Wednesday, 2020-08-12

*** rcernin has quit IRC [03:10]
*** rcernin has joined #openstack-containers [03:18]
*** ramishra has joined #openstack-containers [03:21]
*** ykarel|away has joined #openstack-containers [04:06]
*** ykarel|away is now known as ykarel [04:11]
*** logan- has joined #openstack-containers [04:40]
*** johanssone has quit IRC [06:04]
*** tobberydberg has quit IRC [06:05]
*** ricolin has quit IRC [06:08]
*** johanssone has joined #openstack-containers [06:11]
*** tobberydberg has joined #openstack-containers [06:11]
*** nikparasyr has joined #openstack-containers [06:20]
*** rcernin has quit IRC [07:07]
*** yolanda has quit IRC [07:32]
*** sapd1 has joined #openstack-containers [07:33]
*** yolanda has joined #openstack-containers [07:33]
*** yasemind has joined #openstack-containers [07:49]
*** born2bake has joined #openstack-containers [08:14]
*** udesale has joined #openstack-containers [08:27]
*** udesale has quit IRC [08:27]
*** udesale has joined #openstack-containers [08:27]
*** sapd1 has quit IRC [08:42]
*** udesale has quit IRC [08:50]
*** flwang1 has joined #openstack-containers [08:59]
<flwang1> strigazi: brtknr: meeting? [09:00]
<brtknr> flwang1: morning! [09:00]
<brtknr> yes :) [09:00]
<brtknr> how are you stranger? [09:00]
<brtknr> long time [09:00]
<brtknr> btw the topic on this channel has been roll call for 3 weeks :P [09:01]
<jakeyip> :) [09:01]
<jakeyip> hi all [09:01]
<flwang1> :( [09:02]
<flwang1> #endmeeting [09:02]
*** openstack changes topic to "OpenStack Containers Team | Meeting: every Wednesday @ 9AM UTC | Agenda: https://etherpad.openstack.org/p/magnum-weekly-meeting" [09:02]
<openstack> Meeting ended Wed Aug 12 09:02:11 2020 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [09:02]
<openstack> Minutes:        http://eavesdrop.openstack.org/meetings/magnum/2020/magnum.2020-07-29-08.59.html [09:02]
<openstack> Minutes (text): http://eavesdrop.openstack.org/meetings/magnum/2020/magnum.2020-07-29-08.59.txt [09:02]
<openstack> Log:            http://eavesdrop.openstack.org/meetings/magnum/2020/magnum.2020-07-29-08.59.log.html [09:02]
<flwang1> brtknr: sorry about that :( [09:02]
<flwang1> i was busy for house moving [09:02]
<brtknr> hehe no worries [09:02]
<brtknr> morning jakeyip [09:03]
<flwang1> #startmeeting magnum [09:03]
<openstack> Meeting started Wed Aug 12 09:03:52 2020 UTC and is due to finish in 60 minutes.  The chair is flwang1. Information about MeetBot at http://wiki.debian.org/MeetBot. [09:03]
<openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. [09:03]
*** openstack changes topic to " (Meeting topic: magnum)" [09:03]
<openstack> The meeting name has been set to 'magnum' [09:03]
<flwang1> i only have one thing to bring to you guys attention [09:04]
<flwang1> but i'd like to allow you guys talk first [09:04]
<flwang1> brtknr: anything from your side? [09:04]
*** ioni has quit IRC [09:05]
<brtknr> well there's a bunch of open reviews which would be good to deal with:  https://review.opendev.org/#/q/project:openstack/magnum+status:open [09:06]
<flwang1> brtknr: sure, i will start to review them soon [09:08]
<flwang1> just had a quick look, most of them are small changes [09:08]
<brtknr> atm, k8s-atomic is broken on master without this patch: https://review.opendev.org/#/c/745359/ [09:08]
<brtknr> thats about it really [09:09]
<brtknr> what do you need to talk about? [09:09]
<flwang1> brtknr: is the failure of magnum-tempest-plugin-tests-api related? [09:10]
