►
From YouTube: Kubernetes SIG K8s Infra - 2021-09-29
Description
A
All
right,
hi
everybody
today
is
wednesday
september
29th
and
you
are
at
the
sig
kate's
infra
bi-weekly
meeting.
I
am
your
host
aaron
kirkenberger
aka
aaron
of
sig
beard,
also
known
as
spiff
xp
at
all
the
places,
and
we
are
all
being
publicly
we're
all
being
recorded.
This
meeting
will
be
posted
to
youtube
publicly
later
and
we
can
all
go
watch
ourselves
adhere
to
the
kubernetes
code
of
conduct
by
basically
being
our
very
best
selves
to
each
other.
A
A
D
D
So
one
of
the
things
that
came
in
to
the
security
channel
for
sig
docs
recently-
or
I
should
say
you
know
six
months
ago
or
so-
was
the
lack
of
caa
records
on
the
kubernetes.I
o
domain
and
for
those
who
aren't
very
familiar
with
caa
records.
It
is
basically
the
validating
authority
of
who
can
issue
certificates
against
any
fqdn
or
any
domain.
D
And
what
happens
is
you
can
have
a
list
of
certificate
authorities
that
are
like
a
approved
list
of
who
can
issue
kubernetes.io
certificates?
And
today
there's
nothing
said
so.
For
example,
if
you
had
a
way
to
validate
ownership
by
either
running
a
service
or
dns
queries
or
some
sort
of
way
to
circumvent
this,
you
could
potentially
issue
a
certificate
representing
that
service
as
being
kubernetes.io.
D
There
is
a
public
log
of
all
the
certificates
issued.
I
don't
know
the
time
frame
of
how
far
back
that
public
law
goes
to.
You
can
search
as
public
log
or
public
records,
of
all
the
certificates
issued
for
domains
and
what
I
came
back
with
on
the
kubernetes.I
one
was
google
pki
at
some
point
in
the
past.
D
That
is
not
one
of
those
two
cas.
It
will
fail
once
that
pr
merges.
I
think
the
risk
is
relatively
low
in
the
sense
that
we
can
easily
revert
this.
The
my
fear
or
my
reluctancy
would
be
unintended
consequences.
I
can't
foresee
any,
especially
when
we're
talking
certificates-
and
hopefully
I'm
not
foot
gunning
here,
but
when
we're
talking
about
certificates,
hopefully
the
renewal
process
and
the
actual
act
of
issuing
certificates
isn't
done
just
in
time.
It's
done
before
a
certificate
expires
before
a
service
goes
live
or
something
of
that
nature.
D
D
However,
I'm
not
really
against
the
idea,
one
way
or
the
other,
so
we
can
definitely
raise
visibility
if
we
think
it
would
help
and
it
adds
you
know
more
signal
and
less
noise
than
my
opinion
and-
and
I
think
we
merge
this-
we
see
what
happens
if
nothing
within
a
week
or
two.
We
opened
the
k8.iopr
merged
that
and
we
might
even
consider
at
some
point
even
trimming
that
down,
because
as
of
right
now,
I'm
only
aware
of
netlife
being
the
issuer
of
kubernetes.io
and
case.io
certificates.
A
Pressing
that
every
button,
because
I
didn't
understand
the
full
context
of
the
change-
I
appreciate
you
coming
by
to
explain
it.
I
think
I
think
you
sort
of
provided
that
on
the
pr
as
well.
I
just
hadn't
thought
I
didn't
feel
like.
I
had
consensus
from
enough
people
to
say
like
let's,
just
let's
just
merge
it
and
find
out
what
happens
so
for
your
historical
context.
A
D
A
Tim
hawkin
we
now
use
gke's
managed
certificates
for
the
majority
of
our
stuff.
I
think
we
have
one
lone
circ
manager
instance
hanging
out
there.
That
still
goes
through.
Let's
concrete,
I
agree
with
the
like.
I
was
planning
on
pressing
the
approve
button
during
this
meeting,
and
just
I
think
it's
raising
the
signal,
maybe
sounds
like
a
good
idea.
