Description
Come hang out with Joe Beda as he does a bit of hands on hacking of Kubernetes and related topics. Some of this will be Joe talking about the things he knows. Some of this will be Joe exploring something new with the audience. Come join the fun, ask questions, comment, and participate in the live chat!
This week we will look at OPA! It is a policy evaluation engine that just moved to the CNCF incubating level of support. We'll learn about the basics of OPA along with how it is typically used in Kubernetes.
See https://github.com/heptio/tgik/tree/master/episodes/071 for notes and code.
Coverage of OPA starts around 11:00
Hello, hello, hello and welcome to another episode of TGI Kubernetes. Quick sound check: can you all hear me? You know, every time we do these things I feel like we're always mucking around with the setup and with OBS, but welcome to TGI Kubernetes. I am Joe Beda, your host. I'm doing it this week and I'm likely to do it next week also, I think. TGI Kubernetes is a weekly livestream that either I do or Kris Nova does, where we try and explore parts of the Kubernetes ecosystem, play with projects, learn stuff together. Oftentimes I'm exploring technology that I don't know all that well, and so we're really finding out about it together. I'm Joe Beda, I'm a principal engineer at VMware, was the co-founder of Heptio. That's where we started this stuff. And so thanks for joining us. We also record it, so this is episode 71. You can go and watch all the old versions if you like.

Well, I always like to start out by saying hello to all the folks that are joining us from everywhere around the world. Especially, you know, when I first set this thing up I didn't realize that, you know, time zones, right? So, like, Friday afternoon here means that it's Friday night or even Saturday morning in other parts of the world oftentimes. So for everybody joining us, you know, regardless of where you're at, welcome. I just want to start going down.

I like reading off names. Martin from the Netherlands, Rory from LA, Coilhead in the Scottish Highlands, Boss Bunk from Lagos, Joe from Atlantis, Andeep from Poland, Ola from Denmark, Torin, who is the originator, the author, the founder of OPA, I believe. I've got to get the right title for him, but thanks for joining us, Torin. He's going to be helping make sure that we don't get too far off the rails. Duffie, who's one of the VMware, what we call KATs, Kubernetes architects, from the Kubernetes architect team, and he's also done episodes of TGI Kubernetes in the past. Petra from Prague, Suresh from Hamburg, ashlmad, good to see you, sir, Joy, Mike Merrill from New Jersey, Joe from London, Fogo from Brazil, Ivan from Colombia. Oh man, it's just crazy. I had no idea when we started this that I'd be doing this. All right.

So, let's see, Lizzie Ann O from Cincinnati, Brian from Riverside, Southern California. I went to school in Claremont at Harvey Mudd, just down the way from Riverside, Inland Empire. My wife is from San Bernardino. Frank from Virginia, Yan from Palo Alto, Craig from Boston. Oh man, so good to see you all. Thank you so much for joining us. What we're going to be covering today is the Open Policy Agent.

Oh, I have everything, like all the links and stuff I'm going to be clicking through, these things are in a HackMD, and if we want to crowdsource some notes, if you guys want to put some stuff in there, that would be great. The link is in the comments. After the episode I'm going to take these and we're going to check these into a GitHub repo so that they get archived next to the episode, and we'll link to that from the YouTube comments.

So let me switch to my screen, and here we go. I will make this a little bit bigger. Okay, so first the reference. So OPA stands for Open Policy Agent, but if you're a fan of The Expanse, which is this series of books and TV show, it also is the Outer Planetary Alliance, Outer Planets Alliance. So that is my obscure reference in the image here. There we go. All right, so let's see, stuff that we want to go through. So I just like great articles that we've seen. So Vladimir here wrote a great article talking about using Go modules with client-go. Go modules are the new dependency tracking system that Go is moving towards. It's been a bit of a bumpy ride, but it's great to see client-go, which is the sort of official client for talking to the Kubernetes API, just recently switched to actually using Go modules, so that's pretty exciting. So Vladimir goes through a bunch of the details there. There's a bunch of CVEs that have come up and I think it's worth looking at these.

So the first one is a path traversal bug in kubectl cp, and the Twistlock folks actually have an article here. So this was, I believe Ariel was who found it, and then goes into details in terms of what the issue is, how it works. I love seeing these things, because this is how we learn not to make more bugs, right, is by understanding these things. Understanding, going like, wow, I never would have thought that would have been a security issue. So I always love reading in-depth analysis of security issues like this. One small quibble, though, if there's anybody from Twistlock on the line: this is not the Kubernetes logo. You're trying, you know, I'll give you, like, an A for effort here, but this has eight spokes on it, so somebody wasn't paying attention there. All right, so the next one, now I haven't dug into this one.

So I don't know exactly what's going on, but there is a CVE around CNI. Okay, so CNI is a bunch of plugins that you can either use or not use. If you're using what's called the portmap plugin, and this is used for host ports with CNI, which are not super well used these days. Most people will use node ports. Host port is a way to say: I want to put a port on the specific host that this thing lands on.

We know that /proc is not read-only for things like binaries, and so that ended up meaning that you can install your own runc, which meant that future, or maybe even this one, but future invocations of runc would be running your code, and so, really dangerous runc container escape. And it's super interesting that this one got found, and great explanation here from Samuel.

So it ends up getting packaged up in terms of, you know, RPMs and apt and deb packages as part of the Kubernetes release process, and so that one ended up being a bit of a pain to make sure that we get updated packages there as soon as possible. Oh, go away, Medium. And then the certified Kubernetes exams. These are always interesting, and here's another article from Christian talking about some of the stuff that he did to actually prep for it, which was really interesting.

So that's something else that you should know about. And let's see what else we have. Grafana logging using Loki. So I think George put this one on here. I haven't seen this, and so it's a logging back-end optimized for users running Prometheus and Kubernetes, with great log search using Grafana. This looks really interesting. So I think logging, and looking at how do we collect logs and how do we move past, like, hey, just throw it in an Elasticsearch cluster? It's something that I'd be really interested in digging into at some point. So I think this looks super interesting, something that I'd like to learn about. So maybe that's something that we should have a... This is from the Grafana folks. Don't go away, I just hovered. But this might be something that's worth digging into in another episode, I don't know, that might be fun. This is from Grafana Labs, and so optimized to work with Prometheus and Kubernetes.

