From YouTube: Kubernetes SIG Windows 20180424
A
Hello, everybody, and welcome to another SIG Windows meetup. Thank you all for attending. We don't have a lot of updates today, so I'll just circle through a few of them and then we'll go around and provide status. So first Jason, who had a couple of people review your PR. It looks like a lien who's on the caller's wall. He can give us a little bit more detail, feedback, and I think Bob also reviewed it. So overall I think the feedback was positive.
A
So when you get to, you will have them also update that status from Apprenda. Who was so when I had then added a couple more developers to the project, so they can help with the road towards GA. A lot of the responsibilities initially will include getting ramped up, making sure our docs are up to date, but also start fixing a lot of the bugs that we're finding out of the effort that Alena and Microsoft are basically running.
A
B
B
Probably the biggest outcome that came out of that was that they had some suggestions around moving the data that's needed into a config map, rather than the secrets, because that's going to be much lower overhead to deal with, since we're not actually storing any passwords in there. That seems like a perfectly reasonable thing to do, but I need to think more about another area and go back to them in a few weeks, because the.
B
But I know that was an issue they were looking at, and they said that config map didn't suffer from the same limitations, and so there's not any reason that this needs to be a secret because, like, all the data is just like account names. It's not, you know, there's no password, there's no certificate in there; all that's handled separately, you know, by Windows, using secured connections with Kerberos between the nodes and the Active Directory controller. Yeah.
A
B
Yeah, but the other part of the use case that, you know, I hadn't really thought through, that they had a lot of feedback on, was how we control access to being able to use this feature. So let's imagine that you wanted to say that, you know, users that can deploy into a certain namespace can only use certain group managed service accounts. They think that we could probably achieve that sort of limitation.
B
So that way, you know, someone with access to one Kubernetes namespace can't use an unauthorized Windows account, if we either tie it to a Kubernetes service account, which can be restricted on a per-namespace basis, or possibly using a pod security policy. And so I think that's a pretty good thing to follow up on, so I need to dig more into those topics and see how they work and see.
B
A
I think, I guess, you know, that's actually a great point. We had to deal with something similar in Apprenda, but because group managed service accounts, I mean, what's gonna prevent someone from setting up their own Kubernetes cluster, with our own namespace, typing a few names in there and then immediately start having workloads run as group managed service accounts that are authorized? I mean, the only thing that can prevent that is someone called in Active Directory and saying only these target servers can use this managed services. Yes.
B
A
B
C
B
A
B
C
Yeah, so we've been having multiple discussions internally with that PR, also with the Azure team and the community in general. We wanted to put that out there just because, obviously, a lot of people are using the win CNI plug-in, right? However, what I want to point out is that longer-term, we are going to have those CNI plug-ins published, both for L2 bridge mode and overlay mode.
C
All that said, again, we're wanting to standardize, or rather consolidate, development of those CNI plugins on the container networking official repo I'm Elizabeth. That's why we were so hesitant to publish the source code, just because longer term, we already have the win L2 bridge, win overlay CNI plugins that are in PR review, and our development team is looking to finish those up, adding some CNI tests for them in the first week. Well, I'll definitely respond to the comments that we've received in the PR. I can do that now, even, but longer-term I.
A
Okay, that makes sense. I'm just trying to think right now, so, like, you know, obviously I lean and I think Bob. But if you did this work, is it worthwhile for them to, you know, how much of a thorough review, or like, an effort should they bring it in long term? We know when I go to the see a night out.
C
You know, adding a guide and a readme, having some other details about. You know, someone responded saying: does this solve the bill problem where we can't ping outside the cluster from inside? And a lot of these are separate from CNI and more generic kind of Windows networking questions, I would say. Yeah, we will definitely.
D
D
A
That I asked, so if nobody picks it up, can you just send me a quick message? Alex, coach Jeff, that's on the call, a couple of developers. Maybe we can put one of them. That would be good to ramp up everything for them, to make sure that (a) we can get the right pod- and node-level statistics and (b) the horizontal pod autoscaler can scale out Windows containers based on load, so Alex and his team can at least, I call this an early start on their work. Ok.
B
E
Your twenties, which enables a nice support for Windows Server 2016 people, build and regarding the win CNI. Thank you, Jason, for publishing the source code. There are some Nicias in Kubernetes did because it calls a lot of times the CNI when it shouldn't, and I might have a look at that and change it. So we should call the CNI again only when necessary and.
