From YouTube: TGI Kubernetes 048: Exploring the Harbor
Description
Come hang out with Duffie Cooley as he does a bit of hands on hacking of Kubernetes and related topics. Some of this will be Duffie talking about the things he knows. Some of this will be Duffie exploring something new with the audience. Come join the fun, ask questions, comment, and participate in the live chat!
A
Happy Friday, everyone, how you doing? This is TGIK number 48 and I'm Duffie Cooley, your host for TGIK. Okay, very good to meet you all. Can see we've got quite a few people already logged in, its own comments from all over the place. So hello to everyone. We've got, let's see here. Yes, Maddy, hello, Maddy, good, good to meet you, good to interact with you on Twitter, and thank you very much for the warm welcome, Kali.
A
She will be our moderator today, so any questions and anything, you throw them in the comments and I'll make sure I see them if I don't see them. So please feel free to ask questions as we go along. I'm also welcoming Giorgio 1:39, welcome to the show, suresh fish, no editing from hamburger. We have some folks from Phoenix, Arizona. They have John.
A
We got Roy from Toronto, we got Leonardo from Brazil. We got some people from Bristol, I'm presuming that might be England, but I'm not totally sure. Welcome to San Diego, the Peter Benjamin and Valen from Boston and Dimitri from Serbia, Eddie Hernandez from Guatemala, Antoine G from Paris. Antoine, it's good to see you. Nadir Jiwa from London, James Weber, one of my co-workers, good guy. Rory McCune, good friend, who was also really interested in some of the security stuff. Josie.
A
Now, let's get up your way here and talk about our plan. So I wanted to kind of, I have the HackMD thing set up just like we did last week, so this is kind of the way we're going to be keeping the notes for this particular episode, and this is what we're gonna cover and, like, all that good stuff. We're gonna start with the welcome, which we've already done, which is awesome. Again, welcome to everyone.
A
The next thing is who the heck am I, right? I'm Duffie Cooley and I'm a field engineer for Heptio, and prior to coming to Heptio I was at CoreOS by the year, helping build and support, like, the Tectonic product and really kind of focus on Kubernetes in general. I spent quite a lot of time with distributed systems over the years, whether those systems are networks or, see, we're getting some buffering, it looks like.
A
For Heptio I'm gonna do this, I did this at CoreOS. Been working on Kubernetes since about 1.5, 1.6. Before that I worked on Mesos at a large company in the South Bay and spent quite a lot of time working with distributed systems in general. Anything from, you know, working with networks at Juniper Networks or working with distributed systems in general, so fun stuff. So that's kind of what I bring to the table.
A
I've been playing with everything for far too long and I have a lot of experience across a wide variety of things, so that seems fun. Thank you for the feedback, looks like it's going a little better. I am, Mike, I've been, I'm using Linux for this rather than a Mac. That's probably my problem. I probably gotta get a beefier machine for this sort of streaming, which I'll take into account for next time for sure. So, I wanted to kind of talk.
A
Some of the show notes I have here. Anybody who wants to give footnotes up, they could put these things up right in this link right here, which is BHT gjk 48. That's the link to the HackMD document. Carly Shay will be managing that, and that's awesome, I'm not slaughtering your name. Moving on down the list. So today, what I'm going to be doing in my demo is I'm gonna be exploring Harbor, which is a container registry. That is a, that is actually going to be.
A
It becomes pretty clear to us that we would want to make sure that, when we're downloading those 200, 300 gig, or sorry, 200, 300 meg images down from our container registry, that we don't want the nodes to have to go too far to go get that data, right? We want that local, want that to be locally relevant. So we have a Kubernetes cluster in California and one in Texas, or one on the east coast, one on the west coast.
A
It's coming, coming timing to help you. I was actually really, really glad because, like, when I, so I worked at Apple for a little while and when I went to Apple I broke my streak of running Linux on the desktop. I had been running Linux on the desktop since about 92 prior to that. But when I joined Apple, so much of their stuff was ingrained with the OS stuff that I, I really went to a Mac, and so once I left Apple I was still on the Mac.
A
Yeah Moody, I'm not sure. I know that Quay does use some torrents for moving objects, for images around, but I'm not totally sure about that for the Harbor piece. I haven't looked into that yet, but if we get to the point where we stand up two clusters and play with that, maybe we'll look into that and find out.
