From YouTube: TGI Kubernetes 045: Calico (CNI)
Description
Come hang out with Kris Nova as she does a bit of hands on hacking of Kubernetes and related topics. Some of this will be Kris talking about the things she knows. Some of this will be Kris exploring something new with the audience. Come join the fun, ask questions, comment, and participate in the live chat!
A
Hello and welcome to episode 45 of TGIK. How's everybody doing this week? I just got done hacking on Calico a little bit and just jumped into the studio last minute, so we're getting set up here. Thankfully, we have George here with us, who's helping us get some stuff set up, and we're trying out some new tools and some new goodies for everyone. So this is genuinely my favorite part of the week: telling everybody hi and going through the chat.
A
So let's go and let's see who's all here and play catch-up. I haven't looked at the chat yet; it looks like folks have already been chatting away. So let me just load this into memory real quick so I'm on the same page as everyone else. OK, so Sean says happy Friday from Seattle. Sean, happy Friday to you as well. It's a great day in Seattle. It was raining this morning and it couldn't have been happier, got a great night's sleep with my window open. 'la Matty.
A
It's always great to see you. Happy Friday to you, Matty. It looks like shot in the Matier talking. Oh, they're talking about KubeCon CFP. I thought they were talking about the TGIK notification. Okay, and then looks like Heptio, which this is George who's during his live from his basement studio. He says: hi everyone, this is George, I'll be helping Kris today. Everything is setting good to go. We've got good sound and audio and we'll be tracking those here today.
A
So let's pull this up real quick. I'm gonna go to screen and face, and let's pull up this link that George just opened for us. So this is something that he's been talking about doing for a while, and I think I've never played with this. So actually we're gonna do a little bit of live playing with HackMD here at the beginning of the episode, but I talked to George about it, and he said this is something that we can totally come in and, like, folks can contribute real time here.
A
Okay, that's not working. There's got to be like an edit button or something 1400 right here. Okay, so what's going on is up here at the top left. It looks like there's view, there's both, and then there's edit, so, oh cool. So then I get like this hacker-style theme where I can come in, so I can then come in and say hacks for the episode here. We'll do a quick comment here. Oh, I want to log in. I'll sign in via GitHub, authorize hack.
A
Indeed, so I think you guys can do this too at home, and you can actually contribute to the notes or ask questions here. And then let's go back here. Okay, we're still editing. So let's go back to our /proc, and then I can now come in and say, look at our cgroups in /proc, and I bet I can commit this somehow. I don't know how to like save or commit or whatever. Do I, I can't just do both.
A
Okay cool, so it's like real time. Sweet, okay, cool! So it's like real-time editing, and then other folks can come in and edit as well, and then George can PR this afterwards. Okay, so this is me learning how to use HackMD for the first time. This is a sweet tool, and thanks for studying the subject.
A
So what we're editing is this file, which is our weekly TGIK episode 45 file, and this week we have a picture of a kitty because Calico. I wish this was a cat that I knew, and I thought afterwards how I totally could have used a picture of my partner's cats, but I just picked a random kitty anyway. So hopefully we'll do some of the other tinier and tools, so I can actually use your own kitty pictures, but anyway we have the Calico picture there.
A
Let's see what folks have been saying in chat, dum-dum-dum. So our nan says hi folks. Adelle, good to see you. Suresh, greetings from Hamburg. This is my favorite part. Rory, evening. Luciano says episode 25. Do we have episode 25 somewhere? Maybe there is a typo on my end. Keith, hello from Scotland. Ed, hi from Starbucks. Good to see you, Ed. I love Starbucks, I really do. I like pumpkin spice lattes.
A
Let's see: greetings from North Carolina, hello from London. He says old, hello from in Montreal, Toronto. Tim car. To me, good to see you. Simon, greetings for Bordeaux. Justin, welcome back. Jesse, wave, good to see you. Australia. There's a lot of folks today. Alex says hello from San Francisco, happy Friday. That looks good to see you. I thank you for all your help.
A
This week, Alex, and I can't wait to make it back down to you, San Francisco, so I can hang out with you folks at the Tigera office and see how you guys have been doing. Let's see here, we have hello from bond. We have a lobe from Portland, Germany, let's see, howdy from Vegas, and I think folks are trying to help me with HackMD there. And then another person, Duncan from San Francisco, Carl from New Zealand, Leonardo head from Brazil, San Diego and Turkey. Okay.
A
Sixty days has been folks kind of like wondering about CNI and wondering about which one they should use, and our third, it's like metrics on them, and if people have like good ideas on which ones to use, or more importantly like, why do we need them? And what does it even do? So
A
I don't know, because I haven't played with really any other ones as much as I played with Calico, but we're going to be doing Calico today. And if you look at the kubicorn bootstrap scripts, this is like a good little trip down memory lane here. When we released kubicorn at GopherCon a year ago, I remember we ran into a problem that we're actually gonna replicate today. That's how we're gonna learn about Calico: to actually replicate this problem.
A
When we first released kubicorn, which was we couldn't actually schedule any pods on our nodes, and I remember Kelsey was there and he swung by our table, and he said, oh, you know, I just solved this in something else I was doing, and he gave us this little one-liner here. And a year later the one-liner is still there, and if you look, it just does the Calico install. So this is totally where we're gonna start hacking into Calico.
A
Oh wow, we have even more people, so it looks like folks are excited about learning about Calico and learning about CNI. I know I certainly am. We've gotten great feedback this week. So hopefully we can do a couple of really solid CNI episodes here and really go deep into sort of the technical networking stuff in Kubernetes and understanding how it works, and why did we need it, and how it's doing what it's doing. So more folks.
A
Here we have Marc from California, we have Sanket from Naperville, Boston, Bosnia, Minnesota, Germany. I think this is our first London. Hi natter, good to see you. I think this is our first India. Oh, and Mark says it's International Beer Day. Well, why am I drinking Diet Coke if it's International Beer Day? I wish there was somebody else here at the office who could totally bring me a beer for TGIK, but we'll see if we get lucky enough. Okay.
A
So let's go look at our document here and see what's been going on in Kubernetes this week. So I put together a long list of commands that we can use as we're debugging Calico and as we're looking at the Kubernetes system, and a lot of these commands give us some visibility in what the host is doing behind the scenes. And then down here at the very bottom, we totally have some reference links. More people: hi from Columbia and hi from Turkey. Good to see everyone.
A
So if we come here, and actually I think Jorge, let me just check really quick, I think Jorge might have added other links here. Maybe not. Okay, but well, oh yeah, here they are. So we're gonna go through all these here in a second, but I want to call out this one first, this if you want to start reading and looking at some of this as we go through the what's new in Kubernetes this week.
A
This is a good place to start, and this is going to start to at least let you as a person think about what CNI sort of does behind the scenes and how we're going to interface with it. But if you want to check this out, we're gonna go through in depth later, but this is a good starting point if you want to pull that up in another tab next to my beautiful handsome face. That's a good idea!
A
Okay, so here let's see what our Week in Review is. So it says: Linux Foundation is having a sale on Kubernetes training. It's a sysadmin day sale. Oh, that's pretty cool. So it looks like we're cutting prices at the Linux Foundation, come on down. Looks like we're getting some systems administration bundles for like less than half off. They have an engineer program. It looks like something for OpenStack and Kubernetes admin. So this one's cool. I've heard some good things about this, and I know we have the Kubernetes exams that you can.
A
You can get the CKA exam and there's Kubernetes fundamentals. This is a great program. I've heard folks who have taken it, you know, they've gotten great jobs. After the fact they don't know board about Kubernetes and they really increase their value as an engineer and as a systems administrator. So that's a great program there. Let's see, Sebastien Goasguen talks about Knative build primitives. So Joe and I have this like running banter that we're both usually pretty busy on the Fridays.
A
We don't do TGIK, so it's actually pretty hard for us to watch the other one's TGIK, because that's like our Friday to kind of catch up. So I only was able to catch a few minutes of Joe's last week, but everybody I've talked to has been freaking out about how great it was and how much they enjoyed it. So I still need to brush up on my Knative as well, so I definitely need to watch Joe's to you.
A
Okay, so I can speak intelligently about this new tool that came out of Google, but yeah. It looks like there's this whole block here that talks about the build primitives and getting it set up, and looks like it's building it from source, and it looks like it kind of goes through Knative, probably in a similar fashion that Joe did. So this is a good step and a good resource if you want to go and explore Knative more on your own. And then, of course, our friend Sebastian always writes wonderful technical pieces.
A
So I'm already pretty excited about this, just because I've read some of his other stuff, and it looks really good. So coming up next, we have KubeCon. CFP closes on August 12. I've had a lot of folks, both from TGIK and my work in upstream Kubernetes, reach out to me, have even gone out of my way to meet with a couple of folks, you know, to talk about KubeCon CFPs. This Monday is my big CFP day.
A
Okay, so this is Lachie talking about the new Kubernetes VS Code extension. So I remember seeing Ralph, another old colleague of mine from Microsoft who I keep in touch with. I saw Ralph do a live demo of this, and this was pretty mind-blowing. You were able to actually go in and edit Kubernetes YAML right there in VS Code, and it really made like navigating Kubernetes, editing Kubernetes resources, exploring Kubernetes resources a lot more user-friendly, and it was a really, really cool extension.
A
So I'll probably be checking this out later and even thinking about switching back to VS Code, just because a lot of the stuff that I've been doing in Emacs is already solved with tools like this. So check out Lachie, he's a great guy, giving us a demo over VS Code using the Kubernetes extension. That's a great one. I think George is the one who found that link, so hats off to George. We have KubeVirt: extending Kubernetes with CRDs and virtualized workloads.
