Description
Whether one cluster or a thousand, operating and automating a Kubernetes fleet can be rife with challenges. Ansible is a great toolbox to overcome these challenges, but translating your playbooks to a fleet of clusters can be a headache! The stolostron.core Ansible Collection supercharges your playbooks with easy, secure, and Ansible-native access across your Kubernetes fleet. Join Gurney and Joydeep as they talk to Hao Liu and the team behind the stolostron.core Ansible Collection about Ansible for fleet management and automation.
A
Hello and welcome to the Cloud Multiplier. I am your co-host Gurney Buchanan, and I'm thankfully joined by my co-host Joydeep today. Glad to have you back; hope you're feeling better. And we're joined, well, honored to be joined by our guest, Hao Liu: guest, personal friend, colleague, all of the above. Today we didn't have our loadout in today. We're experiencing some technical difficulties, but we've come to you on time, hopefully, and live, so we are.

A
We are ready to go. Joydeep, glad to have you back, so I'll put you immediately in the hot seat as we move into, and I'm borrowing a background today, so there's top-of-mind topics. It's appropriate because we're using the "Ask an OpenShift Admin" loadout that we've put together. So, any top-of-mind topics today, Joydeep? Yeah.
B
Now, after a bout of COVID, I can count from five to zero backwards. I can do my exercise. And I had actually the plethora, you know, for you folks, first time seeing Gurney a little flustered, because somebody or something deleted the show and he's responsible for it. So he was loading all the stuff in the last 15-20 minutes, so anyway. The interesting thing that I wanted to share is something called Hugging Face: huggingface.co. I just picked up this chatter from a machine learning expert.

B
This site is not free exactly. There are some things which are free, but it has an amazing amount of machine learning models uploaded there by lots of different companies. They are powerful problems that are solved there for people to reuse. I did not have a clue that such a kind of thing existed. This was fascinating because I was actually looking for something which I think has been solved already and trying to, you know, reuse that, so that was a fantastic surprise for me.
A
Yeah, something like that. You know, your npms, your, goodness, pip, all of that, PyPI, but for machine learning models.
A
Yep, especially I've always heard the story of, you know, it's very difficult to compete with Google, because you don't have all of the data that Google has produced, and that's a hyper-wild-scale problem. But even smaller problems where you don't have the data, and data is expensive and data is valuable, and even more valuable than that are the models that it produces. So you know, you can pay to use a Google service to use a pre-built model. That's amazing that there's a.
A
Also, I would have never guessed that a website called Hugging Face whose logo is an emoji would be a repository. I guess I didn't screen share this button. That is amazing. Well, Hao, you're in the hot seat. Do you have any fun open source projects? I know fairly recently you moved from the Advanced Cluster Management team over to Ansible, so I assume a lot of your recent discoveries have been Ansible related, right?
C
I'm just drinking from a fire hose at the moment and learning a lot about Ansible Automation Controller, yeah. Besides that, not that many interesting new discoveries, although speaking of AI, right, like recently I started using Copilot and I continuously am in shock about how it's just fascinating. It actually produces useful stuff sometimes. And I used to be very skeptical of AI, and I don't think I am anymore.
A
My favorite GitHub Copilot joke is that we've built a machine that copies and pastes the code from Stack Overflow for you. You just write the pseudocode and it does the copying and pasting for you. And then I think, Hao, your joke was that you, like, write the pseudocode and it writes the code, and I said, well then just write Python.

A
So there's my joke.
A
So it's always fun. I have one for you, Joydeep.

B
Heard of it. I think you mentioned that to me the first time a couple of weeks or months back, yes.
A
Yeah, I, a DevOps person, you know, some days are dev, some days are ops, most days are both, did take some design classes in college, mostly human-computer interaction, interface design, HCI design. But this was just a magnificent book with a wonderful book cover, because it's a cover of a teapot and tea kettle, and the pourer of the tea kettle, the spout of the tea kettle, is near the hand, right above the handle, because it's not very intuitive: you're just going to pour it all over yourself.
A
Yeah, and speaking of things that so many people really naturally understand how to use, I'm getting really good at the segues today. Hao is actually coming to not talk about some of the many other things he's built in, and before my presence, like the klusterlet that we use in Red Hat Advanced Cluster Management. This is the man behind the curtain in many ways, but he's moved on and he's done.

