From YouTube: SIG Cluster Lifecycle 2020-11-03
A
The meeting was gone from the calendar, but I can for today, but I can see it on the 17th. It's 16 1800 hours, my time.
A
Basically, the, like, quote-unquote policy nowadays in Kubernetes is to not print any secrets anywhere in logs, unless this is, like, part of the UX. For instance, kubeadm prints the bootstrap token at the end of the output of the kubeadm init command, so we cannot avoid that.
A
But basically the recommendation is to not print secrets in logs. So I saw a certain initiative by Security and SIG Instrumentation to basically implement the idea that Brian had last time, which is to add some tags to certain structure fields, and that basically, these SIGs started adding data policy tags to Kubernetes structures.
A
I think they are at this to the kubeadm API, but I say that we don't want to change the Kubernetes API at this point, so there was a PR to change other areas. But we can quickly have a look at these issues. So the first one is the general log sanitization, which is basically a proposal.
A
How to, how to apply such a policy, and the TL;DR is that they apply the tags and then, if you use something like klog, it will filter, using reflection, certain fields, maybe replace them with stars, asterisks. And I think they have a list of PRs here. Yeah, there's a, there are a lot of changes in kubernetes/kubernetes.
A
They. I don't think it's in scope for them to change other repositories, but if you think it's appropriate, you can do it in your project. I can show you an example for kubeadm if I can find, okay. This is the first one.
A
Yeah, so this is useful here. So the data policy tag security key, which is a tos key. If it's printed, you know, it's. If it's inlined inside a string.
A
So if, for some reason, you print this structure, supposedly klog will filter it. And immediately on the PR, I asked some relevant questions, like, what if you print the string.
A
Directly, the answer was that there's a second KEP, this will not be captured by anything, obviously, and the answer is there's a second KEP that will do static analysis, but this means that you have to enable static analysis in your repository.
A
It, okay, it's not referenced here, but basically you add this static check as part of the CI, the PR pre-submits, and you can potentially capture such undesired printing of tokens and secrets. And I said, okay, but if the tool does not capture, sorry, does not catch this problem, how do you do it? The answer was, you just have to do it on the review, like, this is the final gate. You gate on review, make sure that you don't print secrets, and that's the whole summary of these two new KEPs.
B
So this is a, the TL;DR is that this is a multi-, uh, cycle effort, and what we are asked now is to start adding tags to our structure, and then there will be, for the initial phase, only Prow jobs that basically does the log filtering and try to, to check if everything is fine in inmate, kubernetes and, yeah, for projects like kubernetes.
A
Yeah, for tools like kubeadm, it doesn't matter much. For core Kubernetes, where we have thousands of klog calls, which can be very dense, requiring a lot of CPU if you add reflection to one of them, obviously this is going to impact performance, so I don't see how they can resolve some of these problems. They can optimize, but still it's overhead.
A
Yeah, I guess they might also want to add something like a general guide, how to write local wrappers, so, because, if you are using a third-party library or basically the standard library to log, this means that you have to write local wrappers to catch these problems, maybe import something from klog to be able to do it. I don't know.
A
I don't see the other group topics. Does everybody want to talk about something?
A
Okay, moving to subproject readers for kubernetes that we don't have any major updates. Mia fabrics are currently discussing, like, what we're going to do with the cubanium.
E
A
For british prototyping some ways to make the API consumable, and I'm also making changes, sorry, not changes, but I'm prototyping some experimental code for how to consume the kubeadm config API itself on the outside, which will potentially is.
A
The job of projects like kind and minikube, because currently they need a lot of if branches to detect what version of Kubernetes maps through certain APIs, things like that. I think we can simplify that and also expose conversion to the outside.
A
But yeah, this is a very early stage. I'm not sure when I'm going to be able to showcase something for bristol, you know when, if you will be able to demo or showcase some of the work around the, some of the methods we want to expose in the library.
B
A
Yeah, me neither. I think we should have a call to discuss some of these library aspects separately, but yeah, that, that's pretty much all we have for kubernetes. Does anybody have questions, comments?
A
Okay, Justin, kops.
D
Thank you. Yes, I apologize, my camera is not working. There's no real major updates. We're trying to get 119 out the door. We have one sort of problematic blocker-ish, which is the Kubernetes project is gradually deprecating basic auth. I can't remember whether it's in 119 or 120. Unfortunately, that, that is sort of the default configuration, at least for kops, for people using AWS when AWS ELB is holding your, your certificate, and so we're trying to find a workaround for that.
D
I don't know exactly what that workaround is going to be. We've talked about various approaches, but yeah, trying to figure, figure out a nice workaround for that.
D
Absolutely, so it's, it's. We use basic auth because we don't want to use, or we can't use, certificate auth, or client certificate authentication, when the ELB is holding the, is doing the TLS, and so, you know, basic auth, token auth, two sides of the same coin, and, but basically it's being deprecated, and so we are, a basic auth was for the people that enabled this particular scenario, which is not the default.
