►
From YouTube: 20200728 Kubernetes Multi-Tenancy Working Group
Description
- MTB demo (Divya, Anuj, Jim)
- HNC update (0.5.1, v1alpha2, etc)
- Live from sig-multicluster: Naming Survey Results with 112 responses
B
All
right,
thank
you,
tasha,
so
hi
everyone.
This
is
jim.
I
am
going
to
give
a
quick
update
or
just
a
review
on
the
multi-tenancy
benchmark.
Work
that
we've
been
doing
and
anuj
and
divya
are
gonna.
Do
some
live
demos
on
what
they've
built
so
far?
So
the
goal
here
is
to
kind
of
checkpoint
and
get
some
feedback
see.
You
know
what
thoughts
are
on
next
steps.
B
So
just
a
quick
recap
for
those
of
you
who
might
not
be
familiar
with
the
benchmarks.
You
know
effort.
So
what
we're
trying
to
do
here
is
establish
a
set
of
guidelines
for
different
levels
of
multi-tenancy
and
then,
along
with
that,
have
some
automated
tests
that
we
can
run
on.
The
idea
is
to
be
able
to
run
these
on
one
or
more
namespaces
and
report
if
those
namespaces
are
properly
configured
for
multi-tenancy.
B
So
there
is
a
if
you
on
on
the
github.
You
know.
If
you
go
into
the
multi-tenancy
folder,
you
can
read
about
the
categories
definitions,
the
benchmarks
we
have
so
far,
but
today
what
we're
going
to
focus
on
is
a
subfolder
cuddle
mtb,
which
is
what
a
new
gen
divia
have
been
working
on,
and
you
know
we'll
see
that
live
so
just
to
kind
of
quickly
set
the
context
for
the
demo
and
then
I'll
hand
off
to
your
news.
B
C
Okay,
this
is
announced
hi
everyone,
I'm
gonna,
show
you
how
like
running
the
benchmarks
on
our
tenant
controller.
So
if
you
can
see,
let
me
show
you
first,
that
I
have
our
tenant
set
setup
already
using
the
tenant
controller.
If
we
get
a
tenant,
so
we
have
our
tenant
zero
cr
and
if
you
get
the
tenant
admin
name
space,
we
have
a
tenant,
zero
admin
and
if
you
look
into
the
tenant
admin
namespace,
we
have
one
tenant,
namespace
already
created.
C
C
C
C
C
So
you
can
pass
the
user
user
that
you
want
to
impersonate
while
running
the
benchmarks
with
the
as
flag.
So
if,
when
you
run
the
benchmark,
you
will
see
a
default
console
log
that
so
that
the
show
the
description
and
you
get
a
scorecard
of
all
over
what
was
the
what
happened
while
running
the
benchmark.
So
you
can
see,
we
have
classified
the
benchmark
result
into
the
four
categories.
Past
failed
skipped
and
the
error
pass
takes
place
when
it,
you
know
it
passes
the
benchmark.
C
Failure
is
like
it
didn't
pass
the
benchmarks
escape.
I
didn't
pass
skipped
any
so
it
is
zero
and
the
error
like
we
have
set
the
prerequisite
for
the
benchmarks
that
need
to
be
passed
to
actually
run
the
benchmark
like
we
have
any
benchmark
that
is
for
pod.
But
if
the
user
don't
have
any
code
privileges
to
create
or
something
that
so
we
will
put
that
benchmark
into
the
error
category.
That
user
can't
create
codes.
C
C
C
C
C
C
C
C
So
yeah
it
when
I
applied
all
the
thing
like
user
can
create
port
so
and
when
I
run
that
run
the
benchmarks
it
passed
according
to
the
configuration
you
have
applied
to
the
tenant,
namespace
or
the
tenant
user,
and
there
is
one
more
thing
like
you
want
to
create
policy
report.
That
is
a
new
repo
that
gym
has
been
working
on,
so
you
can
take
the
output
as
a
policy
report
object
for
that.
C
C
C
C
so
yeah
we
have
got
a
new
policy
report
that
is
created
in
again
in
p0
and
s0,
so
you
can
get
the
policy
reports
here,
so
yeah
yeah.
This
is,
can
be
used
for
the
multiple
purpose
that
you
can
put
it
on
a
job.