A
Some amazing work in Kubernetes fleet management with Ansible, coming today to tell us how to use Ansible to reconcile and interact with and manage a huge fleet of Kubernetes clusters. I'm sure you've brought a demo that will break the bank. So are you ready to go, Hao? What do you give us? The kickoff.
C
Well, first time attending, I'm still trying to figure out my flow here. So I guess let's just go straight into the demo, right. I don't know how many people use Ansible to manage Kubernetes clusters, but given the number of download counts on Ansible Galaxy for the Kubernetes module, I guess there is probably a fair bit of people, right.
A
Yep, I'll turn it on, just a second. It looks like you're sharing the screen that shows all of us, so I'm gonna avoid.
C
Awesome, so I have an ACM cluster here that's managing a couple of AKS and EKS clusters. I'm just gonna go ahead and refresh that page.

C
Okay, there we go: a couple of AKS and EKS clusters, right. When I first started, well, like through my career working on ACM, there's one functionality that I really, really want.
C
I kind of just want to directly interact with these clusters that ACM manages, like I want to be able to set kubectl against it. I want any other tool, right, that is able to interact with the kube API server directly from ACM, and well, that also included the Ansible Kubernetes module as well. So I don't remember how long ago, I think about six months or so ago, a couple of our community contributors for Open Cluster Management contributed a really cool project.
C
It established a reverse proxy from the managed cluster to ACM, so that from a service on ACM you're able to communicate with all the kube API servers on the managed clusters. And using this functionality, we built a couple of modules in the ACM Ansible collection to allow Ansible to directly talk to those managed clusters. So here I have a couple of clusters being managed by ACM, and going into my Ansible Automation Controller UI, let me log back in right quick.
C
I ran a couple of setup scripts to set up a couple of things in this instance. All of the playbooks that I used to set up the controller.

C
The Ansible Automation Controller itself for the demo is in the demo repo that Gurney will post later, and we can go over that a little bit in a little bit. But the main thing here: I created a credential type for communicating with the ACM hub, and I created a quick, well, I created a credential to this ACM hub.
C
I've just been showing you from here. I loaded the demo project and also the dynamic inventory that's in the demo project. So this dynamic inventory, I could go a little bit into the configuration of this dynamic inventory plug-in for the ACM Ansible collection in a little bit, but all that it does is allow Ansible to know about the clusters that ACM is managing.
B
To interrupt you, so that means, if an additional new cluster is getting managed by ACM, this dynamic inventory will pick up the details of the cluster, right?
C
That's correct. I can show that a little bit actually in a little bit. Actually, we can try to dynamically add a kind cluster to my ACM hub and sync the inventory and see if it shows up. Hopefully everything works. So after the dynamic inventory is synced, you can see that the clusters that are being managed by my ACM hub show up within the inventory of Ansible.

C
Now each of these hosts represents a Kubernetes cluster. So one of the feedback that I got is this may not be immediately apparent for seasoned people who use Ansible, but the host here represents the Kubernetes cluster, and yeah.
A
And one thought there: doesn't a host, and this is me being fairly naive about Ansible Automation Controller, hosts typically can also run playbooks as well. That's one of the, is that where the confusion comes in, that these are Kubernetes clusters, these are hosts, but they don't necessarily run the playbook on the client, or is that?
C
Correct. And these hosts are being grouped by the dynamic inventory plugin, so let me show the inventory a little bit. Here is the inventory I'm using, the OCM managed cluster, yeah, can.
C
Okay, so this is the dynamic inventory file that I'm showing you. So here I'm giving selection criteria and grouping criteria for those clusters. So, for example, the cluster group I have here that's marked Amazon is all the clusters that have the label amazon.
C
That's correct, it's quite flexible, so anything that you can label you can do. And also from here you can see that we also exclude based on, you can also exclude based on label as well. So it's a fairly flexible mechanism for you to group your clusters.
C
Typically, here is where, like in any traditional inventory like a VM, this is probably where all the information about that host is stored, right. You know, like the IP address and any additional information that you want to store. You can see that this is empty, so this dynamic inventory plug-in is actually pretty dumb by design.
C
It only provides the grouping mechanism and it provides a pointer into the ACM system, and the other tools that we have built in the module allow you to use this pointer to further ask ACM about any information that you want around that cluster, like okay, well, what policy is applied to this cluster.

