From YouTube: Kubernetes WG K8s Infra - 2021-03-31
A: Okay, hi everybody. Today is Wednesday, March 31st, and this is the Kubernetes K8s Infra working group bi-weekly meeting at its new time, 8 pm GMT, whatever that comes out to locally for you all. We're going to adhere to the Kubernetes code of conduct in this meeting.

A: If you have any problems with the conduct in this meeting, please reach out to conduct@kubernetes.io, or I'm also happy to chat with you privately. I'm spiffxp on GitHub and Slack and all the places. This meeting is being publicly recorded, and hopefully it will automatically post to YouTube later.

A: I don't have Tim here to sort of cross-check me against the actual GCP billing thing, but I feel like we've basically confirmed over time that the numbers match up, so now it's about any expected bumps or...

A: Trends. And yeah, I don't know, just sort of roughly comparing this to what we looked at last time, it's about roughly the same spend rate. We're seeing less overall compute being used, which is probably because we had the run up to code freeze for v1.21 a couple weeks ago and now we're actually in code freeze.

A: So I feel like it would be worth opening up an issue. I know that I participated in the removal of the... there was like a vulnerability dashboard that was supposed to be showing sort of publicly what all of the vulnerabilities were for the various images hosted in, I think, k8s.gcr.io, and it was disabled for reasons that I am not privy to, but I believe it was something security related. Okay.

C: I have some context, or I'm not sure how much I've had, but I remember I spoke with Justin Augustus, or I guess Stephen Augustus, about that, and apparently he told us, I guess this is hearsay, but he told me that he turned it on for k8s-artifacts-prod, but then got a ping from somebody else in the community saying maybe we should not have this on, because I think it was publicly visible, yeah, like the dashboard and stuff. So then they just briefly, yeah.

A: Sure, yeah, so that's why I'm suggesting, maybe Arnaud, it would be great to open up an issue so we could follow up on this. Yeah. If it was about like removing public access, I could have done just that, but I was asked to remove like service accounts and a whole bunch of supporting infrastructure, so I think it's an open question whether we should have container vulnerability scanning enabled by default or not. I still feel like...

A: That's the vision, so having it enabled at least gives us a sense of what the resulting spend is. And then I guess sort of my only other question would be sort of confirming that k8s-staging-ci-images actually has a lifecycle enabled on it and we're actually like deleting images there.

A: If I remember correctly, we have an open issue somewhere about the fact that we don't actually have automatic expiration of images in our staging projects. We do for some of the buckets, but GCR by itself natively does not support, you know, auto-removing images after a certain number of days.

A: I think there are third-party tools out there that could do this for us. I may have even linked it in whatever the issue is, I just don't have it handy right now, but yeah. Thank you for raising that. And maybe everybody here already knows, but the reason you see so much compute for the artifacts project is because that's the way that network egress is billed.

A: Okay, AI review. I did not do a good job of actually categorizing AIs last time. I know the big one was to schedule this new meeting, so thank you all for your patience in me figuring out how to calendar across multiple time zones.

A: Yeah, the only other AIs I see are: Mashley showed up last time to talk about sort of expectations.

A: You know, what does it take to get us to 24/7 on call, and we'll follow up on that when we see more of a document. Okay, so the first two topics here are from Justin, who is unfortunately not present at this meeting.

A: Yeah, I legit am not as deeply involved in that document right now, so I certainly can't answer it; we'll punt those to next time. Justin's second item was about an alternate approach for managing AWS accounts, which I will follow up on, that PR, as I have time and bandwidth. Okay, next up, Claudiu, you wanted to talk about creating a registry for private images to be used in some e2e tests.

E: Yeah, there are a couple of tests which require some registries to be private.

E: So that's currently my question at the moment. After that, I think we can actually use the same staging registry we already have for the other e2e test images to promote from the staging to the private, not dedicated, e2e test images registry, and then basically we won't have to have different jobs for the same images. We can use the same jobs.

A: The way I would implement that is by probably updating the ensure staging storage script and adding some sort of a special case block there to like make a private registry, or make one of the staging projects a private registry instead of a public registry. Something like that. The way we're standing up projects, we don't allow...

A: We only allow bucket-level IAM policies instead of object-level IAM policies, which means if we want a private registry, the whole registry, the whole bucket, needs to be private. So to me that would be a separate staging project just for private stuff. But like, more specifically, to dig into these, the two that I'm aware of are authenticated image pulling and k8s authenticated test. I really want somebody from the SIGs that own these tests to kind of speak to like what is the purpose of these tests, and are these...

