From YouTube: Kubernetes SIG Windows 20190611
A
Hello, everybody and welcome to another SIG Windows Meetup. This is the 11th of June. Thank you all for attending. As always, please remember that this is a recorded meeting, so use the code of conduct of CMC African communities. All right. So let's talk a little bit about 1.15 first. So the work that was done on gMSA, that definitely got merged and we were able to move forward there with some of the API changes.
A
However, some of the other work that we had, you know, even though we've made significant contributions and a lot of effort went into them, we were not gonna be able to realize in me, 1.15 benefits, and that's specifically on RunAsUserName, containerd, as well as the gMSA. gMSA was the one that started in comedian. Kubeadm was the one that basically got closest to the wire, and yesterday we had PRs open around the key mutation and code and I.
A
Don't see Lea on, so turned out was that we have some licensing issues on between MIT and an Apache license that we still have to sort out before that communication and Scripps kept put up my call personal goal. Anything we'll be able to do. This is 1.15 kinship, and if we get the other work out, there was still publish it, but the dog scene will give would give the customer, so they can start trying it out without even having any effect on us.
B
And just to pull of them are on kubeadm, like the main code PRs that we needed, reviewed and approved were merged. The stuff that didn't get was the better set up scripts, but those are things that we can carry into our own repo, so I think we could get those merged in live. You know, I don't think it has to necessarily be tied to a release.
A
B
A
Exactly my sentiment as well, and for those of you guys that don't know we have kubernetes-sigs repo, specifically for tools or simple English, so if you guys have an output poster thing in the notes as well, if you have things that feed kind of that model, like screams, ancillary things or windows that you want to publish, please let us know, and we can give you a folder into that repo and you can place them in there. I'm posting it here right now.
B
Yeah, but first I wanted to double check something on that kubernetes-sigs repo. So the PR, the Ben got merged for port forwarding, still depends on a binary called wincat to be there in the pause image and the source code is currently over in his repo. So can he move that into the SIG Windows tools repo is.
C
A
B
B
So, basically, that some of the background behind this was I happen to be in San Francisco, like a couple weeks before KubeCon and so I spent a little bit more time walking through Deep's CSI proposal on a whiteboard with him and the main outcome was this option C here where I was trying to basically summarize the idea that we had. But you know we don't have any code for it, but basically what I was, what I'm trying to do in this document in his first kind of capture
B
What the use cases are that we have for privileged containers today in a way that someone that's less familiar with Kubernetes could sort of understand what the constraints are, because I'm also sharing this with some of the developers working on the internal Windows side. But what I wanted to do was sort of frame out kind of what we need in order to make CNI and CSI drivers work, and you know possibly device plugins in the future and I was trying to kind of just outline
B
What a couple different solutions would look like that could meet these same use cases, where you know privileged containers is kind of what's there and what's used on Linux today. Privileged proxies are something that Deep and Ben and others have been exploring, and that's actually detailed, yeah, in the persistent storage options doc that Deep circulated earlier, and then the third option was another idea that we have been sort of kicking around, but never really written down, and so this is kind of what came out of that whiteboard session.
B
But the third idea is basically saying, well, if we can't create a privileged container, is there still a way that we can reuse a portion of the container runtime to manage the lifecycle of something running on the host, so sort of pretend it's a container, but just, you know, launched on the host, and the benefit of that would be that we could still probably reuse things like a container registry, you know, whether it's a public one like Docker Hub or a private one running like Harbor or ACR, or something like that.
A
Wouldn't I think with that option part people might need to do a real threat model and include some of the security experts from Kubernetes, because this has far and wide implications, right. So now we have containerd or running a privileged host process that's getting called from a different address space, I guess that.
B
That's true, but it's also true, although the reviewers would be different, for the option B with the privileged proxy as well. Okay, because if we're asking admins to install something on the host in order to support running a CSI or CNI plugin, they still need to understand what the threat model is of that thing that they're installing and, you know, I'd really like some
B
Some feedback from users here to understand, like, you know, does having a split model where you've got a proxy installed and then you've got a container talking to it, like, is that something that is perceived as better from a usability as well as a security approach? Or does it make more sense?
