From YouTube: Kubernetes WG Multitenancy 20181218
Description
December 12, 2018 - Kubernetes Multitenancy Working Group Meeting.
Agenda:
- Yisui Hu will go over outstanding KEPs:
  - Namespace population
  - Security profiles
Notes:
- Namespace Population KEP https://github.com/kubernetes/community/pull/2052
- KEP: Namespace Initializer https://github.com/kubernetes/enhancements/pull/645
  - Presented in SIG API Machinery twice; agreed to move forward by pinging all reviewers for explicit comments
  - Next step: namespace initializers upstream contribution
- Conformance: we need to get an explanation of what conformance end-to-end tests can and can't include
A: Cool. So today I'm going to go over the security profile KEP, which was drafted quite long ago and still sits in the kubernetes/community repo. The community repo is closed for supporting future KEPs, as KEPs are currently moved to a different repo. So probably in the future I will have a chance to resubmit a new KEP, mostly based on the same content, but maybe with a clearer scope. So, first about the security profile.

A: There's a lot of concepts like policy objects, like RBAC, PodSecurityPolicy, network policy, cluster stuff, and it also requires the cluster admin to have in-depth knowledge about security and the relevant domain area. Plus the complexity of setting up the correct command line flags to make sure there's no potential security risk. There's actually a lot of work to do, and without a common solution, people are also building in-house solutions with different kinds of tools. It's very difficult to share in the community.

A: People are building things in different ways and with different aspects from the user scenarios, so the proposal is trying to provide a well-defined common place for people to specify a best practice to set up a Kubernetes cluster which is secure, or even meets further restricting requirements, and potentially can be used to secure a cluster for a multi-tenancy scenario. So the proposal basically defines a syntax. For example, it can be presented in YAML or something, as a set of rules which includes three parts.

A: The first is about the provisioning configuration, so it defines a bunch of rules about the command line flags of all the Kubernetes control plane components, like API server, controller manager, scheduler and other kinds, including etcd, kubelet, and possibly other stuff like file permissions of certificate files and key files which must be secured. And these are basically rules, not something like predefined values for command line flags that can be directly used when you create a cluster.

A: Basically, first you specify the Kubernetes command line flags by some tools like kubeadm, and you can use the security profile. These rules validate that these command line flags comply with the security requirements. And the second part is all the cluster scoped policy objects, including PodSecurityPolicy and all the RBAC rules and other stuff. So these are mostly very simple Kubernetes resources that can be directly created once the cluster is up and running, and no additional mechanics are required for that. And the third part is about namespaces.

A: So we need some mechanism, when a namespace is created, so that the policy objects automatically get created inside the new namespace. So with all these three parts we can define a security profile like in this example, so you can think of that as a regular Kubernetes manifest file. So first I define the PodSecurityPolicy, and then a namespace template, which I will mention later; it is used to populate the policy objects into namespaces.

A: Then we can define a CRD, which is called a security profile, and within the CRD it references all three components. So in the spec, the first comes with provisioning rules to define standards on command line flags. Then it defines runtime rules to reference the namespace template, which you will create and populate into your namespaces. So, with all this information in one manifest file, you can simply use kubectl apply to import it as a whole into the cluster, and then with a controller running inside the cluster...

A: Let's quickly skip into the proposed security profiles. So in the KEP I propose two security profiles with different levels of requirements. The first is default, which is a very permissive profile, mostly focused on the command line flags, and tries to avoid some very basic mistakes like putting on basic auth or token stuff. So it has a very long list of provisioning rules to require turning off some insecure options, like anonymous auth and ABAC and things.

A: It has mostly no rules defined for the namespace scoped policies. And the second one is SaaS multi-tenancy, which is more restricted than the default one. So it will use PodSecurityPolicy, and by default the pods created in a namespace cannot be privileged, and it will disable privilege escalation and also may not allow root permissions, and it will also limit the volume types that can be used in a pod. And within this security profile you can also...

A: When you create a cluster, you simply specify the name of the security profile; it will take care of setting up everything automatically, and once the cluster is ready, all policy objects have been set up, and you are ready to use this cluster in a secure way. And also with a restricted security profile, when you create a new namespace, the namespace policy objects get automatically created into the new namespace.