So, super cool. Okay, so that is sort of around what's been happening this week, some cool pointers. Let's see, so, Frank from Virginia, Yod from Palo Alto, Craig from Boston, Marco from Milan. Let's see, Kris Nova's over next door. Bismarck from Hoboken, Marco from Serbia, nice to see you all. Any other things that you all want to cover this week, any other things that you think I missed, really interesting news stuff that's coming out?

Let's see, do we have a bird? There we go. I'll just... this has been... talking about this here, so this is interesting. These are, you know, they were somewhat, you know, things hardly ever always really compete, but somewhat competing efforts around distributed tracing, with slightly different approaches, and open... So it's great to see these things come together. The only other large part of the open tracing system, which is really kind of a different sort of parallel evolution, is Zipkin. So if you're interested in this stuff, Zipkin is also something that's worth looking at, and I know Adrian, who runs that project, is super passionate about it.

Anything else that I should be covering? All right. We will then jump in to talking about OPA and the way that we're going to be looking at using OPA. So let's see, let me close some windows here. So Torin, do you pronounce it OPA or OPA? Are we all having a Greek party, or is it, you pronounce it OPA? All right.

Well, in any case, so OPA is essentially a rule evaluation engine that helps to sort of take a bunch of input and then make a decision, yes or no, on stuff, and so you can use this for all sorts of different things. "Opa! Break some glass." Okay, so he says OPA. So that's the way it's going to go, and I looked, I... We thought about using a picture for, like, Greece, like "Opa!", right, but then I did the outer, you know, the planets instead. "It's a Greek party," exactly. So let's see, so let's start with the OPA project page and I think that does a good job talking about, so, policy-based control for cloud native environments. So it's an engine for evaluating rules and here's some use cases. So you can use it for Kubernetes admission control, the thing that probably is most relevant to the audience here, but you know, it also can be used for a bunch of other things, like you can use it for your own HTTP APIs.

You can use it for, like, say, you know, a PAM module for, like, you know, SSH, sudo type of stuff, data filtering, so all sorts of different stuff in it. And then it uses this language to actually be able to express that policy, and it's a pretty rich language, and there's a packaging system where you can pull stuff in, and so that's what we're going to be looking at, but we're going to be concentrating in the context of a Kubernetes admission controller.

Let's see, foz9600: for a future TGIK, is k3s planned? I mean, kind of, I mean, the truth of the matter is that it's an interesting project, but it's really kind of a fork of Kubernetes. The folks from Rancher had to make some big changes there. They didn't work with the community and there's really not much of an involvement outside of Rancher with that. So I think it's an interesting project from that point of view, but it's not something that I'm honestly looking to spend a ton of time digging into. I'd rather look at stuff that's really sort of more community focused and open, yeah. And so if there's something that you want to see me cover, feel free to file an issue in the TGIK repo for sure, and we can definitely look at it. And so, you know, we don't plan these things as much as we'd like to plan them.

You have to get a couple of members of the TOC to actually sponsor you in, but there's not a lot of sort of diligence or process around that. But the next level is really where we're like, hey, is this something that has some traction? Are there a bunch of people involved from more than just one company? Is it something that we think, you know, really fits in with the rest of the cloud native technologies? And so that's why sometimes you'll see something like, you know, containerd and rkt, and now we have CRI-O et al. moving into the CNCF, and those are all in some ways operating at the same level, with some different approaches, different trade-offs. And so this is really sort of a recognition of the traction and the maturity of the project that we're seeing so far. So congratulations to the OPA project for making this leap here, so yeah.

So that's the thing that I think for me triggers, like, hey, let's do an episode on this, which is really fun. All right, so Mattie's asking about, hey, let's do an episode on admission controllers. This is kind of an episode on admission controllers, and I think we could go through and maybe do one where we write an admission controller from scratch.

All right, and let's see, so can someone click on Fernando's link there and see if that's something that we should take a look at? All right. So this is something that really is an admission controller, and so the thing that I wanted to do is, like, as an intro for what an admission controller is, there's this great article from Banzai Cloud, and this talks about sort of the admission controller and the systems that they're building, but they really do a good job of actually talking about...

Okay, link is okay, cool. Let's see what Fernando's pointing us at here: k8s clusters, oh, Popeye. What is this? This looks... This is Popeye. What does this do? Well, "debugging a port mapping issue on a deadwater application... would it be cool to have some kind of cluster sanitizer to quickly assess the live Kubernetes resource state of affairs and issue recommendations based on a cluster scan?" Oh, this looks really interesting. All right, all right. Can somebody put that in the notes, and we'll... something for folks to take a look at. Looks really cool. All right. Let's see, where were we at? Oh, this is, I'm closing, cleaning up some stuff here. All right, so here's the... and one of the things that these folks put in this blog post is a great diagram that talks about sort of the life cycle of a request through the API server.

Now we've talked in the past, and I'll pull up that blog post, let's see, Kubernetes jazz improv, okay. So this is a blog post that I wrote forever ago that talks about sort of the general architecture of Kubernetes. If you're not familiar with it, it's essentially a database with a bunch of policy in front of it, where etcd is typically the database. One of the things that the folks at Rancher did with k3s is replace that database with, what did they do? It's the embedded database, the embedded SQL engine, that's in for it right now, instead of etcd. But etcd ends up being the database, the API server, and then everything really talks through the API server. So it's the center of the world, and when we zoom into that API server box, what you end up seeing is a pipeline that looks... SQLite, that's right, thanks Mario. That looks something like this, where an API request comes in through the API HTTP handler, there's authentication and authorization. There's actually more to this. It turns out that authentication happens; you can actually do that via webhook also, where the token gets passed out and you say who it is and what groups they belong to, and then authorization goes through. There's also an audit coming out of this that we can really dig into, that's super interesting too.