A
The thing that jumped out to me was less about KubeVirt and what KubeVirt does, although I'm sure KubeVirt is a great tool, but this little snippet here: why use CRDs over aggregated API server. This is an interesting read for folks who are looking at building out, you know, a little more complicated software on top of Kubernetes. This is a big discussion we've had in the cluster API working group under SIG Cluster Lifecycle, where we went from CRDs back to an aggregated API server, and now we're on our way back to CRDs again.
A
So there's a lot of pros and cons to each approach, and I think, you know, having a good compare and contrast there is going to be helpful. Anyway, KubeVirt is the Kubernetes add-on that provides users the ability to schedule traditional virtual machine workloads side by side with container workloads. OK, cool. So I think Joe was tweeting about this the other day, where it was, or somebody tweeted about Joe saying this at Alikhan yesterday or something, which was like, you know, virtual machines and containers now exist side by side and it's just a matter of picking.
A
What's right for you and your team. Looks like KubeVirt is a totally great example of a time where you could sort of run containers and virtual machines sort of in concert with each other, depending on your use case and how you want to approach running your software. This sounds exciting for folks who are, you know, going down that moving-my-monolithic-application-to-Kubernetes journey, where they may already have their application configured to run a certain type of virtual machine.
A
So this is a pretty cool read if folks want to come check that out as well. Edge computing at Chick-fil-A: you guys can read that if you want, I'm not going to pull that one up. NFS persistent volumes with Kubernetes, yeah, so it's a case study here. So, let's see, NFS persistent volumes with Kubernetes, which NFS is pretty much the common way of doing any sort of network file storage, and you can use that with PVs and PVCs.
A
You know, NFS server inside of Kubernetes, so this is a pretty cool read, and this would be really handy for folks who want to do some pretty cool things with keeping your data stored off-site or even taking data that already exists and plugging it into an application running on Kubernetes. So this is a great read as well.
A
Okay, so that's what's new this week in Kubernetes. Also, over the past, like, probably four or five TGIKs that I've done, I've always made it a point to go through and do like a really quick Golang 101 for folks, and I didn't get a chance to get around to coming up with anything this week. So this is a call for questions. If anybody has anything in Go that they want to ask me, I'm happy to like write some really quick code in a few minutes and just answer the question.
A
Chances are other folks have also wondered the same thing that you're wondering, so even if you think it's silly or something small, but it just doesn't make sense to you, feel free to drop it into chat and we'll see what we can do. Okay, like big deep breaths, we did that in 18 minutes, which was a good intro, and I think it's time to start hacking on Calico. So, let's look at what we have here.
A
So here's my terminal, and I want to go into my GOPATH: FDOT, tak and go into episodes. Also, can you folks tell my hand is doing way better? I'm able to type and actually navigate the Linux file system like at the speed I used to. It's so much better to be able to navigate the Linux file system quickly again. That was really hard for a while. Anyway, we go into 45, and here we have, let's do a tree here. We have the readme, which is what we were just looking at.
A
We have a directory called kubicorn, and in there we have a shell script called Amazon k8s Ubuntu 16.04 master, and we have another directory called TGIK Calico, cluster, cluster.yaml. So what we're gonna do is we're gonna nuke the kubicorn TGIK Calico cluster and we're going to create a new one. Lemat e says: oh, we have some coke questions in here. It looks like Steve says: difference between normal mutex and read-write mutex. That's a good one!
A
I don't know if we have time to go into the whole read-write mutex and how it's different than a regular mutex. LeMat e says: if no one answers, what are your thoughts on versioning? Thoughts on versioning, that's a good one, because I can just rant about this, and this is a little more high level, so I feel like I can do this really quick. On versioning, like if you remember Sam's keynote at GopherCon last year, it was sort of like a call for action for folks to begin versioning.
A
Their Go programs. And I think, you know, the Go community is just constantly in this struggle to figure out what we're doing with package management and versioning, and I feel like every six months there's like a new hero and a new effort. I really thought dep was going to be the winner, but I think we're exploring other ideas right now. I contributed to dep, so there was a fair amount of heartbreak.
A
For me, when I found out that my work there, anyway. So yeah, I think versioning your Go programs is important. No matter how we're going to end up ultimately solving package management and dependency problems in Go, I think versioning and adhering to a strict semantic versioning policy for your Go program is going to be important.
A
So, no matter if you want to use dep, if you want to use glide, if you're going to use some new tool, if you want to use vgo, if you're going to put it into some sort of package management, having semantic versioning helps folks, and it also really helps folks who are trying to vendor your program understand when they can expect a breaking change.
A
Think it's a good habit for folks to get into, and I think, you know, there's tools out there, like there's some millions of versioning packages that make it much easier and sort of enforce the semantic versioning where, if you do make a breaking change, it will detect that and then actually say no, you need to bump this or we're not going to let you like push up there. So you can build that right into your build pipeline as well.
A
So a good question, though, Matti. I think versioning is important, and if you're not doing it, you should do it, and you'll thank yourself later, and the rest of the Go community will thank you as well. Okay, so, anyway, back to kubicorn. I just nuked our old state store that I was using before TGIK, and we're going to do this thing on the fly. So if we go back into our episode here, this is how we're gonna set up our kubicorn cluster.
A
So we're going to create that YAML file that we just deleted using this command, and I want to kind of show folks the command and then show you what happened here. So we said kubicorn create TGIK Calico. This capital S stands for state store, so we're telling it to make it in this kubicorn directory here. -p aws, telling it that we want to create a cluster in Amazon, and then the -M, it means we're gonna mutate the master provider config, and we're gonna say in the server pool.
A
We want to set the first bootstrap script, zero index, so the first one, is equal to, this is a local reference, the kubicorn directory and the name of our shell script, which is of course right here. So if we actually look at the shell script, we can see, we'll do a side by side. We can see how this differs from the normal kubicorn bootstrap scripts. So Amazon k8s Ubuntu, and I tweeted about this earlier today, was like, this program.
A
Makes this way too easy to like come in and just add little one-liners to make your Kubernetes cluster just special for you. So the first thing I did when I came in here is I added Emacs 24, so that when we SSH into our master later and start looking at Calico, we'll have Emacs to explore it in. And I added this alias here, which there is a, like, you can copy and paste this out of the markdown. This is great if you ever need to list all of the iptables rules for every table.
A
This is a great little handy alias, and it fits the iptables subcommand syntax, so we're adding that to the end of our bash profile. And down here at the end, this is just a normal Kubernetes bootstrap script. You can see them in the kubicorn bootstrap repo, which is linked in the readme as well. You can see I have this big doc block here.
A
That says note we hack in here for TGIK, and then this is where we uncomment the Calico installation that normally ships with kubicorn, and then we apply our cloud provider and we do some like weird stuff on the file system so we can get our kubeconfig later. But we're intentionally deploying a broken cluster so that we can start to explore the filesystem and explore Calico and see how it works, to see what it's doing. Okay, let's see here, so we have a question.
A
It says: Debenhams, root, I'm sorry, I can't, I'm not going to try. Anyway, we have a question and says: Kris, your thoughts on dependency management tools in general and new vgo stuff specifically, when you get a chance. So I think dependency management is just fundamentally a hard problem, and the Go programming language keeps introducing new features that actually make dependency management even harder, but it makes programming in Go much easier. Vanity package name imports is a great example there. I think I haven't really used.
A
vgo. I just use dep and usually 99% of the time it works for me. I'm really busy, so I actually don't get much time to actually go play with new software because it's fun. Most of the time if I'm playing with software it's for TGIK, and otherwise it's pretty much full time doing my work here at Heptio or getting ready to go climb a mountain. But maybe we can do a TGIK on vgo, or maybe we can bring it up in a future episode.
A
If you want to open up an issue in the TGIK issues tracker in GitHub, which is of course here, you can come in here and add an issue and we will definitely try to check it out. So Golang or new terminal, and then of course, I don't know if Joe's used it, maybe Joe has opinions. There usually have chose you something he has opinions better worth listening to, usually. Okay. So let's get out of Emacs, that's our shell script there, and now we can run our kubicorn apply command.
A
So while we're waiting for that, we can talk about what's going on up in the cloud right now. So I think I've done an episode on kubicorn, most folks have used it, and all we're doing is creating some infrastructure. We have a brand new VPC. We have a brand new internet gateway, and we're creating some rules and policies and poking some holes in the firewall, and we're creating a route table.
A
Syed says: I wish there was no such thing as GOPATH. How about you? I love GOPATH. Ever since I learned GOPATH, like, I was frustrated for maybe five minutes, and you know, three or four years later, I still love my GOPATH. But a lot of folks I've met, a lot of C programmers, a lot.
A
Otherwise, I know we've all been in situations in Python where we have like Python virtual environments and Python differently in one directory than it does in the other, and then you get into some really weird behavior that you gotta kind of keep track of, and it becomes a support burden for the programming language over time. GOPATH just says we can guarantee it's going to be like that and it's going to work well.
A
The name of this repo, a directory in the repo, a file in that directory, like, I just like that flow, and I feel like it's a good level of balances. So anyway, we have completely deployed a broken Kubernetes cluster, and I should be able to get nodes and see. Yes, we do have two nodes up and running, and we're gonna open up a couple tabs here, and I'm gonna kind of get my command station set up. So you grab some time cook first. Okay, so I'm gonna do a new tab.
A
I'm gonna zoom in here. I cancel that, I just opened up the printer for some reason. Okay, zoom in, and then let's do a resize. Cool. Looks like we have a question. Bjorn says: I'm still curious why did choose the CNI over others, would be nice to know. Cilium says to use BPF instead of iptables, get more performance if I understand right.
