►
Description
Index:
00:03:20 - Thank you Unsplash!
00:04:56 - Tesla k8s dashboard cryptojacking
00:09:21 - img container image builder from JessFraz
00:13:40 - ksync from vapor.io
00:15:24 - Hacking and Hardening k8s clusters from Brad Geesaman
00:17:34 - Sealed Secrets
00:19:36 - Blog post tease: Contour+Let's Encrypt+cert-manager
00:23:31 - Accessing dashboard with kubectl proxy
00:28:54 - Dashboard without credentials
00:30:01 - Giving the dashboard root (don't do this!)
00:35:24 - Creating a service account token for dashboard access
00:45:18 - Running oauth2_proxy in front of dashboard
00:48:45 - Aside: using RBAC as allow list for users at proxy?
01:02:04 - First try at logging in with proxy
01:03:26 - Relaxing dashboard network policy
01:05:42 - Exposing HTTP from dashboard service
01:08:50 - Didn't take for some reason. Debugging...
01:12:43 - Getting the dashboard to listen on unsecured port
01:19:20 - Logging into worker node to confirm flags
01:22:14 - Success! We are hitting the dashboard through oauth2 proxy. Now about that auth header...
01:25:35 - Back to the dashboard login screen!
01:29:23 - Wrapping up! Thanks!
01:32:49 - Aside: Episode on cluster autoscaling?
Come hang out with Joe Beda as he does a bit of hands on exploration of Kubernetes and related topics. Some of this will be Joe talking about the things he knows well. Some of this will be Joe exploring something new with the audience. Ask questions, comment and help decide where things go.
With the recent report of Tesla being compromised by having an open kubernetes dashboard, it seems like a good time to review best practices for both the dashboard and other similar services. We'll look at the current security model of the Kubernetes dashboard and explore using an authenticating proxy to secure any internal facing web service.
Links:
* Files from the episode: https://gist.github.com/jbeda/53a7c6c81359054eacc1608f5211150c
* Images for title cards from Unspash. Thanks Unsplash! https://unsplash.com/
* Details on the Tesla k8s dashboard cryptojack: https://blog.redlock.io/cryptojacking-tesla
* Jess' awesome image builder: https://github.com/jessfraz/img
* ksync from vapor.io: https://github.com/vapor-ware/ksync
* Securing k8s talk from Brad Geesaman: https://www.youtube.com/watch?v=vTgQLzeBfRU
* Sealed Secrets: https://github.com/bitnami-labs/sealed-secrets
* Dashboard access wiki page: https://github.com/kubernetes/dashboard/wiki/Access-control
A
Hello
and
welcome
to
t
GI
kubernetes.
This
is
episode,
ode,
27
and
I'm.
Really
looking
forward
to
this
one
I
think
we
have
a
great
episode
going
on
the
reserved
space
X.
So
is
there
some
already
some
folks
talking
a
little
bit?
My
see
Tom
says
that
there's
a
SpaceX
launch
going
on,
so
let
us
know
how
that
goes.
That's
always
exciting
too,
but
in
any
case,
so
my
name
is
Joe.
A
Beda
I'm,
founder
and
CTO
for
hep
tio
also
helped
get
the
kubernetes
project
itself
up
and
running
and
for
those
who
don't
join
me
all
the
time.
This
is
a
weekly
live
stream,
where
I
play
with
something
kubernetes
related
make
mistakes
grew
up.
Answer
questions
interact
with
folks,
and
so
that's
the
plan
today
and
I'm
going
to
call
this
the
Miami
Vice
episode
because
of
the
image
that
I
have
here
of
this
gate.
That's
like
pink
and
blue
and
yellow
supercool
all
right.
A
A
Some
folks
have
been
working
hard
on
it
and
then
how
to
secure
it
and
expose
dashboards
like
that
on
the
Internet
in
a
somewhat
safe
way,
I'm,
not
gonna,
promise
total
safety
I
think
we
can
definitely
definitely
do
better
than
just
putting
stuff
raw
on
the
internet.
So
let
me
say
some
more
hellos
here
so
Kevin
good
to
see
it.
Nick
is
Nicholas
good
to
see
you
are
you
you're
not
in
the
office
today
you
must
be
working
from
home
or
maybe
you're
with
a
customer.
A
A
So
let
me
so
so
one
of
the
things
that
I
do
when
I
do:
TGI
K
as
I
spend
the
first
I,
don't
know
like
10
minutes
or
so
talking
about
sort
of
what's
been
happening
in
the
kubernetes
world
and
you
know
and
just
sort
of
dissecting
sort
of
new
stuff
that's
happening
because
everything
is
moving
so
fast.
And
so
let
me
go
ahead
and
and
jump
in
and
get
started
there
and
yeah.
Ok,
and
so
we
have
Wan
Joe
you
wanna
go
from
Argentina
or
is
from
Berlin.
A
A
Riga
and
then
Barrett
in
Charlottesville
all
right,
okay,
so
let
me
switch
screens
here
so
the
first
thing
that
I
want
to
talk
about-
and
this
is
totally
not
kubernetes
related-
is
whatever
I
do.
Like
my
favorite
thing
about
doing,
TGI
K
is
actually
pulling
together.
The
images
that
I
use
for
the
backgrounds
on
the
on
the
title
cards,
and
so
these
days
most
of
the
images
that
I'm
getting
are
coming
from
this
site
called
unsplash.
These
are
it's
a
site
where
folks
can
share
high
resolution
images.
A
They're,
all
really
great,
you
know,
photos
lots
of
good
stuff,
and
these
things
are
shared
with
like
no
restrictions
on
how
you
use
them,
and
so
so
really
good.
For
this
type
of
thing,
there's
all
sorts
of
interesting
stuff
here,
and.and
one
of
the
things
that
that
I
think
is
interesting,
that
these
folks
do
to
help
encourage
people
to
really
pick
their
best
work.
A
Is
they
limit
the
number
of
photos
that
you
can
submit
per
month,
and
so
people
really
try
to
try
to
cherry-pick
their
best
work
and
get
it
up
there,
but
you
can
see
that
there's
a
lot
of
really
really
cool
stuff.
So
thank
you
to
everybody
from
unsplash,
but
the
community
and
the
folks
running
the
site
for
for
providing
this
service
because
it
definitely
makes
makes
the
the
Internet
and
Beyond
more
interesting.
So
thank
you
alright.
So,
let's
see
so
let
me
catch
up
here.
A
So
we
have
yosh
from
India
Paul
Australia
Tomiko
is
just
down
the
hall
here,
Sam
in
North
Carolina
and
then
Tom's
reporting
that
SpaceX
successfully
deployed
the
payload.
So
another
boring
rocket,
launch
hokum.
Who
cares
all
right?
So
the
big
news
this
week
in
kubernetes
world
was
this,
this
security
issue
at
Tesla,
and
so
so.
The
first
thing
is
apparently
they're
running
kubernetes,
which
I
don't
think
anybody
had
positive
confirmation
from
at
least
not
publicly
and
and
they.
A
The
reason
we
know
they're
running
kubernetes
is
because
they
left
the
kubernetes
dashboard
for
their
cluster
exposed
publicly
and
they
they
did
it
in
a
way
where
you're
able
to
log
in
and
read
out
all
sorts
of
information
from
the
cluster,
and
so
one
of
the
things
that
you
read
out
from
the
cluster
is
secrets
that
you've
put
in
there
to
make
available
to
workload.
So
essentially,
if
you
get
access
to
a
kubernetes
dashboard
with
root
credentials,
you
can
do
root.
A
Things
like
like
read
other
credentials
like
AWS
credentials
and
such,
and
so
these
particular
attackers
didn't
do
anything
too
nasty
it
looks
like,
but
they
did
go
through
and
they
didn't
go
through
and
start
doing,
some
cryptocurrency
mining,
and
so
it
looks
like
the
it
was.
The
folks
at
red,
lock,
I,
believe
that
actually
discovered
this
and
alerted
them
about
that
and
then
and
then
got
to
write
a
blog
post
talking
about
what's
going
on
so
that's
kind
of
prompting
the
a
little
bit
of
the
topic
that
we're
talking
about
today.
A
This
is
something
that
I've
had
sort
of
a
you
know
been
driving
a
lot
and
sort
of
talking
about.
A
lot
is
like
how
do
you
think
about
security?
You
know
folks
who've
been
watching
tjk
for
a
while
know
that
I've
had
my
own
incidences
where,
as
I've
been
playing
with
the
project,
they've
exposed
a
dashboard
publicly
one
time
I.
A
Did
it
an
easy
to
type
in
URL
and
while
I
was
actually
doing
the
broadcast,
somebody
went
and
started
poking
on
that
system
installed
a
a
Bitcoin
miner,
a
cryptocurrency
miner
and
I
was
running
on
really
underpowered
nodes
at
the
time.
So
we
ended
up
breaking
the
cluster
in
a
way.
So
this
is
super
easy
to
do,
especially
if
you're
installing
random
software
off
the
internet
into
your
kubernetes
cluster.
A
So
one
of
the
other
things
that
you'll,
if
you've
been
watching
TGI
K
for
a
while
you'll
see,
is
that
before
I
deploy
any
piece
of
software
I
go
through
I
read
the
yam.
Oh
I
see
what
it's
doing
I
see
if
it's
going
to
be
exposing
stuff
to
the
Internet
I,
see
what
kind
of
permissions
are
being
given
to
different
parts
of
the
system
and
so
I
think
that's
just
good
hygiene
for
anybody,
who's
deploying
stuff.
So
that's
what
prompted
this.
A
Now
I,
don't
think
any
any
cluster
set
up
exposes
something
like
this
to
the
Internet
by
default,
but
because
it's
so
easy
to
actually
get
stuff
exposed
with
kubernetes.