I
view
it
as
an
asking
forgiveness,
not
permission
sort
of
thing,
just
like
hey
fyi.
C
D
D
Cool
that
sounds
good
to
me.
The
one
other
thing
I
don't
think
we're
going
to
get
an
answer
here
is
looking
at
historical
records
of
who's
issued
certificates
for
these
domains
case
that
I
also
includes
aws,
pki
or
ca
certificate
authority.
I
have
no
context
on
where
that
issuer
would
have
came
from
at
some
point.
That
happened.
D
I
don't
know
if
it's
actively
happening,
but
one
of
my
ideas
being
is:
let's
not
break
anything
that
previously
is
existing
in
those
historical
records,
we'll
include
those
as
being
allowed
per
se,
and
then
we
could
potentially
evaluate
and
make
the
move
from
there,
but
wanted
to
raise
awareness.
I
thought
that
was
a
little
funky
from
the
case
that
I
owe
perspective.
A
D
Yeah
definitely-
and
it's
in
the
pr,
I
believe,
I'll-
pull
up
the
executive
link,
because
I
had
this
giant
synopsis
of
how
I
was
testing,
because
I
wasn't
totally
comfortable
with
octo
dns
and
so
it's
buried
in
there.
Let
me
figure
out
what
that
actual
link
is
okay
and
it's
still
relatively
new
to
me
as
well.
I'm
not
sure
exactly
where
this
historical
record
is
kept
house
maintained
where
the
data
is
coming
from,
but
the
fact
that
it
did
return
the
actively
valid
ones
that
I
was
aware
of
plus
some.
C
A
A
search,
console
access
for
the
website
for
sig
docs
maintainers,
so
that
you
could
better
understand
like
who's
using
the
website
and
how-
and
that
seemed
like
a
perfectly
reasonable
request,
but
it
was
like
vaguely
unclear
who
already
had
access
to
it
or
something
I
feel
at
this
point.
I
I
have
the
same
kind
of
reason:
arno.
A
Verifies
the
site
for
a
kubernetes.io
account
that
we
own
and
from
there
I
think
we
can
work
on
delegating
that
out.
I
I
think,
I'm
not
sure
this
one
requires
as
much
visibility
to
kubernetes
dev
in
terms
of
racing
signal.
I
think
I
am
going
to
go,
make
sure
tim
hawkins
and
some
of
the
other
usual
suspects
are
made
aware.
D
D
You
name
it,
and
so
I
think
this
is
just
a
artifact
of
the
folks
who
previously
had
access
have
moved
on
and
that
access
is
no
longer
given
to
the
current
docs
co-chairs.
Right
now.
I
think
there's
a
few
of
these
that
might
come
through.
I
have
no
problem
with
them
merging
as
this,
but
I
believe
the
historical
context
that's
missing
here
is
those
that
did
have
access
went
away.
D
D
C
C
A
All
right,
then,
I
will
follow
up
with
you
on
that
offline.
I
okay,
I
personally
and
I'm
like
I'm
trying
to
get
to
a
point.
Maybe
it's
a
bad
single
point
of
failure
where
there's
one
account
that
is
like
workspace,
super
admin
and
also
has
the
ability
to
hand
out
credentials
for
things
like
analytics
and
the
search
console
and
whatnot,
and
so
I'd
rather
see
if
we
can
get
that
hooked
up,
but
maybe
I'm
creating
too
much
of
a
spot
so
we'll
take
it
off.
A
C
A
D
A
A
C
C
B
C
Basically,
none
of
the
chair
of
our
technicalities
of
this
group
will
attend
the
los
angeles.
We
want
to
do
only
virtual
and
I
talk-
and
I
talk
to
some
the
summit
staff
about
that,
and
they
told
me
I'm
fine
to
brand
my
own
things.
So
if
you
can
have
a
meeting
from
10
to
12,
we'll
be
fine
or
less
on
that,
but
just
send
it
send
a
notification
out
there
and
say
to
people
hey.
