Description
Join Evan as we explore https://github.com/kcp-dev/kcp, a Kubernetes apiserver without most of the built-in Kubernetes types. Learn a bit about the goals of the project, what it's good for now, and what it might be good for in the future.
A
Hello, everyone, welcome to TGIK.
A
It's Friday and I'd say I'm happy to see you all, but I'm, I'm not seeing you all, you're seeing me, so we've got a pretty busy day.
B
A
So we've got, I see, Jason in the chat. We've got Jason Hall here today and we'll be talking about his program. I didn't get a chance to set up StreamYard, so he'll be in chat and I'll be on screen, but maybe sometime we'll get him on screen too. We'll be talking about kcp, which is a minimal Kubernetes API server, and first, let's see.
A
Yes, there we go. First of all, we'll be doing our week in review, so we've got a little bit of notes here of stuff going on in core Kubernetes. For those of you not in the know,
A
There is a shortcut, tgik.io/notes, where you can add any news that you're aware of or if you want to take notes during the stream. It makes it easier to compile stuff later, and yeah, welcome everyone. So the first one is just a head up, heads up that there are patch releases next week, if you're using dockershim. I think that this may affect you if you use dockershim and port forward. So hopefully you are not in that combo.
A
But if you are, good luck, and then there, the last alpha release of zero of 1.22 is out.
A
A
So it's pretty cool to see, you know, Kubernetes is still building and maturing and adding, you know, adding these sorts of tools so that you can be sure that you are getting the software you know about or that you intended to get, and you can figure out: is it vulnerable to this or that upstream library? Maybe we'll do a future episode on what all that means.
A
A
I need a new machine, give it to me. So there's a Cluster API providers for GCP and AWS and for things like vSphere, and, and there may even be a bare metal one where you have to, like, turn on the machine, but then it will get things booted up after that, so yeah, that's CAPI.
A
It looks like it's, it's a lot since the last one, so maybe, maybe there'll be a TGIK about that one too. SIG Node is also doing a bug scrub soon. So if, if you're interested in participating in SIG Node, this is probably a great chance to get in and figure out, you know, okay, which of these issues are really important and which ones, you know, oh, this has been open for two years and maybe it's not even really reproducible anymore.
A
Similarly, in more, in more making things cleaner and better news, GlusterFS and CephFS are not going to be in tree anymore, so I'm actually on my home cluster running Rook, but they have CSI plugins, Container Storage Interface plugins, which means that there's a plug-in model and those teams can maintain it without needing to go into the Kubernetes tree and version their software alongside Kubernetes.
A
So that's all goodness, technologies that we hadn't figured out when Kubernetes launched and everyone jumped in and said, how can I get my storage in there? There's better answers now, and so Kubernetes is getting a little smaller.
A
I do not see Equinix in that list. There is a Metal3. I think Metal3 managed bare metal hardware, so I don't know how all that works, but you can dig in and.
A
There's a bare metal, there's controllers and operators and stuff like that, and I'm not going to dig in here right now, but if you're curious, the CAPI book has a whole list of the different providers right now and you can see that there are like 15 or so. And now it looks like you can do Kubernetes dev, upstream Kubernetes dev, on Windows much more easily, so that's pretty cool.
A
I do have Windows Subsystem for Linux and I'm going to be using it a lot today because I don't think it'll be helpful to rake Jason over the coals for stuff that doesn't work on Windows right now, but there's lots of developers out on Windows and some developers who only have Windows. So it's great that, it's great to see that coming along as a sign of maturity. And then I only had two notes from the larger Kubernetes ecosystem.
A
This is my personal, the stuff that's interesting in my personal bubble, but I'm sure there's more stuff out there. If people want to add notes, go ahead. So Lightbend launched an Akka Serverless platform which looks like it's using Kubernetes, pods and stuff under the covers. Akka is a, oh, okay.
