From YouTube: 20200728 Kubernetes Multi-Tenancy Working Group
Description
- MTB demo (Divya, Anuj, Jim)
- HNC update (0.5.1, v1alpha2, etc)
- Live from sig-multicluster: Naming Survey Results with 112 responses
A
Hey everybody, and welcome to our regularly scheduled multi-tenancy working group session. Today Jim, Divya and Anuj will be going over the multi-tenancy benchmark project and doing a demo, and then Adrian's gonna give an update on the hierarchical namespace controller project.
B
All right, thank you, Tasha. So hi everyone, this is Jim. I am going to give a quick update, or just a review, on the multi-tenancy benchmark work that we've been doing, and Anuj and Divya are gonna do some live demos on what they've built so far. So the goal here is to kind of checkpoint and get some feedback, see what thoughts are on next steps.
B
So just a quick recap for those of you who might not be familiar with the benchmarks effort. So what we're trying to do here is establish a set of guidelines for different levels of multi-tenancy and then, along with that, have some automated tests that we can run. The idea is to be able to run these on one or more namespaces and report if those namespaces are properly configured for multi-tenancy.
B
So if you go on the GitHub, you know, if you go into the multi-tenancy folder, you can read about the category definitions and the benchmarks we have so far, but today what we're going to focus on is a subfolder, kubectl-mtb, which is what Anuj and Divya have been working on, and you know we'll see that live. So that's just to kind of quickly set the context for the demo, and then I'll hand off to Anuj.
B
So we're going to see two demos. One is, you know, with the tenant controller: we'll see how namespaces are set up using the tenant controller CRs, and then how the MTB tool can run a set of benchmarks and report results. And then, to rectify, or you know fix, particular problems, we'll see how we can use Gatekeeper/OPA as well as Kyverno to install policies, then rerun the benchmarks so that we get a pass on, like, all of the profile levels.
B
So with that, let me stop sharing, and I think Anuj, Divya, whichever one of you wants to go first, you can share and go through the demo.
C
Okay, this is Anuj. Hi everyone, I'm gonna show you, like, running the benchmarks on our tenant controller. So if you can see, let me show you first that I have our tenant set up already using the tenant controller. If we get a tenant, so we have our tenant-zero CR, and if you get the tenant admin namespace, we have a tenant-zero admin, and if you look into the tenant admin namespace, we have one tenant namespace already created.
C
So at present we have around 14 benchmarks. Most of them are profile level one benchmarks and we have a single profile level two benchmark, and we can filter these benchmarks according to the profile level: if you apply the flag, get benchmarks -p1, it will show you all the level one benchmarks.
C
So right now we don't have more than that; we have only benchmarks, all of level one and a single one of level two. So those are the total benchmarks. So we are now gonna run our benchmarks over the.
C
So you can pass the user that you want to impersonate while running the benchmarks with the --as flag. So when you run the benchmark, you will see a default console log that shows the description, and you get a scorecard overall of what happened while running the benchmark. So you can see we have classified the benchmark results into four categories: pass, failed, skipped and error. Pass takes place when, you know, it passes the benchmark.
C
Failure is like it didn't pass the benchmark. Skipped: I didn't skip any, so it is zero. And the error: like, we have set prerequisites for the benchmarks that need to be passed to actually run the benchmark. Like, we have a benchmark that is for pods, but if the user doesn't have any pod privileges, to create or something, then we will put that benchmark into the error category, that the user can't create pods.
C
So let's assign the user the role to create the pods, deployments and other things that we need in our benchmark. So I have already created the thing.
C
Can you see my VS Code? Hello. So I will create now a role for our user that has some privileges, like pod, service, deployments, and a role binding to my user, and a resource quota for a benchmark.
C
So yeah, when I applied all the things, like, the user can create pods, and when I run the benchmarks, it passed according to the configuration you have applied to the tenant namespace or the tenant user. And there is one more thing: like, if you want to create a policy report, that is a new repo that Jim has been working on, so you can take the output as a policy report object for that.
C
Yeah, so we have the status: 13 pass, one fail, warning zero, error zero, skip zero. Now we have some more flags I wanna show you. Like, if you wanna skip some benchmarks, you can pass it in the skip flag.
