From YouTube: Kubernetes SIG Windows 20200728
B
A
So Antrea is a coordinated plugin based on Open vSwitch. It implements Kubernetes network connectivity for qrs ports and influence combat slider policies. It also includes many extended network and security features for Kubernetes. One goal of the project to support any platform Kubernetes, including priority called public cloud banner servers, Kubernetes ios Linux and bonus platforms.
A
So I just want to give a quick overview of the features we support up to version 0.8. That's the last version we just released in this month and the features we are looking at for year, 2020 until I support watercool based networking functionalities, we support overlay tunnels, routing of port traffic, and this supports simple IPAM subnet for node, opposed with support, commands data policies and for service traffic. We provide two options: user can choose to use, the update could be proxy or untrust native service.
A
Node, balancing implementation with Open vSwitch, network diagnostics and observability is one area we want to address in Antrea and where they build some useful functionalities. Here until the UI plugin Octant Octant is an open source class dashboard until auction UI plugin can shield runtime information on jr components and support some troubleshooting operations.
A
One this operation is Traceflow, which is a very useful feature in entire to double network users. It can trace the whole voting parts of a game packet, of course, notes later in. In my time I will just show his feature too, and she also supports exporting metrics and traffic stats to Prometheus and since 0.7 we start to support the Windows quest nodes. We support the major public cloud class offering too until the support sync plug-in AKS Engine. We also support EKS and GKE clusters.
A
Besides, Kubernetes policies actually also implements its own network crdr. We support classical policies and are working on many more electronic extensions, and we also have some screen features like we can do IPsec encryption of tunnel traffic and there will also support IP source card for the traffic.
A
There are many other features we are still working on. On the network observability front, we will support exporting network flow information with Kubernetes and the light quality contacts. We will also support capturing specific packets and stream. The package to the connector we plan to support the policy hearing indian.I, which allows users to create multiple tiers of network policies with different priorities.
A
So, besides subnet per node, we will also support flexible IPAM and plan to implement egress policy that was to control the s data ipo of the egress traffic to external network, so singapore plugging is more at level two to level four layer in compressed networking, but we also look at some simple level seven policies like some simple DNS and tp filtering.
A
So Antrea use Open vSwitch to be the network data plane. Open vSwitch is a full functional, four switch which can take care of layer two to level four forwarding. So this is quite different from other technology like iptables we just for track, filtering or Linux bridge.
A
We just follow to bridging or eBPF, which is a more like a low-level project processing mechanism, but in engineering we leverage the Open vSwitch as the only data plane to implement the watercoolers networking features. Open vSwitch support Linux, Windows and ARM platform, and this enables Antrea to support voice platforms with a unified implementation and Open vSwitch is the programmer switch. It allows you to build your own pipeline with OpenFlow and in entry we use by leveraging Open vSwitch.
A
The controller includes the high performance controller response for network policy computation. We also leverage cross API server library to build the high efficiency efficiency channel for the controller, to publish the computer network policy to the agents on every node and also to expose quebec style API. So we build resolution scales very well so far. We test and share with 100 sound ports, 500 nodes and the 50 000 network policies.
A
So if we take a closer look of the water onto our components, we have OVS bridge angle, request node and the water port. Lateral interface will be connected to the bridge. We have Antrea agent on irene to manage the local bridge and can fix political interfaces, connects them to the bridge. It progresses Open vSwitch to implement overlay tunnels. Metal policy is so slow, balancing and relatively straightforward.
A
So we talked about. We have a centralized controller to come to that policy and publish the results through. The controller also exposes API to some operations. Apis one consumer, API's, rci tool, antctl which can be used to perform some debugging operations like dump some internal state of interior components, dump open with flows performs OVS packet tracing and kind of support bundles.
A
Both Antrea controller and this agent supports protein matrix to Prometheus and then share also support exporting network flow information using IPFIX protocol to any flow connector to to any flow connector or led light support. IPv6.
A
So all the entrepreneur bits are packing a single Docker image and can be deployed with compressed manifest, especially on Linux. We also packaging the we paired osb in os dot internet documentation around os in in our demo, set on every node for this one different on Windows. Let's talk about Windows now so and Windows.
