
least
I
didn't
know
where
to
look
when
I
was
a
new
user
for
the
six
and
then
I
think
I
remember
hippie
in
in
one
of
the
cute
game,
kubecons
on
on
the
hallway
track.
He
showed
me
this
website
called
kids.dev,
which
is
not
kubernetes.io
and
it
had
a
lot
of
information
so
that,
from
that
point
on,
I
always
go
to
case.dev
and
then
I'll
be
able
to
find
the
communities
and
the
groups.
B
A
B
Yeah,
so
I'm
just
clicking
here
through
through
sig
security,
so
under
under
kubernetes
committee,
it
has
all
the
high
level
information
of
the
cigs,
including
just
where
the
when
the
meetings
are
taking
place.
So
we
meet
on
thursdays,
bi-weekly
at
9
a.m.
Pacific,
there's
links
here
to
the
meeting,
notes
and
agenda
and
also
meeting
recordings
as
well.
Let
me
just
dive
into
the
charter,
I'm
just
kind
of
talking
to
and
just
do
just
a
high
level
overview.
B
What
what
security
does
insect
security
is
a
horizontal
sig
and
it
covers
the
security
initiatives
for
the
project.
There
are
several
sub
sub
projects
that
work
under
six
security.
One
like
one
sub
project,
helps
to
manage
the
third
party
security
audits,
one
sub
project
also
that
push
card
is
highly
involved
in
is
to
to
run
or
to
I
guess,
as
far
as
for
security
and
tooling,
and
how
to
integrate
security
tooling
into
the
project
as
well.
B
Another
sub
project
is
for
security
documentation
as
well,
and
we've
had
some
good
publications
this
recently
about
security
documentation
like
the
our
back
good
practice
guide.
Now
you
can
see
here,
that's
mostly
written
by
by
rory.
Thank
you
rory.
So
this
is
a
new
edition
from
this.
The
security
docs
sub
project.
Oh
there's,.
B
It
was
published
right
around
coupon
valencia,
and
then
we
have
a
another
one.
That's
open
for
a
security
checklist
as
well,
so
so
keep
that
keep
your
eyes
open
for
that
kind
of
see.
If
I
have
a
tab
here
yep.
So
that's
this
pull
request
under
coupe
name
website
to
add
a
security
checklist
for
clusters
here.
B
So
this
is
just
some
of
the
the
work
that
some
of
the
sub
projects
are
working
on,
along
with,
along
with
the
new
one,
which
is
the
self-assessment
sub
projects
as
well,
which
is
where
various
subprojects
and
and
groups
in
within
within
kubernetes
could
do
a
security
self
assessments
on
their
on
themselves
and
I'll.
Let
pushkar
talk
about
about
that.
A
little
bit
more.
D
Yeah
for
sure,
one
of
the
things
I
wanted
to
also
share
is
it
gets
confusing
when
we
are
talking
about
like
projects
of
projects,
cncf
projects,
kubernetes
project,
what
is
really
going
on
so
the
best
way
I
found
to
understand
it
was
kubernetes
is
a
cncf
project,
and
then
there
are
many
other
cncf
projects
within
kubernetes.
There
are
multiple
small
projects
which
we
call
again.
Projects
would
be
confusing,
so
what
we
basically
do
is
call
it
as
a
sub
project,
and
then
that
becomes
part
of
a
cncf
project.
D
D
The
idea
again
here
is
seek
security
by
themselves.
Can't
do
everything,
so
we
try
to
collaborate
across
all
the
other
sigs
as
well
as
in
cncf.
So
the
way
this
all
started
was
one
of
the
maintainers
from
cluster
api,
which
you
saw
the
turtle
software
that
chris
had
actually
came
up
and
said
hey.
We
would
like
to
do
a
third
party
assessment
for
cluster
api
and
ray
was
about
to
start
one
for
kubernetes,
and
then
we
were
like.
D
Maybe
we
can
do
a
bit
better
and
as
a
precursor
to
a
third
party
assessment,
we
can
do
a
self-assessment
like
how
it's
done
in
cncf
tax
security
and
that's
how
it
basically
started.
So
now
we
have
a
list
of
recommendations
coming
out
of
that
assessment,
and
now
more
and
more
projects
are
joining
in
to
do
their
own
assessments
with
the
help
of
folks
in
seek
security.
