Clayton Coleman
Developer - Kubernetes and OpenShift
Clayton Coleman Dec 13
KubeCon - come for the tech, stay for the feels
Clayton Coleman Dec 13
The same - thank you both for the chance to get teary-eyed on stage
Clayton Coleman Dec 13
RHEL 7 to RHEL 8 is just a rolling update for us. Might even just do it in 4.0.5...
Clayton Coleman Oct 28
Replying to @asanso @evilsocket
We considered padding oracle but to our best knowledge that requires that you have write access to etcd, which is game over. Only reader/writer are effective root
Clayton Coleman Oct 28
Replying to @asanso
Also, at rest secret encryption is really a very weak defense and needs to be coupled with better key management, on disk encryption, and much tighter master control (any of which void at rest secret protections) (2/2)
Clayton Coleman Oct 28
Replying to @asanso
At the time, for large clusters, GCM key recovery due to limited IV space was a reason to choose CBC over GCM. At the time we also didn’t have golang support for better primitives, and the argument was to pick the simplest option possible and avoid risking a mistake. (1/2)
Clayton Coleman Jul 17
Interesting to contrast Ingress and Pod - Pod provides generic linux processes but can be more complex by process doing arbitrary things outside Kube API. Ingress is LCD across load balancers, but all complexity has to come in annotations. No more generic APIs?
Clayton Coleman Jul 17
Replying to @mfyk84
Sorry for the delay, it's hard to keep up with PRs. Please keep the contributions coming (hopefully we'll be less slow next time)!
Clayton Coleman Jun 8
Replying to @liggitt @jbeda
I wood like to know how familiar you are with these hypothetical splinter groups
Clayton Coleman Jun 8
Replying to @liggitt
I think you need to meat me in the middle here.
Clayton Coleman Jun 7
Replying to @liggitt
I rebut your argument.
Clayton Coleman May 20
I think it was just after 1.0 - . And it took 2 years to get them to GA. At 1.0 openshift had I think 20 or 22 Kube-like api extensions, including rbac. Anyway, openshift is a spork of Kubernetes, not a fork. Works with pudding AND steak.
Clayton Coleman May 20
And ultimately all of that work done outside of the core made crd, api extension, api groups, discovery, generic kubectl possible. And was done by the people who had to extend Kube. Seems silly to design extension without real world consumers.
Clayton Coleman May 20
Yeah, it was the “do something to get out the door” and not be totally insecure. But we didn’t have api groups then, or tpr. Adding extension points before you make your first use case work is astronaut architecture.
Clayton Coleman May 20
I don’t think that matches my recollection. We talked about it, said not for 1.0, and punted it down the road. Eric Tune paid attention to the design, we did a bit of back and forth, and then coreos folks took the initiative in 1.3 to start the process in sig auth
Clayton Coleman May 20
Replying to @alexellisuk
Works ok as long as apps start fast (Django -> MySQL has probs because of retry loops and backoff). Redesign was about CRD use primarily instead of events or annotations. What we didn’t do was comprehensive idle strategy, so is BYO. Ugliest is the patches to Kube-proxy.
Clayton Coleman May 8
etcd is the bee’s knees - thanks and all the others who have helped build it over the years!
Clayton Coleman May 8
In case you wondered how Tectonic would integrate with OpenShift - reza lays out the high level details now. Lots of complementary technology between the two Kubernetes distros and we have a ton of exciting operational and usability improvements that will result from the combo.
Clayton Coleman May 3
We should have caught this when we added protobuf. I think the real mistake was caring too much about performance.
Clayton Coleman Apr 24
Replying to @abstractionscon
// this code will never fail