C
So yeah, we have got a new policy report that is created, again in p0 and s0, so you can get the policy reports here. So yeah, this can be used for multiple purposes, that you can put it on a job. Jim can explain this better than me, for the policy report aim to create that. And yeah, we have another flag: like, if you wanna run only the profile level one benchmarks, or profile level two as well, you can just pass -p1.
C
It will just run only the first level benchmarks, so it will now run 11 benchmarks out of 14, because two were skipped via the skip flag and one was skipped through the profile level flag, yeah.
E
A question before we go on, two questions. One question was: we started by setting up a tenant. I see that's the tenant's created, right. The tests that I saw, it looked like you were running them mainly in a namespace. Did the tests take advantage of any particular feature in the tenancy, or was the tenancy just the way that these policies were enforced?
C
Actually, the main aim of the MTB benchmark is just to validate your namespace: whether the namespace you have provided is validating the guidelines or not. So it was just, okay, you can say just an example we used for our demo. We use the tenant controller; in the case of Divya, she will use just a normal namespace. She will create her own, like, kubectl create namespace demo, or something like that.
C
For me, I just use the tenant controller to just show you the application of that. We can use different multi-tenancy aspects.
E
Cool, and the only other question I had is: what was the motivation to make the policy report a custom resource, as opposed to, for example, like outputting it as a file? What's the benefit of keeping it on the cluster?
B
Yeah, so, yeah, I can provide some more context to that. So the policy report is something that's being worked on in the policy working group, and there has been quite a lot of discussion on different ways to capture outputs from different policy engines like OPA, Gatekeeper, Kyverno, even Falco.
B
So the benefit here is for cluster admins. It gives one common way, at a high level: you can get output from different policy engines and scan for, you know, reports within namespaces or at the cluster level, and then you would link to details, you know, I guess, for different policy engines as required.
C
Actually, I had already set up all the things, but actually I had to apply the given policies. You can see, like, I worked all in this here, but when I saw it, maybe there is some cache problem or I don't know, so it's applied already. You can say I didn't have to apply it, so it passed everything.
C
Okay, I can just.
F
Hi, this is Fei, quick question, yeah, a few minutes late. So I see your tests kind of pass. I see some of the tests say block using IPC, so I feel that thing can be done by kind of a validation webhook. So do you need a webhook, or how does it test around to make sure you cannot add IPC in your pod spec, or is that not?
B
Yeah, so I can explain it. Maybe Divya can also show, like, one sample for a test case. So the tests are actually, some of the behavioral checks are actually trying to perform that application, like the operation.
B
So, for example, if you're trying to see, can a user, for example, like, you know, let's say change resource quotas, right, so it's actually performing that operation, and then, you know, recording the result. And then, of course, for things like where we want the user to not access, like, host path or other checks.
B
Those would have to be enforced by a policy engine, right. So we focused on Gatekeeper/OPA and Kyverno. We did not use pod security policies, I guess, as they're still beta there, and I guess the plans are to, I think it's a few years out, but the plans are to deprecate them. So, instead of that, we're using policy engines to enforce the actual behavior to get the tests to pass.
D
So, as you can see, most of the tests failed; this one passed because the current user doesn't have the privilege, that is, create, update and use privilege. So that's why this test passed, but other tests failed. So what I'm doing here is picking one of the tests, that is "block use of NodePort services", and I will apply OPA Gatekeeper here. So with OPA Gatekeeper, we need a constraint template. So actually I've already applied the constraint template, because it takes some time to activate, so I'll show it here.
D
So you can see I have a constraint template here that is k8s block NodePort. So what a constraint template actually is: it defines the schema and the Rego logic of the OPA policy, and then, after that, we need to apply a constraint, which basically defines the scope of objects to which a specific constraint template applies. So I'll be applying a constraint here. Okay, that's applied, and I'll run the test again.
D
Like, as you can see, it passed. So yeah, so this test was done on a simple namespace and a user that I created locally on the system, without using a tenant.