Then there's authorization. I believe that you can use OPA as an authorization hook also, which gives you better, more data, different data than what you're going to get as an admission controller, but it's also harder to install. So my guess is that most folks are using OPA as an admission controller, because it's easier to install. And then, and this is relatively new, well, new as in, like, at first there were sort of validating admission controllers, and then we added these mutating admission controllers. But the idea is that there's a set of admission controllers. Some of these are built-in, but one of them that you can enable is called a webhook admission controller, which means that you can now, via a Kubernetes resource, register webhooks, which means that every time a request comes into the API server, it then calls out to your code to actually say, hey, do you want to go through and modify this particular request? And then you can set up a pipeline of these things, and then you go through object schema validation, making sure that you don't have anything...

And the interesting thing is that the mutating admission controllers, these things have to be done sequentially, because the output of one becomes the input to the next, but for the validating admission controllers, you can actually do these things in parallel, and so it can be more efficient. And then, finally, that object gets written into etcd. And this is for a mutation. If you're just reading data, then admission controllers don't come into play, which is one of the differences between authorization, which actually sees who's reading data; admission controllers just see the write path. So that's kind of what an admission controller is in general. You want to be careful with admission controllers because they are in the synchronous pipeline for every Kubernetes API mutation, and so that means that they see a lot of data. They process a lot of stuff.

The second edition, we're working on it right now, we're trying to add some more chapters to it. Honestly, Brendan is more of a machine than I am and he's actually been writing more than I have, and Kelsey hasn't been super involved in the second edition. I am doing a chapter on ingress and we're going to do RBAC, so I know those are a couple of things that we're definitely adding to the second edition. I just wish we had more time to actually get stuff out there. I think, you know, we still view Kubernetes Up and Running, though, as mostly a sort of like just getting your feet under you with Kubernetes. I mean, there's a lot of topics, a lot to go into above and beyond just the simple stuff. So we want to keep it at the sort of new user type of level to really get people so that they sort of understand, you know, the basics of the system. And then Mohammed from Go, nice to see you, and Beyond Physics, nice to see you too. All right.

So that's what an admission controller is, and so you can read the full article here. It goes into some more detail of what's going on here, it's interesting. So there were, you know, pre-admission, pre-mutating admission controllers. There were... kind of never made it out of alpha. There was a similar feature where, essentially, you could modify resources before they actually got created. I'm trying to remember the name of that feature, but we actually ended up saying, hey, you know, admission controllers are a better path to go down, and so that's the preferred way to do this stuff now. All right. So that is a little bit of theory on admission controllers. Initializers, that's right, Torin, yeah. PodPreset is something different, and it turns out that PodPreset is interesting.

...get that stuff up and running. I mean, it really sort of lets a ton of innovation happen without any gatekeepers. So that's something that's really exciting. Yeah, but Torin's right, the feature I was thinking about was called initializers, and so this is also a little bit of a, you know, a cautionary tale around starting to build on top of alpha-level features in Kubernetes early. Not all alpha features make their way forward, and I think initializers are a great example of that. All right.

...is the admission controller tutorial, so we're going to go through this. We're going to talk through what it means to actually be an admission controller, what all the sort of nuts and bolts we need to do to be able to wire OPA in, and then we'll play with writing some admission controller policies and see what we can do, see if we can do something interesting around it.

I need it because sometimes you break a cluster, and so you want some Julia Child, having the other one in the oven type of thing going on, and so I have that set up here, and I can do kubectl get pods, or get nodes, and we'll see this. So we have one control plane node, and then we have three worker nodes, and we're doing version 1.13.2. We haven't updated this to 1.14 yet, but I think I might have, yeah, I've updated my kubectl, so my kubectl is 1.14, but my server is 1.13.2. And then, since this says that we're going to be using some ingress stuff, what I did is I installed Heptio Contour with this one-liner here. I then went, if I do get service, I then have the external ELB for this, and I went through and configured, let's see, tgik.io. I went and configured a couple of records, so we have an alias record here for the LB, and then I did *.tgik.io here also, so this means that with ingress anything at tgik.io will actually find its way to this cluster. I don't have any sample workloads running yet, but so that's using Contour, which we've done an episode on in the past, and so that means that we should be up and running.

Let's see, so Luciano says, "if you're interested in use cases, I've used OPA to limit the creation of a service of type LoadBalancer only in namespaces with a specific annotation." It's a great example, because, like, if you're going to give this to users, or if you even just want to make sure that you don't make some mistakes yourself, you may want to say, hey, every time we have a type equals LoadBalancer type of service... Yeah, so you can hand this out to developers, and so it's a very flexible way to be able to hand this stuff out to multiple developers. All right, so the API controller, as it calls out to OPA, that's actually an HTTP call that's happening over your network, and one of the things, and this is a lesson that we learned, you know, hard with Kubernetes in general, is that you want all of this stuff to be encrypted.

Sometimes you think, I don't really need it to be encrypted, but I guarantee you, even if you don't need it to be encrypted, other people do, and sometime in the future you are going to want this stuff to be encrypted and validated. As you start moving to something like Kubernetes, or even if you don't move to Kubernetes, what you'll find is that it's very easy for data centers or VPCs or whatever to become noisy. You're going to have a lot of stuff running, that stuff's going to be talking to other stuff. IP addresses get reused. Things start spamming stuff, like accidentally, you know, there's all sorts of things that happen that can really make even a well-controlled network noisier than you would like it to be. So having TLS with validation is a really important piece of securing this stuff and preventing accidents, to be honest. Now, right now as you're doing stuff like installing an admission controller, you have to go through the painful thing of actually generating certificates and putting these things in there.

One of the things that I would love to see is for us to have something like SPIFFE as a complement to things like OPA, so that Kubernetes can automatically manage certificates on your behalf, and this is not just sort of talking to public certificates like, you know, what cert-manager does when talking to Let's Encrypt. This is both, you know, server and client certificates, and if we can get this stuff automated, we can get automatic rotation in there.

