Description
Come hang out with Joe Beda as he does a bit of hands on hacking of Kubernetes and related topics. Some of this will be Joe talking about the things he knows. Some of this will be Joe exploring something new with the audience. Come join the fun, ask questions, comment, and participate in the live chat!
This week we will look at kube2iam and kiam. These are systems that aim to bridge the world of Kubernetes with AWS from an auth perspective.
See https://github.com/heptio/tgik/tree/master/episodes/070 for notes and code.
Coverage of kiam starts around 12:00
All right, hello, hello, hello. It is 1:00 p.m. Pacific on Friday, my name is Joe Beda and this is TGI Kubernetes, and for those who don't join us all the time, this is a weekly-ish broadcast that we do where we talk about all things Kubernetes, explore some new technologies, talk about the news of the day, what's happening in the Kubernetes and wider cloud native ecosystem. So yeah, I'm Joe Beda, I am a principal engineer here at VMware. I started TGIK when we were at Heptio, and so Heptio was purchased by VMware and now we're working on integrating stuff. So yeah, and let's see, and so I trade off a lot of times with Kris Nova, who's on the line in the comments here, and sometimes Duffy Cooley, who's also hanging out today. All right.

So, first of all, hello Suresh and Jesse, good to see you. Martin from the Netherlands, Olaf from Denmark, Sandeep from Poland, Imadi, good to see you. Roberto, Dims, I mean, how's it going, man, you're in Boston, good to see you. Federico from Gothenburg, which I am, you know, Federico taught me at KubeCon how to say it, I'm sure I'm messing it up here. Wellington from Brazil, okay.

So in the comments is a link to HackMD, and so this is a markdown document where, if you want to, you can log in there, you can start participating in that. It's a good way for people to take notes, especially if you want to put timecodes in there of like, hey, when do certain parts of the episode start? It'll really help folks who are watching later. So you know, if you want to join in in terms of actually creating some content, we'll check this into the GitHub repo and all that. All right, so Troy, good to see you. Double D, JD from Wisconsin, Alexi from LA, Nadir, thank you for the pointers, man, you're out in London, cool. Have I been working out? No, yeah, you know what happens is like the beard gets bigger and then my wife's like, you got to cut it back, and then I cut it and I look like 10 years younger. That's kind of how things roll, okay.
So the plan today is we're gonna cover or explore the space of, like, how do you connect authorization from stuff running in Kubernetes to AWS and AWS services, and so this started with this project called kube2iam.

There's a lot of good stuff here, and so, oh, one thing I want to mention: after TGIK, and I'll put a link in the chat, but after TGIK we're gonna be doing sort of an after-party type of thing where some other folks from VMware are gonna be, and some other folks from around the community. We're gonna be really looking in depth in terms of what's new with 1.14. We want that one to be a more sort of, like, you know, hanging around a table, everybody chatting, so we're gonna be doing that in Zoom. So it's more of like an office hours, hangout type of thing. We're trying out something new, so join us. That's going to be in a little bit, we're going to do that after TGIK. All right.

So, let's see, we have Arthur from Nice, Brian from Riverside, Dimitri from Serbia, good to see you. All right, so really interesting, just a quick overview of what's new in 1.14. Obviously, you know, we're gonna go into more depth in the after hours. Windows nodes are graduating to stable. This was a real sort of push for folks to get better Windows support, really document: where do things work? Where do things not work? Where do some of the Kubernetes abstractions break down on Windows, or where are they interpreted differently? So that is definitely something to look forward to, and a lot of work went into that. Other stuff: durable local storage. I really want to do an episode on this and learn about this. This is really interesting stuff. PID limiting, which is one of those things where you can exhaust PIDs in the kernel, so it's another type of isolation that's going on there. Pod priority, preemption, pod ready++. Let me explain sort of what this is, because this one's actually really confusing. Right now we have readiness checks inside of a pod, right? Are you ready? And if you're ready, you should be hooked up to a load balancer and people should start sending you traffic. Well, one of the problems is that when you have really interesting support from clouds where they want to hook up a load balancer that goes directly to a pod, because the networking supports that, so you're not going through a Kubernetes service, it takes time for those load balancers to be able to actually recognize and start rotating in new pods. And so sometimes for a pod to be ready, there's other factors than just the pod itself, and so this is essentially being able to represent that. So that's actually really cool. And then kubeadm: much easier now to be able to do multi-master, which is really exciting, and so this is ways to be able to do what we would call swizzling certificates between machines so that things can talk to each other securely, and then kubeadm join is now in phases. So a lot of good work going on with respect to cluster lifecycle. So yeah, so Wellington was calling out the multi-master support, and then hello Sayid from London. So that is, and I think we'll go into a lot more, you know, there's like pulling together the release.

