Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Kubernetes / SIG Cluster Lifecycle / 26 May 2022
Kubernetes / SIG Cluster Lifecycle / 26 May 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: SIG Cluster Lifecycle - Cluster API Azure Office Hours - 20220526

Description

SIG Cluster Lifecycle - Cluster API Azure Office Hours - 20220526

A

All right welcome to the kubernetes sid cluster lifecycle, cluster api provider azure office hours- it is thursday, may 26 2022 the year is almost halfway over. How did that happen? Don't know uh we are abiding by the cncf code of conduct. um Please use the raise hands feature and this meeting will be recorded.

A

Let's see, we've got, um I think. uh Perhaps a little bit of um capsie release excitement match. You wanna tell us about that or.

B

Sure, I guess that's the only thing we have on here.

A

Everyone is probably well aware.

B

But we had a patch release last week that fixed a couple significant things, essentially up until now, uh azure user assigned id was not working correctly, uh but it is now and then the calico upgrade thing relates to upstream testing. So it won't actually affect most people, but we're on the almost latest calico there's actually a new patch. We might want to pull in.

A

Cool, I'm sorry I'm trying to share my screen, but I have way too many windows that all look the same and I'm trying to not share the wrong one. So.

A

ah I see it.

A

Sharing now.

A

Yes, this is the right thing, so yeah putting this up here. We've got that 1.3.1 release yep.

B

That's about it and we're still working on the one for milestone. Maybe we maybe we should look at that, while we're here.

A

Sure absolutely.

A

And we do we anticipate this will in fact go out in early july.

B

Seems like we have a good chance. What do you guys think? What do you think cecile.

C

um Yeah, I think it'd be nice. If we try to stick to like just you know, try this out. We said we would try to do a release, cadence, that's driven by date rather than by teachers. So the idea is that on july, 6th, that's when we release, even if this list is not done, which is very likely. um This is just the things we're trying to.

C

You know work towards like our main priorities right now, but if we don't get all of them done, that's okay, we release 1.4, and then we move all the remaining ones that are still relevant to the 1.5 nelston.

A

Okay, awesome and looking at the milestones, do we right now? If we're kicking things out of 1.4, do we put them in next or right now? Should we have a 1.5, you know ready to go, or should we create that closer to the time.

C

um In the past, uh what we've done is just create the new milestone at the time of the release and just move everything that's left over, um but we can also put things in next now. If you already know that we don't want to focus on them anymore, for this release,.

A

Right right, of course, I am excited to see that this uh plot car support one might be in this release. It's been a long time coming so exciting.

B

I guess I should add the new skus to this. The new sku's changes to this milestone, although that should land today and then we'll cherry pick it back to one three. I assume.

B

But I'll go add that.

A

Cool cool awesome: okay, uh do we have anything else that we want to talk about.

A

We didn't talk about this fix for azure assigned user id. Is this um in that.

D

That particular.

A

Yeah that particular thing in the release is it um that was just a bug fix.

B

Yeah.

A

I see there.

B

Was a disagreement over what we were supposed to put in that field uh between us and uh cloud provider, and so we fixed it from both sides. So if you're using an up-to-date external cloud provider, then this is fixed regardless of whether or not you got the capsc fix, but.

A

In general,.

B

Most people will need this to be safe.

A

Right right: okay,.

B

At some point in the far future that to do comment shows at some point in the future when we're sure that cloud provider everywhere has been patched, um we can undo this and if that time ever arrives,.

A

I was going to say that the mythological future in which everything everywhere is patched, I don't know well.

B

Because it would need to be patched on the entry version of cloud provider as well, and I don't think that's actually going to happen.

A

Well, there I mean it's possible to get bug fixes into that.

B

It is, but I don't think we've tried to do that with this one. I should go. Follow up.

A

We could yeah they'll, take bug fixes for sure.

A

uh Let's see anything else that we should chat about.

B

Just uh I hope everybody saw vince's email yesterday. That was pretty awesome. He did a really good job of summarizing all the cluster api hype. That happened at kubecon and there was quite a lot of it.

B

So it's good to be part of a project. That's on the way up.

A

Yes, it's pretty exciting um I'll put a note in here. We should add a link to the notes because I believe they they posted something as well. So we can link to the uh uh happy report from kubecon.

B

Yeah good call.

A

Okay, all right what else, if anything, should we discuss.

C

I guess I have one small thing, um so I've been uh playing with um users, speaking of user, assigned identity, user assigned identity, but so there are two identities in chemistry: there's the identity that we use to actually create the cluster, and then this the identities that we put on the vms, um like the node vms that are created as part of the workflow cluster.

C

um So right now for uh vm identity, we support, managed identities like user assign system design, but for creating the actual cluster. We use a d part identity which supports three methods of authentication. First, one is service principle. Second, one is service principle with a certificate and then the third one is user assigned identity.

C

We actually only support service principles right now in cap c, so you can't use a user assigned or other type of managed identity to like actually create the cluster you need to service principal.

C

I was able to add, like support for user assigned identity. uh It's not too much of a big change like it works, and um it's it's not too much change on the capsie side.

