From YouTube: Kubernetes Office Hours (US Edition) 20180117
Description
Third Wednesday of every month, everyone is welcome!
http://git.k8s.io/community/events/office-hours.md
A: Right, well, welcome everyone to today's Kubernetes office hours, where we answer your user questions live on the air with our esteemed panel of experts. Here you can find us in #office-hours on Slack, and check the topic at the URL. That should take you to a document in GitHub that has all the live stream information and hour times, and things like that. This is our Western edition. We had a session earlier in the day today for the European folks. So before we begin, let's get started by introducing ourselves. I'm gonna be your host.

C: I'm Mario Loria. I am based in Ann Arbor, a mile away from Jorge actually, and I am working for Liquid Web, a leader in hosting web properties for small, medium-sized businesses, and we are embarking on Kubernetes and that's what I worked on. So I also run our little meetup group called Orchestructure. I wish Jorge's house would, so that's my story. Next.

B: And I am Frank Greco. I work at Northwestern Mutual, which is based out of Milwaukee, Wisconsin. I do a lot of work with Kubernetes here. I also do a lot of work with implementing controllers for Kubernetes, custom resource definitions, and then Kanali, an API gateway, called the Kanali project, but hi.
A: Awesome, awesome. All right, well, before we start we're gonna set a few ground rules for everybody here. So first off, this is a judgment-free zone, so everyone had to start from somewhere. So please help us out by being supportive in the channel and things like that. Let's not make any judgments of people's mistakes or if they're doing something wrong. Let's just try to keep it positive and pay it forward. While we do our best to answer your questions, the panel actually doesn't have that sort of sage access to your cluster, so live debugging, doing like really complex things, is kind of off topic. So what we'll do is do our best to get you kind of moving down a path to help you understand the things that you need to debug and hopefully help you kick the can down the road. Likewise, panelists, you're encouraged to expand on your answers with your experience and pro tips as well.

A: So if it's a quick answer about a certain topic and you have some expertise in that area, let's expand it a little bit so that we're not just churning through subjects; let's actually teach people our expertise and best practices. Audience, you guys can help us out by pasting in URLs to the official docs, blogs, or anything that might help any research. While we're discussing these topics, if you find yourself googling, please paste those URLs in there. What we like to do is collect them all and put them in the show description so that those resources are available to people later. You can also help us out by tweeting, spreading the word, telling your co-workers about us, telling your friends, telling people at meetups, so that we can make this show be as useful for everyone as possible. We record each and every session and it's available on YouTube if you're using this resource.

A: Please just do let us know how we can get better, because we're also always constantly tweaking something. If there's a problem with the stream or there's a technical issue, just let us know on Slack. Like, for example, right now we're streaming "This is the EU Edition," where it's actually the Western Edition; I'll fix that after this. So yeah, feel free to go watch the old archives and stuff like that. There's lots of good information there. If you want to sit in on this panel and spread your knowledge, you're more than welcome, and you can earn this fabulous water bottle by helping us help users. So you can help us take notes at the URL that we've pasted in the channel. If you want to, feel free and paste URLs in there, or, excuse me, I'm getting over the flu, or if we find a bug or something that we need to ping someone or a developer or something, please let us know. We're always looking for marketing help.

A: So if you're good at social media, like, while we're doing this show it's really difficult for us to tweet and do things like that. So if you want to help us out in that matter, you're more than welcome; it's a great way to earn one of the water bottles. So we'll be holding raffles for the audience, so we'll be giving away shirts, Kubernetes spinners. If you can hold that up again, Mario, that'd be great, and all sorts of cool stuff. So what we'll do is, if you participate, if you ask a question, if you help somebody out, we'll have a raffle at the end and give somebody a, and then we'll pick a winner and then we'll give you a code for the CNCF store and you get some swag. It's pretty cool, but not the water bottle yet. You have to sit in this panel for a while to earn this, this guy. And lastly, feel free to hang out in #office-hours afterwards. I know a lot of the channels have a lot of people there, full. Sometimes it's hard to get an answer. So if you're finding value here and you're looking for a place to kind of hang out, pull up a chair and try to help us make this a really fun and collaborative place to do, and with that we are ready to get started. What do you guys say? We start this, this show.
A: Feels like, yeah, one second, I lost desktop audio. How's the stream, if someone can, is the audio still coming through? Stream is rocking, okay, all right. Let's start with our first question, which comes from Awhipler, but one second, Mario or one of the panel, can you guys talk real quick? I just want to make sure that, testing.