A
What about this? So again, Bjorn, I'm just now starting off exploring the other CNI providers. I picked Calico just cuz I've used it before. As we move forward, I'm hoping that, in the end of the series, we're gonna be able to use Calico as sort of our control variable here and compare some of the other ones. And I think what Bjorn is hinting at is that, and we're gonna learn this as we certainly start looking at how Calico is working behind the scenes.
A
Is that there's two main concerns that Calico solves and that you'll see with other style tools, which is enforcing network policy as well as actually helping with the pod networks on the host system. And in this case Bjorn is alluding to the fact that Calico uses iptables as one of their deferred implementations of building and managing and mutating these pod networks, and it looks like this new tool Cilium, that I've heard a lot about but I have never used, uses BPF instead as an alternative.
A
So I think this is more of like, you know, two ways to skin the same cat, and there's probably pros and cons to each one, and hopefully we'll learn those a little bit more as we start looking at them. I was kind of thinking about doing Cilium next, just because I've been hearing a lot about it and I want to see how it sort of compares to Calico moving forward. And Tim, thanks for joining. Tim says BPF is still nascent in Kubernetes. Great comment, thanks Tim. Okay.
A
Tim Clare says cat puns, yay. I'm glad you picked up on that, I thought it was perfect. Let's deploy a pod, so k run nginx --image nginx. So this little command I just typed, I remember one of my old colleagues at Microsoft, Matt Tucker, he said this to me like at work one day. He was like, yeah, I just do a k run nginx --image nginx, and I was like, what do you mean? And this is actually one of my most commonly used debugging commands to this day.
A
I've still been using it like two years later, and all this does is it just runs an nginx pod that serves as an HTTP server, and you can use it for a million and one different things. So if this is not in your Kubernetes debugging repertoire, you should definitely add it now. It's a good one to have. It looks like George says: reminder, though, for those of us just joining us, you can help us take notes. So yeah, there's a HackMD.
A
If you want to go and log in and contribute to the notes, that's always appreciated. Okay, so let's run app on and it'll create a deployment with a replica set of one, and we can go and look through all that, but we're just going to trust that deployment in Kubernetes is doing its thing, and let's just see our pod here.
A
So we have our nginx pod, and that is in status pending, and we'll explore that a little bit more later. And let me clear the screen over here and let's SSH into our master, so we can start to kind of see things side by side. I'm hoping to kind of do, like, on the left side here, this is what's going on on the server, and then the right side, this is like a user who's trying to interact with Kubernetes, and what are they doing and what's happening on the server behind the scenes.
A
Let's make sure Emacs works, and beautiful, it does. So yeah, that was a great bootstrap script hack. Thanks, kubicorn, pat myself on the back there. And let's see what's going on with this pod. Chrome fire says: isn't there kuard for debugging deployments? Yeah! That's the thing Joe uses all the time. I just like to use nginx because it's just an old habit of mine, but kuard actually does a lot more. It does.
A
Some cool DNS lookups and it serves a nice dashboard, and nginx has a good landing page for folks. So that's a good one as well. I've actually never run it before, but I could try it out one time. Maybe one time on TGIK I'll just try to run it on the fly, YOLO, and just see how it works. That would be actually kind of fun. David says: k run nginx --image nginx --dry-run -o yaml is cool, also get a quick
A
YAML template for a deployment. Dem says: kube-proxy switched away from iptables to IPVS if I remember correctly, does Calico support that today? We're gonna be looking at kube-proxy mutating iptables rules, 100%, that's gonna happen, and I don't know about Calico. I know we have engineers from the Calico team here with us, so hopefully they can jump in and give us a little bit of guidance on questions like this. Well, Maddie has a question for Tim: BPF XDP support also isn't available.
A
Most standard operating system releases. If you run bleeding-edge in production, that has got to be fun. I mean, bleeding-edge in production, this is a Kubernetes live stream, right? That was a joke. Come on, I'm killing it today, you guys. Yes, Cal Alec says yes, Calico supports IPVS kube-proxy. Good to know. Okay, so we're here on our server in our home directory, and I want to see what's going on with this pod.
A
So, you know, to tell a story: we're here at GopherCon, we just got Kubernetes up and running with kubeadm. We're excited. We tried to run a pod just to see what happens, and poof, we're stuck in pending, and nobody knows what to do, and then we start to go through this. Oh wait, and install CNI.
A
We have to figure out CNI. A story, but a lot of folks, I'm assuming, have gone through the same journey, and I'm gonna kind of point people all the way through it, actually understanding why this pod is in status pending and how that relates to the Calico tooling, and how that relates to the different various pieces of software running on our server over here. So the first thing, I'm gonna, give him and.
A
So if you come in here, you get some good information, and if a pod is ever in status pending, it's good to do a describe on it, because clearly you're not gonna be able to get logs because nothing is running. So this is usually a good starting point to at least get some visibility in what's going on with Kubernetes and why your pod isn't starting. So if we come down here at the top, we can see that yes, it's a replica set from our deployment called nginx.
A
It's running the default nginx image, and if we look, let me see if I can scoot this thing over to make it a little more legible. If we look as we scroll down, it says pod scheduled false, default token, yadda yadda, there's some taints and tolerations, and it's failed scheduling. Zero of two nodes are available. Two nodes were not ready. So if we come here and we do k get nodes, we'll actually confirm that two of our Kubernetes nodes are in status not ready. This is interesting.
A
Behavior. This status on a node is important, because if a node goes into status not ready, the cloud provider might do some interesting things like mutating the ELB behind the scenes or even turning that off, if you have one configured. And also we'll try to, actually, never mind, we're not going to go into that today. So anyway, we want to get these nodes into status ready. So how can we see what's going on with these nodes?
A
So we can do a describe on the nodes as well, which is pretty handy. So we can do k describe. Actually, let's get the name of the node. Let's do k describe node. This is our master node here, and we can see what's going on here, and this gives us a little bit more visibility into the actual underlying server that is running Kubernetes on top of it.
A
So
if
we
scroll
all
the
way
up
to
the
top
we'll
go
through
this
thing
again
kind
of
line
by
line
you
can
see
here
we
have
some
conditions
and
we
have
some
statuses
here
that
looks
probably
that's
about
the
best
I'm
gonna
get
it.
So
it
looks
like
we're
having
some
out
of
disk
some
memory
pressures
and
disk
pressure
at
first.
These
can
look
at
lahrman,
but
the
one
that
is
really
kind
of
standing
out
at
me
is
this.
Last
one
here:
kubelet,
not
ready,
runtime
network,
not
ready
network,
ready,
equals
false
message.
A
Docker
network
plug-in
not
ready,
cni
config
uninitialized
okay.
So
what
that
is
telling
me
as
a
systems
administrator,
is
that
the
kubelet
is
having
problems
on
the
server,
because
it
cannot
find
what
it
needs
to
for
CNI.
So,
let's
look
at
how
the
kubelet
is
going
to
be
looking
for
various
CNI
providers,
so
we
do
that
by
SSH
into
our
server
here
and
we
want
to
check
out
the
kubelet
logs.
A
So
this
is
a
great
command
folks,
if
you
haven't
run
this,
it's
actually
quite
rewarding
because
you
get
to
say
journalctl
-fu
kubelet,
which,
if
the
kubelet
ever
breaks
and
you're
trying
to
debug
something,
that's
pretty
much
what
you
would
be
saying
anyway.
Oh
journalctl,
journalctl
-fu
kubelet
and
we
can
actually
get
the
kubelet
log.
That's
running
real
time.
So
the
way
the
kubelet
works
is
it
runs
as
a
systemd
watched
service
on
the
node.
It's
not
running
in
a
container.
It's
actually
a
true
system
service.
A
So,
if
you're
familiar
with
how
systemd
works,
you're
going
to
be
very
familiar
with
how
to
debug
the
kubelet,
which
this
experience
is
significantly
different
than
debugging
a
pod
or
a
node
that
we
did
over
here
in
this
screen
a
few
minutes
ago.
So
if
we
come
through,
we
can
enter
some
some
space
here.
A
A
It's
it's
tells
you.
The
different
conditions
is
checking
for,
but
it
says
false
do-do-do-do-do
right
here.
So
if
we
select
this,
it
says
out
of
disk
status,
false.
So
that's
what
David
is
referring
to.
So
these
are
just
checks
that
it
does
no
matter
what
and
then
I'll
just
give
a
little
piece
of
output
on
it.
That
says
what
is
going
on
with
that
check
and
if
you
actually
look
it
says
kubelet,
it
has
sufficient
disk
space.
A
I
have
sufficient
memory
pressure
available,
so
the
kubelet
is
happy
in
those
regards,
and
then
we
get
down
here
to
the
bottom
and
it
says
not
ready
and
we
have
a
message
on
why
that
one's
not
ready
so
a
little
more
clarity
there
and
let's
pull
up
this
documentation.
So
we
can
see
what
the
kubelet
is
doing
by
default.
A
It
is
here
I
think
at
the
bottom
BAM,
so
we
had
some
folks
helping
me
in
the
tidy
air
channel
earlier.
This
is
a
great
link
they
provided.
This
is
the
link
I
said
at
the
beginning,
the
episode
you
should
go
check
out
that
we're
gonna
get
to
a
little
bit
later.
So
if
you
did
read
it,
you
already
are
step
ahead
of
the
game
here,
but
we'll
go
through
this
for
folks
who
have
not.