A
Packet, good to know. Akka is a distributed actor model built on some fancy and complicated data structures called CRDTs, and basically the idea with CRDTs is you can get changes in on two different hosts and you can safely merge those changes later to get to a reasonable and sane state, and so this is a platform where you can go in and you can run little bits of code that, you know, work alongside your data and use these safe data structures to not just serverlessly.
A
You know, do some compute and put it in then a, like a SQL database, but you can actually have your compute scale up and down alongside your data or a lot, your computing, your data scale together in your and store together, and I've only, like, I've literally opened it up and said, oh, that's pretty, and closed it up, so don't know a lot more about it right now, but I saw that it was based on Kubernetes, that seems kind of interesting. And then for those of you who haven't been following the sigstore project related to the software bill of materials.
A
A
A
So for those of you who know a little bit about my background, before I moved over to VMware, I worked at Google, and Google's Cloud Run product actually exposes a Kubernetes-like API for the Knative custom resources and it doesn't expose the rest of Kubernetes, and you can mentally think about it a little bit like, hey, I've got access to this slice of a Kubernetes cluster, this namespace with certain RBAC that lets me see certain things, and then the underlying implementation that Google has for, for their managed Cloud Run product is actually completely different.
A
It's built off of the same serverless infrastructure that powers Cloud Functions in App Engine, but it looks like Kubernetes and you could use a Kubernetes-aware tool to manage it. So you could use something like kubectl to upload your manifests, and so kcp is an attempt to actually make that simple and reusable infrastructure, so that you can use the Kubernetes controller model to, to manage things, but you don't need to actually do all of the, you don't actually need pods and stuff to manage that. You can have controllers that sync things.
A
The first example that they have is a demo that lets you do multi-cluster by creating deployments and then splitting them out across multiple different actual physical clusters. They also point out that you could do this the opposite way. You could give everybody their own Kubernetes API server and their own etcd that they can beat up on and then sync the resources out, using a controller that you run into a common infrastructure cluster using the.
A
I think the, the local Kubernetes development, where you're actually, like, when we're working on Knative a lot of the time, we're worried about the logic of how does a Kubernetes service or Knative service map down onto, like, deployments and network policies and whatever else, and you could actually create these things. You know, create a mock environment using kcp where you don't, you don't need the whole real Kubernetes underneath reconciling things and you just, you stick in custom resources for the types that you care about.
A
So the, I think, I think the question was: what are the use cases for kcp? So I think kcp is infrastructure. This, this is squarely, as an end user, you're probably never going to directly use kcp. You might use kcp within a product, but you may not even know that it's using kcp. It's, oh, there's a little bit of output there, okay, well, we'll see.
A
What's going on there in a minute. You wouldn't directly use kcp, but you could, if you're using a tool like, a couple weeks ago I did, I talked about Crossplane, for example. Where are we? Here we go.
A
A
They install custom resource definitions and then they use that to provision underlying resources like an RDS database or something like that, using the same, the same controller mechanisms that you'd use for, like, a, you know, something that's on the cluster, but instead they go and create an RDS instance somewhere else, and you know, there's no particular reason that you need to actually have underlying Kubernetes stuff for a lot of this, so Crossplane is an example of a place where you might have a cluster.
A
You sync out, let's see, using something like Flux, you may sync a bunch of resources into the cluster, use Crossplane to create RDS, you know, RDS instances or the like, and what you'd be checking in at the beginning would be YAML of what you want your configuration to look like, and so you have a simple declarative model for what you want your configuration to look like. You check it in and then it gets exploded out into resources.
A
It would look a little bit like Terraform in some senses, but it would be continuously reconciled, whereas my understanding with Terraform, not having used it a lot in anger, is that you tend to intentionally do a terraform apply rather than having it a continuously reconciled process in the background.
A
You know, where Terraform is mostly a complete stack from provider to language to deployment. You can delegate service access, so kcp is a Kubernetes control plane, so it has RBAC. It has Kubernetes RBAC. That is one of the types that it has and it has service accounts.
A
A
He checked in some docs and I chatted with him before this, and so this is describing the multi-cluster demo.
