From aed95fa01038d80bc27b2c2126af0884e41cf744 Mon Sep 17 00:00:00 2001 From: Anshuman Tripathi Date: Sat, 25 Oct 2025 23:28:34 -0700 Subject: [PATCH 1/7] Invisible pods Signed-off-by: Anshuman Tripathi --- .gitignore | 4 ++++ archetypes/tutorial.md | 12 +++++++++++ content/blog/invisible-pods.md | 39 ++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+) create mode 100644 archetypes/tutorial.md create mode 100644 content/blog/invisible-pods.md diff --git a/.gitignore b/.gitignore index e8ca202..da9d171 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,7 @@ hugo.linux *.iml .idea *.DS_Store + + +# LLM plugins +.claude/ diff --git a/archetypes/tutorial.md b/archetypes/tutorial.md new file mode 100644 index 0000000..4152e67 --- /dev/null +++ b/archetypes/tutorial.md @@ -0,0 +1,12 @@ +--- +title: "{{ replace .Name "-" " " | title }}" +subtitle: "" +date: {{ .Date }} +draft: true +story: [] +categories: +- tutorial +tags: [] +pagefindWeight: "0.1" +slug: {{ replace (lower .Name) " " "-"}} +--- diff --git a/content/blog/invisible-pods.md b/content/blog/invisible-pods.md new file mode 100644 index 0000000..6378e2b --- /dev/null +++ b/content/blog/invisible-pods.md @@ -0,0 +1,39 @@ +--- +title: "Invisible Pods" +subtitle: "" +date: 2025-10-25T12:35:25-07:00 +draft: false +story: [] +categories: +- tutorial +tags: +- kubernetes +pagefindWeight: "0.1" +slug: invisible-pods +--- + +I am a huge fan of [Ivan Velichko](https://iximiuz.com/en/). His platform https://iximiuz.com/en/, provides great materials and practical lab exercises to learn more about concepts like Containers, Networking, Linux, Kubernetes, Dagger, etc. Ivan covers the core fundamentals behind all these concepts which makes all posted materials an exceptional resource for learning new things. + +I recently attempted an exercise posted on this platform about [Invisible Pods](https://labs.iximiuz.com/challenges/kubernetes-invisible-pod-0bf2109b). Its based on [a talk from Rory Mcune](https://www.youtube.com/watch?v=GtrkIuq5T3M&t=923s) about container security where he breifly mentions how pods can be come invisible. This is a great exercise which touches on some Kubernetes concepts that are not very well known. + +> Before moving forward I would recommend to attempt the exercise and try finding the solution. + +## Concepts + +Before we dig into solving the exercise lets touch on some important concepts in Kubernetes. At this point I assume the reader has a working understanding of Kubernetes. If needed I would recommend going through my previous post about [Kubernetes Concepts](/blog/understanding-kubernetes). + +### Kubelet + +The Kubelet in Kubernetes runs outside the jurisdiction of the Kubernetes cluster. It runs as a systemd service on a Kubernetes node. This is because an external service is needed to manage and orchestrate a containers which itself is a not a container. + +This allows the Kubelet to bootstrap key control plane components on control plane nodes like the api-server, etcd, scheduler and controller-manager as [static pods](#static-pods). Once these critical components are up and running _the kubelet registers the static pods as [mirror pods](#mirror-pods) on the api-server_. + + +### Static Pods + +Static pods are pods managed by the kubelet which are created from manifests added in path `/etc/kubernetes/manifests/` on the node. Any Pod manifest added here would be used by the kubelet to create a mirror pod. + +### Mirror Pods + +Mirror pods are entries of a static pod in the api-server. These are references to the actual static pods. + From 1b231e9e53e1309234577d7caaddf9318dfa221c Mon Sep 17 00:00:00 2001 From: Anshuman Tripathi Date: Sun, 26 Oct 2025 12:50:13 -0700 Subject: [PATCH 2/7] Complete invisble pods post Signed-off-by: Anshuman Tripathi --- content/blog/invisible-pods.md | 102 ++++++++++++++++++++- layouts/shortcodes/img.html | 12 +-- static/diagrams/static-pods.excalidraw.png | Bin 0 -> 70393 bytes 3 files changed, 101 insertions(+), 13 deletions(-) create mode 100644 static/diagrams/static-pods.excalidraw.png diff --git a/content/blog/invisible-pods.md b/content/blog/invisible-pods.md index 6378e2b..73c85f3 100644 --- a/content/blog/invisible-pods.md +++ b/content/blog/invisible-pods.md @@ -14,17 +14,17 @@ slug: invisible-pods I am a huge fan of [Ivan Velichko](https://iximiuz.com/en/). His platform https://iximiuz.com/en/, provides great materials and practical lab exercises to learn more about concepts like Containers, Networking, Linux, Kubernetes, Dagger, etc. Ivan covers the core fundamentals behind all these concepts which makes all posted materials an exceptional resource for learning new things. -I recently attempted an exercise posted on this platform about [Invisible Pods](https://labs.iximiuz.com/challenges/kubernetes-invisible-pod-0bf2109b). Its based on [a talk from Rory Mcune](https://www.youtube.com/watch?v=GtrkIuq5T3M&t=923s) about container security where he breifly mentions how pods can be come invisible. This is a great exercise which touches on some Kubernetes concepts that are not very well known. +I recently attempted an exercise posted on this platform about [Invisible Pods](https://labs.iximiuz.com/challenges/kubernetes-invisible-pod-0bf2109b). It is based on [a talk from Rory