D
Question I had option C, like maybe I can find this information, but just was wondering if someone knows off the top of their heads is method pod. Is it possible to mix the runtime classes, as in, can you have like a mainline, say, a mainline workload that's deployed as a process class and then can there be sidecars that are containerized, or do all of them need to be processed or a VM or a container? Any thoughts on it. So.
B
D
B
D
I get and my question was like: let's say, you know, we have this privileged plug-in, you know, either containerized or running as a host process. Is it possible to package in a sidecar container that is common and published by say Company D CSI to be launched as a container, or does that also need to be a process? Any, like, I guess my question is like: if there's a pod, do all the components in the pod need to be like off the of the single runtime class or can maybe you're a fragrant and classes runtime.
B
There's not, there's no announcement that far out, but given that the 2019 release there's a long term servicing release and the previous one was 2016, I think that it would be 2 or 3 years before we see another long term servicing release and the feet maiden. Feedback I've had from on-premises customers is that deploying a new Windows release every 18 months is too fast and so I think we might be able to do it.
B
C
C
D
With option C, you do not need, like, any kernel level support. It's mainly using existing second Kennedy or CRI constructs to get the same effect as option A, but it's just like trying to use existing Kubernetes mechanisms to kind of make something that's potentially packaged as a container launch as a host process. Yeah.
C
B
Well, I think C is a little bit cleaner from a management standpoint in that we could potentially get visibility for those privileged workloads at the Kubernetes API level. But it's, you know, it's a lot more work and it's a different threat model than, you know, option B or, you know, I realized for option. D is basically we're doing today.
D
B
Yeah, and this is just kind of one too close way. We could do that and, you know, I think there's other, like you could basically pick a layer, and this is where it's important create a host process instead of a container. I think that could happen at any of the layers. We just have to pick one.
C
B
We're just exposing a privileged API endpoint, the way you protect that could be a little bit more better constrained than in option C, and the reason why is that it's relatively easy to describe things like network or mount policies today, and we could probably do it without too many changes in the context of a pod security policy. We could say, you know, mounting these types of host paths are not allowed.
B
You know, unless you've opted into, you know, unless you're declaring that you're using a specific pod security policy and the Kubernetes service principal that's being used to do that meets the RBAC rules to deploy with that policy, whereas in an option C, basically, because things are happening at a different layer and it looks like creating a pod, you'd have to do a deeper inspection of what's being passed through the API to figure out if they're trying to elevate privilege.
B
C
C
Complicated, it seems like option C is a little bit more complicated, mm-hmm. Also, as you mentioned, the security record, then how to the threat model is lit. It's maybe more complicated compared to B too. So, based on these two points, I'm just thinking maybe option B is better at this point because later we might all still change. If we later, we have support less a privileged container or something else. So if we want to have something available for users, maybe option B is right now is better. It's just my thoughts. Yeah.
B
B
C
A
D
B
B
Okay, well, but yeah. So if everybody could take a look and add some comments in there, and you know what, we can continue this discussion next week, but my main goal is to try to just facilitate a discussion around some of the different options that are here so that way we, you know, it gets get some more viewpoints on it. So I don't think commenting is enabled, at least in the link that I got. Oh, it's not.
B
Sure you're in the kubernetes-dev and SIG Windows Google Groups. I'm signed in with my other Google account. That's the problem. Oh okay, okay, that's yeah, yeah, cuz I think I opened it up to kubernetes-dev because I wanted to, once we did a first pass, I wanted to make sure that we could get people, you know, like Jing and others over in SIG Storage to be able to comment on it without having that join the SIG Windows groups. So.
D
A
All right, and a couple minutes left. One of the other things I've asked, and I don't know if Ben hasn't applied to. Maybe he has time maybe has not is to investigate some of the storage options for vSphere. So we know a lot of the folks are installing Windows containers on vSphere so left to see what kind of options come from a storage perspective. So if it Ben has some time, hopefully he can tackle that. If not, if there's anybody else that has some time for a community that wants to look into this.
A
A
A
Alright, don't finish a minute early. Well, thank you all for attending. Thank you for all the hard work everybody did for 1.15, we'll showcase that slowly, some of these things like police work and lumo meters and bands, it's gonna come out of cycle and then the rest of the things will show a lot of value in 1.16. So thank you, have a great rest of your day and we'll see you guys next week.