A: Are these necessary? I don't have the context in my head right now, but I feel like when I was looking at k8s authenticated test, for example, it was not clear to me that we were actually testing authentication or not.

E: Some... sounds like something that kubelet should be able to do anyways. And the other two tests, basically they are the same scenario: it's for a replication controller and the other one for the replica set. Basically, it's trying to spin up an agnhost test web server pod and tries to run a couple of commands against it.

A: Yeah, and as I'm looking at one of the issues, somebody from, I guess, somebody wanted a more recent version of Windows Nano Server in the authenticated image pulling project.

A: I figured that might be why you're here. So I feel like a staging project that is specifically for private images sounds great, and then, if you have the time to read through the existing set of scripts and functions and stuff inside of the ensure staging script, you might be able to see how it sets up a GCR registry. I'm pretty sure what we could do is like make one as usual and then have a special case.

A: This is the sort of thing that, yeah, it's a great time to be talking about it. I don't really anticipate us moving much on this until after 1.21 goes out the door, but yeah.

A: Okay, thank you for taking some notes, Linus, I appreciate it. I can't kind of walk and talk and type at the same time. Any other questions on that?

E: Not for me, yeah. No, just actually one other thing: we are going to need some authentication token, which we will then hard code into the test itself. How can we get that afterwards?

A: I'm honestly not sure off the top of my head. Yeah, let's iterate on that offline. I feel like it was something like somebody set up a service account and then copied out the key or something from that, so it might have to be something similar.

A: Typically, I'm trying to get us to follow a policy: if there's ever a secret that corresponds to, say, a service account key or something, we also try to keep it in Google Secret Manager so that we kind of have a backup there that's accessible to the right people, if need be. Yeah.

A: Like, part of my problem with these tests was, I know there are a bunch of people who, when they're running in an air gap environment, they need to like pull all the images down, and it's completely possible for them to pull the private image into a public repository, or like a repository that doesn't have any authentication, and the test will still pass.

A: Yeah, so I guess I had also wondered if there was a way to sort of rewrite the test so that it explicitly, you know, fails if it's pulling from a non-private registry, but anyway, we can talk about this in the issue.

E: Actually, we could add another check for that, but yeah. Definitely that's a good idea too.

F: Yes, we got through all the legal entities with CNCF. They gave us the policy, the whole team signed, so the policy is done. We're still waiting for some contract information, which is not directly related, but the policy will be adding them to that contract. So the policy, you did ask, Aaron, if you can see it. If you care, I can just drop you a message with the policy; it's super generic.

F: Good, I'll share it with you after the meeting then. Also, specifically, they asked to mention that Google legal also have the documents, so it's been communicated that they saw communication between their legal and Google legal, so everybody's happy, everybody's arranged.

A: It would be even cooler if you figured out how to, if you could update, I don't know which script it is, I think it's like ensure prod storage or something, but if you can't, eventually, when I get time to approve the creation of that group, I will then take that as the opportunity to look into enabling GCS access logs and then restricting access to those just to that group. Yeah, I also know in my backlog somewhere is to like create a playground type of project or sandbox project.

A: For you all. I just haven't had the time to get there yet.

A: Arnaud, I'm gonna hand over to you for the next item while I try to type up what I just said.

B: Okay, so basically, as you know, we are in the process of migrating Prow to the community infra, and I'm about to set up a staging instance of Prow. But before that I need a GitHub token that will be used by Tide and basically all the components of Prow, and I need to decide, we need to decide, from which account we need to take this token. Is it the current k8s-ci-robot, or do I need to create a new bot robot for that?

A: The reason is that the GitHub rate limit applies to an account as a whole, so the situation you would not want to happen is, if you spin up a staging Prow that's using the same account and then it starts draining tokens and we kind of don't know why on the actual prod prow.k8s.io.

A: So that's why I like the idea of a separate account, and I'm glad Christoph is here to put on his GitHub management hat as well. It kind of felt to me like this is the sort of account we might want the GitHub management team to have the credentials for or be the owners for. Like, it just wasn't clear to me whether I could say, hey, just create, like, a Google group, call it...

G: But the only thought that I had is, like, either way we need to be explicit about who's in that group, because, in addition to the email, we'd have to figure out how we're handling two-factor on a new account and making sure that everybody is set up with their proper two-factor credentials to be able to log into that account, if we need humans to actually log in and administer that account.

A: I can tell you the way things are done with the k8s-ci-robot account today, and maybe we can talk about what we want to improve on that. So today, that account is hooked up to...