Mcune](https://www.youtube.com/watch?v=GtrkIuq5T3M) about container security where he briefly mentions how pods can become invisible. This is a great exercise which touches on some Kubernetes concepts that are not very well known. > Before moving forward I would recommend to attempt the exercise and try finding the solution. ## Concepts -Before we dig into solving the exercise lets touch on some important concepts in Kubernetes. At this point I assume the reader has a working understanding of Kubernetes. If needed I would recommend going through my previous post about [Kubernetes Concepts](/blog/understanding-kubernetes). +Before we dig into solving the exercise let's touch on some important concepts in Kubernetes. At this point I assume the reader has a working understanding of Kubernetes. If needed I would recommend going through my previous post about [Kubernetes Concepts](/blog/understanding-kubernetes). ### Kubelet -The Kubelet in Kubernetes runs outside the jurisdiction of the Kubernetes cluster. It runs as a systemd service on a Kubernetes node. This is because an external service is needed to manage and orchestrate a containers which itself is a not a container. +The Kubelet in Kubernetes runs outside the jurisdiction of the Kubernetes cluster. It runs as a systemd service on a Kubernetes node. This is because an external service is needed to manage and orchestrate containers which themselves are not containers. This allows the Kubelet to bootstrap key control plane components on control plane nodes like the api-server, etcd, scheduler and controller-manager as [static pods](#static-pods). Once these critical components are up and running _the kubelet registers the static pods as [mirror pods](#mirror-pods) on the api-server_. @@ -35,5 +35,99 @@ Static pods are pods managed by the kubelet which are created from manifests add ### Mirror Pods -Mirror pods are entries of a static pod in the api-server. These are references to the actual static pods. +Mirror pods are entries of a static pod in the api-server. These are only references to the actual static pods. This means doing kubectl operations like edit, delete, etc. would not affect the pod because the Kubelet treats the manifest present on the node as the source of truth. The kubectl commands on the other hand go the api-server and try to update the mirror pod. After the saved update, the kubelet detects changes, applies the changes from its manifest and sends the updated information to the api-server. +{{< img src="diagrams/static-pods.excalidraw.png" caption="static pods and mirror pods" loading="lazy" decoding="async" width="100%">}} + +## Invisible Pods + +Now that we understand about static pods and mirror pods, let's see how we can make a pod invisible. You can find all following examples in this git repo - https://github.com/AnshumanTripathi/invisible-pods. + + +Let's create a [KinD](https://kind.sigs.k8s.io/) cluster for our exercise + +```yaml +kind: Cluster +name: test-cluster +apiVersion: kind.x-k8s.io/v1alpha4 +nodes: + - role: control-plane + - role: worker + extraMounts: + - hostPath: ./static-pod.yaml + containerPath: /etc/kubernetes/manifests/static-pod.yaml + readOnly: false + - role: worker +``` + +This sets up a Kubernetes cluster with a control plane node and worker node running a static pod. Following is the manifest of the static pod + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: podinfo + labels: + app: podinfo +spec: + containers: + - name: podinfo + image: stefanprodan/podinfo:latest + ports: + - containerPort: 9898 + protocol: TCP + resources: + requests: + memory: "64Mi" + cpu: "100m" + limits: + memory: "128Mi" + cpu: "200m" +``` + +This sets up a pod in the _default_ namespace running a [podinfo container](https://github.com/stefanprodan/podinfo). +We can see the pod is a static pod since it is managed by the Node (Kubelet). + +``` +❯ kubectl get pod podinfo-test-cluster-worker -o jsonpath="{.metadata.ownerReferences[0].kind}" +Node% +``` + +Now let's change the namespace of the static pod. We can change the static-pod.yaml, delete the kind cluster with `kind delete cluster --name test-cluster` and recreate the cluster. +The other way to do it is to use `kubectl debug` as follows: + +``` +❯ kubectl debug node/test-cluster-worker -it --image ubuntu --profile sysadmin -- chroot /host bash +Creating debugging pod node-debugger-test-cluster-worker-4brfr with container debugger on node test-cluster-worker. +All commands and output from this session will be recorded in container logs, including credentials and sensitive information passed through the command prompt. +If you don't see a command prompt, try pressing enter. +root@test-cluster-worker:/# whoami +root +``` + +Now edit and save the manifest at `/etc/kubernetes/manifests/static-pod.yaml` and add `metadata.namespace: podinfo`. +Once we add the namespace and try to get pods `kubectl get pods` we do not see the pod anymore! What does this mean? +The pod is still running on the node, but since the `podinfo` namespace does not exist, the kubelet cannot create a mirror pod in the api-server. +This causes the pod to be invisible to `kubectl get pods` (which queries the api-server), even though the container is still running on the node. + +Now let's create the namespace + +``` +❯ kubectl create ns podinfo +namespace/podinfo created +``` + +And now when we check for pod in the namespace + +``` +❯ kubectl -n podinfo get pods +NAME READY STATUS RESTARTS AGE +podinfo-test-cluster-worker 1/1 Running 0 58s +``` +It becomes visible again because the mirror pod was successfully created. + + +## Conclusion + +Static pods are a core concept used in Kubernetes with nuances. As we have seen, these nuances can be exploited by attackers to run invisible pods in a cluster. This makes them particularly dangerous from a security standpoint. [For more details see Rory's presentation on attacker persistence strategies](https://youtu.be/GtrkIuq5T3M). +One way to detect and catch these scenarios is to have auditing enabled on the Kubernetes cluster so that the administrator can quickly catch anomalous scenarios like these. diff --git a/layouts/shortcodes/img.html b/layouts/shortcodes/img.html index 6e7738c..a725e71 100644 --- a/layouts/shortcodes/img.html +++ b/layouts/shortcodes/img.html @@ -8,15 +8,9 @@ {{- end -}} {{- with .Get "width" }} width="{{ . }}"{{ end -}} {{- with .Get "height" }} height="{{ . }}"{{ end -}} - /> - {{- if .Get "link" }}{{ end -}} - {{- if or (or (.Get "title") (.Get "caption")) (.Get "attr") -}} -
- {{ with (.Get "title") -}} -

{{ . }}

- {{- end -}} - {{- if or (.Get "caption") (.Get "attr") -}}

- {{- .Get "caption" | markdownify -}} + style="display: block; margin-bottom: 0;" + />{{- if .Get "link" }}{{ end -}} + {{- if or (or (.Get "title") (.Get "caption")) (.Get "attr") -}}

{{- if or (.Get "caption") (.Get "attr") -}}{{- .Get "caption" | markdownify -}} {{- with .Get "attrlink" }} {{- end -}} diff --git a/static/diagrams/static-pods.excalidraw.png b/static/diagrams/static-pods.excalidraw.png new file mode 100644 index 0000000000000000000000000000000000000000..440528b14c98590e33c1ea46a3c61818780c253b GIT binary patch literal 70393 zcmbTecRbba|3A*@R8+DevR5_@E4%CwC6cYk49VV3FGXa9kiA2Zy+;v6nc16UudNl{h<4-d5m|Fa-C z0e`uWFE|MQ!FSM5xPh0~MmvXx$B3sSdtKAja4~_f`eqOIkm1j*OxCD$W(`ec&h+pT z;jGWj5uH*pJ*5m~1m3q#8z7O}czfbTTpSkewlaN12pCOlCZC?F3dEvi*m1Ix<*nfTy zJ{E8vMQ}issIULe-$me__B6>F4>ia7c(#LSsMs=MslTA%_s_2;$4^rhqmG~Ix6Dd- z-S+w#9V%8qx^H2$#$#k*b)wUa>_u zuVHn6jnJchW4+Qx1^d`7_Jx**(FSI2e}3Iu_X?rC#dLm? z*up&?YeHHn?_srgkqN`y5s##7 zp3{`OeGhz*LX7NhtRmjWq!*7ZMRy5l#a%l_-Dc?G1T0^@*Dc}NrTcV@ARQx}p&Yf? zt7lholHRpmqUO`lX;cz0Zl_t-QrS?F-g?uvy*9N}(r4(9E&B1@jc2F$=q5j%<}d!! zE;SZ-oMWNMe zujIwgkT$UXv(e*JY7(K3`h3-+fx-%Q&QX_94=>8?gucYBs~Ia~^fcR}*20f@FkbHJ z){gpl`W3_d>x~yDJiLB+LoA^YB+>DH6#IJ*sa4ChOb#P~eA1T7yz zYkBO%8O6eGJ===U7X&PfdvdfKPCHyCXcWanacd6_+0`v2IC*mLC&7JEz8|Y zJ;4CBiLqex9S?o3^WbHyn)Dp+(qKsuf8E}d+eU$tWp-nukA%$P>06X3RZsBk&>d7VEWEed1m zwT--{nO`Sb;!o1pRp0M3^6{b!^;>2nF+fN5<ob$!Qu!*TaBt_&P*#$+)pSeLF={j;2@11Pi*2L#-kxw(nE!h36Agys z%_Ir#6u!v9DX99Xbcf$ezMUp71ddaFJ%nCj(5fegV&ES$N0NX`s9l%tDwh@4H20n9 z==X*-?xaE*&yT^{>+8@Ydj|;~Mjo{fJ_ou^)>?LFzK{*d$Da^KYh0JUw$I?XdVQFB zFj6JXHNky8JKN%!3==L^6@f8b4dPjn7r=mx^v@*uEH~ZDRHeSd=Oe#lc%d`ostAE8 z3V-S6aJmvXc4sDON_S0h%^SE~4}c$MdOG=`pXtNHR?1wBjKBm4iq{11 ze?sTNA{Rvh*hvVEVczSN>4G&a&32~cZB2d-s*0?Lzvl4#zJMbkZu>Ft7=7YemR0b` z{{8}!gt5S7>j@?}oAe~ZX=F_cHnU;tm5`_%lkQ&GBe|9hNp zRm#>}cXRO^<?PDNvI9p~vN?aCDE`xB{h zL8>KNmm!3k5WHp0vRe1pTq+wYJZ9IFoI!z{lI2C;arLXBYA@wc7^jAn$^||eNl#aS z%8xNjBn9Z#yn1G3W8NOa+s}z;%v{F2TpB~7F^FZZ9>Yi1F_=*^OuYzAk@2tG+TYzM zY6_;2If)|qVvN!@aEjurQD~Car#=(?3wg1045S944iPqYLJRF%cHw#6R-JtCN~S!R znM98^B>44NlvwpF)@+To_Mf#N!lfS#FyJIEeOlTjbYA)7si6WBe+n+mFW!gyTNW<< zYchbJ>JR-y-gS$&+D`IJkC_=_2RP^#0?kU2>fud%N!nlOlxyJBqs14cz$rn6W(=!9Yf`B66nJBogt_(0 zAOCWeU%+iv7!Oi>_}dXY8ZPh5tJ&0TO_HkPHL4vJ_MYNEf0C27HY;}i1(B-Iq3s&G zenYYma;mlLzT;c_Y~u`ghkJiQxj!qNt@HUstKOh8{=1dG%%IA7KzPiPT$@a|nkCf* z`N9D!d|{><+qKY>t37m6c*NB0_s@d5gWcBXGmkHzbd;ny9hEb%5Z9MlxbwfYm%CcB7B-Yc}7E*f-O~4pG0C!3C;9B*M_v zG9@cB!BLgaUVG9H>D6;eIOGPSKDt=ZFlhQDG5w>hQ4hQF=hy3yt@BieoyV%wOW{%S z8$Q~Y?|=hycJfm4;waOD?Ts?XPsfJe9Z%Y0vc z==j$6ms1wyg!&HO1xqcvFD~>Kq)F`jjF_N5yN|4El^248UDl{i2)}-L$8yCCJ-Y5N zlRmUTw!U@3ZlEy3X|9V+H7!{W=V{Wb4n*6}>mjok(A$?j8h8XwTDwN0z(m4_GK@+* z$>7=HzA;accfW%lNlRm3E!YFHRbpS*)j_YV5&!Y6_Q)yA7(&;lM%j)s{%48)Sj^JH zG5Gp`TkMN%)&B8pi@(z5 z=V33gFFh{#)kC%5z_k4wFUZ;JYLCbTCUnbdUTc412BH0UNiTQ5mx1@es7Y2C;Cv2$ z4VTe_8?-w^FeRU8Pv@4d7=*ekaQa*9)d=_G0SlH}m5!ET&WkZ~Gh1Um3^ons)rbK- zcn*=#ER#&(De0=vXqSEZIyx$$oaj`67jAF0GcG%%mc- z?}0i}_DJxNPKN_j*gbQ(_6*A?Di zy@Y!|RLOLGS&i#ZFWEuuR}^jN&e?hI?t9&bp_03A_xHEP?8oL#$TE*qU7PL6jSi;1 z+GOan@8rUA*=hbqxe1M+l_@#9n&S#=r6m+Kp?&_IHJgLhHirlMn-l&FgFV_tOUykN zTA^K=q7!@a^NR>m{uF=h_5+uz0;XR`a`nn=t4*TRGUJG)2B6*;7H>I4$z!4NnrAHn zyL}4DfvFI3S*%2Xleg zs0(-)akcEv=jQ7|$2+W`9IIhERAt#;_%JBwNiI)X>V!fFt^K6Vr1}ik4WB*(mkI~A z$euFqi{{E(+1mMu9;a^AxI1lO#a60K>JAU8h-id(Y;8BN9Vs$5tE%U#p!Cv>6SC2- zbHA_(CCX4s6!*=^I-kRXwMv@H5BxktljAOEMSYFpjuw+QiGYasnbow%Kctf=!d9TV zE28rLZJ!Idsk`pkL_2X%>wT-PX34Wzxu|%oHJU%Es-W?xS`>$fGBKf+f1fcq5=E#= z$e&@p-5J6lwVe7VCx-bW7rw`53hn+pgQ~^NAv>2jE@huJ+3M6nmr=JY89}$-rrmAX zqFZxWNzS)dotFkH#vTS%=l1UYo^Iv!IoNY+JgP#%V zq95ZUODsA+jik>$f3Q0KkuNyQZmf2*iN@|8xZ_C06^R!e%nxD*ci|B9m0y^{7C?%u zqCrXEuRhvZ9=Tg$r8U!sU8!4P-dBm{3l5rGP{QnuK}T-@DPStTR(0(34U0YPP z&&Gs#cQ@JP*K?T)>gGqt1OYKV+Q+rL+nS2Nby90*2E)m8pGvvEG9LP8@@6t@VC{MC zyWfJ@E(N|Pi{r}Yyi*z6Wm~*?J)4VAu4ptUH+6<=n5<*W8~Z-!hYF+5dZ&WgqQT>j z$N5_L?Ty~vV(PwgY(!JhlzXEoC^=U`ZYs)(oMVq7JO55r$bz9T8k74oM@cS7N+ntdv z`Eu_~nnOzB>}m&?wjm@N1im!K+~{pBi0=1Vso9!L9T4pevN!~5%e&AT#9wP+SG$wh z>ax|V?ALPd_8)CSH#XY@-?r|Xn8vz9%9j@eTV6cQXnHhOJ0kHcjFaC`m|J+%)kI%= zbn?