From YouTube: Kubernetes SIG-Windows 20230829
A
Folks, welcome to the August 29th SIG-Windows community meeting. This meeting is recorded and uploaded to YouTube, so please adhere to the CNCF code of conduct, which basically translates to: be nice to everyone. All right, let's kick things off here. Hope everyone can see the agenda. So, August 29th. Any announcements, folks? I don't have any on my radar. I don't know if you have any, Mark.
A
Good, this is the time we give time for any new contributors to introduce themselves, and so that we can extend a warm welcome to them. So let me check if there are any new folks here.
A
All right, so let's kick things off. The first item on the agenda is... I'm not opening the Slack link at the moment, since it's going to be hard for me to get to that, but there were a couple of CVEs, or, I think, to be exact, three CVEs, which affected just Windows workloads. Basically, what happened is, if you have a mount point in your pod spec, in that mount point you could actually put in a PowerShell command, and that would end up getting executed on the host, from what I understand.
A
And the way to fix that was to add more input sanitization in these places. The same thing happened if you're using CSI proxy, and I think the two CVEs affect all versions over 119, about 119, and I think it's a lesser... it's, I think, 123 for the CSI proxy one. But don't quote me on that. Take a look at the thread, and all the details are in there.
A
So we highly recommend everybody to move to the latest version of whichever Kubernetes minor version that you're running. Update to the latest patchworks in the latest D stream. Go ahead, Mark.
B
Yeah, I was just gonna say that the one 124 was in the extended servicing, and this prompted that to be patched too, so 124 and greater, new releases have been, or new patch releases have been, cut for all of those, and please upgrade. Yeah. And if there's any questions, feel free to reach out on Slack, or there's a lot of information in the disclosure there.
A
Yeah, and this is a time where, if you're in one of the older versions that are not supported, this is a very good reason for you folks to upgrade to the next major version. This is a pretty bad vulnerability, and you shouldn't be running your cluster with this, with the version that has this vulnerability.
B
Great. Oh, I just saw it too, but I was gonna say, we're talking about this a little bit before the recording, but for anybody who's interested, and for anybody who uses PowerShell in production, this is probably particularly relevant. The issue was that there were some PowerShell variables that were getting kind of string-formatted into a command-line call, and then we would shell out to PowerShell on the Windows nodes, and though we weren't doing the input sanitization. So.
B
In PowerShell, which is where you do a dollar sign and then wrap it in parentheses, and that allows you to execute arbitrary PowerShell code at, in this case, whatever permission the kubelet's running, which we require to be elevated. So it's a pretty easy thing to catch in, or to miss in, code reviews.
B
There's a couple of options to prevent PowerShell from ever expanding or running that sub-expression, and the two simplest ones are to put it in single quotes, if you're able to, if you don't need to worry about, like, path manipulation or anything, and the other way is to set that as an advice set, what you want as an environment variable, and then reference the environment variable in the PowerShell command's call, and that will prevent that sub-expression from being evaluated. It will just pass it in as a string literal.
B
So that's a nice tip for anybody. Anybody who's running PowerShell anywhere near production, try to check your PowerShell to make sure you're not allowing those sub-expression commands to be executed. But I think the other thing is, and we don't have to have this discussion now, but I think there is going to be a discussion in the community about how do we either prevent this from happening in the future via some sort of linters or something, or potentially just banning PowerShell from the Kubernetes code base.
B
So I think James also kind of has a lot of background here too. I don't know if you have any comments, but if not, it's okay. You didn't already say, but yeah, I would say I think there are plans to have a retro on this in the community, and so we'll make sure that we mention that in Slack once we have date and time, so anybody interested can come join.
B
Painting just... I want to just raise awareness of this class of vulnerabilities for everybody too, since it's pretty easy to do a lot of things in PowerShell. I imagine this is the only place that this could happen in anybody who's on this college workloads.
A
Yeah, I like James's suggestion of adding this dislike so that it's out there, but yeah, this is, you know, I'm glad we caught this, finally. All right, so we can move on to the next topic. So Mark, what has happened is my computer is completely frozen. I might need to restart. Could you start taking over while I restart?
B
I... can you make... I don't think I'm host. Can you make me host so I can, I...
B
Sorry, it says I'm... okay, never mind. Let me see if I can... okay, I can share, and then...
A
Once you're ready, I'm gonna drop. Sorry about this, folks, technical difficulties.
B
Okay, so next on the agenda was this runtime handler for image pulls. Do we know who added this?