A
So
this
is
the
kubernetes
documentation
that
talks
about
CNI,
and
if
you
look
it
says
the
CNI
plugin
is
selected
by
passing
the
kubelet
the
network
plugin
equals
cni,
meaning
we
can
have
multiple
network
plugins.
The
CNI
is
just
one
like
type
of
network
plugins
that
you
could
use
in
kubernetes
and
then
we
have
cni-conf-dir,
which
default
is
/etc/cni/net.d,
and
then
we
have
cni-bin-dir
which
defaults
to
/opt/cni/bin.
So.
A
If
we
go
back
in
our
file
system,
we
can
actually
see
what
flags
are
passing
into
the
kubelet
by
going
and
checking
out
the
unit
file
in
the
/etc/systemd/system
directory.
So
we
go.
Let's
see
what
I
do
here,
/etc/systemd/system,
and
in
here
you
can
see
all
our
unit
files
that
were
watching
to
a
systemd
and
I
just
know
this
was
here
because
I
wrote,
kubicorn
and
I
know
we
used
kubeadm
and
I
helped.
You
know,
bring
all
this
stuff
to
life.
A
So
this
you
know
it
might
look
different
on
your
file
system
here,
depending
on
what
tool
you're
using
the
bootstrap
kubernetes.
So
if
you
actually
look
at
what's
going
on
in
the
systemd
system
kubelet.service.d
directory,
we
can
see
all
of
our
configuration
bits
for
the
kubelet.
In
this
case
we
have
two
files.
Here
we
have
kubeadm
conf
and
cloud
provider
conf.
We're
going
to
cat
both
out
at
the
same
time.
So
we
can
see
all
the
flags
that
were
looking
for,
and
so
here
we
go.
A
We
have
our
first
service
file
that
starts
here
and
we
have
our
second
one.
That
starts
here.
The
second
one,
pretty
much
all
it
says,
is
cloud
provider
your
equals
AWS,
which
is
just
enabling
the
amazon
cloud
provider.
But
this
first
bit
is
broken
up
into
different
sections
here,
where
we
have
kubelet
config
args.
We
have
system
pod
args,
we
have
network
args
and
that's
like
me,
as
a
systems
administrator
going,
aha
I
know
I'm,
looking
at
where
we're
passing
in
a
ton
of
arguments
to
the
kubelet
and
sure
enough.
A
By
default
we
have
network-plugin
equals
cni,
cni-conf-dir.
We
actually
reset
it
to
the
default
already
is,
and
we
keep
our
cni-bin-dir
the
same.
We
reset
that
to
the
default
as
well.
So
the
hacker
in
me
is
like
okay,
let's
go
see
what's
going
on
in
the
/opt/cni/bin
directory,
so
earlier
today,
I
came
in
here,
and
this
was
created
by
kubeadm
when
we
I'm,
assuming
this
was
created
by
kubeadm,
a
good
question
for
a
kubeadm.
A
Folks,
maybe
10,
could
you
give
some
color
here
on
what
actually
created
this
on
the
file
system
for
us
anyway?
We
have
a
couple
of
different
executables
here
and
like
of
course
me
being
the
hacker
that
I
am
I
was
like.
Ok,
let's
just
go
ahead
and
see
what
flannel
is
and
it's
a
compiled,
executable
and
I
was
like.
Ok,
let's
just
run
it
Yolo,
so
I
ran
flannel
and
I
got
this
like
CLI
command
in
the
variable
machine
and
I
got
a
little
snippet
of
JSON
and
I
was
like
ok.
A
Well,
that's
not
very
fun.
Let's
try
a
different
one
and
I
said:
ok,
let's
run
IP
deal
and
it
said:
ok,
that's
not
very
fun.
Let's
try
different
when
I'm
wearing
VLAN
and
I
went
through
and
I
ran
all
at
least
one
at
a
time,
and
this
is
where
I
went.
Oh
I
should
probably
tell
people
about
CNI
and
why
it
is
the
way
it
is
and
why
all
of
these
commands
are
looking
and
feeling
almost
exactly
the
same,
even
though
they're
different.
A
So
let's
pull
up
the
CNI
specification
here,
CNI
spec
to
do
containernetworking/cni
so
I
know,
there's
some
rich,
rich
history
here
of
folks
in
kubernetes
networking
in
the
kubernetes
container
space
about
bringing
this
specification
to
life.
Oh
my
gosh
I've
contributed
to
this
file.
I
really
didn't
I.
Don't
even
remember
I
guess:
I've
contributed
to
this
file
in
the
past,
but
anyway,
I
guess
people
came
in
and
said
you
know
we
were
doing
things
differently.
A
A
Okay,
so
that's
the
package
that
actually
created
the
the
binary
files
that
we're
looking
right
in
it
at
right
now,
which
it
gives
us
these
various
CNI
executables
here
in
this
/opt/cni/bin
directory
anyway,
going
back
to
the
spec,
the
history
here
being
folks
came
together
and
said:
okay,
we
would
like
for
each
of
our
plugins
to
sort
of
behave
the
same
and
we're
actually
going
to
standardize
an
interface
and
the
word
interface
is
kind
of
hard
for
a
lot
of
people,
especially
the
folks
who
are
new
to
go,
or
maybe
even
new,
to
kubernetes
interface
doesn't
always
necessarily
mean
like
a
go
interface.
A
It
just
means
what
is
the
surface?
How
would
another
component
on
our
system
interact
with
this
other
component
and
in
the
case
of
CNI
we're?
Actually
our
interface?
The
point
where
the
rubber
meets
the
road
is
actually
just
doing
a
shell
exec
of
these
various
commands
and
the
way
that
we
standardize
how
kubernetes
is
going
to
do
a
shell
exec
of
these
commands
is
by
enforcing
that
commands,
behave
in
a
standardized
way,
meaning
that
you
always
get
these
same
error
messages.
A
It
literally
just
goes
through
and
talks
about
how
you
would
structure
your
output
and
what
your
input
should
look
like
and
then
I
gives
you
like
some
guidance
on
like
if
you
want
to
develop
your
own
CNI
plugin,
you
can
come
through
and
you
can
like
write
your
own
program
that
is
CNI
compliant
and
then
you
could
actually
configure
kubernetes
to
talk
to
your
CNI
plugin
in
the
same
way
that
we're
about
to
configure
kubernetes
to
talk
to
you
calico,
so
that's
pretty
cool.
You
could
write
a
CNI
plugin
in
bash.
A
If
you
wanted
to
and
we'll
talk
a
little
bit
more
about
what
CNI
is
actually
doing
once
we
get
calico
installed
and
up
and
running
okay.
So
back
in
our
terminal,
we
saw
that
the
kubelet
up
here
was
giving
us
some
errors.
We
don't
have
calico
up
and
running.
We
saw
that
we
have
some
CNI
executables
here,
but
we
don't
have
calico
installed
and
if
you
remember,
I
commented
out
that
command
a
little
bit
earlier
and
we
can
go
ahead
and
run
that
command
here
on
the
the
server
to
actually
install
calico.
A
But
before
I
do
that
I
want
to
just
we're
not
gonna,
go
super
deep
into
IP
tables,
but
I
just
want
to
show
some
metrics
here.
So
folks
can
actually
see
that
we're
demonstrating
that
IP
tables
is
in
fact
being
mutated
by
these
various
parts
of
our
system.
So
I
have
this
alias
called
IP
tables
list.
All.
Did
that
not
work
me
when
you
have
this
really
quick
I
thought
that
alias
would
have
worked.
A
So
let's
go
back
grep
for
alias
copy.
This
line
go
back
in
our
terminal
close
out
of
there
and
let's
see
what
we
have
now
yeah
iptables
list
all
ok,
so
we
can
do
an
IP
tables
list
all,
and
this
is
going
to
show
us
every
IP
table
rule
we
have
and
the
way
IP
tables
works.
Is
you
have
different
tables
that
do
different
things?
I'm,
not
an
IP
tables,
expert
I!
Don't
ever
want
it,
be
an
IP
tables
expert,
every
time,
I've
messed
with
IP
tables.
A
It's
been
a
bad
day,
but
hopefully
today
it's
going
to
be
our
first
good
day
that
work
with
iptables.
Anyway,
if
you
come
in
here,
you
can
actually
look.
It's
called
iptables
because
it
sort
of
outputs
in
this
like
sort
of
UNIX
parlance
of
a
table
here
and
as
we
go
through,
we
can
actually
see
that
we
see
a
lot
of
kubernetes
bits
in
here.
For
instance,
we
have
this
cube
forward
rule
and
if
we
scroll
down,
we
actually
see
docker
down
here.
A
We
can
come
down
here
and
we
can
see,
there's
some
Kubernetes
firewall
rules
and
then,
if
we
keep
going
we'll
actually
see
that
we
have
cube
system
dns
up
and
running,
and
we
have
rules
here,
and
so
what
this
is
doing
is
this
is
allowing
various
bits
of
our
computer
to
talk
to
other
various
bits
of
our
computer
over
like
traditional
networking.
That's
what
IP
tables
does
and
we
use
this
a
lot
in
the
container
world.
As
we
start
to
sorry,
Tom
just
dropped
a
message
already
in
a
second.
A
A
The
IP
tables
level
of
the
system,
which
is
pretty
low
on
the
scale
of
things
it
actually
turn
bits
on
and
off
that
only
allow
various
parts
of
our
system
to
communicate
with
each
other,
and
if
we
keep
scrolling,
you
can
see
that
we
have
node
ports
and
we
have
like
more
kubernetes
services
and
then
somewhere
in
here,
there's
cube
proxy
rules.
I,
don't
know
if
I'll
be
able
to
find
them
off
the
top
of
my
head.