So Nicolas, one of our field engineers, Duffy Cooley, another field engineer, and then a handful of other folks are going to be getting together to do this stuff. All right, and then let's see, and then we also have this great blog post here, a guide to admission controllers. This is on the Kubernetes blog. This really goes into some details in terms of, like, and I think this is a great diagram here of what is sort of a pipeline for how stuff works inside of the API server.
So that's actually really cool. It talks about admission controllers, how they work, so really, really interesting stuff going on there. So that's a great blog post if you want to take a little bit deeper look. I don't think we've done an episode on admission controllers explicitly. I think that might be fun, to actually try and write one from scratch, implement it in bash, maybe, I don't know. You could probably implement it in bash. What do you think? A little netcat, you'd need to do TLS, I wonder. Is there like a netcat TLS? I'm sure there's like an obscure openssl command that'll let you do that. And then, let's see, so Duffy called attention to this. This is really interesting: Amazon. So Amazon has not one, not two, but three different types of load balancers. There's the, yes, tunnel, that's it, yeah, good one!

So that looks really, really interesting, and so this is something that would be really interesting to dig into at some point too: how you actually can use these things together, and that type of direct-to-pod thing is, I believe, something that GCP supports also, if I'm not mistaken. So yeah, so that's actually really cool stuff. Oh, let's see! Oh okay, we got another. Some people added some other stuff here.

Let's see, and I want to say hi to folks, so Joseph from London, Arco from Milan, nice to see you, Abhishek from India, Bogdan from Romania, and then Philip from London, good to see y'all, thanks for joining me. I know I picked the wrong time to do this, because Friday here is, like, different times everywhere else. There's no good time to do these things. Okay, so with that, are there any other sort of topics of the day that folks want to talk about before we jump into today's episode? No.
Let me switch back here. I'll take some notes. All right, all right, so here's the deal. It all started with kube2iam, which is this project here, and this has been around for quite a while, and a lot of folks are using this, and the idea here is that... so Bismarck is saying that there's really interesting stuff in that Zalando presentation that's in the notes, all right.

They must've been working on it concurrently with Amazon adding role support, and so I think, you know, it's also worth looking at, and we'll talk a little bit about the difference between a role and a user in the Amazon IAM system, because I think, you know, for me at least, that has been a little bit confusing. All right, but first, let's talk about the metadata server. So what I'm going to do is... and I don't know if Amazon calls it the metadata server, that's what I called it in GCE, but essentially what you can do here is, if you do a curl to this particular address, it starts returning you information about your instance, right? And so what we'll do here is, give me a second here, I have a script that helps to set up my config here.

And then, if I do one, tunnel, this will actually SSH to the master. So I have a Kubernetes cluster up and running, with nodes in Amazon using the VMware QuickStart, and this is not working from there. Okay, there we go. We're essentially... I just have a single control plane node and then I have two worker nodes. I am SSH'd into the control plane node right now, and now this is running on Amazon. Oh, that's not what I wanted to do. I do this.

If I do curl there, what you see is that you get a whole bunch of information, so I can go through and actually say, well, give me the AMI, or let's see, what's something that might be interesting here: the AMI ID that I'm running, the instance ID, and it's like, oh, there's my instance ID. I can do the instance type, which is an m5.large, right? So you can get a bunch of sort of meta information there.

You can see that what we have is there's this profile ARN and an ID, and you can actually get that out of this, yeah. Troy's asking, is this like Google's metadata server? It is. It's not exactly like... when we did GCE, we considered trying to actually create the same structure, the same schema as the EC2 metadata server, but there's just enough differences in terms of how we did stuff in GCE versus EC2 that it didn't really make sense to do that.

So that's actually a really bad, really bad thing. Now, one of the things that we did, we didn't do it right away at Google, but we did it over time, is that we require you to pass a special header along with that. It's something, it's not everything. What it means is that a lot of times when you're doing proxying, you know, that proxy doesn't carry all the headers forward, and so this is a way to essentially create some mitigation for some of these proxy attacks.

So the idea here is that you can essentially walk up to the metadata server on an Amazon account, and you can get credentials that let you talk to other Amazon APIs, so like S3, and so that means that when you're running in Amazon in an EC2 VM and you want to talk to S3, it just magically works when you set it up, and I say magically because setting it up can be painful, but it magically works in terms of you don't have to manage pushing credentials around. That's a great experience.
It's like get-caller-identity, so this is "who am I". This is essentially "who am I", and what we see here is this is giving me information, and to do this, it had to actually make a call into an AWS API, and say: here's the account, here's the user ID that we're working with, and then here's the role, the ARN that I'm working with. All right.

So that is the problem that we're trying to solve: we've got this great experience when you're working at the VM level for talking to other Amazon services; how do we bring that to the container level? All right? So Bogdan is like, a bit off topic, but talking about AWS, what are your thoughts on EKS? I played with it a bit the last couple of days and I was surprised to find it quite crude compared to GKE, for example. I think, I mean, this is a touchy thing.