We
have
something
during
kubecon
comment,
talk
to
us
I'll,
come
and
ask
a
question:
that's
it.
D
A
Having
this
meeting
and
then
having
just
an
extra
hour
after
that,
just
kind
of
hanging
around
for
whoever
wants
to
show
up
like
the
only
and
I
don't
particularly
care
about
having
an
agenda,
I
would
say
if
we
talk
about
future
plans,
I'd
want
to
make
sure
that
no
decisions
are
made
at
this
time.
It's
the
sort
of
thing
where
I
want
to
include
and
be
inclusive.
I
think,
like
it'd,
be
a
great
chance
to
talk
about
ideas,
hopes
and
dreams,
ponies
and
unicorns
sports
cars
and
horsies,
so
that
that
sounds
good.
A
C
B
B
D
Yeah
I
threw
in
chat
there
too.
I'm
gonna
try
to
capture
these
findings
on
the
pr
itself.
So
if
anyone
else
digs
up
this
old
issue,
it
digs
up.
You
know
if
there's
any
sort
of
dust
up
from
this,
or
even
you
know,
six
months
or
a
year
from
now
capturing
that
in
the
pr,
as
well
as
the
case
that
I
owe
one.
D
But
it
sounds
like
all
of
the
certificate
authorities
that
that
ssl
tool
that
I
linked
in
the
chat
there
came
back
with
are
all
at
least
accounted
for
was
one
way
or
another,
and
so
it
sounds
like
they're
all
valid,
and
we
shouldn't
really
go
about
trimming
down
that
list,
as
as
far
as
we
know
in
our
purview
that
list
that
we're
providing
for
the
caa
is
accurate
and
valid.
Today,.
A
F
F
We
do
it
and
be
excellent
to
each
other,
so
he's
driving
that
quite
hard
with
the
cncf
and
just
letting
the
folks
in
infra
know
that
we're
pushing
this
way
beyond
us
and
make
sure
that
everybody
that's
doing
open
source
cloudy
things
in
cooperation
with
us
and
the
cncf
will
have
the
infrastructure,
the
people,
the
support
to
do
great
things.
So
that's!
F
What's
all
about
so
have
a
look
out
for
that
at
the
cncf
cloud
native
conference
awesome,
and
if
your
employer
is
available
to
do
some
things
in
this
space
there
will
be
a
page
where
you
click,
and
we
will
talk
to
you
about
the
great
things
you
want
to
contribute.
So
that's
fantastic,
so,
okay,
that
is
it
on
that
topic.
A
F
Yeah,
no
he's
is
really
trying
to
get
that
culture
cultivated
everywhere
where
we
are
so
yeah.
Thanks
for
everybody
for
cultivating
that
within
our
group
and
the
next
topic
is
carried
over
from
last
week,
I
had
a
look
at
the
the
data
logs
for
downloading
artifacts
and
just
an
interesting
thing
that
I
noted
in
august
there's
a
quite
a
big
drop
in
the
number
of
downloads,
but
cost
stayed
roughly
the
same,
which
was
interesting.
F
I
did
try
to
get
the
slides
to
load,
to
show
you
where
we
are
now,
but
it
is
sticky
because
we
have
in
data
studios,
26
billion
rows
of
data,
that's
being
processed
now
to
get
this
report
out.
So
it's
really
a
massive
amount.
We're
talking
since
april,
we're
talking
about
85
million
gigabytes
of
data,
13
million
unique
ip
addresses
and
710
images.
Unique
images-
that's
been
downloaded,
so
that's
just
some
information
to
share
that.
Unfortunately,
I
can't
get
the
live
data
to
come
up
the
show,
because
data
studio
is
just
struggling.
A
F
There
should
be
some
smarter
ways
to
deal
with
the
data
and
then
also
out
of
this
information.
We
are
talking
to
all
different
providers
to
try
and
see
how
we
can
get
the
cost
and
and
the
amount
the
traffic
shaped
in
a
way
that's
going
to
be
beneficial
for
the
community.