Jim
can
explain
this
better
than
me,
for
the
policy
report
aim
to
create
that
and
yeah
and
we
have
another
flag,
like
you,
wanna
run
only
the
profile
level,
one
benchmarks
to
profile
level,
two
as
well.
You
can
just
pass
dash
p
one.
E
E
A
question
before
we
go
on
two
questions.
One
question
was
we
we
started
by
setting
up
a
tenant.
I
see
that's
the
tenant's
credit
right.
The
tests
that
I
saw
it
looked
like
you
were:
writing
them,
mainly
in
a
namespace.
Did
the
tests
take
advantage
of
any
of
any
particular
feature
in
the
tendency,
or
do
you
or
or
was
the
10
series
just
the
way
that
these
these
policies
were
enforced?.
C
Actually,
the
main
aim
is
of
the
mtv
benchmark
is
just
to
validate
your
name.
The
namespace
you
have
provided
is
validating
the
bad
lines
or
not,
so
it
was
just
okay.
You
can
say
just
an
example:
we
used
for
our
demo.
We
use
the
tenant
controller
in
case
of
device.
She
will
use
just
a
normal
namespace.
She
will
create
her
own,
like
cubecode,
create
namespace
demo,
or
something
like
that.
C
E
E
B
So
the
benefit
here
is
for
cluster
admins.
It
gives
one
common
way
at
a
high
level.
You
can
get
output
from
different
policy
engines
and
scan,
for
you
know,
reports
within
namespaces
or
at
the
cluster
level,
and
then
you
would
link
to
details.
You
know
I
guess,
for
different
policy
engines
as
required.
B
C
Actually,
I'm
also
I
was,
I
had
already
set
up
all
the
things,
but
actually
I
had
to
apply
the
given
policies
I
have
you
can
see
like
I
work
all
in
our
in
this
hair,
but
when
I
saw
maybe
there
is
a
something
cash
problem
or
I
don't
know
it
so
it's
applied
already.
You
can
say
I
didn't
have
to
apply
so
it
passed
everything.
C
B
C
F
Hi,
this
is
faye
quick
question,
yeah
a
few
minutes
late.
So
I
I
see
your
test
kind
of
pause.
I
see
some
of
the
tests
say
block
using
abc,
so
I
feel
that
thing
can
be
done
by
kind
of
validation,
webhook.
So
do
you
need
a
web
hook
or
how?
How
does
it
test
around
to
make
sure
you
cannot
add
ipc
in
your
parts
back
or
that
is
not.
C
B
B
Those
would
have
to
be
enforced
by
a
policy
engine
right.
So
we
focused
on
gatekeeper,
oppa
and
caverno.
We
did
not
use
pod
security
policies.
I
guess
as
they're
still
beta
there,
and
I
guess
the
plans
are
to-
I
think
it's
a
few
years
out,
but
the
plans
are
to
deprecate
them.
So,
instead
of
that
we're
using
policy
engines
to
enforce
the
actual
behavior
to
get
the
test
to
pass.
F
B
D
D
D
So,
as
you
can
see,
the
most
of
the
test
failed
this
passed
because
the
current
year
doesn't
have
the
privilege
that
is
create,
update
and
use
privilege.
So
that's
why
this
test
passed,
but
other
tests
failed.
So
what
are
you
doing
either
picking
one
of
the
tests?
That
is
a
block
use
of
notepad
services
and
I
will
apply
oppa
gatekeeper
here.
So
with
the
upper
gatekeeper,
we
need
a
constraint
template.
So
actually
I've
already
applied
the
constraint
template
because
it
takes
some
time
to
activate
so
I'll
show
it
here.
D
So
you
can
see,
I
have
a
constraint
template
here
that
is
kts
block
node
code.
So
what
consent
template
is
actually
it
defines
the
schema
and
the
rego
logic
of
the
oppa
policy,
and
then,
after
that,
we
need
to
apply
a
constraint
which
basically
defines
the
scope
of
object
to
which
a
specific
constraint
template
applies
to
so
I'll,
be
applying
a
constraint
template
here.
I
constrained
you,
so
you
did
and
I'll
run
the
test
again.
F
F
B
Right
so
I
think
one
of
the
and
these
tests,
you
know
the
the
ones
we
decided.
I
think
we'll
have
to
go
and
re-review
the
list
and
see
what
how
we
want
to
position
most
of
these
checks.