D
D
So
some
of
the
things
we
collaborated
with
sig
architecture
was:
how
can
we
do
build
time,
dependency
scanning
or
for
vulnerabilities?
How
can
we
do
vulnerability
scanning
for
container
images
that
are
shipped
with
kubernetes
release?
We
also
helped
out
sig
release
on
some
of
the
signing
and
verification
work
that
happened
in
124.
B
D
B
Yes,
exactly
it
so
the
rfp
already
went
out
in
2021.
We
have
a
vendor
for
2012
and
the
vendor.
It's
currently
ongoing
right
now,
so
2019
the
vendor
was
trail
bits
and
atreides
for
20,
and
this
is
the
the
link.
Let
me
put
this
on
the
chat
for
the
2019
one
and
a
lot
of
good
things
came
out
of
2019
one
and
of
course,
2020.
Lots
of
things
happened
so
that
rfp
was
delayed
and
was
went
out
in
2021
and
also
just
things
were.
B
A
A
A
That's
a
lot
of
work
that
you
can
delegate
right
if
somebody
comes
in
and
wants
to
help
with
the
audit
when
you
come
back
like
there
might
be
a
hundred
things
and
now
what
happens
like
who's
in
charge
of
working
with
the
different
I'm
guessing
working
with
the
different
six
like
they
found
something
in
signo.
They
found
something
in
the
cube
ctl,
which
I
call
cub,
ctl
and
then
ray.
Does
all
the
work
with
all
work
with
everyone
right
can?
Can
somebody
join
and
help
bring
the
security
audits.
B
B
B
B
It's
this
cap
called
defend
against
logging
seekers
via
static
analysis
and
it's
under
kubernetes
enhancements
under
security
out
of
the
out
of
the
audit
in
2019.
Since
since
secrets,
what
was
when
the
findings
was
secret,
some
of
the
secrets
were
exposed
to
logs
or
execution
environment.
So
this
cap,
and
what
graduated
in
1.23
is
the
use
of
goflow
levy,
which
is
attain
propagation
analysis
tool
for
go.
B
So
what
this
tool
does
is
it
helps
prevent
exposing
secrets
to
logs
or
to
execution
environments.
So
now
it's
actually
run
as
part
of
testing
a
pull
request.
So
this
is
results
and
and
of
of
the
2019
audits-
and
this
is
from
a
contributor,
I
think
mostly
patrick
brownberg,
who
worked
on
this
announcement.
B
A
Very
good,
so
I
think
if
people
are
looking
into
collaborating
into
seek
security,
these
are
the
type
of
things
that
will
be
working
like
working
on
the
making
sure
that
a
goal
of
like
running
having
an
rfp
written
every
year
happens
right.
So
more
people
help
out
to
review
it
to
write
portions
of
it,
and
that's
one
one
outcome
that
you
can
work.
One
of
the
benefits
that
you
get
is
that
you
help
makes
kubernetes
more
secure.
A
A
How
would
you
find
out
that
there's
go
fleet
exist
and
go
flow
exist
and
that
scanning
doing
static
analysis
for
security
is
a
good
practice
right.
This
will
give
you
knowledge
that
you
can
like
increase
your
skills,
but
also
bring
it
back
to
the
company
or
to
the
organizations
like
you
know
what
we
should
have
security
static
analysis
and
appeals
like
where
do
you
find
that
out?
A
Like
that's
a
bad
idea,
well,
kubernetes
is
doing
it
like
at
least
have
one
data
point
to
make
our
and
then
the
questions
like
okay,
fine,
how
difficult
it
is
to
implement
it
like
I'm
involved
in
the
seek
security.
Actually,
I
have
access
to
the
scripts
on
how
they
do
it,
which
tool
do
they
use.
I
can
implement
it
myself
right
and
that's
at
least
that's.
I
see
that
more
and
more
of
people
joining
it's
a
mutual
relationship
right.
They
contribute
to
kubernetes,
but
then
they
get
back.
A
Those
type
of
benefits
right,
the
the
software
that
they
use
is
more
secure
and
then
the
software
that
they
write
like
it's
not
kubernetes,
it's
like
they
write
applications,
they
write
java
applications
go
applications
and
they
can
take
those
benefits
so
moving
on
of
like
benefits
like
if
they
don't
write
go,
maybe
they
write
java,
node.js
scripts
and
they
create
docker
images
and
those
torque
images.
I
heard
like
there's
something
called
secure
supply
chain,
and
then
you
need
tools
right
to
I
heard
something:
called
signatures
are
good
put.
