From YouTube: 20191008 Kubernetes Multi-tenancy Working Group
Description
Tasha: Kubecon Update
Raffaele Spazzoli: Namespace configuration operator
Angel Barrera/Pau Rosello: Hosted Namespace as a Service
Full notes here: https://docs.google.com/document/d/1fj3yzmeU2eU8ZNBCUJG97dk_wC7228-e_MmdcmTNrZY/edit#
A: So hello and welcome to the multi-tenancy working group meeting on October 8. We have a pretty full agenda; I'm just gonna kick it off by quickly going over our plans for KubeCon in San Diego. So I hope a bunch of you are planning on going to KubeCon. I would like to encourage you, if you're traveling for KubeCon, to attend the contributor summit, which is a Kubernetes contributor day that is the day before the conference starts. So the conference really kicks off on Tuesday and the contributor summit is on that Monday.
A: So if people would like to attend, currently you can sign up to go. If you are an active contributor, then you will automatically be added to the attendee list, and otherwise you'll be put on a waitlist, but there is space. And so for everyone who's interested in attending the contributor summit, I would definitely encourage you to do so. We will have a multi-tenancy presentation.
A: There, that's going to be more of an open conversation where we encourage all the current contributors from the different SIGs and working groups to talk about what they want to see out of multi-tenancy in Kubernetes. We did that last year in Seattle and it was super popular, so we're doing it again at the contributor summit this year, so that should be cool. In addition, if you're going to KubeCon this year (and all of these things are going to be recorded as well, for people who can't attend).
A: So don't worry if you can't make it. So the contributor summit, our session there will be recorded and shared on the internet for people who want to watch it, and then we also are going to have an introduction to multi-tenancy and a deep dive into multi-tenancy at KubeCon itself. The introduction is normally aimed at... so a lot of KubeCon attendees are not contributors to Kubernetes.
A: So it's a very, like, 101 sort of experience, and then a deep dive, that's going to be led by Sanjeev, is going to go over in more depth the various projects that we're working on, and he's going to work with some of the contributors on putting together that presentation and presenting. We're also gonna have a panel, and the panel will have, I think, five or six people on it just discussing multi-tenancy at their different organizations, how they see it evolving, and so that should be cool. So we've got a lot of stuff going on.
A: I definitely encourage everyone to come to KubeCon if you can, definitely check out the contributor summit, and if you have been sort of checking out the multi-tenancy working group but don't consider yourself a Kubernetes contributor yet, there are two workshops at the contributor summit for new contributors: there's a 101 and a 201 level class.
A: So if you really want sort of the maintainers of Kubernetes to take you on a code walkthrough of the different pieces of Kubernetes and encourage you and [show] how you can get started as a contributor to the Kubernetes project, those are great things to sign up for. So yeah, I think that's everything that we're planning on doing. There is also going to be sort of a SIG meet-and-greet where we'll have a table and we'll talk to people about multi-tenancy and do some other activities.
C: So what we see is that very often, these large deployments of OpenShift clusters, it's about that. It's going to be the same for Kubernetes. There is a team that manages the platform and then there are several development teams that want to be onboarded. So we try to create a method, a process to empower the team, which technically means to create the needed namespaces to support the application; as you'll see, it means giving permissions, RBAC permissions,
C: on these namespaces; it means creating quotas; sometimes it can mean creating default network policy configurations and so on, depending on the customer needs. So in general we don't see... I haven't found much in the upstream community to support this use case. So generally the customers end up using something like ServiceNow or the like to create these processes, because it's a workflow that has to go through approvals, and ideally, in the end, it's all automated and self-service, right.
C: But one thing, so I think, you know, long term this process could be self-hosted on a cluster if somebody would want to take the time to develop such an application, but in general, in the end, we need a way to make sure that whatever the configuration was that was created for these namespaces that we have created for the teams, they stay in place, right.
D: Just, I've got one question. This is... I'm Adrian Ludwin, I work at Google and I've been working on the hierarchical namespace controller, which covers some of the same ground as your controller, or operator, as well. Do the users ever have the ability to make any changes to the objects in their namespace, or is it all the NCC?