It's
a
sort
of
a
one-line
change
to
a
llamó
file
to
be
able
to
do
something
like
this,
at
least
in
with
older
versions
of
kubernetes,
and
so
that
is
it's
it's.
It
was
easier
to
do
it's
harder
to
screw
this
up
now
with
the
dashboard
with
the
latest
versions,
but
we'll
we'll
get
into
the
details
as
we
go
forward
here.
A
So
chris
is
saying
that
she
also
had
a
cryptocurrency
mining
happen
on
a
cluster
a
while
ago,
yeah
and
so
yeah
I,
think
I
think
kubernetes
as
it
becomes
popular.
It's
going
to
be
a
target
for
people
going
through
and
scanning
looking
for
open
dashboards
looking
for
open
ports
so
that
they
can
do
stuff
like
this,
so
Eddy
is
in
Fort.
Lauderdale
Aaron
says
that
he
had
a
Bitcoin
miner
on
his
doctor
server
a
couple
years
ago,
that's
kind
of
scary,
my
wife's,
an
MD.
They
don't
have
any
sir.
A
First
though,
everything
they
do
is
is
is
cloud-based
and
you
know,
and
so
no
no
servers
there
and
then
sync,
it's
a
neighbor
Ville
Naperville
Illinois
and
it's
near
where,
where
I
grew
up,
alright,
so
other
stuff
happening
in
the
sort
of
kubernetes
world
is
so
our
friend
our
friend
just
who
was
online
earlier,
maybe
she's
listening,
maybe
she's
not.
She
introduced
this
really
cool
tool
or
at
least
started
talking
about
it,
because
she's
been
working
on
it
for,
for
a
little
bit
now
called
image
Krista's.
They
don't
have
any
servers,
never
true!
A
Well,
they
don't
have
any
servers
that
they
admin
themselves.
Alright,
let's
just
put
it
that
way.
My
my
wife's
doctor's
office
is
server
Alice,
so
you
can
quote
me
on
that
and
so
yeah.
So,
ok,
so
so
so
Jesse's
here,
but
she's
Heidi
and
she
says
so.
This
is
really
really
really
exciting.
It's
it's
so
right
now!
So,
just
just
when
you
build
a
docker
image
and
you
do
docker
build
what
that
ends
up
doing.
It
ends
up
taking
all
the
data
in
your
current
directory,
tearing
it
up,
sending
it
over
to
the
docker
daemon.
A
That's
running
as
a
root
and
then
that
whole
flow
of
actually
building
the
thing
happens
in
the
docker
daemon,
and
this
is
just
sort
of
I
think
in
some
ways
an
accident
of
history
of
how
docker
was
built.
So
the
upshot
that
of
that
is
that
is
that
building
a
docker
image
is
really
in
twined,
with
docker
in
a
sort
of
fundamental
way.
A
Now
the
docker
folks
have
been
working
over
the
long
time
sort
of
take
the
pieces
of
the
the
docker
daemon
and
sort
of
explode
that
out
into
a
bunch
of
different
sort
of
projects.
One
of
these
being
build
kits,
I
haven't
used
it
directly,
but
there
were
a
couple
of
things
that
that
happened
here.
Is
that
number
one?
Is
that
to
build
something
you
had
to
talk
to
docker
directly
and
and
that
this
needed
root
privileges,
because
the
docker
daemon
runs
his
route.
A
And
so
there
is
no
great
solution
right
now
in
terms
of
what
it
takes
to
build
a
container
on
top
of
a
kubernetes
cluster,
at
least
using
the
using
the
docker
model.
And
so
there's
a
couple
of
projects
that
have
started
pointing
the
direction
to
sort
of
breaking
these
things
out
into
into
sort
of
more
sort
of
plug-and-play
component
paese,
both
inge-
and
this
is
the
one
that
Jesse's
been
working
on.
But
the
super
superduper
interesting
stuff
for
this
one
is
that
Jesse's
working
hard
to
make
it
unprivileged
and
daemon
less.
A
And
so
this
means
that,
as
this
stuff
continues
to
move
forward,
and-
and
you
know,
I
talked
to
Jesse
about
it
a
little
bit
and
the
unprivileged
mounting
stuff
is
a
little
bit
a
little
bit
shaky.
But
as
we
continue
to
work
on
this
and
by
we
I
mean
Jesse
and
other
people
as
folks
continue
to
work
on
this.
We're
gonna
get
to
a
point
where
you
can
actually
build
containers
on
top
of
kubernetes
on
a
kubernetes
cluster
in
a
super
clean
way
and
I.
Think
that's
really
really
exciting.
A
I
guess
there's
a
third
way
that
you
could
build
it
and
that
would
be
to
to
run
a
virtual
machine
inside
a
container
and
then
run
docker
inside
of
that
and
use
that
to
drive
things.
So
that's
totally
totally
I,
don't
know
if
anybody's
doing
that
or
not
that'd
be
an
interesting
way
to
do
it,
maybe
like
a
clear
containers,
type
of
thing
all
right.
So,
let's
see
so
saying
thank
it
says
we
had
a
AWS
workshop
four
months
back
and
someone
committed
these
access
keys
on
github,
yeah
that'll
happen
really
fast.
A
I
know
folks,
like
github
and
and
Amazon
continually
scrape
people
checking
stuff
into
github.
Looking
for
things
that
look
like
a
skis
or
row
of
tokens
or
stuff
like
that,
Jesse
does
write
the
dopest
software.
This
is
true
and
then
yeah,
so
so
Jesse's
saying
it's
kind
of
rough
right
now,
but
we're
making
forward
progress
and
I
think
a
lot
of
times
in
situations
like
this.
Once
you
can
start
seeing
the
pieces
come
together,
then
it's
just
a
way
of
chipping
away
that
the
problems
that
are
left
so
I'm
really
really
excited
to
start.
A
So
the
next
project
I
want
to
talk
about
I
haven't
played
with
this
one
yet,
but
I
was
I
was
pointed
at
it
from
from
the
folks
at
at
vapor,
IO
they're
doing
this,
this
edge
compute
type
of
thing
and
using
kubernetes
to
do
it.
They
I
think
they
sell,
sell
edge
boxes
to
some
degree.
I
don't
want
to
I,
don't
want
to
make
too
many
assumptions
about
about
what
their
products
are.
A
You
know
I'm
super
interested
in,
because
I
think
that
that
bridging
the
gap
between
sort
of
the
development
process
and
the
deployment
process
of
what
you
run
on
the
cluster
is
super
interesting.
So
so
I
think
this
might
be
something
that
I
want
to
do.
A
future
episode
of
TTI
K
on
let's
see,
and
so
so
Erin
say
we
recently
launched
something
called
cred
scan
where
we
monitor
github.
For
anything
that
looks
like
one
of
our
secrets
and
notify
the
customer
yeah
totally
interesting
and
Bert
says
bye-bye
docker
sink
I
haven't
used.
A
Is
this
the
docker
sink
that
was
used
for
like
local
docker
sink,
because
the
mounts
were
so
slow?
I
know
that
there
were
that
it
was
using
this
like
super
old,
like
you
know,
synchronizing
thing
called
synchronicity.
This
looks
really
interesting,
though
so
I
want
to
dig
into
this.
This
looks
really
cool,
so
there's
that
and
if
folks
have
have
a
chance
to
play
with
it
before
I
get
to
it,
you
know.
Definitely,
you
know
reach
out
on
Twitter
and
let
me
know
what
you
think
of
it.
A
A
This
is
I
mean
I,
I
I
missed
it
when
I
was
there,
but
I
I
I
watched
it
prepping
for
this,
and
this
is
actually
a
really
good
introduction
into
some
of
the
low-hanging
fruit
of
what
we
need
to
do
to
actually
secure
kubernetes
and
as
if
you
go
through.
Let
me
find
the
I
think
this
slide.
Let's
see
this
slide,
I
think
is
really
interesting
here,
because
I
think
one
of
the
lessons
that
we're
going
to
talk
about
here
is
that
there
is
like
a
lot
of
the
security
features
that
we
started.
A
A
Let's
see,
and
so
so
yeah
so
starting
in
one
7-ish
is
when
we
really
started
adding
a
lot
of
the
security,
hard
name
for
kubernetes,
and
so
you
know
this
is
one
of
those
things
where,
if
you're
running
something
pre
1:7,
you
have
to
be
much
more
careful
about
hardening
things
and
sort
of
isolating
the
cluster
over
time.
We're
going
to
be
continuing
to
to
lock
things
down
and
provide
more
and
more
features.
Okay,
so
so,
let's
see
so
this
in
the
spirit
of
the
Olympics
I've.
A
Given
you
a
gold
medal,
thank
you
for
that
from
fern
and
fern
and
different
for
we
had
Fernando
sent
me.
The
link
was
fern
and
here
who's
asking
about
this
speaking
of
Secrets
in
github.
What
are
your
thoughts?
Experiences
with
a
get
crypt
to
stowaway
credits?
I
haven't
used
git
kripp,
one
of
the
other
things,
though,
that
I
think
is
interesting
for
storing
this
credentials.
Is
this
thing
called?
Oh
god,
what
is
it
called?
It's
a
bit
Namie
project.
A
A
bit
Namie,
cryptid
secret,
sealed
secrets.
That's
right!
Oh
it's
bit,
not
me
labs
because
they
have
labs,
everybody
is
cool,
has
labs.
So
this
is
Gus's
thing,
and
so
this
is
actually
a
really
interesting
way
to
actually
deal
with
secrets.
You
essentially
encrypt
stuff
check
them
into
kubernetes
and
then
there's
a
as
you
as
you
apply
these
to
your
cluster
there's
a
controller
that
has
the
decryption
keys
that
decrypt
them
in
the
cluster,
so
that
you
never
have
to
check
them
into
your
cluster.