A: And they sound good, stream. All right, here we go, all right. "Is there a good introduction to all the networking requirements for Kubernetes, such as where Kubernetes assigns its pod, node, etc. IPs? I set up a cluster with CRI-O and flannel. My nodes can pull down images, but my pods cannot route to the outside world," and he goes on to say the pods can't ping 8.8.8.8.

D: Looking into cases where people had similar problems, also spinning up a Kubernetes cluster in the background, and usually this has to do with your network overlay config, but in this particular case he's also using CRI-O; he's relatively new. So I was also going to ping one of the CRI-O developers to see if there was anything special that needed to be done for network setup there. Okay, unfortunately, the CRI-O team is all European, so so far I've not seen a response to my ping, since it's pretty late over there, okay.

A: Feel free to go ahead and just type in the channel and then, if there's too much of a delay, we can go to other questions and bounce back and forth. This is a bare-metal cluster, as you probably suspected, so I was gonna say usually when I run into people having problems with bare metal clusters and networking, it's an on-site issue, like they're doing it at work. They have egress filtering or something like that. Yeah.

A: So, while that, let's let that conversation kick off for a little bit while we move on, and then we'll circle back around to it. Jim Angel asks, "I'm seeking advice for limiting users / RBAC for dev team deployments in the enterprise / production. What are the best practices for user / application segmentation?"
B: So first I would say: split your environments into different clusters. Don't have prod on the same clusters you have your non-prod environments. But specifically with RBAC, so by default Kubernetes will inject a service account token into your pod, without any RBAC that we'll have, so that used to have access to everything. I believe in newer versions of Kubernetes they limit that. Well, that's still lacking from a deployment perspective.

B: That's still not gonna stop developers from, for example, in their deployments, mounting secrets that maybe they shouldn't mount, because it's not actually that pod that's doing the mounting; it's the kubelet that's doing the mounting, and so you have to use something like admission controllers to actually limit stuff like that. RBAC would be more useful if you want to limit maybe a developer's kubectl access, or if your app is actually reaching out.

B: If you're not familiar, what it will do is, well, there's a couple of them. The one that I like to use is what's called a validating webhook configuration. This is fairly new, it's in 1.9, and it basically allows the API server to call out to a service, and you can basically write a rules engine, and Kubernetes will send you the spec that's being applied, and then based on the rules that your specific security team or enterprise has.

C: I was basically going to kind of add to that. Right now, what we do for our internal stuff is have a really fancy batch script that just adds people to the cluster admin role, which is something you don't want to do. Do not do that. That is a quick way to cause problems, actually giving everyone root in the cluster. So definitely do it, but don't do that; admission controllers are quite nice.

B: The thing I would do is, like, even if you use admission controllers, definitely create like a global RBAC policy that denies access or maybe just has read-only, because nothing stops some malicious application code from, you know, calling the Kubernetes API and deleting all resources. Yeah.

A: And it's similar to the namespaces question we had this morning. I also think there's like a separation of concerns thing here. So one of the things I got out of Kelsey Hightower's keynote this year, he was, "Don't fall down the RBAC rabbit hole where you find yourself making really complex policies," right? Just put things in this cluster, put things in that cluster, and keep it simple organizationally, right, yeah.

C: So separation here is a huge thing. So I know when I started using it, oh yes, way back when, like people were like, "Well, just make separate AWS accounts entirely," and maybe you don't have to do that; maybe you do completely separate areas and VPCs and whatnot, but those methods should kind of carry over to Kubernetes, and that isolation, separation, take the time to do it and get it ironed out. And then you worry less and life is easier overall. So, mm-hm.
A: All right, hopefully that answers your question. If not, please feel free to post a follow-up. Also, everyone else, please feel free to start dumping your questions in #office-hours and we'll get to them as we get to them. We will also, if you see someone struggling on kubernetes-users and want to point them this way, that would also really help us out.