*%)vOuo)K4wfY#ByhScm?yBJRx2on&czm$xm-Idl>)Vy-+?)<+wu zQx|V*kGW-@V_N#P2klOI7KeA4%}{BD6I0^cMX`#{qu%Dv4v~m-B@QA|5n;D?Bgw6t z7dge-I;-5uc@`C2k9DD;$!X(wuRv-o_r0dto1a%fa6@Za{w}25J6vizzo!lIyrD%H zo-xb`N?j)#!;tb=aHaiS^j9m5X~ zu$a7jJhx?3B3nan#Uikt}cgqRy&iH zsLZiqBrI83@Vm-pq_RhX;`%CfU%B1~q74}mZSGT2$-E}HSMcB&bb+nBg_>U#q~4t8 zRG+P4?rN7htTyo3-%$I(C0wf%aZ$~f+uZ2Wke*|liOrZH zr~Z{vw?Agk(JIrP&~V@LmK%o(hC~fIkH=kED?Dt;dsfprSU3EX)L!LlYs!zTP^_g8 zdzTtZbJ`RwtgpZSJys(?FTRAe9?W~^*5Rotv@eT0K`_v|!#5ZJ|T&NY*xkuduGxl4SR>pdFB7imIox`-mUwk=4D z#%>1XI8Cvo@nntVpV$M({sfNAuuPqN$io5=TPx|dQw+2d+^xI8ze1`b6O+7mzfONJ ze?50m#!~zZi(H3Rr^0D7txoooIggC4*%N9eT+sLHXC!>PkTlry{TpN%{qs4EEa59< zgS*)iG#uN4p}Jy!!6R2N(uRfv!v<+-PFl!dbWf!y7L%Zqz%CZG4?i%RUNa#fh>|wm zVAqoBiXi(xt)byVY7O@r{`rMbh85rZPCt~fd&aV_SYP$=^@{t0v?tlnph55A=MN4o zK0GIQ23;-Zm%i?I)<~?)d3kssDps>X=?p4`Y*k~{vAQdXEDu9aLKlJqbTR8t1!g5N z@yZh7N7+j{J2M)Q?_pC`~TN5cmlXr2}nJ(#E&B%c^M2=>5W0J_k!qW%ZBH*nVRn zDYww3$+;POh3$`M+CyB=pcsz#H0gAsFnV)wzyyk;>>)QTu@A6l>0hJ-=l0wSHzCQI z8JZWL!9AV8I}e{Az*k63BfUTxgDM61FByI`R*~_;**fJ)wU|pxiGr%vj5T6x;{+`F7v!PEpkB~1>JIS5MSk&VB?QZk2^O} zoBP=dI1<5`)sMk`9VGe~xvdZ$0M0(JQg^t_J!VgdnqWlmjJ_pkEkAWic;OJl`a?h( zW;9lb@cAbdl|$_^X%!k2#}O`~^pVcLsL4x~6l>fG<2v9#-}CnRg{ChM6id5yiU(cz z%C~Io?%L#Mn}fX_odH3wBSaVl;1VC95orhW4c?2Uq$&BCbmrjTmJU#87d)A6!9f_$ zNddw^oYNIK<KeY>v zo1+kX9lDZ!diPl-kG0R|_g|vMn8LEr(EL9%X?j_Jz=ZT(>z%4gK~1=B*Ox%54-Y*_ zP>o%#>V2;#oU2=sb2DCq^a^<0Mbh%6(xFFCGYB~^-mBXA6?ZlJ{2LsYfw@Hx) zeGU+Hg^#S48(*?@02&c@)jVWlaiBYjs1d@-OEv^1F4v^*nP9m5K(>DcA3;>&IM9PYbV z`6>Kiy|Nj=@_4cTGC~dv+x9*?eZCZW*rH34lV&gQ!5+O4d~E97R8f#Pbjzb)eh&dR zDuS$Z<2Z^$ksSk-j}Ej12HeoX6!RHWrWeVnK^8>b7s!=%g1}-@C$wh9476dTfF9@p z9<`LvJb4gHqqNh46!Q@ zFmYNxz|#9p5YsQ(F}f0C1js~y>l$(DGuQ-hvz)TOpD&p48UihYfk>~Klihn0?1_tz zfYJ@Xo{SiCc2n;-G!d{w_&VqJ^7SUx{BGgC3t0UZTAnlpkU?UJXLOhb^b;$e6IyJ#o-=17)} zF8*T+=)j}SR5^Q@YQTBlY3CchW>-&Cq!XHYDlJPwCE;GoDX7-tW(qcZb*az;U^My0 zZ7MW82cKXMtT2iD;}*KO|CZCv*5Uwp^W@Xhe2>Eqp>@M165}z3h1J6;nzxJpc}c#7 z+3Zr`ACTA@K6cbT0r3I^Sscl8a(Wa*#W;!e4w+KxzC71sVXl@Vl_gPp2BPA}(zFR= zsW5CRughP>K?QAB9WMB&zoR%v@F=;4D?laV=I|-tldLhMi{5HC2R#6cQb~uMhirN? zZ_?!6O1TjuuTVxpz>jaExdq)}f3aovBG};C37PNvt8GLzNNypJhv&Q`8N&wR0C~VO zgdVm;vhMR~=fx}S_2p=tUR%lKZb)j&dD;WCl}$^JQTgNh%mf344~v*&o`*F}wYMJ2 z2OOD$8R)vyuMghpD2xN`X8O9-JO@-k(^PlA91{;DRi@#7s$GO_!s{>bFU z!q@eiOG7rlzQt}f5KHw#{E6ZC{+;IgMxT)#S95lp@ljF4j5IBUGya{=V(S56niHDY z1z7H%kaU1%`R0uPhpB=XIl}F-JdCgj-EFmmK2}A{8S;w#Il8x=D{({Sj`KPf6_oN@@D2jetVUGOavRZl4B$wrzh8UR*V4AC}LVTE0CQgm}9x z@#&+tNc{)iLiE>*+s|WtxwgLncLDEh0uCEAbX(wCL*Uotn&1xcnSkH^K5ufh^KAvK zetcNSt7>E21{@krDu55nX7&xgJPi}t@z@9BkEre&O-Peh?2kbFh=;24;x%>2ORKZJ zBHsx(EWS)M{jR7@w6#tAk1DrDdVoh^>R5jDZ{@0AZ>;+xn9uprBGne-Q-r^8eL{5s zy{9Pc!RVT;hB<)lu@}mUiN-9AjQ_|HZm8i%yj?P;nE<+#xIr$z+ zx4ci`w&?2l8>7L#+P4+o&lN$-QEm{bp?w4aPu%Gc-cq3<1ME-ro!XH;&_HHB ztFCe1c#9m$pc$27@nQ%8SUY8{uq@lXY-u(Pd2L3Sho_$WiG&@R_epF^)Q zMeW;%Z3$vxO!)>ckKMes2Uxdb6+L@N!}9LNLc(m{9sDDEW*k3>?BusAlCYD692x*& zdPQfZ9WMv0)q&KLaG#V#9^qZd<*-phV-TOLA+{m>;X3_aRmpY~@GkjRL&r!0m{H1~ z!)LWkLAkI}Ch4_X-XeA-W07MpKYrh@^WaaLSo?`HRO6KMRtusWvGK{AP zIbQLn$$TSp)QFOwrmUjLL(Z*hww%>&n-zo5Bna_)VmqV6sh~S-PkT!;I{PNYyz2u6xcZl zpuY0=;U&}-)f2@BierSYbvGGIH3d7AU|m*5>0nzNfUz*86Ln-9WC$<%o{Wndj1o{; z%%wC}z((IADo>*etS7~wh>Dg&=t>3qcjWVQwU{x-bdUsW2 z=BQ{3hwoD>MU)~*pM4c%6*^GGB)Doz)@pdcyF^WjoLgc5w?RZE?coDNYEAtCky@*;0A$)+T zWDVRz@K!mj^^dpLi=|48uOa*!L{2sE?@dl)Jj7l}V*s2bq8IOXUhJQk-#a-7%=R?p z9@$c8I<*N8Zrey+f+12d)gl0>f-xi}MA0(vPN(SA%gs8-W&p4XS6b8wtsW_%K;VJ| zkgr7z{jkp;$U2@Ig4E{&WF)r0O>37i#C<>nrDp4M&-_Ij?u8hsz~e66@C4v!`;Bj- zcPPEYqo$YCe1rKVsKo3?=8%A2Y+`p$eRM4S0;nzs7+0YiDDO%F{6*>9 zQr%RDn7*5O)Nf$R%+W7jGvT}v4}E}CX1QR$zS05c;;=IF_Cz7C-F4Z{17^9vm?v24 z-gip2J^|v_j)F)bLZ(@Zbe{%nLk10ar5SwqGVij4`?`gAJHj0!Kw|3>ap{!Z8K#do z%?3$;F;c!I(msb%mF2^?>0;|V1j=I&Qqt7)Cih_exg=1u=z;IN{YhTY{pAZ{)7wuW z)Sd5s838LZBaOM{kjXt!0jw0PjK;S7BhqD=Cpb}d9(;R)H+a-2C4&)PC$-0wu8}y> zf2k2s%&^08Llm{?)he?!NZr?0JUTo|Sk(vPtUC~pC<(tMN(^QEegx#+SBt~b{ME*6 z%8}q=2gZJvj`QRz7M0K_K3od>gVy7CBO z!e|8*LYnhDl?d$9SM;y8gazkG1JIX&JFt%4f?{R)3AX*(3~eh|F>BRFum|K@Cm?Z| z7?ar};Y1aubh!S{iGg&b2r@bB>2n;$5Sa=Ak|0?M{WfQ!iLC2C{I8qBG}cNf_H!1 zQ7<`5C)y7zwL-Dfsb8;{5XTNcL^lxl$l<9AS=_kwWh&QB>sf3)zj2Q}^LxB^2CuAuwn|%{{$Iz7$%lVizg7$l z*}d2+4|yQeQ}=VWGAvSS7$0V;wDNkVtWY>|Tv~Nzf)j zBEzcyyIjz^#6FmWskc0Z{QFDD_03;oC*i%viBZrc7TZrXRSfQfbS~ulQhS0}nZ#Nn z`Q~g|s4fO|{O!-FP!$wEaxiE%h~9w#$8hFKkNF>ID-udg%-vc~w7T!RX* zRr`~ljs%GJm=JIbN_p?O0)luCP9Joh@1WA&1U!L!shw)L81=s#6AyDpiqKNfh}eQ$ zrCPQEa((VA^=GFjRO4Lk| zNRV#(QSUn)I1CUzCgu(q0S5)O&h~|mPJlZwfVCgQm?OF)gN7zVhdQ&sEoKi*x&l_1&B zv8mJXhd^LpB#A(qwZ+dVyV?#Ga~c*KwFz1M_#)~!D_tyg(VRXDo-2iDPVc{7L)=}O z00GmdayC4n6H=1LZm=dpK9t4E7=Oi`F7pcr2CvNiDZm*99tx1QQrnTr0gx(!VSv$E zfXKNRpr}_v4EPS8Nswjxfh3Rtpg#oj8o!DH^VAI$T2hV~^7$2OUdfIRJRZy7O3?z! z1v36DauRKBCO;5cD)g%dk;c-1c~S|0mqQ>OoZN5&O!QusTEZe=0cBv1W?x-r(Xetn zv!P1pzb+DwF?KDvfDtA8&&=*eMI^0)5Cmz^J!tzYaj zQt1Q+2#}b=80ix66uMIov2as3>IwnmZKN4ZQ6TL804PX*;|ubebxGoGSC;kVutuJ1 za#d?hGzP^+G_FUEN8$}}eYG8*1y;vM;)F)TUj~(q1<(>gknYRA(=3M#!qrMYzVjS| z(|Q1mh7_eaMH2E$rvD#Vr`%AhvzE%%oyRKF-0IY~jzi)`2nX-7 z(j&O*5I9t2E}nts+UGpFk#ivY;wLkBsERYOztUJ-c~nWL4>D1{KqKge5S`Ex2sELQ zvjn_9z(F-b@H8b4l~#yy@|a`y&E@Q8iN>0_cX_{0ZJ`eVQ5t@JABlq)3kd$9o7ARz z$m6g0)+0JBq?6{AOB)~iaQ`0!CkZ}`yrWhy*PW&Jf{d+8wuyW%;^NIh&^`}=_!kjM zWfC=l(j_`m=o%riu_6%q8kCZ1adsW++qe&QI>o#PmR&^2tLx{cX$g7?9%ZFn1h;x% zpnjPQsbZH9byCKmzT0%vYi?~mmw-gaZ}Hchr9vn>J0QFmmyI~uI-b>LH*p9wZv+oyhY!x>MfaWgz)62!dyfOeOXX$;}XdwjnA@I&g$-cZgMEc~B zpXAOJ7Kum#gLe?