A
So, as you can see, there are still some limitations in the capacity with the current implementation on Windows, which we probably need your help to improve. For example, we now require Hyper-V to be enabled on the Windows node. This is many limitations of the Open vSwitch driver implementation and we plan to enhance the OVS driver to remove Hyper-V dependency and so far we didn't sign OVS driver.
A
First of all, we require to enable Windows Server testing, test signing mode to load the OVS driver and last we would like the agent management port to start and manage OVS daemons too. So you, you don't need to install OVS daemons separately.
A
Let's all have about unsure introduction. I just want to pause here to see any questions you guys have before we move to the demo section.
B
A
So so fast as we're doing monthly release, we are still doing a zero dot x series for our releases, but we start to have some production customers already and we start to have customers really wrong in production environment and you can see until the support signal plugin AKS Engine. So you can see it's really add. Production quality.
A
Okay, I'm sure you guys can see my console right.
D
A
Okay, great so here I have a clink blast cluster. Let's see it.
C
A
So you can see here I have totally three nodes: one month: node and one Linux worker node and the two Windows node and let's start to apply our YAML to the parametria.
A
Then last fully, let's log into one of the Windows node. I just want to show you the OVS setup in the Windows node. Since we have Antrea agent started, it will. Oh sorry, it will create linear, spread, sorry, Open vSwitch bridge under node and for the local port and the load it will be. It will have the metal interface connected to the bridge.
A
So you can see here we have this bridge called behind and then now this one is our default gateway port on the bridge and for every Windows port like this Windows server port here and this clan port.
A
It also have a OVS port on the bridge and the way this one is our tunnel interface and you can see where you need to leave. Tunnels are uninstalled.
A
Client, it's also working and then let's apply one of our my sample network policy here. This policy will just allow the traffic from the allowed client to the server port. So let's try the same test again, you can say: try from the disallowed client to the server will be dropped by the network policy, and then we change the command port to this allowed client.
A
You can see that this time, since a lot of kinds allowed by that point, you can have the traffic still working. So that's all that time. I want to shoot for the traffic, but I probably want to use one more minute to show the special features we have with Antrea, and for that I need to deploy the ultra Octant UI here.
A
And let's switch to the entry plugin here you can see we can have all the components information here, like Antrea controller and agent, but for demo. Let's just go to the.
F
B
Asian we're going to have to cut this short, man, because we have a few more topics that we need to cover, so you know put in the chat a place where folks can come in and join the Antrea community and learn more. I know much of the question if you can enforce hierarchical network policies. If you can answer that in chat, that'd be great, so stay.
D
B
Stay on the meeting answer take some Q&A in the chat, if folks want to do that, but we need to proceed with the rest of our me. Yeah.
B
All right moving on to our to our rest of our topics, the first one is Aravind. You wanna talk about that. The strip, unnecessary security context on Windows.
D
Yeah sure, thanks thanks Mike, so what we found happening on Windows is: if you try to bring up a Windows pod with any sort of security context attached to it, it ends up with a pod crashing because the Docker runtime, underneath it basically throws its hands up. We we have a workaround for it at the moment, which is at the kubelet level, but there is ongoing discussion as to how to you know, fix it long term.
D
The kubelet change, I think, would address it in the short term, and the thing that we are also curious about is: has anybody else run into this situation before so those are the things and Ravi who's on the call who's, the one who authored this PR. Ravi, do you have anything more to add to this?
F
Yeah just to add some more color to this, the the main thing that is happening is say: if you have like SELinux or Linux-specific security constructs security contexts in the pod spec, the pod is actually coming up on the node on the Windows node, and then it is the kubelet that is actually passing those security contexts to the runtime, which is Docker in our case, and it's failing at that level.
B
Yeah, so unfortunately, Ben Moss is not on this meeting today, but whenever, when we're going GA for Windows containers, we actually had a discussion on this. Should we strip them? Should we not allow your pod to be scheduled if he has additional security contexts? And we opted not to do any of those and we instead documented it that these are not supported on Windows. Don't add them, behavior potentially could be undefined.
