From YouTube: Kubernetes SIG Windows 20210608
A
Welcome, everybody. This is SIG Windows; it's June 8th, 2021. This is our weekly meeting, and we are a part of the CNCF, and so, if you have any... so, we follow CNCF guidelines around.
A
So with that, we're going to get started today. We typically try to do some intros. I do see one or two names on the list that I haven't seen before. So if anybody wanted to say hello and just introduce themselves to the community and let us know why you're here, what you're interested in, that'd be.
A
Okay, if you do want to speak up, just let us know. So, announcements: code freeze is just a few weeks out; it's July 8th currently. And so I know that there's a lot of folks working on different components, but that's when the code freeze is happening, so just make sure you're aware of that and getting anything in. And there's also a patch release coming up. I think it's next week is the deadline for the next set of patch releases.
A
A
Okay, great, so then we'll go on to our agenda. I just wanted to call out the... we've made some updates to the gMSA webhooks. For 122, a bunch of APIs deprecated, and so a bunch of our end-to-end tests started failing, so I've... over the last week and a half I've been working on improving and cleaning that up. We had... we were using Travis CI, which is... was being removed at the end of May, and also.
A
Part of that was, I moved to the Windows... that the image that was... that's being published for the webhook to sig-windows-tools. It was on somebody's private repository, the original contributor, and so I've moved it over there. Just wanted to give it a heads up.
A
I also added version tags, so it's tagged to the commit that we have, and eventually I'll do a release once some other folks give some more tries on this. So if anybody is interested, please give that a try on the newest versions and let us know if there's any, any issues. So, any questions there?
B
Just a minor one, out of curiosity: I see that there's an image there. Is that the Windows or Linux image?
A
It is a Linux image. Yes, the, the, the webhook image is, is complete, but the webhook gMSA components all run on Linux. Okay.
A
Great. Yeah, we did have some folks validated in the community, so feel pretty confident with it, and all our tests are passing now, and so just a heads up for that argument. You had cloud controller manager.
C
Yeah, I don't remember if we discussed this before here, but our cloud team brought this to our attention today, about how some features that are part of the kubelet today is actually being extracted out, and if you are running with a provider external, especially Microsoft Azure, you will use this cloud node manager, or they call it, sorry, cloud controller manager, and that's going to take care of all that functionality that was provider specific that was built into the kubelet, and it'll run as a, you know, separate DaemonSet on the Windows node.
C
Is this on the same cadence as the pause image? Because I'm guessing you would need this image to work on all different versions of Windows, so are... is that image going to be like sort of up-to-date? Can we just use it? You know, if there's a CVE, is it... is it going to get fixed? Just wondering about that. And I'm... if we have discussed this here before, sorry, I must have like not been paying attention or something like.
A
That I don't think we have. I don't have a whole lot of information on this. I haven't been involved in this at all. I don't know if anybody else on the call has any information, but we can... I think I know who to, to ask, so.
C
Yeah, we should definitely be aware of this, because I think the way that kubelet gets configured on Azure is going to change, and mainly the command line parameters, and on Azure.
B
Regarding the, the... that image, you are asking if it is going to run for other, or Windows Server versions, right? Correct, yeah. Yeah, I think we can easily do manifest inspect on that image and see if it's a manifest list and if it contains multiple images for different OS versions. I can take a look at that.
C
And, and also it's on... the question was an extension, right? Is that going to be constantly updated? Because I know, like, the pause image, we, you know, we keep updating it, right? Every time there's a new OS release for Windows, that gets updated. Is that going to get updated, or, you know, should we be looking into running the CCM as a, as a service or something along those lines?
B
Just a second. I... there might be a chance that the date is also published inside the manifest list itself, but I'm not exactly sure about that one. I can tell you soon. Maybe if you download me.
B
And I looked upstream foreign that image only has supported platforms Linux amd64 and only one Windows.
B
amd64 10.0.17763, I guess that.
C
Oh, that's 2019 LTSC, James.
C
B
C
Yeah, sounds good. I just wanted to make sure that, that we, SIG Windows, are aware of this change coming down. I think it's slated for 124, and I tried looking for an enhancement around this sort of kubelet, you know, separating out the, the cloud provider specific configuration from the kubelet into an, you know, external binary.
C
C
I was about to ask that question also, yeah. I know the pause images. I don't know anything about that. I just found out about this an article, so.
B
The pause, the pause image, you can also find it in k/k in builds, pause or something like that. There's a folder for that, and it has support for every single OS versions of Windows. Yes, and now.
C
B
B
A
Yeah, there... it looks like there's a Dockerfile in here. So, of course, the cloud can manager Windows Dockerfile looks like it's hard coded to 1809 right now, but definitely can add support for that can.
A
A
Cool. I, I think we're running the out-of-tree cloud controller manager in CAPZ, but I don't know exactly how that's configured, so.