A: Let's see, so let's catch up on the AMA channel here. Tim Pepper would like to point out egress policy documentation, someone is sharing their flannel config, yo Matteo would like to remind everyone that RBAC does not equal an RBAC replacement at the application layer, plus or minus API gateways. Everyone, everyone appears to be nodding. Okay, good. Awhipler's back with some more information about his network. Unfortunately he's not able to get a route dump, bummer, but looks like people are pointing him to similar bugs.

A: So yeah, that's open enough for questions. While we're waiting for some questions, someone asked this morning, "Are there any common tools that you all use for debugging your clusters?" As far as, you know, when things are busted; we didn't want to turn it into the text editor comparison thing, but, you know, panel, if you want to share just some of the best practices or some great tools that you use to debug your clusters, that would help add to our corpus of information.

B: So when I'm debugging a cluster, I guess not so much an application but a cluster, like a cluster issue, the first thing I do is I'll spin up a BusyBox container in a cluster and I check networking, right. So if it's a networking thing, you want to see if Kubernetes DNS is working. DNS can have some side effects depending on what base image you're using for your Docker container.

B: The thing I'll add real quick is, if you're a developer and you have like a larger on-prem cluster, definitely get it working in minikube or something first before deploying out to a larger cluster. Just a little bit, you know, just to get rid of, you know, any application bugs right off the bat.
A: Sure, okay, we've got a long one, so I'm gonna do my best to try to translate this, so Marc, if I butcher any part of this, please point it out in the channel, and you guys can probably see this. "I have a question about network policy, if that's okay. I'm on GKE using Calico. I've read quite a few different documents and example policy configs. However, I don't think the following has been covered in as much detail anywhere that I found."

B: This is very naive because I'm not an IP, I'm not an expert with iptables, but a lot of the network policy stuff works with label selectors, right? So, like, you can say ingress traffic to this pod can only come from pods that have these dedicated labels on it. Is that stuff stored in an iptables command, like does Calico create iptables rules based on that and then update them when the pod updates, or does it actually enforce those by a controller that they implement? I haven't looked into the implementation details.

A: Let me keep filling you guys in while you're thinking. "Presumably order is important, as iptables normally simply goes through a list one by one, finds the first match, then whatever that matches will result for that connection. Does either deny or allow have a higher priority over the other? Like if two rules existed, one was deny, the other was allow, which would take precedence?" And so, again, what's good, no.

C: Yeah, I was just gonna say it. So iptables is all based on order, right. So there isn't a, there's a deny and allow, which one takes precedence? The one that's above it, right. So basically the packet comes in and it's matched against the rule, and it's matched against all the rules, and then once it matches one, then that action is taken, right, and so it doesn't continue down the chain. And generally with most Kubernetes things you shouldn't be...

C: You know, directly working with iptables, because you've got your Weave working, or whatever, like for instance Docker, working in iptables and putting rules in there and managing those for you. Generally, you generally don't want to manually intervene if you can help it. So continue, yeah, and he's using...

A: Just as a reminder, similarly again, "What's the order of precedence when you have multiple network policies in existence? They might contain different rules but impact the same pod. So two different scenarios here: two different network policies are configured to create rules from the same pod labels as another network policy already might have defined; similar scenario, but a rule exists covering the whole namespace, such as block all ingress traffic to all pods, then further rules exist that are more fine-grained because they relate to a pod."

E: Someone correct me if I'm wrong, but I think network policies are actually applied in alphabetical order in Kubernetes, which is kind of strange. It's a strange thing we've run into, but you can actually get a network policy to precede another by adding, say, "00-" in front of it in numbering. In that way, it's kind of a strange thing, but I'm pretty sure that applies here. Yeah.

A: Okay, Marc, well, let us know how you get on, and then we can certainly close the loop on that, and there's also SIG Networking; I'm pretty sure Calico's smart folks attend that meeting. If someone can find the list of SIGs and paste it into the chat there, I'm sure someone at SIG Network could at least point you in the right direction.
A: Okay, so I am going to go to the next Helm question, which is about Helm. If I am skipping your question or I haven't seen it because it's scrolling, please feel free to just highlight me, paste it back in, and then we'll get to it. Dermot asks two questions: "How into Helm are y'all? Is Helm a best practice yet? At one level of complexity, would one ditch individual resource configs to go with a chart?" So we actually had a Helm person here a few weeks ago, yeah, I don't...