So
by
the
time
we
wanted
to
get
the
release
artifacts
over.
We
have
some
sufficient
room
for
for
that
to
to
get
into
our
budget
as
well.
A
A
But
it's
it's
more
than
just
the
management
of
like
compute
to
network
and
storage,
because
cloud
clouds
offer
so
much
more
than
just
raw
compute
networking,
storage
and
so
we're
responsible
for
the
management
and
health
of
anything.
You
can
reasonably
expect
to
provision
from
a
cloud,
but
that
boundary
is
drawn
to
signify
that
we
do
not,
for
example,
manage
netlify.
A
A
C
So
historically,
the
mission
of
this
group
was
migration
from
google
to
a
google
organization
to
a
community
organization,
and
we
we're
working
on
that.
But
once
the
migration
is
over,
the
main
role
of
this
group
would
be
to
maintain,
operate
and
evolve
or
also
browse
the
new
services
for
the
community.
So
the
current
set,
the
current
charter,
described
two
aspects
of
this
group,
so
the
migration
and
the
current
states
of
kids
ever.
A
D
A
A
A
D
A
To
group
memberships
that
they
own
without
having
to
bug
anybody
the
owner's
piles
here,
basically
the
sig
release
leads,
have
approval
rights
to
works.
I
have
greatly
it
took.
It
took
a
little
while
to
like
shuffle
everything
into
these
subdirectories,
but
it's
worth
it
because
now
I
don't
have
nearly
as
many
prs
that
I
have
to
handle.
A
It
means
that
if
you're
part
of
a
sink,
you
can
totally
manage
your
groups
way
faster.
It's
the
same
sort
of
self-model
service,
self-service
model
we
use
for
crowd
jobs,
another
one
that
recently
happened,
shiny
graphs.
So
it's
basically
when
we
first
provisioned
prowl
a
while
ago.
We
ran
into
problems
of
like
capacity
issues
and
it
seemed
like
we
were
definitely
giving
proud
jobs,
sufficient
memory
and
cpu
capacity.
A
A
So
I
did
a
quick
experiment.
The
old
network
attached
ssds
on
the
left,
the
new
local
ssd,
is
attached
on
the
right.
You
can
see
there's
way
less
throttling
happening,
so
we
migrated
everything
over.
I
managed
to
cost
out
that
it
actually
costs
us
slightly
less
money
for
this
setup
and
we
get
significantly
better.
I
o
you
can
see
a
shiny
graph
where
the
amount
of
throttled
I
o
dropped.
A
So
most
of
our
jobs
really
aren't
throttled
anymore.
What
remains
is
throttling
that
happens
when
a
node
is
first
provisioned
during
auto
scaling,
which
is
super
cool.
Sadly,
I
haven't
actually
seen
much
of
a
performance
change.
In
our
times,
so
I'm
not
sure
that
io
was
really
the
point
of
contention
that
everybody
was
hoping
or
thinking
that
it
would
be,
but
I'm
glad
to
at
least
have
taken
that
off
the
table.
A
So
as
we
look
to
optimize
our
jobs
to
have
people
waiting
around
less
time
for
their
pr
to
merge,
we
can
figure
out
what
the
actual
things
are.
We
should
be
optimizing
just
wanted
to
shout
out
a
contributor
who's
taken
up
the
fact
that
we
have
this
group's
reconciler
that
that
reconciles
all
those
groups
using
all
those
yaml
files
that
I
said,
but
there
are
no
unit
tests
for
the
reconciler
itself.
A
We
have
like
a
couple
tests
to
make
sure
that
the
yaml
files
are
formatted
correctly,
but
we
don't
have
any
unit
tests
that
define
that
the
reconciler
won't
accidentally
all
of
the
groups,
and
so
we've
had
somebody
who's
sort
of
breaking
up
or
broke
up
the
code
into
more
mockable
pieces.
So
we
can
actually
swap
out
a
mock
service
for
a
live
service
and
start
to
make
sure
that
things
don't
accidentally
get
deleted.
