►
From YouTube: Multi-tenancy working group regular meeting 20210824
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
A
We
don't
have
a
strong
agenda
today
and
we
might
end
up
leaving
a
little
bit
early,
but
we've
just
been
having
a
chat
with
a
couple
of
the
new
folks
who
joined
us
today
and
we're
going
to
be
talking
about
what
people
want
to
see
out
of
our
cucumber
panel
that
we
need
to
record
within
the
next
week
or
so
or
two
weeks
and
as
well
what
people
are
hoping
to
see
so
out
of
the
multi-tendency
working
group.
A
So
I
just
wanted
to
answer.
I
think
I
think
marco,
who,
from
new
york
times
was,
was
asking
about
this
there's
a
couple
of
projects
that
are
that
have
been
going
on
in
this
group.
One
of
them
is
hierarchical,
namespaces,
which
is
a
way
of
doing
in-cluster,
multi-tenancy
and
then
you've
got
bay,
who's
been
leading
virtual
clusters
and
that
work
has
mainly
moved
over
to
the
cluster
api
repo
correct.
Oh
sorry,
marco,
that
is
hierarchical
namespaces.
B
Yeah
yeah
so
yeah
yeah,
so
the
all
the
new
changes
we
we
made
it
on
the
champion
repo
with
the
major
cluster,
but
barely
this
there
in
a
virtual
cluster,
the
synchronization
part
is
kind
of
pretty
stable.
We
are
mostly
working
on
the
canon,
converting
management
stuff
we're
trying
to
leverage
a
caption
framework.
A
And
then
we
also,
so
those
are
the
two
projects
that
basically
help
you
to
do
multi-tenancy
and
then,
in
addition
to
that,
we've
got
multi-tenancy
benchmarks,
which
are
run
by
jim.
So
jim.
Do
you
want
to
mention
that.
C
Yeah
sure
so
the
idea
there
was
to
provide
a
way
of
measuring
multi-tenancy
so
basically
checking
both
through
configuration
checks
as
well
as
runtime
checks.
Whether
a
namespace
is
a
provision
for
multi-tenancy,
so
we
have
a
fairly
good.
You
know
set
of
benchmarks.
It
requires
like
either
psps
or
a
policy
engine
to
be
configured,
because
it
also
does
things
like
making
sure
privilege,
pods
and
things
which
can
access,
hosts
resources
and
and
violate
multi-tenancy
concerns.
Those
aren't
permitted
right
so
there's
about,
if
I
recall,
like
17
or
18
checks.
C
So
far
and
there's
a
few
you
know,
requests
were
received
for
more
checks,
but
it
certainly
continued
to
maintain
things
as
things
come
up
and
but
it
can
be
the
main
use
case
we've
seen.
Is
it
being
used
to
validate
multiple
namespaces,
but
it
should
be
fully
reusable
with
even
control
planes
as
a
service
or
virtual
clusters
or
capy
nested.
Any
form
of
that.
A
Thanks,
jim
and
one
of
the
things
that
we
were
discussing
earlier
is:
does
it
still
make
sense
to
keep
this
group
as
a
standalone
group,
because,
basically,
what
we
did
was
we?
We
started
incubating
a
couple
of
things
in
this
group.
A
Two
of
the
three
have
now
graduated,
so
hierarchical,
namespaces
graduated
to
its
own
repo,
that
was
sponsored
by
sigoth
virtual
clusters,
has
now
graduated
to
its
own
project.
That's
part
of
sick
multi-cluster,
correct,
okay,.
B
A
Yeah
and
so
working
groups
are
typically
meant
to
be
kind
of
time.
Limited
entities
they're
not
usually
actually
supposed
to
run
for
three
years,
which
I
believe
this
one
has
or
so,
and
so
one
thing
that
we
were
thinking
about
is
does
it
makes
we
were
talking
about
this
in
an
earlier
meeting.
Does
it
make
sense
to
maybe
move
the
multi-tenancy
benchmarks
into
something
that's
on
bicycle
directly,
perhaps
and
say:
okay?
A
Well,
this
working
group
is
done,
we've
basically,
we've
come
up
with
our
new
primitives
and
which
are
control
plane
as
a
service
and
and
basically
enhancements
on
top
of
name
spaces,
as
well
as
some
checks
on
top
of
those.