A
I think Alan, Bob, you wanna give us your update? And one of the other things that Bob is also spending some time now is ramping up a couple more developers from Apprenda I mentioned earlier, so see his and team is all going to harp on addressing bugs, like I mentioned earlier. Go ahead, Bob! Yes.
F
H
A
A
H
A
B
B
B
Okay, so what I've been experimenting with here is that, over the last couple months, we've had a series of patches in Windows that were needed in order to enable Hyper-V pod support, and the April cumulative update basically should have the last of those changes that are needed to be able to run one container per pod on Windows Server version 1709. And so on the node.
B
The only change that's really needed, other than installing that patch, is basically adding an extra feature gate enablement here, because this is currently an experimental feature. So, you know, the kubelet command line just needed that to be enabled there, and because it's an experimental feature.
B
I'll go for this 1709. This is enabled through an annotation here, yeah, within the deployment. So let me go ahead and give us a quick shot. Checks of cubes yeah. So right now, I have two nodes running here. These are both Windows nodes and, of course, I've got the Linux master. This is something I deployed through ACS Engine, but then I went and, you know, made a few updates to the machine, because this isn't all fully orchestrated yet for the setup steps, so.
B
So I'll show the quick changes between these two files. So in this one, this is the 2016 version. I'm deploying an image where, if you were to go pull that down and look at the base layers, it's actually based off of Windows Server 2016. If I tried to run this one without Hyper-V isolation, it's going to fail to start with an error.
B
You know, saying that there's an OS version mismatch. But now, of course, this one I've got using 1709; that one would succeed without this annotation because my host is also running 1709. But if this works the way it's supposed to, when you go and actually look at the containers on the host, you can see that they're Hyper-V isolated, so I should end up with both versions running side by side. So do kubectl get pod. Oh.
B
Hey, they got started really quick. Last night it took longer; I guess I had to pull the images. Okay, those are running on different nodes, but that's okay. So the first thing I want to do is actually show how you can, one of the ways you could tell if it's running as a Hyper-V container or not. So this node is 9001.
B
B
B
B
I'm still having some issues getting 2016 containers working the way they need to, and I think we may need to actually patch the 2016 base image as well to work with service IPs, but that's something that I'd have to go over with Jason and Dinesh in more detail. So it's weird, because I had this working once and then it's not working on the 2016 today.
B
But you know, the key thing is that this is kind of, you know, we're now at the point where we've got an experiment where we can actually start being able to test the side-by-side Windows versions that are there, and that's going to be really important as we get to our TM, because we don't want people to have to update their containers at the same time they update their nodes. So this will let us run the mixed versions and, of course, there's, right, that extra isolation.
A
Excellent, thank you, Patrick. And there's also a question from Joe, if that's gonna work with Linux nodes on Windows. So on the Kubernetes front, you cannot run a Linux container on the Windows node today; we just haven't enabled that. But I don't know about Linux, specifically as it relates to running Linux containers on Windows, so Patrick, you know that? Yes.
B
You know, we could run two daemons on Windows: one is configured to manage Linux containers and one is configured to run Windows, and those will work side by side. You know, I've done that for development purposes, but I haven't tried running two kubelets side by side talking to two different Moby engines.
B
Maybe, it may be feasible, but I think there's going to be some really interesting problems, particularly with, like, resources, because, you know, what would happen is, let's say I schedule a pod and say: give it a gig of memory for a Windows container. Well, now all of a sudden, the free memory is gonna change for the, you know, Linux node that's running on the same hardware and.
A
Who handled the routing in that case? So the Windows node would still handle it. So kube-proxy in the Windows node, yeah, would handle the routing for both Linux and Windows containers. I don't think it's something we'll probably invest in anytime soon, but yeah, that's interesting that it could be a possibility in the future, yeah.
B
C
B
I guess, to sum it up, you know, we need to get the Windows support done first and then sort of think about what the use cases are that we want to enable for Linux containers on the same node, and then, you know, work towards those. So if anyone has use cases or feedback on that, would love to hear. So, and that answers Joe's question. Yes, this needs a one point.
A
Cool, all right, I think we're right at time. Thank you all for attending. We'll talk. There's a couple of agenda items code added in the next few weeks, so I'll address those later, including some of the work around the iSCSI, SMB Windows plugins and the Huawei demo. Alright, everybody, have a great rest of your day. I'll see you guys next week. Alright, alright, thanks a lot. Thank you vex lately.