C: Folks, so I'm a huge proponent of Helm; I've been using it literally days after I found Kubernetes, because it makes life easier on so many levels. Let's see, his first question, "How into Helm are you?" I'm using it daily. I'm using it for production deployments, upgrades, rollbacks for workloads in our cluster, mainly core services, so things like ingress controller, kube cert manager, you know, whatever we're running that's a core service. We have it completely managed in Helm. We have our own repositories as well. It is stable.

C: It's something that you can trust. You know what you're getting; the commands are straightforward; there's its rollback functionality, etc. It's one of my favorite utilities ever, actually. Best practices: be very explicit with things, take the time to invest in your values files, which define configuration for this particular template. Right, so for your ingress controller you might have a few-page values file. Make sure that is version controlled.

C: Make sure that multiple people understand why certain options are set, make sure you've got standards within your organization for how to handle changes and that process as well. Not just, "I'm on my laptop and I need to apply something"; it's also a CI/CD tool as well, primarily a CD tool, and that's where it actually has a rollback and fantastic upgrade functionality that you can use as well. Let's see, "at one level of complexity"... wait, wait, real quick before...

C: It's Helm charts, and then so what we actually do is we pull from upstream and we maintain our own charts, because there's a lot of customizations we might have here and there, like, oh, maybe a service account is configured or something like that that you can't get with just a values file, with just basic configuration, right. So we do that because then we track them as well, so they're versioned. So a chart itself is versioned, so that the config is its own version, right, as well.

C: The application it might be deploying, right, so, and the other thing with Helm is that it's actually meant to be a centralized catalog that you can, so Helm was meant to tap into, you know, a Helm server if you will, that can find a chart and deploy it for you, right. So you don't have to do just a repository or just local files. You can actually have them hosted somewhere as well, so yeah, so we actually pull this down and maintain those and we'll pull any updates from.

C: So the nginx ingress controller is a great example. There's fantastic updates going into that weekly, into that chart, optimizing it. You know, a new image has been pushed, et cetera, right, so we'll go in and we'll pull those down as needed. That's kind of a very intro way of using it, right, so the other, the key thing is making sure that all the people that are using Helm understand how to use it, right.

C: So you don't want people stepping on each other's actions, and Helm makes that really easy to do. And then he has just one more thing: "level of complexity, would one ditch individual resources and things and go with the chart?" There's the initial level of understanding and a little bit of complexity there in understanding what a template actually is, the multiple pieces and how to apply it. But once you start using it, you'll realize how very powerful it is; the whole community.

C: It hangs out in #helm-users in the Kubernetes Slack; they're super supportive, and every issue that I have opened up for Helm has been closed as sorted or implemented. So I would definitely look into it and keep using it. I will be hanging out on office hours; I'd answer more questions about it. Yeah.
C: Yeah, there's, we definitely, we always pull them. We start playing with them and figuring out what resources to push out, and there's the dry run flag and the debug flag, and so you can see exactly what Helm pushed to the cluster, and I think a lot of people... So for us we had a lot of people that were deploying some sort of workload and it had, you know, a service account, an RBAC...

C: You know, role and other assets that were just kind of placed around the cluster, and so I had to go back now and actually reverse-engineer certain things and try to bring them together into a Helm chart, bring all of its assets together and, you know, make it easier to manage long term. So it's something that you should definitely, definitely look into, yeah. That.

C: There's also TLS that you should enable as well; there's more that you can do. RBAC is enabled, and you really just kind of have to sit down and configure it based on what you want the power Helm should have over your cluster, and before things, right, and you may say, "I only want to deploy access to kube-system, but no kill access," or something like that. That should be possible, right. So it's come quite a ways; it's well supported and it's a pretty fantastic tool, yeah.

A: Okay, we have some follow-up questions as well, so we're gonna move on, so we can get back to it, but get back to here, a mass asked: "How do I prevent a node from going down because of the out-of-memory killer on a cluster that was brought up by kops?" kubectl server version, and he's running 1.8.4. "Clusters brought up on AWS. I've seen a node go OOM a couple of times, which causes a domino effect, because the cluster autoscaler does not react as fast and failed pods are scheduled on other nodes, which later brings it down with the same problem. I already upgraded the instance type to prevent that, so you vertically grew. However, since I want my application to be auto-scaled by HPA, it may happen in the future again. I'm looking for advice on how to prevent nodes from memory overcommitment, basically."
B: I mean, step one I would say, or, you know, step zero is do proper capacity planning. That's something that a lot of people don't start with and mature into. The one thing I will say, and we've run into this, is, if you use a horizontal pod autoscaler, if you do not, and this is important, if you do not define a resource on your pod, the HPA has no effect.