Let's see, this is actually then self-signing that, I believe. So now what we have is we have ca.crt and ca.key, where .key is our private key and then this is a certificate that we created, so that ends up being our certificate authority that we're using here. And then we... This is one of the things that's a pain in the butt about OpenSSL, is that we need a file here. We'll go ahead and do that; let's pull this up in... Let's see, basically, it's not a CA; we're using it for digital signature, key encipherment, and it can be used for both client and server auth. This is all super obscure stuff from, like, X.509 type stuff, and so now what we're going to do is we're going to generate another key for the server.

Same type of thing. Yeah, so cfssl is actually, I think, probably a lot easier to use, to be honest, than OpenSSL for this stuff, but I don't want to go off the rails too far here and start making up my own stuff, but just something, Torin, I mean, for the examples here, I don't know if that's something that you've considered. Oh.

Duffie's saying that you can also limit services of type equals LoadBalancer using object quota. I wasn't aware of that, that's interesting! So Torin says that they've hidden some of this stuff in the Helm chart, but if you're using Helm, oftentimes you're already pretty insecure anyways; it's very difficult to secure Helm without doing some of this stuff.

Now we're running this. It says running in the right namespace. Let me make sure I know what we're doing here. So this is running in the opa namespace and it's going to be using the OPA... the deployment's going to be running in that thing also. So I think Torin, or did we do it? Oh, here's where we set namespace equals opa. Okay, so I skipped this step, and so now we have that problem. I'm just going to go through and I'm going to go through and say...

And then we can look at this and I'll check this stuff all into the TGIK repo after the... Okay, Duffie's saying that you can use the in-cluster CA for this stuff also, and I don't know, can you use the in-cluster CA with... will it actually validate common names and stuff? We'll go through it and we'll figure out what's going on. Okay, but basically, what we want is, we want...

All right. So now what we can do is, and now we have the ConfigMap modifier, or update and patch of some ConfigMaps. This is a role within just the opa thing, because apparently now we'll be modifying ConfigMaps, and we'll see how that happens. And we're doing the same thing where it's all the service accounts in, I believe, the opa namespace, and then we have a service called opa. So it's hosted on 8181, and this YAML is not very explicit about the ports; you don't have to be, but it actually makes the stuff more discoverable if you do. We have a read-only mount of the certificates that we have, and then there's another container that we're having here, which is the kube-mgmt container, and this essentially translates between Kubernetes admission controllers and the OPA protocol.

So this is essentially a translator there, and what this is saying is... and then the other thing that this does, and actually, I believe, correct me if I'm wrong, Torin, is that it actually reads and caches a bunch of stuff from the cluster. And so what we're saying is that we wanted to read all the namespaces and all the ingresses. So these are the objects that it'll have fast access to, to be able to look at as it's making policy decisions, and then here's the secrets that we mapped.

By default, our response is allowed: true, and then, I don't know, this is the OPA language, so I'm not quite sure how this all works, but one of the things that you can see, it says this is being embedded into a ConfigMap. So this is how we push that stuff in there. Yeah. So "kube-mgmt replicates objects into OPA, so you can refer to them in policies. One minor note: the admission webhook talks directly to OPA, not kube-mgmt." Okay, that's good to know.

Okay, so the... I see, yeah, here's 443, so OPA inside this pod is listening on 443 directly, and then it's also listening locally on 8181, and the admission controller is talking directly to OPA. So OPA knows how to speak Kubernetes admission control, but then kube-mgmt essentially provides extra context into the thing, just...

Yeah, so let's see, and then Joy's saying, "I'm currently using OPA for various use cases, like to restrict accidental overwrite of an ingress host path from a different user, enforce resource requests and limits, and then also whitelist Docker container registry." Yeah, cool. Okay, and then the boilerplate down there is actually, essentially, that's how you speak Kubernetes admission control. Let's see, okay, that's cool, Joy. So Joy, just, I mean, for the accidental overwrite of an ingress host path from a different user, that's why we built the IngressRoute stuff in Contour, which allows for some more self-service of stuff and delegation across namespaces that you can actually defer to users. So it's a different way to skin that particular cat. Okay, cool. So let's go through. This all looks totally reasonable. Oh, I want to see, like, let's see, so if we do this, I believe what this means is that the deployment, we didn't talk about service account, so the default service account will get both of these role bindings, as I think what we're...

Yeah, so what Joe is saying here is he's bringing up that one of the features of OPA is that it can actually integrate data from other sources, and so it's not just a static configuration. It really is a way to integrate a whole bunch of stuff, so OPA ends up being a policy language, but you can have, like, correct me if I'm wrong, Torin, you could have something like a CSV file in a ConfigMap of, like, what users are, or which namespaces are allowed to do what, and then you can import that and then use that inside of OPA, but maybe not a CSV file, but some sort of data file, and so that means that you're not rewriting the policy stuff all the time. Okay, so I think we are up and running. One of the things that, let's see, what are we doing? So we were restricting... OPA's going to make decisions on names...

Oh, we haven't installed the admission controller yet, so the next thing we have to do is we have another object here which we're going to call webhook-config, touch webhook-config, and so this is the thing that's actually going to configure the webhook, and so this is a ValidatingWebhookConfiguration. Now, it turns out that webhook, the validating webhooks, it's a cluster-global object. So these things are not homed inside of a namespace.

