From YouTube: Kubernetes WG Multitenancy 20180309
Description
Notes and Agenda: https://docs.google.com/document/d/1fj3yzmeU2eU8ZNBCUJG97dk_wC7228-e_MmdcmTNrZY/edit
A
I mean, I mean, sorry, I'm a... East. We... sorry, I worked with... I apologize. I was just having a meeting with another person at Google and got the names mixed up. Yes, we are... Are you there? Yeah, yeah, I'm sorry about that. Yeah. Do you want... do you wanna go ahead and talk? Maybe before you talk, we should ask... I'll just... so you know how much time you have, are there other topics?
B
So thanks, David. I'm going to talk about the Kubernetes security profiles. So it's a very basic mechanism required for multi-tenancy isolation. So, first, what's the problem the security profile is going to solve? Mainly there are two kinds of problems. The first thing is about all the management complexity. So currently, to set up Kubernetes cluster security, the cluster admin has to have a lot of knowledge.
B
They must know the command line flags correctly, and they must know how to use the policy objects and so on, and they also have to be a security expert with domain knowledge. And currently there's no automatic mechanism to provision the policy objects into namespaces. So in the case when a tenant creates a namespace, people have to find some other mechanism to do that work, to make sure the namespace is properly populated with policy objects. So in the community, people are building in-house solutions for different needs, but without a common standard.
B
So everything comes into an ultimate goal: like, when you want to create a cluster, just specify the name of a security profile, and hopefully the tool will set up everything properly, and when you create a namespace, the policy objects will automatically be populated. The solution will also work with a config-as-code system, which is different from the traditional way of managing a cluster, and a way the company can manage consistently.
B
People will basically put all the Kubernetes manifest files into a code repo, and the security profile is going to provide some tools for helping provision the manifest files, and also integrate with CI/CD to validate these manifest files.
So,
what's
inside
a
secure
profile,
it's
basically
a
predefined
set
of
class
settings,
so
it
includes
three
parts.
The
first
part
is
the
post
wrapping
configuration
so
including
the
command
line,
flags
and
the
rules
for
setting
up
the
file.
Permissions
like
the
key
certificates
and
the
second
category
is
the
classical
policy
objects.
B
It's like a pod security policy. And the third category is namespace-scoped policy objects, which will be automatically populated into namespaces when they are created. So it is designed to simplify the cluster administration: just select the name of a security profile. And it should also be highly portable, so that people can use this in different Kubernetes environments, and for the particular needs of environments,
B
people can customize or extend the security profile to bring their own features. And it should ensure smooth upgrades by versioning the security profile. And we don't involve any changes to the core Kubernetes, and we're also seeking to contribute to the conformance test, adding test cases to validate a cluster is secure.
B
As I just mentioned, the diagram shows the three categories of security rules included in the security profile, and these rules can be enforced by pluggable enforcers. Like, the bootstrapping rules can be enforced by the tool deploying the cluster, like kubespray, kubeadm or something else. And the cluster-scoped policies are easily managed: you can just use kubectl apply to import them, or you can set them up to be managed by the add-on manager. And for namespace-scoped policy objects,
B
we introduced a new controller which monitors namespaces and does the initialization work when the namespace is created. There's also the other part, regarding the security conformance test: we have been adding some cases related to security. So, to avoid confusion, the security profile is not defining some new process or new behavior. It just utilizes existing mechanisms, and it's not making any changes to Kubernetes. And the security profile defines rules for the common cases and is very generic.
B
So it does not include anything which is specific to a particular use case, for example a very specific resource quota definition, and cluster roles or roles and bindings relevant to specific identities. Also, it's not a template system; it doesn't do fancy templating work. And it's not a policy engine. So here's an example of a security profile.
B
So on the right-hand side, the pod security policy is already available today; it's a kind of cluster-scoped policy. We can create a PSP directly on the cluster. While on the left-hand side, we can find a namespace template, which is actually reflected as a namespace-scoped container of the policy objects.