B
I don't know Deep if you have any opinion like I don't mind if we strip them because either way these don't work on Windows. So it's not like we're missing any functionality here and if we do decide at some point in the future for some of the security context, if there's a specific one for Windows, we could add it in an opt-in way. So I'm okay that way, I'm just letting you know that initially we decided to do nothing about this, because Windows developers know not to add these security contexts.
G
Just a small question, basically you're saying that with that security context, it crashes, kubelet or Docker, or what?
F
Yeah, the pod will be in the ContainerCreating state and we would get an error saying that some sl in in in our case, we are actually applying an SELinux label within the security context, and it is failing to come up.
G
Yeah, I see oh, so that's so basically, nothing changed since last time. I was thinking that maybe you were saying that it, it actually crashes Docker, then that would have been a bigger issue, because there would have been a regression since we last checked this.
B
Anything has changed Claudio, so I mean you have the PR, let's, let's get it reviewed. Let's take a look at that. I think Deep, any thoughts on this?
E
Yeah I took a look at the PR, looks pretty good. I just had an overall comment on like whether we should have it in the generic area, where we determine security context, or should we put it in the Windows-specific kube runtime that calls this. That was kind of the main thing, but I think it's good to have.
F
I just have a question around the changes: it's not specific to review, but this is I'm trying to understand how the kube how the dockershim works. Perhaps we can take this offline, like I have a few questions around how how the dockershim works in in the kubelet so yeah.
D
Yeah, so I I think we should have that discussion offline because there are other topics, but the only other thing I would want to add Michael is in some scenarios, if there is some sort of admission controller that is applying like security context automatically, the user doesn't even have a chance to sort of not put these labels on.
D
So that's the main scenario we are concerned about, and we don't want to like muck around with the admission control those sort of admission controllers, because it's kind of hard to identify what sort of pod is that? Actually a Windows pod just you know if you just look at that, based on taints and tolerations, and things like that, it's kind of iffy from a security perspective, so just want to call that up. Yeah.
D
B
Oh, I don't know, I mean we're in thought time frame, you sure you want to get this in 119 address, Deep's comments and tag me on the PR, and we can have a discussion. I mean I I don't know if we can make it 2019. We had other PRs that were rejected from the 119 time frame. So I don't know if this is going to make it in.
B
I think it makes sense to get in 120, given that we need to make sure that this hasn't impacted anything else, like have it run through all our tests and and make sure it doesn't have any adverse effect.
D
What about like, v119.1, Michael?
B
So so this is not the bug fix well, it can be thought of as a bug fix and not so I don't know if we can get it in as a win 19.1. I think if he goes in the if he goes in right after 119 ships, I think it can go to 119.1.
B
Wrong all right, James, you had some test update on 2004 on containerd test.
C
Yep, nothing major here, but just wanted to call out that we have green test passes on containerd in 2004 Windows Server 2004, minus the authenticated image pull for 2004, but Claudio's already got a PR open for that. So I should have that passing pretty soon. Just want to say thanks and for all the hard work for everybody that helps make that happen.
B
That is awesome, great work, everybody, and this is good to see. A couple other quick updates, I'm gonna be going for the next two weeks. So mars is gonna, launch this meeting and drive it. He has access to privileges and and the passwords so miles is going to drive that. Thank you, moz. The the last thing is we're also recording our KubeCon presentations.
B
So thank you Deep for for the review of the slides of the day. So me amaz, David, contributed to some of those slides. So thank you all, and the port device manager change to enable GPU support did not make it into 119.
B
This will not get it in so so that's kind of where we are right now so the responsibilities on them, and I think Claudio and Adelina they're going to contact you if they haven't already to get some help on how to create some tests for GPU on Windows.
B
I thank you div also for helping in that area as well amaz the security privileges collection. Let's talk about it next next week. I think you have the context there. If you can drive that that'd be great yeah for sure love too, all right, all right, everybody. Thank you all for attending today. Thank you to the Antrea team, for the CNI update, always good to see more networking improvements on Windows and more community engagement, and I will personally see you in three weeks, but maz will drive this meeting next week.