A: So, let's go to the implementation. A little detail in the implementation: just as I mentioned in the example, a security profile is basically a set of manifest files. They are standard Kubernetes manifest files that define a bunch of cluster scoped policy objects and a custom resource called security profile, which includes provisioning rules and also a reference to a namespace template, which is another custom resource. And for provisioning rules,

A: it defines just rules, not the actual value of each command line flag. So, for example, you can define a rule saying the anonymous auth flag cannot be specified, or the admission control, sorry, the authorization mode ABAC cannot be present in the command line flags. So these are all kinds of rules, so you basically can write some tool to check the actual command line flags according to the rules. And runtime rules are mostly about the policy objects in a namespace.

A: Let's just skip this namespace selector right now, because this is still changing; I don't think the namespace selector is still applicable according to today. So in the spec there's a templates section. So it's basically an array of regular Kubernetes resources like roles, role bindings or that kind of stuff. You can basically define any Kubernetes resource in this template, and when a namespace gets created, the resources defined in these templates are created into the namespace.

A: So in a cluster you can define multiple security profiles, and at a time only one security profile is effective. So the way to do that is, we are introducing a security profile selector CRD, which has only one field called enforce, and the value specifies which security profile is currently being enforced, or say effective. And we can switch a security profile by updating this selector, and when a security profile gets switched...

A: For example, some rules take a while to get enforced, for example the namespace template when the namespace gets created. It takes maybe a few milliseconds to seconds to get all these policies created. So when we inspect the security profile, we can try to find out the status, whether a rule has been enforced or is still in progress. Okay.

A: So this is the namespace population KEP, and the motivation is, in the scenario introduced by the security profile, we need some mechanism, when a namespace gets created, so the policy objects get automatically created into the newly created namespace. And this is really helpful when we allow users to do self-service namespace creation. So thinking about alternative ways: basically when I want to create a namespace, I don't have permission to do that, and I have to explicitly ask the cluster admin to do that, or go through some different service API token things.

A: If we go down that path, it's actually much easier, because the different service API or the cluster admin can do everything after creating the namespace; they basically have the opportunity to create all the objects and everything, make the namespace ready and then notify me: okay, you can use the namespace. Then everything gets set up well. In the case where I want to create my namespace, I want to be quick, so I just use kubectl create namespace and provide my namespace name, and I want the namespace

A: to be ready with all the policy objects when it's ready. So that's the motivation for introducing this namespace population mechanism. To explain that in a shorter way: basically we are introducing a controller and another custom resource called namespace template. The controller is watching the namespace templates and also the namespace creation.

A: And an example of a complete creation flow is like: the user creates a namespace using the kubectl create namespace command, and basically the controller watches the creation of the namespace and extracts the objects in the namespace template and creates all these objects into the namespace. And there's a very important part in this flow about...

A: Why it's important: because it's a very common case, the namespace creator will not have additional permission in the cluster, especially in the multi-tenancy case. Otherwise, the namespace owner would be able to override all kinds of things the cluster admin manages. So while they create a namespace, we need an RBAC rule to grant the namespace admin permission to the creator, and after that the creator can add more users into the namespace or define further RBAC rules.

A: So the problem with this is, a controller in Kubernetes, when it watches the namespace creation, has no knowledge about who creates the namespace, and it will be impossible for the controller to create an RBAC role granting the user, the creator, the right privilege. So in this flow we have to leverage a mutating admission webhook which intercepts the creation of the namespace.

A: It basically adds a label to represent the creator of the namespace by passing in the username as the label value, and then, when the controller watches the creation of the namespace, it will have the idea who created the namespace. And going back to this namespace template example, we can see there's a role binding here with some parameter called creator, which will be substituted by the value from the label, and with that, once the role binding has been populated into the namespace, the creator will have the right permission to manipulate all kinds of things in the namespace.

A: And also regarding another problem in this proposal: basically, we have no idea when all the policy objects have been populated into the namespace. So there's a feature in current Kubernetes called initializers, that basically works by defining an initializer configuration with the namespace template controller. So when the namespace gets created, the initializer pending list will be populated with the namespace template controller, and when all objects get created into the namespace,

A: the controller will remove the name from the initializer pending list, and eventually the initializers admission control will be aware the namespace is ready and then allow the client to move forward. However, this mechanism is going to be deprecated because there's no other use case today using this feature, so I'm actually proposing another KEP to keep this feature specifically for namespaces, and at least we can have a mechanism to know whether all the objects have been populated into the namespace or not.