D
But it is a convenient one for the people that did this and put their API server behind an ELB which was doing the TLS decryption. They were using basic auth, and they cannot use basic auth when that is removed from the Kubernetes project.
A
I think, I mean, the projects like, sorry, the name of this evades me. What was the name of the project that forked Kubernetes to replace etcd? k2s, yeah, k3s, yeah. They also used basic auth for bootstrapping the nodes, but they replaced the mechanism with, I for, I forgot with what. My memory is not very good today. But so what, how do you want to, how do you want to replace this mechanism?
D
There are a couple of suggestions. I actually cannot remember in detail what we're talking about. I can try to update next time. I'm trying to bring up the office hours where we discuss it regularly, the notes from the office hours. I think the.
D
If I recall correctly, the current plan is to create a second port which doesn't, I'm trying to understand how that makes sense, but create a second port. And I guess we manage our own cert on that or something, but yeah, trying to figure that out, see.
A
All right, yeah, I think it's going to be removed. I would not be surprised if it's removed in 120. Do you know when?
D
I think that's right. I can't, I couldn't remember, there's 119 or 120, but yes, it's, it's definitely going to be removed, which is not a bad thing. It's just unfortunate for these people in this, using this particular configuration.
A
I don't think, for some of these old deprecations, we don't have tracking issues in kubernetes/enhancements, which recently, around the whole story of bootstrap token volume projection, sorry, volume token projection.
A
We, the release team, complained that we don't have tracking issues for some of these ancient features, and I think the deprecation of basic auth, it happened so long ago that the release team does not know how to track it, which is, I, I, like, if I start searching right now, I, it's going to be difficult for me to find when it's going to be removed. Maybe I should look at the release notes.
A
Yeah, I don't know.
F
Oh okay, yeah, before you take this offline, I, I'd be interested in knowing what the use cases are around using ACM certificate. We're redesigning their API for Cluster API AWS. So if that's, if people want to use ACM certificate, be good to find out why you.
D
Agreed. I think one of the compelling things is that you cannot access it. So it's like a security thing, and I don't know whether at big, big companies there's some sort of, like, managed, like, managed delegation type thing going on here, but, like, I think, I think the main feature is, you know, that certificate is locked away and you don't have to worry about it leaking type thing.
D
And it might also work with fancy names, with real DNS names. I don't know, but yeah, I'm not an expert on.
E
B
Sure, I hope it is a quick update. So we are trying to address some last-minute work for v0311. I'm addressing some work for KCP condition and KCP edition, and there is some other work ongoing for improving memory.
A
API, I asked one question about.
A
I asked this question in the Cluster API channel, but I didn't get the response from people like Lee, because Lee mentioned that the controller runtime, I think, is using the same method as Cluster API to round-trip around the API versions, which is to store a prior version of the configuration API in an annotation. Like, is it really a controller runtime that is doing that, or only Cluster API?
B
A
I also had a look at the hub conversion logic in controller runtime today. Yeah, all right, thanks. I will, I'll try to reach out to Lee in private, see if you can answer. Right, any questions for Cluster API? Sorry, I already asked this, but any comments on.
G
Yeah, not a whole lot. Over the last month, we released 114 zero, one and two, mostly around building a dedicated Docker network for our Docker driver, so that networking is less of a hassle for us. We also, like, you can expose arbitrary ports and that kind of stuff as well. 115 will come out at the end of this month, and, well, at least it should, we'll see. And the other thing was, now that we once again have control of our Zoom for office hours, I've been recording them.
A
Ideally, every subproject owner, at least one of them, should have credentials to do that. I can give you the contact of somebody who can give you access. I don't, I don't think we should delegate all vote uploading to the secrets. I think separate project holders should do that. That's fine by me, yeah! I, I will think you are after the meeting with the, it's basically Josh Castro, who has the keys for that.
B
For pretty sure, I have a question for sure, if, with regard to networking, especially for the, are you supporting HA in minikube? Not currently, that's enough? Okay, because my concern is how to get a VIP in the document.
G
A
For the topic I was talking about earlier, the way we plan to expose the Kubernetes API as consumer to the outside, because it's currently in k/k, it's not easy to vendor. You have to fork it. Like, are you consuming the Kubernetes public types, or do you only pass flags to Kubernetes?
A
Do you know what, do, do you only pass flags to cuba, or do you use the component config as well?
A
Uh-huh, have you ever seen the potential demand for using the config, because there's a lot more inside? I haven't, no. I haven't.
A
Yeah, I, I, for sure kind will benefit from this whole exposure of the config and being able to convert across types. But I guess it will benefit you as well, if you one day start using the config, because otherwise you have to branch across the different versions of Kubernetes to map which version was supported. So.
G
A
Okay, we can end 30 minutes earlier. Thank you and see you again in a couple of weeks, bye.