I know a lot of folks in the EKS team. I know they're working really hard to make this stuff work, and I know that there's definitely customers that are seeing success with it. It's definitely a project, or a product, that is under heavy development and expansion. I think what you're seeing is that, you know, there's different approaches that you can take to building a service like this. One of those is, you know, build a solid foundation and then extend the set of features over time.

I think the biggest thing that's missing out of EKS is node management. You go to GKE, you press a create cluster button, and it actually manages bringing up not only your control plane but also all the nodes. It'll manage upgrades across those. You can have this idea of node pools. It'll do repair of those things. All of that stuff is built in, and it's essentially a more complete user experience for GKE.

Now, that means that, if you want to do other special things with nodes, it can be a little bit different. There's not a sort of bring-your-own-node type of approach to this. On the flip side, with Amazon you bring your own node, which is something that, you know, if you're like, hey, I have a corporate standard, I must be using RHEL, but like maybe it's hard to use that with GKE, I don't know, maybe you can do it, I've never done it.

I'm gonna put on my admin hat, so I'm gonna actually assume my super duper, you know, sudo root type roles so that I can do a bunch of admin type of stuff. Okay, well, now I'm actually deploying an application, or now I'm actually doing sort of an SRE type of thing. Well, I don't need permissions to do a bunch of other things.

So let me put on my more limited role to be able to act in that more limited role, so I don't make a mistake and leak credentials or accidentally do something that impacts my account more than I really wanted it to, and so roles are a way to essentially bundle up a bunch of permissions and then make them available by choice. So, like, the user doesn't necessarily have those permissions but can choose to sort of take those permissions if they want to, and so that, I think, is the critical thing of roles.

It's something that you opt in to, saying I want to act as this role now in this situation. Let's see, there's some chat stuff, so Sega from Atlanta, good to see you. Let's see, yeah, the assumed role stuff is the idea behind the project, and then you're pointing to AWS. I haven't seen the 99 secure stuff, it's a-ok. This is a way to secure credentials that you daily use. Look at this, well, for development environments. Interesting, okay, Duffy! Can you throw that in the notes, man? All right, cool.
Let's see, all right, so, okay, but now, when you're an EC2 instance, what happens is you don't have a user, so, instead of actually having to create a user, what happens is that when you get these credentials, you just say, hey, whenever this instance wants to do something within the AWS sort of IAM world, use this particular role for it.

So let's trace through how that actually works, and then we'll play around with that from the command line, and then we'll look at doing one of these systems. I'm gonna start with kiam, I don't know, as a way to actually sort of start to automate some of the stuff that we're going to look at doing by hand. All right. So the first thing is: let's explore what we actually have here. I have two clusters, one called tgik, tgik2, just in case I screw something up.

As part of the Heptio QuickStart, and depending on which tools that you're using these things may be called different, but generally to do anything that has any integration with the rest of EC2, you need to be able to have roles, and so what you'll find here is this stuff. Like, can you all read this? Do I have to make it a little bit bigger? Maybe I actually sorted this. What I do mean to do that better? Well, all right! So what we'll look at here is, all right.

We have a role for the master node, and then we have a role for the other nodes, and so what we can look at, since we're actually in the master node, is that we can go through and we can see what are the policies that are actually attached to this role. So essentially, what can we do? So one of these things is that we can do a bunch of stuff around CloudWatch logs, so there's some integration with our stuff.

Then we have this cluster info thing that's used to be able to store and get cluster info stuff. That can be super useful, and then we have essentially the master roles, which are pretty broad here. So there's ECR stuff, auto scaling, elastic load balancing, and then essentially like a whole bunch of stuff for EC2. We could probably narrow this down more, but with different versions of Kubernetes these things are expanded, and so I think there's probably room to be able... I know at one point we were.

So we want to add other permissions for STS and we want to be able to assume role. So this is essentially the thing that we need to do, and it's like, which roles do we want to assume? Well, it turns out that you want to have some restrictions on who can assume what roles. We're going to do that on the role, not actually on the guy that wants to assume it, and so we're gonna hit all resources here.

Review the policy, and now we save those changes. All right, so let me go through, I'm gonna switch to the document camera and actually map out the way that we're actually going to be able to do this. So what we have here is we have our master and it is allowed to assume the... what do we call this thing, the, you know, we'll call it the K8s stack master role, okay.
TGIK2, so this one here, what you'll find is that there's an IAM role, and so this is... that role matches up with the role that's defined here, and then that role from within the VM, with this get-caller-identity, I can actually see that role. All right, so let's go back to the doc camera. So this actually has this role, and then this has a set of policies, and one of these is the STS assume role.

So what we're going to say is not only can we actually assume this role, but then we can, sort of chained, actually decide that we want to assume other roles, and so we're gonna actually attach this, and I already set some of this stuff up before, but I'll lead you through it. Two more roles here, actually three more roles, so one of them is that we're gonna have a kiam... what did I call this one? I'll tell you what I called this role in a second here.