A
Does
it
make
sense
to
still
have
something
that's
dedicated
to
multi-tenancy,
given
that
the
the
kinds
of
ways
that
you
can
implement
that
are
going
to
be
so
tight
into
the
other
special
interest
groups,
and
so
maybe
that's
something
that
our
new
members
who
have
come
to
this
group
and
not
to
sig
off
or
anywhere
else.
Maybe
this
is
a
good
chance
for
you,
folks
to
chime
in
on
that
and
tell
us
what
you
think.
A
Do
you
think
it
still
makes
sense
for
us
to
to
keep
this
as
a
standalone
grip,
or
should
we
fold
into
the
the
special
interest
groups
that
that
started
this
working
group?
So
why
don't?
I
nominate
because
he's
at
the
top
of
my
screen
I'll
nominate
marco
to
go
first.
D
Sure
I
I
don't
know
if
I
have
a
strong
opinion.
This
is
the
first
time
I've
come
to
any
meeting
regarding
kubernetes.
D
A
C
Yes,
I
guess
the
question
would
be
from
an
end
user
perspective.
Is
it
clear
what
you
know,
multi-tenancy
models
kubernetes
offers
at
this
point
or
like?
If
you
go
to
the
docs,
I
mean
obviously
we're
working
very
closely
with
these
projects,
so
we
know
what's
available
but
yeah.
I
always
wonder
like
for
new
users.
C
I
don't
know
if
you
go
to
the
kubernetes,
docs
and
search
up
multi-tenancy
like
what
do
you
even
get?
Where
do
you
you
know?
Is
there
a
place
to
start
and
say?
Okay,
these
are
the
proposed
models,
or
these
are
some
options
and
here's
where
you
go
for
more
information.
I
mean
marco.
When
you
started
researching
this
or
others.
You
know
on
the
meeting
when
you
looked
at
this,
what
did
you
find?
First
for
multi-tenancy.
A
I
feel
like
that
could
be
useful.
Like
we've
done
a
couple
of
blog
posts
over
the
years,
maybe
we
should
engage
with
sig
docs
document,
what
we
found
point
people
towards
the
projects
that
we
have
right,
like
both
the
sponsored
pro
like
the
cncf
projects
that
we
have
sponsored.
So
you
know
what
the
the
three
of
us
on
this
call
have
been
doing,
plus
some
of
the
other
community
contributions.
A
You
know
loft
capital,
all
that
stuff
caverno
gatekeeper,
which
we
haven't
really
done
a
lot
with
either
of
those
in
this
forum,
but
obviously
they're,
relevant
and
yeah,
maybe
that
maybe
that
should
be
like
a
good
wrap-up
project
for
this
working
group
and
then
we
can
declare,
if
not
victory,
then
at
least
the
end
of
the
beginning.
I
think
that
munir
did
you
have
anything
that
you
wanted
to
add
or
like
what?
A
What
is
it
that
led
you
to
where,
when
you
thought
of
multiple
tenancy
and
you
wanted
to
come,
join
this
meeting?
Oh
thank
you
for
the
offer
of
marco
when
you
said
that
you
wanted
to
help
out
with
sorry
when
you
said
you
wanted
to
to
research
multi-tenancy.
What
did
you
have
in
mind?
Was
it
the
policy?
Was
it
neighbors?
Was
it
something.
F
A
So
when
you
said,
htc
is
not
designed
for
what
we
typically
call
hard
multi
tendencies.
I'm
sorry
you're
still
interested
that
or
that's
just
where
you
started,
but
now
you've
ended
up
somewhere
else.
F
A
Cool
thanks
and
I
think
louis,
if
you
wanted
to
go
next.
G
Yeah,
no,
I
I
don't
think
I
have
have
too
much
to
add
on
on
top
of
what's
been
said,
you
know,
we've
been
doing
a
bunch
of
research
into
a
few
other
technologies.
You
mentioned
like
calverno,
and
it
kind
of
I
think,
there's
some
centralized
documentation
on
like
kind
of
the
state
of
the
world
or
where
to
look
at
for
what
the
state
of
the
world
is
would
be
helpful.
I
think
like
when
I
was
looking
through
the
docs
and
just
trying
to
kind
of
see
what
was
going
on.