C: I... as the code is now, what you can see, the operator will just react to you changing the definition of what your configuration needs to be. But if you have the permission to change the actual created object in one of those namespaces, the operator will not react to that. Okay.
C: Or react... I've just found, so expect a PR. It's gonna get that feature also, okay. So you attempt to do that? Yeah, yeah, I'm trying to do that. Yeah, I think a good operator should be able to do that; it just was difficult to find a way to create a controller on an unknown type, right, because you don't know what the user is going to ask you for [unclear].
C: It changed... I got it, thanks. Cool, thanks, yeah. So it's generally... okay, like I said, it can be anything that is a namespaced type and the controller will make sure that those namespaces get this configuration. And then this upcoming feature will make sure that if, by mistake or maliciously, you change the configuration, it gets immediately reset to what it should be.
C: ...way to assign quotas to namespaces, right. I have two examples. So I call this the CRD that enforces the configuration NamespaceConfig, and, as you can see here, we have the namespace selector, so we'll select all the namespaces that have a given label, and then what it does is create a quota, a ResourceQuota object. This is an array, but in this example I only have one object, and so this was an example to show you can...
C: If you are familiar with OpenShift before network policies were introduced, there were some default network rules inside the SDN, and this example sets up the same rules but in network policy terms, so it was going to be a simple way for customers to migrate from the old way to the network policy way. And again, there is a selector with the multi-tenant label and then two network policies to set up the same type of rules.
D: So I assume that, in deployments of this, the people who have access to the namespace itself, who could modify the namespace, have to be trusted, because it's based on the label on the namespace, and so you can change the policies that you get simply by changing the labels that you've applied on your namespace. That's correct, yeah, right.
C: It's different. It's true that, you know, in OpenShift when you create a project, that's basically a template for a set of objects that need to be created in the namespace, but those exist only... you know, those are enforced only at creation time, and then there is nothing to really enforce that they have to remain what they are, what was requested. This operator will enforce consistency at runtime, okay.
C: The other problem with that mechanism in OpenShift is you can only have one template that is the same for all the projects that you ever create. With this, because you can assign multiple labels to multiple projects, you can actually have a variety of flavors of namespaces, or configurations of namespaces. Okay.
E: Yeah, I had... I'm... sort of a general question that covers quite a few of the previous ones, which is: how, in general, do you handle errors? So it sounds like, you know, somebody creates the CR and it says, you know, propagate this config to all these namespaces, but then, for whatever reason, either the config is not valid, or maybe it was at some point but then later the cluster... you know, something gets updated and that config is no longer valid, or there's insufficient quota, or whatever may cause an error.
E: Okay, and it sounds like at the moment you only ever actually attempt that operation once, so... You don't... you mentioned there's an update which now goes and, you know, looks at what's in the cluster and sees if it's correct and if not corrects it, but previously it sounds like you only ever tried everything once, and if that error happened, then is it correct that there's no reattempt to apply the config? No.
F: Hey Raffaele, I have one more, very, like, you know... so I see that it's possible to have network policy assigned for each namespace, right, using this namespace config operator. Now, if I want to, you know, extend it further, and, you know, something like IP pools per namespace, is that possible, and how can that be done, if you have any idea?
C: I don't... you know, this for me is just input data. You can change it at any time and my operator is not dependent on a specific version of resources, right; I guess it's dynamic. So if one day we have network policies v2, you have to upgrade them, choose whatever method you decide to upgrade them, but if you can just rewrite this to be v2, the operator will overwrite whatever [you have], and it should be fine, yeah.
C: Label, yeah. So, for example, if you know what I mean, if you are deploying this namespace config, and then you decided you didn't need this one. So you override this namespace config, deleting this object. Now you have maybe thirteen namespaces that have this object. The operator will detect that and will delete those objects.
C: Well, every object that is created gets a label that uniquely identifies this namespace config as the owner of that object. I cannot really use the owner annotation because they will exist in different instances and the owner works only if you are in the same namespace, but there is a similar concept. So then I scan for all the objects with that label and if they're not in the manifest it means they need to be deleted.