I called this one, I just want to make sure I get it right, "kiam server", okay, so we're creating a little bit of indirection here, and the reason we're doing this is that it actually makes it easier to share this across multiple clusters as nodes come and go, and then from here we're gonna... actually we have two roles. One of them is called TGIK CTF read and TGIK CTF write, and these actually set up read and write access to a particular S3 bucket.

So CTF stands for capture the flag, and so right now what we have is that we can log in to the master and we can act as this role. That's where we're at, and so the next thing we're gonna do is we're gonna actually, I'll show you sort of where I have this stuff set up, and we're gonna create the connection, this particular connection here, between these two. So let me switch back to my screen.

So the first thing we have is the kiam server role. All this has is a policy called assume role that says that this thing's allowed to assume other roles. It's just essentially a pointer. It's a level of indirection that makes management of roles easier later, and this will, when we configure it, kiam will have to actually set that up, and then, if I go back, what I see is like we can have this CTF read stuff.

So that's pretty cool, but with roles there's actually two policies: there's the policy of what the role can do, and then there's another policy of who can assume the role, right, and so that's called a trust relationship. So this is what anybody acting as this role can do. The trust relationship is, well, who's allowed to actually assume this role, and so, if we actually go here, what we're saying is that, well, the CTF read role can be assumed by the kiam server role, right.

So that means that we have that link between those two things, and then similarly for the CTF write role. So those are things that we can go ahead and set up now. What we will see here, though, is that, if I go to the kiam server and we look at the trust relationship, what you'll see is that I don't even know what that is.

That's left over, some other crap from when I was testing this out before, but what we really want to do here is that we want to be able to say the role that our master node has can assume this role. So let's actually go through and we're gonna actually test this out.
Now Nadir says that that's an AWS IAM unique ID. Is that because I deleted the role it was referring to, so that it actually went through and reverted to something? My guess is there's probably a sort of a unique ID, and then, when it gets rendered in roles, let's see, and then the UI will show that, so there's some documentation on that. Okay, yeah, so I think this is probably to prevent you...

If you delete and then recreate a role, maybe things don't hook up, because the connections are based on unique IDs, not based on these redirected names. That's my guess, if I were designing this. All right, but if I go through this, and then I also have to do, oh, there's another parameter here that I'm forgetting: role session name, okay, and the role session name is for auditing purposes. Okay, so it says access denied.

So this means that right now that connection, that super black line that I drew in the document here, this connection here is not made. We already modified it, so the instance can actually call assume role, but what we didn't do is actually attach the policy here. We need to allow the master, right, and so what we're going to do is we're going to take the ARN of, let's see.

This is the one we want, so we're gonna copy this ARN and then we're gonna actually go through and hook it up, and again, you can use something like Terraform to automate this, but we're doing this all by hand. Go to trust relationships, edit this, and then for the AWS sort of principal, who can assume this role? What I'm actually saying is it's that role that we actually created and assigned to the master node, to the control plane. I update trust policy. Now this stuff is eventually consistent, so it's not immediately effective.

Oh sorry, shoot, switch back to the screen. Okay, here's, I'll show you what I did. I went to edit trust relationship here and then I pasted that ARN for that particular role in there, and then I hit the update trust policy, so that's actually becoming effective now, and if we do this, look, now we actually get a session token that will expire in, I don't know, an hour, right. So these things last for an hour, and so now we're able to assume that role. Hey, that's pretty cool!

Well, it turns out that that role can do nothing but assume other roles. So now what we actually want to do is we want to say, well, okay, I want to read from our capture-the-flag bucket, which means that I want to, you know, going back to the doc camera, I need to get keys for this. I want to... actually we now can actually... we're here by default.

Whenever we do stuff, we assume this role. We've now set up the connection so that we've proven that we can assume this role, but now we want to go ahead and assume the TGIK CTF read role. So that means that we have to essentially sort of assume a bunch of roles in sequence before we actually get to this one here, and so you can do that with the AWS command line and I'll show you how to do that, but it's a little bit tricky.

So what we're gonna do here is I have a document. So what we have here is different profiles that the AWS commands can use, and a lot of the SDKs know how to do this also, and so we're going to create a profile for the kiam server, and it says, well, we're taking from the instance metadata, that's where we're actually grabbing those credentials, and then we're gonna create, okay.

Once you do that, now I want to switch to the CTF read role, or be able to switch to the CTF write role, and each of these things are essentially forked off of the kiam profile. So I'm going to copy this, and we want to put this in a special sort of location that the AWS command line knows, so I can do nano.