G
You
know
ended
up
on
like
kind
of
thinking
about
attending
a
spattering
of
different
sig
meetings
and
looking
at
and
evaluating
a
few
different
technologies
and
so
having
something
kind
of
maybe
a
little
bit
authoritative
on
that
would,
I
think,
would
help,
maybe,
especially
especially
like
kind
of
classifying,
what
sort
of
use
cases
and
what
sort
of
kind
of
you
know
what
sort
of
semantics
or
whatever
it
is
that
you're
trying
to
achieve,
and
like
kind
of
like
lining
up
the
technologies
with.
Maybe
what
like,
how
things
are
being
approached.
E
No,
not
really,
I
think,
yeah
like
moving
to
the
cigar
for
hnc
and
virtual
cluster.
It
belongs
to
multiplanar.
So
that
makes
a
lot
of
sense.
E
B
My
my
opinion
is
that,
because
the
terms
of
multi-tenancy
it
is
it's
not
a
new
term.
It's
pretty
long.
It's
a
term
has
been
using
computer
science
for
decades.
So
that
implies
a
lot
of
things,
but
what
we
have
been
doing
right
now
in
this
working
group,
I'm
primarily
focusing
on
the
control,
translation,
everything
what
we've
been
doing
so,
as
I
think
as
time
goes
on.
When
people
dig
this
problem
more
and
more,
they
move
they
more.
They
may
care
more
about
in
the
data
plane.
B
It's
a
lot
of
things
in
the
node,
so
any
isolation,
probably
in
the
node.
You
know
any,
but
but
I
would
argue
that
some
of
that
problem
may
lead
to
kind
of
security
problem
like
you
know
the
problem
that
seek
all
cosmos-
or
I
don't
know
it's-
do
you
have
a
seek
for
security?
I
doubt
it.
B
Do
okay,
yeah,
so
yeah,
so
I
I
think
automatically
so
two
of
our
three
proposed
model
is
either
inc
a
namespace
service
or
in
the
conference
service,
the
very
at
least
in
our
stream.
B
We
rarely
touched
the
you
know,
isolation,
part
in
the
in
the
night
yeah
so,
but
that
I
I
you
know,
I
got
a
lot
of
some
questions
from
people
about
whether
how
you
isolate
you
know,
I'm
not
sure
if
we
should
seek
to
you
know,
do
something
or
move
that
injections
and
that's
just
one
of
my
concepts
because
for
the
control
plan
it
has
been
two
years.
I
really
see
any
other
choice
other
than
I
can
see
or
receive
to
make
this
things
better.
So
axos
was
proposed
to
change.
B
You
know
you
can
also
introduce
a
new
apis
for
tenancy,
but
in
fact
you
know
that
is
not
the
right
direction.
I
mean
most
of
us
saying
this
is
the
overhead
is
too
hard?
I
mean
it's
really
hard
for
people
to
change
the
old
plugin
to
introduce
new
api
dependency.
That's
what
I
saw,
and
the
auto
seems
to
you
know,
drop
that
idea
into
you,
guys
hnc
or
vc
type
of
thing.
So
that's
one
the
reason
I
was
thinking
as
a
working
group.
C
Yeah,
that's
a
good
point
and
I
recently
had
a
discussion
with
the
architect
at
the
pretty
large
sas
company
and
they
had
similar
questions
because
they
actually,
they
had
initially
assumed
that
you
know
the
control
planes
as
a
service
also
gave
them
node
isolation,
which
was
a
good.
You
know
point
of
discussion
and
clarification,
so
they're
like
okay.
Well,
so
we
obviously
need
a
combination
of
different
tools
and
techniques
right.
So
so
I
think
there's
still
a
few
things
missing.
C
Perhaps
in
that
big
picture
to
say,
if
you
really
want
you
know,
I
guess
quote-unquote
hard
multi-tenancy
or
some
level
of
multi-tenancy.
What
exactly
do
you
need
to
do?
And
if
you
want
to
completely
isolate
workloads,
there's
a
lot
more?
That
needs
to
be
done.
A
Yeah
it's
funny
because,
like
in
the
two
years
or
so
that
I've
been
here,
we
rarely
got
into
the
sas
use
case
that
much
we
didn't
really.