C: Can you... you know, you can scale it down? You can, you know, give it a service account with fewer permissions, and then you can [unclear]... we're using a permission to create, delete or list those resources, and, you know, so that's something that is up to you, if you want to fine-tune the security around it, but my assumption is it's gonna run as cluster-admin.
C: So, interestingly, none of my customers, but I have colleagues that have customers that are using it, and exactly in the context that I was explaining. They need ways to enforce configurations that have been decided at namespace provisioning time, and I was talking to a colleague of mine just yesterday. He is using it mainly for network policies at this point, and I think he's considering resource quotas.
D: It's on the repo, and at our last meeting I think I gave a demo which was recorded on YouTube, and so basically it is... you can think of it... it's not actually an annotation on the namespace, but you can think of it as though each namespace can point to its parent and certain objects get copied down, like RBAC, network policy, etc.
D: Yeah, I don't know which one... I don't think that one is better necessarily; it would be nice if we could figure out some way for them to... I mean, on one hand, they will work cleanly together. If you, for example, have a tree of namespaces and you have a [unclear] on the root namespace, the NCO will copy stuff into it, and then they won't get distributed through the tree.
D: Well, they should work together, I think, even today, if you just happen to include both of them. I'm not sure what the best practices would be around that. Okay, okay, I think, well, the last question I have is: do... all the people that you know who are using it, have all those thoughts about GitOps? Are they not using it? Do they check the configuration in with GitOps but then not [unclear]? How does it work for them?
C: And every... manage it, that's actually an option, or you can just have your Git repo have all the configuration you need for your namespaces, right, and then manage everything with GitOps. Yeah, I... yeah, we need to see some, two customers doing the two things together; which one is better, I don't know, I just... fine. Okay.
G: Does Red Hat have a position on this? Because we've seen a few similar initiatives out of Red Hat: one is, of course, projects, and, as I said, as you mentioned earlier, projects do not have an operator model; they just have an initial template, a namespace templating model. We've also briefly heard about operator groupings. Is this essentially your personal initiative, or does it have Red Hat's blessing?
C: It doesn't have that blessing. It's a little bit more than my initiative. I am the one who wrote the code, but it's now part of what we call the community of practice, which is an internal organization of all the consultants. So when something is accepted there, it means that we kind of agreed to try to adopt it within our engagements.
C: Alright, so it is, you know, we say to the customer: you have to automate onboarding. Some of them do it, some of them, you know, do it only to a certain extent, most of them do it to a place where it's automated, but enforcing the configuration at runtime is something that they're... you know, not many of them are doing it, and for something like that you need an operator, right.
G: Sorry, let me just get in last, because I think we've got some... that, you know, the only reason you need to dynamically enforce it is because you are allowing the project user to also change those very same resources, but if your RBAC was set up such that network policy can only ever be changed by the cluster admin, then templating is fine, because nobody other than the cluster admin will change it and you do not need the dynamic reconciliation. You need reconciliation only because the namespace user can themselves change these objects, right.
I: Well, hello everybody, thank you for giving us some time to be here in the multi-tenant working group. My name is Pau and my colleague is Angel, with whom I started... it's been a few months ago; we are implementing a multi-tenant... a solution similar to what Raffaele said. We are creating some namespaces with resources in namespaces in order to have the users kind of placed inside a single namespace, and we are using the vanilla Kubernetes objects and using these objects.
I: Next, yeah, we found different problems, mainly about logging and metrics. Then we had to think about how to extend authorization. Then there's another problem: how to do traffic routing to the different namespaces, and finally, traffic encryption. That is something that we have not solved yet, and we're going to see, in all of them, which problems we have found and how we tried to fix them.
H: As you know, almost all of us, when we deploy Kubernetes clusters, [do it] with the ELK cluster or the EFK stack, I mean Elasticsearch, Fluentd and Kibana, to discover the logs, and some local tooling like [unclear], but, as we are offering a Kubernetes namespace-as-a-service solution, yeah, we have to figure out how to provide their logs to our customers.
H: The first thing that came into our mind is to provide an Elasticsearch endpoint to customers, but how can we secure that any user is writing its own index, and how do we provide credentials to our users to query in Kibana? So we found that the X-Pack plugins were included in the Gold subscription, which is a paid subscription, until the 6.8 and 7.x versions, so an option, an alternative to make it possible, is to provide an entire EFK stack to any user. But how does it...