A
A
A
Under
the
requirements
heading,
basically,
you
get
to
have
a
staging
project
if
it
is
to
host
images
that
are
created
by
code
that
lives
in
one
of
the
github
organizations
that
the
kubernetes
project
manages,
which
github
organizations
are
those.
You
click
this
link,
and
you
see
it's
one
of
these
kubernetes
communities,
client
csi,
sigs,
I'm
going
to
ignore
these
other
two,
but
basically
that's
the
rules
and
then
so
examples
of
what
that
means
is
like
cryo
used
to
be
part
of
kubernetes,
but
is
now
its
own
project.
A
A
A
I
just
wanted
to
give
a
shout
out
to
everybody
who
helped
this
one
get
this
one
over
the
line
so
back
in
january.
You
know
we
renamed
the
default
branch
for
this,
for
the
repository
that
we
work
on,
we
renamed
it
from
master
domain
and
that
process
was
relatively
quick.
We
got
most
of
it
done
within
a
month
or
so.
A
This
was
like
the
first
repo
to
actually
make
the
move,
so
we
stumbled
into
all
the
little
roadblocks,
but
the
much
harder
annoying
thing
was
everybody
links
to
our
repo
and
they
all
use
master
when
they
do
it,
and
so
I
finally
managed
to
use
cs.kates.io
to
generate
a
checklist,
and
these
were
all
of
the
repositories
that
needed
pull
requests
made
against
them,
and
so
I
just
wanted
to
shout
out
in
the
bottom
here.
Everybody
listed
here
helped
open
pull
requests
to
get
this
over
the
line.
A
A
A
C
A
A
D
A
Next
I
wanted
to
so.
This
is
basically
like
walking
the
board,
but
using
a
google
doc.
I
walked
through
everything
that
was
done
since
we
last
talked.
I
wanted
to
walk
through
and
try
and
unblock
things
since
we
last
talked
so
we
already
unblocked
on
the
dns
stuff.
I
wanted
to
just
check
in
on
migrating
cs.kates.io
to
kate's
infra.
I
have
seen
pr's
from
jim
the
second,
the
first,
whichever
arno
has
his
hand
up,
so
I
think
I'm
going
to
defer
to
arno.
C
And
so
basically
I
went
to
the
culture-based
meeting
today
and
I
asked
if
the
interest
to
basically
be
the
sake
owning
concert
so
far
to
record
anything
running
inside
cancer
front
need
to
be
on
by
a
sig
or
a
working
group.
So
I
I
still
I
asked
to
seek
country
bags,
the
the
signature
and
the
technique
that
they
need
to
discuss
about
this.
But
ultimately,
now
we
are
saying
we
don't.
We
can
be
the
same,
owning
concern.
A
A
About
standing
this
up
like
a
slightly
different
domain
for
a
little
bit,
so
we
could
make
sure
that
this
works
before
we
take
away
cs.kates.if
before
we
shift
traffic
over.
I
only
say
this
because
I
I
really
really
depend
on
cs
decades
that
I
owe
a
lot
so
I
just
I
will
definitely
use
the
canary,
but
if
the
canary
is
broken,
I
want
to
be
able
to
switch
back
to
the
normal
thing.
C
E
A
I
I
figured
yeah
like
I
just
haven't
looked
at
the
pr's
yet
so,
if
me
looking
at
the
pr's
is
part
of
what's
blocking
this
I
will.
I
will
seek
to
review
them,
but
I
I
think
I
would
kind
of
prefer
sick
contributor
experience
own
this
if
they
are
comfortable.
But
if
it's
about
unblocking
you
I'm
cool,
saying
like
we're
the
same
for
now,
it's
it's
really
not
hard
to
change
the
labels
later.
It's
totally
fine.
A
Much
appreciated
the
other
one
was
something
I
said
I
would
have
an
update
on
by
this
time.
I
don't
have
much
of
an
update,
so
this
is
basically,
I
kind
of
need
to
really
help
us
figure
out.
What
what
is
the
plan
for
crowd.cates.io
like?