A: It ends up getting forwarded to the set of people inside of Google who are on call, so that if something urgent happens, like they need to quickly kill off the old tokens and create new ones or something as part of their on-call duties, they can log in and do that. As far as logging in goes for 2FA, I think...

A: They can just use one... I think we have like the one-time passcodes stored in our internal secret management system, and so somebody can use that if they are unable to get a hold of whomever has the 2FA app on their phone.

G: Yeah, I know, well, depending on how the scope and how big the group is and that kind of stuff, I know you could use, like, you can register multiple U2F tokens against a single account, so you could have, like, if everybody in that group has like a YubiKey or some other U2F token, you could register that. You can register multiple U2F tokens against an account. You can also use the same U2F token on multiple accounts.

G: Like, for example, I have a sock puppet GitHub account that I use for testing things, and I use my same YubiKey to log into both, and I have a main YubiKey and I have like a backup YubiKey that's stuffed in a vault in case I lose my main one. So there are some things we could do around those physical fobs.

G: That would definitely be better than like the one-time backup codes stored in the password manager, but having the one-time code stored up in a password manager, you know, shared, like, you know, a shared password manager, probably also gives it the bad idea anyways. If everybody loses their stuff... but that also, yeah, it's definitely not the fastest way to access things.

G: Basically, what I'm saying is, I think there's something bad about the way that we're currently doing it with the current k8s-ci-robot account, but it still, I think it ends up just coming down to, however we do it, it just needs to be like a group of people that all say, yes, we accept being able to log into that account, because, yeah, that's the one.

G: Okay, that's like, that I can see being like the most urgent thing that we would have to do. If, like, you know, even if the current Prow was completely broken, like the main prod Prow, if it was broken for a few hours, it would be a big deal, but it wouldn't be like an urgent, urgent deal. If the current Prow token, which is an owner on everything, got leaked, that would be a much, much bigger deal, a much more urgent thing to deal with.

A: Okay, yeah, ideally it's the same group of people who are on call, but right now our on-call alias also includes some folks from scalability.

A: It was kind of laziness on my part. I want to move to a future where, like, the scalability projects are in a folder over here and the other Prow projects are over here. So I don't know, to me it sounds like just maybe create a k8s infra staging kubernetes.io group and add yourself to it, Arnaud.

G: If, again, in that situation where, say, if we had a token that gets leaked and the first person on the scene is a GitHub admin, I get how they could just literally kick the bot out of the org, yeah, and then that limits the blast radius of any bad things that could be done with a leaked token. Yeah, I'm totally not saying this because we've done this ever in the past.

B: You, for, I think it was very bolo, the migration of parabola to, from Google to, why, oh yeah, okay, we are on the record, so we can talk about this later. But I have a quick question kind of related to this. It's about a password manager for aaa?

A: ...this control to, you know, via GitOps in an auditable way, show exactly who has allowed access to what. Okay, I will also just say out loud the reason I have not been able to get you the token for k8s-github-robot is because I can't seem to find the password for it anywhere and, yeah, it's gonna take me some time to track down the right people. So k8s-github-robot is not actually used for anything. Historically, it was the account that was used by mungegithub way back in the day.

A: Okay, so then the only cluster that has a token for it currently is that prow.k8s.io cluster, so like, I could get the token from there by asking on-call very nicely, but it bugs me more that I don't know where the credentials are for that account. So I'd rather figure that out, or we, you know, kick the account out and go make a new one. Whatever.

A: Yeah, so, while we're talking about, you know, setting up a staging account or setting up a different robot for the staging Prow instance, Christoph, how comfortable are you with the idea of giving that staging bot the same level of access that the k8s-ci-robot has? You know, owner for all the orgs and stuff, or like, because we could be really careful, right, and like give it over...

G: Access... it depends on the code or whatever. I guess it depends on the care that we give the code that's going to be behind that token, like what do we do with that token. If we are going to be equally as careful and cautious as we are with the current Prow code and Prow token, sure. If the hope is that we will be able to use having a Prow staging instance as an opportunity to loosen kind of any gates around anything, then I would say probably not.

A: No, and I should be clear, I guess the reason we're using the phrase staging here, Arnaud can correct me if I'm wrong, but this is like we just want to get an instance of Prow up and running in k8s infra and pretend like it is the production Prow instance. It's staging because it's kind of unclear exactly what dueling Prows are going to look like, and so we kind of want to be able to iterate on that with an actual Prow instance.