A
So in my environment, I'm gonna set up a local, local kubeadm DIND thing, and that's why I have reference links down below. So for my test environment today, I'm gonna use DIND to stand up a Kubernetes cluster and then we're going to deploy some stuff onto that Kubernetes cluster. We're going to deploy ingress with a cert from Let's Encrypt, we're going to deploy goharbor on top of that, make sure it all works.
A
They will start pushing images around, kind of playing with that sort of stuff. It should be pretty fun. That's my overall plan. Before we get into that, though, let's do kind of what happened this week. So, community meeting summary. So I don't know if you guys followed this, but there's an lwkd.info page. Definitely recommend just kind of reading through that once a week, understanding what's happening inside the community. There's a lot of really good stuff around what's at home.
A
We have a new design for kubectl plugins, which I think will actually be really interesting, because the idea is that you can actually have a kubectl plugin just described. You just describe the binary as kubectl and then whatever the name of your plugin is, and the kubectl command will be able to discover it using that path, rather than having to define that plugin using, like, metadata within your kube directory, which is how it works today. You can, we'll just be able to describe, would be able to find it and.
A
Works, which is interesting. Like, if you actually look for all the binaries that are related to git on your, on your file system, you'll find that, like, you know, git pull, git push, all those things are actually individual binaries. It's a git, it's a model to kind of discover all of those things. Kind of neat stuff. Some of the other stuff that has happened, some of the other merges.
A
We have a couple of kind of important fixes: DNS loop detect, kube-dns, which will be good. Fixed buffering performance, near and dear to my own heart in this particular case, as you can probably imagine. We're reducing the work that anti-affinity checks do because probably it just takes a little too long to get that done. That work would be in the scheduler, but interesting stuff.
A
Time once again for voting for the steering election committee, and it's important. Like with anything, you gotta vote, gotta go out and vote, whether it's for, you know, government stuff or whether it's for things that you care about, like Kubernetes. Make sure you bring that stuff up. I didn't know it was run by Josh Berkus, good pill, Josh. That's awesome, I really like that that actually exists, so thank you, Josh. Shout out just even for pointing that out, I really appreciate that. So, eligibility for voting.
A
Now this, now we know that this is a somewhat limited view in how you could be determined eligible for voting, but we have to start somewhere, and this is how it's done: if you have 50 contributions, and that doesn't mean that you've actually committed 50 lines of code. That means that you actually, you know, comment on things that are happening within the kubernetes/kubernetes GitHub repository, or you open issues, or you, you know, or you do contribute code or you do stuff like that.
A
We know that, for example, I'm a field engineer, I spend a lot of my time teaching people about Kubernetes and helping them resolve a bunch of different stuff, but I don't really spend a lot of my time on the Kubernetes repository. But I do think that I should get to vote, so I voted that, I went ahead and filled out a voting exception form, and we'll see how, I wanna see what happens. I did this last year.
A
Also, when I was at CoreOS, and it worked out great, I was able to vote in the, in the initial committee. That was great. Eligibility for candidacy: if you want to go next level, you can actually put your hat in the ring, and then I guess it's three people from three different companies can +1 you, and then you're in the running, that sort of stuff. And there's usually multiple seats, but Kubernetes, as you already know, are well aware, it's really all about maximum respiratory represent.
A
We want to be super inclusive across all the things, so we really want to make sure that we get, like, everybody's opinion about, you know, everybody's opinion, that everybody feels included in what is happening within the community with regard to its governance, with regard to whether you feel comfortable contributing to Kubernetes, with regard to all that. So help us be the change we want to see in the world, help us be inclusive. Here, terms in elections, tech, titles, all this stuff is actually in this doc.
A
What else did we want to cover here? Another shout out to Jorge, or Jorge, who is not here this week because he is having internet problems of his own.
A
Jorge had actually put up a really good video here, talking about discuss.k8s.io, and discuss.k8s.io is kind of like a newer idea on the whole mailing list approach, right? So it's not quite as, not quite as challenging as, like, Google Groups is, it has been in the past for dealing with things. But go check out this video. Jorge describes it way better than I ever will, and you should really just go take a look at it, and you should also go check out.