C
You know, what applications deploy onto that cluster and what add-on is deployed onto that cluster, anything else. This provides a pointer into ACM to allow you to query more information about the cluster.
C
Are you doing here? Well, we can get into that a little bit, right. Right now we are kind of just showing how do I get Ansible to know about the clusters that ACM manages.

C
A little bit later, when we try to connect to these clusters, I will try to show how this is being established. So, okay, and there's no credential, right, that's associated with any other managed cluster. I'm not storing like tokens or certificates or anything that's used to authenticate against the API server of the managed clusters. So from here I want to go into a really, really simplistic demo.
C
This is a playbook that I have in the demo project. It's really simple. All that it does is create a namespace.

C
I'm not that imaginative of a person when it comes to content, and I'm sure people that are attending the stream, if you have any idea about what kind of cool things you can leverage this technology for, please let me know. Play around with the demo and ping me. Gurney will even give you my cell number. I would love to.
C
I can target a group of hosts, the grouping that I showed earlier. So, for example, I can target just clusters on Amazon or on Azure, and I can target one specific cluster by referencing the cluster name directly, or I can just target all the clusters. So let's go ahead and do that, and as this playbook runs I can, you know, roll back the curtain a little bit and try to show what exactly we are doing behind the scene. So earlier I mentioned this cluster proxy add-on.
C
What it essentially allows you to do is, it creates a service on the cluster that's hosting ACM and has the proxy agent call back to connect back to the ACM, so that from any user's perspective, you can connect to the service and have your traffic be able to reach the kube API server. I think I have a picture for this, hold on a second. Let me try to find a picture for this. All right, I think this is it. Can you all see this picture?
C
All right, cool, so there are two services that are hosted on the ACM hub, the user service and a proxy service, right. The proxy agent connects to the proxy service and the user connects to the user service. So I can set my kubectl, the API server that my kubectl talks to, against this user service with, like, slash cluster name, and then that will allow me to communicate with the kube API server on managed cluster one.

C
One key thing to note here is that this is a reverse proxy, so there's no inbound connectivity required to the managed cluster.

C
Much like most of the plug-ins that are on ACM, right. It's a managed cluster communicating back to the hub and not the other way around.
A
Okay, so you've created a secure tunnel that is basically initiated by the managed cluster and handshaked by the hub. Now you have a secure tunnel and you can access the kube API, and I'm going to go ahead and guess you're about to tell us that step one of running an Ansible playbook targeting all of your managed clusters is to configure communication through that secure tunnel you've created.
C
So if we take a look at the demo playbook, you will see how to enable the appropriate components with the modules within the collection and how to set this up. It's pretty boilerplatey.

C
So this is the first part, right. We are enabling this cluster proxy add-on on the managed cluster, and then there's the second part. The second thing that we're using is called the managed service account add-on. So the managed service account add-on is another thing that came out of the Open Cluster Management open source project, by the way, awesome contributors. If you guys have not had the chance to check out our upstream project, please do.

C
It allows you to create a service account on the managed cluster and, using the TokenRequest API for service accounts, request a service account token and feed that back to the hub, so that, well, you have a credential to authenticate against that managed cluster. Now you can definitely use other methods of obtaining an authentication credential to the managed cluster, but this is just one of the convenient ways that we provide.
A
So you've so far just gone through, configured and verified a configuration of the proxy, and then you've gotten authentication to that managed cluster, acting as the hub, through a managed service account. And now you have how to contact the managed clusters, plural, and how to authenticate with them in two steps. Two quick, easy steps to the whole inventory.
C
Correct. So here the first part is just enabling the add-ons, the second part here is obtaining the proxy URL, and then here we are generating a dynamic managed service account. So this dynamic managed service account actually only lives for the time that this playbook runs.

C
So afterwards this service account is destroyed, and if, let's say, your playbook imploded in the middle of execution, right, there's a way of setting an expiration time for these managed service accounts so that they self-destruct after a certain period of time, so you're not accumulating or leaking service accounts and credentials. And then there's another part that we ended up providing in our collection: well, now that you have connectivity and authentication.

C
The next part is we need to have authorization, right, because at the end of the day you are trying to do things on those managed clusters. So another module that we provided is a module for you to create, like, RBAC resources on the managed cluster for the managed service account. This is done via the ManifestWork API provided by ACM.
C
The plug-in supports two different modes, right. One is a dynamic service account, one is a static service account. The dynamic service accounts kind of have generated names so that, even if you have like 60 or 100 of these playbooks running, they don't step on each other. They don't accidentally.
A
So at this point I'm guessing the step is: do whatever you need to do against every cluster that you matched and then close out. And that's your conclusion, but you said we're making a namespace, so have we made a namespace now?
C
All right, let's see. I guess I should have shown beforehand, before the namespace was created, right. So I guess we can take a look at the timestamp and it should be fine.