A: If that makes sense. There is, based on conversations I've had, there is a belief that, for the most part, as long as you don't have like two Prows trying to run two Tides against the same repos, for example, then you're not going to get into a bot fight. But the idea is we would try to find a way to sort of migrate traffic over to this Prow instance, and eventually this would become prow.k8s.io.

G: Then, for that particular use case, I get the access level. I don't necessarily have a concern about, okay, like if we wanted to give it the... The concerns that I would have would be, yeah, anything where it's going to be dueling, so based on, like, particular workloads and that kind of stuff, like whether or not, like, looking at: if it's going to be running tests, is it going to be reporting back the results of those tests on a PR that also has tests running on the other...

G: Prow? Is Tide going to be consulting like both sets of test results, because they're all reporting back in contexts, so we're going to have like two sets of contexts that Tide is going to be calculating based off of. It's also other workloads that we do with that, things like label_sync and that kind of stuff.

G: And the write access is mainly for things like label_sync or writing contexts to PRs, so yeah, it doesn't necessarily need it right away. The other thing that I caution there, without getting into too much bike shedding, is I don't think staging is a great name for this as far as describing what it's doing, because somebody calls me: oh yeah, we're talking about the staging environment.

G: That's not what springs out when I'm thinking about staging, so just from an intuitiveness standpoint, I'd maybe like suggest, I don't necessarily have a better suggestion at this exact moment, but something that's maybe a little bit more intuitive to what the end goal for this would be. But also, yeah, if we're just doing initial testing and that kind of stuff, it probably doesn't need owner access right off the bat until there's confidence and it's actually in a position where you're going to be flipping workloads.

A: Okay, how about k8s-infra-prow is the way we refer to this? Sure. Is that okay with you or no?

A: Okay, any other questions on this topic?

A: Okay, as usual, it's the sort of thing where, like, I really look forward to whatever it is I free up enough bandwidth to help you sort of develop the plan, but I really appreciate you continuing to push forward on this. Yeah, you're doing great. Thank you for the progress you've made thus far.

A: Okay, and then the next thing on the agenda is also from you. It's about Terraform remote states.

B: I'm gonna be quick because we have Justin on the call, so I'm gonna leave you, I'm gonna leave in the time to speak about the two subjects. So basically, we have now three GKE clusters running on the community infra, and those three clusters are made by Terraform, which means we have Terraform states stored in the same GCS bucket. Yeah.

B: So I would like to see these states in different buckets because, from a security perspective, because we want to give the access for people like the on-call team to be able to manage the Prow cluster without managing the aaa cluster. Also, we want to add, basically I want to add another bucket where we store basically all the Terraform resources related to monitoring, like basically the checks. We can declare from the dashboard you have created manually, we can use, you can use Terraform to push modifications with a PR.

A: Instead of all of the projects having the organization directly as their parent, we start to think about splitting things into folders, and so, like, all of the projects that are related to Prow live in the Prow folder, and then all of the projects that are related to aaa, or like the kubernetes-public project, whatever, sort of live in their own thing, and then we could sort of shard out ownership like that. And that's like, whatever that organization scheme is, is what I would want for the buckets to store Terraform state as well.

B: We don't necessarily need to have the same structure in GitHub as we have in... basically, Terraform can be two different things.

B: Okay, Ricardo, about your question: I don't think we want to use GitHub.

D: Yeah, actually, that's not inside their repo. GitLab have an HTTP endpoint for the Terraform state that you can use as GitOps, and I was just wondering if GitHub folks, they aren't doing the same for a future release, instead of relying on object storage from Google or from Amazon. But that's just...

A: I mean they might. We have a pretty good relationship with GitHub. It has not come up in our ongoing calls with GitHub; they kind of try and tell us about features they think we might like, and we ask them for like things we would really like in return. Terraform specifically has not come up, but I agree with you, Arnaud. I feel like, again, right now...

A: I really like using GCP IAM to control access to as much as possible, because it's really granular and we can do nothing and we can control exactly what level of access to exactly what resource. So I'm cool with continuing to use GCS as the place to store remote state for now.

G: Okay, so just to plus-one what Aaron said there, while I also think GCP is probably the best thing as far as my experiences with Terraform state, our relationship with GitHub is excellent, and like, for example, right now we have GitHub Enterprise on the Kubernetes org, like we have like the top tier of GitHub subscription on our org right now, so basically any tools that we want to use from GitHub...