<flwang1> brtknr: i'd like to propose a patch to support separate CA for etcd and front-proxy [09:10]
<flwang1> it's a security risk [09:10]
<brtknr> flwang1: no magnum-tempest-plugin-tests-api only deploys coreos [09:11]
<brtknr> flwang1: no magnum-tempest-plugin-tests-api only deploys fedora-coreos [09:12]
<brtknr> flwang1: ok how is it a security risk? [09:12]
*** ioni has joined #openstack-containers [09:12]
<flwang1> now we're sharing the same ca cert for kubelet, etcd and front-proxy [09:13]
<flwang1> which means user can use the ca cert in any node to access etcd [09:13]
<brtknr> but a user that has access to a node also has access to any cert [09:14]
<flwang1> we're talking about the case that the node is hacked [09:17]
<flwang1> it's a typical best practice by any k8s install tool or managed services [09:18]
*** udesale has joined #openstack-containers [09:20]
<flwang1> i can't find the link on k8s doc, i will show you later [09:21]
<brtknr> flwang1: [09:22]
<brtknr> i guess it makes sense from the POV of separating CA for kubelet and etcd [09:22]
<brtknr> since etcd is usually running on master [09:22]
<brtknr> and normal workload only runs on minions [09:22]
<flwang1> yes, it's [09:23]
<flwang1> brtknr: did you get a chance to revisit the ca rotate patch? [09:24]
<jakeyip> I'd like to know more about this too, can share the doc here if you don't mind? [09:24]
<flwang1> jakeyip: which one? [09:25]
<jakeyip> security best practice of separating certs [09:25]
<flwang1> https://github.com/kubernetes/kubeadm/issues/710 [09:26]
<flwang1> https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/ [09:26]
<flwang1> jakeyip: does that make sense? [09:30]
<flwang1> it's actually quite straightforward to implement [09:30]
<flwang1> we may need a db schema change to add extra fields [09:31]
*** yolanda has quit IRC [09:34]
<jakeyip> I don't think I'm knowledgeable enough to give comments [09:34]
<jakeyip> stupid question - do the minions not need to contact etcd to report in their status? [09:34]
*** yolanda has joined #openstack-containers [09:38]
*** yolanda has quit IRC [09:38]
*** yolanda has joined #openstack-containers [09:38]
<flwang1> minions only talk to api server [09:38]
<jakeyip> ok I will need to read up more [09:42]
<jakeyip> what is this etcd used for? [09:43]
<jakeyip> anyway I've got a question if no one is discussing anything else? [09:44]
<brtknr> re [09:46]
<brtknr> sure [09:46]
<jakeyip> anyone uses istio? any idea if deploying a service mesh with magnum is a good idea? [09:47]
<brtknr> flwang1: thanks for reminding me about CA rotate patch, I will take a look at it when I have some free time next week, busy all week this week on a scheduled piece of work Im afraid [09:47]
<flwang1> brtknr: thanks [09:48]
<flwang1> jakeyip: we're not using istio yet [09:48]
<brtknr> jakeyip: ive tried istio last year, the older version seemed to work okay, the newer version i had some issues with [09:48]
<flwang1> but i'm happy to see if you want to contribute it [09:48]
<jakeyip> brtknr: what kind of issues? [09:49]
<brtknr> i cant remember, it didnt deploy cleanly [09:49]
<brtknr> i was just following the docs [09:49]
<jakeyip> flwang1: sure. all these are pretty new to us and is just a question from users for now [09:49]
<flwang1> anything else? [09:54]
<flwang1> i'm going to off now [09:55]
<flwang1> #endmeeting [09:57]