So
let's
do
a
grep.
So
let's
do
our
IP
tables
list
all
command.
A
Grep
will
do
I
for
cube
proxy.
Ok,
so
now
we
got
everything
out
of
there.
Ok,
that's
not
gonna
be
helpful
anyway.
I
did
see
some
kube
proxy
stuff
in
here
earlier.
If
folks
want
to
go
and
look
through
IP
tables
rules
and
actually
try
to
make
sense
of
which
every
individual
rule
is
doing,
feel
free
to
have
fun
I'm
more
concerned
that
there's
really
really
great
engineers
at
companies
like
Tigera,
who
brought
us
calico
that
have
gone
through
and
pulled
us
up
above
all
this.
A
So
we
don't
necessarily
have
to
get
involved
with
with
what's
going
on
behind
the
scenes
here.
So
thanks
again
for
doing
all
this
for
us,
so
one
more
thing
I
wanted
to
point
out
before
we
install
calico,
is
that
we
do
an
ifconfig
you'll
actually
see
that
we
have
a
network
interface
defined
here
on
the
system
for
Docker,
which
is
pretty
cool.
A
If
we
didn't
have
docker
installed,
we
wouldn't
have
this
network
interface,
and
this
is
going
to
be
relevant
as
we
start
looking
at
how
different
IP
tables
rules
are
interacting
with
different
devices
moving
forward
so
as
you're
debugging
your
system
for
CNI.
These
are
things
to
keep
in
mind
and
you
can
actually
go
and
and
keep
an
eye
on
some
of
these
things.
A
As
you
make
rules
later
and
Cl
a
trickle
down
stream,
so
let's
install
calico
so
how
we
do
that
is:
let's
go
back
to
our
shell
script
here
and
let's
copy
this
command
that
I
commented
out
earlier.
So
this
is
designed
to
be
ran
on
the
server.
You
could
run
a
similar
command
here
on
your
local
file
system,
but
we're
gonna
actually
run
this
directly
on
our
server
and
I'm,
trying
to
think
cuz.
It
takes
it
a
calico,
a
few
minutes
to
spin
up
I
think
we
probably
want
to.
A
Run
I'm
sure
I
think
no
we're
gonna
wait
and
run
this
because
we
can
actually
watch
different
parts
of
calico
be
created
real
time,
so
we're
actually
gonna
look
at
the
YAML
first
and
then
run
it
and
not
do
it
concurrently.
So
how
we're
gonna
look
at
the
YAML
is
I'm
going
to
create
a
whole
new
tab,
I'm
going
to
zoom
in
and
come
here
and
I'm
going
to.
Instead
of
doing
a
kubectl
apply,
we're
gonna,
do
a
wget.
A
A
Moved
permanently
is
this
not
wanting
to
resolve
there?
We
go
what
else
look
at
our
YAML
here,
that's
fine!
So
we
have
a
config
map
that
resides
in
the
kube-system
namespace
and
I.
Guess
before
I
go
too
much
deeper
into
looking
at
what
actual
resources
are
created
here
this
is
the
the
Calico
command
we
use
in
kubicorn
and
if
you
actually
go
into
the
Calico
documentation
and
says
how
to
install
calico,
let's
go
ahead
and
pull
that
up.
You
can
see
there's
a
couple
of
different
ways:
project
calico,.
A
Introduction
is
there
an
install
anywhere
here.
I
haven't
actually
looked
at
this
in
a
while,
oh
yeah,
that's
just
I'll
redirect
thank
you
for
pointing
that
out.
Yeah
no
I
know
SSL
and
all
follows
redirects.
That
is
just
like
being
lazy
and
in
the
moment,
okay.
So
how
getting
started
Calico
with
kubernetes?
Is
there
install
here?
We
go
so
install
calico
with
the
following
command.
This
isn't
what
I
looked
at
earlier.
A
A
It
actually
read
this
line
by
line,
but
if
you
actually
want
to
learn
about
a
lot
with
what's
going
on
here
and
the
documentation
in
line
here
is
fantastic,
I
configure
the
calico
back-end
and
then
it
says
the
cni
network
configuration
to
install
in
each
node.
So
this
is
cool,
because
this
is
actually
a
snippet
of
JSON
that
we're
going
to
be
able
to
find
on
our
node
a
little
bit
later.
If
we
come
down
here,
we
have
this
daemon
set,
which
this
is
the
component.
A
Introduction,
okay,
so
you
hear
all
the
different
ways
to
install
calico
this
what
I
was
trying
to
get
to
earlier.
So
this
is
just
the
quick
start
for
calico
and
kubernetes.
Thanks
for
the
pointer
Eric
anyway,
this
daemon
set
is
the
piece
that's
gonna
come
through
and
configure
calico
and
configure
the
host
system
behind
the
scenes
for
getting
CNI
up
and
running
and
actually
dropping
off
the
Calico
binaries.
We
need
them
at
configuring,
the
kubelet
to
use
calico
as
its
CNI
plugin.
So
we
can
demonstrate
this.
A
A
So
we're
gonna
sort
of
use
this,
as
our
proof
here
to
say,
to
show
what
the
the
work
the
daemon
set
is
actually
doing
on
the
node
behind-the-scenes
Jason
says:
apologies
they've
already
entered,
but
what
are
the
main
diffs
between
weave
and
calico
and
which
it's
better?
This
is
Jason.
This
is
a
great
question,
because
this
is
it's
questions
like
that
that
inspired
this
whole
miniseries
you're,
not
the
only
one
who's
wondering
that
and
we're
hoping
by
going
through
and
teaching
folks
about
CNI
and
exploring
each
one
of
the
CNI
implementations
and
plugins.
A
So
bear
that
in
mind
as
we
go
through
the
YAML
here,
we
can
assume
that
this
YAML
is
going
to
go
ahead
and
take
care
of
that
for
us,
so
the
daemon
set
will
run
on
both
the
master
and
the
node
as
well
and
then
coming
through.
We
have
a
service
that
allows
us
to
get
to
our
calico
etcd.
Remember
earlier,
I
mentioned
that
we're
running
calico
with
its
own
etcd.
This
is
just
the
service.
A
That's
gonna
allow
us
to
get
into
etcd
a
little
bit
later,
which
will
be
relevant
when
we
would
get
calicoctl
up
and
running
and
we
have
the
calico
node,
which
is
another
snippet
of
software.
It
says
this
manifest
installs
the
calico
node
container,
as
well
as
the
Calico
CNI
plugins
and
network
config
on
each
master
and
worker
node.
Ok,
so
this
is
the
daemon
set.
That
I
was
talking
about
earlier,
wondering
how
that
one
is
different
than
this
daemon
set.
It
says
this
one
installs,
a
calico
etcd
on
the
kubeadm
master.
A
Okay,
so
I
misspoke
earlier
I
saw
a
daemon
set
just
assumed
it
was
the
calico
one,
but
this
daemon
set
actually
installs
etcd,
and
this
is
the
one
down
here
that
is
actually
going
to
do
everything
that
we
just
looked
at
earlier
and
it's
going
to
create
that
directory.
That
does
not
exist
yet
so
I
don't
want
to
spend
too
much
time
here
because
we're
already
almost
an
hour
in,
but
you
can
see
that
the
configuration
here
is
already
built
in
for
us
and
it
looks
like
there's
even
this
install
CNI
shell
script.
A
That's
going
to
be
ran,
and
then
we
do
some
things
with
different
volumes
and
I
would
be
willing
to
wager.
There's
components
of
this
daemon
set
that
are
gonna,
be
dependent
on
the
etcd
server
up.
Above
and
last
but
not
least,
we
have
a
calico
policy
controller
okay.
So
this
is
relevant
because
we
have
CNI
that's
going
to
build
our
pod
Network
for
us
and
that's
gonna
allow
different
pods
in
kubernetes
to
do
different
things
with
each
other,
and
then
we
have
this
whole
concept
of
network
policy
and
kubernetes
as
well.
A
So
this
is
a
network
policy
controller,
meaning
that,
as
we
mutate
network
policy
resources,
in
Kubernetes,
there's
a
controller.
That's
going
to
run
and
reconcile
those
policy
rules
and
make
that
actually
work
in
the
case
of
calico.
How
it's
gonna
do,
that
is
by
mutating
IP
tables
and
route.
T
I
think
the
route
table
even
on.
Let's
go
look
at
the
route
table
really
quick
behind
the
scenes
and
in
bringing
those
network
policy
rules
to
life.
So
just
look
at
our
route
table.
A
We
just
type
route:
okay,
nothing
exciting
going
on
there,
okay,
but
good
to
know
later.
I've
actually
looked
like
the
route
table
before
and
after
a
calico
in
awhile.
So
without
further
ado,
I
know,
I've
said
this
like
three
times
already:
let's
install
calico.
So
let's
grab
this
and
go
here
and
paste.
So
let's
run
that
and
you
can
see
it
created
a
config
map.
There's
our
etcd
daemon
set
created
a
service,
our
calico
node
daemon
set
our
policy
controller
and
then
I
kind
of
breeze
past
the
the
RBAC
stuff
here
at
the
end.
A
But
we
did
get
a
service
for
our
etcd,
which
is
going
to
be
relevant
but
yeah.
If
you
want
to
go
through
and
look
at
the
RBAC
rules
here,
you're
more
than
welcome
and
again
big
big.
Thank
you
to
the
folks
at
the
calico
project
for
actually
creating
the
RBAC
rules
for
us
and
real
quick
way
that
it
installs
I'm
gonna,
take
a
quick
see
if
folks
have
questions
and
might
my
knee
just
locked
up
so
I
gotta,
like
stretch
my
knee
out
for
a
second
and
I'm
gonna,
grab
something
coke.