=fhSprdetePKi`Fyzuo}jo#OR;?V~QS5vh`71r^$Rqq$Z8}0y>Mgds zqdhH8;almlLf`kRVkXgA>R>y~qt2>_i@g|-+LiJZr>QlNROx{3aVl7b`M{sS`vY(k z<~c80Y~wZsc7$gxTh5&ROUj+!*Unboc^`*g6RDQY zjskF5<-DC5E^GZ)Q_4t^h6ZNa5_)+DW)B$qu)n=pPvE4hf4Goe7az8PKou{do6_1# z)TFb;Ay1TnF;{U^He!*P3nU$}CwX=y@O>NxJV97q2MSTusOPM0QGBfS{7n0;{B`B+ ztm#lmEOeQhR=&73ACkIu<;4O>doyNV3k!{i54%nUE731(Wbiw&q{h)q9~vQgDOU-d zFHi$wNA%F|#x^u3)|wgAPv31rl3bV>1RH_0DOn`Y705`3Zz6iy7iNUBJAY=_m2(Mu z^h&0u=cIrD*n~=>Nla_ffb-fFxmvrLjl0@}=F7ts%U7qd+%pCjJNH2>S~cdeK1*tM z^&PaO!x_wTzaD&xxvXY7_N0}U?-~20@A4H`QMIX8t9=g)Mo26qu50|t*qZ&tQXxo0 zEVcK6CQEhUY~)4OiTrc)Bgq_I%~yk!OjP&`I5qQVPa^s3J=l;XTeBPD%c)_$sk>PT z&bqHy`feD$u!_~t?W$bJqs)2DXE0bYC0BP$j8@Pp646%?ZY&Lz4M7wd>C17;7l^HY zTY26_`{&+2#F7El@?IPg3c|$7S+`rlJaYlC*Kd^ipw2to6WpLKwQmZ$?O?=dpm3o4 z;pE`ec5xF1uk~<*^|8OUrQC_IAs$?}3r&?^f-JI1rviY$kxGI&QS0SICFqA?7KzM^(I_5A&cVr$cf3ZC{FDl>mKC{QMyW3`k+WGhlP62pjlGtdR98CRmZ$ShhM7(^Z4wnjyZ+#LgvZc^)tdQ3aL zD|u>*6rvZl87O4qOU-v?`=oVU;k3te+&8^5xdFAmf7Ptb%3l{|QfBFzxe_dQW8^A- z3CE@Vrl47sVQzLK{#Z&z>tQPu+GEdZ`x47Sq}4?mNf10VtOqIZZpI%V9_;tRw=72J z-d2uy+OVs-s)y4~&5u~)nFSAZ<2qnd`MzK5a6GmKg-=yzaYH`k(uqL?jgs{OY-{9u z{V`&3lIVt{4|Wn1VdYyef}&-mnIX+quO(~*<7b?~Gu40E9Q>8HxgVNC6S9n`cBx(d zNqbiA-jz&~3c~41xjNA{6(^0a?ciCXFFb?2Ac)xS>{_Xm9B9A0cORgN*LvcMQG1?? z1Dc@5I9{nYAUPsFjPnIGnc6}O@$BBi5!K?GZjHO#&W z@M+}`(Y-nGz;E0)0PuE}+*_5|s-Z;X1CkCyewpPf8?4gV%7}Qh*)>~al<4W%bz3sB zU24}qsq9R@uV?0nLk@bfa15Dga4BNyz8PVgSj_0&k$ipmxyMK!9%Tx98dUwf>N)8ga1-)jhJDl5|&9HQ)fkw-2k;2<}@c0MHfgZA!i z=%S|*@>`_IevbwRZDo{^=q$bFxcvzRw&q(L=bN%X5J4({Jp&EK>S+*z7@1v=LXx^H zBR-*HMjZ!PzP{^p(+q6$tYXcx62L#4v!zmEC^xJW#-Jh8h549a=KIro>@Igw2KRC@ zR-*b;^N8O|b-Xzl%eAKX^NyZWB=rQOKE_k72ne%wd2+bLA5tS33 zf3xBh_g3sHezIMz_Uzz7O^gB--!*f@_v9HWV?Jvgq5gY6W+%r&B63970r zYDZ_Gi<@?Zv}pnbR&kBT)|*ied0QXd>?iclQz*f6!v$zwA}uIDzw*Y=xbO|uxvotD z{SmlX_GqAs9$2R**ajgnN2prU5#5-?y2yFl=N|<63hlaMm&$CmS0_q6wro@PFAG+Q z9Q#*Jv_^~j*ej-0P^#zxA^&K!+HLI#)?vD3I&~kZ#3(p!`6^55Uk8uTM7WX90+$tW zWXm9ij|4-?5lc-PxP_s<-y{gcdiTBu|pf-S;ELnUuw|Ie*r zqpJ0sRN|`j=jOJv6o4Yd0x-;d)E+XDFk=9v*7+~=S+2Ga8pt=P`|jaG49u!$5y&5@ zJ6dmbBftzC#VHKP;XeTZW)8p`(;x$PL?FZenvw=-+6MqS76yv4ZYD`e05Ktm)%xyl z;qz-P3uJ1Hju0C=bnID=8Xrbd4CsTK+_#o(fQcziQwVMH${#)eQco9JC>{WC!VnMo zcUam4x0eAFC@As^fFFy|@H$H`PQ_nl)Oo<3==urt_=+P3_hKLK`ASD3Q>z1hm-Uan zqmT6F&NR-PgFY~PSB^mvcn{!P3>6N|Ul>VRVKWQFtG1711v+Yg21l(x+4-c}!UqN^ zhR@bO1Iav?G+lJVpJeq&iN*kfV@SaeLGUd>tk0&u#CAk9bw9Q-#ta(w4u~K!Q;oL~ zJA}SQlN=d}Bci_2cu_6hVs|8WDBt3cB~<(Y&d`&ra^m4p>91k8OBzLvdRN9UWfXM7 zrJz{phtVh-7@-LfiyJ=BeERb-{OV0uvE`>GrN2M$gS4Zqy1}2g3}z*V4 zPRoQ0;SmHj;Nlt{iu$JX?E|$0(E(72M7+d7v!Hy6=p5++2L?QZz&q)t$X_n^jH#v2AKIfP7?u=08v=t+qf$yj)aW`ia56~Ls&XN-qnq7 z2#(1RR1~64^5p`2^4)|g|KD9pMr&sIKvow5fO!a9t=i&HhFHQBTBUQH2g&EILCjQy z3Hf$G1Vljs=p_{NHu+AVET!brSG4u<`%ct=krsegRG4~q+3e^;ZUE}2$6Wdd9GMji z(gXs6-1_=ESQ1RXWDha?(MFxU!MG3SH)pPR`tM3qS)koH0rv$|eUH7$ZfJ{8<_04N z(8u2S%HBQOeF^;lQBDZ`BIQ3y5KV-h+Y|mmAjd)`QnL#~RXY!WyBP%f%m#w-9;#k~ zARYM%-Kq$zXU4SH@CoK8rBym&F=7L!=a1*aV*at>(x-VHv`B=gk!Kz(s*Zyi8 zNUmUDnobWu&PNFSalAHB(4wP$dM{##;fnHEKj}s!(ho;oV*LBMt^~-17=Q(t=hyD$ zST-BhM01waL8yYa7lhP*RdD?j#u2`hb((=4DU09`9)#8dUHKj?y!7$JCny#Siw}#t z)rue?HYHBEqA^rpW}%%gKI6y$Nbl|h2q-b?wPm1Pg#dtXW*~1V1RkGcNuAiZ?U^(s zSeZG~qe`6Y4hKg7(O#}BiD;dohj2QPAs-Ow0WDRk^su@XKVEFl*D=%PJIVceL^Np zXU;G6F&hmaggMt<7(}sXytDG8V8-WeQp(`!IC#eknCv@QmEs2gtMtRr;mGP2gmZf! z?hUZs7M8*nH+=)?(2=a;#wY}W{%9j_OVB&N4BG5_uh$3iWr#-!o^X509PGC`|MfPU zP!n9K9!D4J{ip(_05}Msr#fw`*W|U!5Du^d_P7vXbAvG5bbt5nHI6La-CD7Oc?Qc= zgyJ~IZx~;>U*L&9t|yB`?4QM#IR4sfV<&iiGA4hfG zw9p%nH#p)2o*!ixl7OR`^}kFmgvW&+*;CFdK+F;qeW5Zz?irvoBW2K6DhCH00_U7G zRI1S)C@-d+iHf^}g?n1&YE)P5{4w|>gc@Vtlek}%lDLpC6U@I_UEfZ2uw0`)N0tA+ z-h_NJV!#VcVjkQP3DuhT}D)P_MHFaBY z@b0!Bbrvup{=(X*;wOgREBptxzCA*$sa1t|Z>}V2HNKv9)3`bPhwT%u41uN}rO`j` zMNGZcsDn&Z2pC?&Sz3|tgA=*IKsD$AO0Wb2K#rV}g!@V_JU+Q8huDAEQ4Qh;2r|?q zVYX&VXS{vgGt>Urpe=0MH;)%48Y{=7w!Hh=J$HUToUaqU5K4=>&AH9CEPg*riWbAn z$9erc2Z}r~Ybz0Nz3pcI^F9TQX7^OClmON2c6i}apVMV^m7nroTchSsBtKOX>1S!x zrlOR7VmIb-2x^8gMOs}c%zE^%7*Gv`5za`ICa%70dfCqOTdpk%Wp~PPDrHLv#@$YP z<(aH|e2RH@yZY@$K&O(b^J$e5D&Cif0FEIYzoTc(5>KAoP%a&jf_Ny#1mk2o+j z&X-+`b#wCTwPw|9qvg2=rHx$B&?c`zq=L+~FHTkj<*D|A8>p>PY2y)WSjJ>LtBb`Y0Bc4FJR#-3>-W zA@iGk?{p$6_jQCR)+5iNfYdF8%CxDbc%gX98*=m};DYJ>yKr%bEx=r5g%4XZP0n#9 zy~%!hh)g>dm^2T9>iPT@@wLYypl*BYA`BtB4AG9fi4gefG``ZNI4yJyutLijIg+Ey zE-#V+({ARS5B}D9m5Tt)o;;EjHIRC4Q>Vym07i(TekuW_5RDAaDo69tRd;IAhjTtf zZty8a%G^x#Bzij$XcP(|c2^Cv5qj19M{)_U%N`;CfTpst#rg_p3(iAb2r_V-#uku% z+pA{Z6n~~}=DWh=<<%b>XDIe|Pwv8C=|!?#9cUMxFWSZ{*PLTt-kYVan@9Y9{=Z_(<2xq## zQ(xRJq1yU*lEKl*Swd{;<<&)iNz0Inm8K_-C^B3_L4{ATe#`a{u*9!R#3zDQOrH9t z9sn5nI+#IfR5L{bH$qM`{_@_BI3_sz3D!+vyHVPc1{E%V2YmfqD0BJpg2>;5ym}2^ zYxTDKDnQIPgP3b9e4vk61Q^@}Izvj)6PSC<$-mcI0%L{k5*<_?N@Qe3ktNZql#NIC z=Ytx&T66~yZ3^QZ!4pV9qezSaQ8yB*f1z&~+tyL8=cK2gN#mR|{4dSOGviB4XgpJC z*TiF&IBwg;wp}uRFMJQYYA9HNQ`~+1@xa4qIcBk@Bb^;sV+*MtWG^iav6`JGFH?nhua{DQYCua4lq#|e)_zT+ajiGdZ+yH zMDfdi9R58eU+F+}r05<@m{kUg)mYRy`ls$IyD<*7A3tY}uHE@X6FtdNHJcg)ACOe( zuIv{$?aj;8A$4g0<}*#e?n;pBdx&16vFzhj$NReG4KzINo*$|8n%pHWoO$OaK5&%f_J43?Ff9nm%fdZsq{o2`T zJ(snMje3Y2fl0@kKC%8B~GvI80WT0XHJ1joge? zmdK{5QZlYRrOTOLbvo(`7ZfvZz3gdmxtjI*ICKC7fS-I>VxI3YJaGPNiGAwh>iNWU zQ(m(|f+h(>SMQ4Ud0@=5K+bDOdoUAOkMlNBT$5CbOzH&v+*%GeU_u?*5 z1>%4JQHC&A8@Qzok@vc*Cmg(sjp$Yr`#xg98P$T#uK(Z-N#W0XNToVg!>E?0p{*%{ zzE^};OT0OEoc!CgCZTu6%4~S-B82B+xIu^Y9u|=mf}e7d+-kE29nvuAF0nnNm({1z zUl0wzOjo`4-kJjY?