A
Which is an awesome site where we can actually, like, start opening conversations around saying, listen, really kind of, like, interact with each other in this model as well as, it's like, I mean, Slack. A lot of people consider Slack to be kind of like the abyss that we all stare into for a period of time. I don't appreciate, I don't personally feel that way, but there's a lot of people who are just like, it's far too much going on in Slack for me to really follow, I need a better threading model. This, this.
A
One of the things that's happening on discuss.k8s.io, I think, is really interesting. It's this board, which is a contributor role board, and the goal here is to actually put up requests, you know, help connect people who are operating particular projects or some projects within Kubernetes with people who want to help, right?
A
You can see that on this list there are people who are asking for people to come step forward and help out with projects, and there's also people who are saying, I'm interested in helping but I don't know what to do. So feel free to, like, kind of interact with that here as well. I think it's a great, great opportunity to kind of get involved.
A
All right, so that was the beginning, for the what happened this week and what's, and what's going on. Your big takeaway from what happened this week: get ready to vote for a steering committee and go do it, it'll be really awesome. All right. So, let's start playing with Kubernetes. That's what we're all here to do, it's what I'd like to do.
A
So my background is actually kind of neat, let's just talk about that real quick. So this background is actually live updated and it will update every hour. I started using this as a background when I was in Texas and hurricanes were a thing. I'm in California now, not so bad, but, like, it's kind of interesting if you live in Texas and you kind of watch that hurricane move across the bay. In fact there's one of them right now, headed for, headed for Hawaii, interesting, Lena. So neat background stuff. Bump up my resolution here.
A
So, like I said, I'm using DIND to kind of set this up. There's some interesting stuff also that I'm using that office that I'll talk through here. One of the first ones I want to talk about is an incredible project called direnv. If you haven't heard of direnv, you should go look it up. It's really awesome!
A
Now, if I look at my .envrc here, I'm actually setting some of the environment variables that DIND uses to start up CoreDNS and to pick my CNI and pick my DNS service and to get my snapshot piece. Yeah, that does, hurricane looks pretty darn intense. I'm really hoping that, I'm really hoping that, you know, Pele will scare it away. Pele is the goddess of fire and hot, and talking of the stuff. I grew up in Hawaii, I still have some family over there. So I'm like, you know, maybe just veer off.
A
If I were to, like, edit that and make up a new one, export foo equals Baz, then you hit that really cool security feature of direnv, in which it will not actually allow the change. You have to allow it explicitly, and this makes it safe to check in .envrcs and stuff like that in git, because your local machine, unless you actually have a local, a local allowed, won't actually allow it. So if I do direnv allow, those environments work, and I can, and I can echo and get vars, and that's really awesome.
A
Now the thing I like about, there's some interesting stuff about DIND, there's also some kind of shady stuff about DIND, but I mean, you really got to start somewhere, and I think that these guys have done an amazing job of doing exactly that. Like, I didn't have to wait for very long to see a 1.11 DIND, and that's actually a pretty significant change from 1.10 to 1.11. So it was really impressive to see that happening. But some of the stuff I like about it: it actually does use kubeadm.
A
So if you're working on kubeadm, I spend a bit of my time on kubeadm here, you could actually use this, this cluster as a way to kind of play with the different values or play with feature flags and do all of that stuff. That's really pretty neat. I think you can spin up a number of workers, as far as I know.
A
Right now, DIND doesn't support multi-master, it's just a single master and multiple workers, but the neat thing about that is that, like, you know, leveraging Calico and such, you can actually get a multi-node cluster running in Docker containers on your laptop. So if what you're trying to prove, what you want to exercise, is anti-affinity or something that would require more than one node to play with, stuff that's, like, maybe a little, a little higher than what you would normally work with with MIDI.
A
You can see right now, this is some of the normal output from kubeadm. What it's doing right now is kind of generating all of the certs, creating the static, modern balance, creating the static pod manifests, throwing them into /etc/kubernetes/manifests where they are created, and now it's pulling down those control plane images, so that will start up my master and it'll create the nodes, and then we get to play with, like, you know, what that actually looks like on the system, because these are not the end.