A
See
if
I
can't
like
that
feels
better?
Okay,
okay,
so
the
CNI
plugin
is
created,
let's
go
ahead
and
see
what's
going
on
in
Kubernetes
behind
the
scenes.
So
if
we
do
k
get
po
namespace
kube-system,
okay,
not
found
you
want
to
do
it
on
our
our
local
here.
So
let's
clear
that
and
do
k
get
po
namespace
kube-system
over
here
you
can
see
now
we're
bringing
up
pods
here
in
the
kube-system
A
Namespace
Stefan
says
you
should
probably
get
used
to
using
ip
r
instead
of
route,
which
hasn't
been
deprecated
for
a
long
time
and
should
disappear
soon.
Thank
You,
Stefan
I
actually
have
I
noticed
that
I'm
just
super
old-school
I
think
ifconfig
is
also
deprecated
I
think
we
should
be
using
IP
outer
a
or
something
I
don't
know.
I'm
such
an
old
school
thanks
person
like
I,
still
check
/etc/init.d
for
skeleton
files.
I
don't
have
any
shame.
A
I
love
like
old
Linux,
but
actually
in
the
other
readme
here
I
put
a
bunch
of
debugging
snippets
here.
If
the
one
you
suggested
is
not
in
here,
we
should
totally
add
it,
but
here
are
some
other
handy
things
for
looking
at
the
route
table
and
actually
seeing
which
TCP
ports
are
doing
well
on
your
system,
this
command
here
this
is
this-
is
actually
probably
the
wrong
spot.
This
isn't
really
showing
the
route
table,
but
I
do
want
to
call
this
command
out.
A
This
is
like
the
one
command
that
you
want
and
you
can
actually
see
the
cube
controller
and
actually
see
it's
running
here
on
2380.
We
have
kube-proxy
on
10
251
and
kube-scheduler
on
23
79,
so
that's
handy
as
well
and
George
our
friend
from
canonical
who's,
not
hefty
Oh,
says
IP
is
the
command
to
use
ip
addr
show.
A
For
example,
thank
you,
George
and
Thank
You
canonical
for
the
operating
system
we're
using
today
and
for
changing
up
all
of
my
commands
on
me
so
that
I
have
to
run
new
commands
and
relearn
how
to
you
use
Linux,
ok,
so
let's
do
our
K
get
po
again
and
see
what's
going
on
over
here
and
the
kube-system
namespace
so
a
moment
ago,
the
policy
controller
which
remember
this
is
the
controller.
That's
going
to
enforce
kubernetes
network
policy,
it
was
still
creating.
It
looks
like
we
had
noted
and
we
had
etcd
up
and
running.
A
So
if
we
run
this
again,
not
nuts
depth
open,
but
I
can't
get
po
namespace
kube-system,
hope
the
sysadmin.
Do
you
never
watched
this
video
he's
still
a
good
buddy
of
mine,
so
I
kind
of
hope
he
does.
He
would
laugh
hysterically
if
you
saw
that
anyway
ip
-c
a.
It's
like
ifconfig
but
in
color.
What
okay
I
want
to
try
this
now,
but
in
color,
and
it's
super
useful
with
calico
and
hundreds
of
interfaces.
What
this
is
awesome,
ip
-c
a?
Oh,
that's,
beautiful,
okay,
I!
Really
like
this
command.
A
A
Looks
happy
sorry,
I'm,
reading
and
trying
to
code
at
the
same
time,
so
my
thoughts
keep
going
back
and
forth.
The
new
IP
is
generally
lack
of
Docs
I.
Feel
okay.
I
haven't
actually
looked
into
IP
that
much
but
I'm
gonna.
Let
you
guys
talk
about
the
different
IP
commands
and
look
at
what
the
daemon
set
is
doing
behind
the
scenes.
So
if
you
remember,
we
had
our
list
command
in
our
bash
history,
so
I
can
run
this
command
again
and
poof.
A
A
It
looks
like
there's
some
token
information
in
here.
Nobody
stole
my
token
won't
really
matter
anyway,
because
by
the
time
you're
watching
this,
my
kubernetes
cluster
will
probably
be
offline
and
you
can
see
our
etcd
endpoints
and,
in
fact,
to
verify
that
etcd
is
listening
on
port
six,
six,
six,
six,
which
is
going
to
be
helpful
later.
If
we
were
looking
at
that
earlier
and
we
weren't
sure
which
port
it
was
listening
on.
A
So
that's
good
to
know,
and
if
we
come
back
here
and
we
can
journalctl
-fu
kubelet,
we
can
actually
see
that
we've
got
some
some
stuff
going
on
and
we're
not
getting
those
CNI
errors
anymore
and
I
bet.
If
we
go
back
here
to
our
K
get
nodes.
Aha,
we
now
have
two
ready
nodes
and
I
bet.
A
If
we
k
get
pods,
we
actually
see
that,
in
fact
our
nginx
server
is
running
and
I
bet
I
can
do
a
k
port-forward
the
name
of
our
pod
and
then
let's
just
do
8080.
A
Permission
denied
again
a
sudo
kubectl
port
forward
name
of
our
pod
82-88
bam,
and
if
we
go
to
localhost,
let's
see
localhost
82,
nginx
and
you're
not
ready
to
kubernetes
with
calico
as
our
CNI
provider.
Let's
go,
look
and
see
what's
going
on
now
with
IP
tables.
So
if
we
come
back
here,
we
can
do
our
IP
tables
list
all
command.
And
let's
see
what's
going
on
in
here,
if
you
notice
there's
this
commentary
here
that
says
cali
and
have
some
sort
of
tag
here.
A
I
thought
that
was
funny
because
my
partner's
name
is
Callie.
So
all
day
today,
I've
been
talking
about
Callie.
It's
me
Callie
anyway,
and
I'm
going
to
California.
So
it's
just
lots
of
Callie's
everywhere.
So
anyway,
if
we
come
in,
we
can
do
Callie,
and
we
can
do
a
word
count
on
that.
So,
let's
grep
for
cali
and
do
a
pipe
that
word
count
lines.
A
Why
is
that
not
working
iptables
lists
all
pipe
to
grep
for
Cali
I
must
typed
her
name
their
name.
Okay,
anyway,
I
was
going
to
try
to
show
you
how
many
times
where
Cali
appeared
so
that
we
can
actually
see
that
IP
tables
were
being
created
when
we
create
some
Network
policy
later,
but
for
whatever
reason,
my
grep
isn't
wanting
to
work,
probably
because
of
the
way
I
have
my
alias
set
up.
So
we
can
actually
just
maybe
do
a
word
count
on
this
whole
output.
A
8.
Okay,
so
there's
a
commands
there.
So
it's
just
coming
out
one
line
at
a
time.
Okay,
that's
super
annoying,
so
the
grep
is
matching
because
Cali
exists
and
every
one
of
our
table
outputs.
It's
not
actually
doing
a
grep
on
each
line.
Within
this
those
table
outputs
anyway,
that's
gonna,
be
a
bit
of
a
bummer
Luciano
says:
have
you
tried
redirecting
the
standard
error
standard
out
before
they
grep,
no?
If
you
want
it
through
a
command
in
there,
you
think
would
work
lee
seon,
oh
I'm,
happy
to
run.
A
It
feel
free
to
just
drop
it
in
and
all
I'll
run
it
anyway.
Let's
go
back
and
look
at
so
actually
what
do
we
want
to
look
at?
Okay,
so
the
kubelet
is
happy.
We're
routing
port
forwarding
is
working.
We
know
that
our
configuration
is
working.
You
know,
calico
is
working,
let's
pull
up
the
Calico
logs
and
let's
run
the
Calico
command
line
and
plug
in
tool
here
really
quick.
So
we
can
see
what
actually
the
Calico
service
and
the
Calico
controllers
are
doing
behind
the
behind
the
scene.
A
A
Here,
come
back
to
read
me:
let's
grab
this
go
back
to
Emacs
and
then
I
bet
we
can
Sh
IV
table
at
h-pipe
to
grep
for
cali
and
then
pipe
to
word
count:
poof,
131,
okay,
good
call
thanks
for
mentioning
that
alias,
doesn't
standard
out
or
does
not
work
for
grep
like
that.
So
let's
go
and
move
this
into
our
path.
So,
let's
try
think
how
I
want
to
do
this.
We'll
move
home
/ib
table
list
is
h2
/usr/local/bin
what
is
call
it.
A
iptl
works
for
me,
chmod
+x
/usr/local/bin/iptl.
iptl,
perfect
okay.
So
now
we
have
our
IP
tables
list
command
with
all
of
the
8
different
types
of
tables
we
can
use,
and
we
can
pipe
that
to
grep.
iptl
grep
for
cali
and
got
to
word
count
131.
This
is
going
to
be
handy,
so
here
we
can
go
ahead
and
kill
this
port
forward.
A
A
So
we
have
our
logs
pulled
up
and
I
want
to
now
talk
about
Kubernetes
network
policy.
You
know
you
sort
of
see
where
the
rubber
meets
the
road
holistically
for
calico
the
how
the
kubelet
is
interfacing
with
the
calico
plugin,
which
is
of
course
here
in
/opt/cni.
Then
we
should
yet
we
have
Kali
now
and
if
we
run
it,
of
course,
it
looks
like
all
the
other
CNI
plugins
we
had
before
as
well.
So
this
is
the
actual
plug-in
where
it's
running
on
our
file
system,
that
kubelet
will
be
exec-ing.