A
But
yet
you
can
still
use
things
as
as
you
always
use
them.
So
it's
a
really
interesting
project
there.
So
I
haven't
used,
you
know,
but
with
a
name
like
get
crypt
I
think
maybe
it's
similar
to
this,
but
here
we're
actually
doing
it
with
decrypting
at
cluster
time,
not
necessarily
using
something
like
a
get
hook.
So
that's
actually
pretty
cool.
A
Alright,
so
sealed
secrets,
yeah,
so
y'all
are
way
ahead
of
me
and
says:
dos
honor
boy
take
security,
best
practices
into
account.
Not
yet
that's
something
that
we're
looking
at
super
carefully
for
sort
of
enhancements
to
sauna
boy,
and
so
you
know
is
essentially
you
know.
As
soon
as
we
saw
the
test
list
thing.
I
said
a
slack
message
to
Tim,
saying:
hey:
we
need
to.
A
We
need
to
make
sure
we
get
this
into
sauna
boy
he's
like
file
an
issue
I'm
like
ok,
Tim
I'll,
go
file,
an
issue
yeah
and
then,
let's
see
yeah,
it's
Sean
says
I've
used
decrypt
before
it's
ok,
but
I've
only
used
in
our
internal
git
server
at
work,
so
yeah
I
have
no
experience
with
it
and
then
Kelsey
you'll
do
no
security,
no
I,
don't
think
no
security.
Well,
if
you
have
no
code,
you
have
no
security
problems.
A
It's
like
you
know
mo
code,
most
security
problems
right,
alright,
so
the
next
thing
this
is
a
tease
here
is
Dave.
Cheney
is
working
on
a
blog
post
and
let
me
just
which
is
how
to
deploy
using
contour,
let's
encrypt
and
the
the
jet
stack
cert
manager,
stuff,
and
so
the
cluster
that
I'm
gonna
be
working
today.
A
Yes,
Equifax
already
did
no
security
yeah.
Well,
you
know
don't
throw
stones,
it's
only
a
matter
of
time
before
you
know
it's
like
everybody
can
screw
up.
Well,
I,
don't
all
right!
So
so
with
that
said
what
I
have
here,
starting
on?
Let's
see
if
I'm
still
logged
in
what
I
have
here
starting
out
so
we're
20
minutes
in
here
already
is
I.
Have
a
kubernetes
cluster
using
the
hefty
Oh
QuickStart,
because
that's
my
my
go-to
thing
and
then
I've
taken
that
cluster
and
I've
installed.
A
A
So
we
got
that
all
up
and
running
and
it's
happening
and
it's
all
nice
and
secure,
so
that
is
sort
of
where
we're
starting
from
here,
and
so
the
first
thing
here
you
know
and
I
have
sort
of
a
set
of
notes
that
I'm
going
to
be
going
through,
but
cute
control
version.
I
can
look
at
that.
You
can
see
I'm
running
a
193
cluster
in
a
192
clients,
I
can
do
cube,
control,
get
nodes
and
I.
A
Think
I
have
like
three
nodes
and
a
control
plane,
node,
so
I'm,
pretty
much
empty
ish
cluster
Fernan
says,
are
using
certain
manager
how
short
or
a
straight-up
docker
I'm
we're
using
the
the
yeah
mall
that
the
the
cert
manager
repo
has
checked
in.
Under
its
examples
day,
ml
is
generated
from
the
hound
chart
and
there's
some
and,
and
one
of
the
things
are
working
with
is-
is
making
it
so
that
that
works
easily
out
the
gate,
I
think
helm
is,
is
as
a
whole
nother
ball
of
wax
from
a
security
point
of
view.
A
Who
did
the
sealed
secret
stuff
dug
into
some
of
the
details
of
some
of
the
the
things
you
really
need
to
be
aware
of,
as
you
use
helm
from
a
security
point
of
view,
I
didn't
want
to
sort
of
layer
on
more
security
stuff
to
talk
about
in
this
particular
talk,
and
so
I
did
it
with
without
using
helm,
okay,
so
alright.
So
here
we
go
so
the
the
normal
thing
that
people
do
when
they
want
to
get
to
the
dashboard.
A
Is
they
call
cube
control
proxy
and,
oh
so,
Mark's
asking
what
is
the
cloud
formation
that
I'm
using?
So
if
you
search
for
hefty
Oh
quick
start
you'll
get
to
this
thing?
This
is
an
Amazon
QuickStart,
and
this
is
a
one-click
bring
up
a
single
master
single
zone
kubernetes
cluster.
This
is
something
that
we
was
one
of
the
first
things
that
hep
do
did
and
we've
been
continuing
to
keep
this
up
to
date
and
improve
it.
A
Yeah,
okay,
so
l'm
a
DS
cat
is
super
interested.
So
that's
all
that's
good
to
know.
Thank
you,
alright!
So
that's
that's
the
cluster
that
I
used
to
get
up
and
started.
Okay,
so
most
the
time
what
people
do
is
they
do
Q
control
proxy,
and
what
this
does
is
this
essentially
creates
an
HDTV
proxy
that
that
gets
hosted
on
the
API
server
that
then
forwards
all
stuff
to
a
particular
node,
that's
running
and
as
a
particular
particular
service,
and
as
it
does
does
so
it
it
sidetracks
a
bunch
of
this
sort
of
networking.
A
So
this
talks
to
the
API
server
and,
and
one
of
the
things
that
that
it's
doing
is
it's
using
the
credentials
that
I
have
in
you
know
that
I
use
for
cube
control
to
actually
you
know
essentially
do
this
browser
and
so
anything
that
I
actually
hit
here
from
the
kubernetes
api
point
of
view
will
be
using
those
credentials.
So
this
is
essentially
a
credential
stamping
proxy,
as
things
go
now.
One
of
the
things
that
you'll
see
is
there's
this
shortcut
here.
A
If
you
do
UI,
it
does
a
redirection
here
and
it
does
a
redirection
to
to
this
particular
URL,
and
so
what
this
says
is
we
have
API
v1,
namespaces,
cube
system
services
and
then
it
says
well:
I
want
to
go
to
the
HTTP
port
of
the
kubernetes
dashboard
and
I
want
a
proxy
to
that.
So
this
is
a
way
of
essentially
talking
to
a
service
and
proxy
into
it.
A
So
the
feature
of
a
PKI
is
that
it's
it's
harder
to
intercept
and
do
like
a
man-in-the-middle
attack,
hard,
slash,
impossible
and
and
but
what
that
means
is,
that
is
that
there's
no
way
for
the
API
server
to
take
my
credentials
and
then
forward
those
credentials
to
the
dashboard
so
that
the
dashboard
could
use
them.
And
so,
if
you
show
up
at
the
dashboard
with
no
other
type
of
credentials
coming
through
with
a
I
think
this
is
one
seven
plus
cluster
you're
gonna
get
a
screen
like
this.
A
This
is
a
login
screen
and
all
the
details
that
talk
about
this
and
I'll
put
all
these.
These
links
in
the
in
the
show
notes
are
here
that
talk
about
sort
of
what
happens
with
with
different
clusters
and
sort
of
what
the
default
permissions
and
stuff
are
that
they
have.
But
what
you'll
see
here
is
that
you
have
this
login
view.
Now
what
you
can
do
with
the
login
view.
A
Is
you
can
pretty
much
you
can
give
it
a
token
or
you
can
upload
a
cube
config,
and
that
cube
config
is
just
a
shortcut
for
extracting
the
token
out
of
your
cube
config.
If
you
have
a
cube
config
that
isn't
that
has
non
token
based
off
that
has
authentication
based
on
the
keys.
You
can
upload
it
here,
but
it
won't
work
and
then,
if
you
go
through
and
if
you
hit
skip
here,
what
happens?
A
So
so
what
that
means
is
that
is
that
so
far,
the
default
setup
in
sort
of
like
a
1:9
cluster
that
we
have
here
in
a
more
recent
cluster
is
actually
not
too
bad.
It's
actually
in
pretty
good
shape.
You
need
keep
control
proxy
to
even
get
to
the
thing,
and
once
you
get
to
the
thing,
you
need
a
way
to
actually
give
it
credential
so
that
it
can
act
as
you
so
yeah.
So
that's
where
we're
at
right
now
so
now.
A
The
problem
here
is
that
a
lot
of
people
that
hit
this
and
they're
like
man,
that's
a
pain
in
the
butt,
because
security
often
is
a
pain
in
the
butt,
and
then
they
start
searching
google
saying
like
how
can
I
make
these
warnings
go
away
and
there
are
hammers
that
you
can
bring
to
this
thing
to
make
these
warnings
go
away
and
they're
ill-advised.
So
let's
do
one
of
those
ill-advised
things.
So
don't
do
this
right
now.
So
Bismarck
saying
is
that
you
can
also
pass
a
token
with
the
authorization
header
system
right.
A
So
that's
something
that
we
can
get
to
later.
Is
that
if
you,
if
you
don't
want
to
use
that
that
login
page
that
we
had
earlier,
you
can
go
through
and
configure
something
to
pass
a
header
to
this
and
it'll
actually
then
pass
that
header
through
to
the
API
server.
Still
it's
token
based
off,
but
you
can
do
that
by
with
a
brother,
a
browser
extension
to
add
that
or
you
can
do
it
with
a
with
a
proxy
in
front
of
it
that
actually
stamps
that
thing
on
there
all
right.
A
This
is
don't
do
this
all
right,
I'm
going
to
do
it,
but
but
you
all
shouldn't,
do
this
so
I'm
gonna.
Do
the
controls
the
background
with
this
thing
and
then,
if
I
bring
up
here,
these
are
my
notes.