A
These are containers, so somebody basically hijacks, just in useful way, like, run it as a container, which is kind of hard to do. He runs everything inside Docker containers, yeah, and so, which is a, which is a neat feat, because effectively it's running its own little hijacked copy of systemd in each container, and that's, that's how that's being achieved.
A
It runs everything inside Docker containers? Yes, it does. Or does it use something else like Vagrant? It doesn't use Vagrant. I've used, I've got a few environments that I used Vagrant for, but in this case it's actually running, it's running inside of Docker containers, and it's not running Minikube. Actually, this is a, and in my opinion it's kind of a better model than Minikube in a lot of ways, because you can actually have a multi-node cluster that you're playing with rather than a single-node cluster. So.
A
We're bringing up the Kubernetes dashboard. I'm going to get into, like, exactly what's happening here, will just be pretty neat. It's not using nspawn, it's using Docker. There is another one, there's another project that's actually using nspawn, which is, I can't remember the name of it right now, but I think it's, it's basically Kinvolk's test harness. Can't think of it right off, but there is another one that is actually using systemd-nspawn. Pretty neat.
A
More like, I, like, basically a different way of thinking of the problem, but it's pretty neat, though. Okay. So let's take a look at our cluster. This is the kind of a fun part. If I do docker ps, hey, look, there's my cluster. I could see that I have a master and two nodes running as Docker containers, and I can do a docker network ls, and I have a DIND net that is connected to my local bridge.
A
A secret within the cluster that is, that I'm gonna use to manage the kind of fall-through or default certificate, and we'll talk about this pattern here in just a minute. But basically what I've done is I've used Let's Encrypt, who is going through a round of raising money right now. Take a moment, you got a buck or two and you've actually gotten a free certificate from Let's Encrypt, totally worth supporting them. If you're really feeling generous, you can get one of those beautiful pomegranate sweaters.
A
That says Let's Encrypt up on the top. Shout-out to my friend Janessa, who works there. Now, it's just a name. It's an incredible company, doing a kind of a work, encrypt all the things, it's awesome. So I used, I just generated a couple of certs. One of them is c1.k8s, it's a wildcard cert for c1, short for cluster one, .k8s.work, and I've created another one for c2.k8s.work. Not sure we're gonna get to the second cluster, but the first cluster we're gonna stand up right now.
A
This end up my ingress controller, and you can see that I've made the certificate ingress default SSL, and you can also see that I'm basically passing, as a helm, as a helm setting this new, this argument as an extra arg to the controller, and the extra arg is default-ssl-certificate. We're going to talk about why that's cool here in a minute.
A
Try and curl, you know, blah.c1.k8s.work. I can see that it's not connecting to me right now. There's no ingress controller there at the moment, so that's not going to work for me at all. I can do that with HTTP or HTTPS. I'll talk about why blah works here in a second, but first, let's, I guess we give you that real quick right now.
A
Now, you'll remember from before, when I did kubectl get node -o wide, that those are the IP addresses of my workers, kube-node-1, kube-node-2, are 172.18.0.3 and 0.4. So I just created a public DNS record that will route a wildcard to that, to those two endpoints, and this way I can actually attract any host name to those two, those two IP addresses.
A
Right, and what that means is that anything.c1.k8s.work will be attracted to these two IP addresses. Now, this will only work for me because I'm the only one with access to those genetically addresses, but it actually, it makes it a little easier to kind of reason about how to attract traffic to your ingress controllers.
A
Our CN is *.c1.k8s.work. There should also be a SAN there. It is, right there. Okay, pop quiz: is it, is it required to have a subject alternate name on certificates that you're going to be using to extend trust to browsers, or can I just put in the key subject name right up here? Is this enough or do I need both that and this? And the answer is, anybody?
A
Answer is you need both. As of about, I think, 2016, or maybe it was 2017, a lot of the browsers out there, if you don't have a subject alternate name that matches the target name, they won't, even though your subject might be totally accurate and correct, it will not actually take it, it will not honor that certificate. You need to have the SAN as well. This is part of an RFC, I'm not gonna go find it, but interesting stuff. You do need both. Yes, CN, it's not supported by all C.
A
Now, I'm actually gonna use helm in two different ways in this, in this experience. The first one I'm going to use is a thing called helm template, which might be the most secure way to use helm because of Tiller. But let's talk about that a little bit more. So what I'm doing here is I'm using helm template to generate a set of manifests that are going to deploy my ingress controller. If I look at this, it's just leveraging the standard helm stuff, so I have a values.yaml here.