But
the
idea
here
was,
of
course,
if
you're,
using
a
noteport
service
in
a
multi-tenant
environment,
that's
a
shared
resource
right,
so
I
I
know
it's
pretty
common
to
use
noteport
services
on
for
several
things.
So
the
question
is:
is
this
in
a
multi-tenant
environment?
What
is
the
perspective?
Is
it
recommended
to
use
or
not
right?
B
B
G
B
B
B
Two
checks
right,
so
these
are
all
what
deviantart
showed
up
these
checks.
We
have
automated
and
now
we
are
able
to
test
on
any
namespace
right
and
for
each
one
of
these,
like,
for
example,
block
privilege
containers.
If
you
click
in
there's
details,
you
know,
and
what
the
rationale
is
why
we
think
this
is.
You
know
important
for
multi-tenancy
and
then
how
to
remediate
right.
B
This
is
also
it's
very
straightforward
now
to
add
new
benchmarks
and
it
will
generate
a
lot
of
these
files
and
definitions
from
some
yamls,
so
we'll
show
that
in
the
next
you
know
in
the
next
session,
like
two
weeks
out
on
how
to
do
that,
and
then
we
have
to
update
this
wiki
with
the
latest
tests
and
we
need
to
re-review
what
we
do
for
profile
level.
One
two
and
three.
G
B
Yeah,
so
it's
a
coupe
cuddle
plug-in.
You
can
download
that
we
will
publish
it
with
crew
at
some
point,
so
you
can
download
it
run
it
on
any
namespace.
So
the
idea
is,
you
would
run
it
in
a
namespace
as
a
user,
so
that
those
were
the
two
two
parameters
you
just
give
it
a
name
space
and
what
role
you
want
to
test
with
and
and
it'll
do
the
checks.
G
B
B
Good
good
question,
so
we
were
so
one
option.
We
could
follow
something
similar
to
what
coupe
bench
does
is
right.
You
know
they
just
containerize
the
command
line
and
run
it
inside
the
cluster,
so
we
could
do
the
same,
and
since
since
mtb
can
also
generate
policy
reports,
it
could
also
be
run
as
a
cron
job
where
periodically
it
would
just
generate
policy
reports
right.
B
E
B
B
E
I
should
probably
have
a
chat
with
you,
jim
about
or
the
other
members
of
your
team
about
seeing
how
hierarchical
namespaces
interact
with
all
of
this
as
well.
I
know
that
you
asked
a
question
or
two
on
on
slack,
but
I
haven't
really
thought
about
it
systematically,
but
it
was
I
enjoyed
watching
the
presentation,
so
I
get
a
better
idea
of
what
you're
up
to.
B
E
So
that's
one
really
nice
improvement,
which
is
already
paying
dividends
other
than
that
ichi
is
working
hard
on
the
results
of
our
api
review.
So
basically
we
did
a
an
api
review
with
jordan.
Leggett,
who
is
this
is
one
of
like
passing.
The
api
review
is
one
of
the
requirements
that
we
have
of
graduating
from
the
incubator
directory
into
our
own
repo,
and
I
believe
that
the
the
virtual
cluster
project
is
also
looking
at
a
going
through
a
similar
process.
E
The
security
review
is
the
other
thing
that
will
be
required
after
that,
so
she
is
working
hard
on
that
and
our
goal
is
that
we're
going
to
hold
the
next
minor
release
of
hnc,
which
is
0.6
until
we
have
that
until
we
have
that
new
api
in
place,
so
that
will
be
v1
alpha
2..
We
will
have
a
one-way
upgrade
process
so
that
anybody
who's
using
agency
now.
H
E
Has
a
bunch
of
crds
of
our
custom
resources
in
the
cluster
we'll
be
able
to
install
the
new
one?
It
will
automatically
update
all
of
your
existing
crs
to
the
new
format.
You
will
not
be
able
to
downgrade,
but
it's
a
fairly
easy
process
to
backup
your
cluster.
If
you
want
to
ahead
of
time
and
so
she's
working
hard
on
that
other
than
that,
as
I
said,
I'm
about
to
release
zero
five
one,
it's
got
a
couple
of
minor
bug
fixes
on
top
of
0.5.