C

um The main issue, like the reason, I'm doubtful about actually opening the pr and I wanted to get people's thoughts on it is first one is that it actually requires like a azure vm, to be used as the management cluster node, um because it you can only have an identity if you're running on a natural resource, and so this only works if you're, using something like aks as your management, cluster or another cab, z cluster.

C

As your management cluster, that has a vm identity, you can't, just like add the identity to a kind cluster, or something like that. So that's the first thing: it's pretty restrictive and.

A

Did the sales.

E

Just freeze.

A

For anyone else, oh oh okay,.

C

It froze for a second, but it must be me, please so yeah I'll. Just tell you what I said again so the uh the second thing is we're trying to move away from a depod identity to workload, identity, because a depart identity is deprecated and is being replaced by azure workload, identity, which is a newer project which is equivalent.

C

So do we want to add the support in knowingly that you know we might completely move away from it very soon um and then the other thing is azure workflow that day does not yet support managed identities. As far as I'm aware, so it would be adding support for one thing that we basically have to regress later on, but we could also add both in parallel for now like we don't have to get rid of a deep identity right away.

C

We could also put workload identity behind some sort of feature flag and then have both available for testing um until azure workload. Id maybe supports managed identity. I don't know if that's in the plans or not, I my impression is that it is um so. I guess my question is: do we think it's valuable to add user assigned identity support for creating clusters.

B

So it requires an azure vm, with uh managed identity on it or an identity on it uh in order to bootstrap everything like the the management cluster in the first place, authentication from an existing vm or it would be enough to have, could you have? Could we provision an aks management.

C

Cluster.

B

And then okay.

C

Yeah you can create an aks management cluster with managed identity and then use those identities as long as they have the right role. Assignments.

B

Yeah, I'm thinking selfishly of the azcappy thing, and so it would actually help out. It would work pretty well there, because we definitely.

C

Don't need a service principle anymore, yeah yeah, but you do need to assign rule assignments, because your default, managed identities in aks won't have necessary permissions on the subscription, and so that means they won't be able to fetch images or resource skills or create resource groups.

B

But that's some additional scripting. We could just add into the client so that people don't need to know about that.

C

Yes, but not, everyone has permissions in their subscription to creative, real sense. Oh.

E

Right.

C

It's a very restrictive, like unique owner or administrative rights to do that.

A

I like the idea of putting anything like this behind a feature flag in that I worry that for people who don't understand what just changed and also don't have the ability to use it, I wouldn't want to break their default experience yeah. So.

C

This particular feature this would be an opt-in like it's. It would be a feature, an option alongside what we have right now, there's no defaults! Really it's up to you to like pick it. um So if you don't choose it, if you don't change your template, you won't notice it's there, um it's more further, like switching to workload, identity which is way more invasive and would like change everything underneath. That's where I was thinking of doing the pictures like.

A

I am.

E

Yeah uh one thing like uh I want to like make sure it's like: if, if we are going to move away from aad pod identity to workload entity, I think this feature might provide the incentive for, like the users to use uh a depo pod identity instead of workload, identity, which is not what we want. I think so so um yeah. We need like keep that in mind. If we want like um move to workload identity as quickly as possible,.

C

Yeah, that's my yeah. That's my thinking too.

C

But on the other hand, if some users actually need this for, like you know, because they can use service principles in their production pipelines, for example, then it would be good to give them that option before it's too late, and then we can keep that as a backup. You know until workflow identity gets there.

E

Right, do you like do you know like the like an approximate timeline when this might get implemented in workload, identity.

C

um My understanding is that it's not just work to be done. It's that azure, like identity, doesn't support what they need in order to support it right now. So it's it's put yeah. I don't know if it's like being worked on or if it's something that is at all I mean I can try to find out more and post on the repo or channel and see what they say.

E

I think it might be worth opening an issue for the I'm discussing over there.

A

I'm just dropping a link in the chat now to the roadmap for workload identity.

A

I haven't thoroughly looked yet to see if it covers this, but it has a number of items on the roadmap that might be informative.

B

I I guess the danger would be that you know it's not fully featured or there may be a lot of caveats to the feature, and so we could end up spending a lot of time, reminding people that no, it doesn't support this, or you have to do this and all that so the trade-off is. It could end up being a lot of support time for a sort of pathway implemented feature, but even so, I think we should probably I think, it'd be good to have it supported.

A

Yeah, I agree as long as we're giving people a path forward. I think that's a good idea.

A

Okay, do we have anything more on this topic, or do we have any further topics that people would like to discuss? I see we had some folks join us along the way so um and if anybody who recently joined um would like to uh introduce himself since we we missed, uh you introduce yourself at the top of the hour. Please go ahead.

F

Hey everyone, um I'm novas recently joined the team and um yeah happy to be here.

F

Welcome.

D

Hi everyone, how are you hi, hi ronaldo, I'm good and you my name- is ronald I'm based in zimbabwe, I'm new to kubernetes, I'm here to learn.

A

Awesome you're uh welcome anytime and we're excited to uh see what you have to say. As you learn more.

A

And thank you for that link cecile to the issue blocking support. I'll put that in the notes.

A

All right do we have any more topics before we call this office hours complete today.

A

Okay, thank you all for joining and we will see you next time. Bye.