From YouTube: Cluster Addons meeting: 2020-07-07
Description
Meeting Notes: https://docs.google.com/document/d/10_tl_SXcFGb-2109QpcFVrdrfnVEuQ05MBrXtasB0vk/edit#heading=h.ddrn7k8vehon
A
Hey all, if you're joining us from YouTube in the future, this is the Cluster Addons call and it is July 7th, and we can chat about some things. Gonna be a smaller meeting, I think, because we are just coming off of the holiday weekend, and happy holidays to all of you. So we just kind of came up with two impromptu agenda items. One is to just quickly discuss some merged work. Justin and I have been working closely with Somtochi, who's our Google Summer of Code participant, and she has some cool things; we'll talk about that. And then we figured that we could use some of the time today to do a little bit of an overview of the kops PR, maybe get into a little bit of code review discussion. Thanks for joining. Does anybody else have any other agenda items? Feel free to pop them on.
A
So pull 68 for cluster-addons: Somtochi opened this patch, Justin and I reviewed it. I'll go ahead and link this here if you'd like to take a look. We ran into this, we've discussed this problem on this call before, which is that when you're building operators that are intending to take some ownership over other objects inside of Kubernetes, the permissions can be wide and sweeping. One of the most naive ways that you can deal with that problem is you can give the operator cluster-admin permissions.

So we looked around and we thought that it would be a solved problem, that you would be able to figure out what the minimum RBAC is for a particular set of objects, and there was no easy way to do that. So Somtochi built this RBAC generator. You can go ahead and look at this pull request if you're curious. I'm sharing it; it's this patch right here, which is pull request 68.
B
Think it might have made it in, I can't remember with it. Essentially, I think the initial genesis of this was just that when you're creating an add-on, if you want to add those permissions, you have to sort of do it manually and figure them out. So this tool started off as: here's a manifest, what are the additional permissions I need to apply to that manifest? Like, Somtochi basically discovered through trying to build one that that was one of the points of friction of building an add-on operator.

And I think what's interesting is then she identified that, you know, the requirement for a role: you know, when you want to create a role, you need the superset of that. And then I think what's very interesting is we took it from there to this idea of, I guess it's already... I like the idea of splitting out these permissions into separate files and applying them judiciously and perhaps in different phases. I can't remember, if I recall correctly, RBAC aggregation is in this PR, perhaps behind a flag, but we decided to merge it as it was because we could see that there was gonna be a stream of these ideas coming and we didn't want to, like, grow this PR infinitely. So we sort of cut it and merged it as at a given point, and I imagine there'll be more PRs in this stream, yeah, building this tool.
A
Other comments on here: we did talk about how this RBAC generation, being able to reduce the minimum permissions necessary to work with a particular set of manifests or set of objects, it's not just useful for add-on operators, but potentially for all sorts of automation or least-privilege access.
B
It's supposed to use the same code as is called by the kubectl CLI when you call apply, so by default client-side apply, and it just removes the requirement to bundle kubectl into that container image. And it made the image, I think she said, about half the size, which is great.
A
Binary, and this is something that we mentioned could be a great example of vendoring kubectl apply logic into another code base as an alternative for something like server-side apply, which is currently still behaving differently from kubectl apply. So this does the exact same behavior, more or less. We did find one.
B
We got a review. It was actually interesting because I think it's around the different behavioral models of operators versus the way kops has traditionally done it, where the manifests are pre-rendered by the client-side tool, and so people are concerned around the idea that the server now gets additional permissions. So for some people, that's not what they desire. So some people want the flexibility, the dynamic, like, live updating; some people want more on their side of control and, like, very methodical.
B
It opens up the idea that we can deploy operators in different configurations, including, like, moving the RBAC permissions into that pre-phase, so we can sort of move... The biggest concern is, of course, or one of the concerns is, the super powerful operator permissions.
B
So that's a... this is a continuum, and this is a step. It's a small step. It's not as far as one shot, but it does remove a lot of the permissions, not all the permissions, but it removes a lot of the permissions that the operator would otherwise need. So it's a good first step along that continuum that might make some people happy and also show that we can do this sort of thing.
D
Think it's more along the lines of, like, the RBAC generation mixed with something extraneous to the operator, or outside the operator, that is applying something. This is different in that that was up front on operator installation, and this is more like you don't explicitly have to write down what you need in your specification, right, because it's going by API requests. Now, this approach I'm describing now is kind of like, we can't know if an operator is gonna explode and back off, so it might not be great.
B
We know that the manifest is generally relatively static and we can generally just scan it and produce the RBAC that is required, including in diverse scenarios like where objects exist already, which is nice, I think. So I don't think we're precluding some form of dynamic discovery through the audit log or, like, a proxy or a kind or something, but I think there's, like, the easier or more.
A
I think it's not fundamentally different from what Nick is suggesting. He was just pointing out that you could use an API server proxy to catch these things at runtime and return errors at that interface. Ultimately, the operator would be using a Kubernetes client, so that proxy would need to talk like a Kubernetes API server, which means that the operator's errors feel kind of opaque.
A
That simply can know, you know, what its RBAC rules are and report that it's not compliant or that it's not going to be able to apply these things. Or it could even be at runtime, right, like you can determine at runtime: hey, I didn't have the permission to apply these rules, I need this list of things. And an example of where you could put that information might be on the custom resource that you're trying to reconcile, or in a config map for the operator, that could be applied by a cluster administrator.
A
Really, really interesting idea that I think would make the UX of, like, during these operators, much easier and potentially even allow for some machine-run mechanisms, right, to automate the management of these RBAC rules. Like, if you were... I really like it. Nick, you were talking about how there was a little bit of inspiration from, like, the Android user experience of permissions, right?
D
There, it'd be great to have a link here. Yeah. We were hanging it off something called the install API, which in itself is, like, in flux right now, because we're going through a lot of just questioning designs and design churn early on, so we're trying to make that process less effective, but I'll find it and I will post it here. But with respect to lazily evaluating this stuff, what you and Justin said are totally, totally fair. Yeah, I just wanted to throw the idea out there.
A
I think that this is super powerful, right, because in the fork workflow, right, let's say a user wants to add a Prometheus service operator, or sorry, a Prometheus service monitor, you know, like an object that they want to add to the manifest list or something. You could argue that maybe that's not the right thing to do, but a user wants to support their operator manifests and then point the operator to a new bundle. Then now it's not going to have RBAC, right.
A
So if you have some sort of lazy workflow, right, where you don't just get errors, right, there's actually an action that can be taken by the administrator beyond that point, to, you know, just copy and paste this thing, which is basically the Kubernetes YAML, you know, equivalent of pressing OK on a permission dialog on the phone or something, and that would be a really powerful kind of workflow.
A
Great, thanks for contributing that. Yeah, if you end up stumbling on the install API docs, please do post them here. Appreciate it. Will do. Great. Well, great, quick meeting, Jane. Awesome to hear from everyone. Assuming that we have nothing else that we want to discuss, it's cool to call this good, and we'll reconvene on some of these topics in two weeks or in the Slack channel in the meantime. Thanks, everyone.