All right, so Torin's saying that we can load arbitrary JSON data, so not CSV, but you know, the moral equivalent, probably better standardized. All right. So this is the OPA validating webhook. What we're saying is that we want to see create and update of everything, and oh, and actually I need to go ahead and do this and paste this in here, and what it's saying is that, like, hey, when I talk to the service, I expect it to be signed by the CA, the TLS... So I'm going to pipe this to pbcopy on the Mac, and then I can come up here and I can paste it, and there we go. Okay, and then, so this is essentially, this is how we do the webhook. The webhook says I expect to see the TLS and the other things be signed by this, and then I expect it to be in the opa namespace, I expect it to be the opa service, and so that's where the opa.opa stuff comes from. It's the way that we map a service in DNS across namespaces: the first opa that you see there is the name of the service, the second opa is the name of the namespace, and then there's the dot... SRV service or something, I don't know, it gets abbreviated, but that's what we had here, or no, no, it was on the command line, but here we go. So that's how that stuff shows up. All right. So now kubectl apply, and I had webhook-config, so that thing is now created, and so now what happens is OPA will be in the path for every create and update of every resource across my cluster, which is kind of scary. I'm wondering, does anybody, I mean, maybe folks who've played with admission controllers more than I have, is there a way to remove an admission controller without going through the admission controller? So if you have a broken admission controller, is there a way to say, hey, ignore the admission controllers, make this happen regardless?

I see, and then the request path here, so here we're actually going through data.kubernetes, kube-system, it's a PUT, request parameters, and then sent response. Okay, so we're not getting a ton of data here. We're looking at kube-public, so somebody's, you know, something's going through and looking at this stuff here, but yeah.

So there's a lot of background in as well, as you all know, like there's always a lot of stuff going on in the cluster, and so that was sort of the ambient stuff going on in the cluster. Yeah, and you can use labels to restrict the blast radius of admission controllers too, and so that's something that I think is worth looking at. All right. So let's keep going through our tutorial. Now we're going to define a policy here. So this is ingress-whitelist.rego. Rego, "ray-go".