H: Does it scale, I mean? Are you going to create an Elasticsearch cluster per tenant or per namespace? So it's quite complex, and we thought that it is quite costly to provide this stack. So we found, at KubeCon in Barcelona this year, a Loki solution that was designed by Grafana to make it possible to run [logging] in a multi-tenant way. But you see that it is not even in a stable release.
H: It's almost in beta or alpha status, and there is not a lot of information about how to make this multi-tenant configuration possible in Grafana Loki. We found more information in GitHub issues in the Grafana Loki repository than inside the official documentation, so it was difficult to think about how to configure it in Kubernetes.
H: It is, in our... it has a multi-tenant way, so this is just a very simple diagram with the design, where you can find on the right, more or less, a platform namespace which has a Grafana server, a Loki server and the Loki tenant proxy, which is a piece that we developed to make it possible to deploy Grafana Loki in a multi-tenant way, a secure multi-tenant way, and we depend on a tenant... it could be the controller from Red Hat or the one developed in this working group.
H: It has to inject, into the tenants that have the logging capabilities enabled, the clients, just to push logs to the Loki tenant proxy, and this validates the basic auth and proxies the request to the... okay, sorry, just in Loki the request has to be passed through the Loki tenant proxy, because this is the one involved in injecting the HTTP headers to the Grafana Loki [server]. That makes it possible to configure [unclear] in a multi-tenant way.
H: So that's the tricky... I mean, the final Loki service configuration supposes that you have to inject some headers. But how do you do it in a secure way, I mean, how do you prevent tenant A from using the header from tenant B instead of tenant A? So we implemented a basic proxy, a basic auth proxy that adds the basic auth layer that is not provided by Grafana Loki itself, and once validated, requests are forwarded to the Loki server with a header identifying the tenant.
H: Also, we made a PoC to validate the solution, and it's fully documented here, so give it a try. It's quite interesting to see how Grafana Loki works in a multi-tenant way. So that's all. An interesting point is that we deploy Promtail, the log collector, as a sidecar because our clients [unclear] do not have the ability to mount host volumes into the pods. So we cannot have a DaemonSet, I mean a DaemonSet that mounts the host path. [unclear]
H: About Kubernetes metrics, it's really quite similar to the logging stack. I mean, Prometheus wasn't created to support multi-tenancy out of the box, so there appeared a solution, [unclear] solution from the guys in [unclear], and it's quite similar, like the proxy we developed, I mean, in Grafana Loki: it just injects some headers or some attributes in the body of the request to Prometheus, on both sides, in pushing metrics and in querying for metrics.
H: To deploy in our platform, because we are small... by today it provides more [functionality] than we need, for the moment, so Prometheus [unclear], so the [unclear] architecture would look something similar to the previous diagram. So the multi-tenant controller now has to inject a label, a unique tenant identifier label, to every object in a tenant, so Grafana queries go to the Prometheus auth proxy.
I: Yeah, and then we go to extending the authorization model. Now, our work is not enough to have a multi-tenant solution working, because there are some cases where you will need to extend the authorization layer in order to introduce some custom policies; like, for example, you have seen now that all the deployments, or pods, have to have a label. So in this case Kubernetes allows us to extend this authorization layer through mutating webhooks or validating webhooks.
I: This way, you can certainly do whatever you want with the objects that are being sent to the cluster, so you can change, and then you can validate, and also there's a new feature in Kubernetes 1.16 that allows a single object to be passed multiple times through a mutating webhook. So one policy could add that sidecar and then another policy could modify this sidecar, and this is something that was not possible until now.
I: Basically, it is going to return an answer, yes or no: if this resource can be created or has to be modified. On this side, we have created a repo. That is, if you have tried Rego, it's quite a difficult tool to understand and develop. This is a testing environment where we have been doing a unit testing environment, and then you will be able to find here some documentation, the kind of files that are present in the repo, where you will be able to find the policies.