Are
we
actually
going
to
try
and
cut
this
over
before
some
critical
dates
in
the
123
release
schedule
and
if
we.
B
A
A
Stop
using
that
and
start
using
this
other
bucket,
I'm
not
quite
sure
how
we
support
redirects.
So
we
just
we
just
need
some
time
to
sort
of
think
through
the
level
of
breakage
that
we're
talking
about
if
it
is
a
matter
of
like
we'll,
accept
the
breakage
or
whatever.
But
we
do
want
to
proceed
with
a
like,
shut
everything
down
and
turn
everything
up.
C
This
is
a
very
long
conversation
because
one
of
the
way
to
success,
the
migration
should
be
to
finish
the
microsoft
or
the
2000
job
we,
the
sig
use,
so
everything
that
press
is
just
kubernetes
kubernetes
jenkins
and
that's
great,
that's
one
approach,
but
the
problem
with
is
not
the
problem
is
from
my
perspective.
I
don't
think
this
k104
can
enforce
a
policy
forcing
the
odyssey
to
migrate
over
the
next
three
months.
I
felt
like
this
policy
should
come
from
sick
testing,
but
I'm
not
sure.
A
Yeah,
no
I'm
totally
happy
to
like
take
off
my
sig
caden
for
hat
and
put
on
my
sick
testing
hat
and
say
yeah,
I'm
totally
willing
to
like
put
out
a
threatening
deadline.
That's
like
we're.
Gonna
reduce
the
capacity
of
the
google.com
build
cluster
by
like
for
like
we're,
just
gonna
cut
it
in
four
and
who
knows
if
your
job
will
still
run
we'll
find
out,
but
if
you
do
actually
care
that
it
still
runs,
you
can
get
it
to
run
over
here.
A
A
So
I
don't
think
it's
necessarily
a
technical
blocker.
It
might
be
a
question
of
optimization,
it
might
be
a
question
of
funding
or
it
might
be
a
question
of
you
know,
project
policy
like
do
you
really
need
these
jobs?
Do
you
really
need
them
to
run
this
frequently
or
as
pre-submits
instead
of
periodics,
so
on
and
so
forth?
B
A
Yes,
I
agree,
so
I
created
an
issue
a
while
ago
about
like
hey.
Actually
it
was
about
a
year
ago
ish.
I
think
we
should
have
a
budget
and
we
should
make
sure
we
get
alerted
if
we're
gonna
blow
our
budget.
I
feel
like
it
is
really
important
that
we
do
that
now,
so
I
bumped
this
up
to
critical,
urgent
and
yeah.
Maybe
I
should
reconnect
with
y'all
and
hit
me
to
figure
out
sort
of
what
the
plans
are
to
mitigate
storage
costs,
but.
A
A
A
Having
said
that,
I
will
still
try
and
think
through
and
work
through
what
are
the
like
technical
implications
of
migrating
proud.
But
it
sounds
like
you
all
also
have
some
good
ideas
there
as
well.
So
maybe
I
can
draft
a
new
google
doc
or
pick
up
the
old
google
doc
and
try
to
like
start
just
the
spitballing
ideas
there.
So
we
can
figure
out
what
what
are.
A
B
C
C
B
A
A
B
I
don't
want
to
cut
you
off
aaron.
This
has
happened
for
like
the
past
four
five
six
meetings
where
we
haven't
made
it
through
everything
on
the
agenda
do
do
we
need
to
consider
moving
this
to
every
week
instead
of
every
other
week.
I
know
people
hate
more
meetings,
but
I'll
be
that
guy.
That
suggests
that.
A
A
Happy
to
talk
about
this,
a
lot
more
in
slack
and
in
case
infra,
I'm
pretty
active
there
it
it
makes
me
slightly
uncomfortable
when
it
turns
into
aaron's.
Looking
for
lgtm
channel,
I
mean
I,
I
appreciate
all
of
you
who
to
do
slap
on
that
lgtm.
It
helps
me
move
forward
and
I
generally
hope
great
things.