G: We can. We also beta test features for GitHub on a regular basis. So if either this or other things, like we see a feature in GitHub that is something that we would like to use, or maybe the best tool for that particular job, we have access to it. Like, the money aspect with GitHub, is this really a thing that we need to worry about?

H: Sorry, yes, I got a bit confused over the time change, so I apologize for that. I had two quick ones, one of them which was, like, I see a lot of issues around easier, or like using registries to serve our images, and I was sort of wondering why we don't just use 302 redirects. I think the insight I feel like I had is that when we are serving, we are read-only and we don't need a registry, like we don't necessarily need all that complexity.

H: So I was sort of wondering if there's a reason why we don't, you know, sort of go with simpler, HTTP-only, read-only infrastructure, rather than going for a registry.

D: I guess I can answer part of this, Justin. It's sort of because of how the OCI registry is implemented. So we cannot redirect. I've sent to you the issue, but like, we don't have like an endpoint that has the manifest and an endpoint that has the blobs, usually slash v2 slash...

D: The name of the image is something, so what Caleb, Tim and the others are discussing is how to implement these into like an nginx or Envoy proxy or something else, because I was taking a look into Google load balancer and it allows us to make redirections as well, but not using some sort of regex. So this is the problem. It's the name.

H: Yeah, I mean, I think, as I understand it, the geo redirect will still be complex code, like we can't just get that straight out of the box from GCLB, and so I was arguing that we should use the code we have to, or I'm lobbying that we should use the code we have to, like, do that, and we should host it ourselves rather than taking on management of another system which we don't know anything about.

H: Like, we all know about Kubernetes, we don't know anything about Cloud Run, and so I'm pretty sure we can beat Cloud Run, just like I'm pretty sure a Cloud Run expert could beat Kubernetes. So that would be my view, and I think actually, if we mess up, I think GCLB has a fallback where we could just serve from a bucket or something. But anyway, I guess you've answered my question. I will follow up on the issue. Thank you for that.

H: I had another item, which is, I put up another attempt at the AWS account creation. This is basically based on the two observations from the last attempt, one of which is that Terraform, when managing accounts, becomes opaque and people were like, what is this, why are we doing this? And the answer is because Terraform. And so maybe the answer is not Terraform. And then the other problem was, we have to get those credentials into Boskos.

H: So essentially, we are like doing a lot of work to like pass around stuff, and we could just upload them directly into Boskos and like have whoever it is that we trust to write and read the Boskos secrets be the person that actually creates these accounts, was sort of where I was going. And I think it came out fairly straightforward and fairly easy. People are welcome to have a look, but it also like can help us address some other rotation issues and things like that which aren't necessarily easy to express in...

H: I guess, a declarative way. So anyway, that latest attempt at AWS account management with direct-to-Boskos integration. One source of truth: Boskos is truth.

A: Yeah, I don't know, I mean, like, whatever. As the person who's written a healthy, if not the... healthy is maybe the wrong word... the largest chunk of Terraform in this repo right now, I'm okay if we don't use Terraform.

H: These are things that make it more justifiable, are like that Terraform does badly on the like, create an org and then impersonate into that org, which is why there were those hoops before, and secondly, that these are effectively ephemeral resources. Ideally we'd create a new one every day or every hour or even every test, but in practice, like, if we're going to like add a credential or something, we probably would take that opportunity to rotate credentials.

A: I forget if this is used much in the public Boskos, but there's the idea of something called Mason, I think, which can sort of dynamically construct resources, and so it could be that we create sort of a Mason that, like, does automatically provision an AWS account per test. But I'm totally happy if we iterate our way towards that or decide that's just too much for what we want.

H: If we have a, if we can, if Mason is something I can plug into, I will happily convert this to what I assume is Go, but...

A: Cool, it's basically our time. Does anybody have anything else they want to bring up?

A: Yeah, Christoph, it's great to have you around again. I guess I'll just throw out there, for what it's worth, like, I apologize. I thought I was gonna have a lot more time in the past two weeks to dedicate to this group, and I did not. This is not me promising that I will for the next two weeks, but I'll try. It was mostly like 1.21 test...

A: Freeze took up a lot of my time, as well as some internal stuff, and where I'm at right now is kind of trying to... the audit PRs are driving me nuts, with the continually expanding list of SSH keys. So there are a few things that I'm trying to do to like close out the audit PRs and close out a lot of the follow-up issues we encountered as we were reviewing the audit PRs.

A: Okay, all right! I'm done, I'm fine! It was really great to see you all. I hope you have a fantastic rest of your Wednesday and I'll see you all in two weeks or online. See you folks, thanks.