►
From YouTube: Kubernetes WG K8s Infra Bi-Weekly Meeting for 20200513
Description
Kubernetes WG K8s Infra Bi-Weekly Meeting for 20200513
A
A
D
E
C
A
A
C
A
C
And
every
day
I
think
you
partially
paid
you
have
to
pay
for
storage
of
logs
as
well,
so
it
could
be
related
to
that.
If
we're
not
deleting
it,
then
it
would
be
constantly
growing,
but
I
guess
there's
going
to
be
a
bounded
time
period
that
we'd
store
it
for
I
don't
quite
know.
Actually
I
need
to
dig
in.
C
A
D
For
some
reason,
my
hardware
mute
got
pressed.
Can
you
hear
me
better
now?
Yes,
I
can.
Yes,
I
think
I
pressed
it
when
I
was
trying
to
make
you
go
louder.
I
don't
think
we
need
to
not
work
and,
like
I
don't
think
you
need
to
cut
back
sorry.
The
money
is
there
to
be
spent
and
we're
not
really
putting
a
dent
in
how
much
we
have
yet
okay.
So
I
I'm
not
worried
about
it.
A
A
A
A
D
D
Can
we
file
a
bug
and
get
somebody
to
like?
I
wouldn't
say
it's
urgent,
but
you
know
eventually
somebody
should
go
and
take
a
look
at
this
and
see
is
the
value
of
the
logs
commensurate
with
the
cost
of
them,
and
if
not,
should
we
change
logging
or
purge
logs
or
what
is
the
right
action
to
take
here?.
A
A
A
A
A
A
A
A
Would
be
number
one
so
greenhouse
is
our
basal
cache,
it's
basically
a
high
cpu
instance
to
maximize
iops
and
then
a
pod
is
scheduled
to
that
instance,
and
then
we
give
it
like
a
three
terabyte
ssd.
So
it's
got
all
the
iops
to
that
ssd
possible
and
then
anything
that
uses
bazel
and
is
configured
to
do
so
uses
that
as
a
cache,
it
provides
the
most
benefit
to
any
of
our
pre-submit
jobs
that
use
bazel.
A
A
The
build
cluster
that
is
used
over
in
google.comland
is
a
zonal,
build
cluster,
and
so
we
assume
there's
just
one
node,
that's
configured
as
a
high
cpu
node,
and
we
pin
greenhouse
that
since
we're
using
a
regional,
build
cluster
here.
If
I,
I
can't
create
a
single
node,
I
can
create
a
single
node
per
zone,
and
so
I'm
torn
as
to
whether
to
just
deal
with
it
and
have
the
other
two
like
special
nodes.
A
A
A
The
only
other
issue
that
has
been
encountered
occasionally
is
that
us
central
one,
sometimes
experiences
stockouts,
but
because
we
kind
of
keep
the
build
cluster
at
a
relatively
fixed
size.
We
don't
tend
to
bump
into
that,
so
I
could
also
just
tear
this
whole
thing
down
and
recreate
it
as
a
zonal
cluster.
I'm
a
little
concerned
about
doing
that
and
causing
some
downtime,
but
that's
that's
another
option.
D
Can't
we
still
configure
oh,
never
mind
if
we're
concerned
about
mastered,
like
a
control,
plane
downtime
across
things
like
upgrades
than
regional
matters.
If
we're
really
concerned
about
a
zonal
outage,
which,
honestly,
we
probably
should
be
it
well,
which
role
this
is
the
cash
for
all
the
builds.
So
if
a
zone
went
down
for
six
hours,
what
would
happen
it
would
be
all
ci
would
stop
for
six
hours
right.
F
No,
but
not
if
all
of
our
other
nodes
were
there
and
for
some
reason
we
couldn't
reach
them.
The
other
sorry
guys
we
don't
do
a
lot
of
adding
removing
nodes,
at
least
currently,
except
I
guess
during
like
upgrades,
so
that
hasn't
been
an
issue
in
years
so
far,
but
I
could
see
it
in
the
future
depending
on
how
we
were
managing
it.
Going
forward.
A
A
It
it
kind
of
doesn't
so
I'm
not
sure
you
know.
Option
d
here
would
be
figure
out
some
way
to
deploy
a
zone,
local
instance
of
greenhouse
and
have
each
zone's
node
pool
talk
to
that
instance
of
greenhouse
that's
a
little
more
complicated
than
I
have
time
for.