Yeah, got lost, shoot. Oh, get-caller-identity. Okay, if I do this now, what we see is that, okay, the ARN that we're acting as is the kiam server assumed role. But now, if I go through and if I do profile TGIK CTF read, you can see that now I'm able to assume that role. Okay. So now let's switch back to our browser, and if I look at the capture the flag read role and I look at permissions.
And then we see we have our flag file, flag, and you can output this, and to list this, Stack Overflow to the rescue, and it says hello TGIK. All right. So this is the basis, sort of the IAM structure, that we're going to be taking in as we try and apply this with Kubernetes. The idea now is that we want to be able to set things up such that we can say, hey pod, I'll actually vend that for you. And like I said, there's a class of systems out there, and one of the folks at Atlassian, and there's a link here to it, put together this really interesting Google doc that talks about some of the pros and cons across all of these things, which is really interesting. So this will help you evaluate some of this stuff. All right, so I want to start installing kiam, but the first thing I want to do is I want to talk about the critical difference between kube2iam and newer systems like kiam. So the first thing is kube2iam: what it does is that it goes through and it says, assign every role that you might want to use from any pod to every node, and then what kube2iam does is it actually uses some iptables rules to hijack any calls to the instance metadata server, and then, as it goes ahead and does that, what it does is it then replaces that. It actually sort of traces back based on IP addresses which pod is calling. It then goes and does the assume role for you and passes back credentials as you need it. The main problem with that is that I give every role that I might want to use to every node.

And so that means that if any single node gets compromised, it becomes essentially a compromise of my entire infrastructure, at least any roles that I've delegated to any pod. The way that newer systems work is that they have a central server that's going to be doing the credential stuff, and then they have a trust relationship to an agent that's running on the node, and that agent on the node actually says, hey, I got a hot one here, it's this pod. They say they want to assume this role.

That's running on every node, and this sort of server that can vend stuff, and so we're gonna have to create some TLS certs to be able to do that, and those things can get a little finicky to set up. This is the type of thing that if we had something like SPIFFE, which is another project that I started, it would make this type of stuff a heck of a lot easier, to be able to do cross authentication in these situations.
All right, so I'm gonna exit out of this and we're gonna start following some instructions on the kiam page. Let's see here, and there's instructions in terms of how this stuff works, which is really interesting, how to build it locally and how to install it. So, and I haven't done this yet, so I'm going to hit some snags, I'm sure. So there's the agent and the server.

And so we have cfssl, and let's see if I actually have that. Well, the way that brew... let's see, because I probably have an ancient version. Upgrade, please, so we'll go ahead and upgrade that. So essentially what we're gonna do is we're going to generate a certificate authority, we're going to generate a server certificate, we're going to generate an agent certificate. The interesting thing here is that it looks like we're using the same agent certificate for every agent. That's probably just for ease of management.

If we had something like I said, like, you know, like a SPIFFE type of thing, then you'd end up having an agent cert per node, since we can use cert-manager if we want to do that, but we're not going to go ahead and do that because that's a whole other bunch of stuff to set up, and then we're just gonna create secrets for this, and this looks like we install those secrets into kube-system, and so this is easy enough. This doesn't seem too hard. Oh, and then I do have the latest version.

And the sample config that I put into this thing here, we're gonna check that in and make that available later, so don't worry about trying to copy that stuff, and then, when you do that, this number here, this is my particular AWS account, so you're gonna have to edit this with your account. Let's see, okay, so we're gonna do this, and this is called.

That looks good, close enough. We'll pretend we work at uSwitch, which are the folks that did this, and so now we're gonna go through and we're gonna do this. Oh, I expected end of JSON input. Oh, and there's, oh wait, there's CA dot date! I got the wrong one. Oh okay! Oh, we need a ca.json also.

And so now we actually have ca-key.pem, ca.pem, that's, this is the, yeah. So this is the public certificate, this is the private certificate, and then this is the certificate signing request that we self-signed. Bogdan says "I didn't know about cfssl"; all I know is that openssl is just painful, like it's the weirdest thing ever. So we're gonna do the same thing with the server key and the server PEM, and then the same thing with the agent.

Lacks a host field, so yeah. This is saying that, okay, you can't use this for websites, and we're like, that's fine, we're only using it for the client end of mutual TLS, and then we want to upload these things to Kubernetes, and so we're gonna tell it what the CA file is and all the server stuff, and then the same thing with...

Cool beans, okay, so I think we're set up there with our TLS certificates. That's cool. I went through, this is all the IAM stuff that we just went through, and so now we have to actually deploy it. The directory, for example, manifests, so that means I probably need to clone this thing. Let's do.

This is probably for the agent, so kiam read, we're gonna give that to the server. Okay, yeah, so the server doesn't need to be able to do that. Being able to write, we're gonna write events, we're gonna go ahead and give that to the server also, and then our server, let's see, daemon sets, well, that's interesting. Why is it a daemon set?

CA certificates, but we're also pulling these things in, and then that's a volume, and then we have the kiam container. "Use a tagged release in production", good advice. There's a whole bunch of stuff here, so base ARN and auto-detect is one thing; there's another parameter that we may have to deal with here. So the thing that I'm worried about here is node selector, okay, so this has only run this on the master node, so it's using a daemon set, but only run on the master nodes.