B
So it defines templates for all the namespace-scoped policy objects, and at the bottom, the security profile will reference this namespace template as a rule to be applied to all namespaces. And we can define more rules in a security profile. And beyond the runtime rules, as we mentioned, we also define the bootstrapping rules, so on the right-hand side this is a bootstrapping example. It defines the way how to set up the command line flags.
B
And it's possible to define multiple security profiles in a single cluster, but only one of them is effective, so we introduce a custom resource called security profile selector, with a pretty fun name called "current", to select the security profile to be effective. Just as the example shown in the right bottom, it is currently enforcing the standard 1.0
B
profile. The controller enforcing the rules in the security profile will report the enforcement status in the status subresource of a security profile. So when we use kubectl get securityprofile, and the name, -o json or yaml, it will show up the status to reflect each rule in the profile and how they are enforced right now. So we can find five categories of enforcing status to indicate the current situation on the cluster, which is really helpful for the cluster admin to get an idea what's going on in the cluster.
B
With the help of the security profile selector, it's very easy to switch between the security profiles. And beyond being enforced with only one security profile, the cluster admin can label another security profile to be in the preview mode. Preview mode means the enforcers will also evaluate the rules in that security profile, but without enforcing them, and they will also contribute to the status subresource of the security profile, which reflects the gap from the current cluster.
B
Now, the most important part is the enforcement of namespace-scoped policies. So there's a namespace population mechanism introduced in the security profile: when a namespace is created, the policy objects defined for the namespace will be populated into the namespace. And because these policies are very generic and common, the cluster admin can still use additional tools, like Terraform and the like, etc., to create more policy objects in the namespace. And the namespace template itself can actually be used extensively for something else.
B
If the cluster admin annotates a custom namespace template to be auto-applied by the enforcer, this namespace template will be taken care of as well, being used to inject some more objects into the namespace. It can even be not related to security, and it's also helpful to populate heterogeneous namespaces by using the namespace selector in the namespace template.
B
And one problem during the namespace population is about the race condition: so when the namespace is created but before all policy objects are populated, it's possible people can have access to the namespace and create objects before it's ready. So there are a few ways we can use to mitigate this risk. So the recommended way is:
B
we should have a well-designed RBAC system, which ensures the user creating the namespace doesn't have the permission to create objects in the namespace until the namespace template controller populates everything, and then grant the user permission to have the full control in the namespace. And alternatively, we can use the initializer admission control, which already exists in Kubernetes, but the initializer hides a namespace, without actually blocking any access, to solve the problem.
B
For customers with special requirements, they can change the rules in a security profile. The way we recommend to change rules is by copying an existing security profile, renaming it, then changing the rules and deploying that into clusters, then using kubectl apply to refresh the security profile selector to make it effective.
B
Each security profile has a versioning convention, so it has a versioned schema defining the requirements for the security profile, and the rules and policy objects, and it also indicates the enforcement logic. So if any of them changes, the relevant portion of the version will be bumped. And the most important thing in the security profile is we need to make sure the compatibility of the security profile with Kubernetes versions. So a version matrix has to be maintained somewhere, ideally in the same source
B
repo of security profiles. And the version matrix records the compatible security profile versions versus Kubernetes versions, and the most important information in the version matrix is the deprecation mark. Here's an example, which identifies a security profile if it's being deprecated.
B
So regarding the deprecation of a security profile, it's not like a simple version upgrade. So when will a security profile be deprecated? If we find the rules are not properly defined, or the defined rules have some other security concern not covered, or bugs are found in the enforcement logic in the controller, and maybe any other security concerns. In this situation, the security profile should be deprecated immediately, so we mark the deprecation in the version matrix, and that allows the possibility for the cluster...