D: I actually wanted to ask for some clarification here, which is: are the nodes running out of memory and killing off pods for that reason, or are the individual pods running past their limits and getting killed off? Because those are two different situations.

B: So yeah, so then doing proper capacity planning, for, you know, and this isn't something you can necessarily do per node, but you could, I mean, unless you, like, strongly use affinities and anti-affinities and whatnot, but you can kind of, like, times it by how many nodes you have in your cluster and the kube scheduler will do it. The other thing I would say, though, is you definitely want to design your applications and clusters in a way where you can handle nodes going down. Kubernetes...

B: You know, it's meant to work as one machine, and if one part of that unit goes down, you might still want to design your application to be highly available. One thing we've done is we'll always make sure, like, we'll write something for the Kubernetes scheduler to make sure that we at least, at a minimum, have two replicas, one in each AZ, so that if one goes down, you know, so we don't run into the situation where you have two replicas, they're...

A: Yeah, one thing I noticed a while, when I was getting started, I'm still getting started, a lot of the examples you run into don't have memory or CPU limits, and it's like one thing that I learned right away from people who were experts, or like, set limits for everything. So you could do math, right, and then, if something can't get scheduled there, you'll get an error as opposed to, oh, like, I don't know that this app needs this amount of memory versus this other one.

B: Other things with that that you can do as a cluster admin is, you can assign resources at a namespace level so that, even if pods don't assign resources, you're still restricting them at the namespace level. The second thing is, this requires 1.9, but earlier I was talking about validating webhook configuration; there's also a mutating webhook configuration, which allows you to actually modify the spec, and so, if pods are being deployed and not putting resource limits, you can actually add them for the developers.

A: And I know there's some work, this is getting a little bit too out of scope, about tying into Prometheus and a bunch of things that can actually monitor your app and then let you know that, like, what you're asking for, what the app is actually using, is reasonable, so that it gives you a tool to be able to, you know, make smarter decisions. I guess we should have him on at one time and explain that to us, 'cause, really great, okay.
A: Any other comments to add before we move on? All right. Thanks for that question; if we have an answer, Tif, please feel free to continue to follow up. We'll move on to the next one here. Nick asked a question regarding: "How do you tend to run a single Tiller per namespace? Ideally, I want a namespace per team and, with RBAC, I don't really want a team in one namespace to have the ability to deploy another via Helm / Tiller." Dermot again adds, "I use one Tiller per cluster." What do y'all think?

B: So I don't use Helm in production, but the one thing I will say, and this is abstract from Helm, is you have to decide whether you want to be highly available and highly deployable or just highly available. If it's a requirement to be highly deployable, you might want to make sure that your Tiller deployment is highly available.

B: Highly available means that the runtime traffic to an application is highly available, whereas highly deployable means that you can, it's basically the same thing but for deployments: at any given time you're able to deploy, you know, you can handle faults, et cetera. So, for example, if you only have maybe one replica of your Tiller pod and it goes down, you know, and, you know, maybe Kubernetes, maybe it's in a crash loop backoff.

B: You know, you're no longer highly deployable at that point, mm-hmm, but your application could still be highly available for the applications that Helm deployed. Maybe it's a writing. Yeah.

C: Yeah, I was just actually gonna say, and I just searched it, because I've always just run a single Tiller instance, and that's by default how it runs. There's an open issue I'm looking at right now, and I will post that in the Slack, of people asking for a change in how your client would handle multiple Tillers as well.

C: Obviously you don't want them stepping on each other, but you again want a probably highly deployable kind of setup for what you're doing; it depends on how many people you have working and whatnot. I think Tiller's deployed as just a basic deployment by default, so yeah, I actually do not know much about that. Was there another part to the question, or was it just about HA? But I think that was it. Sorry, I keep coughing.