So this way, if you're doing like, if you have an HA control plane, it'll actually run on every single node in your control plane. So I'm not worried about doing this. It'll only show up on that one node that we've given those extra permissions to, because remember we want to keep the regular nodes as least privileged as possible, and then the agent, similar type of stuff: we're loading TLS there, there's this.

And then we're saying we're gonna run this on all the nodes, but we're not gonna run it on the master. You might want to run this on the master too, or maybe the server actually plays that role. I don't know, interesting. Okay, and then this is the address of the server. There's some Prometheus stuff going on there, which is very cool. Logging is JSON.

xtables has a lock to prevent multiple iptables operations stomping all over each other. Oh, I didn't know that. Okay, that totally makes sense. Now, one of the other security things is that you want to say: hey pods, we don't want to give you access to any metadata, except for the metadata that we're providing to you. So there's actually different approaches that different systems take.

kiam essentially says you can whitelist other stuff, allow this stuff to go through, but by default it actually blocks everything else. Yeah, and Duffy's bitching in the comments
about
how
horrible
it
is,
when
multiple
things
want
to
be
able
to
to
hack
on
IP
tables
at
the
same
time,
and
then
so
that's
why
so,
this
thing
will
actually
go
through
and
do
that
IP
tables
redirection
and
that's
why
it
needs
the
net
admin
capability,
and
so
this
agent
is
a
little
bit
privileged.
A
That
way,
all
right,
so
we
I'm
totally
cool
with
running
this
stuff.
This
totally
seems
reasonable,
though
there
might
be
one
thing
that
I
actually
need
to
change,
though-
and
this
is
let's
see
if
I
go
back
here
and
if
we
look
at
the
I
am
there
is
this
assumed
role,
AR
n
flag
I
probably
want
set?
That
is
that
different
from
I.
B
A
And
so
this
I
want
this
to
be
our
kam
server
role,
so
I'm
gonna
copy
this
I'm
gonna
put
that
there
yeah
so
I
think
that's
the
one
thing
we
got
to
get,
and
so
this
is
essentially
saying
hey
before
you
try
and
assume
the
role
on
behalf
of
pods
make
sure
you
assume
this
role
first,
so
I
think
we're
good
there.
So
that's
the
one
thing
that
we
need
to
do
now.
A
One
of
the
things
that
that
I
just
want
to
call
out
is
that
there
was
in
the
episode
notes
here
there
was
a
sort
of
a
comparison
of
cubed,
I
am
versus
came,
and
my
understanding
is
that
some
of
the
there's
a
session
duration
flag
in
time
in
terms
of
how
long
it
caches
things
and
so
there's
different
sort
of
cache
policies
across
these
different
systems,
to
that's
what
okay,
so
I,
think
that's
good,
and
so
now
I
can
go
through
and
I
can
do
cube
control
apply
well
make
sure
get
nodes.
Yes,.
A
We
see
the
daemon
sets,
but
it's
not
actually
showing
up.
Oh,
you
know
what
we
did
okay,
so
this
is
so
newer
versions.
We
changed
around
how
we
do
the
note
selector
stuff,
and
so
we're
gonna
have
to
fix
that
up,
and
so
what
we
wanted
to
do
is
we
wanted
to
be
able
to
have
a
note,
be
multiple
roles
right
and
so
we
no
longer
have
role
equals
master.
A
We
actually
have
if
this
thing
is
set
in
any
way,
shape
or
form,
and
that
means
it's
actually
a
master,
and
so
in
this
way
you
can
have
you
know
a
note,
both
via
master
and
an
edge
and
no
right.
So
as
we
look
at
sort
of
having
multiple
way.
Okay,
so
we're
gonna
have
to
go
ahead
and
actually
change
the
selector
on
that
this
and
I
think
I.
So
this
is
we
want
to
set
this
to
I,
don't
say.
A
Want
to
say
if
it
exists
at
all
yeah
I
think
I
can
do
that
that
there's
a
syntax
with
label
selectors
the
quality
based
requirements
are
like
and
I
think
we've
we've
changed.
This
has
changed
over
time
like
I
want
to
be
able
to
say
like
if
it's
just
there,
then
that
matters,
but
I
think
that
in
the
there's
like
two
different
syntaxes,
this
sucks.
B
A
B
A
Yeah
and
so
okay
there's
another
way,
but
okay,
so
what
we're
gonna
do