B
So for a config-as-code system, it works a little differently. The config-as-code system maintains a single source of truth, which is normally in a source repo with version control. So any change into a cluster will first be checked into the repository and go through a CI/CD pipeline to be pushed to the cluster, which mitigates a lot of risks, like manual mistakes causing potential damage to the cluster. And to support such kinds of system,
B
the security profile provides CI tools to help generate the manifest files when it can detect something, like when we change a namespace or we create a namespace manifest file, and use a tool to generate the policy objects into namespaces. And it also provides ways to be integrated with a pre-commit hook, or to be used in CI/CD, to prevent the commit if it contains objects which violate the security profile.
B
So there's a separate document in the links page for details of this solution. So there are a few docs, including the design doc and the design doc for config-as-code, and we'll have a demo later, and a bunch of references to the background information. So this is the demo. If we have time, I will show that, or we can just skip it for questions.
C
So I noticed that there was a line there that said there were no roles in the security profile.
B
So strictly speaking, there will be roles or cluster roles which are generic, to reference, for example, the pod security policy or something like that, but there are no cluster roles or roles specifically for a particular use case. For example, in a particular on-premises environment, the cluster admin may define the roles or cluster roles for their own use, and there will also be role bindings for particular users or groups, and these parts are not covered in the security profile.
B
Basically, it's basically a namespace template: you can define your own custom resource kind or something else, and you're just adding a new rule in the runtime rules section I showed on the left bottom, adding to the runtime rules list your own custom resource kind and name, and you will need to deploy a controller to enforce that. And
B
it helps the controller to be aware which custom resource is currently effective, listed in the currently selected security profile, so the controller will know which custom resource is to be enforced or which should be skipped, according to the current selection of security profile.
B
So we'll show the security profiles installed: kubectl get selector, one security profile. While there will be multiple security profiles already installed, because this security profile is pulled from a bundle which includes multiple security profiles, there's only one effective, which is selected in the selector called "current". And we'll show the details: the selector shows the enforced security profile, 1.0.1... there's zero, so.
B
So in reality, based on the security profile, most likely the cluster admin will still create additional rules or policies in the namespace, to allow particular service access: like adding new network policy objects to allow certain services to be accessed by external, or allow pods to access external services. And they may also add new role bindings for another particular pod security policy, for certain pods to run in privileged mode or something else.
A
Once there's agreement on what the profiles look like and what their names were, that standardization that would work across all the different platforms, I think, is a key piece of this... any plan. And take questions about that. I assume people haven't read the proposal yet. Do you want to say again what the name of it was and what repo? I guess it's in a community repo, but do you want to mention again what... yeah.
A
Yeah, do you want to... yeah, yeah, you see? Do you want to say more about... like, you mentioned briefly that for the per-namespace policies, you would have a label selector that would allow you to specify which namespaces the template applies to. So is the idea there that you could have multiple templates, and then each of them would specify which namespaces they apply to using a label selector? Is that the idea? Yeah, yeah.
B
So actually, again, as listed in the example, in the namespace template you can put a label selector to apply the template to specified namespaces. So the schema is the same as the existing label selector in Kubernetes: you can use match labels and match expressions to select the namespaces.
B
So if... I don't know, if I want to exclude the kube-system namespace without labeling this namespace, there's no way to express that. So I have proposed, by extending this (I'm not saying extending the label selector, but adding another selection mechanism), to exclude the named namespaces. That will be easier to exclude some namespaces. And yeah, so that's the selection mechanism. I'm open to any suggestions or any proposals to make it better.
A
Yeah, that makes... At one time somebody had proposed that every object should have a label that is the name of the object, so like the key would be "name" and the value would be whatever the object name is. I think that there's issues with that, like, in terms of security, because I think someone had pointed out at one point, like, in some systems only the administrator is allowed to create the namespace name, but users might be able to change labels on the namespace, and the same thing with objects. Like, I
A
don't know how common that pattern is. But the question came down to how trustworthy would the name label be if you labeled every object with its name. But it would solve problems like the one you're talking about: it would unify the ability to select objects by name and by label, since the name would be one of the labels. But since we don't have that, and I doubt that we would get agreement on that, probably having the ability to select by name or by label in this template selector thing is the most reasonable approach.