I'm
gonna
have
this
I'm
gonna
put
this
in
there,
and
this
is
I'm
not
going
to
upload
this
to
a
gist
that
I
created
after
the
fact
we're
gonna
create
this
in
this
admin.
Dashboard
yamo!
A
A
What
it
does
is
it
says
the
service
account.
So
this
is
the
subject.
The
kubernetes
dashboard
service
account
in
the
cube
system.
Namespace
I'm
gonna
give
it
cluster
admin
which
does
give
it
word.
So
this
is
kind
of
like
a
pseudo
file.
It
says,
like
hey,
you
know:
I'm
gonna
give
my
my
web
UI
root
on
my
on
my
machine.
A
A
A
You
can
see
that
we
already
have
a
service
for
the
kubernetes
dashboard
and
I
can
do
cases
at
a
service
or
I
can
edit
or
recreate
this
and
then
I
can
go
through,
and
if
you
do
something
like
type
equals
load
balancer,
this
will
actually
go
off
and
create
a
publicly
accessible
load
balancer.
If
I
were
to
do
that,
yeah
I
would
now
all
of
a
sudden
expose
my
dashboard
to
the
world.
A
Now
it
turns
out
that
there's
another
block
here-
and
this
is
probably
something
I
think-
is
a
default
in
1-9,
where
it
applies
network
policy
on
top
to
block
out
the
dashboard.
Also
just
because
you
know
the
current
policy
around
this
stuff
is
super
paranoid,
but
you
can
see
how
people
can
easily
via
changing
a
couple
lines
here
and
there
expose
their
dashboard
to
the
rest
of
the
world
without
being
super
careful
about
it.
A
It's
gotten
harder
over
time,
but
it's
still
way
easier
than
then
I
think
most
people
suspect
it
should
be
so
I'm
not
going
to
go
ahead
and
change
that
I'm
gonna
go
ahead
and
close
this
and
then
I'm
gonna
go
through
and
I'm
going
to
so
like
now,
I
have
full
access
and
you
can
go
every.
You
can
not
only
just
read
stuff,
but
I
can
go
through
and
start
reading,
secrets
and
stuff
like
this,
and
so
these
are
just
reading.
A
You
know,
let's
see
so,
you
know,
I
can
read
the
here's
the
certificate
for
the
htd
Beebe
in
service
that
I
had
right.
So
you
start
reading
TLS
secrets
and
all
sorts
of
stuff
out
of
this,
and
it's
not
uncommon
for
people
to
put
secrets
in
here.
So
that's
bad
news
all
right!
So,
let's
go
through
and
let's
delete
that
that
that
policy
that
we
had
there
so
we
had
apply
the
admin
dashboard
thing,
we're
gonna
do
go
through
and
we're
gonna
go
delete
and
that's
going
to
delete
the
cluster
role
binding.
A
A
Let's
say
that
I
do
want
to
actually
get
a
token
that
I
can
put
in
here.
So
this
is.
This
is
sort
of
a
more
safer
way
to
do
this.
Now,
if
you're,
using
a
different
kind
of
ought
system
with
kubernetes,
you
may
already
have
a
token,
in
which
case
you
can
upload
the
cube,
config
or
paste
the
token
in
there
or
configure
a
browser
extension
to
go
ahead
and
put
that
in
the
in
the
header,
as
you
actually
set
it
to
this.
A
But
if
you're
like
me
and
you're
running
in
a
cluster
that
doesn't
have
a
token
you're
like
well,
how
can
I
go
ahead
and
get
a
token
and
out
of
the
box?
There
are
three
ways
without
installing
some
sort
of
extra
type
of
authentication
for
kubernetes.
There
are
three
ways
to
get
tokens
to
authenticate.
The
first
way
in
this
is
kind
of
a
legacy
thing
that
most
people
don't
use
anymore.
Actually,
no
I
think
this
is
there's
two
ways
to
get
a
token,
so
one
of
them
is
a
bootstrap
token.
A
Generally,
these
tokens
aren't
used
for
anything
besides
bringing
up
a
cluster,
and
the
second
way
is
service
accounts
service
accounts,
as
you
create
them,
create
tokens
right
now.
Those
tokens
are
long-lived
and
it's
not
uncommon
for
people
to
extract
those
tokens,
put
them
someplace
and
use
them
we're
in
the
process
of
rethinking
about
how
we
create
a
service
account
tokens
so
that
they
are
created
on-demand
at
the
node
level
and
they're
more
scoped,
and
they
get
rotated
in
that
type
of
thing.
A
That
hasn't
happened
yet
so
right
now
we
show
you
how
to
how
to
create
a
service
account
for
doing
this
stuff
and
get
a
token
from
that,
and
then
the
other
way
authenticating
in
his
username
and
password
I
think
there's
a
token
way.
These
are
files
that
are
laid
down
on
disk
at
the
API
server,
and
if
you
change
these
files,
you
have
to
restart
the
API
server
to
be
able
to
update
things,
I
believe,
there's
one.
A
That's
there's
a
token
method
there
and
then
there's
also
user
name
and
password,
and
you
can
set
up
the
dashboard
so
that
it'll
ask
for
user
name
and
password
and
then
pass
that
forward.
I'd
recommend
that
folks,
don't
use
those
those
files
that
are
on
disk.
It's
a
super
brittle
to
change
those
things,
because
you
have
to
like
edit
the
files
on
disk
and
then
restart
the
API
server
and
it's
difficult
to
keep
those
things
in
sync.
If
you
do
any
sort
of
each
a
type
of
thing.
A
All
right
so
so
I
did
this
before
and
I
think
I
forgot
to
actually
delete
the
the
server's
account
that
I
created.
But
if
I
look
at
my
notes
here,
let
me
go
ahead
and
delete
these
cube
control
delete!
Oh
so
that's
my
dashboards!
Si
I
dashboard,
si
I
think
I
forgot
to
do
there.
We
go
okay,
that's
deleted
and
then
I
had
a
cluster
role
binding.
A
Now
you
can
do
these
things
with
the
ammo
or
you
can
do
them
sort
of
in
an
imperative
way
with
with
with
cube
control.
But
so
the
first
thing
I
want
to
do
here
so
so
pretend
I
didn't
have
that
there,
because
I
was
left
over
from
before
as
I
create
a
service
account,
so
I
created
a
service
account
called
my
dashboard
si.
Now
the
service
account
is
in
the
the
default
namespace,
because
that's
how
my
cube
control
is
set
up
right
now,
so
I
can
do
cube.
A
A
So
now,
if
I
go
through
and
do
Q
control
get
secret
and
dump
this
secret,
you
can
see
that
there's
a
couple
of
things
here,
there's
there's
a
the
the
the
CA
bundle
that
I
want
to
use
to
talk
to
the
API
server,
there's
which
namespace
this
thing's
is
for,
and
then
there's
this
long
thing
here,
which
is
my
token
now.
This
secrets
are
base64,
encoded
and
encoded.
So
now
what
I
can
do
is
I
can
copy
this
and
oh
actually
know
if
I
do
a
describe
secret
on
this
describe
secret.
A
Oh,
that's,
not
I'm,
gonna
copy
and
I'm
gonna
paste
that
into
the
login
screen
and
and
for
astute
readers,
you'll
notice
that
this
is
actually
a
JWT.
So
actually,
let's
go
through
and
explore
what
this
token
looks
like.
So
if
you
go
up
so
if
you
go
through
and
if
you
go
to
jot
do-
and
you
can
go
through
and
I
can
put
this
in
here
and
it
decodes
it.
For
me,
and
what
you
can
see
is
that
this
is
a
RSA
256.
A
That's
the
algorithm
that
you,
so
it's
a
public
key
type
of
thing
to
actually
sign
this
jot
and
the
information
in
the
jaw
is
that
this
is
a
service
account
for
the
default
namespace
and
here's
the
name
of
the
secret
that
holds
in
here's,
the
name
of
the
service
account
and
here's
the
UID
for
that,
so
all
sorts
of
all
sorts
of
information,
and
then
here's
the
signature
stuff.
So
you
can
take
that
tok
token,
which
is
a
jot
and
decode
it
and
actually
start
seeing
a
little
bit
of
data
behind
it.
A
Ok,
so
now
we're
going
to
take
that
thing.
That's
in
my
paste
buffer
here
and
not
we're
not
going
to
upload
a
file.
We're
gonna
paste
that
in
here
and
now
I'm
going
to
go
through
hit
sign
in
and
everything's
gonna
ask
me
if
I
want
to
save
that
and
look
at
that
woohoo.
I
actually
now
have
access
to
this
now.
A
This
is
strictly
better
than
what
we
had
before
and
the
reason
why
it's
better
is
because
if
somebody
accidentally
gets
a
network
path
to
the
api
server,
I
mean
to
the
the
dashboard
they'll
be
able
to
they'll
be
able
to.
They
won't
be
able
to
do
anything,
because
the
dashboard
itself
now
has
zero
permissions.
A
Now
that
doesn't
mean
that
you're
now
safe
to
actually
expose
the
dashboard
to
the
world,
because
there
could
be
a
bug
in
the
dashboard
that
lets
you
compromise
it,
and
if
you
can
compromise
the
dashboard,
you
can
sit
there
and
then
you
can
capture
other
people's
tokens
and
act
for
them
right.
So
you
still
don't
like
there
might
be
a
bug
in
the
dashboard
that
you
want
to
protect
against.
So
I
still
wouldn't
go
ahead
and
put
this
sort
of
open
to
the
world
and
I
think
we
see
this
with.
A
You
know
systems
like
Jenkins,
which
are
super
complex,
where
you
know
it's,
it's
still
probably
not
best
practice
to
take
Jenkins
and
only
trust
the
Jenkins
authentication,
if
you
expose
it
to
the
rest
of
the
world.
There
have
been
issues
with
that
in
the
past.