A
D
Yeah,
so
that's
a
good
point
and
to
kind
of
finish
off
the
third-party
audit
story,
I
was
an
end-user
not
involved
in
community
when
2019
was
report
was
released
and
I
was
sort
of
feeling
stuck
like.
I
want
to
dive
deeper
into
kubernetes
security,
but
I
don't
know
how
and
that
report
actually
opened
my
eyes
and
I
was
like
wow.
D
D
Actually
they
labeled
it
with
a
simple
command
that
you
can
add
in
a
github
command.
Anybody,
I
think,
can
do
it,
which
is
slash
six
space
security
and
once
that
is
done,
what
we
are,
what
we
do
on
our
site
is
we
have
a
project
tracker
for
seek
security
issues
and
we
take
a
look
at
all
the
issues
that
are
labeled
with
that.
So
I
was
looking
at
that
cap
and
I
saw
like
oh
they've
labeled,
something
related
to
signing
and
seek
security,
which
is
when
we
started
the
collaboration.
D
So
that
is
a
great
way
for
anyone
to
get
us
involved
just
label
any
issue.
You
think
where
we
can
help
with
security
and
in
case
you
are
blocked
by
the
robot,
because
for
some
reason
sometimes
labels
are
blocked.
If
you're,
not
a
member,
ask
somebody
who
is
a
member
to
add,
add
it
to
you
or
send
it
on
slack
and
we
can
add
the
label.
A
B
Yeah,
that's
cevita,
yeah
cevita
is
the
sub
project
lead
for
security
docs
with
that
they
meet,
they
meet
monthly,
but
they
have,
but
they
have
a
slack
channel.
Also,
I
think
it's
six
security
docs
and
they
have
they
have
goals
in
mind.
So
there
there's
they
have
goals
like
the
rbac
good
practice
guide
that
that
was
published
as
well
and
also
a
they
have
published
blog
posts
as
well
like
the
response
to
the
cisa
report
on
kubernetes.
B
Also,
the
what
currently
that's
in
the
progress
like
I
mentioned
before
is
the
this
is
the
security
checklist
for
clusters.
This
is
an
open
pull
request,
so
it's
not
merged.
It's
not
finalized.
There's
some
comments
that
still
needs
to
be
addressed,
but
we
could
take
a
look
and
see
what
the
current
status
of
the.
So
what
is.
B
Just
kind
of
like
good
practices
to
set
up
your
cluster
I'll
just
kind
of
go
through
the
file
here
like
I
do
you
want
to
mention
that
this?
This
is
an
open,
pull
request.
This
is
not.
This
is
not
approved,
so
things
might
might
change.
So
it's
like
like
not
using
system
masters
group
because
it
will
pretty
much
bypass.
Our
back
will
give
you
pretty
much
cluster
admin
access
using
setcomp
and
using
app
armor.
C
A
A
A
D
First
thing
like
to
be
clear:
sig
and
tag
security
both
are
friends
of
each
other,
so
we
really
love
all
the
work.
That's
done
in
both
the
groups
some
storytelling
time,
initially,
one
or
two
years
back
both
were
called
sec
security,
so
we
had
to
kind
of
prepend
it
with
cncf6
security
and
kubernetes
security.
D
But
one
of
the
changes
that
the
toc
did
was
rename
all
the
groups
that
are
at
cncf
level,
not
at
a
project
level
like
kubernetes
into
tags,
and
that's
why
now
this
is
called
a
cnc
of
tag
security
and,
like
you
said
carlos,
it
is
exactly
right
that
they
are
responsible
for
not
just
kubernetes
but
all
the
projects
in
cncf.
So,
if
you're
running
a
full
blown
platform
that
runs
on
cloud
native
technology,
what
are
the
different
projects
you're
going
to
use?
What
are
the
things
that
you
will
have
to
secure?
D
D
A
D
D
There
is
so
much
work
to
do
and
there
are
so
many
people
willing
to
help
that
you
will
find
something
that
is
worth
doing
and
that's
going
to
help
you
as
well
as
the
community.
So
if
you
are
worried
that,
oh
I'm
not
good
enough,
don't
worry
about
that.
Just
say:
hi
just
introduce
or
just
listen
in
on
meetings,
even
if
you
don't
introduce
that's
okay
and,
as
you
come
up
with
more
courage,
feel
free
to
start
jumping
in
on
things.