If
somebody
else
wanted
to
take
that
on
that
would
be
awesome.
I
feel
like
the
easiest
compromise
of
what
we
have
now
is
set
up
a
set
up,
a
a
node
pool
with
a
you
know.
A
F
F
D
D
A
A
D
A
F
F
D
A
F
A
Kind
of
can't
do
almost
any
pre-submit
job
without
greenhouse,
so
if
there
are
no
objections
I'll
just
do
it
the
the
slightly
manual
way,
I
was
suggesting
where
I
stand
up
a
node
pool
that
is
132
cpu
instance
and
then
I'm
going
to
manually
taint
one
of
the
nodes.
So
I
set
that
aside
for
greenhouse,
but
the
other
two
nodes
will
just
be
part
of
the
build
pool
that
everything
else.
D
D
D
D
A
A
I
really
want
the
end
state
of
all
this
to
be
that
community
members
have
this
ability
to
troubleshoot
what's
happening
in
this
cluster
and
then
a
smaller,
more
restricted
group
of
trusted.
Community
members
have
the
ability
to
write
things
into
this
cluster
or
or
help
mess
with
it
in
terms
of
troubleshooting.
A
A
D
D
A
B
A
D
So
I
don't
know
off
the
top
of
my
head
what
the
granularity
of
permissions
that
stackdriver
offers
is.
But
if
the
granularity
of
permissions
is
there,
then
we
can
go
figure
it
out
and
I
don't
have
a
problem.
Granting
access
read
access
to
this
pretty
broadly,
unfortunately,
there's
just
no
way
to
say,
like
everybody
on
the
internet
can
go
view
this
unless
we
turn
it
into
our
own
dashboard.
A
Yeah,
I
think
so.
For
example,
I
know
that
sig
node
is
working
on
improving
their
test
posture,
like
they're
kind
of
taking
a
look
at
all
of
the
node
e2e
test
jobs,
they're,
trying
to
figure
out
what
they
are
willing
to
support,
trying
to
figure
out
what
else
do
they
think
they
need
and
I'd
like
to
make
sure
that
the
people
you
know,
gets
access
to
all
of
the
troubleshooting
that
they
need
to
to
do
that
task.
G
G
To
it,
I
just
don't
know
how
to
do
it,
so
I
I
created
right
now.
There
is
a
test
test,
dashboard
graphical
dashboard,
on
a
which
I
was
playing
with
to
do
the
monitoring
it's
currently
on
my
domain.
It's
it's.
I
just
send
it,
but
it
is
the
grafana
working
already
there,
so
that
would
be
very
straightforward
to
just
connect
the
to
the
start,
driver.
A
That
that
might
be
cool,
I'm
operating
from
perspective
of
I
don't
have
a
lot
of
time
to
build
something
new.
If
somebody
else
wants
to
I'm
all
for
it,
I'm
not.
Definitely
I
can
can
do
it.
Okay,
I
I'm
viewing
it
as
like
when
I
was
trying
to
help
troubleshoot
what
was
going
on
when
all
the
node
e2e
tests
were
blocked.
I
had
to
be
able
to
go
to
a
project
page
and
be
able
to
view
all
of
the
recent
activity
on
that
project.
A
D
So
yeah,
so
we'll
just
need
to
figure
out
what
the
list
of
those
things
is.
The
activity
logs
are
interesting,
although
they're,
not
they
shouldn't
be
sensitive,
so
we
shouldn't
hesitate
to
grant
access
to
read
those
pretty
broadly.
I
think
I
I
yeah
the
audit
logs
just
seem
like
that.
One
oddball
case
okay,
audit
logs,
got
you
that
makes
sense.
G
A
D
Oh,
I
just
just
pasted
my
question.
I
was
just
poking
around
at
the
logging
in
the
boscos
nnn
clusters.
The
vast
majority
of
the
logs
look
like
they're
coming
out
of
I
mean
the
charge.
Is
just
these
log
lines
right?
What
would
happen
if
we
spun
up
those
clusters
without
logging
turned
on?
Is
the
law?
Are
the
logs
collected
some
other
way.
A
A
G
A
G
E
A
D
G
G
G
G
A
Okay,
two
quick
things
before
we
get
to
the
board
the
first
one's
kind
of
a
blocker
for
doing
more
stuff.