Sola
Maddie
says-
and
he
suggested
four
using
two
factor:
auth
offly
or
duo
with
the
dashboard
I,
don't
know
of
anybody,
who's
doing
to
factor
auth
I.
Think
one
of
the
things
that
you
can
do
is
you
can
authenticate
to
the
dashboard.
A
The
dashboard
then
takes
that
token
sends
it
through
the
API
server
and
if
you
have
access
to
muck
with
the
command
line
flags,
the
API
server,
you
can
actually
do
a
web
hook,
type
of
thing
to
verify
your
thing,
and
so
you
can
actually
do
two-factor,
authentication
and
all
sorts
of
stuff
for
actually
getting
to
the
dashboard.
That's
a
pretty
advanced
use
case.
We're
gonna
get
close
to
that,
but
we're
not
quite
there
yet
all
right.
So
this
is
probably
you
know
pretty
state-of-the-art
in
terms
of
locking
this
stuff
down.
A
It's
still
not
great
because
you
have
this
service
account.
The
service
account
itself
is
kind
of
a
shared
thing.
You
really
want
to
have
things
as
much
as
possible
to
be
locked
down
to
an
individual
user
or,
as
anybody
who
has
access
to
that
namespace
or
a
sort
of
broad
access
to
that
namespace
can
get
and
read
that
service
account
token,
and
so
it
kind
of
hides
the
hides
they
the
attribution
of
who's
doing
what
when
and
where.
But
this
is
not
bad
right,
so
this
is
a
sane
way
to
do
it.
A
The
Q
control
proxy
plus
the
the
token
like
that-
and
you
can
obviously
do
something
like
the
browser
extension
to
to
eliminate
that
login
screen
all
right.
But
the
next
thing
is
like
well:
I,
don't
want
to
do
a
cube
control
proxy
every
time.
I
want
to
talk
to
the
dashboard,
that's
a
real
pain
in
the
Bible.
So
so,
let's
go
through.
Let
me
look
at
my
notes
here.
So.
A
A
You
could
expose
it
with
node
port
and
if
you
deal
with
node
port
that
anybody
who
has
access
to
any
of
the
nodes
and
the
thing
can
actually
get
to
the
in
the
cluster
can
actually
get
to
the
dashboard.
But
a
lot
of
times
when
you're
running
in
the
cloud
or
when
you're
running
on
Prem.
There's,
like
a
sort
of
you
know,
you
don't
have
direct
access
to
these
things,
and
you
know
a
lot
of
times
in
sort
of
more
traditional
enterprises.
A
A
You
just
assume
that
the
Corp
network
is
already
is
already
compromised,
and
so
so
one
of
the
ways
that
you
can
do
this
is
that
you
can
run
a
proxy
and
authenticating
proxy
in
start
in
front
of
your
workload
and
that's
what
we're
gonna
do
and
there's
a
whole
host
of
these
I'm.
Not
an
expert
here,
Barrett's
here
saying
that
the
Google
identity,
aware
proxy
is
really
nice,
just
and
so
Emma's
so
Sowmya
saying
any
idea
why
see
advisor
is
decoupled
from
the
cubelets
during
1-9?
How
do
you
suggest
we
get?
A
The
usage
info
indicates
dashboard
going
forward.
I
think
see.
Advisor
is
built
into
the
cubelet.
My
understanding
is,
but
you
need
to,
but
you
still
need
to
run,
keep
stir
to
collect
that
data,
and
so
you
need
that
to
be
able
to
get
at
this
data.
I
believe
that's
where
it's
at
yeah,
and
so
the
the
beyond
corp
is
a
service
thing.
The
identity
of
our
proxy
is
one
of
those
things
that
Google
has
been
pushing
I,
don't
I
haven't
used
it
I,
don't
know
how
well
it
integrates
with
GK.
A
The
thing
that
we're
gonna
be
deploying
now
is:
let
me
find
it
here.
Oh
there's
improvements
coming
to
all
this
stuff
and
so
like,
like
the
dashboard
team's,
not
done,
there's
a
checklist
of
things
that
they're
looking
at
here
with
things
like
support,
native
support
for
external
identity
providers.
That
type
of
thing
there's
still
the
question
of,
then,
how
do
you
actually
pass
that
identity
into
the
into
the
the
data
into
core
kubernetes,
and
so
there
ends
up
being
a
sort
of
tight
configuration
coupling
between
the
dashboard
and
kubernetes.
A
In
terms
of
the
way
you
ought
to
the
dashboard,
how
do
you
then
go
ahead
and
use
that
with
kubernetes
and
because
kubernetes
authentication
is
so
flexible?
It
really
gets
a
little
bit
tricky
to
be
able
to
to
make
this
sort
of
secure
and
easy
and
working
by
default.
It's
a
hard
problem.
It
really
is
so
that
the
proxy
that
we're
going
to
be
working
with
this.
A
This
is
this
project
from
Bentley
called
the
oauth2
proxy,
and
they
have
some
nice
handy-dandy
diagrams
here
ignore
well
the
one
that
we're
doing
is
going
to
be
similar
to
this
to
the
one
on
the
left.
There's
sort
of
two
scenarios
that
you
have
here,
so
what
we
have
here
is
the
user
is
going
to
go
through
talk
to
instead
of
nginx
here
we're
using
contour
and
envoy.
So
this
is
going
to
talk
to
contour
ingress.
That's
going
to
do
SSL,
TLS
termination
from
stuff
coming
from
the
web.
A
It's
going
to
go,
go
ahead
and
forward
that
to
the
oauth2
proxy,
which
is
this
project
here.
That's
then
I'm
going
to
go,
coordinate
to
actually
confirm
your
identity
with
with
an
auth
provider.
We're
gonna
be
using
github
in
this
example,
and
then,
if
you
pass
muster
there,
if
you're
able
to
authenticate
and
there's
ways
to
specify
which
users
you
could
do
something
like
anybody,
who's
joined
to
a
github
org
or
if
you're
using
Google,
you
can
use
a
Google
group
to
actually
authenticate
stuff.
A
So
you
can
manage
some
sort
of
some
sort
of
a
low
list
there.
But
if
you
pass
the
allow
list,
then
this
goes
ahead
and
proxies
to
the
upstream
service,
and
so
it
essentially
becomes
a
discriminating
proxy
to
the
upstream
service
and
then
there's
options.
Whether
you
want
to
go
ahead
and
take
the
token
that
you
got
from
the
auth
provider
or
information
about
the
user
and
pass
that
through.
So
we're
not
going
to
take
it
all
the
way.
A
There's
some
really
fancy
stuff
that
you
can
be
doing
here,
but
well
at
least
get
this
as
a
sort
of
safety
screen
in
front
of
the
in
front
of
the
the
in
front
of
the
dashboard.
So
David
Anderson,
it
says.
Can
you
use
our
back
as
an
as
an
allowed
list
and
both
to
purely
to
buying
an
external
identity
to
the
Cates
role?
Now
that's
a
really
good
question.
So
there's
there's.
A
You
know
resource
to
be
able
to
do
that.
I,
don't
think
the
oauth2
proxy
supports
that
natively
and
I
think
it
would
be
they
would
have
to
start
integrating
with
with
kubernetes
and
have
its
own
permissions
to
be
able
to
call
subject
access
review,
but
I
think
that
might
be
an
interesting
way
to
do
this
No.
A
So
that's
not
there.
The
interesting
thing
is
that
you
can't
walk
up
to
a
kubernetes
cluster
and
say
what
are
all
the
users
who
are
authorized
to
the
kubernetes
cluster,
because
kubernetes
just
says:
well,
if
I
get
a
token
or
something,
let's
say
token,
for
example,
I
pass
that
off
to
somebody.
They
tell
me
what
user
it
is
and
then
I
trust
what
they
say,
and
so
that
set
of
users
that
kubernetes
is
able
to
recognize
is
actually
unbounded.
A
And
it's
really,
you
know
the
job
of
the
identity
provider
to
actually
decide
which
user,
which
set
of
users
it
returns
so
yeah.
So
the
idea
of
using
our
back
here
is
is
I,
think
a
same
one
I,
don't
think
it
does
it
right
now,
okay,
and
so
because
we
have
to
do
this
TLS
termination.
Here,
that's
why
I
said
I've
contour
with
with
let's
encrypt
and
cert
manager,
because
that
at
least
gives
us
table
States
in
terms
of
being
able
to
get
this
thing
up
and
running.
A
Okay.
Does
that
make
sense
from
a
diagram
point
of
view?
So
the
first
thing
we
need
to
do
is
whenever
you're
doing
an
oil
flow.
Like
this,
you
have
to
go
to
the
OAuth
provider
and
you
have
to
say,
hey
I'm,
a
new
application,
so
we're
viewing
this
thing
as
an
application
that
wants
to
partner
with
github
for
being
able
to
do
identity,
and
so,
if
I
go
down
here,
we're
going
to
follow
the
github
instructions.
And
then
you
create
a
new
project
I
they
call
it
projects
or
applications.
A
We
say,
register
new
application,
so
we're
gonna
call
this
TGI
K
dashboard,
the
homepage
URL
HTTP,
J,
dot,
F,
dot,
IO
itgi
K.
This
is
just
informational.
So
this
is
all
context
so
that
when
somebody
is
presented
with
this
screen
saying
hey,
do
you
want
to
trust
this
application?
There's
some
level
of
like
who?
The
heck
is
that
application?
A
Because
you
know,
when
you
start
looking
at
the
threat
models
around
Olaf,
like
type
o
squatting
and
sort
of
like
lying
about
who
you
are
as
one
way
to
steal,
credentials,
TGI
K
and
then
the
authorization
callback
URL,
and
so
one
of
the
ways
that
you
lock
this
down-
is
that
if
somebody
goes
through
it
does
this
flow,
the
there's
a
redirect
that
happens
from
the
OAuth
sort
of
authorization
page
and
that
redirect
has
to
this.