*** openstack changes topic to "OpenStack Containers Team | Meeting: every Wednesday @ 9AM UTC | Agenda: https://etherpad.openstack.org/p/magnum-weekly-meeting" [09:57]
<openstack> Meeting ended Wed Aug 12 09:57:16 2020 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4) [09:57]
<openstack> Minutes:        http://eavesdrop.openstack.org/meetings/magnum/2020/magnum.2020-08-12-09.03.html [09:57]
<flwang1> thank you, team [09:57]
<openstack> Minutes (text): http://eavesdrop.openstack.org/meetings/magnum/2020/magnum.2020-08-12-09.03.txt [09:57]
<openstack> Log:            http://eavesdrop.openstack.org/meetings/magnum/2020/magnum.2020-08-12-09.03.log.html [09:57]
*** yolanda has quit IRC [10:44]
*** yolanda has joined #openstack-containers [10:46]
*** vishalmanchanda has joined #openstack-containers [10:57]
*** yolanda has quit IRC [11:03]
*** yolanda has joined #openstack-containers [11:06]
*** yolanda has quit IRC [11:12]
*** k_mouza has joined #openstack-containers [11:12]
*** yolanda has joined #openstack-containers [11:25]
*** k_mouza has quit IRC [11:52]
*** yolanda has quit IRC [12:03]
*** yolanda has joined #openstack-containers [12:16]
*** ianychoi has quit IRC [12:40]
*** dave-mccowan has joined #openstack-containers [12:57]
*** ykarel is now known as ykarel|afk [12:58]
*** yolanda has quit IRC [13:07]
*** ricolin has joined #openstack-containers [13:22]
*** sapd1 has joined #openstack-containers [13:35]
*** mgariepy has quit IRC [13:36]
*** hongbin has joined #openstack-containers [13:40]
*** ianychoi has joined #openstack-containers [13:44]
*** yolanda has joined #openstack-containers [13:51]
*** ykarel|afk is now known as ykarel [14:00]
*** ykarel_ has joined #openstack-containers [14:13]
*** hongbin has quit IRC [14:14]
*** mgariepy has joined #openstack-containers [14:15]
*** ykarel has quit IRC [14:15]
*** ykarel_ is now known as ykarel [14:16]
*** mgariepy has quit IRC [14:25]
*** hongbin has joined #openstack-containers [14:39]
*** udesale_ has joined #openstack-containers [14:44]
*** udesale has quit IRC [14:46]
*** mgariepy has joined #openstack-containers [14:59]
*** nikparasyr has left #openstack-containers [15:21]
<brtknr> flwang1: thanks [15:29]
*** ykarel has quit IRC [16:13]
*** sapd1 has quit IRC [16:31]
*** hongbin has quit IRC [16:43]
*** mgariepy has quit IRC [16:47]
*** mgariepy has joined #openstack-containers [16:48]
*** udesale_ has quit IRC [16:52]
*** mgoddard has quit IRC [16:56]
*** hongbin has joined #openstack-containers [17:00]
*** mgariepy has quit IRC [17:49]
*** mgoddard has joined #openstack-containers [18:02]
*** mgariepy has joined #openstack-containers [18:03]
*** pcaruana has quit IRC [18:20]
*** gouthamr has quit IRC [18:20]
*** pcaruana has joined #openstack-containers [18:21]
*** ioni has quit IRC [18:21]
*** gouthamr has joined #openstack-containers [18:22]
*** mgoddard has quit IRC [18:23]
*** ricolin has quit IRC [18:23]
*** mgariepy has quit IRC [18:25]
*** ioni has joined #openstack-containers [18:27]
*** mgariepy has joined #openstack-containers [18:38]
*** k_mouza has joined #openstack-containers [19:23]
*** hongbin has quit IRC [19:26]
*** k_mouza has quit IRC [19:27]
*** hongbin has joined #openstack-containers [19:44]
*** mgoddard has joined #openstack-containers [20:08]
*** vishalmanchanda has quit IRC [21:55]
*** ramishra has quit IRC [22:37]
*** rcernin has joined #openstack-containers [22:43]
*** born2bake has quit IRC [22:51]