That's
how
most
of
us
started,
and
it's
totally
fine.
B
B
With
that
as
well,
I
actually
was
used
to
joining
the
cncf
security
meetings
several
years
ago
before
I
actually
can
really
contribute
to
to
kubernetes,
then
my
focus
changed
to
to
mostly
kubernetes
for
upstream
contributions,
so
I
haven't
gone
to
a
3d
meeting
in
a
few
years,
but
yeah
I
100
agree
with
push
card.
Just
if
you're
interested
in
security
aspect,
you
don't
need
to
have
any
expertise
or
programming
knowledge
beforehand.
A
Yeah
and
and
what
about
the
the
folks
that
maybe
work
in
security
right,
they
might
have
cyber,
you
know
hacker
knowledge
back
or
that
back
cyber
criminality
or
cyber
security
roles
or
my
profession,
or
role,
education
or
or
or
experience,
but
don't
know
anything
about
containers
or
kubernetes.
Would
that
people
be
useful
to
have
or
would
it
be
useful
for
them
to
join
in
in
the
sick
security.
D
I
I
would
say
yes
definitely
I
I
think
it's
like
the
whole
kubernetes
security
domain
is
so
complex.
It's
almost
like
a
forest
where
you
have
different
trees
and
all
the
trees
bring
their
own
seeds
and
fruits,
and
flowers
and
everything
becomes
much
better.
So
folks
who
don't
know
kubernetes
containers,
but
no
security
well
are
very
welcome
and
folks
who
know
kubernetes
no
containers
but
aren't
very
familiar
with
security
are
also
very
welcome,
and
even
if
you
are
just
curious
about
both
of
those
things
and
want
to
learn,
those
are
also
welcome.
D
C
B
So
I
I
think
they
complement
each
other,
so
they
don't
one
does
not
replace
the
other
and
for
it
and
for
the
the
checklist
it's
I
think
the
target
audience
is
is
is
the
is
the
I
think,
the
operators
who
are
setting
up
the
clusters
setting
up
the
our
back
groups
creating
those
role
bindings.
You
know
cluster
role
bindings
or
we
do
suggest
role
bindings
over
close
role,
role,
bindings
ins
instead,
so
I
think,
and
in
the
cs
benchmarks
as
well,
I
mean
they're.
B
Also
for
me,
in
my
opinion,
you
know
it's
also
it's
it's
all
about
how
you
set
up
your
clusters
more
secure
as
well,
so
I
think
they
complement
each
other
very
well.
The
security
checklist
is
a
good
starting
out
points,
and
I
don't
think
it's
it's
as
comprehensive
as
yet
with
the
cs
benchmarks.
It's
like
make
sure
you
enable
this
flag
or
this
option
etc,
to
to
be
more
secure
and
there's.
D
A
Okay,
very
good,
so
that
between
the
audits,
the
white
paper,
css,
benchmark
and
and
the
checklist
and
then
it
looks
like
there
might
be
more
in
the
roadmap
or
security
docs
right
more,
this
type
of
docs
going
into
the
kubernetes
website
because
make
it
more
discoverable
right
like
how
do
you
find
about
the
cloud
native
security
unless
you're
like
geek,
like
us,
in
twitter,
tech,
tweeter
or
slack
right?
How
else
are
you
going
to
find
out
about
this?
A
It's
like
we
need
to
put
it
in
multiple
places,
blog
posts
in
the
dogs
and
usually
the
kubernetes
dogs.
I
think
that
the
asset
community.
We
want
that
to
be
like
the
central
place
or
the
first
place,
where
people
find
the
information
and
there's
extra.
I
think
it's
not
it's
not
uncommon
to
point
to
the
different
to
the
different
other
sources
right
to
to
augment
the
information
like
it.
Cannot.
Every
information
cannot
be
in
one
single
place,
so
yeah.
I
think
that
covers
it.
A
A
We
work
on
this
and
they
got
some
advice
of
that.
Take
a
look
at
this
other
stick.
This
might
be
also
another
thing
that
you
may
feel
comfortable
like
joining
first
or
this
is
the
one
that
you
should
join
like
great
may
say:
like
you
know,
dogs
or
release
is
are
good.
Security
are
like
all
the
ones
that
I
aim
are
good
and
then
join
that,
and
that's
that's.