A
I
bet,
if
we
did
an
lsof
I
thought
we
could
see
that
it's
being
open
and
closed
quite
often
anyway,
let's
go
through
and
look
at
this
lovely
documentation
here.
So
where
is
it
at
Network
policies
in
isolation?
We'll
talk
about
that
a
little
bit
more
configuring
calicoctl!
No,
because
there's
this
one
piece
of
documentation
here,
let
me
close
some
of
this
stuff.
I,
don't
know
how
all
this
got
open.
That
I
wanted
to
pull
up.
That's
like
a
really
great
tutorial
on
doing
some
kubernetes
network
policy
with
calico
I.
A
Think
it's
a
simple
policy
demo.
Yes,
this
is
it
okay.
This
is
probably
the
best
demo
I've
ever
done
in
kubernetes,
every
command
worked
great
and
it
totally
made
sense
to
me.
So
whoever
wrote
this
pat
yourself
on
the
back.
This
is
a
really
great
demo
and
we're
gonna
fly
through
this,
and
hopefully
is
gonna,
make
sense
to
a
lot
of
people.
So
what
we
want
to
do
is
we
want
to
first
create
a
namespace
for
this
little
demo.
A
We're
gonna
do
to
show
how
kubernetes
network
policy
works,
which
is
kubectl,
create
new
namespace
called
policy
demo.
So
we're
gonna
do
that
here
on
the
right.
Actually,
let's
do
a
whole
new
tab,
we're
going
to
be
flying
in
between
tabs,
so
try
to
stay
cut
up
with
me
here:
kubectl
create
namespace
policy
demo
and
it
says,
run
the
pods.
And
if
you
look
here,
we
have
a
kubectl
run
namespace
policy-demo
nginx
replicas
equal
to
two
dash
dash
image
nginx.
A
So
this
is
just
like
the
fancier
version
of
my
kubectl
run
nginx
image
of
nginx
command,
which
I
think
is
probably
why
I
liked
this
demo.
So
much
is
because
it's
like
it's
doing
things
the
way
that
I'm
used
to
seeing
them.
Anyway.
We
run
this
command
and
it
says:
okay,
we
have
a
deployment
and
that's
called
nginx
created
now
remind
yourself.
You
have
a
deployment
in
the
default,
namespace
called
nginx
and
we
have
one
in
the
policy.
Demo
namespace
also
called
nginx,
and
here
we
want
to
create
the
service.
A
So
this
is
going
to
create
a
service
and
it's
going
to
expose
port
80
for
the
pods
we
just
created
in
the
engine
X
deployment,
so
it
says
service
engine
X
exposed
which,
if
you
guys,
aren't
running
kubectl
expose
it's
a
great
command
and
exposed
things
quite
frequently.
That
would've
been
really
helpful
to
run
on
the
traffic
episode.
I
did
a
few
weeks
ago
and
it
says
ensure
the
service
is
accessible
so
before
I
ensured
that
engine
X
was
running
by
doing
a
port
forward
and
then
actually
sending
HTTP
requests
up
to
the
server.
A
In
this
case
it
looks
like
they're
gonna,
do
a
wget
on
a
pod
running
in
the
same
namespace,
so
how
they
do
that
is
they
do
a
kubectl
run.
Namespace
policy
demo
and
it's
gonna
run
a
busybox
container
and
it's
gonna
open
up
a
TTY,
we're
running
shell
for
us,
so
we'll
be
able
to
actually
navigate
that
container.
So
kubectl
run
command
paste
that
and
then
we
should
be
live
inside
of
a
container.
A
If
you
don't
see
a
prompt
to
try
pressing
enter
and
then
it
become,
we
go
and
copy
and
paste
this
next
command.
We
should
see
some
output
from
engine
X,
so
really
important.
What's
going
on
here,
we
have
two
containers
running
on
our
host
system.
In
fact,
if
we
I'm
going
to
flow
to
be
able
to
see
it
here,
but
we
can
do
it
at
docker,
PS
and
actually
grep
for
nginx.
A
We
can
do
that
if
folks
want
to
see
that
a
little
bit
later
and
when
we
do
this,
wget
we're
actually
using
the
DNS
service
in
kubernetes
to
look
up
engine
X,
which
is
just
the
name
of
the
deployment
we're
trying
to
access,
and
we
can
do
a
wget
there
and
it's
gonna
hit
those
pods
Tom
says
you
run
in
a
slightly
older
version
of
calico,
so
it
might
be
worth
you
selecting
V
2.3
from
the
version
drop-down
in
the
top
right.
Okay,
I
didn't
realize.
A
I
was
running
an
older
version
of
calico.
To
be
honest,
I
didn't
even
check
it
out
before
the
episode,
but
thanks
for
pointing
that
out,
Tom,
let's
see,
if
Deb
Nora
says,
can
you
find
both
commands
by
specifying
the
expose
on
the
first
one
totally
thanks
for
thanks
for
the
tip
there.
I
think
we
just
wanted
to
do
in
two
different
commands
to
kind
of
show
folks
the
two
different
steps
that
we
were
doing.
How
do
I
whitelist
the
healthcheck
request
from
kubelet?
Well,
a
lot
of
lot
of
chats
come
in
in
hot
I.
A
Can't
send
you
a
direct
link
to
the
docs
of
this
chat,
one
allowing
Tom
it's
okay,
I!
Can
this
worked
for
me
earlier,
so
I
think
we're
good,
but
if
I
need
to
switch
over
I
totally
will.
But
this
this
document
worked
I
just
ran
through
that
couple
hours
ago,
so
we
think
we're
gonna
be
okay,
so
anyway,
using
kubernetes
dns
to
looking
up
to
look
up
nginx
and
we
send
a
actually.
It
is
back
here.
We
send
our
HTTP
request
and
you
see
that
we
actually
get
the
HTML
back.
A
A
A
But
if
we
were
running
a
very
large
kubernetes
cluster,
there's
gonna
be
a
lot
of
nodes
that
need
to
be
configured
and
that's
where
a
tool
like
calico
really
starts
to
shine
is
because
it's
gonna
be
handling
all
of
this
complex
configuration
across
nodes
and
being
able
to
tell
us
like
how
and
when
to
route
to
to
which
container
and
how
to
get
there.
So
a
lot
of
networking
fun
behind
the
scenes
and
for
users
like
me,
I,
don't
really
have
to
care
about
it
because
it
just
magically
works
and
I
love
it.
A
So
if
you
see
here,
we
can
jump
on
our
node
and
we'll
actually
go
and
validate
that
this
is
in
fact,
what's
going
on
so
we'll
come
here
to
this
other
tab.
I
have
open
SSH
ubuntu
at
this
IP
address,
will
sudo
up
and
we'll
do
a
docker
PS
and
let's
grep
for
nginx
grep
nginx,
and
you
can
see
here.
We've
got
a
couple
of
pause
containers
and
a
couple
of
regular
containers
running.
Remember.
We
have
two
replicas
for
the
Calico
demo
engine
X.
A
We have one nginx container for the nginx deployment I created in the default namespace, and we have some of these flash pauses here as well, and you can see the Kubernetes pod parlance over here on the right, and these are actually containers that are running and they're able to network each to each other on the same host. Again, this would be a little bit more complex if we were running on a larger cluster, as we would have to hit the AWS network behind the scenes and actually traverse that network as well.
A
So going back to our demo here, we now are able to communicate between the two pods. So what this is going to do is, this is going to give us a really quick demonstration of network policy in Kubernetes, and if you want to pull up the documentation on this, there's a really great link here, that's network policy and isolation. So the first thing our demo tells us to do is, it says enable isolation. So how we do that is we create this new network policy. I thought I, hey, we had to annotate something. Maybe I
A
Maybe I am running the wrong annotate. Yeah, the, the documentation went there earlier, had me sending an annotation. Let me see if I can't change this. So, let's see what the chat said here. I actually am gonna change this. So Tom says you're running a slightly older version, Calico might be working, selecting v2.3 from the version drop-down in the top right.
A
So how do I, where is that at? Version, nightly, v2.3, Project Calico documentation, introduction, let's see, reference, maybe usage, Calico. I want to go back to the Kubernetes documentation: getting started, Kubernetes, tutorials, simple policy demo. Aha, okay, good! You were right, Tom. I don't know how I got onto the, the different version earlier, but this is what we're looking for here. So up until this point, everything we've done is still the same, and now we're just going to do this annotate command instead of what the, the more recent documentation had us doing earlier.
A
So this is how we're gonna turn on isolation in this namespace, and if you go and you look at what isolation in a namespace means in Kubernetes, you can actually see that we have isolated and non-isolated pods. It says by default, pods are non-isolated, meaning they accepted traffic from any source. So the second we turn on isolation.
A
So, if we go here, we can run our annotate command again. Thank you, Tom. That was very helpful. And, let's see, that's our node. This is where we're doing our demo. Let's exit out of that pod, let's run our annotate command, and it says namespace policy annotated, and all we did is we added the simple annotation here: network policy ingress equals isolation, and we said default deny, meaning that we now enable isolation and that by default, traffic will be denied, instead of the other way around, how Kubernetes ships with default allow.
A
So now it says when using the Kubernetes API store, we want to do a kubectl create and we're going to create a new network policy record. So let's go ahead and do this new network policy record. Pod selector, is pod selector not defined in here? Yeah. Let's see if we can find a better example. Let's do maybe, and getting started, Kubernetes, tutorials, simple policy demo. Nope, but we can grab that and I bet if we go in the, edit our command.