This YAML... or no, it's a .rego, right, though. I like to touch the files there, so then I'm not doing this. Okay, and so I installed the VS Code extension for Rego. "Rego" is how you say it, "ray-go" here. Okay, so I don't know anything about this, but I'm going to see if I can intuit this language that Torin and company created here, but essentially I assume that when I'm going to set host equal to, okay, so it looks like there's a mixing of assignment and assertions here, and so this is, I think, I mean, and maybe I'm reading this wrong, this is an assertion, that's saying like
if
this
end,
if
this
end
of
this,
this
is
an
assignment
to
a
temporary
thing
so
that
we
can
actually
refer
to
it
later,
and
so
it's
a
little
non-obvious
to
me.
A
Looking
at
a
particular
cat,
a
namespace,
okay,
okay,
torence,
saying
that
in
early
2018
we
added
assignment
double
equals,
which
we
recommend
using
now.
Okay,
so
I'm,
not
crazy.
I'm
recently
refresh
the
docs
are
reflected
but
haven't
updated,
open
policy
agent
or
yet
all
right,
cool
yeah,
because
I
imagine
I'm,
not
the
first
one.
They
had
that
confusion
around
assignment
and
equality
here,
all
right,
so
it
looks
like
for
this
particular
stands.
A
Own
things
are
either
going
to
be
something
that
produces
a
bool
if
it
produces
a
bull,
it's
a
test
and
it
ends
up
being
an
and
across
all
those
tests.
To
be
able
to
actually
say,
hey
or
no
an
or
across
no
and
and
if
all
of
these
things
match,
then
you
deny
the
request
using
this
particular
message
and
then
and
then
so
we
like
so
okay,
so
it
sounds
like
I
can
do
equal
equal
here.
Equal
equal
I
could
do
this
and
that
should
go
ahead
and
work.
A
Oh
and
I
don't
have
I,
don't
have
the
the
executable
here
locally,
so
it's
do
I
want
install
it
Wow.
Let's
see
what
happens.
Oh.
A
A
Alright,
so
we'll
come
back
to
that,
okay,
so
we
matches
any.
We
have
stir
patterns.
I
think
this
is
probably
sort
of
saying
I
want
to
ratchet
cross
I
want
to
match
across
all
the
arrays.
This
is
coming
from
the
ingress.
Whitelist
has
a
common
delimited
list
and
I'm
going
through
and
I
want
to
do
host
across
all
of
these
things,
and
so
there's
a
split.
A
So
there's
like
an
array
I
need
to
understand
the
language
a
little
bit,
but
it
looks
like
there's
a
lot
of
sort
of
functional
elements
to
this,
and
then
I
go
through.
Is
that
now
what
I'm
going
to
do
is
I'm
going
to
split
this
look
for
stars:
do
a
bunch
of
sort
of
star
dot
and
actually
figure
out,
what's
happening
here
for
matches.
So
there's
like
there's,
actually
quite
a
bit
that
you
can
do
with
the
language
here.
A
But
regardless
what
we're
saying
is
that
on
the
particular
namespace
we
can
add
an
annotation
called
ingress
whitelist
and
unless
something
is
on
the
whitelist
there,
we
won't
be
able
to
to
create
an
ingress
with
that.
So
let's
go
ahead
and
and
give
that
a
try.
Okay.
So
now
we
have.
Is
this
yeah
look
at
that?
Okay,
so
brew
install
is.
That
is
the
way
to
go.
Oh,
but
there's
output,
every
time
I
did
this
merge
error,
error,
I,
don't
know
why
was
it
trying
to
load
webhook
config
dot,
yeah
moe?
A
Does
it
just
load
other
random
stuff
from
the
from
the
directory?
Okay,
weird,
okay
and
then
data
kubernetes
namespaces.
This
is
then
actually
being
injected
into
OPA
from
the
from
that
other
side
card
that
we
had
alright.
So
let's
go
through
and
we're
gonna
actually
put
this
thing
into
a
into
a
config
map.
A
And
in
the
OPA
sidecar
will
notice
the
config
mech
automatically
and
load
the
policy.
So
how
does
it
know
that
it's
an
OPA
I
mean?
Does
it
look
for
any
config
Maps
with
with
dot
Rago
files
and
actually
just
load
those
things
in?
So
that's
something
that
I
think
is
interesting,
I
think
it's
also
interesting.
A
Cm
deployed
within
the
opening
space
error
with
a
specific
annotation.
Ok,
config
map,
okay,
okay,
it's
Cube
management
that
does
it
it's
gonna
load
it
out.
You
can
further
restrict
to
the
label,
so
you
could
set
up
something
like
the
like
the
ingress
class
stuff
here
all
right
and
then
we
can
exercise
the
policy.
So
let's
go
through
and
I'm
gonna.
Let's
see
we're
going
to
have
a
namespace
called
QA
I'm,
just
a
touch
QA
namespace
yeah
mo
let's
go
through
and
do
that
yeah.
A
A
A
You
know
having
config
systems
and
I
think
this
might
be
something
that
customized
does,
but
it's
something
that
we're
starting
to
see
with
that
class
of
systems
it'll
automatically
be
able
to.
Essentially
you
keep
the
file
you
keep.
You
know
the
config
method.
Config
map
refers
to
the
file
and
it
automatically
knows
how
to
merge
this
stuff
together.
Okay,
so
taurah
needs
to
go.
Thank
you
for
joining
us.
I
really
appreciate
it.
Tim
is
here
also
is
on
the
chat,
and
he
can
help
us
out
if
we
totally
get
ourselves
stuck.
A
A
A
A
A
A
Does
anytime,
you
get.
You
know
enough
code
like
this.
What
I'd
want
to
do
is
actually
test
it
out
with
a
bunch
of
input
and
output
and
make
sure
that
it
does
what
I
expect
it
to
do
so.
I'm,
assuming
that
that
you
know
any
time
when
you
start
creating
languages
like
that,
you
really
want
to
look
for
okay.
A
What's
the
testability
can
I
actually
make
sure
that
I
that
I
can
can
get
a
handle
on
this
stuff,
and
so
the
fact
that
there's
this
open
command
line
makes
a
ton
of
sense
here,
and
we
have
things
like
open
format
and
stuff
like
that
which
looks
really
cool
and
Joe
is
saying
for
config
maps
that
cumin
to
text
it
will
annotate
those
with
the
status
of
whether
or
not
the
policy
was
accepted
by
oppa
helpful
for
troubleshooting.
Oh,
let's
check
this
out.
A
A
And
what
do
we
see
yeah?
So
we
now
have
an
annotation
here
saying
status.
So
is
okay,
all
right.
So
that's
why
open
needs
the
the
right
update
for
the
right
and
update
for
the
config
map
is
so
that
I
can
actually
go
through
and
put
the
status,
that's
pretty
cool
and
then,
as
you're
saying,
that
open
does
provide
a
unit
test
framework,
yeah,
you're,
right,
Joe,
you're
way
ahead
of
me.
Alright,
so
we
had
that
accidentally
created
in
the
wrong
namespace,
okay
cool!
A
A
Okay,
so
this
is
interesting,
though,
because
it's
like
this
is
the
name.
This
is
this
webhook,
but
the
thing
is
called
opa
validating
webhook,
so
I'm
wondering
exactly:
where
does
validating
webhook
open