A
That's
also
something
that
you
can
do
like
getting
your
company
to
give
you
your
ten
percent
and
you
contribute
to
kubernetes
and
then
picking
a
sick
is
a
good
way
of
contributing
versus.
I
guess
a
lot
of
people
start
like
lost
like
look
at
the
big
repo
and
say,
like
I
don't
know
how
to
contribute
here.
I
think
a
good
method
is,
I
go
through
a
sig,
go
through
one
of
those
meetings
and
listening
or
what
are
the
problems
they're
trying
to
get?
A
A
So
that's
where
you
can
raise
your
hand
like
hey,
can
I
help
bear
with
you
and
you
know
you
show
me
how
to
to
join
and
how
to
do
it,
and
then
I
can
do
it
by
myself
right
and
then
that's
how
we
grow
the
number
of
contributors.
So
I
wanted
just
to
close
with
that,
because
I
saw
six
chopping
is
a
thing
and
I
saw
it.
A
A
A
And
move
the
hackmd
over
there,
so
this
is
the
hacking.
These
are
the
notes.
Maybe
we
have
access
to
them
and
the
first
questions
is
from
ankit
bandsai.
I
don't
know
if
people
see
my
screen,
let's
see
if
I
get
the
link,
so
these
are
questions
that
we
try
to
find
in
this.
Discuss
like
this
is
the
discuss
kubernetes.io.
A
This
is
where
you
can
go
and
ask
questions
kind
of
our
a
forum.
Also
stack
overflow
is
also
work
on,
like
those
there's
attack
or
kubernetes,
and
this
one
is
about
hpa
understanding
how
hpa
works
and
the
readiness
probe.
So
the
question
goes
also.
I
think
I
have
a
summary
here
and
is
they
have
have
a
doubt
without
modifying
any
auto
scaler
thresholds,
those
auto
scaler
checks
for
pods.
A
So
that's
his
concern
like
it's
not
ready
and
it's
like
working
their
way
up
and
also
mentions
two
two
flags
which
I
look
into
the
source
code
and
I
think
the
source
code
has
better
explanation
than
the
docs
and
that's
something
that
I
need
to
point
out:
horizontal
port,
autoscaler,
cpu
initialization
period
and
also
our
horizontal
parallel
parasite
initiate
in
initial
readiness
delay,
and
these
are
two
flags
that
you
pass
to
the
auto
skater
to
the
control
manager.
That's
not
something
that
you
can
control.
A
A
So
I
I
think,
there's,
oh,
I
I
think
there's
some
yeah
out
of
this,
so
there's
hpa
the
documentation.
So
what
I
found
from
the
documentation
and
and
it's
implementation
is
like-
if
the
if
the
bodies
is
not
ready,
the
algorithm
of
the
hpa,
the
the
default
hpa
it.
It
doesn't
cover
those
spots,
so
it
tries
when
it's
collecting
the
pots
that
it
needs
to
evaluate
the
metrics.
A
It
has
to
have
metrics.
So
it's
many
many
things
to
make
sure
that
that
that's
the
plot
that
should
count
and
the
other
ones.
So
it
ignores
so
the
algorithm
tries
to
ignore
pods.
So,
for
example,
it
doesn't
have
a
metric
it.
I
cannot.
I
cannot
count
it
for
unless
this
is
starting
and
it
counts
as
zero,
but
for
the
readiness
yeah
when
it
when
it
starts
it,
doesn't
it
doesn't
collect
and
it's
not
it's
not
ready
and
that
flag
that
I
was
showing
in
there.
It
has
a
default.
A
I
think
is
this
one
is
30
seconds
and
this
one
is
five
minutes,
so
it
would
not
count.
So
it
would
not
hurt
you
those
when
the
app
starts
and
it
is
not-
and
it's
not
ready-
and
I
put
down
here
the
the
the
definition
that
the
niche
one
is
the
initial
readiness
delay
and
it
has
a
default
value
it's
seconds.
I
cannot
know
that
the
right
number,
but
it's
the
bitter
after
the
pot,
starts
during
which
radiance
changes
be
treated
as
initial
readiness.
A
So
if
that
is
used
in
when
it's
ignoring
pods
and
again,
it
doesn't
have
metrics.
Also
it
gets
ignored
in
that
initial
algorithm
and
then
the
other
one
is.
It
bought
all
scalar
cpu
it's
the
period
after
the
bot
starts,
so
it's
ready,
so
it
counts
as
a
ready
and
then
when
cpu
samples
might
be
skipped.