C
Yeah, again, I completely understand that this is a really, really trivial example, right, if you're just creating a namespace on a cluster. I can do that here, like with this, you know, terminal. But I think the key thing to take away from this demo is that this gives you, like, you don't have to manage any credentials. You don't have to know, but hold on a second. Let me.

C
Technical difficulties, all right. So you can see that, like, different cloud providers have different ways of authenticating, right, and they have different patterns for the API servers. It gets a little messy. Like, for example, the kubeconfig that's generated by AKS, okay, that one is portable: I can give this file to Joydeep and Joydeep should be able to use it. But the one that's generated by EKS.
C
Right, so in order for me to give Joydeep access to this cluster, well, actually I have to grant him access to my AWS account, which I don't. I don't think I trust Joydeep enough for that.

C
If I just want to give him a cluster to use and then I can destroy it later, right. So, like, there are just so many different plugins and different ways that you can authenticate to a Kubernetes cluster. It gets a little chaotic, right.
A
Yeah, so what you're showing here is the core pieces of, and this is a plug for last week, where we talked about Open Cluster Management, the community's made one homogenous way to access and authenticate and talk to these in this incredibly heterogeneous landscape. I can tell you we have an EKS cluster that occasionally has an expired certificate, and the only way we get into it is this exact method, because otherwise the original person who made it on AWS has left the organization, their account's no longer there. It's a headache. So that's.
B
The other thing that I see while you're talking, let's say I'm a seasoned Ansible admin. I don't know much about kube. I can use my same tools to do things in kube, and the greatest, the most important thing is all the security aspects, etc., are all being taken care of for me automatically.

B
If I would do it myself, I would probably create a trail of mess. You know, a trail of service accounts or whatever, credentials would leak, etc. And the other point, of course, as Hao did say, is clusters in different areas, in different clouds, etc. You have to handle authn and authz differently and things like that. That's all being taken care of, so this is very powerful. Yeah.
A
Donning my SRE hat: if I need to give someone access to some clusters to do, and often, you know, do some operation, I need to do some tasks. I can write an Ansible playbook that does that task, verify it against one cluster and hand it kindly to this collection. I haven't linked it yet. I need to link this actual Ansible collection to this collection, and then it will just do the heavy lifting for me.
A
We have a question as well, Hao, and now might be a good time to talk about it. Yeah, Scott asks, let me pop it up: real-world example. What if the cluster's busted, let's say the cluster upgrade fails, never gets to a happy state. Can you use these methods to grab logs and remediate? And I think I'm gonna hazard a guess, Hao, tell me how wrong I am: as long as you can authenticate to the cluster through a service account, you can use this method to communicate with it, capture logs, remediate, do whatever you want.
C
Well, one great thing about the Ansible ecosystem is that it allows you to automate against, I think, pretty darn much anything, right. So let's say the upgrade is busted and my kube API server is now, yeah.

C
Well, if we can SSH into the VMs that are running this, and perhaps we can get a deeper, or the hypervisor, right, or AWS, perhaps we will be able to gather related information about how did this mess happen. So this is a potential way of intersecting.
A
This can configure the VMs in AWS and it can go out and SSH into, you know, a bastion node and use that or anything to do a bunch of this extra behavior. And then this looks Ansible-native enough that you could just start applying other Ansible collections to it as well. Like, I know there's a k8s collection as well.
C
Right, and like one of the use cases I was thinking of that I didn't really have time to actually write a demo for, for example, let's say I know that there is an impending meteor strike on, I don't know, us-east-1, right, and I have a standby cluster on us-east-2, right. I can label my application and tell this, okay, go gather all the artifacts of one cluster that's labeled this way, now move it to my other cluster and then test.

