From YouTube: TGI Kubernetes 066: Even More Secret!
Description
Come hang out with Duffie Cooley as he does a bit of hands on hacking of Kubernetes and related topics. Some of this will be Duffie talking about the things he knows. Some of this will be Duffie exploring something secret with the audience. Come join the fun, ask questions, comment, and participate in the live chat!
Good afternoon, everybody. Hello from San Francisco, and welcome to this week's TGIK. In this episode I want to cover more about secrets, and I want to dig more into some of the different patterns for managing secrets within the scope of Kubernetes. Let's go for the application, but before we get into that, let's go ahead and take care of some stuff.
So, what happened this week in review? Lots of interesting stuff happening out there in the Kubernetes space. One of the interesting edge Kubernetes things that happened this week, by the folks at Rancher, was k3s. Maybe you haven't had a chance to take a look at it yet; go ahead and check that out. It's a pretty interesting project. I mean, I could see why this is interesting to the folks at Rancher and also probably to quite a few of you.

So if you're looking to embed Kubernetes in your environment and you don't think this is the way to go, then this might be an interesting project for you to evaluate. But my concerns around it are, you know, probably very common concerns that other people have: this is a fork, and how is it going to actually maintain track with the crazy amount of change that happens at upstream Kubernetes weekly, monthly, quarterly?
It seems like a lot to take on to manage all of that, but I'm not someone who wrote it, so we'll see how that all goes. Another interesting thing that happened this week is that Google started dropping the .dev domain and just kind of blowing up my Twitter with people buying different .dev domains. I just thought I'd give that a shout-out; it's kind of an interesting thing. I think a lot of people are using these for personal websites.

So if you're looking to set up a blog or you want to do anything else like that, that might be a good way to go. They're about 12 bucks a year to pay for right now, and they're very inexpensive. I wanted to point out a couple of other interesting things that happened this week. We have OperatorHub, which actually just landed yesterday. This is an interesting one. This is actually tied into a couple of different projects that I've worked with and been around for a couple of years.
This is actually representative of the work that's happening with the Operator SDK. With the Operator SDK you'll have the ability to generate an operator for, you know, managing your software. As a reminder, folks, operators are really just kind of the controller pattern within Kubernetes, but written as software such that they can actually manage your particular application, and we're actually going to make use of an operator today, the KubeVault operator, as we play with this and get further into the episode.

So this is actually a really interesting place where you can make pull requests to show off your operator, and at that point folks who are running Kubernetes as an infrastructure solution can download your operator and make use of it. Very cool stuff to see that kind of continuing, starting to build a marketplace around it. Pretty exciting to see that happening. The Kubernetes 1.14 code freeze will happen on March 7th.
So if you're working in development for Kubernetes, you're gonna want to be aware of that, and if you're not working on development in Kubernetes, be aware that 1.14 is coming soon to a cluster near you, hopefully. I mean, it usually takes a revision or two past the first release to get to a place where we fully trust and stabilize it. But at the same time, you know, every foot on the ground is a step forward. So let's keep that moving.

The next thing I wanted to get into was... I think I've talked about this and I've referenced this site quite a few times. This is LWKD, lwkd.info, and it's got... it doesn't actually have a cert or something like that. But anyway, this is actually put up by Josh Berkus; it's a very cool website where folks can make pull requests against the GitHub repository.
That is lwkd, and you can actually open issues. Just read through this and go ahead and put up things that you have seen in the community that are interesting to you as it relates to Kubernetes development specifically. So if you're working on, you know, Cluster API, and something really cool happened this week and you've got it merged, feel free to link that here. Pretty cool stuff. But what I wanted to show you on the LWKD stuff was, I actually noticed this last week; I was pretty impressed with this.

It started this idea with trying to make it so that we could list all of the access that a particular user has, in relation to their kubeconfig. So when you have been granted access to Kubernetes and you've been given a namespace, how do you know what calls in that Kubernetes API are available to you right now? The only ways, prior to this change?
The only way to do it would be to literally just, you know, iterate over the world, and I actually just saw something during this last week that was called rakkess, which does exactly that. It basically iterates over the whole world, and it just checks to see what permissions you have for that particular object or API path within the Kubernetes API. In this way, yeah.

This is actually gonna make use of SelfSubjectRulesReview, which is a very different call. This call will actually result in a list of all of the rules that apply to your account, rather than making you iterate through them, which I think is probably far more efficient, and it's also really interesting when you think about the different...
Specifically, this ticket is about adding that capability to kubectl auth, which is a subcommand of kubectl. kubectl auth can-i already works, but this --list option is new, right? So the --list option would actually make the call to SelfSubjectAccessReview and, as you can see, it got merged. I'm pretty jazzed about that. I can't wait to play with that. It'll probably make it into kubectl in 1.14, I suppose. Look forward to seeing how that works.
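As an added example, not code from the episode, from kubectl or from rakkess: a small shell helper that writes the SelfSubjectRulesReview manifest that the --list path submits, plus an awk check over a constructed sample of `kubectl auth can-i --list` output that flags rules granting every verb on every resource. The `demo` namespace and the sample output are constructed assumptions, so the script runs without a cluster.

```shell
#!/bin/sh
# Added example (not the episode's, kubectl's or rakkess's code): build the
# SelfSubjectRulesReview request that `kubectl auth can-i --list` makes, and
# scan a constructed sample of that command's output for rules that amount to
# full access. Namespace name and sample output are constructed assumptions.

# Emit a SelfSubjectRulesReview manifest for one namespace. Piping it to
# `kubectl create -f - -o yaml` returns every rule the API server applies to
# the calling identity there, in one request instead of one per resource/verb.
ssrr_manifest() {
  printf 'apiVersion: authorization.k8s.io/v1\nkind: SelfSubjectRulesReview\nspec:\n  namespace: %s\n' "$1"
}

# Constructed sample of what `kubectl auth can-i --list` prints for an
# identity that has been handed cluster-admin-style rights plus a few extras.
SAMPLE_LIST='Resources                                       Non-Resource URLs   Resource Names   Verbs
*.*                                             []                  []               [*]
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
pods                                            []                  []               [get list]
                                                [/healthz]          []               [get]'

# Number of rules granting every verb on every resource: a non-zero count
# means the identity is effectively cluster-admin in that namespace.
count_full_access_rules() {
  printf '%s\n' "$1" | awk '$1 == "*.*" && $NF == "[*]" { n++ } END { print n + 0 }'
}

# Verbs granted on one named resource, e.g. "pods" -> "get list".
verbs_for_resource() {
  printf '%s\n' "$2" | awk -v r="$1" '$1 == r { sub(/^.*\[/, ""); sub(/\]$/, ""); print }'
}

# Stand-alone run: print the manifest for the constructed "demo" namespace and
# the two checks over the sample.
ssrr_manifest demo
echo "full-access rules: $(count_full_access_rules "$SAMPLE_LIST")"
echo "verbs on pods: $(verbs_for_resource pods "$SAMPLE_LIST")"
```

Against a real cluster you would pipe `ssrr_manifest demo | kubectl create -f - -o yaml` and feed the output of `kubectl auth can-i --list -n demo` into the two check functions; a `*.*` row with `[*]` verbs is the thing to look for first when reviewing what a kubeconfig can actually do.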
Kustomize got added back into kubectl. What else did I want to show you? This week's, or last week's, "what happened last week" stuff. Most of this stuff is really just interesting if you're working on the development of Kubernetes, but I think that at the same time it's really good to kind of keep an ear to the ground as far as what's changing in those APIs, what's being deprecated, what's graduating, and this site, I think, does a really good job of actually highlighting that. You can see other merges that have happened: kubectl autoscale as being possible or potentially supporting CRDs. That's pretty neat, kind of moving in that direction. kubeadm reset now will remove etcd nodes; there's another one. This is actually the stuff that's happening in kubeadm, and I'm pretty excited about this: kubeadm init supporting uploading of certificates.
This is useful because in this model, if you were gonna use kubeadm to stand up a multi-master cluster, it kind of makes it a little bit easier for moving the shared certificate material that has to be shared. So things like the signing key for the service accounts, for example: that needs to be the same signing key on each host, or the API server has to have a public key that matches the whole set.

But yeah, that kind of stuff: there are certain pieces of key material that are shared across those things, and it's kind of good to know how to get to that stuff. So that is the LWKD portion of our show. I also reference a lot of the time, I referenced, KubeWeekly.
There we go. Yeah, no, I'll figure it out one of these times; I'm gonna put it up, put it in a link. But out of that KubeWeekly this week I found a few interesting articles about what was happening. All right, one of them actually I thought was interesting: it's this podcast from Software Engineering Daily, and they actually cover a lot of really interesting things in their podcasts, and Software Engineering Daily is a relatively new thing for me.

I'm sure some of you probably are already aware of it, but what I've been seeing is they've actually started having folks on, like Liz Rice talking about Kubernetes security. They've got some other stuff on Kubernetes: there is Knative serverless workloads, Kubernetes strategy with Brad weasels. There's lots of interesting things happening around here on this website, Software Engineering Daily, so go check that out. That's pretty neat!
A CVE denial-of-service attack was reported within kube-apiserver, in which authorized users with write permissions can cause the API server to consume excessive resources while handling a write request. So, I mean, basically this would allow you to make the API server so busy that you couldn't do other things, or affect other tenants using the same cluster. Interesting vulnerability, and it looks like it's been fixed in 1.11.8, 1.12.6 and 1.13.4, and presumably in 1.14 as well. So, medium severity.

Nothing is quite as blow-the-wheels-off-the-bus as we saw earlier, the last time I saw y'all, which was the runc vulnerability. So I'll check in with our chat here, see how y'all are doing. Got people who are very interested in k3s. Yes, we got Antoine from Paris, how's it going? And it does conform with CNCF Kubernetes conformance, which is actually pretty impressive. I mean, as an experiment, I'm really impressed with what's happened with that, just with k3s. Alright, and let's get back to our notes here.
Okay, so the next thing. Yeah, rakkess is the thing I was talking about, and this one is an interesting one. It's a really cool kubectl plugin that allows you to effectively do exactly what we were talking about in that chat, and I mean to open a ticket against rakkess to make him aware of this, not just talking about him doing that in the broadcast, but also actually putting this up.

But what I noticed inside of the packaging was, in the client side, the check access code here: it's actually just iterating through, using SSARs or whatever, iterating through all the things that you have and all of the permissions that you could have over the entire space. And so that's actually not a terrible way to go about it, except that you can imagine that that's a pretty significant load for the API server and, at the same time, it is...
If we think about how all that works, the way secrets are exposed to pods is still somewhat within the scope of the cluster itself, and that means that if I tried to really constrain what can have access to those secrets, I'm still relegated to keeping within the constraint of the cluster's RBAC model and all through those things. Now.

But if you create a secret, you have that secret for a period of time, and then you go about rotating this, and there's tons of patterns out there for how to do that, with Vault and a variety of other tooling that is out there. But really what I wanted to get to was: if you're going to actually generate a secret, there are kind of two principles to keep in mind. One principle is: how long is that secret going to be good for, in case it gets out?
In case it becomes exploited, if somebody gets a hold of it, right, what is your fallback plan? What do you do if somebody gets a hold of the wildcard cert for your corporation? That's a wildcard cert. That means that anybody could impersonate your corporation, and the first thing that a lot of people think about when they think about that kind of security surface is, they're like, well, I actually need to really lock it down and only make it so that certain entities can have that wildcard cert. And really, I think, you know, in reality, locking it down can only get you so far, because inevitably you still have that challenge, that is, everybody is a human and you have the ability to make a mistake and leave that wildcard cert...
While you were troubleshooting something or debugging something, you could leave that cert in a place that is vulnerable, and somebody gets a hold of it, and now that cert is going to be a risk to your corporation the entire length of that certificate's lifetime, right. And that's challenging. So if we can't rely on people to secure secrets, then what other tools are at our disposal?

Things like Vault; things like, in the certificate case, the ability to actually ensure that the certificate has a short lifetime. If I was gonna make a wildcard cert for a thing, it would behoove me to ensure that that wildcard cert had a short lifetime: maybe ten days, maybe twenty days, maybe a month, even shorter if I could get away with it. And the benefit of that is that I...
have that token be time-bound, and then, as part of the protocol, they actually support the idea of rotating these tokens. So when we look at different ways to keep things a secret, the first part we have to really think about is: what is the artifact of that secret, and what can I do to provide governance or control over that secret, such that if, I should say when, it becomes exposed...
But all of these things are pretty easy to kind of punch big holes in as far as the security posture, or the security part of it, and so really what would be better is if you had a way to ensure that your application code had some form of identity and had the ability to go and authenticate with wherever your secrets are held or being issued from, and then you would go about ensuring that you get that secret. And then, as part of your code, as part of the running code inside of your container, you would have the ability to authenticate to that entity that the secret is held in; you would give it a secret that would be issued specifically to your application for perhaps a period of time, and when that pod goes away and the new pod comes up, that new pod, as part of its init state, would actually go out and get a new secret or have a new one issued, and that is about the most secure way to actually manage secrets within Kubernetes, right. If you can get to that point where you are doing it at the code level, that is going to be probably the most secure way to go about it.
What I want to talk about in this episode, when we get to our hands-on part of it, is I'm going to show you KubeVault, which is an open source project put out by AppsCode, and this one actually gives us both the ability to stand up Vault, which is pretty cool. It also gives us the ability to reason about secrets as they're held in kind of a container storage interface, right. So in this way we can actually store a secret inside a Vault, and we can make use of a volume that is mounted to my pod, where the secret would be made available only to that pod. It's not using the mechanism to get hold of secrets inside of the Kubernetes construct, but it's actually ensuring that the secret that it's going to go fetch...
is actually only available to my pod, through a mounted volume that only the pod has, and that's a pretty secure way. That's kind of like, if we think about these levels of surface, right: if I expose a secret, encrypted or not, inside of Kubernetes, that's a pretty wide surface; lots of things have access to that secret. If I expose a secret to a volume that only pods have, that greatly reduces my surface, right.

You know, exploiting the application, but again, as long as you're thinking about that ahead of time. If you're thinking about the fact that any secret has to have a shelf life, no matter what: you can't have a cert that lasts twenty years; it has to be a certificate that is only going to be good for a week, right.
How do I actually access that container storage interface? Is that also secure? Just kind of thinking about all the different ways that those secrets are working, and what kind of controls you have around auditing and enforcing the constraints that you might want to put around that sort of stuff. So yeah, that's what I want to talk about there.

So KubeVault is going through a CSI driver piece, and I think that's actually pretty cool. We're gonna actually get hands-on here in a minute; I stood up an EKS cluster, we're gonna play with that. The other one that I actually linked before and was talking about is the Kamus tool by Soluto engineering. This is another interesting project.
This one doesn't actually use a CSI yet; I think that they may be working on it, I'm not sure, but yeah, check out this article, check out the threat model. This is actually one of the few projects I've seen that has a threat model. Well, it also has one, but pretty neat stuff; it's a very, very cool project.

All right, Dad, I need you to see my screen. Thank you for calling that out. I'll see to it that you can see my screen. These were the pages I was talking about; I didn't know, I'm afraid I didn't share this with you, but I was actually clicking through this stuff the whole time and we weren't able to see it. I apologize. Anyway.
These are the docs that are available to me. It's wrong. I want to start with, so what I've done already, I should say, is I've already spun up a cluster in AWS using the VMware QuickStart, or, you know, by Heptio. This used to be the Heptio QuickStart. So I have my cluster already running here, and if I spin up a shell here...

We can see our Kubernetes cluster running, yeah. We can see it's running, you see it's running Calico, got CoreDNS. We got one single master with one single API server, all of that stuff that's running, and I have already deployed the Vault operator. Well, the Vault operator is the operator that will manage all of the Vault servers and stuff that I wanted to create. So that's what you've got so far, and to talk about how I'm doing that: basically, this was, I stood up...
I stood up again the QuickStart cluster that I pointed out already, in AWS. I went ahead and deployed the operator using this mechanism. Actually, I put it on my master, so I did this one, which is basically "run this on master". When you deploy this operator, it's actually pretty interesting. They provide you a lot of options for what you want to do here.

So if you wanted to, for example, host the images that are being used in the Vault operator locally or on your own private repository, you could do that by basically providing the image pull secret and the docker registry command-line arguments. If you didn't want to keep the operator in kube-system, you want to put it somewhere else, you can just specify the namespace. And then, really cool, this is actually one of the few projects I've seen that actually makes use of this:
they actually make use of validating webhooks and mutating webhooks to ensure that when you're creating these objects, they're well formed with respect to the spec of the object. So they're doing all that in webhooks, pretty cool stuff. You can specify the kube API server FQDN for other things; enable analytics, which is true by default. You can do an uninstall or a purge, and you can install the catalog; again, it will automatically do that. There's a monitoring agent, a monitoring operator.

These are all options that you have when deploying this operator. So I've already got this one deployed, and here are the images that it's going to use, and it's mainly because I want to kind of spend more time looking at the creation of the Vault, kind of getting down to the place where we start playing with this the CSI way. So, as I said, this is already deployed. So look back over here.
See environment variables that have actually been put up, so, again, kind of against the whole... well, as an example, I guess, of the risk of environment variables and those sorts of things. What I'm gonna do later on in the episode, when we actually mount a volume, a secret, into CSI, I'm actually going to use this little application to show you the secret that's actually been exposed in my environment variables, and this is...

You know, this is some of the early security problems of things like Java and PHP and many others: if you leave a debug page on, a lot of the times they'll print the environment variables, and you got to be careful with that kind of stuff. So let's get into the next piece of this. I'm gonna go ahead and stack these two.
Okay, so "deploy a Vault on Amazon EKS", that's what I'm gonna do. Mainly, I'm not using EKS, I'm just using Amazon, but in their example here they're referring to this as EKS. So let's go ahead and create our demo namespace. I believe I already have it created, but let's take a look anyway.

demo: nothing in there. So the next thing I want to do is go ahead and... well, that's kind of a weird ordered thing. Yeah, we've already got our bucket, we've already got our key, we've already got our cluster. Let's go ahead and get to this part; we're gonna have to probably edit some of these fields, because my cluster's in a different place, but we'll get to it. Let's go ahead and do that now.
So what this is gonna allow me to do is create a KubeVault VaultServer, effectively leveraging the operator that I have deployed into my kube-system namespace, and so we're gonna kind of walk through how all that works and play with that.

So, oh, one more thing before I get too far. Down here at the bottom of this document there's actually example IAM policies, SSM policies and KMS policies, and I had to apply these to my node role, where the Vault will be deployed, to actually get this stuff to work, and so I just wanted to call it out. That was actually the thing that took me a little while to actually get wired in correctly, but yeah, you gotta have the policies.
If you're gonna make use of a node role. They also provide you the ability, and I didn't look into this, but if you wanted to actually issue a different account within AWS that would have access to those things, you can actually use that account credential directly for those things. So you don't have to necessarily use the node role, if you want. Then, there we go: if you wanted to actually provide a credential for the S3 bucket and a credential for the KMS and SSM permissions, you can actually separate those permissions into two things.

You can provide a credential for each of those and then just provide that to the spec, and so that's actually pretty cool. I kind of like that it's as flexible as that. What that means is that when you're actually generating the Vault and you're providing the secret, you can actually choose the credential to use to authenticate to AWS. You can do it that way, which is pretty nice. All right.
I'll do that. Let's go back to our docs, because they refer to one more thing that we should do, which is basically what we're looking at right now. What we're looking for right now is basically all the parameters that we need to configure this Vault. So let's go ahead and run this command, and this will tell me what version of Vault I want to deploy. Yeah, looks like I have 1.0.1 and I have 0.11.5, so I guess I'll just go with 0.11.5 here.

Let's see what that gives us: kubectl get all demo. Whoa, oh, it's running, okay, cool, and then we'll do logs.
So now, if I do my kubectl get vaultserver demo vault, I can see that it's in running state and it's running version 0.11.5, and there's one node up, and it's about three months old. So let's go ahead and do some other checks and make sure this Vault cluster is doing what it says, or what we're expecting.

We can see that it's all tuned.
We can see from the configuration that it's configured it to listen on any interface on 8200. The cluster address is listening on port 8201. There is a cert and a key file that's being used to secure those interfaces. It's configured it to use as storage the default 1212 bucket in us-west-1, which is awesome, which is what we expected, and telemetry has been configured. I'm actually curious about this certificate, so I'm gonna take a look at that certificate, because I'm actually curious to see what's happening there.

You know, that's what we were talking about before, right: like, I have an administrator in this cluster, so I have access to all the secrets. You would have a record of me doing a get of this certificate, but here is the key and the certificate. It is not uncommon inside of Kubernetes to host those things as secrets, regardless of their current state.
Really, regardless of whether those secrets are good or not. But you could imagine that if we were going to try and use this for it, our problem would be that we'd have a chicken-and-egg problem: we have to have some mechanism to allow for this running pod to have a secret before a secret could be stored somewhere. So let's take a look at this secret, and this is actually a pretty interesting way to go about this.

Bear with me. What I'm doing is: I'm actually grabbing the entire base64 blob for the TLS cert and I'm echoing it, and then I'm gonna pipe it out to base64 -d, and then I'm gonna pipe it out to openssl x509 -text, because I want to see what this is configured to do. This is a good way to actually understand secrets generally. Right, like, this is a very cool trick for understanding, sorry, certificates at all.
So if you want to look at a certificate and see what it's actually configured for, this is a pretty decent way to do it. So inside here I can see that this one is actually issued for web server authentication. So this is actually going to be a serving certificate; it's going to be a certificate that is protecting a serving, a listening, interface.

It's not meant to be used as a client certificate, and when I interact with the interface that is using this certificate, it will allow me to address it with one of the following names: I could call it localhost, I can call it anything in demo.pod, I can call it my vault at demo.svc, and I can call it by the IP address 127.0.0.1.
So what that means is, if I was going to do a curl, or our host trying to authenticate against the certificate, this certificate will ensure that the hostname that I'm actually using has to match one of these subject alternative names, or it'll error out on my browser. Now, the funny thing is, I'm not going to use a browser to interact with this; I'm gonna use a client, and this same thing is true for clients as well, right.
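The decode-the-secret trick just described, together with the short-lifetime principle from earlier in the episode, as an added example that is not from the episode or from KubeVault: it generates a throwaway 10-day serving certificate with openssl (the names localhost, vault.demo.svc and 127.0.0.1 are made up for the example), base64-encodes it the way the value sits in a Secret's data, and then decodes it with openssl x509 to list the SANs, confirm the server-auth EKU, and check with -checkend whether the certificate outlives a chosen maximum lifetime. Against a real cluster the blob would come from `kubectl get secret <name> -o jsonpath='{.data.tls\.crt}'` instead of the local file.

```shell
#!/bin/sh
# Added example (not from the episode or from KubeVault): decode a TLS cert
# the way the episode does (base64 -d | openssl x509 -text), pull out the
# facts that matter for a serving cert, then check the lifetime against the
# "short-lived certs" principle with openssl's -checkend. A throwaway 10-day
# cert is generated here so the script runs offline; the SAN names are made
# up. Against a cluster the blob would come from
#   kubectl get secret <name> -o jsonpath='{.data.tls\.crt}'
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed serving certificate: 10-day validity, serverAuth EKU, three SANs.
openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
  -keyout "$WORK/tls.key" -out "$WORK/tls.crt" -subj "/CN=vault" \
  -addext "subjectAltName=DNS:localhost,DNS:vault.demo.svc,IP:127.0.0.1" \
  -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1

# Single-line base64, as the value sits in a Secret's data.tls.crt field.
TLS_CRT_B64="$(base64 < "$WORK/tls.crt" | tr -d '\n')"

# Decode the Secret field and let openssl print the certificate.
cert_text() {
  printf '%s' "$1" | base64 -d | openssl x509 -noout -text
}

# Subject Alternative Names, one per line (DNS:..., IP Address:...).
cert_sans() {
  cert_text "$1" | awk '/Subject Alternative Name/ { getline; gsub(/^[ \t]+/, ""); gsub(/, /, "\n"); print }'
}

# Succeeds only if the cert carries the TLS Web Server Authentication EKU,
# i.e. it is a serving cert rather than a client cert.
cert_is_server_auth() {
  cert_text "$1" | grep -q 'TLS Web Server Authentication'
}

# Succeeds if the cert is still valid N days from now: success against your
# policy maximum means the cert outlives the lifetime you allow.
cert_outlives_days() {
  printf '%s' "$1" | base64 -d | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Stand-alone run: summarise the constructed cert and apply a 30-day maximum.
echo "SANs:"; cert_sans "$TLS_CRT_B64"
cert_is_server_auth "$TLS_CRT_B64" && echo "EKU: serverAuth present"
if cert_outlives_days "$TLS_CRT_B64" 30; then
  echo "POLICY: cert outlives the 30-day maximum"
else
  echo "OK: cert expires within 30 days"
fi
```

The -checkend check is the piece worth keeping around: run it over every tls.crt in a namespace with the maximum lifetime your rotation story supports, and anything that outlives it is a cert whose leak would hurt for longer than you planned.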
So we've looked at the way this is configured. That's pretty neat. We can see our secrets that are in there. Oh, and it goes on to tell us to look at the secrets; that's pretty cool, and then we could see the unseal keys and root token in the parameter store, which we already saw. That's there. And then let's get into using Vault. You know, how is it gonna do this?

How is it going to ensure that I can get hold of the token, but everybody else can't? That'll be interesting. So what looks like it's gonna happen: it's telling me that I can go ahead and get the Vault root token from the parameter store, and then I have to use AWS KMS to decrypt it. So it's not stored: the Vault root token is not stored, and presumably none of the shares are either, in the parameter store unencrypted. They're all encrypted individually with the KMS key that I'm providing, and that's pretty neat, right. So then I can leverage AWS to ensure that only certain people or entities have access to that KMS key, and that's pretty cool. So let's go ahead and go through this process. And what this all does is actually grab, or, you know, authenticate to Vault, which we cannot currently do, so...
Before I can actually hit that, though, I want to do a port forward; like, it's not exposed to the outside world. It's only exposed within the scope of the cluster, and even its certificate is actually limited to that too: exposure within the cluster. So for me to actually get to that Vault and interact with it, I'm gonna have to do some port forwarding magic here, so it says: go ahead and forward port 8200, listening locally. And the way port-forward works, you can actually have port-forward point to a particular pod or to a service. If you do use a service, it will actually resolve one of the pods on the back end of that service the first time, and, you know, henceforth all other connections will go to that same pod. It's not gonna...
load balance; it's not making use of the cluster IP mechanism in that it's going to bounce across those things, because it's just a single session that you're standing up. So I'm going to go ahead and start this up. Also, if I don't specify another port to forward, that means that you use the same port for both parameters, and this will make it so that I'm port forwarding this application across this service on my local 8200 port. Apparently I already have it running somewhere.

There we go, alright, so now we have my port forward going to that application on port 8200. Let's see if we can get a little further down the road here. Since I don't have the CA that was used to issue that certificate, I'm gonna just go ahead and do skip verify. What this means is: just trust the cert that you're given, don't ask so many questions. Yeah, and not really probably the best thing.
What
would
be
cooler
is
if
you
had
a
way
to
actually
ensure
that
you
had
the
CA
certificate
or
a
copy
of
the
certificate
that
signs
that
or
that
you
issued
that
certificate
yourself.
I
haven't
actually
looked
into
like
how
that
could
be
done
with
this.
Yet
maybe
we'll
look
into
that
after
this,
but
so
we
have
exposed
our
token
we've
got
our
waltz
get
verify
true.
We've
got
our
vault
address
so
now,
let's
try
ball
status
well
status.
A
It's not in HA mode. Seal type... it is not sealed. Currently there are four shares with a threshold of two, and it's all working. So that's pretty cool. Let's see, now that we have our, because we have our token already in our environment, let's run through some of the rest of this demo here. Do vault secrets, so we can see the secrets, and we create a secret. Let's try that. Looks like it works, and if we do get...
A
Yeah, cool, so that all works. So we are now able to authenticate with our Vault, so we got our Vault working. So let's see, cheers for that. That's pretty cool! Let's go ahead and see how we're doing here. Everybody, hope you're all doing well. I'm not seeing a lot of feedback on the chat, so just let me know if you have questions. I know it's a lot of information and I'm trying to cover it in a pretty cohesive way.
A
They do have some constraints, though. Like, you can provide them the certificates, but if you want to do so, the expectation is that the following will be encoded in, right. You'd be, all the references involved, service as an internal service, and so these are kind of like the mechanisms within Kubernetes that allow you to do discovery. All right.
A
spec.backend is a required field. It tells you where to put it. I was actually just using S3, the S3 bucket in the example, but there's like a lot of other options: you can do in-memory, Swift, you could use etcd as a backing store. Lots and lots of options here for Vault, and this is actually specific to Vault; this configuration option is specific to the configuration of the Vault server as it relates to KubeVault. It's a very cool project for helping you manage Vault secrets.
A
Then you have this thing called spec.unsealer. We already ran that command, but let's take again a look at our my-vault. So our spec.unsealer, it must be the default, I don't see it in here, and what it tells us is, like, how many secret shares there are, what the threshold is. Presumably it's like four by default and two is the threshold, and then how long, how many times should we retry and over what period of time?
A
Then you have your template, whether it's a NodePort, whether it's a LoadBalancer, what the source ranges are. Lots of really great stuff written into this spec that you can use to really tightly constrain, like, what has access to that particular Vault instance and who can authenticate to it, where you want to run it. It's an option with the image pull secret for getting the images, the...
A
You have auth methods. This is pretty cool. I should have actually turned on the Kubernetes one, but optional fields, and if you think about it, like, these are all parameters you would use, like, normally in configuring Vault, right. Nothing here is specific to the KubeVault implementation.
A
This is just the KubeVault implementation supporting those parameters that would be made available to you, or exposed to you, if you were going to deploy a Vault on your own, like, on a server, and these guys are just making them a lot easier to reason about, all of those parts, which is pretty cool. So our vault status is actually the status field for that Vault, and we have already looked at that. But let's look at it again: kubectl get vaultserver demo.
A
So here's our vault status. We can see that it's unsealed, and that this particular Vault is active. Oh, looks like, awesome. It's awesome. The status says Kubernetes already, it already enables that, presumably because you're deploying it to Kubernetes, so that's pretty neat. So, like, as we get into the CSI stuff...
A
You won't have to actually wire that up. So, yeah, I mean, like, lots of really cool stuff, and, like, the vault status, I like that it actually goes through a transitional period, right, quick, whether it's active, standby or being initiated. There's lots and lots of really good stuff written into this spec.
A
You use the key/value secret engine in this CSI. So before we begin, we're gonna have to, so, this will be kind of like the part that I have not explored at all prior to the show. So this will be kind of a fun part that we hack through in this week's episode, and this week's episode we're gonna...
A
So what does it happen? So these are the things that they're asking us to create. We're gonna go ahead and, like, we're gonna walk through this policy, walk through this stuff, and make sure that all kind of makes sense, but it'll be interesting to kind of figure this out. So we have our CSI service account.
A
Okay, so here's where we were with our create, our service accounts. They want to create a service account in the demo namespace that has token auth. So this is actually the service account that Vault presumably is going to use to authenticate, or it's going to use to review the token provided by the caller to ensure that they have access to it. Let me back up a sec to kind of talk through what's happening there. A lot of this has already been taken care of for us.
A
But let's talk through what's happening. Vault can use a variety of different forms of authentication to provide entities access to secrets, whether that means read/write access, whether that means read-only access, or even access to a particular subpath or set of secrets, right. But how do we actually identify those users or consumers of those secrets, or even the creators of them? How do we actually get a list of things that are going to try to authenticate to Vault? By default...
A
Now that auth client token represents the token that you will then use to interact with Vault. So let's walk through that flow again, just to make sure it's really clear. So I can use my service account to authenticate to Vault, and that authentication mechanism, right, will basically ensure that Vault sees my service account as an entity that has access to this particular Vault. But what permissions, like, how do I authorize, or how do I actually, from then on, authenticate to go get a secret? How do I...
A
Actually, what token do I use to, say, that vault command earlier that we saw, vault get secret foo, right. I would not be able to use my service account to do a vault get secret foo. I can only use my service account to authenticate, or log in, to Vault. Once I've logged in, it will issue me, for the period of that login, a token that I can use to then interact with Vault as my credential.
A
So it's like two things, and it's neat, because if you think about it, that service account is something that's shared across the entire cluster, so I don't really have a good understanding of who is using that service account. Sorry, not the entire cluster. A service account is available to anybody within the namespace, and so anybody can use that service account to authenticate to Vault and get this token.
A
But the audit log piece is actually pretty compelling, because it means that, like, any call to go get a secret or to create a secret, then we get secret. I can understand who was, what client token that happened with, and as part of the Kubernetes authentication piece, it's going to return to me a lot more information about that client. So pretty cool stuff, as far as, like, what you can actually do. But yeah, to just go over it a third time, you know, the magic...
A
is: you use your service account to authenticate to Vault, Vault will provide you a token, and that token is the thing that you will be able to use to do vault get secret, vault delete secret, vault put secret, all those things. And what's interesting, when we think about the way the CSI works, the CSI driver for Vault is actually gonna be doing all of that work, and so it would be interesting to see how that works. Let's keep going.
A
This is the JWT token that was issued for that service account, and that's pretty cool. You kind of see how that's happening, right. So we already know the secret name, we're in that same namespace, we're just doing a JSON path to actually grab the token value, and then we decode that, and that's pretty cool, because it is actually stored in base64 format. So now we're gonna grab the CA cert, which I think I actually already have uploaded, but let's go ahead and grab it anyway. So...
A
You know, this is cool. This is actually going to be where we relate the service account to a particular path inside of Vault. So because we have our test policy, we saw what our policy was, and we know that that token is, we're gonna issue, for this thing, one, it actually issues one that's gonna be for 24 hours. So we'll talk through that here in a second. We get on the big screen here. So, what we're doing now, earlier...
A
So now it means, so now, like, we're going to go through this further. But basically, what this means is that I have now the ability, as that service account, to authenticate to Vault. The token that Vault will provide me will match the policy that has been given, which will only allow me to read the secrets, but it will allow me to read secrets at pretty much any path, right. So that's what we've got defined so far.
A
We'll talk a little bit more about AppBindings. I think this is actually a relatively new idea that I've seen the AppsCode folks starting to work on. I haven't actually explored it myself too much as far as what's happening here, but I think it's actually a way to ensure that you have a reasonable implementation of providing access to particular things back and forth between entities within your Kubernetes cluster, kind of a better security model for that.
A
Yeah, so there's the AppBinding that we want to create. It's going to be in the vault AppBinding. We create, in the namespace demo, the clientConfig, the URL, what's that, and then we have parameters: kubevault.com/v1alpha1, which is, right, VaultServer configuration, the pod service for the CSI driver. But what is this?
A
That's actually looking at the certificate that's in front of Vault, and the certificate is going to have, as part of its CN, everything I need to build the URL here, right. Like, we know that it's listening on port 8200, we know that this is the DNS name, so we can actually interact with Vault using that from within the scope of this AppBinding. So let's go ahead and edit that.
A
And no events. We've seen policy delete. Oh, that's because, this is the reason it knows what to get, is because we're defining it in the parameters of the StorageClass. So they're saying it's the kv engine, the path kv, the ref is demo vault, and this is where we are defining the, that's where it's getting the AppBinding stuff. All right, this is where we're referring to the AppBinding, and then the secret is my-secret. That's pretty cool, so it'll get the AppBinding.
A
You can see that StorageClasses are not namespaced, which means they can only be accessed at a cluster level, and that's another one of those boundaries, like, for things like your access stuff, right. We can limit access to the ability to read, write, mess with StorageClasses, talk to things that only have, like, a cluster view of the world, well, to the namespace for you.
A
I see the AppBinding. I don't yet, what I'm looking for right now is, I'm looking for the thing that would do that mounting. So, but if you do kubectl get pvc -n demo, you see it's pending, and I don't get what would actually make that do anything, like, I'm not sure where that would come from. I don't know where the code sits that would actually make that mount. It's a CSI, but I don't think I've actually installed anything that would satisfy that. I...
A
Griffen
name
should
be
dimmable
app,
not
demo.
All
that
yeah
agreed
yeah,
that's
what
I
was
looking
for.
It's
a
CSI
driver,
but
it
doesn't
actually
describe
that
here
in
this
document.
So
where
is
to
CSI
driver
using
the
CSI
driver,
so
where's
that
CSI
to
remember
at
let's
take
a
look
back
at
our
Docs
and
see.
A
Let's look at this install script. So this is going to drive our CRDs, our CSI drivers and CSI node infos. It's going to use my current kubeconfig. There's a cleanup command option also, which is pretty cool. The AppsCode environment tells it whether it's prod or some other environment, presumably to select, enable more logging or that sort of thing. One of the functions in here is to determine whether it's part of a git repo, to detect the tag.
A
We do a bunch of exporting of stuff, basically setting things that we're probably going to be using inside of the rest of the script here, environment variables that we can actually override, which I like, you know, like, basically exposing all the things we could pass in, you know, to the user, so if they want to change it. Again, setting a priority class, cool stuff.
A
So yes, you're right, you need to install the CSI driver. So vault-operator here is only covering the installation. Yeah, exactly. I thought it maybe was complaining. The two of it, it makes sense that CSI would be different. So the reason why we wouldn't have an operator to help maintain this bit for us, would kind of do it, is actually, if you look at the CSI thing, it's actually managing that side as well. So it just plays ball with the Vault operator, just set up a binding and role.
A
So, where you see csi-vault-node, that's going to be one per node, right. So for every node I will have one of these CSI instances running, with mounts to that underlying node and access to actually register that CSI piece. So that makes a lot of sense. That's actually pretty darn cool. So let's look at the logs for csi-vault-controller. I bet you that is where we will find that typo thing happening. So kubectl logs -n kube-system...
A
We got four nodes landing on 10022 20. So if we do kubectl get -n kube-system, grep...
A
Describe demo.
A
Sadly, we're running into this issue, and the error is really fascinating, because the error is that the kubelet is complaining that the pod name is not found. So it's like somehow the CSI, my presumption is that the CSI driver, when trying to mount this volume, is not able to identify the actual pod that's running, and so it's not landing it. This was the actual error that we saw.
A
All right, well, looks like we're kind of stuck on that part of it. So that's unfortunate, but let's keep moving. I guess that's about as far as we're gonna be able to get with KubeVault today. I think it is now 3:22. Okay! Well, thank you all so much for your time, and I'll revisit this again with Kim Isetta in a future TGIK. So thanks a bunch, see you next time, bye.