The
github
will
only
redirect
to
a
URL
that
you
configure
here.
A
So
it's
another
way
of
locking
down
Olaf,
and
so
what
we
need
to
do
is
is
it's
gonna?
Look
something
like
this
and
let's
see
what
was
I
gonna
call.
This
thing
I
have
to
Kate's
dashboard
I.
Think
I
have
a
whole
pile
of
the
amyl
here,
but
I
forget
what
the
domain
name
that
I
was
going
to
use,
was
Kate's
dashboard
on
T
GI
k,
dot,
IO,
okay.
So
this
is
what
we're
gonna
call
there.
Okay,
so
this
is
Kate's
dashboard.
A
So
now
I'm
going
to
go
ahead,
I'm,
going
to
register
this
application
and
as
I
do
this,
what
you
can
see
is
that
you
can
put
a
logo
up
here.
You
can
do
all
sorts
of
things.
Interesting
thing
is
that
it's
it's
a
single
person
that
owns
one
of
these
things
with
github,
and
so,
if
you're
a
company-
and
you
know
you're,
worried
about
somebody
quitting
or
leaving
and
losing
track
of
this
stuff.
This
is
something
that
you
want
to
be
aware.
A
So
now
what
I'm
going
to
do
is
I'm
going
to
take
these
I'm
going
to
put
these
into
a
kubernetes
secret
so
that
we
can
reference
them
as
we
go
through
and
and
reference
these,
as
we
actually
set
up
the
the
oauth2
proxy
and
so
I
have
here
a
command
line
to
be
able
to
create
these
things,
and
so
these
are
previous
run
that
I
had
here.
So
the
client
ID
I'm
going
to
put
here
and
then
the
client
secret
I'm
going
to
put
here
and
then
what
I
then
the
other
thing
we
need
is.
A
We
need
a
random
cookie.
That's
used
to
actually
sign
tokens
that
the
the
kubernetes
dashboard
is
settings.
You
know
cookies,
and
so
this
needs
to
be
a
random
value
and
so
we're
using
a
little
sort
of
python
sub
program
here
to
be
able
to
do
this,
so
this
becomes
a
one-liner
when
I
run
this
well,
when
I
guess
you
know,
logically
a
one-liner
when
I
run
this
it
outputs
the
amyl
for
a
secret
that
I
can
then
upload
and
apply
to
my
cluster
I
could
upload
it
directly
but
I.
A
I'm
gonna
go
ahead
and
put
that
in
there.
Okay,
so
let's
go
through
the
ammo
that
we're
gonna
be
setting
up
here
and
I'll
talk
about
which
each
of
these
resources
is
and
how
they
relate
to
each
other.
So
the
first
thing
I
have
here
is
I
have
the
secret.
This
is
the
kubernetes
dashboard,
OAuth
secrets.
This
is
the
information
that
the
OAuth
proxy
needs
to
do
its
job.
A
It
lets
it
identify
itself
to
github,
and
then
it
and
then
it
has
the
data
that
it
needs
to
to
be
able
to
sign
things
so
that
it
knows
that
nobody's
trying
to
spoof
a
cookie
to
it.
The
next
thing
I
have
here
is
they
have
a
deployment
for
the
oauth2
proxy
itself.
So
Lamanna
says:
where
can
we
find
a
list
of
authentication
providers
curious
what
solutions
are
available
for
on
from
k2
relations?
We
are
highly
regulated
and
can't
use
external
authentication
sources.
That's
a
really
good
question.
A
I
think
you
can
be
as
flexible
as
you
want
to
be
with
kubernetes
kubernetes
authentication
is,
is
really
a
whole
nother
ball
of
wax.
Most
of
the
time,
people
will
use
something
like
LDAP,
Active,
Directory
or
or
Open
ID.
To
be
able
to
do
this,
I
would
look
at
something
like
decks
as
being
sort
of
a
intermediary
here.
That
gives
you
a
way
to
start
bridging
stuff
and
one
of
the
things
that
I
want
to
do
in
a
future
episode,
and
we
have
a
project
that
we're
going
to
be
open.
Sourcing.
A
That's
going
to
help
make
this
stuff
easier
is
demonstrate
how
to
install
a
custom
off
provider
into
kubernetes
and
I'll,
probably
end
up
doing
github
again,
but
you'll
see
some
of
the
same
techniques
and
we
can
talk
about
other
other
ways
of
doing
stuff.
So
yeah
tectonic
is
the
one
of
the
sort
of
the
the
authorization
so
Sean
says
we
use
tectonic,
which
has
integration
with
Active
Directory
and
has
its
own
dashboard,
so
yeah.
A
So
the
the
the
non
dashboard
part
of
of
tectonic
is
this
system
called
Dex
DX
that
core
OS
is
open
sourced,
and
so
you
need
that
plus.
You
need
some
sort
of
dashboard
type
of
stuff
to
be
able
to
actually
play
the
play,
the
sort
of
dashboard,
the
role
and
so
I'm
hoping
to
be
able
to
show
something
there
that
I'll
actually
get
you
up
and
running
without
without
having
to
to
necessarily
do
something
like
tectonic
all
right.
A
So
now
we
have
a
deployment
here
for
the
OAuth
proxy,
and
so
this
is
all
relatively
sane
stuff.
The
cookie
secure
thing
here
this
is
set
to
false.
This
was
something
that
I
coltd
from
something
else.
I,
don't
know
if
this
can
be
true
or
not,
I
haven't
had
a
chance
to
check
it.
So
you'll
have
to
forgive
me:
I
suspect
that
we
could
get
away
with
this
being
true,
but
I'm
not
sure
I,
just
haven't
had
time
to
try
it.
We're
saying
we're
using
github.
This
is
the
upstream.
A
So
this
is
the
thing
that
it'll
proxy
to
so.
If
we
go
back
to
the
diagram,
what
we'll
see
here
is
whatever
this
server
set
here,
that's
sitting
behind
the
proxy
is
called
the
upstream
service,
so
david
says
Dex
only
bridges
to
another
to
provider
one.
Let
you
build
an
on-prem
off
the
provider,
it
will
bridge
to
LDAP
and
Active
Directory,
David,
I,
believe
and
then
key
cloak,
which
I'm
not
familiar
with,
also
provides
a
no
IDC
interface
that
can
be
delegate
to
multiple
ID
providers.
A
One
of
the
things
that
I'd
love
to
do
is
actually
do
a
kubernetes
native,
oh
I,
open
ID
provider,
so
that
you
can
actually
have
something
like
custom
resources
to
allocate
users
along
with
passwords
and
stuff
like
that,
so
that
you
can
actually
get
to
the
point
where
you
could
install
by
user
database
into
it.
But
most
people
will
defer
to
some
sort
of
SSO
type
of
thing
as
they're
setting
this
stuff
up.
But
nobody,
em
to
my
knowledge,
has
built
a
sort
of
kubernetes
native
ID
provider.
A
Okay,
so
HP
address
is
what
this
thing
is
listening
on,
the
redirect
URL.
So
this
is
the
thing
that,
when
this
thing
redirects
people
to
to
github
to
sign
in
this
is
the
place
where
we
want
things
to
call
back
and
you'll
see
that
this
lines
up
with
the
the
authorization
callback
URL
here.
So
these
things
are
the
same
thing.
So
we
have
to
make
sure
that
those
are
aligned.
A
Alright.
So
this
is
this
is
relatively
straightforward.
This
thing's
going
to
be
listening
on
port
8080
and
so
that
lines
up
there.
Also,
one
of
the
interesting
things
to
keep
in
mind
is
that
this
is
actually
doing
HTTP
upstream.
So
the
connection,
let's
see
going
back
to
our
diagram.
Oh
that's,
not!
Okay,
so
this
arrow
here
and
our
set
up
is
not
TLS
encrypted,
and
the
reason
being
is
that
by
default
the
dashboard
does
do
TLS
encryption,
but
it
does
it
with
a
self-signed
cert
and
there's
no
way
to
that.
A
I
could
find
with
the
the
oauth2
proxy
to
essentially
say
here's
an
extra
CA
that
I
want
you
to
use
for
the
upstream
provider
or
to
say
use
HTTP,
but
ignore
validation,
errors
on
the
certificate,
so
we're
just
defaulting
back
to
regular
old
HTTP.
Here
key
cloak
is
used
as
part
of
OpenShift
if
I'm
not
mistaken,
so
it's
similar
to
Dex
and
tectonic.
Okay,
all
right.
So
this
is
this
is
going
to
run
the
dashboard.
A
We
got
the
secrets
and
all
that
I
mean
running
the
oauth2
proxy,
and
now
we
have
to
actually
get
everything
else
plumbed
in
so
we're
gonna
have
a
service
to
the
oauth2
proxy.
So
this
is
a
regular
old
kubernetes
service
and
then
we're
going
to
set
up
ingress
to
this
thing
and
since
we're
using
certificate
manager
and
we're
not
doing
this
sort
of
you
know,
super
duper
cute
thing.
This
is
essentially
saying:
I
want
to
go
through
and
do
a
an
ACME.
A
You
know,
let's
encrypt
prod
thing
for
the
kubernetes
dashboard
and
then
and
then
I'm
gonna
set
up
ingress.
We're
using
contour
here
is
our
ingress
controller.
That
says
everything
coming
into
Kate's
dashboard
is
going
to
use
this
TLS
certificate
and
redirect
to
the
kubernetes,
the
the
oauth2
proxy
and
we're
up
and
running
so
I'm
again.
I'm
gonna
put
this
all
in
a
gist
that
y'all
can
see
after
the
episode
here,
but
but
this
should
be
relatively
straightforward
here.