+tpa6e@9BVO60?D}@FXWnTw(AsC#Ra+^swPkk&X_4ZriwkU1G zxx@!^P0DOmGD>3};@>7~5c`6Q;Uft9}}PDS~8s5NgNqqPMzss!pRaj;Wt4FdoV*?+#W{u`vCqfSHy-aFIFP7q^u@sCT&Q{&Hlfs{2M@%hJOH_ThH zC!Xwz8SJ3&qV{~?bS#6N?TXfNXGk^jdr~gT`c*I&Gt3-<%*UoTpZq8~Mi>R_YJEu|4%@SjXP$TgHG|W+Z?cpbweunDsOy+#=G9o zt!e10UplR`O3WZR{QL~{Czcsw*&Tq20(4P<(nts8416zAu^FhX-%*#CX1>j(kxby3 z%t?|uB6*%qpK7Zhl@Aee;J@oO2QGlnQX zCn8aw)8?~^+e>GLtL}S-J*p*Ghy_(SdYn36o*rUO(mxJ*n&|mk3Hm}4`OvscB*ywB z)CW>!%Z8et<8K5@BZmopUM5nI74Li=+!Ti;$Piyu!hwR6)*T=w&4Qg{#uSHq0 zzzq@0HI%y9w!Z;-nA*vvwN7w=+NZLv07Ds*mF+%R$#lCmGepajC-Rx@eg77`E;(uS zkijy$6%8iSU3J4gQb>WU$(j`JZ^nXXGW$yUI{-zO$M7hVd=pcZsj+qy!Ai@O|=`cy_+hk&f^X8kLHY|HsvP z2V(hu|Kr9jd&`!+_g>jsc4UMKnUSrs_a-xBZz^Sm%FHZ#MTC%%8QJ4^?%uD@_mAKI z#qGYX=kuKNSVxOw?FX80^bRyg%}X|wiLWi>ysB_$?TM?n!tiJ%hTjAx%lzqO-hNzZ z5YDnN;SF9a3w^}ftX^QJmkN&o^zgDap!@4o)zn?TIOq3ymSsVY7InZEs%6eDn8gxf z|LkA!Q$*2Y*}sX=)V+kY6si<^LBTr32r%W~msa^}{6a()KhzubWKR*=NJ zk5arM=8V*PTKrGIV8Wc=Q>dA;t2J_jM0i&+09O50GR1MBDtSh-DdeB$np6zX02a&g z^$}y2Kwtsp_JY@eSc;g+8}>uZ(z5bt+2e6Q1N%+P*>~tN|q@mu9=}mM;Uzu zStD~}`YW@Tlhaf5PAd<7R|MNVyZMUiy3ibpJswWO+D_FAvtlm<+}&)uBq_!VSJ|U3 zjhei-V=}bP=5HP^gbHp7Rw*z%MU%TYNV#Rb-#@fb!TI#!YN;fAK=WuUQ;r<1ISJN2FLE4|90|uFnNn7(Dp#J>(>P~&` zHG5(jT@&k563;Z^2u8 zQeJ6Z@aLW*?LRC%7Exzi;m&9@<_F^4J@eFZ;~yWnHp_WzfeH9YzQt9dCVivQuQVZP zop2X!zu%R62w7sis+LL2C$YY1Y{fm*mEVebt4=2fQu`;;d#83PEepCjayd)XapQ)h ze)CN6lS?BEqwPSNFvvKEQt60Yf^BUVu*b56KtmV8iQ>pH2)uXk$npW^*2hJv~ z4C=ZT3|&1^zL+CSB4k#pU#gY)&6R*3DIGaD(nlrAykz4-@8b4+jyj-bLCSTPYve82 z?VV^hcbzbntq~y3|;n{K#y1~hJrBi zgWPcCM_|yW?^p!zJC@X=H*=~tR>X`xOXV9cP{Mq_jzdm^sEZ8kC+V+C@8oWxp!udo!lw;X_RogeIdSQ@+cV5F%csJ|gz>5lkcWren{n|Rm2Zo-O#^-!qF&MZX!fOrie zZD*ypOJp5Wl;pBroUUI_RgYGHw=9;~@Q#kkC8=!4A@hAdq-q5&M;kI!qu}PvnlGC` z8C3PPT~G>D63zt6^APK$-uqpWYFiO4wl}0S}?ONrbKPCQ$^`Ia~NbN@o!@uV#l*Z3}9GJh40eU=Lc@-kV1`{cx z-xh|iR+XoWJbWF1MU!B96`SZqKk$2=_lMj>sEr zMtOkr7&*oQ%_FmEZG}P<1zbL0m)}dwOaG+KaChk*!o=E4G5{03r|)N*j0NM)&EwUw zTiEyhM?nc=+mnhq=d+Ck&d#V~!7*24&Zk+1aiTF4ZW?c2kd!G&3#ukSyiMl*-I6TQ z?WyG9u6)V!8Ld*!_0jE{&Xh&k5B?vDF{*nX?uJs5P$BPHT{&H|T?*8doqNyLOG-a! z*7-L5Iliy~(Q`da-QP{^avplD4r-75%@4UpL-XXW?{6K=MB4x1Gk_tE>gEHe3KIij zY8dIf1%Z!FU{M`JyAls~-<}E5EXBvUsC$rOoL¬xIi7Do^=>vBmwZO%5Pp=lx7q z$JMS}T>r;l)I4tk8Z|ypD@?Jl9v7TrE1y+d?EfRTtkk~s>T##|WD&!{Cf!t5x+aj`iW??{5 zF-Rx>Ssk)TE4f86FK`NW*15si(O;u$$SFQ$8vKciG|wfFEIItFUM;lTg||kp(t)g! z68=!=jP;o(7#OaX-mj}5hyb5XO2qa;Yb`^$C6~nU#RHYIG1g;3Iw>2N8a$jibabg_O2%St4T)ATPt{1gE6<@i6VBeESs)1>d1! zZ2kW}%;T}rcrWk)|My`~Aup!`nb0(|&>m_%ITV(_xnBzNY*k1pmqRIc2Yn-FRLtqC z#{W`#;pm@2m|m zOoQ?FBddSkDjfXcydd^twKz)R_rZFncS|s^j$_;YPuX0=jj7-f+L`#?=kc@9z%59CUUjH>ja1G~JN zX5U++VV4Um-kX9mkCYO5>vba}qADzdTe-`22Bmkj_Sk^B*%E_@vZ;hA)dk&ppMK7= z#(3=mX}BM4cu;kBfo2t~8ddK;ly@SE@<%hfD!jV;U&cwif8llizIia z-s9(IY@`!%u3@V$liY^8qYf-7Ppo%mzJ2g{D~;?I>Vf`dn)YVN_R2xjLhCeJx2WY# z-k7AS>5S|z0ia6se9v4h2fjC(?<13QGf((3Cd&0Y>pX1TCtLh|+24hlzT*hLVG1a& zkcsfNKDZ4-lV!G{zanr5PU#Q8r#T%_I-p7ne1mlRke(CQIyIdOs_8zdRv!# zaC62>HVBiu*Wz~waNmrPu|?YJd(9_$tRVmxvNkK+{(kDieY;pG5HDF6+l!Z6%i*S! z__ug1q*79sKP1zU1^l8cmIzgGv}VcS)zgY+9j98(xuA`0&sz2cI~D5N=BQlNTnM<+ z-@*-zgtXN-8u7t80@bU>>J-Oa#clxHI7+%N3p`XUwo$-nW%_`GOr6zxEj&k50v0nI zpKx> z@%>n)5dU+EXuVvjGN~?fS_Tv%PWp0ps%N0>ALhq!j^O*S zDFm7T@esN5+wE9|8EqitUYK080JZBOK)A})>=iW4lUj~j#ahGxDyJ#600bcwsRupS zXY{Bg0vyggweZ6Q&bm@L z3&$U4j`pRACIhZpf~_HVLf_x^f$Nj8B*)5o5MapvA{}nN&TBr|fsFdL3y3^G3D#oL zgJk;m_BYz|G=dx^DG(oVok-@7AePd zEzB#qb*cjN3~8ZdX3h5!Haq4Xv*O(nhbKsloeJr!_;**bp`oCQ=M%6+VgaCJavUqu z^;yY5is9cSvcI~P?^XQchdN06d=%D}kuAbXCWru<_Unlhahd)#E{iPr?1^08D+h)&zjsc5NdGK{3NU`D`i9G%>>)afoz>tN-;d4*&Tu7`Tt~As7brM8O zJWcB_N+mC8IPNOd$#Fy?BHNA@FTI;|2Mt({K{{?RCbobq?7`{``2))k4F2=*^{}=1 zmROVm_(%{gk1D!+a*q?!_k?vI?gw@2Y4H`hVM+J*a}k5?^voqa$EHdCUZhC#{aybE ztjoQno)0~1|Mvq$IzdL$R8W4cR?MQEfruA@7Hj4AcfuI_bSL&yQcGd-%EWqU%Fgy& zxDBXA%J?^PLPyNR-Z-ROK+^P`I{OiLBeqc1jDAsxyJXLSD`TDZMi~;H?u7;kfL6}P zN^8si^1Zr6w77|S(a?ggT5D4L$x+H;Gguj%H&hNoCyEkTvA}qh37ICh2TMT4@C_N= z;N4Ddf~G6__Holnx{1~G8ve?p*RvdNt@L}@-5KB&sz7|CBM0rXCv3jZFFjOQBI;E~ z1IJnncUZg5A(cjY!?~*b?^{!E@9oSI+{qP6|7IWf8krl=Bm$TZ*-;60Rwq5jF>uq! zl&%=oJB%kJCKXYiuoM-$6^MF;&`xPe=-&Qi8GUu<`NJF#u#GA#Kv9jpOHrn_58-GI zQf5nrSjR7dE-!yaXY!cTXPFcp02^}`Xwd9i$d0yJ%TKSp6&k?CnX`a7Z82B&+W*>m ztMzB?6#v>j2;c|v(zkf=A8XHS+0O*DP%J>@08rKpa3rheBR?%BmX1O>vEEojJoNbW zwHlcP_}d$PEa*Ghe|5Npisv;GcZVoj! zWprqi21A0dQelrrUFj`QDJX(uD}%qyUTGGDA`cw#O*nF}epHbY2f2jB5|$ zvphTGhTDOVOl(epYls910U+D67eSRV<;_uXWj*U9eJ25I3tJ|<*V^5ut)o*eT|76x zjWitqS~LU3j+fr;t!_)IACT}cIuftZI6ocW`?#wJ5xG&-O^NfiHv*AUh|LXD=hP*P z5v0Hk=A?m-gZ5P5uarO4k{YPJKjCPF-3gWEF_@#h`5ej?+i3E_0XE6GPmvW`l9iCDC{qdhJ}k9Yv{CPl%k0s@X51&s z41ccG=cE-X^!erb)d}B~*Zisrct(Et9{zChmp$^>k+IABl(+i+XxdlC>08eX+M5L5n&*^Pu971>UbvrX(H#oFc}|R-c6*FzGJxY4kR|+Zy@O^T>2c|)~DLz zi(q*00jS64WXSS5UHfClT`+Vvfp5uhWbF|L{EmDqqB*3K{`Xi};$6pz5te|8|~YE{Z-`_Td=no%N3>^M4sgnW1AukQ3|opC_FHg%-8>XN00J*`Wm zf5SkrqxX|L4XKNqgT$t7WX2&_Q#mGFoaIc3cAd1xe(lZ!!Ri8>O2{DSvrJ#5Gh&%q z5(H99ZrWwLMIar9Dr483jfIukh{|OV=U77+6y^(Xq%8bH>xij9XBE{;2l=Xh9L;F% zs#=ig<$yQy7wCtVK=nvn|8#Ii>C-eA{Y&hrF**#UHP~~OVfI>$X(DVdwMRO7mY*wW zioRCf=_$)C8(5s$!Q2n{8O^SoEAo|z?h+!xzdD1p>(2==iQl2?4Tx@W4M~ySC@-3Y zNn|ri{P8yQSnGxZb8JpnpD|G7NHbO4f*Z5hY3!U4$ebFV&%|oIu_fO2DIxU+Ae8Bvzx1TulV>VP&S#3E?~|2*@f)kH*1$rd@+vM z#Yoau;gw)WxTAe4*t1V`Ho#FHLfG(k^6m$CnYa)4tFbB3G?bB=J}-zFd0v6kR6_2X zaP*kgK{jA+t2bbmNkKec({gfj?kk;y`y>QR|6;_!fK_7k<3!6H0Dbf z`$q!v`FWH;JDQrBQBd(jf*(?