D: You introduced this as you were extending RBAC; is it accurate to say it doesn't look like you're really trying to do, necessarily, user-based authorization? It sounds like it's more like you're imposing additional legality rules to make objects play nicer in a multi-tenant environment, but it's not necessarily about RBAC itself, like users and permissions on verbs. Is that correct?
G: But that's anyway not what RBAC would target, right. So going back to Adrian's question, which part of your use of OPA is an RBAC extension, meaning something that would normally be done with subjects and verbs? I mean, restricting the URL of an ingress was never in the scope of ingress; it was never in the scope of RBAC anyway.
D: You can do it based on the namespace that it's going into as well. I think you would really want to be seeing something... Maybe it's probably a question that doesn't matter too much. I was just curious about whether you were... I think it's in input.request, there's something about the user and the group and stuff like that. I would imagine you don't need that information very much because you're more interested in the tenant than the user, unless you had some kind of concept of tenant admins. Do you have a concept like that?
I: And then also, this was presented here before, this is Kyverno, and this is something that we found really useful, and although... you don't have to learn Rego, so this is the good part of it. You can express it directly with Kubernetes objects, although we don't know if the logic that we want to apply will be able to be expressed with these custom resource definitions. But we will take a look if it's possible.
H: Okay, about traffic routing: when we created the [unclear], we tried to find an ingress controller that was designed, by its core, in a multi-tenant way. We found Contour, which is, if I don't remember wrongly, from VMware, the Heptio guys, and it is based on CRDs; initially the CRD was IngressRoute and now its name is HTTPProxy. HTTPProxy allows users to define a root domain, a root HTTPProxy, and delegate some paths to be implemented in another namespace, for example.
H: So this makes sense for our use case, but, as Pau said before, we want to provide a pure Kubernetes experience, so we don't like to use any other CRDs, at least, I mean, objects that are outside of the Kubernetes API server by default. So we thought to deploy any ingress controller, like NGINX or HAProxy or Traefik, but always with the help of OPA, and we know that this could be a tricky way, I mean.
H: As you know, you can break the whole ingress controller with a bad ingress resource definition. This can be caused by a tenant, a user that intentionally or not creates a bad ingress definition and breaks the ingress controller, or overwrites an ingress from other users or other tenants. So OPA helps us to define some rules to make it more robust, and also we thought about the possibility to deploy...
H: an ingress controller per tenant, but we thought that this is overpriced, I mean, you can assign a NodePort per tenant and, with an external load balancer, point to that NodePort and so on, or you can deploy a load balancer per ingress controller, but it's going to be very expensive for us. So we opted to deploy just a single ingress controller for the cluster and secure it and make it robust using OPA.
I: Yeah, so then we were thinking about... another problem is about tenant communication between... from pod to pod, and this is not something easily done today, and when you think about that, you start thinking about Istio, although before even starting to look at it, it's going to be overkill because there's no official support for multi-tenancy, so they basically say that you can install one control plane per tenant, which again doesn't scale really well for our use case, where most of our tenants have two, three, maybe five pods.
I: It's going to be bigger than what they're really using. Then there's another problem about security: to install Istio, it's going to require root permissions and also admin, which we decided really early that this is not something that we are going to allow our tenants to do. So Istio is out of the way. Then we also took a look at Linkerd, which again doesn't have official support.
I: Then Maesh, it's another service mesh that appeared, but it's kind of special, because it's not using sidecar injection. It's going to be deployed as a DaemonSet. So all the traffic from pod to pod could be routed through this DaemonSet, and then also from node to node it has to pass through this DaemonSet, in a mandatory way, and the other thing that Maesh is introducing is that it allows to use the SMI, that is, the Service Mesh Interface, which is really nice for traffic management without the overhead of sidecar injection.
I: But once you start thinking about encrypting from node to node, this is something that can also be achieved without talking about a service mesh. It can already be thought about when you select the CNI; for example, Project Calico and Weave, these two projects have encryption enabled by default. But sometimes, if you are in a managed environment, like GCP,
I: you might not be able to change the CNI, or it's not going to be available, so this is still some part that we have to work on and see if we can provide anything on the traffic encryption side, and this is going to be all for us. I hope you have many questions, and if you have solved any of these problems, please let us know, and we are going to be happy to contribute and answer any question that you have. [unclear]