So
let's
go
ahead
and
I'm
running
all
this
stuff
in
the
cube
system.
A
Namespace,
you
know,
if
you
want,
you
could
always
put
this
in
a
different
namespace.
There's
no
reason
that
you
couldn't
so
cute
control
apply
eff,
Oh,
auth,
proxy
Gamal,
and
so,
if
we
do
this
right,
then,
if
I
go
to
Kate's
dashboard
dot,
t
gik
dot,
IO,
look
at
that,
so
signing
with
github
I
click
on
the
and
you
what
you'll
see
here
is
that
it's
saying-
and
this
is
the
screen.
A
This
is
why
you
want
to
put
an
icon
there,
and
this
is
where
it
says:
here's
what's
gonna
redirect
to,
and
it
tells
you
about
the
application
and
stuff
like
that
and
and
sort
of
who
owns
that
application.
So
you
know
if
you're
a
user-
and
you
see
a
screen
like
this-
you
want
to
be
very
careful
to
make
sure
it
all
makes
sense,
because
you're
essentially
granting
something
else
permission.
But
right
now
we're
like
well,
we
don't
have
we're
not
going
to
give
it
that
much
permission.
A
The
one
thing
you
do
since
we're
checking
against
the
TGI
K
organization
is.
We
do
have
to
grant
that
organization
here.
I,
do
that
I
go
ahead
and
hit
authorize
and
it
doesn't
work
and
that's:
okay,
that's
okay!
It
took
me
a
while
to
figure
it
out
and
it
wasn't
until,
like
I,
don't
know
like
11:45
today
when
I
figured
out
what's
happening,
and
this
is
part
of
some
of
the
lockdown
that
people
have
been
working
on
for
the
dashboard
if
I
do
get
Network
policies.
A
What
you
see
is
that
there's
a
policy
here
called
deny
dashboard,
and
so
what
this
says
is
that
nobody's
allowed
to
talk
to
the
dashboard,
and
so
my
camera
went
blurry
there
we
go.
So
what
we're
gonna
do
here
is
we're
gonna
neuter
this
policy.
We
can
look
at
locking
it
down
to
just
the
auth
to
proxy
in
the
future,
but
let's
go
through
cases.
Edit
network
policies
deny
dashboard,
so
we're
gonna
go
through
and
the
way
that
you
do
this
and
I
am
not
super
duper
familiar
with
this,
but
see
it's.
A
This
upstream
request
timed
out,
because
what
happens
is
that
network
policy
prevents
our
OS
to
proxy
from
talking
to
the
dashboard
so
again
in
in
in
modern
versions
of
kubernetes,
you
have
to
try
really
hard
to
be
able
to
expose
the
task
board,
we're
having
to
sort
of
remove
multiple
roadblocks
here
so
kubernetes
network
policy
are
you
all
are
getting
403
SR
I
knew
as
soon
as
I
put
this
out.
People
are
gonna
start
hitting
it.
A
One
of
the
things
we
will
do,
though,
is
all
I'll
go
through,
and
you
know
when
we
get
further,
somebody
can
put
their
github
idea
up
there
and
we'll
actually
try
and
see
if
you
can
get
through.
Let's
see
so
so,
here's
all
the
stuff
and
and
what
we
can
do
is
we
want
to
do
default.
Allow
all
ingress
traffic
is.
Is
we
want
to
do
this
spec
ingress
and
then
say?
A
We
were
hitting
the
dashboard
and
on
port
on
an
unsecured
port
right,
because
the
the
it's
a
self-signed
certificate,
if
we
were
going
to
make
that
link
between
the
proxy
and
the
dashboard,
secure
and
the
oauth2
proxy,
doesn't
know
how
to
deal
with
that.
So
one
of
the
things
that
we'll
see
here
is
that,
if
I
do
edit
kubernetes
dashboard
will
see
that
the
Oh.
A
A
So
if
I
go
ahead
and
I
edit,
that
what
we'll
see
here
is
that
we're
only
exposing
port
443
in
the
service,
so
we
have
to
expand
the
service
a
little
bit
to
be
able
to
expose
another
port,
but
off
the
top
of
my
head,
I,
don't
know
what
port
that
is.
So
this
is
actually.
This
is
as
far
as
I
got
so
we're
now
in
uncharted
territory.
A
A
A
I
couldn't
get
there,
no
matter
what
I
tried
I'm
like
well,
what
would
be
blocking
that
as
my
networking
broken,
but
I
could
get
to
other
things
via
services,
so
I
was
pretty
sure
that
networking
in
the
cluster
wasn't
broken
and
I
thought.
Oh
well,
maybe
they're
doing
network
policy
now
one
of
the
things
to
keep
in
mind
with
network
policies
that
not
all
network
providers
support
that
policy.
So
you
have
to
know
whether
your
provider
supports
it
or
not.
These
this
cluster
by
default,
uses,
calico
and
calico
does
support
the
network
policy.
A
Dashboard
arguments
here
we
have
here
I-
believe
it
listens
on
9090.
So
this
is
the
insecure
port
here
and
by
default
the
unsecure
bind
address
is
127,
but
the,
but
the
image
that's
using
actually
does
does
0
0
0
right.
So
what
we
can
do
here
is
that
we're
gonna
go.
Do
this
and
we're
going
to
say
we
want
to
do
a
port
80.
We
want
to
go
to
90,
90
I,
think
that'll
work.
Let's
see
what
we're
doing
on
going
on
here.
A
What
are
you
doing
here?
I
screwing,
something
up
alright.
So
now
we're
gonna.
Do
some
debugging,
okay,
sis
get
pods
and
let's
look
at
the
OAuth
proxy
here
cases
logs,
oh
did
I
apply,
did
I
apply,
I
was
doing
Q
control
edit,
so
edit
essentially
brings
it
up
in
an
editor.
So
you
can
play
with
stuff
and
then
applies
it.
So
so
I
shouldn't
have
to
apply
I,
don't
think.
A
Nice
is
maybe
a
silly
question,
but
when
would
you
use
the
company's
dashboard
vs.
Prometheus
core
fauna
is
one
of
them.
Well,
I.
Think
the
the
Cooper
nice
dashboard
gives
you
access
to
sort
of.
You
know
what's
running,
what
are
the
pods?
What
are
the
services?
It's
essentially
an
interactive
graphical,
cube
control
in
some
ways,
whereas
something
like
Ravana
and
Prometheus,
it's
about
sort
of
like
well,
what's
actually
happening
from
it,
sort
of
metrics
point
of
view
alright.
A
A
A
A
A
A
Okay,
so
let
me
do
that
bash
thing
again
and
we're
trying
to
get
this
so
that
we're
getting
connection
refused
okay.
So
so
we
are
getting
to
the
pod
we're
trying
to
actually
hit
at
in
Port
99
and
they
were
getting
connection
refused
there.
So
I
may
have
the
wrong
port
on
the,
because
I
just
have
that
wiki
page
I,
don't
know
what
the
real
default
is.
That
wiki
page
could
be
wrong
so
and
let's
try
and
go
to
90
90,
so
yeah
we're
getting
90
90
there.
So,
let's
let
me
close
that.
A
If
we
look
okay,
here's
the
arguments
will
do
and
secure
bind
a
0
to
0
at
0
and
then
we'll
set
the
insecure
port
9090
just
to
make
sure
all
right.
What
could
go
wrong?
Who
knows
alright
I
think
I
looked
earlier,
I
like
ssh
into
the
node
and
I
actually
did
a
PS
and
it
did
look
like
it
was
already
having
a
secure
bind
address
at
0,
0
0,
so
I
thought
that
was
working
but
like
we'll
just
really
make
sure.
So
it's
this
thing.
A
A
A
The
IP
address
so
there's
it's
insecure,
says
it's
using
port
and
then
secure
port,
so
it's
in
secure
port
and
port
or
port
and
insecure
port
I'm.
So
confused.
So
let's
look
at
the
code
when
in
doubt
read
the
code.
App
I,
don't
know
that's
back-end.
What
is
it
we
have?
Where
do
you
think
this
stuff
is
to
find
source
app?
A
Yeah
Chris:
you
need
to
actually
get
a
one-line
fix
and
come
in
and
help
me
here.
We're
gonna
figure
this
out
everyone!
So
don't
worry!
We
got
this.
You
just
need
to
just
need
to
give
me
a
second
here.
Alright,
so
insecure
port
is
ninety.
Ninety
and
insecure
bind
address.
Is
this
so
what
is
going
on
here?
A
Somebody's
sending
me
slack
messages.
Are
they
gonna
give
me
the
answer,
no
nobody's
helping
here
all
right,
let's
see
so
what
are
we
doing
here?
So
they
make
sure
that
these
things
did
get
through.
So
we
do
have
insecure,
bind
address
and
insecure
port
that
should
work.
Is
there
another
flag,
that
has
to
say
no
really
I
mean
it.
A
A
So
Chris
it's
like
do
I
need
a
diet,
coke
or
string
cheese.
Yeah
bring
me
a
diet.
Coke
Chris
I'd
appreciate
that
so
so
Mia
says
bash
in
the
dashboard
and
see
what
buying
is
are
so
I
could
dash
into
the
dashboard,
but
it
actually
has
a
really
minimal
image,
and
so
it
doesn't
even
have
like
bash
that
I
could
figure
out.
So
that's
something
so
the
services
does
have
the
port,
so
we
do
have
that.
A
Is
it
running
on
insecure,
secure,
I've,
missed
part
of
the
show
yeah,
so
so
the
way
that
the
oauth2
proxy
Marco
works
is
that
it
doesn't
know
how
to
deal
with
self
site
certificates
on
the
upstream
service,
so
we're
trying
to
enable
the
insecure
login
for
the
for
the
cluster.