is
we're
just
gonna
go
ahead,
and
hopefully
this
will
work
cross.
Our
fingers
we're
just
going
to
take
off
the
node
selector,
which
means
we'll
also
run
this
on
the
master,
and
that's
probably
fine,
because
does
the
master
also
go
through
and
okay,
so
this
doesn't
want
cap
net
admin.
So
this
means
that
this
is
not
going
to
actually
be
weight.
But
if
we
do
this,
then.
A
Then
this
thing
will
actually
the
the
IP
tables
will
probably
screw
it
up
shouldn't
the
master,
have
a
taint
yeah,
so
the
master
does
have
a
teenth.
So
this
should
work
you're
right,
Bogdan,
yeah,
okay,
so
that
that
that
there's
no
toleration
on
the
on
the
agent,
so
we
should
be
good,
yeah,
totally
cool,
okay,
so
we'll
reapply
this
stuff
get
nodes.
Oh
I,
don't
want.
A
B
A
Error,
creating
server
gateway,
okay,
okay,
this
is
fascinating,
okay,
so
this
thing's
in
a
crash
loopback
off
waiting
for
the
server
to
come
online.
So
this
is
by
design
here.
There's
different
philosophies
for
what
you
do,
if
you
can't
say,
connect
to
a
server
that
you
need.
There's
some
folks
who
are
like
well,
I'm,
just
gonna,
wait
and
retry
on
an
exponential
back-off.
There's
another
camp
that
says
I'm
just
gonna
crash
when
you're
running
in
a
system
like
kubernetes
crashing
is
not
bad,
because
kubernetes
will
go
ahead
and
restart
you
in
that
sense.
A
B
B
A
B
B
A
A
A
A
Could
not
resolve
wait
really!
Well,
that's
right,
because
this
is
another
thing
we
did
in
GC.
Is
we've
provided
DNS
by
default,
we're
like
when?
Would
you
want
to
have
a
bunch
of
machines
and
not
have
DNS
be
between
them
and
like
ec2,
doesn't
do
that
all
right,
so
we
can
SSH
in
there
and
if,
yes,
oh
crap
port
22,
why
can't
I
ask.
B
A
B
A
B
B
B
A
A
A
A
B
A
A
Has
GQ
in
it,
okay,
we're
gonna
we're
gonna,
do
this
and
hope
for
the
best
I
do
not
suggest
that
you
all
do
this
right.
This
is
not
like
a
good
idea
just
to
run
random
stuff,
but
we're
gonna.
Do
Cube
control,
run
and
I
always
forget
the
fine
lines
here
also
and
we're
gonna
do
because
we
just
want
to
run
a
pod.
We
want
to
do
t4
a
TTY
I
four
standard
in.
A
B
B
A
A
A
And,
let's
see
if
we
can
go
so
we
have
this
pod
so
now,
I
need
cube
control
edit
pod
AWS,
and
what
we
want
to
do
now
is
we
want
to
add
that
annotation
where's,
the
right
annotation
that
essentially
says
here's
the
here's,
the
the
stuff
that
I
want
you
to
give
this
thing:
here's
the
role
that
I
want
you
to
be
made
make
available
to
this.
So
now
we
can
do
PGI
case.
A
Etf
lead,
okay,
so
after
I
close
this
now
I'm
not
sure
if
there's
caches
in
cayenne
will
actually
see
if
I
go
back
here.
No
we're
not
there
yet
are
there
caches?
This
is
gonna
work
you
know,
Paul
is
this
worker
did
I
screw
something
up,
I
wonder!
What's
going
on
here
like?
Let
me
make
sure
that
I'm
using
the
like
the
right
role.
A
A
Okay,
so
could
you
check
the
server
logs
make
sure
it's
able
to
tame
the
credentials?
Okay,
agent
interception
is
probably
working.
Okay
because
you
didn't
get
the
instance
credentials
yeah,
so
I
think
we
got
the
agent
intersection
is
working
but
something's
going
on
where
it's
something's
happening
at
the.
B
A
So
this
means
that
we
actually
we're
trying
to
call
out
to
HTTPS
STS
done
Amazon
AWS,
calm
and
that's
probably
failed
because
it
wasn't
able
to
actually
load
the
system
routes
which
so,
let's
see
so
this
is
in
the
pod.
So
now
I
can
go
through
run
tunnel,
let's
actually
see
yes,
the
image
have
no,
that's
a
cell
built
in
and
I
saw.
You
did
the
host
mount
for
that
stuff,
so
let's
go
through
and
actually
make
sure
that
we're
actually
host
mounting
the
right
stuff.
A
B
B
A
B
A
A
A
The
agent
should
reconnect
okay.
If
you
get
the
logs
on
the
server,
you
should
see
the
question
yeah.
The
problem
is,
I
was
getting
logs
and
it
wasn't
working.
So,
let's
just
restarted
everything
up
there
we
go
woohoo,
that's
amazing,
it
works
so
now
I
can
go
through
and
so
that's
the
idea
is
once
you
get
this
set
up.
You
just
say:
hey.
This
pod
gets
this
role
and
then
magically
everything
else
works
right.
So
now
I
can
go
through
and
go
to
AWS