-3JNf+*LLGTpBqpZ=ULJ zCO%F`f_hSEv`ElO$npv+OSh!YUaI>Ae$_m1!zrZ|-_7xZzcI8GW_LA7>QqZU45V2D z+^wYugN=kA#^0)Tx2QqwVd_yp7YcBIjJqln+k;GVDKs5i3O+JR$AXbj zzaIU*Eq{Vm{ShJNw*-L#Ut}Nllc~KJfgJY{1@Y2e(XX)5#0RrA^V#Q>^t(D@x2yb9 zQ^;o7Uq>S6N!|~eHHFt;fkBbkOAhX!J&c|(euX=j0kQ#U_wH-li7ou174eZ>YTu8L z!`u?AqTEk2?_5-$pUH)m5Td!iau6_FZ@d(&;`N&p`0`~@?R52BC&4ZB2vHAZAEZv# z3jhEg$XL>vn1!2D-khjS(vWjd!lS@ViwJX}y=BtOsSD$>u%}Ok{Bm8ehc?CS-a>FE zc^y))r2h_c?g7X#_@2?G{Xk79lD&;gzIqRdjK2#9lo`G6?B66mNDuO}947d*Q@_?BP9;k&5G3C*;Leiy6YI*?O(y;azjl z?719+E!3H~CDv4$gfxYWesz^<#a)B!)$@$e8oGA88K8Yv~gzf2IZS=Y`{ z0)fO&)hLTM|AdB?2mb!uJ}*%SR==9F9=S_>cfO}LI;%FcCl>7#boGUU)x5Hj+E}=Y z=i4E#LgL8|*`m91Ip@%HS**emV<>{|Cm{bG$ZT?nHD&caHgKIjt9RXdd;4%e1|>54 zcY>g!@f2@ zuR8+no`R=EjpxN*@)E$#i+b|r_7gSL;|r@s1LNABMH^S8Uq7cIB;U~>*p2di{0Nac z4VnZxNcYL9=I&>GA~QJ$UPp1KQxf)XND~dAfkB3GiIwS}I_7K*iEtqiwk+ zi_0H#>{jagcY_s|n`g{xmA>-@BYYd=0^9tw^i?t&{u!$KP2Q6roirnmTm1;2($85Z zer6%FxNs-(fq-r17CKm7l{}*8uFpB)Z4t&Cl-PYCAAhzFiHSKlz0U(DvIw{Roo7Hq z=3_}9cl{3+V>%9tb23!k=Z*+ha@S$kKLrVG!etK#sW8Z|-?Y(7G!6Iv(P_Y-&SHbGCXvCXc0*mU^9%(22O<<7IjzqY+w-**AY8#l0J z)}tfm>2*%rn~qtgm@0ZqlfrtO4Le))PofkQyu zJI>M~tVB#n0w)lXe^!XR_W@d+)%W{tlgejN@;}>7Q_%~%c7xrx3e8GarBQytN&==S z*gayFaFam9gMA~4StpegleVZK=vo-O@t+Q?8Iw2emPX>&Avh=$>@qO$sN(a-N)vR% zqBS{m)#CmVmYQg1ZB9aWRaCD-OE!F;IH zB5htPa4nzsflX0kfEVp$^tj6>r2li)T0n?yoSx`J_qM+-AB99FNlf#EpOg__UgEx3 zOJ^SE-Q^)({>Z%8-EY>3@xo$a-bxIISVaCEravF(z3^N4hEA1%qJuKXBPy*t%gMyr z9JL=+x}W7##W{#R=-A*Aaq_d{ge3zl4YS8`g4NHm@{iyCoR6z-;iiPt-c^J7OMP7ah62|gL<+tN!4YCo=c5?KFIx6|9B zf4l?feg#BpJ6hjQzL$qe05YsLPQ|QQhMQ?M=gQLswxoS58+2dm9I z&802rH@?e0q`L%vA%8E`nU>@Aw$*DBdNW(mpdi*#4AiA{EWhrJ$b_h!nNYW?k?XfEKVg~ zYGyJCa*OvMB&_{N8_|5^w8kcDCnFVG_6sRBE#j^6?XhPlsFal2Vw_vD4CM<&Y+57?Smbme;Bp zOq_JMb?gPD7vk5tE{}*9GiTu(O&d$>QwSF4x()l^J`Lp$eSPk*bx@^m?s;aKt&nqH z5QSB}mUrC!-8=mr>9vekDT9ywhkQmSo=zQonK&_?ux^t-nd{13E%wiK!qIp{K0`Kt z`U%&ws`<%5to2`+Du*iTk|<7#uVpw2^^A@QMNz_u1skD13Fr066F&~h1pS_Cy^;T# zm|=l>IiS5opgW|WzCIDQtVGW0nsA)`Rhjk8_k185u3gl?Q@9?e91&E#`$;*PgEWWJ zVO1vY#5K?`oco==*8a4b`TOvYYji|PrRl3087fleEwjXfEmeL?I0^9|4zOIuYH0M< z-SEE`^|ugr8EjjwB;;l@D_FEwu+GG%B!=QoV3ZN7P&PJ5oVJHF8!!cR;1OUCqBuBQ z`4(^B-t1Msps)@=S6S&_;<+7)5=k{fQaTWI{4$EkQK4nsDrG94Pad};x+hh&eSW4O z2M-MwePxX4#S_@oGqFihmh;meaLXg$V~Dh-Pn?Y=_*maZQ!o*R8o zcsifPX8mD$;R&zTPGk5UkrEAdI zRX)*IALTijy*D%)+N_duCv(e`V*!zr*|w*4Z`PPJST(qg zfmrhpo1EuHcLE(Zu^tBr&pQ)8dEMLl6l}xZ3qP627pDY|GjR$pcFUV~h*pXw6`gQh zOTQFM8h(9>6>x{b@1qMrphS($qvHg`#EawH-MN9ZnJDJozZ5)c5T2W$yj$>_sN@KD z+{@7X9uLcT7wS%hA5SbU$K&x!*NZcQ8XLj_roA~_YEyKyigv48mSz}d36ga73(ak*2=Z)cBcf5vc2QSana-FT?KfvcZ4wVkIg6lg|7 zb2x1Hkd&8+?G}k4( z!B0{0T8fA_fUJdwJ(#AZ#6hs;j!n8iP1$#s56&>C-Fp%qf;N&aLUq5UpY6J~)bwjH zv;fU4AJPVRSt+w zC}JpzK*#dn|(Up|m z7RS)Yt=eye7Uc6h9noa&goL(J8NwnO*?`~!~b`nC2Giw};u%kCdFi=b$F z$q}aJqp48;%KbtcO6awsmRxD<@_1NKEqXlk7>62hSa< zlt=5=wBIT~-&bxP*dA5gny9sY=C^AYt(sSq1}|+p5%oq%9nl0 z3+A;Pzs?Giyy#x=-839wcl;7p#8FzY zi4dru7iId(LK{V`CopB%b~v?`S&xs#D}VO;cl> z`XS-`LOp3z8zWoVEqv`%g^ERK@^ph(`=*KEec^KTlPDT~W|)|LvbeU79yuO! zTr}8wZ|4kEG=#zC{#QIyB?dV}Bm3TLw;yrH`60>Bn|jKek=tt652X&C9B;RKy zilp<-SYs~hE1zWFid#}o$})9EEW|F}>||fH>ReRuQj~o7DCd@KR4LW&c0NYilu?eW zY@#_M#%&1}GNFzWBd=>edMZK{+t5PFSyX~fpVAV$Ab6C|RienRyYpmoT{R!pXB7>K zC&+s8le18U8}r1~J5>hA=2frT)hTgymCSzDdwD-8^ziA7i=+N(`)Zt1G1)W1q(_Ba z%EOYFj+L!d2@)gTPtGM4PqTK4&vZUqJ!`@l@^{2vcg$no`OSwJYgy#_Gm9yz6D>L% zGs$P$*{tr%s_1tVImws7?DPIO3{5vewV%V3vLoFW;!Yswal92HfWT1-TF9S7FC8#u zK2}`h`^ByIP*F&zW5-wy6SoXUT6FJ}EP=t{sP1~mvU~c$OdD#UQKL8I_|P9YosaX+ zvX2&UJ9pTHG=f=54SY|jm=eq%Qxf}SKPgN(l}*4Q!(b{Ne#7AyQnty>F;$$bZCR<;a7{x)ppo_9Cry(0Qw50z9@|pXhf5ccAUitWe6~Kk=kV7qMMQyrKhZ*FIewYYLzR>`BF89o z4=eqeH%}$c9Skvor!u zS|+*xrn+HX0hZ-_(&E0lB|4984F)dzU&?=#W6xX%fgjy$0V#AA8@t4*#DQkfVteUF z%Xr5ToV&O6B?cviDfLhD-4ng(Rxa+V8CZ^WbMRc#lWo`7*IwCi?KgELx|raQ-MB?7 zcdzIU>J9(rY6CuD<5}J$13r%=N<@esye7Ll`i6KPmtR=avES!hW9COI5VpQXVx1$H zc2&4*R<82V=S%0L7CjZE4CH?)4Z6&^&)?3TX-Z#dNEwU0xMEy5q7#UmufkKxhv$42 zIJ3bk%7O2WFim61!0uCzoPU9@w4JbKniaQ3P3s)jn{S{u8m3U%R2iBO8XuD+CWOlT zq)p=uoE-uuCq&-?-x zHAKYh`}=wXt^G8;@~cUvQSAjK+|KV@)@ss`S9&kqVlB+-pmqD>|HiL7Yv&up#*;}2 zvGX*Ts=o^?yn1AP^YY39;}Sows>bX}zt`t_8b=Ig(~;Yp!j+XmJ7Fd&dCl-(e!`yX zVm3lpGn{rxHboXu&Ob7k!S*GyW&g1-A3oZ+jf0&hnh@AS`3DlL-%-pj4t);TEhAdr zJDT1xM|CPPV0p>H@_pLaG@4GmxJ*hqc+GnMwE@Vnl9r8;U! zEwfCe;NTeI<+I<10ecdwh&S%@uA3SUD-g^BpE#CRJZ2V!%gKugd<_e3QNBKXO3q)2 z^I1^|*IEA>lR@6jw{qQuTFNuk;0Sf$SSm*r4z>xtlFWDI!w>b0BKN$G+s*g5yBOMU zWcQgXh!@FIUdnw8#PK)Hs9q2jM*LA}D^oDL7wVG_Zuute9~**-@mmMO%h{PjAgc?dvGPS@5xsp-U)a$pUS&wysDcj z&nd^rX<6{f;`mEOJyL5(Cl}(@xN1@*?qx~^)#w&CsmGor=X@Oedn@c_`Nz(`ap*oE z9mh6ertgd{D^FSDqq7`2=+WH18@TdpRamU>I>*8BK%9wyK6idB-bFHnrdq#U zmD@BqdtUmHUNcUCy~+TorJT9Gqq6H|6M>}hc#XZLs3ZL$#0H|x9vyEhdMG=`ogo}) zKrk*Agsi-}2){{`@mrsTN3F&$+va-mRhua^_Xuxyzk;+)@6X6-$ig9QURLNM6}|^O z!!&VkBZmqRU(zx9y&f%ucIxhP2yvA6AmUXJB!#wVYC-$D6sFsW2sDmum;&4tf|vq? zvSxkDr48!en7=GvamV}Kjl@u?@rrg5yaja8ujv&OC|gJ6GenTsCK1S`;%+Td0;7nY zA=dMgn1NbH1h+?2BY{|)(kaO3{Or4R3 zmJ?AnQ4!?FmLmue-iYT3I5`YzRdLx``$JzA#kY3q%oW9k%!%YLae>%3<9qpC42f78 zAbL0BX~cDea(bn2KOtmwh4>Fqy4ivQ6JB*qexjG&BUlXi^64^K>u=Z44c7?_uVpVL z@fxb?C=j%|zd8}%#=Jvh3qNRKxj%K8%fGP{{N-Iins2m6El}FHkTWRUs5!bB29U@YfMkC`H zD-hSj;og#%KF1HPV}fvj>jH&m>dl3oY8RN{^HKB%Ya>eJXcFh%^cug7toHdZ(14fm z1b*gup;3(Sm{m(Bz0ooK`tEI$;(k;IbRk}fxPe*$gdUX?Y^SCp$wzK~eIQ+}i$rIb zi1RaPHmHzBAHX8JlvfBwPz^s3;pM-@&-Q;NbzfiGg9JNSyPt@I7!6|XDGG3fcGM%w zy7X=qo3cl6Xo{KLFYZiqkJ(0%k5()m7@lRj{wkhsR4nl2V_Srw`#6rz7LFhS50xJE z)P13CY+U!