Oh
here's
a
diet,
coke
from
Chris.
Thank
you,
Chris
you're,
a
huge
help,
yeah,
which
I
think
that
we're
gonna
try
that
flag,
that'll
that'll
get
us
there.
A
A
Cases
logs,
it's
still
not
saying
that
it's
doing
the
insecure
serving
we're
gonna
have
to
read
some
more
code
here.
So
that's
not
the
thing
I
thinik
ation
mode,
ma'am
yeah,
that's
how
I
feel
bind
address
in
secure
bind.
So
where
should
be
good?
What's
going
on,
alright
I
think
something
wacky
is
going
on
so
get
pods.
A
A
Okay,
so
the
HTTPS
is
going
to
the
auth
to
proxy,
so
that
is
secure.
It's
the
link
between
the
OAuth
2
proxy
and
the
dashboard
that
we're
having
problems
with
okay.
So
we
do
see
this
as
happening
here,
so
this
is
working
we're
hitting
port
1990,
so
we
should
be
able
to
so
if
I
did
cube
control.
So
I'm
now
on
the
master
machine
get.
A
So,
let's
wide
so
now,
let's
try
so
this
is
this:
never
do
curl
I'm
still
getting
connection
refused.
So
for
whatever
reason,
this
thing
is
not
actually
listening
on
the
secure,
try,
another
port
other
than
99
I,
don't
think
that'll
do
occurs.
I'll!
Keep
that
in
mind.
Let's
see
what's
happening,
I'm
gonna
read
some
more
code
here
and
actually
see
what's
going
on
here,
because
I
think
that
there
might
be.
A
So,
let's
see
oh
here's,
the
thing
it
does
one
or
the
other.
If
I
have
serving
certificates,
it
will
only
serve
HTTPS.
If
I
don't
have
serving
certificates,
then
it
does
the
insecure
stuff
it
won't
serve
both
of
them
at
the
same
time
right.
So
that's
the
problem
here
so
now.
What
I
can
do
here
is
if
I
go
through
so
I
would
never
would
have
guessed
that,
because
the
flags
don't
imply
that
so
now
sometimes
you
just
got
to
read
the
code,
unfortunately
edit,
okay.
A
A
A
A
All
right,
this
is
I'm,
not
sure
everything
that's
going
on
there,
but
this
is
so
I
think
this
will
actually
pass
it
through.
Okay,
pass
authorization
had
our
set
authorization.
Header
passed
the
authorization
header
to
upstream.
So
that's
what
we
want,
but
that's
not
actually
worked
in
now.
So,
let's
see
so
the
so
that
looks
really
cool.
A
Okay,
so
the
container
doesn't
it
doesn't
expose?
Now
you
either
are
doing
secure
non
secure
with
the
dashboard.
So
that's
the
problem
that
we
were
hitting
there.
Okay,
so
we
still
go
through
and
this
thing
is
passing
some
sort
of
oo
header
through
and
I'm,
not
sure
why
it's
passing
an
auth
header
through
but
like
I,
think
that's
the
wrong
thing.
A
A
A
Yes-
and
we
got
to
the
point
so
now-
we
can
go
through
now-
we
essentially
are
back
to
where
we
want
it
to
be
now.
One
of
the
things-
and
this
is
I,
think
is
the
interesting
thing
here
is,
and
this
is
the
next
step,
but
I
don't
think
we're
gonna
have
time
to
do.
This
is
that
if
we
do
this
pass
access
token
pass
the
OAuth
access
token
to
upstream,
via
the
X
forwarded
access,
token
header.
A
So
this
is
essentially
we'll
take
the
access
token
that
lets
us
verify
who
we
are
with
github,
it's
gonna.
Let
us
go
through
and
actually
send
that
through
and
then
and
then
that
will
go
to
kubernetes
and
then
kubernetes
will
be
like
I,
don't
know
what
the
heck
to
do
with
this
access
token
and
it'll
then
send
that
to
any
configured
webhooks.
A
A
A
A
Yeah,
so,
okay,
all
right,
so,
okay,
so
we're
not
quite
to
the
sort
of
the
the
shangri-la
where
you
can
actually
go
through
and
have
your
authenticating
proxy
authenticate
you
to
the
you
know,
essentially
not
only
let
you
through
but
provide
the
right
stuff
so
that
you
can
authenticate
all
the
way
to
the
to
the
API
server.
It
doesn't
look
like
the
right
things
to
do
to
be
able
to
do
that.
Are
there
so
yeah
there
is
this
kubernetes
oid
seed
helper.
So
if
we
had
that.
A
A
So
maybe
next
time,
maybe
maybe
this
stuff
will
make
its
way
forward,
we'll
be
in
good
shape,
but
I'm
actually
pretty
excited
about
this
now
now
here's
the
thing
that
I
want
you
all
to
be
realized
is
that
we
set
this
up
for
the
dashboard,
but
this
same
technique
for
setting
up
this
sort
of
secure.
You
know
screen
door
right
or
you
know,
secure
gates
could
be
used
for
any
sort
of
internal
dashboard.
So
you
might
want
to
set
this
up
for
your
monitoring
dashboards.
A
A
Believe
you
can
set
this
up
such
that
it
actually
can
can
can
deal
with
a
whole
bunch
of
backends
right.
So
you
can,
you
can
deal
with
multiple
backends
and
it
uses
like
the
host
header
to
be
able
to
do
it.
I
don't
know,
I,
don't
know
how
smart
this
is
about
sort
of
letting
you
off
once
and
then
letting
you
you
access
a
set
of
services.
You
might
be
able
to
do
something
like
you
know,
multiple
levels
where
you
have
this
then
talk,
and
then
you
have.
This
goes
back
through.
A
Maybe
another
ingress
controller
for
internal
ingress
or
something
I,
don't
know.
So
that's
an
interesting
interesting
thing
because
we
just
did
a
one-to-one
between
the
oauth2
proxy
and
the
dashboard
I.
Don't
know
if
there's
a
way
to
do
is
sort
of
a
one-to-many
with
the
oauth2
proxy
and
a
bunch
of
stuff
that
you
might
have
on
the
backend.
Alright,
so
I'm,
gonna,
read
so
Sean,
says
guess:
I'm
misremember
must
have
watched
different
video
and
autoscaler.
It's
my
dad.
I
did
do
one
on
I
think
we
did
do.
A
A
You
know
where
the
bottleneck
is
in
your
application
and
for
any
complicated
application
or
bottleneck,
usually
isn't
where
you
think
it
is,
and
then
just
as
the
authentication
documentation
days
says,
there's
an
issue
with
no
ID
seen
authentication
for
dashboard
since
they're
so
short-lived,
so
yeah
we're
not
doing
Oh
IDC
10
occasion.
So
if
you
did
that
yeah
you'd
have
that
15
minute
token
we're
using
the
long-term
jobs
for
the
service
account
here,
so
we're
just
using
the
OID
C
as
a
front
door.
A
If
we
did
go
through
and
we
use
the
OID
C
thing
to
be
able
to
do
this,
then
it
would
be
up
to
the
proxy
would
actually
be
doing
the
Refresh
and
passing
a
new
access
token.
For
so,
if
we
got
this
set
up
and
this
proxy
was
passing
things
through,
we'd
be
in
good
shape,
we
wouldn't
be
dealing
with
that.
So
there
were
a
couple
questions
really
about
whether
the
Google
identity
aware
proxy
works
with
GK.
Yes,
it
does
that's
what
Brandon's
saying
here
and
then
Marco
says.
A
A
What
I'm
gonna
do
is
I'm
gonna
put
all
the
links
here,
but
I'm
also
going
to
make
sure
I
upload
this
big
yamo
file
with
the
OAuth
proxy
y'all
can
can
look
at
that,
and
then
I'll
include
my
notes
here
too,
which
has
a
bunch
of
pointers
to
stuff,
including
that
one-liner
for
creating
the
secrets.
That's
necessary
there.
A
But
if
you
look
at
the
at
the
cluster
API,
the
way
that
the
cluster
API
is
modeled
is
that
you
wouldn't
use
and
I
did
an
episode
on
the
cluster
API.
You
wouldn't
use
the
the
the
underlying
cloud
provided
sort
of
auto
scaling
mechanism
to
be
able
to
drive
the
size
of
your
cluster.
Instead,
what
you
do
is
you
actually
create
a
pairing
so
that
you
have
like
a
machine
object
which
is
a
CR,
D
and
kubernetes?
Then
you
have
a
controller
that
knows
all
the
guts
on
how
to
talk
to
your
to
your
cloud.
A
The
controller
creates
nodes
on
demand
based
on
the
machine
object
and
then
the
autoscaler
actually
knows
how
to
create
and
delete
those
machine
objects
that
then
cause
downstream
things
to
actually
be
created
or
not
so
I
think
the
future
of
cluster
auto-scaling
is
going
to
be
something
like
the
the
cluster
api
being
a
basis
there.
So
that's
something
that
I
would
look
at
and
then
yeah
with
spotty
instances
would
be
super
cool
yeah.
So
so
the
combination
of
kubernetes
and
spot
instances
is
super
neat
all
right.
That's
all
the
time
we
have
for
today.
A
Folks
I
think
you
know
I
hit
an
hour
and
a
half
on
the
nose,
but
then
I
kept
talking
so
almost
there.
But
thank
you
everybody
for
watching,
and
hopefully
you
all
got
a
lot
out
of
this
stay
safe.
Don't
expose
your
dashboards
to
the
world,
whether
it
be
the
kubernetes,
dashboard
or
jenkins,
or
anything
else
like
that.
Hopefully,
this
gave
you
some
some
ideas
and
some
techniques
that
you
can
use
to
to
keep
yourself
safe,
but
see
you
all
next
week.