A
Kcp doesn't currently support validating or mutating admission controllers. So if you have things that you want to use like OPA policy for, that won't work with kcp, unless you extend kcp to start supporting the admission controllers. Let's see, this is just saying fail to list, so I'm going to guess.
B
B
A
A
Oh, should support admission webhooks eventually, okay, I thought it was a design goal not to. My mistake. It sounds like kcp will eventually support admission webhooks, which is great because.
A
Yeah, oh, and Jason is, well, you can have limit range objects and not actually do any admission control on them. Oh, you need me to zoom in, thank.
B
A
I always forget that not everyone has a great screen and great eyes for it, so yeah, so we've got resource quotas and limit ranges, and I don't know if those are enforced.
A
It looks like a lot of this is pulling in Kubernetes control plane stuff directly, so this is mostly aiming to actually build with the Kubernetes code, with a little bit of extra stuff, not to fork more than is necessary, which I think is a good decision, because core Kubernetes, it may feel like the KEP process is really slow, but there's a lot of motion in that repository. So keeping up with it is challenging.
A
I was just noticing that events were in two different API groups, so I don't actually have, I'm gonna take a look at this control, this cluster controller a little bit, but then I think I'm actually gonna go off and see if we can get authorization working. Oh, let's see, we get somewhere in here. I was told to find my kubeconfig here, and since this is going to go away real soon, I'm not too worried about looking at this, and right now it looks like we have a user with token-based authentication.
A
A
Kcp does not really compete with k3s. So for those of you who aren't familiar, k3s is a project started at Rancher where they've taken the Kubernetes API server, they've replaced the underlying storage, which is etcd on Kubernetes, with MySQL, and so they use MySQL for all the storage layer, but otherwise it's a complete Kubernetes, so it still manages nodes and pods and services and endpoints, and if you've looked at how pods and pod labels and services and endpoints all line up, you can kind of imagine that it would be hard to build a Kubernetes that had half of those and not the other half, the network.
A
Oh, it's SQLite. Okay, I stand corrected. It was some form of SQL when I couldn't remember which kind, but yes, so they, they have an alternate backing store, which they feel makes it easier to administer and higher performance.
A
But it's really a different approach and you could imagine combining the two approaches. So if the k3s patches and the kcp patches were mostly compatible, you could imagine running a kcp where, okay, yeah, it sounds like they have an etcd shim. So you could use the etcd, you could use the etcd shim with kcp.
A
A
So this is a walkthrough of how to set up Auth0 so that you can authorize to a Kubernetes cluster, and this would me, this would be a step towards, if you actually wanted to run kcp for a service, like if you were going to provide, if you were going to provide Crossplane as a service or something like that, you might want to do auth using something like GCP credentials or Microsoft credentials, or something like that, and so this is a way to get in and do that.
A
A
Okay, looks like I had a brief network connection hiccup. So, let's see, we will.
B
B
B
B
A
A
URL, so it looks like the API server will only support a single issuer, but since we're using Auth0, I can use my Google auth to auth to Auth0 and then Auth0 to auth to the cluster. So let's see, looks like this is the new parameter name, yeah.
A
B
A
A
B
A
While that is figuring out what is available, let's go back, and so this is defining a new cluster type. So this is, we're going to go through, through the official tutorial for a moment or two while I go digging that out. API version, yeah, okay, so this is just a, this is just a CRD and the spec has a kubeconfig.
A
YAML serialized, oh, it's a kubeconfig file! Oh, that's interesting, because your kubeconfig may have access control secrets in it, so I probably would have had it be a reference to a secret, but it's also a demo. So.
B
B
A
A
And it looks like it's just gonna keep complaining that it doesn't know about services and endpoints, so we can probably just keep going from there, and I'm guessing that's some of the, did I mention this was an early project? This is some of the code that kcp would like to clean up so that they can just say don't watch services and endpoints, but.
B
B
A
A
Oh, it looks like we can create multiple logical clusters by pointing things back.
B
B
B
A
A
So yeah, I don't see clusters in here, there's a deployment.yaml, clusters.
A
I'm wondering if, here's our custom resource definition again, cluster example dev clusters, so.
