From YouTube: ClusterAPI Self Assessment Working Group 20211111
A: Okay, cool. So we can wait for Robert, but we can also start. I saw your note, another, on being only available for half an hour, so we can discuss stuff that can be done offline, and I expect the next one would be around Thanksgiving.

A: So, I don't think I'll be off on Wednesday morning, so we might be able to still do it. Robert, I don't know, actually, for him.

A: Right, right. So let's see, I mean, I think I should be there. If things change, then I'll let you know. Yeah, okay, cool. So maybe, now that it's recording anyway, I'll add myself as host and then we can start.

A: Yeah, so I was hoping, maybe instead of discussing what we can do between the next call and this call, if we have enough minutes left, to wrap up the second half of the flow, so that we'll have two flows completely done, and then we can pick up on the third flow next week, next time we meet. And then we'll be done with all the three in scope, and then it's just about writing up stuff in the talk and then coming up with data issues after that.

B: So, yes, I think we might have been done, actually, because that's more or less it at that stage. So, okay, yeah, so we said that kubelet was going to send the certificate signing request. The load balancer just.

B: About too much, yeah. And then the only other thing that's gonna be happening, so the kubelet would have joined, it would have filled in the provider ID.

B: Right, yeah, and.

B: So I think the mechanism is normally: whatever the node registers with, from a hostname, right, controller manager tries to match. Cloud controller manager for that particular cloud is gonna do whatever it needs to find the corresponding provider ID. So for AWS, controller manager is gonna call out to the EC2 API, which we've already got. So I think we did that bit.

A: Okay, cool, all right. Let's see the notes, I'm forgetting the third flow. I think it was the bootstrap flow, if I'm not wrong, but.

B: Right, I think I know most of it.

B: Yeah, so as far as clusterctl goes, which I guess we'll get into in a minute, we don't. No, we don't provision a kind cluster for you, right. We expect you to do that beforehand. So that's a bit different to, say, some of the vendors like VMware, where we literally start a client cluster for you. The only exception to that is our testing. So our.

A: Okay, okay, that makes sense. So I actually wanted to see, now that we have 20 minutes or so left, we could explore the part that we know is not great, which is the kubelets and kubeadm self-signing, and maybe potentially explore what the ideal state would look like if we had kind of a magic wand to make everything great again.

B: Okay, which doesn't really have, was generically called kubelet authenticator, okay, and we wouldn't have a bootstrap token from, well, we might have. We have a bootstrap token in order to submit the initial certificate signing request, but kubelet doesn't do it. So we would use the external authenticator for kubelet.

A: The problem here is when I have a running kubelet and a kubeadm in the same node. This kubelet can join the cluster here by allah, and the only way that is allowed is by this kubeadm saying yes, you're allowed to do it. So essentially we have two entities, or two components, in the same node that could be attacker controlled, saying "yes, this looks good" for each other.

B: Right, yeah, and you see it would have a binary, and then the binary itself would have plug-ins with different infrastructure providers.

B: And then, so you can assign, like, an instance profile to every node, so a node can be given permissions to do certain operations. So we would limit this to, well, at present there's a bunch of permissions that the CPI integration needs.

B: So we would add to that one called STS, so secure token service, and what is the, yeah, so there's an action on that called get caller identity. So, but the thing is, we're not actually going to call that. What the authenticator would do is it would append in the CSR, and so the AWS API, they authenticated using the HMAC, right. So we would generate a signed request for STS get caller identity. So get caller identity, all it does is give you: I am disa, you are this account.

A: Okay, so if I understand correctly, now, instead of kubelet just saying "hey, please accept me in this cluster", we are going to add additional authentication-related info or metadata that allows CAPI to really understand that, oh, this node actually exists, and this is something that we are allowed to trust.

B: It's two strings, essentially. Okay, yeah, yeah, so secret, another, well, three strings, so access key ID, secret access key and a session token. Okay, and then that request, that signed request, is valid. We'll have a 15 minute window.

B: So capital will then run it, executed. That, then, has, that's then proof of identity, and then it gets.

B: Yeah, there's been some discussion about how to handle trust on first use, because this has come up in some other projects like SPIFFE and SPIRE. I can't remember the details, but we do have some plans around sorting out trust, so we only do it once.

B: As a proposal, so there's, and it is based on what GKE is doing today.

B: And what EKS is doing, right, but they both got like their own implementations. So we took the GKE specification, made that generic, and AWS will be one implementation amongst many. So we talked about using TPM for vSphere and GCP and Azure. I think, yes, it should be pluggable between any infrastructure provider.

A: I see, okay, so this is sort of like a CAEP, if I'm understanding correctly, Cluster API Enhancement Proposal.

B: Yeah, we kind of snuck it into Cluster API, but like there's no reason why, like, right, like what GKE did was really good and we wanted to make that generic. We just happened to put it into Cluster API. Nice that, potentially, maybe it should actually be moved into cloud provider. Maybe it might should be. Maybe a CPI, it's just plus the apr, was the path of least resistance.

A: Okay, okay, that's good. Yeah, so that seems like a good, significant next step for us. Send the link on the CAPI channel, if you can, there, later, about the proposal. I'll at least start reading a bit and sharing it with others.

A: Okay, I think, how much time we have, five minutes more, okay. So one question, maybe before we drop off, was: when the control plane, second control plane node and third control plane node are joining, does anything change that is different from the first control plane node getting created by this cluster?

B: To do that, so let me, I'll do, yeah. I will take a note to do that, because that's, I forgot to, I've got to do it, basically. Okay.

A: No worries. What I can also try to say is, by the next time we meet, start documenting these flows in words. Like, we have recordings now, and we also have diagrams, but we haven't really written down stuff. So it's hard to keep the context in all of our heads after we go through the third flow, so I'll try to do that. Ankita, I would need your help also, to correct me if I write something.

A: Okay, so that's good. What would be the third flow we'll talk about next, just for people watching the recording?

B: I think the clusterctl init workflow, so somebody bootstrapping on a laptop, they've got a client cluster, but they haven't even installed Cluster API, which probably should cover how Cluster API gets installed, right, and then how we convert a newly created workload cluster into a management cluster.

A: I see, okay, okay, that makes sense, yeah. That sounds good to me, so we'll try and meet next time in a couple of weeks from now. If so, we're, recording started before we could say anything. So this is today's date, 12th, 11th November, so 11/11/2021, we'll meet again 14 days from now and cover the third flow and, in the meantime, document both the flows we have discussed so far and see where we go from there. Anything else you would add, either of you? Okay, cool.