C
So that PR I just opened, so basically it supports a runtime class per image pull, and this is, I think, primarily the motivation was to support the Hyper-V scenarios on the Windows platform module, but I think it can be used across different runtimes, and the bulk of the changes lie in containerd, so I wanted more feedback from the community and I opened that PR as a draft. I know Mark and Derek have taken a look and they left some comments in there.
C
But if anyone else on this call would like to take a look at that PR and then give us feedback on that, that would be great. And that also has a link to... that just has, like, a draft KEP of the changes and the motivation, etc. And I think primarily one of Derek's main comments was to not change the image
C
API calls in containerd, and to just add labels that are going to, like, indicate the runtime handler that'll be used for the image, and use that to pass to the CRI. So I'm making those changes and I'll publish, like, new changes to this PR today.
B
Stuff last week, but this is good, yeah.
C
Think Mike was more specifics, but he said Derek, like, knows that code path better, so I think Derek also took a look at it, and he just said, like, we'd like to add labels and not change the image API.
B
Yeah, it's giving some, like, feedback like that. I think that's great, because it means, like, they're probably... like, there's ideas that they're willing to, you know, take. We just need to make sure it aligns with our goals too, and...
C
Everything, and I also had a call with Micron on Friday, and he mentioned they created a work group on the signals to just get this through, and my PR happened to go out on Thursday. So he added me to that work group, and he said we could discuss more there.
B
Take a look at this. I guess for this audience, is there anything people should be concerned about, or is this purely additive functionality?
C
I think it's additive, and my goal is to, like, not affect any functional... current functionality. If runtime class is not specified during image pull, the goal is to just keep it the same.
C
Of course, there's, like, a lot of testing that needs to be done with the PR. I've just managed to do the basic testing and then run some this week locally, but it would obviously have to run through a lot more test suites, and I'd have to make sure that existing functionality is not broken in any way.
B
One other comment that I just had, I don't know if you thought about this, but since this is going into containerd, is there any talk about if this, if they'd be willing to put this back into containerd 1.6 or one seven, because...
C
Yeah, I asked Mike about it on Friday, and at that point I think dedicated not taking a look. So he was concerned that we are changing the image API on containerd, so he said there might be concerns that folks have if you wanted to backport it. But now my changes look a lot, like, simpler, without any image API changes. After, like, implementing one bit X suggested, I think it should be okay for us to backport, and there might not be too many concerns for backporting into 1.7.
A
Yeah, I think, Mark, 1.7 is doable, and we can push for that, because 1.7 has a bunch of experimental features in it already, from what I understand. 1.6, I don't think, because they claim that's the LTS release of containerd. Not sure if they're gonna be open to this going into one six. But we need one seven for Windows anyways, right? Yeah.
B
Would make sense to go back to one six, but I did hear, I think from Mike Brown at one point, saying that, because one six was the LTS, they were going to be a bit more generous about what they were willing to, what kinds of work they were willing to accept, and assuming that it wasn't, you know, breaking or anything. Oh.
C
One question I had, though, is adding in, like, a runtime option specifically to, like, the image back on Clay. So how would that work, like, for backporting to 1.7?
B
For the, at least for the SIG-Windows test passes, we do have, like, one of the, the sig-windows-tools repository does build containerd and hcsshim nightly and produce a package with that that we do utilize in testing, so I think that's less important to get it into the, for the containerd 2.0 alpha, or rather, like, it's...
B
Not, it's not essential to get, to be able to use this in our testing to do that, but if it is something that we want users to use, I think we should ask to have it, or try and get it, included in the alpha release.
B
So I think it's, like, a nice-to-have, but not... we can still test things upstream using this and the e2e tests and point other people to use that nightly package, but I think it's always good to have extra coverage in the releases, in the alpha releases and things, because I think at that point we could figure out how to plumb, like, the runtime class names and stuff through, like, nerdctl as well.
B
What was the working group that you mentioned? Yeah.
C
They were trying to, like, discuss the whole, like, adding runtime to image pull, and also, like, the snapshotter stuff that you're working on.
C
And they wanted to, like, discuss more and see how we can bring those changes in.
B
What are the other use cases for this, besides the Windows Hyper-V situation?
C
I think one was also, like, just tying runtime to image was also going to help having snapshotters put on very fast, so I think that's one of the main motivations, although, like, I think this particular draft, we are, like, our motivation was to, like, unlock Hyper-V-based scenarios, but they're happy, because this will also help them snapshots. Cool.
C
I just pasted it... I pasted the link to the discussion ones, like, to this channel.
B
Okay, yeah, thanks. I put that in the meeting notes too just now, as you can see. I guess, if that's the case, then I guess end the recording right now, and thanks everybody for attending, and to everybody next week.