C
If the new application is working, and once it's working, hook it up to the load balancer to make sure that it routes to the new cluster, or something like that. It allows you to coordinate things that are outside of your Kubernetes environment.
C
Oh, by the way, you know that thing that you said earlier about generating a kubeconfig and then giving it to someone for a short duration of time, yeah, and funny enough, that was one of the debug tools. Well, as I was working on this collection, it was one of the debug tools that I created. So, I mean, at the end of the day, right, it's just like, at the end of the day, how this works is essentially, well, get the information.
A
So, no, I gotta pause there for a second. So what you're saying is I can use this managed service account tool through this Ansible playbook to, for example, have an Ansible playbook trigger off of some condition? Maybe someone opens a ServiceNow ticket against me and says, hey, I need access to this namespace on this cluster, and I approve it, and then this playbook goes and it runs, and it makes a service account that lives for 12 hours and gives them a kubeconfig, and I don't have to touch anything.
C
This just grabs the information from ACM, templates it out to a kubeconfig, and then I can send that kubeconfig to Joydeep. And I'm gonna go ahead and show the playbook a little bit and show how you can modify this to give different permissions to this service account and to modify how long you want the service account to live for, right?

C
So here is the playbook. I think right now I have it generating a static, a static, right, because this is for my own debugging purposes. I trust myself, I think, sometimes on good days. And right now I'm giving it custom permission, right. So let's take a look. So in this directory here I have the role binding for cluster-admin. I also have a role binding for, let's say, namespace management, right.

C
I only want to be able to manage namespaces, so I'm going to try to modify this live, and if it doesn't work, you know, I'm not being too brave, Gurney.
C
All right, let's see if this works, right. So I am targeting this. By the way, this is definitely not rehearsed, scout's honor. So yeah, so I'm still creating a static one. I could change that to dynamic, but to make sure that I spell it correctly: temp access.

C
All right, if I'm using temp access, I needed to give another parameter here to specify how long I want this to live for, right. So like right here, this is an example of, well, so this is the playbook that I ran earlier, right, to create the namespace.

C
So in here I'm getting a temporary managed service account. I'm asking it to live for 60 seconds, and let's make this, do you guys want to see the expiration, or.
A
Are you telling me that having cluster-admin all the time isn't a healthy thing to give your SRE team? Well.
C
But that playbook ran through within the time, so, well. One thing that this temporary access is meant to do is.

C
Like, you know how long your playbook typically runs for, and since it's a system that's running it, you're kind of fine with tightly scoping to the time period, right, yeah.
A
Now, in 60 seconds, you should run this again and get unauthorized, right.
C
And yeah, let's give it a, let's: I'm not gonna watch this for 60 seconds. So if I pan away from this window, will anyone think that I'm futzing with it on the back end, or do we want to just stare at that clock?
A
I think we'll trust you. We are doing it live, yeah, your clock's livestreamed. We got it on the record, all right.

C
So yeah, feel good. Oh, there we go: self-destruct.
A
That is magnificent, and I can imagine in the same way you could do a lot with that time-to-live. So yeah, and now you have playbooks. So what you've also walked me through has given me the thought of: someone requests access to a project on an OpenShift cluster, which is another common one. You write a playbook, you go out, you select the cluster that matches their selector.
C
Yeah, that's perfectly legit too, right. This is actually one of the examples that you can use. This is the RBAC configuration for allowing access to a specific namespace.

C
This is actually something cool that I got working last night. I want to show it in a little bit, but yeah, you can create a namespace, right, create a service account that only gets access to the namespace and whatever the user needs to, and then I have another playbook to reclaim the namespace afterwards.
A
Nice. So the last one question that's on my mind is: what does it look like to actually invoke these steps to configure the proxy to access a cluster and configure the service account? Because you showed us the service account step just a second ago. What does the proxy look like? Do you have to do anything for that, or does that just happen?
C
I can go a little bit into it. So, like, by the way, please don't, so I'm, even though I'm working on Ansible right now, I'm still very much an Ansible novice, and I know that my playbooks are not very clean, not very consistent, like syntactically, right. And if you please take a look, PR, help me learn more idiomatic Ansible practices if you are an Ansible expert, or heck, play around with the playbook, dude, hack it up, do the cool things that you wanted to do.

C
But let's go back and take a look. So this is the.
C
This is the playbook that I ran earlier, right there. It's a task that I created for getting the temporary access, there's a task for doing the business logic, which is just creating a stupid namespace here, and then there's a task that I always execute, even if this fails, which will remove the access, garbage collect. Although, as you saw earlier, since there is time-to-live, you don't really need to garbage collect if you are lazy, but let's go into this task and take a look.
C
Okay, awesome, so this is all just modules within the stolostron.core collection. I think Gurney's going to pop up a link to that collection.