E
So
if
you,
if
you,
if
you're
using
either
of
those
on
gke,
you
can
go
in
and
turn
on
what
we're
calling
hierarchy,
controller
and
it'll
install
agency
in
a
couple
of
integrations,
so
the
config
sync
and
acm
have
actually
adopted
the
hnc
tree
label
model
so
that
you
can
use
your
you
can
use
a
common
way
referring
to
the
hierarchy.
That
was
in
your
git
repo,
which
wasn't
instantiated
on
the
cluster
as
any
namespaces
that
you
do
create
on
the
cluster
that
weren't
available
again.
F
E
Apologize,
I
think
it
went
out
on
the
slack
channel,
but
we
may
not
have
sent
it
out
on
the
mailing
list.
If
you
you
go
up,
you
should
be
able
to
see
the
results
of
the
reviews
so
yeah.
Basically
we
went
to.
I
don't
know
how
you
become
an
api
reviewer.
To
be
honest,
being
charging
is
probably
a
good
qualification,
but
he
and
mike
dennessy
went
over
the
v1
alpha
one
api
and
looked
for
all
the
kinds
of
any
kind
of
stylistic
inconsistency.
E
And
then
there
were
a
variety
of
of
problems
mainly
on
the
reporting
side,
like
our
specs
are
pretty
much
unchanged
in
alpha
2
as
they
weren't
all
for
one,
but
the
stat
a
bunch
of
the
ways
we
report
the
status
is
changing
so
yeah
we
basically
just
went
to
sigoth.
We
asked
him
for
a
review.
He
gave
it.
E
It
was
the
the
attendees
were
myself
ryan,
attended,
ichi
and
and
jordan
and
and
mike,
I
think,
were
the
main
attendees
and
you
wrote
up
a
report
about
what's
changing
and
I
believe
that
got
sent
to
the
slack
channel
ishii.
If
you're
on
the
line
did
you
send
that
out
to
the
mailing
list
as
well
or
just
slack
or
someone
else,.
E
F
E
Yeah
they
didn't
ask
this
to
change,
certainly
very
little
structural,
nothing
that
a
web
hook
can't
handle
and
especially
because
we're
still
just
at
the
alpha
level,
we
actually
got
the
advice
that
we
shouldn't
even
be
bothering
with
my
books.
We
should
just
make
people
upgrade
by
hand,
didn't
really
like
the
the
sound
of
that
myself.
E
H
H
I
did
look
through
the
additional
name
suggestions
we
put
a
blank
in
there
of
what
terrific
name
did
we
miss.
I
didn't
see
any
winners
in
there.
There
were
a
lot
of
suggestions
for
names
that
we
already
disqualified,
particularly
cluster
group.
The
only
new
ones
were
cluster
pool
cluster
fleet
and
cluster
array.
H
H
E
E
Attribute
of
tenancy
because
all
of
our
tenancy
models
use
name
spaces,
except
for
perhaps
virtual
clusters,
which
are
a
bit
of
a
special
case.
So
it
is
maybe
interesting
to
have
this
idea
that,
across
a
it
looks
like
cluster
set,
is
the
winner
yeah?
You
could
have
a
common
set
of
tens
that
are
using
multiple
clusters,
either
across
regions
or
availability
zones,
or
other
things
like
that.
H
H
There's
network
sharing,
which
there
are
several
different
tools
for
there's
job
sharing
across
clusters,
which
is
the
old
federation
approach,
and
it's
still
a
thing,
and
now
one
of
the
new
things
we've
gotten
is
namespace
sharing
right,
as
in
you
can
say
that
this
particular
namespace
is
going
to
be
and
its
objects
will
be
shared
across
all
of
these
clusters
and
there's
a
reconciliation
loop
to
make
sure
that
the
objects
in
the
name
space
exist
in
all
of
these
various
clusters.
But
we
needed
a
name
for
that.
H
H
Yeah
so
anyway,
so
you
know
that's
what
that's
going
on
that
hasn't
been
announced
yet,
but
when
we
have
our
next
monster
meeting,
the
survey
is
over
so
we'll
be
picking
that
as
a
name
the
and
incidentally,
if
you
all
need
to
run
surveys,
I've
become
the
sort
of
community
person
for
manipulating
the
cncf
surveymonkey
instance
so
feel
free
to
ping
me
on
slack.
If
you
need
a
survey.