So
I
don't
I
don't
want
to.
A
A
A
I
don't
think
those
people
know.
I
don't
think
you
have
access
to
these
flags
as
a
managed
kubernetes
cluster.
But
if
you're
using
cube,
adm
right
and
then
you
have
access,
you
can
pass,
you
can
edit
the
yaml
of
the
static
pod
and
then
adjust
adjust
these
flags.
But
if
you
don't
pass
them
in,
they
take
defaults.
It's
not
it's
not
zero.
So
this
is
the
five
minute
one.
A
The
other,
the
other
thing
is
I
found,
is
there's
a
somebody
knows:
who's
the
sig
that
deals
with
hp,
autoscaler,
there's
other
auto
scalers
examples
in
the
from
that
sig,
and
they
show
examples
that,
if,
if
there's
an
organization
that
they
want
to
write
their
own
auto
scaler,
they
can
write
it
and
they
can
use
apis.
They
can
use
the
the
go
libraries
and-
and
they
have
some
examples,
I
found
some
examples,
but
I'm
not
sure
which
is
the
seek
for
this.
A
It
says:
let's
seek
auto
scaling,
it's
called
cigar
scaling
yeah
see.
Maybe
I
should
show
that
the
first
page
I
was
talking
about.
If
you
want
to
know
what
what
are
the
six,
the
six
ratio,
the
community
repo.
But
this
is
the
kx
kubernetes.dev,
which
is
a
kx
or
that
dev
should
also
give
you
here.
If
you
go
to
community
and
then
you'll
be
able
to
find
everything
about
kubernetes
contributing
to
kubernetes,
and
you
will
find
the
community
groups
since
this
special
interest
group.
A
A
I
think
we
also
talk
to
docs
and
then
one
that
I'm
involved
is
release.
So
release
has
two
two
parts:
engineering
and
sick
release
that
takes
care
of
releasing
the
the
the
release
of
kubernetes
that
specific
version
and
also
release
engineering.
But
this
is
like
my
shortcut
to
find
the
six
and
also
in
here
you
will
find
information
about
the
the
meetings
that
are
happening
and-
and
this
is
a
quick
way
also-
you
can
see
the
the
chairs
who
are
the
shares
for
sick
security.
A
That's
part
of
the
main
role
right
as
I
share.
You
also
have
to
foster
your
group
and
and
there's
a
mailing
list,
so
if
you're
also
want
to
join,
there's,
always
a
slack
for
every
group,
there's
always
a
slack
and
a
specific
menu.
So
we
have
many
lists
for
kubernetes
dev,
but
also,
if
you
just
want
to
get
the
emails
for
the
things
that
are
happening
security,
you
can
join
this
public
mailing
list,
so
the
main
needs
are
public.
C
D
C
Right
yeah,
so
so
I
think,
and
basically
like
the
idea
here
is
that
you
don't
know
whether
the
node
is
done
or
not,
because
it
could
be
an
issue
with
the
cubelet
process
or
communication
to
the
cubelet
and
stateful
sets
and
and
demon
sets,
offer
guarantees
around
how
many
pods
are
running
at
any
specific
time.
So
I
think
the
the
idea
is
that,
in
order
to
gracefully
shut
down
these
pods,
you
would
have
to.
A
Yeah
yeah,
so
the
the
the
just
for
as
a
high
level
explanation
the
cube
api,
which
is
the
control,
no
control
plane,
and
you
have
the
worker
know
where
your
apps
are
working.
The
cube
api
is
not
like
reaching
out
to
the
cubelet
like
you're
there
or
you're
there.
It's
the
opposite.
The
cubelet
is
the
one
communicating
back
to
the
control
point
saying
I'm
alive,
I'm
alive
and
I'm
alive.
So
there
could
be
many
way.
Many
reasons
of
why
that
communication
breaks
of
the
cube
not
talking
to
the
cube
api.
A
It
could
be
like
somebody
added
a
security
group
rule
or
a
firewall
setting
that
they
put
something
in
there
that
blocks
that
communication,
but
your
business
application
are
still
peppy
and
happy
and
crunchy
numbers
and
processing,
paychecks
and
crunching
during
the
ai
against
health
records,
whatever
they're
doing
right,
so
it
could
be
like
the
business
application.
Is
it's
fine
but
then
again,
if
you
have
the
sr
team
screaming
at
you
saying,
there's
a
problem
like
or
like
the
business
application.