There
wasn't
a
lot
of
demand
to
get
into
the
like
protecting
the
workload
to
that
level
of
detail,
and-
and
I
think
that
this
may
would
probably
resonate
with
with
our
guests
today
like
from.
A
If
you
think
about
the
new
york
times,
you
probably
aren't
worried
about
two
new
york
times
developers
trying
to
attack
each
other,
there's
usually
within
an
organization,
a
certain
level
of
trust
and
you're,
more
worried
about
misconfigurations.
A
I
I
engaged
in
a
campaign
within
gke
which
was
unsuccessful
to
ban
the
term
multi-tenancy
completely,
because
I
hate
the
term
tenant,
because
what
is
a
tenant?
Is
it
a
person?
Is
it
a
workload?
Is
it
a
team?
Is
it
a
when
we
talk
about
sas?
We
often
talk
about
producer
consumer.
So
the
producer
is
the
organization
offering
the
the
service,
which
of
course
may
have
multiple
teams,
each
of
which
can
be
a
tenant
and
multiple
workloads.
And
then
you
have
the
consumers,
which
are
you
know
for
the
case
of
ga.
A
Would
be
anybody
using
gke
or
even
the
same
customer
using
gkbit
in
two
different
projects,
which
they
basically
ask
for
isolation
from
each
other?
In
the
multi-team
use
case,
you
generally
don't
need
hard
isolation
of
the
data
plane.
You
might
want
it
for
some
reasons,
but
you're
probably
not
worried
about
hacks
in
the
multi-consumer
use
case.
You
absolutely
do
need
to
care
about
that.
A
This
group
has
tended
to
veer
more
towards
what
I
would
call
the
multi-team
use
case
both
for
control
plane
as
a
service,
and
also
for
for
name
space
as
a
service,
even
for
example,
for
virtual
clusters.
I
believe
you
know
one
of
the
largest
users
is
apple
and
and
of
course,
that
is
within
their
own
organization.
They
just
thought
we
don't
want
to
have
to
coordinate
crd
versions
across
every
development
team.
We
want
them
all
to
be
able
to
just.
A
I
don't
know
if
that's
actually,
where
they're
using
it
I'd,
have
to
go
back
and
watch
the
keynote
again,
but
they
have
given
everybody
their
own
control
plane,
but
I
don't
know
if
at
least
I
don't
think
it's
been
brought
up
frequently
in
this
venue
that
they
need
runtime
isolation,
sandboxing
from
each
other,
so
yeah,
I
don't
know
if
I
would
say
that
it
that
this
this
working
group
has
not
completed
it's
working
to
solve
that
problem.
A
There
are
pieces
of
solutions
available
for
that,
but
I
would
almost
want
to
see
like
a
wg
sas
for
that
use
case,
because
in
that
case
there
would
be
a
large
number
of
things
that
might
need
to
be
solved,
of
which
the
data
plane
isolation
would
only
be
one
of
them.
Yeah
again,
I
haven't
really
seen
the
demand
in
this
group.
People
like,
I
would
say,
maybe
three
to
one
four
to
one
on
the
team
versus
sas.
A
Does
that
match
for
the
other
long
time,
group
members
does
that
kind
of
match
what
you've
seen
showing
up
at
this
group.
C
Yeah,
certainly
it's
more
internal
teams
trying
to
share
resources,
share
clusters
versus
external-
I
guess
end
customers
for
for
the
you
know,
for
whoever
is
running
the
application.
A
C
Yeah
we'll
have
to
check
if
ryan
was
on
there
as
well
or
not.
Okay,.
A
Yeah
and
maybe
we
can
basically
prepare
a
couple
of
notes
and
and
redo
a
version
of
this
conversation
for
for
kubecon,
and
that
will
probably
get
us
some
some
interesting
feedback
one
way
or
another,
rather
than
just
giving
an
update
on
what
we've
done,
but
yeah
take
that.
Take
the
idea
that
we
need
to
document
everything
that
we've
done
so
that
in
an
official
documentation,
not
just
blog
posts,
so
that
it's
easy
for
people
to
to.
A
As
I
forget
who
said
it,
but
I
think
it
was
marco
to
get
a
good
view
on
the
current
state
of
the
art
and
given
that
that,
given
that
these
models
were
introduced
about
two
years
ago,
we
haven't
seen
a
lot
of
diversity.