B
A
Okay, that was apparently a momentary, we observed etcd in the middle of reconciling things. Now things work, and now we have a cluster resource type here.
A
So yeah, this is one of the fun things that you get when you're using etcd as a backing store, is unlike if you're using something like SQL and you do an alter table, like, you will, you know, every other query will see either before the alter table or after the alter table, but because Kubernetes is eventually consistent and it's doing this reconciliation process, you can actually observe the cluster while it's in the middle of adding a new cut, a new type, and that usually doesn't go well.
A
It looks like that made this happy. It's able to list the clusters now, and then they run it, we run a deployment splitter as well.
A
I'm wondering, Jason, I see you have two different ways of defining kubeconfig in here. I think that probably only needed to be one, and it looks like the only argument to deployment splitter is a kubeconfig.
A
A
A
B
A
If I connect it to a cluster, this is my personal cluster where I run stuff that has all these types, it's not going to sync them all over.
A
B
A
Okay, so now it looks like we have deployments, and then the next step in the demo is.
A
Whoops, we create these clusters and then we get the syncer up and running. Oh, the syncer will do the type syncing and it will sync things up and downstream, and only if they match a certain label. So I can say: okay, only put it in my cluster.
A
And then, let's see, it will sync things down and then it will copy the status back up. So you can have deployments in, like, three different clusters and then have all their status in one cluster, so you can look at that easily.
A
A
And it looks like the deployment splitter will intelligently figure out how many to run in each cluster. So I can say, I can run something like a horizontal pod autoscaler in my kcp cluster, horizontally scale, you know, okay, I should have 15 deployments or 15 instances, and then the deployment splitter will figure out how to align them down to lower level clusters.
A
If you're all running in the same cluster, that would, that would work really well, or in the same, like, AZ or region, but you need different Kubernetes clusters for redundancy or you've got different data centers, or something like that. You could improve that.
A
So kubectl works a couple versions forward and back, so let's see, I should be able to say kubectl versions, control version, and my client version is v1.21.
A
A
So that other cluster over here.
A
A
So you could do the same thing with CronJob. DaemonSet actually feels like it would be really powerful because you can have a set of DaemonSets, like your monitor, all your monitoring agents or all of your load balancers, in a single kcp cluster and then replicate it out to multiple instances and kind of have a policy that says, hey, these are the agents we have running everywhere.
A
And then a bunch of other ideas about what we could do. So, let's go back, I've got about 30 minutes or so at least, and so we were looking in authentication.go and trying to figure out where all this is called.
A
So if we go back here, I see the flag that adds the OIDC issuer URL and it's called from here. Let's pin.
A
A
A
Oh, this is the file we're in, so server run options.
B
A
B
A
A
A
A
ID, so, let's see if we're over here following this example: issuer URL, username claim and client ID. Client ID, username claim and issuer.
A
A
And now, let's see, we're gonna go back over here and, oh, while I'm doing this, does anyone, do people understand how OIDC usually works?
A
A
You know, trailing slash there, okay, and so the goal here is that we're going to be able to take a token from Auth0, we're gonna copy this over, and we're going to be able to go to Auth0, get a token, put it into our kubeconfig and use that to authorize ourselves using our Google account to the Kubernetes cluster, and you could use this for the dashboard. You could use this for Octant or something like that.
A
A
Yeah, I was, I was curious, but let's see, if we do this and then, let's see, over here, I was running kcp, make everything sad and start it again.
A
Yeah, I don't know how much, I don't know how well Octant will work if, if the, you know, if API resources that it expects, like deployments, aren't there. You could also see that as, you know, RBAC saying, oh, I won't let you see it, but if you go to, like, API versions or API resources, then it seems like you might.
A
A
B
A
Yeah, who knows, maybe I will spin up an extra copy of kcp and see if it'll run on Windows.
A
You knew it was coming. Okay, so we've done this. Let's.
A
A
Cluster test OIDC connect tokens with kubectl. Oh, coming soon, of course. Deploy Kubernetes dashboard.