A
So
you
have
to
take
that
into
account
that
the
worker
node
it
may
be
that
the
somebody
broke.
A
cable,
a
physical,
cable
right
like
oops,
we
were
digging
outside
and
we
broke
a
a
fiber
channel
line
or
something.
But
the
idea
with
kubernetes
is
those
worker
nodes
are
independent.
They
can.
They
can
keep
working
and
doing
their
work
because
they're
they're
processing
data
they're
communicating
with
things
they
don't
need
the
control
plane
right.
That's
they
don't
need
the
control
point
to
work,
so
it
was
designed
for
that
purpose.
A
But
somebody
needs
to
the
information
is
like
the
cube
api
says
it
looks
like
nobody
have
updated.
The
the
heartbeat
right
of
the
cubelet
have
not
updated
so
the
bots
go
to
into
a
unknown
state
like
I
don't
know
if
it's
running
or
if
it's
not
running,
because
I
cannot.
So
if
you
want
to
emulate
this,
it's
super
easy.
You
can
launch
a
mini
cube
with
two
notes.
A
Now:
mini
q
has
super
for
two
multiple
notes:
mini
q,
multiple
nodes,
then
ssh
into
one
of
the
working
nodes
and
system,
cto
stop
the
cubelet,
and
then
you
can
play
it
around
with
different
and
that's
what
I
did
yesterday
play
around
with
different
pods.
So
for
the
demon
sets
demon
sets
run
on
every
node,
so
those
will
be
running
forever,
like
the
person
says,
because
they're
they're
demon
sets,
you
have
one
one
on
every
node,
so
you
they're
not
touched
because
they
have
a
toleration.
A
So
that's
what's
happening.
Demon
sets
when
you
create
them.
They
have
a
toleration
of
like
no
execute,
so
they
will
not
be
kicked
out.
They
will
not
be
evicted
because
they
can
tolerate
the
no
execute
and
they
don't
have
a
threshold
regular
pods
non-demon
sets
by
default.
They
get
a
toleration
saying
no
execute
with
a
threshold
of
five
minutes.
So
what
you
will
see
is
when
you
stop
the
cubelet
and
you
look
at
it
like
they're,
running
running
and
running,
and
you
look
at
your
watch
in
five
minutes.
A
A
They
get
terminating
a
new
pods,
get
spin
up
because
you
can
create
a
new
pod
on
that
namespace.
They
get
it
so
there's
no
conflict
of
the
bot
name.
So
that's
why
deployment
sets
are
more.
I
guess
I
wanna,
I
don't
want
to
say
robust,
but
you
get
you
see
those
spots
running
new
pods
running,
but
take
into
account
that
the
other
parts
are
still
running.
If
you
do
container
d
or
docker
ps,
you
will
see
the
pods
are
still
running
in
the
nodes
like
the
cube
is
not
communicating.
A
So
that's
what
you
see
there
for
a
single
pod.
So
if
you
create
one
pod-
and
you
call
it
like-
I
don't
know
carlos
and
it
goes
into
terminating
the
control
manager.
There's
nothing
to
create
another
pod,
because
it's
not
part
of
the
replica
set
or
it's
not
part
of
the
deployment.
So
it
gets
terminated
and
and
that's
it
for
stateful
sets
it's
kind
of
the
same
thing,
because
they
get
a
unique
name
like
sql
cto
right,
the
master
sql
one
two
and
three.
A
So
if
they
go
to
terminating,
if
the
controller
wants
to
create
another
pod,
what
would
be
the
part
name?
Is
it's
a
conflict
of
the
name?
I
cannot
create
another
sql,
two
right
or
three,
so
I
cannot
create
that
that
one.
So
that's
why
it
stays
in
terminating
forever.
The
pods
case
for
terminating
forever
deployments,
get
a
new
pot
and
then
demon
sets
they
stay
running
because
there's
no
need
to
create
another
post,
because
that's
the
one
running
there.
A
Oh,
it
looks
like
somebody
wanted
to
delete
this
spot,
it
would
delete
them
and
then
the
staple
sets
will
start
coming
up.
The
single
pot
would
like
gone
forever
that
you
should
not
create
single
pods
and
then
the
deployment
sets.
You
know
you
have
the
other
two
replicas
running,
so
it's
just
cleaning
up
and
then
you
restore,
but
the
what
worker
said
is
very
important.