C
They're removing the cloud provider specific features that are today in the kubelet. They're removing it out of the kubelet, and, and so I think, at least starting with Azure, it's going to be mandatory to run this CCM on every master and on every control plane node and every worker node.
C
C
A
We should look at the OWNERS file. Yeah, so that one is Pankay, who works for Microsoft, so I'll follow up with him. Okay, internally, see if I can get more.
A
E
Yeah, sorry, I mean, I put it last minute on top of your item, because it's probably a very quick question. So last week you talked about the OpenSSH installer for, for image building, especially for air gap environment. I was just wondering: do you know the name of the binary, so I could get, you know, the owner within Microsoft to, to give us a more concrete answer?
E
Do you know what... which binary you, you use, or what's the name of the binary for OpenSSH install?
A
So I believe that's installed via, like, the features, but I can... I can send you a link to the, the install instructions. They're just from Microsoft docs, so.
E
Okay, yeah, that sounds good. Sorry, yeah, I didn't have that knowledge. So if I can get that information, I can move forward on seeing if, if it could be installed offline or it could be made, you know, provided offline.
A
Okay, sounds good. I don't see Perry on the call, so all right, and then, average, did you want to quickly bring this up?
C
Yeah, so I saw this; I think it was posted yesterday. It's coming from Palo Alto Networks. They are building up on the other escape they found, where you can come... you can escape out of the, a process isolation container, with process isolated Windows container, onto the host, and they're sort of expanding on it. It's a pretty complicated attack, so it's sort of... it, it starts with.
C
This obfuscated piece of malware that's very hard to detect using, like, static analysis or anything like that, because they do a lot of runtime patching of that binary, and their, their main goal is try and find the kubelet, get cloud configuration information on it, and see if the kubeconfig that's on the node has enough privileges to create deployments on the cluster. And this binary then goes and talks to a, like, an onion server running somewhere, and it will post the credentials, and using IRC, commands are being passed back from that onion IRC server back into the node, and you... it'll kick off, and I think that's the, the beginning to do... doing more nefarious stuff.
C
B
C
To see, yeah, this person.
A
We have Brandon from the container platform team. I don't know if you.
F
Want to, yeah, no, I'm on the thanksgivings... yeah, I'm on the kernel team here at Microsoft, and we just became aware of this yesterday as well, and we're working on investigating it right now. So I don't have a ton of information at the moment, but I think, from what we've seen so far, it's related to the elevation of the process inside the container to the TCB privilege, which we actually fixed back in January.
F
With this fix, we basically only enable... we basically block the silo processes from achieving this TCB privilege, and I think it's on a similar strain, but we're not quite sure at the moment. We're still investigating, but it's likely that the fix that we released back in January covers, covers this.
F
So I, I would have refrained from sensationalizing it if possible, because it's, it's possible it may not even be a problem. But, and still, we recommend that people use Hyper-V containers when possible, and, you know, stay up to date with the latest security fixes.
C
Oh, that's great news. That's a good stance for us to have with customers in general, I, I would think, as in, like, you know, that this is not... make sure you're, you're updated. And this, the fix that you're talking about, this has gone out for both LTSC and SAC releases, right? Yes.
C
F
B
B
Yeah, there's been a new feature that we have introduced in Kubernetes this version, which is called host processes. Okay, I.
B
D
D
C
No, no, you're not using the kubelet to create pods, right? Oh, okay, if you just have a... if you're able to... if that... from that node, if you have enough privileges to create deployments or pods, that's where the problem starts. It's not about the kubelet or not about asking the kubelet to create pods. So what.
D
D
D
F
To answer the question about the host process containers, I, I have to remember exactly what privileges we're enabling for any process running with a host process container, but I... the whole, the whole purpose of the host process containers is to have an elevated set of privileges, to be able to configure and do administrative tasks, so you shouldn't be running any, like, potentially hostile workloads in a host process container in the first place, and there should only be a limited set of those to be able to perform any sort of task.
B
All right, well, this kind of... I'm also thinking another thing. I know that I have been using a couple of times Docker Hyper-V isolated containers, but I haven't used containerd Hyper-V isolated containers yet. Do we have them? I don't think so.
A
Yeah, so there has been work done on a fork to enable this, and, but it hasn't been upstreamed yet, and we, we actually even have some TestGrid tests that show this working on, on Hyper... on Hyper-V, but we don't have... but it hasn't been upstreamed yet and it hasn't been kind of flushed out fully. So there is work being done for that, but it's not complete yet.
A
Okay, any other topics for the last three minutes? Otherwise I think we can wrap it up here and have a couple minutes back.
A
Oh, and once, going twice. Alright, thank you, everyone. We'll... we're gonna cut over and I'll hand over to Jay to run our after hours. So if you're interested in doing some hands-on and taking a look at some of the dev environments that the folks have been working on, then stick around. Otherwise, we'll see you next week.