A
In
addition
to
those
we've
seen
a
lot
of
implementations
of
the
same
idea,
but
not
nothing
really
like
that
came
out
of
left
field
that
we
didn't
see.
So
there's
a
couple
of
virtual
cluster
implementations.
Now
I
just
discovered
that
there's
a
second
hierarchical,
namespace
implementation,
that's
like
explicitly
based
on
hnc,
but
got
some
of
the
details
different,
which
is
unfortunate,
that
they
didn't
email
me
first,
because
we
probably
could
have
just
put
that
into
agency.
A
C
Yeah,
I
guess
one
other
question
would
be
like
road
maps
for
both
you
know
the.
I
guess
the
cappy
nested
as
well
as
you
know,
hnc,
because
I
think
there
were
some
questions
also
on
the
slack
channel
on
when
hnc
hit
1.0.
What's
the
plan
for
that
things
like
that
would
be
good
to
capture.
C
I
guess
both
right,
so
in
the
presentation
at
least,
we
can
talk
to
some
of
the
you
know
immediate
plans,
but
then
longer
term.
Perhaps
it's
worth
our
session
or
two
to
kind
of
figure
out
what
is
needed
to
bring
these
to
a
1.0
sort
of
release
right
or
at
least
where
we're
saying
it's
generally
available.
It
can
be
used
in
production.
A
E
Like
you
mentioned
like,
there
are
multiple
implementations
at
this
point
for
virtual
clusters,
like
I
know,
but
at
least
three
like
this
kcp,
this
one
y
loft
and
one
this
group
has
so,
I
think,
like
I'm,
not
saying
this
for
the
coupon
presentation,
but
in
general
like.
E
I
think
it
would
be
good
if
we
can
point
out
the
similarities
and
differences
like
for
one
thing
like
all
of
these
three
have
the
concept
of
sinker,
and
I
heard
the
in
one
of
the
kcp
presentations
that
it
was
a
live
stream.
So
basically
they
said
that
it
would
be
nice
to
have
a
common
sinker
across
all
these
projects
right.
So
such
sort
of
differences
and
similarities
might
be
good
to
point
out
and.
A
E
Oh
yeah,
like
it's
open
source
yeah,
but
I
think
reddit
folks
are
leading
it
and
also
one
more
thing.
Just
came
to
my
mind
was
kcp.
Does
something
really
cool
with
crds
like
if
there
are
two
clusters
which
have
two
different
crds
installed
in
them?
They
do
a
type
negotiation
between
the
crds,
which
is
pretty
cool.
So
I
don't
know
like.
There
are
some
things.
B
Yeah
so
yeah,
if
you
are
talking
about
the
case,
speed
from
their
hand,
so
so
we
had
a
meeting
with
red
hat
before.
I
think
the
direction
is
kind
of
slightly
different
in
the
sense
that
they
want
to
make
the
very
concise
contribution.
It's
not
even
they
want
to
make
an
extremely
trimmed
version
contributions
for
tenants,
so
they
get
rid
of
all
objects
that
you
don't
need,
so
they
probably
even
get
rid
of
the
they
probably
just
leave
the
pot
or
even
get
rid
of
a
party.
B
If
you
don't
need
a
problem,
a
product
so
so
yeah
that
that
that's
they
call
it
not
a
virtual
class,
they
put
the
logical
cluster,
that's
doesn't
current
where
they
use,
they
create
watchmen
so
for
loft
and
vc.
B
Yes,
the
difference
is
hard
to
see
for
the
for
the
new
guys
at
a
glance.
They're
the
same,
so
I
I
I
don't
mean
they're
the
same,
but
at
the
underlying
the
underlying
immunization
is
different.
So
I
think
I
think
it'll
be
good
if
you're
in
a
panel,
we
can
compare
this
and
give
the
angry
what
you're
saying.
So.
I
think
it's
okay.
We
can
make
some
distinguished
points
because
there
are
some
assumptions
for
the
two
models,
both
virtual
custom
motor
and
the
loft.
So
you
know
a
lot
of
the
model.
B
I
think
the
the
major
difference
is
for
the
use
cases
for
the
loft
for
the
larger
use
case.