A: Let's see if he has any follow-up questions, so scrolling back down, Suresh asks, are ksonnet and Helm complementing each other? So I can actually answer this. I know that Bryan Liles, one of the developers on ksonnet, will be attending the Helm Summit, and now that they've got two releases under their belt, are going to start looking at ways to smartly integrate with Helm. So I cannot answer that question today, but by next month I can probably answer that, but I guess the best way I can answer that is yes, the case.
B: Not sure if there's one place you can go to, so like ingress CIDRs. Are you talking about like the service CIDR range, like the cluster IP CIDR range? Are they actual, like, the overlay networks? They are a range like the pod CIDR or network, because, like, there's one place you can go for that. There's another place you could go to, like, learn about Kubernetes ingress resources.

A: Okay, great, so my wife would like to remind everyone that we're running out of time. Awesome. Yes, okay, the Google Home is also an intercom. That's been, yes, I found out. "If I was to separate each other by app team, I'd probably put in a parallel namespace with RBAC permissions to create objects in the app team namespace, something like app-team-one-tiller and app-team-one-app respectively."

C: I mean, there's a lot of ways you can do this. I don't have as much experience with fine-tuning permissions, but there's a lot you can do. I'm not sure about the post; there's actually, so from the client side, it's really about making sure that your Helm binary is talking to the right Tiller instance, and you can do that based on what your config is set to, or your context and namespace currently, but also there's variables to control that, right.

A: Tim Pepper would like to add, there's network info in the Concepts and Tasks in the top bar nav on kubernetes.io/docs, including some Calico-specific network policy, so you can find those URLs in the channel. Any more questions? We're about 15 minutes from the end here. So we've had some great questions so far; keep them coming, folks.

C: If people see my head bobbing, it's because I usually pretend like there's death metal playing all the time, even when there isn't, and so I'm actually, like, drumming with my hands right now as well. So just so, if you see, you know, I mean, I'm not having a seizure, I'm okay, I'm not mad. Let's go, I'm good, everything's fine! It's...

A: Like you're the Lobo of the group; we're just metal all the time. Let's see, looks like people are furiously typing. Let's give them a few minutes. So I think for sure we should definitely invite some Helm / SIG Apps folks over to one of these sessions. One thing I'd like to mention is that we kind of do these based on user demand. So if people say, "Hey, we'd really like to have a Helm one," we could do that.

A: We can definitely do the hard work of chasing down all the developers and getting them for you. It's just a matter of time, of grabbing an audience. So if there is interest in this, you can get ahold of me and we can build a little list, see if people show up. As long as more than three people show up, it's a party, right. Let's see.

A: So it looks like someone's been using Kubernetes in production for three years and he's totally drank all the Kool-Aid all the way up. So, while we have some time, while we're waiting for the next questions, anything interesting, or interesting problems that you all have solved recently that you might want to share with the community, as far as those busted things? I have.
B: When that process went down, I believe, I could be wrong, but I believe CoreOS actually puts the containerd process and the Docker process in systemd as two separate things that it manages separately, as opposed to together, but just a random one that I solved in the past couple days. Yeah.

B: But we are moving to it; we're not on it. Well, actually, take that back, I think we are using it with flannel; I'm pretty sure we're using flannel. The thing too, we keep going back and forth, right, and, you know, this kinda has to do with the whole overlay thing with, you know, containerizing your overlay and whatnot.

D: So whatever networking that you're using for your cluster, overlay or otherwise, goes through the CNI. CSI, which is relatively new, is similar for storage, the container storage interface. CRI-O is a project that supplies an alternate container runtime.

D: So the container runtime is the piece of software that takes a container image, which is a set of files, and allows you to run it in its own namespace as sort of an active piece of software, you know, a virtual environment. Obviously the most common and popular one is Docker, which, you know, these days is the one. Among the runtimes: containerd, rkt, CoreOS has rkt, and then CRI-O is one that was designed from the ground up to implement...

D: There's an API there, again another three-letter API, CRI, which stands for container runtime interface, and CRI-O is designed from the ground up to fulfill the CRI API spec and nothing else, mm-hmm. The idea is, you know, to only do the things that Kubernetes asks for and not anything else, so, and, you know, some people run that instead of running containerd; it will run several different container runtime interfaces.