F
I understand, I'm also part, but, for example, the NodePort service, I think, yeah, I'm a little bit confused, because this seems to have nothing to do with namespaces, right. It's the node setup, or?
B
Right, so I think one of the, and these tests, you know, the ones we decided, I think we'll have to go and re-review the list and see how we want to position most of these checks. But the idea here was, of course, if you're using a NodePort service in a multi-tenant environment, that's a shared resource, right. So I know it's pretty common to use NodePort services for several things. So the question is: in a multi-tenant environment, what is the perspective? Is it recommended to use or not, right?
B
So what the test will actually try is to create a NodePort service and see that that's denied, right. So I think each one of these is written.
G
Hi, this is Johnny, and for this NodePort service, in addition to trying to create and seeing if it's rejected, do you try to list any existing NodePort services?
B
Two checks, right. So these are all what Divya showed, all these checks. We have automated them and now we are able to test on any namespace, right, and for each one of these, like, for example, block privileged containers, if you click in there's details, you know, and what the rationale is, why we think this is, you know, important for multi-tenancy, and then how to remediate, right.
B
This is also, it's very straightforward now to add new benchmarks, and it will generate a lot of these files and definitions from some YAMLs, so we'll show that in the next, you know, in the next session, like two weeks out, on how to do that. And then we have to update this wiki with the latest tests, and we need to re-review what we do for profile levels one, two and three.
G
Thank you, sorry. I'm not familiar with the details of this, so it's just a simple question: can this benchmark tool be run against any Kubernetes cluster, or does it require some? Oh, okay.
B
Yeah, so it's a kubectl plug-in. You can download that; we will publish it with Krew at some point, so you can download it, run it on any namespace. So the idea is, you would run it in a namespace as a user, so those were the two parameters: you just give it a namespace and what role you want to test with, and it'll do the checks.
B
Good question. So one option, we could follow something similar to what kube-bench does, right. You know, they just containerize the command line and run it inside the cluster, so we could do the same, and since MTB can also generate policy reports, it could also be run as a cron job where periodically it would just generate policy reports, right.
E
So I know that, I don't know if Gatekeeper has an audit mode, but I know they were thinking of adding it, so yeah, some kind of audit mode, basically, right, right.
B
Yeah, so maybe every time a new namespace is created, for example, right, it's possible to then run the benchmarks and report for that namespace.
E
I should probably have a chat with you, Jim, or the other members of your team, about seeing how hierarchical namespaces interact with all of this as well. I know that you asked a question or two on Slack, but I haven't really thought about it systematically, but I enjoyed watching the presentation, so I get a better idea of what you're up to.
A
Thanks, cool. So I guess next up is Adrian's update on HNC.
E
Sure, so I just wanted to give a quick verbal update of where we are. So, as some of you may have seen if you're watching the repo, we have a new contributor named Jenny.
E
I don't know if she's on the call today, but she has been working on taking all of our terrible end-to-end bash scripts in the hack directory and turning them all into a suite of automated tests that we can run easily, and I've been using it to qualify the latest HNC release, which is 0.5.1. So a lot of hard work on her part, which has saved a ton of work for me, because for the last release it took me many hours to run all of the tests and verify the results manually.
E
So that's one really nice improvement, which is already paying dividends. Other than that, Yiqi is working hard on the results of our API review. So basically we did an API review with Jordan Liggitt, who is, this is one of, like, passing the API review is one of the requirements that we have for graduating from the incubator directory into our own repo, and I believe that the virtual cluster project is also looking at going through a similar process.
E
The security review is the other thing that will be required after that. So she is working hard on that, and our goal is that we're going to hold the next minor release of HNC, which is 0.6, until we have that new API in place, so that will be v1alpha2. We will have a one-way upgrade process so that anybody who's using HNC now and has a bunch of CRDs, of our custom resources, in the cluster will be able to install the new one. It will automatically update all of your existing CRs to the new format. You will not be able to downgrade, but it's a fairly easy process to back up your cluster ahead of time if you want to. And so she's working hard on that. Other than that, as I said, I'm about to release 0.5.1; it's got a couple of minor bug fixes on top of 0.5.