F
For one label it says you should do this, have this thing, and another label has the exact opposite? Well, that might be the only way to envision that, like, to divvy that up, that you could still have a namespace that has both labels, but until that namespace is, like, created you don't know that that's going to be where you come from. Oh.
B
Yeah, that's depending on how to write this label selector. So I don't think I'm going to introduce something different, but with the existing label selector, I think if you put match expressions you can list both labels too. For example, you can match one label and not match the other label, or you want to match both. But in the case you mentioned, you have two, or at least more than one, labels, then you should be careful.
B
So if we're talking about the security profile only, because it's going to be generic and common, what I can imagine is the security profiles we publish, to be used as kind of standard security profiles, will have very simple, almost no labels, and the minimum settings in the security profile will apply to all namespaces. And depending on the user and customer, if they want to define their own namespace template or other mechanisms, they can do that by themselves.
A
But so, I mean, I guess my interpretation of the suggestion is that, like, the initial proposal would maybe at most have a customization feature where you could exclude the kube-system namespace, maybe with a boolean or something, and then there would be a separate proposal that would, say, layer on top of that the ability to select which specific namespaces a particular template applies to. I'm not saying that I agree with that, but I think that's... is that kind of what you were suggesting? Yeah.
B
Yeah, I think this is quite... I think this is a very clear suggestion. I mean, from the security profile perspective, there's definitely benefit, and we can layer the more complex... it was intended to be a standard functionality of the namespace template, basically, but not covering the security profile. Well, yeah, I think.
F
The other reason, I'm sorry, one of the other reasons that I kind of think we might want to separate: we probably also need to have... we would need to have a discussion around, kind of like they're having in apps around common labels, or if there are, like, more than just kube-system, sort of customary namespaces, in order to have it a little bit more standardized. But I think we can...
F
I guess I imagine even if we would... even if you do say it's only for, like, individual clusters, I think you're still gonna want some, a little bit of, semantic meaning around the namespaces and labels that might kind of come up, like the way it's... kube-system is, like, custom more than customary, but whether there are other sort of expected... like, cavity.
A
Yes, and I am a little skeptical that's possible, but yeah. Although I don't know if that would be a blocker, or if that should be considered a blocker, for having a namespace label selector mechanism in this. Like, I think separating the proposals is reasonable, but, like, when we get to that second part of it, of adding the namespace selectors, I'm not convinced, like, trying to get agreement on some taxonomy or, like...
B
Yeah, the RBAC rule is not part of the security profile, because for the RBAC rules you have to assign a particular user or group which has permission to create namespaces, and this is too user-specific. So we cannot design... we cannot include that in a security profile. There will be a recommendation on how to set that up, how to set up the rules.
F
So in a multi-tenant environment, for instance, you don't want any tenant to be able to... and just, sorry, to, like, be able to say "please schedule me on the master nodes" or whatever you need. So in order to prevent that, since there's no way right now of having sort of a scheduling policy that dictates that... certainly by namespace, that certain namespaces have these restrictions on what sort of scheduling, schedulers or other values they're allowed to take.
F
Then the other important one, or there are quite a few topology, like, general topology ones, proposals going around, and there's some on, like, the network topology. I just... there's a storage topology I think I just saw. So there's some discussion around that. And maybe there's also the other one that just came out, kind of, is the idea of a container policy interface: of whether, kind of, these... the objects aren't good, any webhooks combination isn't powerful enough, and whether we should have an explicit place where we can define the interface of where policy is enforced.
F
I mean, it seems like people are doing that on their own, but people haven't brought any specific concerns or things to us lately. And I think it's, though, one of the most common or, you know, advanced sort of frameworks for policy that we're seeing most mature, and so something that we need to kind of take seriously as either: this is kind of something you need to support, or is it something to model after, or is there another way to do it. And I should mention...