A
This is all the settings that I can, that are well defined within the helm chart that I can apply changes to. I have all of the rest of my chart here, my Chart.yaml, and inside of my templates I have the template stuff.
A
Pipe it to kubectl apply -f, namespace ingress. Well, before I do that, right, before I pipe it out, let's just take a look at it. So what this does, what helm template does, it does the templating bit for you, which is normally done client side, and here it is, right? So this is basically the set of manifests that are generated from the helm template and what they look like inside there.
A
As long as the ingress controller had the right permissions to go and fetch that secret, and boom, it creates all the things. I broke this intentionally because I don't want a service associated with my standard ingress controller. I'm exposing it as a daemon set, so that will actually listen on the specific node's host network port 80 and port 443, and that's because I don't have a load balancer and I don't want one. It's a local environment!
A
We can see, for example, that the ingress controllers were deployed across my worker nodes and that they've co-opted the host's IP address, 172.18.0.3 and 172.18.0.4. So now it all ties together, right? So the DNS setting for *.c1.k8s.work is sending traffic to 172.18.0.3, 0.4. I have an ingress controller that is bound to the host IP and is actually listening on the host, on the host IP, at port 80 and port 443 from within my machine.
A
So here is our wildcard cert that I put up as part of the secret, so you can see that blah.c1.k8s.work matches my wildcard cert, and I can also see, because the DNS side of things, that it is, that it is matching the DNS side of things. So it all ties together, pretty good stuff.
A
I think for my part, I think that I was avoiding Tiller because, I'm gonna be using Tiller here in a second, but I wanted to show both of the different methods. Like, you can actually use helm without Tiller in some cases.
A
If security is your thing, there's also some really interesting experiences or experiments around leveraging an external Tiller, rather than deploying that Tiller within the cluster, maintain control of that Tiller external to the cluster, like, maybe in your continuous deployment process, manage that state there rather than having that state managed inside of the Kubernetes cluster. I'm not going to get into why I think Tiller is a security problem. If you're interested in it, look into it on the internet. There's a ton of really great information around.
A
It's going to put all this in the default namespace, because I didn't specify now mind. If I kubectl get pods, we can see those being created. They also see some weird artifact of the way that DIND is standing up a v1.11 cluster. So it's, probably don't belong in the default namespace, but we'll leave that as an exercise for another time.
A
So now we have our echo service. We can see that we're creating an ingress here that matches echo.c1.k8s.work both in the host path and also in the TLS spec. I'm gonna send that, I'm gonna edit that part, echo ingress. I want to make sure I send it to the actual service port, not this 8080 stuff. Now fine, kubectl apply -f echo ingress, describe ingress echo. You can see that my ingress controller saw the ingress gate registry they might in my default namespace and it created it.
A
I could see c1.k8s.work, Welcome to nginx works, and we can see that we're secure and that this is our certificate from Let's Encrypt. That's all working perfectly. All right, now, let me think about this again. It's because we're using DIND, because DIND is using a Docker network, the IP addresses of these nodes are totally exposed, so I can actually, I can hit any port on any node directly from my little work environment, which really helps me, like, debug.
A
So, let's move on here, let's deploy Harbor, so excited, and then we can start playing with even the more fun stuff. So this is the Harbor chart and it's located, let me show you where that's located, because I shouldn't have tell you let's deploy Harbor. This is Harbor's website, goharbor.io. It was recently, it was recently contributed to the CNCF, which started by, started by VMware or some folks at VMware, and it's a great project.
A
I think it really kind of helps solve some of the problems that people run into when thinking about local registries, and there are some pieces of this that I'm actually pretty excited about: that they actually do have an integration with Notary and that it works, and I could show you how it's all wired up here in just a little bit. But it's, like, off to a pretty good running start. It does support container syncing between registries. I haven't dug into the code to see how it goes about that. I
A
Don't think it's BitTorrent, but I guess technically it could be, I'm not sure. But you should definitely go check out Harbor. For a while they had a demo up on the demo, demo that you could actually integrate with, but I'm not sure if that's here in the doc still or, or not, but definitely go check it out, really, really cool. If you go to the, it's gonna take me to GitHub, where's my GitHub homepage, get out there.