policy
agent
org
actually
come
in,
like
how
do
I
relate
that
to
which
webhook
that
is
configured
I.
A
There's
the
name:
okay,
okay,
so
the
the
configuration
has
a
name,
but
then
the
webhooks
themselves
actually
have
names.
You
get
a
one
configuration
with
multiple
webhooks,
okay,
so
there's
a
little
sort
of
extra
layer
of
hierarchy
there.
Alright!
So
that's
the
way!
If
you--if,
you
start
seeing
a
bunch
of
stuff,
you're
gonna
have
to
go
through
and
actually
start
digging
through.
All
of
your
revalidating
web
hooks
to
actually
see
what
happens
there,
yeah
cool
all
right
and
then
modify
the
policy
and
exercise
these
changes.
A
So
open
laws
you
to
modify
policies
on
the
fly
without
recompiling
any
other
service
that
offload
policy
decisions
to
to
enforce
the
second
half
the
policy.
On
the
start
of
this
tutorial,
you
can
load
another
policy
to
open
that
prevents
ingress
objects
and
different
namespaces
from
sharing
the
same
hostname.
This
is
to
make
sure
that
you
don't
stomp
on
people
across
namespaces,
now
just
to
be
aware
that
if
you're
using
cube
lego,
this
will
break
that,
but
certain
managers
now
actually
does
something
a
little
bit
different.
A
A
Same
sort
of
thing,
so
now
what
are
we
saying
here?
We're
saying
that
input
equals
ingress
create
now?
Is
there
a
way
and
I
don't
know
if
Tim's
online
is
or
maybe,
if
you
know
Jo,
is
there
a
way,
because
this
is
just
create?
I
could
actually
go
ahead
and
update
this
after
the
fact
and
essentially
skirt
the
policy
and
actually,
let's
go
ahead
and
try
that
because
I'm
looking
at
my
allow
list
here,
we're
only
looking
to
create
if
I
do
a
cube
control.
A
A
So
now
I
can
go
ahead
and
I
can
edit
this
and
we're
gonna
change.
This
now
to
sign
in
this
will
conflict
or
log
not
allowed
like
honed,
so
I
can
go
ahead
and
do
that
close
it
yeah,
and
so
that
actually
worked
okay,
so
that
is
is
interesting
here.
There's
a
subtlety
here
and
I
think
this
is,
why,
like
this
stuff
is
hard,
is
what
you're
going
to
want
to
do
is
probably,
if
I
do
the.
A
Let's
see
the
allow
list
here,
we
have
to
create
and
Joe
and
Tim
is
saying
that
I
can
leave
out
the
condition
for
create,
which
means
that
it
applies
to
anything
which
is
going
to
be
either
update
or
create.
If
I
go
ahead
and
delete
that
and
then
now
I'm
going
to
reapply
the
cube
control
by
F
and
grass
allow
list
I'm
gonna
reapply
that
wait,
no,
not
apply,
create
config
map.
I
already
exists,
you
control,
okay,
so
this
is
part
of
the
problem.
Is
that
like
what
I
can
do
is
I'm
gonna?
A
Do
this
I'm
going
to
do
a
dry
run?
Oh
yeah
mall
ingress
list,
yeah
mall
with
the
it
doesn't
like
it
dry
run,
or
does
it
dry?
Is
it
I
thought
we
had
a
dry
run?
Oh
dry
run.
Okay,
so
now
I
have
ingress.
Allow
list
yeah
mall,
which
embeds
this
thing
here.
So
that's
just
a
way
to
go
ahead
and
get
that
not
Duke.
You
control,
apply,
f,
ingress,
allow
list,
I
am
oh,
oh
and
it's
like
I
know,
I
have
to
say
it's
mad.
A
A
A
A
Now,
I'm
good
to
go
cool.
Alright,
so
did
you
all
get
what
happened
there
is
that
there
was
a
bug
in
our
in
the
Ray
go,
and
this
is
the
type
of
thing
that
I
think
you
know.
You're
gonna
want
to
make
sure
you
get
with
your
unit
testing
framework.
Is
that
like
pretty
much
any
time
when
you
write
this
stuff,
you
know
we
had
the
we
had
to
create
here.
You
probably
don't
want
to
leave
this
in
because,
for
all
intents
and
purposes
create
an
update.
We
want
those
things
to
be
treated
the
same.
A
A
Okay,
so
this
is
an
equal
equal,
not
equal.
This
is
a
:
equal
call,
an
equal,
equal,
equal
okay,
because
this
one
ends
up
being
derived
from
the
input
which
it
or
not
being
derived
from
ingress
--is,
which
is
actually
the
data
here.
This
means
that
this
is
actually
read-only.
I
assume
here
this
becomes
an
equal
equal.
The
message
I
assume
becomes
like
that
and
then
we'll
go
ahead
and
do
that.
A
Okay,
yeah,
so
I
think
that's
what
we
got
going
on
here
yeah,
so
this
is
kind
of
cool,
so
this
is
I,
wonder
like
because
this
is
all
again
very
functional
in
terms
of
the
way
that
we're
thinking
we're
essentially
saying
like
this
other
namespace,
where
that's
undefined
so
we're
saying
any
other
namespace,
but
we're
actually
so
there's
very
much
a
sort
of
a
you
know.
An
SML
type
of
thing
to
this
I
believe,
if
I'm,
remembering
my
functional
languages
correctly,
where
I'm
leaving
these
things
on
bound,
so
they
could
be
anything.
A
A
Or
you
all
understand
what's
going
on
here,
so
what
I'm
doing
here
is
I'm,
creating
the
config
map
from
the
file,
but
then
I'm
saved.
Instead
of
writing
it
back
to
the
server
I'm,
actually
saving
it
to
a
file
with
the
dry
Iran,
oh
yeah
mole
and
then
a
redirect
to
the
the
llamo
file.
And
so
then
this
lets
me
do
things
like
queue.
Control
apply
where
I
can
now
update
this
without
because,
if
I
do
a
cube,
control
create
I
can't
update
it
afterwards.
A
A
We'll
go
through
and
do
this
and
now
we're
actually
okay.
So
now
we're
we're,
saying
error
from
server
invalid
ingress
host
sign
into
Acme,
Corp
comm.
It
conflicts
with
production,
ingress,
okay,
error
when
creating
and
then
okay
denied
the
request
cool
okay.
So
this
is
actually
really
great
error,
then,
for
users,
it's
a
little
bit
repetitive,
but
you'll
figure
out
that,
like
oh,
the
host
is
that
this
thing
conflicts
with
production,
slash
ingress,
okay,
which
is
another
resource
in
the
same
cluster.
A
A
A
Good
documentation
here
is
that
right
now,
OPA
is
not
running
with
any
authorization
policy,
so
this
means
that
anybody
who
can
reach
the
open
endpoint
can
go
ahead
and
like
write
whatever
they
want
into
it,
and
so
there's
ways
to
be
able
to
actually
control
it
so
that
you
can
do
this
stuff.
So
Duffy
is
saying
that
mission
controllers
can
be
expensive,
though
yeah
I
think
this
is
the
thing
to
keep
in
mind.
A
The
only
thing
that
we're
looking
at
here
is
create
an
update,
but
we're
doing
it
across
of
everything
we
could
actually
just
look
at
ingress
here
and
that
would
actually
help
to
reduce
the
amount
and
so
so
Duffy
and
they're.
The
notes
are
in
there
and
are
this
is
in
the
we
have
this
in
the
hack.
Md
Duffy
pointed
me
to
this.
A
A
Don't
send
the
old
Reese,
so
yeah,
there's
there's
ways
that
you
can
tune
sort
of
the