A: Let's see, Nick wanted to point out to everybody that the new Docker on OS X has Kubernetes integration, and actually tomorrow's Kubernetes community meeting, someone from Docker will be there to demo that, and really excited to see that. Moving on to more questions, Nick asks a question: "Do people tend to deploy clustered databases, Galera for example, in Kubernetes these days? I remember a few tweets from Kelsey saying to avoid these a long time ago. StatefulSets have landed."

D: So right now what we're seeing is a lot of people running applications in dev and test, because both, I mean, two things basically made it worlds easier to run databases in Kubernetes: one is StatefulSets and the second is operators, and, more broadly, CRDs actually, so more acronyms.
What
a
CID
stand
for
custom.
D
Custom
research
definition
was
the
way
to
define
your
own
kubernetes
object
at
runtime,
be
without
compiling
any,
without
meaning
to
compile
any
go
on
the
fly,
yeah
rate,
some
VM
and
Sue,
and
that
I
would
say
actually
because
they're
talking
about
this,
if
a
breakdown
is
the
value
of
running
databases
on
kubernetes,
depends
on
your
use
case,
and
it's
really
a
question
of
how.
How
valuable
is
automated,
deploy
of
new
databases
to
you
right
to
give
you
two
situations
right.
D
You
have
one
small
database
for
each
application
that
you
have
and
the
development
teams
are
in
charge
of
their
own
databases.
In
that
case,
kubernetes
can
supply
tremendous
value
to
you
because
they
can
be
in
charge
of
deployment
and
maintenance.
Their
own
database
is
not
just
you
know,
be
responsible
for
a
separate
database.
On
the
other
hand,
many
large
enterprises
have
a
single
gigantic
database
with
25
terabytes
of
storage
that
has
everything
in
it
and
is
managed
by
DB
18.
D
That's
not
going
to
be
a
good
case
for
kubernetes,
because
that
database
probably
not
only
uses
all
the
resources
in
the
system
but
uses
all
the
resources
and
multiple
systems
and
it's
managed
completely
separately
from
the
application
workflow,
so
someday.
Of
course,
I
want
to
be
able
to
run
all
databases,
no
matter
how
large
and
kubernetes
right
now
there's
a
kind
of
value
proposition,
depending
on
the
sort
of
size
and
centrality
yeah.
A
So
Riley
was
adding
that
aura
cause
of
my
single
operator
that
they're
supposed
to
be
releasing
soon
and
3d
inflow
says
my
coworker
gave
a
talk,
a
cube
con
about
the
my
single
operator
and
left
a
link.
Do
you
mind
if
I
ask
a
totally
it's
gonna
sound
like
I'm,
being
sarcastic
and
cynical,
but
you've
been
the
database.
You've
been
around
the
book.
You've
been
a
databases
for
a
long
time.
Do
you
it
just
feels
like
one
of
those
things
like
is
it?
Is
it
worth
like
it
feels
like
stable
technology?
D
A
year
where
we're
still
figuring
this
to
you
here
in
size
of
a
PostgreSQL
database
in
the
field,
mm-hmm
is
about
a
hundred
megabytes
for
every
database
that
you
hear
about
because
it's
like
16,
terabytes
or
whatever,
and
run
somebody's
entire
enterprise,
etc.
There
are
something
on
the
order
of
a
hundred
thousand
databases
that
are
100
megabytes
or
less
okay.
D
D
Like
what
you're
getting
right
yeah
is
this
you
know,
or
to
put
it
another
way,
you
don't
want
to
devote
a
full
time
person
to
managing
a
database
with
a
hundred
and
fifty
megabytes
of
data
that
supports
a
single
non-critical
application
that
should
and
doing
it
the
sort
of
manual
way
on
the
base,
OS
etc.
It's
hard
to
make
it
fully
automatic
mm-hmm,
you
know,
as
in
you,
can
make
failover
automatic.
D
A
D
And
the
answer
is
very
much
so
the
because
one
of
the
other
things
you
look
into
is,
if
you
look
into
something
like
Cassandra
or
Kafka
or
another
database,
that
requires
multiple
nodes
to
run
often
many
nodes.
The
deployment
process
of
that
can