E
So if you're using either of those on GKE, you can go in and turn on what we're calling Hierarchy Controller, and it'll install HNC and a couple of integrations. So Config Sync and ACM have actually adopted the HNC tree label model, so that you can use a common way of referring to the hierarchy that was in your git repo, which wasn't instantiated on the cluster, and any namespaces that you do create on the cluster that weren't available again.
F
Can you briefly talk about the API review? It sounds new to me. So what is the process?
E
Oh, I apologize, I think it went out on the Slack channel, but we may not have sent it out on the mailing list. If you go up, you should be able to see the results of the reviews, so yeah. Basically we went to, I don't know how you become an API reviewer, to be honest; being Jordan is probably a good qualification, but he and Mike Danese went over the v1alpha1 API and looked for any kind of stylistic inconsistency.
E
So, for example, we had enums that were starting with lowercase letters, whereas the standard is that the first letter is uppercase. We weren't using a standard condition format, which apparently we're all supposed to be moving to, a standard way of reporting conditions.
E
And then there were a variety of problems, mainly on the reporting side. Like, our specs are pretty much unchanged in alpha2 as they were in alpha1, but a bunch of the ways we report the status is changing. So yeah, we basically just went to sig-auth, we asked him for a review, he gave it.
E
The attendees were myself, Ryan attended, Yiqi and Jordan and Mike, I think, were the main attendees, and Yiqi wrote up a report about what's changing, and I believe that got sent to the Slack channel. Yiqi, if you're on the line, did you send that out to the mailing list as well, or just Slack, or someone else?
E
Yeah, I can see it on Slack and it was on the mailing list as well. Why don't I, I'm gonna copy the link address and paste it into the chat.
E
Yeah, they didn't ask this to change, certainly very little structural, nothing that a webhook can't handle, and especially because we're still just at the alpha level, we actually got the advice that we shouldn't even be bothering with webhooks. We should just make people upgrade by hand. Didn't really like the sound of that myself.
E
Okay, okay, and we've discovered all kinds of entertaining dependencies between cluster CA bundles for validation webhooks versus CRD webhooks. Yeah. If you want to know about webhooks, talk to Yiqi, because she's discovered a lot of fascinating stuff lately.
E
Thanks. Anything else, any other questions for HNC? If not, I believe Josh is next on the agenda.
H
It was also 50 of the respondents of the hundred. There were 112 respondents; 50 of them picked ClusterSet as their favorite.
H
I did look through the additional name suggestions; we put a blank in there of "what terrific name did we miss". I didn't see any winners in there. There were a lot of suggestions for names that we already disqualified, particularly "cluster group". The only new ones were "cluster pool", "cluster fleet" and "cluster array".
E
Attribute of tenancy, because all of our tenancy models use namespaces, except for perhaps virtual clusters, which are a bit of a special case. So it is maybe interesting to have this idea that, across a, it looks like ClusterSet is the winner, yeah? You could have a common set of tenants that are using multiple clusters, either across regions or availability zones, or other things like that.
E
So, even though I think this has been discussed here, it's probably a good reminder for people on this group to keep an eye out on sig-multicluster, because there's some interesting stuff going on there that could, yeah, be involved with us.
H
There's network sharing, which there are several different tools for; there's job sharing across clusters, which is the old federation approach, and it's still a thing; and now one of the new things we've gotten is namespace sharing, right, as in you can say that this particular namespace is going to be, and its objects will be, shared across all of these clusters, and there's a reconciliation loop to make sure that the objects in the namespace exist in all of these various clusters. But we needed a name for that.
H
Yeah, so anyway, so you know that's what's going on. That hasn't been announced yet, but when we have our next multicluster meeting, the survey is over, so we'll be picking that as the name. And incidentally, if you all need to run surveys, I've become the sort of community person for manipulating the CNCF SurveyMonkey instance, so feel free to ping me on Slack if you need a survey.
A
Cool, well, thanks everybody, good meeting. We enjoyed the naming update, Josh, thanks for thinking of us, and yeah, I'll post this to YouTube, and if anyone has anything they'd like to talk about at our next meeting, please add it to the agenda.