A
Let's do this in my text editor here, we can actually get a working command up and running. So here is our text editor and we're just gonna edit this. We'll just do a new file, call it edit. It's just text. And let's go back here, we'll grab this, paste it, and then we're gonna use that to rebuild our new one, which should, we go back to our 2.3 version of Calico documentation. Here we actually fix this really quick.
A
You, I wanna make sure I say this right, I think it's a default allow until you create some sort of network policy rule, and then it flips that around and becomes default deny. So by sort of creating this empty network policy we now have default deny, so we should not be able to route from pod to pod by default. So let's go ahead and make sure that's actually what the, the tutorial is telling us to do here.
A
One second, really quick jump back over to my face. I don't want to open up my text messages here on, live on TGIK. Okay, close those and get those out of the way, go back to my screen. Okay, cool, so network policy default deny, and now we can run our kubectl run command. There's that.
A
And let's go back to our documentation, and it says waiting for pod, that's just the output. We don't need to see that. And now we can get this wget command again and actually ensure that our network policy isolation is working as expected. So we run our wget with a timeout of five seconds, and about five seconds from now we're gonna get a timeout.
A
2, 3, 4, 40. wget: download timed out. So Alex says the namespace annotation was required back a year ago, so go when Kubernetes network policy was still in beta. Calico version 2.3 is now from that era. Calico 3.1 is latest now. And that explains why the documentation no longer required us to do any annotation. Okay, thanks for the history lesson there, Alex. So let's go back here.
A
So we've now proven that our network isolation of default deny is working just by creating an empty network policy rule, and now we can go ahead and open up our network policy rule using the Calico policy controller, which, do we have logs on that yet? Let's do logs as we do this, because the side-by-side, because that would be pretty cool to watch.
A
So, let's see, we have k get po, namespace kube-system, kube-system, and we're already at 2:30, so I have a feeling that I'm gonna be able to get this network policy stuff done and the Murney be done, so we're probably not, you mean you get to calicoctl today. I'm sorry this is taking so long, there's just a lot of fun stuff happening in Calico for us to talk about. Okay, so we want to get logs for the policy controller.
A
So we can see this, there's the policy controller, so k logs, paste the name of the pod, namespace kube-system, minus f, and cool, all right. So we should be able to create our new policy rule and actually watch me examine this and actually watch the policy controller take some action here, side by side, which will be pretty cool. So coming back here we can run this command, kubectl create minus f. Nope, we want my terminal.
A
There we go, and if we run that, hey look, it says it's a handle, it added a new policy. And if we go back into our, here, let me ssh back into our server here. Sudo bash, and let's run our iptables command, grep for cali. I love saying that. iptables, grep for cali, pipe to word count minus l. 131, so we haven't actually changed the iptables rules yet. Interesting.
A
What namespace is this in? It is in namespace policy demo. Oh, oh duh, because I'm running this, I'll keep this one speeded up. It's because I'm running this on that one. There we go. Let's run this up me local, do you do kubectl run, namespace policy demo, k, yo, namespace policy demo, and we want to kill this pod. k delete po, bam, namespace policy in now, and now, let's run this again. Actually, if there's a deployment, well, let's see what this one does. If there's a deployment, yeah, I'm gonna delete the deployment.
A
Okay, get deploy, namespace policy demo, nginx. Okay, that's, that still is there. I have no idea why that's terminating. Very weird. Let's wait and run this after those pods terminate and see what happens. Anyway, effectively the demo is going to demonstrate that by enabling this network policy rule, we were able to define me match labels run equal to access, and we were then able to actually match that to the pod week, the Internet's pub you created earlier, and the Calico policy controller would then begin to allow traffic from this pod
A
we're trying to run unsuccessfully and do a wget. Coming back into Calico. So I'm gonna try this one more time and then I think we'll do a high-level overview and wrap up for the day, and maybe we can do another episode on calicoctl or use it in another episode, as we actually look at the calicoctl network policy and how that is slightly different from the network policy we see here.
A
So let's try this again and see if Kubernetes has finally decided to catch up, and now it's our deployment there, so I don't know, I guess our axe, I guess I deleted our access and then that didn't recreate. I don't know, I'm going too fast and it's getting late on Friday, I'm starting to lose it. Okay. So let's try this one more time.
A
Close this, keep a coin. kubectl run, now we're in our pod, good, and let's make sure that we can actually communicate over HTTP. Okay, poof, that was much simpler. I don't know what I did, I probably just deleted the, the access deployment and like forgot about it or, I don't know, my head's got Cheetos in it right now. Anyway, we were able to validate that the network policy is working.
A
We turned default deny on, we communicated from one pod to the other, or tried to, and it timed out, meaning that the policy controller was in fact enforcing that policy. We opened up the policy, and if we actually look at the pod, get po, namespace policy demo. If we actually look at the pod you'll be able to see the labels that were matching on. kpo, namespace policy demo.
A
We can actually look at this po and we should be able to see the, the labels there. -o yaml, let me scroll up to the top, and here under labels, yes, we have run nginx and pod template and, match labels, where you at? Anyway, so yeah. That's how network policy works in Kubernetes, that's how Calico is gonna enforce network policy and how Calico is going to be interacting with our host system to enforce the different networking components here.
A
So bear all this in mind as you're looking at CNI providers and trying to understand which one is right for you. Calico is definitely, from this example anyway, it's demonstrated that it's going to be, it has what we are looking for when we start getting into complex network routing with large numbers of servers. Because Calico runs as a daemon set and has its own data store, it's able to do some pretty cool things as we actually start to scale out our cluster in clouds like Amazon. Calico shipped with its own etcd
A
if you install it that way, or optionally can ship with running against the Kubernetes etcd server as well. Pros and cons to each one of those. We looked at network policy in Kubernetes, we learned about network isolation and how you can turn that on. We learned about how network policy behaves, how it starts out as default deny, and then you can give it a network policy rule with label, and then you can see that the Calico controller will actually go in and enforce that network policy for you.
A
So now we have some pretty flexible tools as systems administrators to start locking down our, our networks and locking down our Kubernetes clusters. So not only can we use different parts of Kubernetes such as namespaces and other logical boundaries, but we now, we can actually just downright block traffic based on arbitrary labels in our deployments, in our pods, using network policy. So that's a pretty powerful construct for systems administrators, especially for security-minded systems administrators, being able to control the complexities of your system with tools like iptables and whatever implementation
A
you happen to be running with your CNI plugin, coming up layers above that and saying no, we can just define this very simple network policy object and actually have a controller go and reconcile that for us behind the scenes. So again, this is the age-old last thing we always see in Kubernetes. You declare something and then some sort of controller goes and actually makes it so. So anyway, I'm gonna cut back to my face here. I'm gonna get out of here, I got a big adventure planned this weekend. It's been great hanging out with folks.
A
Thank you so much for joining. I'm gonna spend the last minute or two here, if folks want to start saying goodbye, getting stuff cleared up, shutting my cluster down and seeing if anybody has any questions or anything they would like for us to follow up on explaining, maybe why we picked Calico or what Calico is doing behind the scenes or how Kubernetes network policy works or how the kubelet is interfacing with the actual Calico plugin. Feel free to let me know, and again it's been a great episode.
A
So thanks everybody for joining, and I'm gonna start to tear stuff down while you all say goodbye and go enjoy your Friday afternoons or Saturday mornings, wherever you happen to be in the world. You want to exit out of that, exit out of that, get off of our node, clear that, let's go, and we're gonna shut down this Kubernetes cluster. go, src, github.com slash heptio slash
A
What do you want at TGIK, bam. Let's go into episode and 45, so change directory into 045. Yeah, thanks for joining everyone, I'm seeing things you think he's coming in now. It's always at the end of the episode, so I try to like give people a few minutes of a heads up, so they can say goodbye while we're still live on the air. Yeah, it's been great, great hanging with everyone. Liz, good to see you, you're very welcome.
A
Yeah, I'm gonna continue funny on my cluster by other folks say goodbye, or if they have questions, questions are always a great one. Okay. So what do we want to do here? We want to do kubicorn delete TGIK calico. What is the name of this thing? Let's try it again: kubicorn delete TGIK calico cluster capital, us-kubicorn. Okay, so that's tearing down our cluster in Amazon. Let's see what folks are saying. Folks are saying thank you. Tom says thanks,
A
Kris, great overview. Simon says things have a great weekend engine. Thanks, Kris, we'll watch your arm this time. I definitely will, I'll be very careful this weekend. Don't worry about me. Nader's says interested in the security story of the CNI plugins, etcd store, for example, anyway thinks is ever a good night. Yeah, we can probably poke a little bit more about what Calico is doing with etcd behind the scenes.
A
Getting calicoctl up and running and communicating with etcd is a good way of seeing what we're actually storing in there and how Calico is actually running behind the scenes, but there's a whole layer of tooling that goes beyond the scope of network policy that, you know, like the folks at the Calico project are working on, that, you know, sort of spans this community-driven spec, so you can go and actually do even more with the Calico plugin than just a simple Kubernetes CNI plugin.
A
So that's pretty cool, and again I wanted to give a big shout out to our friends at Tigera. It's always great to work with you guys. You, you helped us out a lot today when I was getting a Calico up and running, and I think, you know, you're pretty much responsible for keeping this project up and running. So thanks for, for all you do in open source.
A
We appreciate it, and, you know, all of our folks running Kubernetes on Amazon with the Calico CNI plug-in, that probably gets bypassed quite often as it's just a one-liner in our install scripts, are probably super grateful that we don't have to go in and deal with, you know, watching their out table story made of information, handing IP addresses, mute, mute, 8090 tables, and doing all of this lower level of networking component configuration that this tool does. So, thanks to you guys, we really appreciate it, and I am out here, so we'll see everyone next week.