be
very
complicated.
One
of
the
various
project
continued
the
site
is
DB,
which
is
a
distributed.
Sql
database
and
one
of
the
big
sort
of
blockers
for
customers
install
users
and
song
situs
TV
themselves
is
the
installation
process
of
how
do
I
get
all
of
these
nodes
there?
D
A
That
is
I
hadn't
thought
about
it.
That
way,
so
you
have
a
telling
people,
like
usually
at
local
groups
someone's
like
yeah
I,
want
to
stick
I
want
to
stick
my
databases
in
kubernetes
and
I'm,
like
how
many
man,
how
many
hours
have
you
spent
in
the
past
decade,
making
your
database
endpoint
like
really
reliable
and
stuff.
Do
you
really
want
to
start
over
yeah.
D
D
Of
that
changed
right,
because
there's
a
lot
right,
a
lot
of
the
newer
databases
are
designed
to
be
high
availability
from
the
get-go
mm-hmm,
any
like
my
sequel
and
Postgres
are
being
retrofitted.
To
support
that
you
know,
and
so
the
only
thing
they're
missing
is
an
infrastructure
like
kubernetes
that
can,
for
example,
replace
nodes
that
have
gone
missing
right.
A
Right
so
it
sounds
like
it
looks
like
we
have
time
for
one
more
question
and
then
we're
gonna
have
to
kill
it
for
the
day,
as
I
always
recommend
having
Josh
burkas
available
at
parties
for
insights
like
this,
that's
exactly
this
is
why
you
go
to
Scott.
It's
like
the
only
reason.
Well,
I'm,
not
just
kidding
it's
a
very
big
reason
to
go
to
ask
on.
Let's
get
this
kind
of
information,
Tim
Piper's
been
taking
notes
for
everyone
thanks
a
lot.
Tim
really
appreciate
that.
B
A
D
B
I
had
some
confusion
about
this,
so
I'm
sure
people
in
the
audience
might
but
I
implement
a
lot
of
kubernetes
controllers
and
lately
the
word
operator
has
started
to
pop
up.
What
do
you
think
the
difference
between
an
operator
and
controllers.
D
B
D
Yeah
API
is
possibly
you
know
a
namespace
with
the
N
at
CD,
where
you
actually
store
metadata
about
the
things
that
you're
deploying
the
others
can
controller
out
there
when
you.
Actually,
we
actually
modify
it
by
updating
a
manifest
through
who
control.
Then
it
looks
for
there's
manifest
items
and
then
the
custom
controller
that
comes
with
this
actually
takes
that
manifest
and
deploys
things
according
to
so
yeah.
So
it's
basically
it's
a
superset.
Then
he
calls
the
custom,
control
and
I'm
kneading
that
off
cuz.
My
answering
machines
went
off
yes.
B
A
With
that
that
was
a
that
was
all
the
time
we
had
for
this
week,
thanks
everyone
who
attended.
As
always,
we
love
feedback,
please
just
dump
it
in
the
channel.
Thanks
to
the
following
companies
for
supporting
the
community
office
hours
with
the
developer
volunteers,
it's
really
great
that
companies
allow
their
engineers
work
time
to
do
this.
So
thanks
to
Amazon,
bitNami
giant
swarm,
hefty
Oh
liquid
web
Northwestern,
Mutual
packet
net,
pivotal
Red
Hat,
we've
works
and
VMware
for
Tim.
A
Thanks
for
the
notes
today,
so
we'll
be
holding
raffles
like
I
said
with
t-shirts,
the
kubernetes
spinners
and
all
that
stuff.
So
just
by
coming
and
participating,
you
have
a
chance
to
to
win
some
stuff
and,
lastly,
feel
free
to
hang
out
and
the
office
hours
channels
afterwards
get
to
know.
Each
other
looks
like
people
are
really
excited
and
we've
had
a
lot
of
great
it.
This
is
the
first
time
there
I.
Actually
it
was
difficult
for
me
to
keep
up
with
the
scrolling.
A
So
please
help
us
out
by
telling
a
friend
and
if
you're
looking
for
a
friendly
home,
definitely
hang
out
with
us,
and
we
will
see
everybody
the
next
third
Wednesday
of
the
month,
which
you
will
find
the
link
always
in
the
channel
and
hash
office
hours.
I,
do
announce
these
at
the
community
meeting
and
I
post
them
on
kubernetes
users
and
kubernetes
novice,
and
with
that.
Thank
you
very
much.
Everybody
thanks
again
to
our
panel
for
hanging
out
and
we'll
see
everyone
next
month.