- Hosted by @mauilion
- Recording date: 2019-08-09
- 00:00:00 - Welcome to TGIK!
- 00:00:00 - Week in Review
- John Harris on sudo-like access with kubectl
- Make sure you check out CVE-2019-11247: kube-apiserver let a cluster-scoped custom resource be reached through a namespaced request path, so namespace-level RBAC could be used to read or modify the cluster-scoped object (fixed in 1.13.9, 1.14.5, 1.15.2)
- The Kubernetes 3rd Party Security Assessment (Trail of Bits) is now available: https://github.com/trailofbits/audit-kubernetes
- Ian Coldwater is on the latest episode of the Kubernetes Podcast from Google talking about attacking and defending Kubernetes.
- Vito Botta is doing a comparison of a bunch of k8s storage solutions
- Tools and methods for auditing RBAC policies
- Building a Kubernetes platform at Pinterest
- Tim Hockin did some slides on reconciliation.
- Show Outline:
  - The parts and the config reference
  - kubelet
    - client/server auth
    - CRI and the other C*I integrations (CNI, CSI)
    - kubelet API
    - configz
    - metrics
    - theory of operation
    - static pods
    - PLEG (pod lifecycle event generator)
  - kube-proxy
    - auth to apiserver
    - iptables
    - ipvs
    - services
    - theory of operation
    - configz
    - metrics
  - kube-controller-manager
    - auth to apiserver, per controller! (`--use-service-account-credentials` gives each controller its own service account)
    - control loops!
    - individual controllers can be disabled! (`--controllers` flag)
    - theory of operation
    - leader election!
    - metrics
  - kube-scheduler
    - auth to apiserver
    - theory of operation
    - direct scheduling (a pod created with `spec.nodeName` set never goes through the scheduler)
    - not too much magic here, extensible though
    - leader election!
    - metrics
  - kube-apiserver
    - auth to etcd
    - auth to kubelet
    - access patterns
    - theory of operation
    - HA
    - `kubectl get --raw /metrics`
    - Exploring the API: `kubectl explain`, the OpenAPI document, the API reference docs
  - General systems stuff
    - show direct scheduling!
    - The ways that each component is configured/configurable
    - The access patterns for each
    - The authentication mechanisms for each
    - What even is edge vs level triggered?
    - What is a watch?
    - Why is all this so darn stable?
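An added companion script for the outline above (not code from the episode, the host, or the Kubernetes project). It walks the endpoints and behaviours listed under kube-apiserver, kubelet and "General systems stuff": apiserver metrics via `kubectl get --raw`, `kubectl explain` against the OpenAPI document, kubelet `configz` and `metrics` reached through the apiserver's node proxy, a directly scheduled pod (so the scheduler is never involved and no `Scheduled` event exists), and a raw watch started from a list's `resourceVersion`. It assumes `kubectl` on PATH pointing at a cluster where the caller may read nodes, `nodes/proxy`, pods, events and `/metrics` (cluster-admin is enough) and that the first node accepts pods; the helper names `node_proxy_path` and `direct_pod_manifest`, the pod name `tgik-direct` and the environment variables `NODE`/`NS`/`POD` are this example's own. Nothing contacts a cluster unless the script is run as `./tour.sh demo`.

```shell
#!/usr/bin/env bash
# Added example for the TGIK show notes, not the episode's or Kubernetes' own
# code. Tour of component endpoints, direct scheduling and a watch.
# Assumes kubectl on PATH and a cluster where the caller can read nodes,
# nodes/proxy, pods, events and /metrics. All names below are illustrative.
# Usage: ./tour.sh demo      (defining the functions alone touches no cluster)
set -eu

NS="${NS:-default}"          # namespace for the demo pod
POD="${POD:-tgik-direct}"    # name of the directly scheduled pod

# Path the apiserver proxies to a kubelet endpoint. Authorization for this is
# the "nodes/proxy" subresource, so apiserver RBAC, not kubelet auth, decides
# who may read configz/metrics this way.
node_proxy_path() {          # node_proxy_path NODE ENDPOINT
  printf '/api/v1/nodes/%s/proxy/%s' "$1" "$2"
}

# Pod manifest with spec.nodeName already filled in: the apiserver stores it,
# the kubelet on that node picks it up directly, and kube-scheduler never sees
# it (so no "Scheduled" event is ever recorded for the pod).
direct_pod_manifest() {      # direct_pod_manifest NAME NODE
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  nodeName: $2
  containers:
  - name: pause
    image: registry.k8s.io/pause:3.9
EOF
}

demo() {
  local node
  node="${NODE:-$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')}"

  echo "== kube-apiserver: /metrics is served by the apiserver itself (a nonResourceURL)"
  kubectl get --raw /metrics | grep -m 3 '^apiserver_request_total'

  echo "== exploring the API: kubectl explain is driven by the same OpenAPI document as /openapi/v2"
  kubectl explain pod.spec.nodeName
  printf '/openapi/v2 is %s bytes\n' "$(kubectl get --raw /openapi/v2 | wc -c)"

  echo "== kubelet on ${node}: configz and metrics through the apiserver node proxy"
  kubectl get --raw "$(node_proxy_path "$node" configz)"; echo
  kubectl get --raw "$(node_proxy_path "$node" metrics)" | grep -m 1 '^kubelet_running_pods' || true
  # kube-proxy's /configz and /metrics listen on 127.0.0.1:10249 by default
  # (--metrics-bind-address), so they are only reachable from the node itself.

  echo "== direct scheduling: pod goes straight to ${node}; expect no Scheduled event"
  direct_pod_manifest "$POD" "$node" | kubectl -n "$NS" apply -f -
  kubectl -n "$NS" wait --for=condition=Ready "pod/$POD" --timeout=60s
  kubectl -n "$NS" get pod "$POD" -o jsonpath='{.spec.nodeName}{"\n"}'
  kubectl -n "$NS" get events --field-selector "involvedObject.name=$POD,reason=Scheduled"

  echo "== a watch: LIST gives the level (current state + resourceVersion), WATCH streams the edges from there"
  local rv
  rv="$(kubectl -n "$NS" get pods -o jsonpath='{.metadata.resourceVersion}')"
  kubectl -n "$NS" delete pod "$POD" --wait=false &
  kubectl get --raw "/api/v1/namespaces/${NS}/pods?watch=1&resourceVersion=${rv}&timeoutSeconds=10"
  wait
}

if [ "${1:-}" = demo ]; then demo; fi
```

The two things worth noticing when running it: the events query for the directly scheduled pod comes back empty, because the scheduler never touched the object, and the watch output is a stream of `MODIFIED`/`DELETED` events rather than a snapshot, which is the edge-triggered half of the list-then-watch pattern every controller uses.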