As
I
was
creating
pool's
projects
to
use
for
end
testing,
I
hit
the
billing
billing
quota
limit.
I
think,
like
the
number
of
projects
that
are
allowed
to
be
linked
to
a
billing
account,
so
I
opened
up
an
issue
where
I
described
the
questions
to
the
form
tim
said:
go
ahead
and
fill
it
out.
These
things
are
usually
auto
approved.
I
unfortunately
haven't
heard
anything
back.
A
B
A
Think
is
asking
for
a
staging
project.
I
can't
do
that
for
them
right
now.
I
could
try
as
a
workaround
or
to
temporarily
mitigate.
I
could
try
taking
down
the
number
of
projects
that
I
had
set
aside
for
and
then
testing
it'll.
Take
me
some
time
to
do
that,
but
that
might
give
us
some
breathing
room.
D
A
A
That
is
a
possibility.
It's
not
something
I
have
time
to
do,
but
we
could
have
somebody
revisit
the
entire
staging
project
and
bucket
and
service
account
so
on
and
so
forth
per
her
build
artifact.
I
think
I
think
I
kind
of
liked
the
having
a
project
per
thing
specifically
for
the
the
other.
The
reason
you
approached
me
claudia,
where
like
if
we
want
to
start
having
like
if
a
given.
A
Needs
a
specific
secret
to
build
their
thing.
It's
by
having
things
segmented
up
by
subproject
right
now,
only
they
can
have
access
to
that
secret.
That's
that's
really
great.
If
we
start
to
merge
everything
into
a
single
project,
google
cloud
build
will
always
run
as
the
same
service
account
for
a
given
project,
and
so
we
lose
the
ability
to
more.
A
Secrets
which
job
has
access
to
does
that
make
sense
yeah
I
see
yeah.
That
makes
sense,
but
that
is
another
mitigation
we
could
try
to
do,
but
I
I
feel
like
these
are
all
workarounds
around
the
fact
that,
like
really,
we
need
more
than
100
projects.
We
need
like
at
least
200
projects,
probably
more
like
300,
and
I
don't
think
projects
are
really
that
much
of
a
problem.
I
think
this
is
just
like
a
building
sanity
check.
Are
you?
Are
you
not
making
sure
we're
not
like
abusing
our
cloud
usage
or
something.
A
B
A
A
A
This
could
be
a
really
convenient
pattern
going
forward
where
each
project
gets
to
just
dump
secrets
in
there
and
then
google
cloud
build
will
automatically
have
access
to
those
secrets.
A
a
tighter
approach
that
I'm
kind
of
favoring
is
this.
This
windows,
docker
windows
certificate
might
be
neat,
might
need
to
be
used
by
multiple
jobs
all
over
the
place,
so
I'd
rather
constrain
access
to
just
that
secret
and
not
opt
to
have
that
secret
per
project
pattern.
A
A
A
G
G
D
G
G
A
A
D
D
So
we
are
disentangling
those
things
because
of
all
the
virus
and
stuff
it's
difficult
to
get
the
bandwidth
that
we
want
for
this
thing
that
isn't
super
critical,
that
some
of
these
other
teams
to
help
us
with,
and
so
we're
just
fighting
for
a
priority
to
get
these
disentanglements
done
at
this
point,
you
know
we're
still
we're
basically
day
for
day
slip
like
we
have
a
few
days,
maybe
a
week's
worth
of
like
work
to
do
by
these
teams
and
every
day
they're
not
doing
it.
It
gets
pushed
out.
D
D
G
D
D
D
G
E
A
A
G
B
It
I
think
that's
should
be
everything
should
be
finished
there.
Augustus
did
go
with
the
suggestion
by
tim,
which
is
instead
of
duplicating
everything
either
by
simulinks
or
duplicating
we
linus
suggested,
or
at
least
that
was
the
result
was
that
we
can
just
add
another
promotion
target
which
is
the
root,
and
then
it
will
duplicate
them.
A
A
We
use
a
tool
over
intestine
for
land
called
pr
creator,
which
will
automatically
create
a
pull
request
of
a
given
it'll
like
push
to
a
given
branch
or
force
push
to
that
given
branch,
and
it
will
create
or
update
an
existing
poll
request,
that
is
from
the
net
branch.
It's
how
we
have
a
pull
request
out
there
to
bump
prow
and
all
of
its
stuff
to
the
latest
versions.