A
We go, if you go to the GitHub page, not what I want to do, .com, VMware Harbor, that's better! Okay, if you go to the Harbor page, inside of contribs.
A
So sorry, yeah, okay. So then now this one is interesting, because I'm actually gonna put some stuff in there that is specific to my deployment of films. So, for example, let's just talk about this external domain piece, because I think it's kind of interesting and it's a problem that a lot of applications that are deployed in Kubernetes are gonna have to solve. So in this case they actually have an external domain that tell, that you cannot plot, that you can describe, that tells it.
A
What domain to expect the header information to come in at, right? And we're gonna define harbor.c1.k8s.work. Now you notice, I didn't do that with nginx, right? The nginx is just listening on all interfaces and it's saying, bring it all in, it'll be fine. But in this case they actually, they maybe, they have, like, particular media or other services that they want to be able to address by name, and they want to be able to handle that routing in such a way that it actually makes sense.
A
So you have to give it, you have to give it a hint and say, when I address this service at all, it's gonna come in at harbor.c1.k8s.work, and from there you can figure out the routing. But if I wanted to add a sub path, right, if it was actually going to be like my c1.k8s.work/harbor, this is, this would be where you would put that instead of, like, the whole hosting thing. So interesting stuff there. So let's go ahead and do our helm install.
A
Takes a minute, lots of containers to download. Let's take a look at, like, what actually all we have here, right? So we have an admin server. We have ChartMuseum, which is a way of actually, how, posing or hosting helm charts. We have Clair, shout out to Quentin, who, like, wrote Clair as an intern project at CoreOS. Quentin is an amazing person, by the way. We have a couple of databases that were, that we're registering. We have a job service, we have Notary server, exciting.
A
You have Notary signer. We have our registry, it turns out that Harbor actually uses the Docker registry container for that, or a fork of it today. It's that they manage the photon doctorate, photon registry, and then we have our UI. You can use self-signed certs, in fact, by default. I didn't provide any certs in my helm chart, in my helm command.
A
This is the ingress that is created by the helm chart for Harbor, but I want to be able to trust the certificate that's in front of these two services, right? It's defining two hosts within its configuration, the harbor.c1.k8s.work and also notary.harbor.c1.k8s.work. Now, when I deployed the ingress controller, I actually wanted to play.
A
The ingress controller, I put up a default certificate, and what that means is that if I don't define a secret name within the TLS spec of an ingress, it's going to use that default certificate as the answer. If I want a more specific secret, I can define that here or create the secret ahead of time.
A
So, let's take a look at whether that worked or not. Keep going to the wrong screen. Here, harbor.c1.k8s.work. Well, it did work. I do have a trusted certificate, but the service isn't quite up yet. I did, I have noticed it takes a minute on my little local environment to get everything working. It's probably.
A
That's my Twitter handle, feel free to follow me if you're curious about crazy tips about security or Kubernetes. Reach out to me, I'm always available and I love to answer questions, mainly because it helps me think about things from a different perspective than I might have thought about it before. So seriously, if you have questions about stuff, please throw them my way. I'm also on, I'm also now a lion on the Kubernetes Slack. So yeah, we check, but here's the thing I was gonna show you, really neat stuff.
A
We all play with curl all the time, but did you know about the resolve command? So say I'm gonna do blah.c1.k8s.work, I'm gonna forward to port 443, and I'm going to send that to 18.0.3. Now, this is somewhat redundant because DNS has already pointed that way, but I'm gonna show you this trick anyway, because I think it's pretty neat.
A
Now, what the resolve command does, it's like, say I'm in a proctored environment and I want to change the, and I have a different load balancer or VIP IP, right, that is serving a bunch of stuff, and I want to validate that VIP works. I either want to validate the certificates that are in front of that VIP or I want to validate the host configuration that is behind that VIP.
A
One way or the other, I want to be able to target and set the hostname for my query, specifically at a locally resolved IP or a specific resolved IP. So what this line is saying is, I want you, for the purpose of this call, to resolve blah.c1.k8s.work to the IP address 172.18.0.3, and I want to use port 443 for that resolution, and I can actually adjust both of those last two fields to match whatever I want.