amount
of
data
that
you
send
to
be
able
to
reduce
the
cost
of
these
webhook
admission
controllers.
So
you
want
to
scope
that
stuff
down
and
again,
there's
there's
a
danger
there
in
that,
like
if
you
know
we're
only
running
one
replica
of
OPA,
and
so
that
means
that
that
replica
goes
down.
It
could
actually
cause
a
cascading
failure
across
the
rest
of
our
cluster.
So
there
are
a
petite
and
kubernetes
to
essentially
say
hey.
A
This
is
a
system
level
resource
I
want
to
kill
this
thing
last
if
I
have
to
start
killing
things,
but
it's
definitely
something
to
keep
in
mind
and
you
should
have
like
you
know
from
a
sort
of
sre
point
of
view.
You
should
have
a
way
where
you're
ready
to
be
able
to
deal
with
the
fact
that
that
that
that
thing,
maybe
maybe
down-
and
you
need
to
be
able
to
bring
yourself
back
up
Joe
says
with
the
exposed
to
API.
A
You
can
do
these
checks
and
see
ICD
in
addition
to
in
place
of
the
admission
control
yeah,
that's
a
good
idea.
Joe
I!
Think
that's!
Another
point
is
that
you
know,
depending
on
whether
you're
giving
people
raw
access
to
a
cluster
or
whether
you're
having
everything
go
through
like
a
git
ops
pipeline,
there's
pros
and
cons
to
each
of
those
things
with
raw
access
to
a
cluster.
You
can
definitely
sort
of
it
feels
very
dynamic
for
development
type
purposes.
A
You
may
want
raw
access
so
that
you
can
go
through
and
play
with
stuff
and
move
fast
for
like
staging
and
production.
You
may
want
to
have
something:
that's
much
more
controlled
in
terms
of
how
you
do
stuff,
where
all
of
your
stuff
goes
through
a
get-ups
pipeline
and
then,
as
part
of
that
get
ups,
you
can
actually
go
through
and
apply
this
type
of
policy
and
I
seen
Sojo
st.
with
the
East
Coast.
A
So
but
I
think
it's
probably
I,
don't
know
if
it's
possible
I'm
sure,
like
you,
can
use
OPA
as
a
sort
of
static
checker
in
a
CI
CD
pipeline,
because
you
have
the
command
line,
because
it's
a
separate
evaluation
engine
that
you
can
probably
run
as
a
one-shot
I.
Imagine
and
I'm
speculating
here,
but
I.
Imagine-
and
this
may
be
what
Joe
is
talking
about
in
the
comments
I.
A
A
A
Alright,
so
there's
this
admission
controller
here
called
always
pull
images,
and
so
this
modifies
every
pod
to
say
I
want
to
change
the
image
poll
policy
to
always
pull,
and
the
question
is:
why
would
you
want
to
do
this?
It
turns
out
it's
a
security
thing.
If
you
have
some
namespaces
have
access
container
image,
but
others
don't
what
you
don't
want
is
that
it
happens
to
be
cash
on
a
node
and
so
therefore,
without
pulling
it,
you
can
actually
do
it.
A
So,
there's
always
pull
says:
hey
I
want
to
do
an
access
check
to
see
if
I'm
allowed
to
pull
that
image
before
I
actually
run
a
container.
That
does
it.
So
this
is
a
type
of
thing
that
you,
you
could
do
this
with
an
omission
of
mutating,
an
admission
controller
and
there
the
built-in
one,
like
all
the
ways,
pull
images
or
you
could
go
through
and
you
could
do
with
like
OPA,
it's
a
validating
one
where
I
lost
where
I
was
using,
did
I
stomp
on
it.
Where
did
it
go
here
without
the
guides?
A
You
could
use
this
where
you
could
actually
say
you
know
what
I'm
not
gonna
like
mutate,
it
I'm,
not
gonna.
Add
it,
but
I'm
gonna
verify
that
everybody
has
it
right.
So
that
means
that
you
now
put
the
burden
on
your
users
to
make
sure
that
they
configure
things
correctly
versus
actually
automatically
fixing
it
up
for
them.
And
there's
like
pros
and
cons
to
each
of
those
things,
Oh
Tim
says
you
can
set
up,
opens
a
mutating
web
hook
to
the
policies.
A
A
It's
being
able
to
actually
just
not
look
at
a
single
request,
but
actually
pull
in
other
data
super
interesting
all
right.
The
one
thing
that
I
do
want
to
call
call
out
is
that-
and
this
is
still
a
little
bit
of
a
work-in-progress
type
of
project,
and
this
is
something
I
really
want
to
play
with
now.
This
is
something
that
the
the
Microsoft
folks
started,
and
then
they
move
this
into
the
opah.
A
Is
this
thing
called
gate
keeper,
and
so
one
of
the
things
that
you'll
see
here
is
that
we
were
manually
updating
the
array,
go
files
and
applying
those
gate.
Keeper
I
think
the
idea
is
to
provide
a
little
bit
more
structure
around
this
start.
Moving
these
things
from
being
sort
of
config
Maps
and
talking
open
directly
to
being
able
to
actually
have
essentially
more
opinionated
ways
of
doing
this
stuff.
A
So
yeah
so
I
want
to
see
so.
Project
is
undergoing
heavy
restructure,
have
heavy
restructuring,
but
I
I'm
interested
I
would
love
to
dig
into
this,
but
it
looks
like
it's
not
quite
ready
yet,
but
gate
keeper
seems
like
it's
a
really
interesting
sort
of
more
opinionated
way
of
actually
configuring
this
with
kubernetes
yeah.
So
now
it's
a
joint
project
between
Microsoft
Google,
Red,
Hat
and
sty
rata
Steve,
rusty
Roth
IRA,
which
is
the
the
company.
That's
that
sponsored
open
so
yeah.
A
A
Okay,
I'm,
probably
still
mispronouncing
it
I'm
sorry
Tim
coming
from
somebody
who
started
a
company
named
hefty.
Oh
you
know,
choosing
names
for
companies
is
incredibly
hard.
Okay,
so
thank
you.
Everybody
for
joining
me,
I'm,
gonna,
sign
off
now.
Thank
you.
Tim
Thank,
You,
Turin
Jo
on
the
line
here.
Jo,
you
don't
work.
You
know,
you
obviously
know
a
lot
about
oppa
but
I'm,
assuming
that
you
don't
I
as
an
eyeballs
to
Ira,
styro
yeah.
A
Okay,
oh
I,
see
there's
an
it's
hard
for
me
to
read
the
SST
Roy,
the
the
the
CSS
that
I
apply
when
I
have
this
stuff
in
for
OBS,
for
broadcasting,
I'm,
not
sure
I
like
that
typeface,
okay,
so
Joe's
at
t-mobile
he's
a
power
user,
alright,
and
so
you
all
know
each
other
already
so
I'm
the
one
odd
man
out
here,
but
thank
you
everybody
for
joining
me.
Hopefully
this
is
a
great
sort
of
like
soft
intro.
As
we
went
through
the
tutorial
together,
you
know
broke
some
stuff
played
with
a
little
bit.
A
A
If
you
want
to
hear
more
about
this
and
I'm
sure
these
folks
would
be
happy
to
help
you
if
you
want
to
dig
into
open
more
and
again
congratulations
to
OPA
for
for
moving
on
to
from
sandbox
to
an
incubation
project.
That's
really
really
exciting
and
I.
Think
now
I
want
to
do
a
an
episode
just
on
on
admission
controllers,
where
we
maybe
write
a
little
bit
of
code.
So
thank
you,
everybody
and
we
will
see
you
next
week.