C
And, like, the collection itself provides a lot more utility than what I have demonstrated here, like some basic functionality for configuring ACM and working with ACM, right. It's very, very much a work in progress in its early, early phase. It's the release.

C
Version 0.0.1 is how early we think it is, but it provides the utility for enabling features within ACM, so cluster manager add-ons, right, enabling add-ons for specific clusters, so managed cluster add-ons, and a couple of specific modules to interact with the subsequent functions I mentioned earlier, like cluster proxy and managed service account, and that's it. So this playbook, there's nothing that tricky here.
A
Okay, so you can just basically, if you have, I guess this is RHACM out of the box. I assume multicluster engine, and maybe the open source project, can't guarantee that one. But if you configure it similarly, we're just using that technology, then theoretically you can just walk up with your Ansible playbooks targeted at Kubernetes and use this to access them natively and immediately and securely and temporarily to carry out remediations, and I assume all the eventing and everything's Ansible native.
B
Sorry, let me push you a little bit. I want to harp on something.
C
Let me delete my old kind cluster. Well, while this thing spins and runs, I want, there's one, well, I don't think this is going to take long. Let me go ahead and create that kind cluster, and let me go ahead and go import that.
C
Yeah, this paste gets a little slow.

C
I'm sorry, all right!

C
Live, sure. Imagine this laptop as a print cluster, right.
C
Far edge, all right. So, okay, here's my inventory, it synced, the kind cluster appeared. You know what, let's just target that one kind cluster instead of running this on all of it.

C
Actually happening to your kind cluster, you don't trust me, okay, okay, all right. So, you know, no trick up my sleeve, right. Let's launch this! Oh! This is the wrong playbook.

C
All right, awesome, let's just run this on the kind cluster.
C
Which is in an Airstream that is essentially a Faraday cage. So, like, my download speed is, like, I don't know, a meg on a good day.
C
Go, all right, so pivoting to this other cool thing that I got working last night with the same technology that we've been demonstrating. So I don't know how much people know about container groups.

C
So in Ansible Automation Controller, you can add instances to increase its execution capacity, right. Imagine, you know, a remote VM sitting somewhere that you get to run the playbook on against everything else that's in your data center or whatever, just additional execution capacity. And you can also add a thing called a container group, but essentially a container group in Ansible Automation Controller is just a Kubernetes cluster that you can talk to, right, that you can dispatch your Ansible jobs to. And well, the way that Ansible Automation Controller connects to the container group is through the kube API server, and, you know, with a token and with authorization to create a pod, right. So which is exactly like the technology that I've been demonstrating.
A
So you're about to say that you're going to, in a fell swoop, take by some label match, turn every single kube cluster that matches that label in your fleet into an Ansible execution. So just for example, maybe you have a bunch of different regions that you're going to run Ansible jobs on, but networking latency, it's faster for you to talk from us-east-1 to us-east-1, us-east-2 to us-east-2, each region.
C
Yeah, essentially, I'm turning every single cluster right now that's been managed by this instance of ACM into a container group that Ansible Automation Controller can use to execute playbooks, thus providing more capacity to the Ansible Automation Controller itself and also allowing you to, well, be closer to where you are automating.

C
So this is what I just did: gives Ansible Automation Controller access, well, sets up all the managed clusters, so like, for example, creating the namespace and configuring all the prerequisites.

C
So you will see a new namespace popped up on all the clusters, including my kind cluster, called ansible automation platform, right. And so we create and configure this namespace and configure RBAC and image pull for the namespace, so that the Ansible execution environment container can run on those clusters.

C
I added this cluster into the instance group inventory on Ansible Automation Controller, so let's try to do this on my kind cluster, right. Let's run the demo job right quick, and I'm gonna target this to one.
A
That's amazing. Also, I just noticed we're at the top of the hour, and today we have another show immediately after this, so we're gonna have to call it and leave it on, I think, a bit of a cliffhanger for you, Hao.

C
No problem, let me stop the share before we go. I highly encourage everyone that's here to please check out the demo repo and try to play with it. Modify it, and you know, DM me, like, follow and subscribe.
A
Awesome, well, thanks, Hao, thanks for joining. Sorry to end a little abruptly; we're gonna end today. We've run over into Supply Chain Security Best Practices, so catch them live here in about two minutes. Thanks to everyone, and all the links should be in chat. We'll see everyone.