A
Yeah, curl resolve is totally a lifesaver if you're trying to troubleshoot some crazy stuff. Like, is your problem DNS? It's always DNS is your problem. Actually, you can, you can solve so many problems with this particular trick. You can determine if it's DNS, you can determine if your problem, if your cert is correct, you could determine if the vhost routing is correct. It's just a really good trick to have in your toolbox.
A
A
A
A
So docker ps, docker images, see what I have. I have a little container that basically holds the kubeadm container, the kubeadm command, and I've created it and I've gone ahead and retagged it with harbor.c1.k8s.work/library/kubeadm is in the version of the thing that I care about.
A
If you want to walk through that real quick, if I do docker rmi, let's go ahead and blow that one away.
A
Docker images, grep, so here's the base container that I made. It's just like, what's a docker build tq8, emp1, 1112, and I want to retag that, because now it's in my local registry, because I did docker build. So now I'm gonna actually retag that to something that I could push toward a target registry. Y'all are probably pretty familiar with this trick if you've been dealing with containers, but I just figured I might take a moment to show how this works. So Susan I have my kubeadm v1.11 container here.
A
A
A
This is where the rubber meets the road. Now, what's neat about this, though, is because I'm actually using a Let's Encrypt cert in front of the ingress controller forwarding back down to that registry, I don't actually have to tell docker about the self-signed cert at all, because it's a trusted cert. It's in my local trusted cache, which is awesome, and that means that it simplifies my whole interaction with docker incredibly, because otherwise I have to deal with a bunch of really kind of specific semantics around like a self-signed certificate.
A
Do my docker push. I can see that docker command was able to authenticate, or was able to validate that endpoint using the certificate. Already I'm able to push to that target cluster. Guess it probably had done a docker login there, but I think I still have a cache from when I was working through this before.
A
A
So now, if I go into library, lo and behold, we have a docker container, here's our kubeadm, and we can see that it's not signed. But what's this sign thing about? We'll talk about it in a second, but that's the notary piece, neat stuff. But I do have this vulnerability scan stuff. This is actually about Clair, that open source project that Quentin put up. Shout out to Quentin.
A
If I do a scan here, what it's doing is pulling all the vulnerability information from a number of different sources, and then it's actually going to look at the packages that are part of the underlying image. So in my case, it's an Alpine Linux image, and so I can basically pull a digest of the entire, of all of the packages that have been installed in that image, and then evaluates them against the known vulnerabilities that Alpine publishes, and if there are vulnerabilities it will.
A
A
A
So, to get notary working, what we're going to need to do is we're going to need to basically pull a copy of the CA that issued the signing certificate and it's being used by the notary signer that's in the cluster. But this is Kubernetes, so we actually can get that, we can get a copy of that certificate. Let's take a look at that.
A
So again, I'm using the .envrc stuff, but let's take a look at what's actually being set. You see, I'm setting docker content trust and docker content trust server. If I take a look at my .envrc, you can see what they're trusting, where we're pointing them at. So I'm turning on docker content trust because I want my Docker daemon to actually start leveraging docker content trust against that remote registry, or against any registry really, but I'm.
A
Also turning on, I'm also pointing the docker content trust server at notary.harbor.c1.k8s.work. Now, I'm only turning this on so that I can sign the image and push it signed to the target server. I'm not necessarily, I don't necessarily want DCT turned on for my entire Docker daemon, although that is something we could talk about, it's interesting stuff. So I've got these two things turned on, and these are flags that I'm gonna use with the docker trust command. Check this command out. It's pretty neat!
A
A
So Harbor, you can actually issue tokens and use that token to authenticate to Harbor, rather than just a username and password, if you want to. So like, Harbor is actually pretty complete. I was really more focused on like the idea of a registry and the idea of notaries, so that's why we're kind of going through this piece. All right, keep kid. Although get configmap in registry.
A
So this is the CA cert for the signer, so I'm gonna grab that theater. Now, why doesn't think I could pick Matt? I think I was going to open an issue on this. I haven't done this yet, but this, at the very least, should probably be in a secret rather than a new configmap. Not a big deal, but probably should be. Me, I'm not going to say not a big deal.