B
A
Proxy, so this is showing how you could use the Kubernetes dashboard with OIDC tokens. My understanding is that that's not necessarily considered a great idea, to have a web service where you're taking your auth tokens and, and using that to get, like, administrator access to the cluster.
A
A
I can't start a bitcoin miner using kcp, because I've got no nodes, like, there's no compute available for someone to go and latch onto. So, let's see, we're gonna go here. This is OpenID, this is the Auth0 OpenID tool for sort of getting stuff to work. So.
A
We can set our configuration, and my auth domain is evonated at us.
A
A
So now we'll do the request to do an authorize, and so this is Auth0 sending me to log in. I can say, continue with Google, here's my account. Now, so one of the exciting things about OpenID Connect, I've just gotten a refresh token, but it's bound to the audience of this application. So if you take it somewhere else, that token shouldn't help you log in anywhere else. So now we can exchange that access code in for a, for an ID, for an ID access token and.
A
A
A
A
So, let's see if that works. I'm gonna go over here to our terminal.
B
A
B
B
Request server skip headers, senator, okay, sorry, it.
A
A
A
Oh nice, that gives me all the TLS stuff, and then I'm getting a 401.
A
Oh yeah, but if I say the authorization is masked, that's almost certainly not going to help. Let's see, if we go back over here. This is, this is updated at this time and expires. I do not know how to read.
A
B
A
A
Oh, this is working, I'm getting authorized, but I don't have permissions to actually use the, to actually use anything, because there's no RBAC for me. Oh, that's exciting!
A
A
B
A
Let's see, ooh, system basic user, that looks good. Oh no, maybe edit, view, view is even better. Okay, retro create cluster binding.
B
A
Oh, one thing I learned that is fun and exciting: case matters here and, depending on your Google account, it may not all line up. In this case, it's lowercase. There are other APIs where you'll actually get things capitalized sometimes instead, and that was a huge pain I want to have to deal with it.
B
B
A
B
B
B
A
B
A
My VMware login is m a, so I keep adding an extra letter over what I needed here. So the auth is working, and we know that because I'm told this user cannot get this path, but it seems like a delete, funk returned.
A
Did we get any new logs? We don't get any new logs.
A
About permissions here, yes, the default context is pointing to the kcp cluster.
A
You can tell that because I can say kubectl api resources and I get just this list, but this curl command is also pointing at the cluster, because it's got this localhost IPv6 address. It's kind of cool that you're defaulting to IPv6, but since it's localhost only, that should work unless someone is not dual stacked at all, and I'm guessing that they're just, you're just using whatever you get out of the Go libraries.
A
A
We have no service accounts right now, oh, because we were running all the controllers as the loopback user, so they were all cluster-admin, yeah. I would have to dig a little bit to figure out where that auth is. Let's see if I look for the string loopback.
B
A
So we create two con, wait, so I see we're creating two contexts here. If I do a kubectl context, oh yeah, okay, so we have a user, but they're the same auth. So the fact that they're named user doesn't change anything.
B
B
B
A
B
B
A
It'd be nice to have the web, webhook stuff working too. Yeah, so Jason is commenting in the chat that you can actually build kcp and your controllers into a single binary for actually running things. So you could, you know, if you wanted to have, for example, hey, this is a service, a web service that uses kcp and manages, I don't know, like Akka Serverless, that we were talking about earlier.
A
We have the client ID, which I think is the audience field.
A
Oh, dot authorize.
A
I don't think there is server options dot authorization.
A
The, this tutorial about how to do it is pretty old for the Kubernetes and it suggests an authorization mode, but it looks like that's.
B
B
A
A
A
B
A
A
Yeah, I've got to run soon too, so we got close. We actually got author is authentication working.
A
So I'm excited about this as a way to sort of build, you know, new cloud services that look like Kubernetes.
A
A
Yep. Okay! Well, I think maybe Jay or Joe or someone is going to be there next week, but I will probably see people in a couple weeks, and this was a blast. So thanks for hanging out with me.