without
any
other
magic
s.
3Ls.
B
B
A
A
B
B
B
A
Even
what
did
I
do
came
I
gotcha?
What
did
I
screw
up
there?
He
said
I
screwed,
a
do.
I
need
a
space
after
the
flag,
I
needed
a
space.
Didn't
I,
that's
something
like
that.
Alright,
so
there
we
go
alright!
That
is
really
cool
and
so
yeah.
So
that
is
I,
think
the
sort
of
the
basic
ins
and
outs
I.
Think
there's.
You
know,
there's
obviously
a
lot
more
to
be
looked
at
here.
I
think
you
know
it's
it's
clear
that
this
stuff
is
being
used
in
production.
A
Any
time
when
you
see
people
sweating
the
details
around
like
you
know,
monitoring
right
so
like
some
of
the
features
that
we're
talking
about
here
if
I
found
it
someplace.
Is
that
like
there's,
Prometheus
and
stats,
D,
metrics
and
stuff
like
anytime,
you
see
people
doing
that.
You're
like
okay,
somebody's
actually
using
this
in
production,
because
if
it's
a
toy
people
don't
set
up
monitoring
and
dashboards
and
stuff
like
that,
so
I
think
it
was
a
cat.
Maybe
echo
yeah
I
was
cat.
That's
right,
Robin!
A
A
A
There's
a
there's
a
point
to
an
issue
here,
which
is
a
very
different
approach
that
the
Amazon
folks
are
actually
looking
at
right
now,
and
so
this
was
updated
as
of
of
January,
and
the
idea
here
is
that
in
soakin,
instead
of
actually
using
the
metadata
server,
what
they're
gonna
do
is
they're
going
to
use
this
new
capability.
That's
been
added
in
recent
versions
of
kubernetes
called.
B
A
A
But
it's
not
useful
to
a
certain
identity
to
anybody
else.
Specifically,
it's
not
a
good
idea
to
hand
this
off
to
save
vault
right,
which
is
the
vault
provider,
actually
says,
hey
hand
me
that
job
it
doesn't
like,
and
you
handed
a
job
with
the
audience,
and
now
vault
can
act
as
you
now.
You
probably
trust
vault,
because
that's
kind
of
why
you're
running
it.
So
it's
not
that
big
a
deal
but
there's
been
new
support
added
in
the
last
couple
of
versions
of
kubernetes
I.
A
A
Essentially,
like
idea
authority
I
want
you
to
be
able,
then
translate
that
using
this
sort
of
assumed
role
with
web
identity
into
an
identity
for
a
specific
role,
and
so
that's
really
really
really
interesting
stuff,
but
that
what
it
means
is
that
for
every
pluster
that
you
bring
up,
you
have
to
create
essentially
a
federation
map
between
that
cluster
and
the
and
your
amazon
account.
And
so
it's
a
much
more
sort
of
heavyweight
configuration
between
you
and
the
Amazon
account.
So
that's
something
that
I
think
it's
it's
great
to
see
that
happening.
A
It's
gonna
be
really
interesting
to
see
if
the
amount
yeah.
So
here's
what
you
can
do.
It's
like
this
projected
token,
which
says
create
a
jobs,
put
it
in
a
volume
so
that
I
can
read
it
and
then
set
the
audience
to
something
like
client,
ID
and
then
this
is
something
that
that
you
know
as
you
set
up
this
Federation
between
the
identity
inside
of
kubernetes
and
the
identity.
Here,
Amazon
account
you
can
actually
start
mapping
stuff.
A
This
also-
and
in
fact
it
was
the
there's,
the
Google
folks
that
added
this
projected
token
thing
for
similar
capabilities
in
G,
Katie
yeah.
So
then
there's
a
lot
a
lot
of
traction
here
in
the
chat
talking
about
how
Amazon,
apparently
just
dropped
support
for
1.12
for
eks
I.
Think
that
happened
today.
A
A
This
is
the
type
of
thing
that
fills
in
a
lot
of
the
gaps
when
you're
doing
this
stuff
for
real
that
that
it's
like
it's
really
easy
to
demo
stuff
and
then
you're
like,
but
I
need
off
right,
and
so
that's
where
systems
like
this
really
become
critical.
So
very,
very
cool,
and
thank
you
everybody
for
joining
in
what
is
the
plan?
A
You
know
and
then
we're
gonna
record
I
think
we're
gonna
record
the
zoom
thing
and
then
then
we'll
post
that
later,
but
but
folks
are,
are
happy
to
come.
You
know
we're
happy
to
have.
You
come
join
us
there
and
we'll
just
hang
out
in
chat
and
talk
about
stuff,
yeah
I
know
it's
always
scary,
to
watch
your
baby
get
sort
of
like
used
like
this
I'm.
You
know
and
it's
but
it
no
problem,
it
worked
great,
so
alright
well
I.
Think,
let's
see
do
we
have
the
link
there.
I'm
gonna
put
the
link.