The
way
you
resolve
like
you,
don't
want
to
have.
A
If
there's
a
issue
like
with
that
node
and
you
don't,
you
need
to
create
the
the
staple
sets
to
run
them
in
another
machine,
then
you
need
to
do
the
cube.
Ctl
remove
node
yeah,
you
have
to
tell
the
api
server
like
remove
the
node,
and
then
the
the
bots
will
actually
like
will
be
removed
from
the
api
server
like
at
cd.
Is
that
60
accurate?
I
don't
know
what
you
guys
think.
C
That
that
sounds
right.
I
think
the
other
thing
with
stateful
sets.
You
want
to
make
sure.
I
guess
you
always
want
to
be
mindful
of
any
volumes
attached
to
the
virtual
machines
and
and
then
make
sure
that
those
are
properly
attached
to
any
other
virtual
machines.
Where
you
want
to
schedule.
Your
stateful
sets.
A
Yeah
and
that
came
up
on
a
lot
of
issues,
I
have
some
of
the
issues
stock
overflow,
where
they
bring
up
the
like.
You
have
to
be
careful
because
you
have
data
and
staples
by
nature.
They
always
have
have
data
and
they
have
pvs
and
pvcs,
and
I
don't
know
if
those
pvs
were
created
manually
or
auto
provision
or
how
the
how
the
data
that
is
sitting
in
that
node
gets
replicated
to
the
other
place
and
it
needs
to
be
replicated
so
those
those
type
of
for
for
deployments.
A
I
think
it
was
a
it's
the
one
that
it's
like
yeah,
it's,
okay,
you,
you
will
get
the
pots
running
and
the
other
ones
are
just
terminating
and
ignored,
but
parts
part
of
the
yeah.
That's
that's
just
dealing
with
the
incident
in
normal
circumstances
when
you
want
to
like
service
a
vm
or
like
take
it
out
like
work.
Are
you
saying
like
intentionally
like
I'm
doing
this?
I
know
I'm
going
to
delete
this
vm.
A
I
need
to
take
care
of
the
of
the
mounts
and
then
you
would
do
like
the
drain
right.
We'll
do
the
drain.
That
will
do
the
cordon.
The
cordon
is
like
do
not
schedule
more
things
in
here,
put
that
paint
and
then
the
drain
is
drain.
The
pods,
like
you,
are
telling
the
the
system.
The
api
is
like
drain
the
pot
and
then
usually
get
that
message
right.
A
Whoever
who
knows
that
message
that,
when
you
say
drain
says
oh,
I
forgot
that
flag
is
the
indoor
demon
set
right,
you
say,
okay,
run
it
and
ignore,
because
demon
sets
are
like
agents
like
they're,
not
they
need
to
be
running
on
every
now,
but
it's
not
business
applications
right.
It's
it's
things
that
need
to
run
like
things
as
infrastructure
agents.
It
could
be
a
core
dns
or
csis
and
those
type
of
things.
So
I
think
those
those
are
the
two
questions.
I
got
an
another
one,
but
it
was
around.
A
But
that's
in
newer
versions
of
kubernetes,
I
don't
think
all
versions
have
that
validation,
but
is
is
something
that
people
writing
controllers
for
kubernetes
get
get
for
free.
They
don't
have
to
do
that
validation.
They
don't
have
to
do
transition
rules
and
we
can
discuss
that
in
the
next
show
anything
else,
any
closing
thoughts.
I
know
I
talked
a
lot
this
time.
I
should
should
do
something
different
next.
C
A
A
No,
don't
learn
from
me.
Okay!
Well,
we'll
see
you
next
month
will
be
august
and
if
you
have
recommendation
with
sig,
do
you
want
to
know
more
about
being
me
in
twitter
or
in
slang?
Now
you
know
where
to
find
the
list
of
sigs,
and
we
have
many
does.
We
should
have
a
trivia
like
how
many
sigs
does
kubernetes
have
like
those.
A
We
should
build
an
app
a
kubernetes
app
and
just
have
a
trivia
bot
that
random
type
of
things
like
that,
for
example,
what
what
was
the
for
the
kubernetes
version
that
this
api
went
beta
or
ga
or
alpha
right?
Everybody
looks
for
that
like
that
information,
so
yeah
until
next
time.
Thank
you
for
joining.
I
I
promise
you
I'll
count
the
groups
and
I'll
put
them
in
the
in
the
slack
office
hours.