A
A
Certificates that way. Now, what this is doing is, I'm doing the same get configmap that I did before. I'm looking for the element notary signer CA cert under the element data. There's a JSONPath stuff. So if I go back again to the top here, I can see that my first element in this array is data, and the second one I care about is actually notary signer CA cert.
A
A
Also have to actually define that certificate within the CA associated with this notary Harbor instance. So what I'm doing here is, I'm actually gonna grab that certificate output and I'm gonna overwrite the CSR that I put in here earlier when I was practicing, and I want to place that, I want to do that here. And what this does is, it enables my might for my user for docker to trust shouldn't get signed by that CA.
A
A
A
A
Oh, you know what this is? Forgot about this. I didn't see it my environment for doing this test, so rm. What's happening here is that I had actually previously run this test, and so a lot of the trust stuff is still relevant on my local machine, but my target remote server, my notary that's actually up in Harbor right now, doesn't know anything about this world.
A
So it's expecting that this, the local Docker daemon is expecting that the certs I have locally, all the trust ones that I have locally, are still right, but notary is totally amnesiac, right, like I've blown it away and recreated it using ephemeral directories, and so it doesn't have any idea of the certs that I actually have locally. But that's pretty easy to fix, because all I have to do is that, and now I have been a local trust data, and then I start getting asked for this.
B
B
A
All right, so after entering my secrets and stuff a bunch of times now, basically what I've done is I've created a new root key, I created a new repository key, I created a new admin key because I am user admin on the registry. I've created a new signer called admin. That signer is actually hosted in the center. I've signed the image, I pushed up an image and a manifest associated with that image, and I'm.
A
B
A
Of the other interesting stuff, oh, that was the other thing I want to share with you. If you're interested in notary and you want to play with like what that is and how it works and all that stuff, there's a reference link to a bunch of really interesting stuff down here below, and this is where I'm going to kind of get into like.
A
These guys kind of get into how to do that with free stuff, like with just Notary and TUF, which is really, really cool, and Google's project Grafeas is another one of the ones that actually addresses exactly that need: how do we do this trust stuff in our CI pipelines and stuff? So go watch this video, great video. They cover it pretty well, and it's basically the story that we've told so far about how do you get from Harbor, how do you use notary, well, now that I have signed images?
A
These two guys, Liam and Michael, both work for IBM, and they have actually written an open source project called Portieris, so it would allow for that. They get into what Portieris is and how it works and all that stuff in the video. Go check it out, it's really, really cool. Shout out also to Notary GitHub and TUF GitHub, two more projects in the CN.
A
CF really had some projects for like being able to manage all of this stuff, and another link to a tweet that I found when doing a little research, which I thought was pretty cool. Chris points out that, saying that NYU is looking for a research associate to work on TUF. So if this really floats your boat, if you're really into the security aspects of all of this and you actually want to spend some time doing some research on it, go try it out. You know, cool stuff.
A
A
A
There are two commands in play here. So docker trust gives you a couple of different, interesting things. You can do things like inspect a particular image, whether it's locally Gosset or not. You can inspect a particular image for those things that have signed it. You can revoke trust for an image, and you can also sign a new image. So if I wanted to say I no longer want to trust version v1.11, I can revoke that trust using the docker command.
A
The other command that's in play is notary. So notary gives you a whole bunch of other capability, specifically around like managing the delegation and all of the other stuff that's with sans a notary server itself. Now, I didn't dig a mile deep on that. Feel free to like really take it into that yourself, and I may end up doing a follow-up as soon as I dig further into notary, around like how to make the whole Portieris image provenance thing work within Kubernetes. It's definitely one of the ideas.
A
A
You can do all of the stuff that you would like to do to establish trust with that particular image before you sign it, and then when you do sign it, you're kind of opening the door that somebody could deploy it into your computer faster. But definitely check out, like, the Portieris project, which gets into this a little bit. I think that if we, I may do like a v2 of this episode and bring up like an example cluster leveraging this, right, so we have a Harbor already.
A
A
Yeah, so hey, thank you so much for logging in to TGIK, giving me such a warm welcome for my first episode of TGIK. It's been a real pleasure and I could definitely see myself doing this a few more times. I have a lot more to talk about and I hope you guys have a lot more to listen to. So thanks again, and it's been really fun. So y'all have a great weekend.