They
assume
that
the
user
can
access
the
underlying
supercluster,
whatever
class
they
own.
The
analyte
clusters,
but
in
virtual
cluster,
is
more
intense
towards
a
kind
of
a
source
model
or
marketing
model.
So
you
can,
they
can
only
access
the
virtual
classes.
They
don't
have
access
to
the
underlying
silver
clusters
that
that
makes
these
assumptions
makes
quite
different
in
terms
of
implementation.
B
From
some
aspects
I
would,
I
would
argue
that
that
that
would
be
the
major
differences,
but
for
the
new
people
is
potency
in
the
beginning.
I
think
it's
okay,
I
if,
if
we
can
leverage
this
chance
to
make
some
kind
of
reason,
I
think
that's
really
less
completing
our
plan
for
the
panel.
If
we
have
some
slides,
I
think
it's
good
to
compare.
E
Definitely,
and
also
like,
as
a
group
maybe
like,
there
are
three
different
projects
working
on
three
different
sinkers
so,
like
maybe
have
one
common
sinker
project.
That's
the
reason.
B
That
that's
the
reason
I
I
was
saying
so
because
of
the
assumptions
then
emerging
can
be
quite
difficult.
So
I
we
in
the
past
meetings,
we
have
a
long.
We
have
a
dedicated
meeting
to
talk
with
the
local
guys
receive,
qsync
can
be
compliant,
and
the
conclusion
is
that
we
can't,
because
the
changes
is
very
intrusive
and.
A
Because,
if
not,
maybe
we
can,
we
can
call
it
a
day
there,
but
just
so
that
everybody
knows
there.
If
you
want
to
talk
to
us,
there's
the
slack
channel
and
there
is
the
mailing
list
for
anybody
who
wants
to
to
pop
up.
I
usually
answer
my
slack
messages
within
a
day
or
two,
but
maybe
not
right
away
and
failing
that.
This
has
been
useful
and
I
think
that
we'll
be
able
to
take
some
of
what
we've
discussed
today.
A
Turn
it
into
our
panel,
which
will
we
will
record
by
the
end
of
next
week
and
it'll,
be
maybe
a
little
bit
out
of
date
by
the
time
it
gets
presented
at
kubecon
in
october.
But
hopefully
it
will
be
able
to
have
a
couple
of
decisions
or
at
least
directions
for
the
future
of
this
group.
A
Any
closing
thoughts
from
anybody
I
did
see
somebody
just
popped
up
sergio
if
you
wanted
to
say
hi
and
let
us
know
why
you
were
joining
in
today,.
A
Nope,
okay,
any
anything
else
from
anybody.
Jim
fay
visitors.
C
So
I
guess
maybe
just
more
of
concern
to
the
three
of
us
on
here.
I
guess
we
can
discuss
on
slack,
but
should
we
just
draft
up
a
list
of
questions
and
coordinate
with
tasha?
What
would
you
suggest
as
a
next
step.
A
Yeah,
why
don't?
I
start
a
doc,
throw
it
on
the
slack
and
we
can
okay
cool
from
there.
So
marco
asks
who
do
I
reach
out
to
help
with
docs?
I
have
recorded
your
offer
for
help,
which
is
very
generous,
so
thank
you.
I
recorded
that
in
our
our
meeting
notes,
which,
by
the
way,
people
don't
know
the
meeting
notes
are
here.
A
If
you
don't
like
anything
that
I
wrote
about
you
by
the
way
you
can
feel
free
to
change
what
I
wrote
about
you,
please
don't
change
what
we
wrote
about
anyone
else.
I
I
think
probably
the
best
thing
to
do
is
make
sure
you're
on
the
slack
and
then
once
we
have
some
kind
of
decision
about
how
we're
going
to
do
this
I'd.
A
Imagine
we'll
set
up
a
shared
doc
and
some
kind
of
proposal
and
we'll
we
will
get
in
touch
with
you,
because
having
helped
to
work
with
docs
is
always
good
and
I'm
sure
sig
docs
would
agree
with
that.
They
will
never
turn
down.
A
Okay,
well
with
that,
thank
you
very
much.
Everybody
for
joining
us
today
hope
you
got
what
you
came
for,
and
we
will
talk
to
you
again
soon.