A: These are a few features I'd like to skip. These are more complicated features and we don't need these at the beginning. So, let's skip these. Something else to mention is about the schema validation: because the namespace template is a CRD, we don't have a full mechanism to verify if everything is correct in a namespace template. However, if there's anything wrong in the template, it will only be detected when we are trying to create objects into a namespace, at a very late time. So there's no better way to do that.

A: We will only see something like the namespace population failure from the events or from the logs. This is what we do today, and what we propose for the MVP scope, and if we can find some better ways, we can do that later.

A: And I think that's about the namespace population KEP. And if we go back to the security profile, the last thing I want to mention is about customization and extension. As we define a few standard security profiles, the customer still has the possibility to customize a security profile.

A: The way to do it is very simple: they just copy an existing security profile and rename it, and then update the rules inside and populate it into the cluster, then update the security profile selector to point to their own security profile. And that gives the possibility that the cluster admin is able to customize a standard rule, especially for their own business needs. So versioning and upgrading is another section we can discuss if we have an official repo of security profiles and we start development on that. But I will skip this for today.

A: One more thing, about working with config management systems. These systems basically manage all the Kubernetes manifest files in a source control repo, and they will have CI/CD to test all these changes before they push that into the Kubernetes system. So in that case, they definitely don't want some automatic mechanism to populate objects into Kubernetes, because they want everything to be explicit and managed in the source repo.
B: So, Yisui, again, this is lots of really good stuff. So before we get into some details, one quick question was, what was the status of the KEPs? I seem to recall that the technical committees have not yet approved these to go ahead, or sort of what was done in terms of getting these reviewed, and what was the response so far?
A: Things are still moving slowly, but getting a little progress. So, as I mentioned, the security profile KEP is a very big umbrella, which contains a lot of things, and this is definitely not good for a KEP to iterate on. So this is also the feedback I get from the community, so I'm trying to break out things. So the namespace population has been moved out. Well, as I just mentioned, the namespace population has another problem which requires the namespace initializer mechanism, so currently I'm working on the namespace initializer KEP. I can't share the specifics.
A: So this is definitely in the area of SIG API Machinery, and I have presented this namespace initializers KEP in SIG API Machinery twice, and actually we agreed to move forward by pinging every reviewer of the KEP individually, so I'm going to send email to individual reviewers for explicit comments about the KEP.
B: I think some thoughts I have is that obviously, as I mentioned, Yisui, you've done lots of really good work, and so we want to figure out how we, as a working group, can develop a position around this. As well as, I think, basically, we need to first develop a slightly higher level model. Because did you get the sense that the reviewing committee saw all of this in the context of a, you know...?
A: So, for each KEP, basically focusing on a specific area and a lot of details. It's not about a bigger picture of multi-tenancy on Kubernetes, so I don't know if there's a better way we can move on, like, for example, if we can rescope the security profile KEP to have a short-term scope and quickly get it approved, and then we can iterate on it, I think.
B: What I was saying was that even we could have a best practices guide, not just a guide but a reference configuration, with or without the actual CRDs in place, and get that also tied into Kubernetes conformance testing, so that we can then have a win with: here's how you can do a conformance test on a Kubernetes cluster created today, right, without any of these new CRDs. And, you know, it gives you this model today, and we make that very clear as to what is the expectation in terms of cluster rules and admin rules and the level of isolation and all that. And that gives us a win with existing objects and is passing the Kubernetes conformance, right. We iron out any gotchas there and then in parallel we build.
A: That's a great idea. I'd like to take one step back, so before we can... we need to be clear about writing two different ones, which has two...
C: Yeah, I think that makes a lot of sense. You know, this KEP is really well formed and definitely, you know, seems to be going in the path that we're interested in, and so now I think it's just: how do we sort of align, from a, you know, kind of how do we kind of get this moving? And I think looking at the conformance suite is a really good approach.
D: That clarification, probably: ask the conformance team, or give them a high-level idea of what we're trying to do, and ask for high-level feedback to start with, before we get too deep into it. So we can make sure what we're planning aligns with what conformance is actually supposed to do. Does that make sense? Yeah.
B: Planning together to put together some similar profiles, similar to what Yisui has as sample profiles, but then also, you know, kind of draft out some next steps, which include exactly what we've just discussed, which is, you know, a plan for aligning with conformance. So maybe, you know, we will do some prep work and then try to create some structure around that on the Jan. 15th call, and I'll put together some initial thoughts, which we should all work together on. Yeah.