{N01d96-L&fe4}(3N~!c^`#I!MB2|F z=Dw^xRi>M#w+rQynwzmFx+I>aq7*v0+B56rV|{n zAh-kaG3FupOryq@!?L6c!c)wcm8d7)NRKX-t*2H|B3-Xp36>71DIr|W&QWk`lf9gHMX>rXEXJyE7_5Y4?8kDxRnU57EEoJrH52j2`$GlIXq!VhUb-25l~@NzjPbiwP06c2`+`dPY^iaEerh zN(mwE;HECW>iTs@2eD=nk8qix4L~!mB*D4{R_OZ>-)9xkx&WH|0A zMHmkX+n(tNp{W}bw(16*W_t{3{4sPI*n$*UHw5iFj+v({C6P=lD~JLLKiD>0d`+DV znVR1O$&DtzZi3g9S~jp!{#_q6no$DEAjO*rLC@&F(sx%n8y36BPzz6n?~Z(9cPDg? zCM@8(rN5_8IQA7D*B>>Mz9$G86Z=F;L8dFZ&j+OA zuSY)ezp%Rp$M`ETik0&F`tZkE)qTF-T!kTyjUi8|+I~QE>Z>pPAu3#89QW_9b)KKF6S+XE3Qh(&zYE#rB;UUaRwLbjd*z3mTf}_)z+^J7xug*QxKGBA^ zAg|2la%k^#^Xv3zb&I8WRrhsqE(JwS2x0Tqa0OJYI+Q6Ul*Y}O5pLf5?$%Q=J7DVC zeT;+a(BA&b0n1PrP1$%+(fW@0y#YI}AJ(BiqYdcr>xRFn8AU42!44zsC#Mo;H`(EB zo6csR0Zp;m?J6kw|6;LLho&Ro_wULfA_(dE@KWnkj&-HhS;SptB~Y1S2C3I~J*>x= zP_jaXX<4)*W{GRmU_ti_RW9U**7L_&@KlietiCmRefBF62P>M*2RDxVEx0hrI|kTi zuE1_8X)lTBcKs1r^HSe>xNr_|A#EG!|E{#Uy*o28-nuvUlzl+{j&uLGQjOM4nd1pm zzmFXO7pHv$4e;;bW;w}AI1UIYCz#c2HP!U9vt|}YBuBPESg=#E1g}BX$Njrg!p}hP zusj{G}}ly&15M+Fe={+lt#%Cg$ux0LRHGoB5E^j29>3ay6UG_rNX2;)#qRuE36*! z*a6uKv5RcPlAPTj?fQnsWAe3|)9`W?FfS`fF?y1Vp-R7av6 zf&wg2_$xYf-IBZyDmT~bilE#CF%l&Nd7GMB$BWK_QumP_6`Bfj&^Q~}9WsG(;`PZl zFMFMJz*9f67BBw|G)``un{70g1pje!PKvI>x&mkmxQa%$BGvJ~f1pd>DM6#%YMw|WV7T76X zz>Z57FkX+n0sVy}=bp_==D!b+tKi1_3xuqYH~R@=(9LbP9y)gV8IVBDL2No^u;kef+#*@*rH1Q2)0FjNxfl@Ij3oX#W+L6Gm60 zp%cPvzC`9vkA!jab}L3==xWej0=I5ZNJXha{O`cb+{A~c*i0OBPXQW?H3o|s00_AM{i~zn~1**`NRppgAYOu zxbK9p0FB0LqPB{%9h^^gK=Azn72W1qxwQYOXTia+TW%L*knov~KHaMBxuJNyqcNZ< z;omtCN0bLXs6Gd&M=$1Rskh1TI6L|9{m#6s7;>>@spegiL5n(q}Z((M9B*y}p&%F`=%x>i(ZSo`zZ zBMrKM`RS4m`S4oNaCF5Tfhr`m9G8MbKVYW(Mdkfh8E(^d@Whct7)ObryjnMpYFP{j zUjH5$`so3vb{YjPf^Z!bF@KPMVHuZ&%9M`0%!uMq=Ep!l5Npmi3E`P)q}?J^WH&z9 z;en}!4i<|Ri~)qJr(FEz+1SQz=nqH;{F!j`k2f{B0r-xN8KLmOp3v_F z^6z0kjN2jXQ&Oq8t2E`il4i_j<}Hjv*Br_e6@0Nof8`2iuWIkONWS(6A9c0(Fr1oF z^wcW2QpAuK6l`}m zramJ(M`p3W(9pGD|t&^D-es=!5b{bdfzMn!`39d^w(Df2Uaig*4cqVhy zRwzVTSLd?r(*>|p6dZ?{+JxmDV14w8vtpY#(<056GQNQYa+41tR>4CWs2y$I5zCA)9SAn)QTMwxI{r00lchPj!f6rAjSYFRM@9YSvnuNZCOGG>M36^6Te7i5I_h}0rJkP55yBw0` zoMMYu`=m%nUSDVMrXZ{Hb9?WT{4eyjNyGv3i)DLJ8~&vyibWKt&&ntaWrZBCT zk5axB)+}6;+mL*b)Xe1c&Pec^bs)n%>p&1Pkv9`ipGlm%2I()Ef&l&t(}zs%C$J}o zQ zF#I18{1haie?F7yzK*up1kd6&vK8M^aNdcQUjVS-dc6O$^0qYgzeqWh)bUyQ66A~A zwMSV=p8I-Txz$=EkFinp`2g~ca%9f`WPC6og4<7YK1wjBqIPU5TJbee^8BzKd3rUO z!KXy89()d}K(LchoNgiGoR$`z*Yw4ENX$Q^s^5uTs6_zt*i|mNMP#q82#!NXr zbIlb9CVTbb6z@*ieNMO+kEQn*-M{C($nAwS;&4A%RlT^u{RiY4>x}*RMy+c(mFK#m zmRMqJ$orlEP5HrkHg3Jb?f1%7(UYYWDOT=-_A9nO;f!PmDm9+iME_G2!uscav>Mn( z$<%I&KiII0m4A^I z*?tHf!6y#10Zc4r2ze(rUILCCvY)L!QsT&XA9puM!?X;5{b=-8(bIT%!9vWt(Co&D zEW)x;C%OvoHxyQzYczcp(w*?WcMTCjeKyPoras@uB|=?#_Gasz1Q!U$;q4rW{mvSr z;CfQQt5@WrB8@`v-sh~2k?1iZ>i*fly}t1|5c5{txuqO&0A=Ah>8+_nxS3@SSU^UV zv^Y+NdakyD({)zEd9}ug<_opUkuHjCi|f^Erdi~}{qd$@#*t}1+6;lul5T2C_0(dX z|B7P^OG6$d3vJ-pC1g|#ue(~POuTf(cOMw_VEXEstVhZyL~RSQk{3~-{Ur})5@?@U3aP3@V{QLEUKlC7#AjVYdB_*nJp4z(Nm*}Hv^&}T9ZqEaW_y{$5E-ql#hV-tU%CQ47sF(7Q=6v){NX@_gOpVSCfMuATh2dLkszy zJfJ{IL2aG^$CRtAV+=N|G($>V*mfk^Bm~>3=8_2M3{!UCO`uZ~shAp$HG!Q^DrTk# z8Ih+rjZHlz@YX{Xrujgm0;t?#8cK`O3t#XdDN3*W2oH^`)n&h1B^n}tumDd)bfp@u zS_IFF8K`o+hV)-Zj4vu`QPWXTS-jjf_ZY_u3#T7asv2$od9Fm@rYn0=9LI~3(u*aR zMB*J%4?B1wxDC^U-;OFI<#z1_LU|~@ANPy@W;VxQGnDvc8FEbh2xc#snZsRFXO4g% zPn?O5<#O#y&B5AEZdNg>7w7z+LY#u5fOh(2$@z@q_f~?LPF1u%Iwn(8qSSufl zyA<1E*vWi#Rbs#Drmi}bU(JR`8Xw9tDAs=UE_Xs5$n zdOBn)Qw~88zbf%obgTBX&B|$K)LcZ^rTd!44^_*D+`6SQJcC#8eu1)e%zYA%Q0mcLRyH8BIFD~xOEhXh@8Ovj)(Xsp;| zo6qYazx$dR#JFs^7>K7JJo}X8+-v5#BiJ-(lA}rUC>Se_Qn14U?DzGupFsJH<2koyGk|x&L6^X#jY)%~XT?Zvpr(R^-ide^no{Oczh5XC# zex*h<`&3gk-O)WX%!5w-B}+BJ80hOb^DL$t7_oM>ma-O2)8B~op}eL=L&zq0?aa5zn$MN@9;OsD%nz!|+3bc@GZK}T@u8Zw& zoRfLl)p&925Ut%VI=sfkIqwVt!eQO8Hq1M9oq-T%JHDIw65?QMtSunSklnpPa-i>kH$;E6?zwQlPX@-gUf+hC@ zbT4<;YV=f+Yt+Be$2XrL`dyH_D#>Qg$c$@D$H$1b5@}f98rYu_$i-yM;&$)=qbPk2 z8;YxZVSN*qD4}%1KLsIja1BMN*VcRTgpYV2a!e=H8%CX<%bn9|Bc)jn#bYINYy``d znxP#HkN8Q0V_v-fhSOpjE0i&OILc0sLV;}Bu-(1q?J#cv?idd)m3t5KpM{TH2H=q z!Q4WPZqMg<$mIsy8I)pvzI?3rxIi8(`KravynpBu#9~#~40=&Qsocw*URSGDm-Wcf z%cJPX>RjC7|HPsr%fyu&UsV8b_2~@@Jm2f7KiI!;ihtcN_WjWkgd40j%({R1JhIE> zhRgWs1lEA|6(oRspE@Z=t0w`J76fwQh87xzR!rV_|Mlgb%+RjB8Vjk_eQ$gGs`rp2 zZD2}LgSv8DcvxT$aIw_9cN~tRzbwA`)nOO$VI9j=#prY`=tU1PWyU6xXR_P-fVz92 z@{e(}AnPI}TyYiYvMZ^#5fmQBDXvey(f)h2qcEY9Y9U|jxC)=T<;F*bQtUsV@x@Oz zNqF*-Z|!tnsi1OxM8&`&$=AX!;&DUnn9!5}e{7D2$1?rua8 zML|Itr9?qex*J5gBvh1?P*PGlq@`0Nr4hclx$fs3x<7GG=#w;qLhaO*o!UL9(=)7Nr z=>c15ob~BN)vdx~J&>#B*x1-={ofZs!iLmax>%XNncK!HYzFVu)in|}ycZWk7pcmrpRDtH`9Ac`bzzlD0xwK`teEEyse@My;ESLvU zK#AH@+}HESx}JnH5lHuxEA`P0g-iWGJpB1ek*+RiotoL=cOvAXewn)-9hb z2cVB3*;IUk0J3+zAo-=;%D3Tr*D1(E*Uz*=IHjCc3I>2h!F$<04a2>7qS4CE}s z8O)@bg2}gcBOejfKd^%zjF{8%C74MBCT5NL zLqrp@S$ugEGjl<>z7F}6G1kQuKktbQH{3=&ql^9DkwHMRC9=<*>Yox-Ru3_XH5XOm zEsc=Ika8AUc#t&KKA1jz0O28tSDT_JcYrqNp8Yg<%LeD-reQwAof(3b?;mSGaH}+r zB=y&SkVYO#)(g!CPfHEbcq4!980i*+mr&05P2RzL)-YGFrcwe1aQ(;*q}?`E@~&hT ze-iS%#-z-#Q8`E+RW;Q7cUh0Ad!!RJfaNLn8Fy7;lkIMYke{j3qusoeGQIZD zz#&)NM_2%g%_F0##B89^{MfA{@kiMCkk^CkkHf`7uw(l|O(j?J27&1}ptz-|lMeL5 z4zL7hGSP=D#tZh3KJLtVJq-VW9J6%i`}P$HV8_0nM`Yh7h^77-d6g+oYdX@vRVMTq ztZE|;0qR2f6CwXw$!yX$AUH&3+visIuaA`}h2X$I{+O)z}Gvk%^yassA`@4a|(z+N}NPky_r0{4#3Vy}2>0epuR`+kq z)&8FrzykOCW#3YBMj z_{9Mu4DlGe%=?R(W^V?`Xeaqb{J-PqIy`s7ERvWw1+65X{^#I$0LUEWO+S6xj}@nY z%jz7yQ3n{3kd&6(%#{D5q1EQUzX;hJk8nNq$1I;h80H2XCeJ~1o0enI-$fEk4&R?Q zNX@Fi6G_E53rT>#r=V-+mbeQ*s!b^799Hmu&){pLJOdmSmFF=i?SCNjE@GM@b6mJo zH=xdYd$&(RT9maIiH{7TcT(**u$K@9QLMuutiSOA^j)>kEZT zPo2>~Lw%~<5P$L0$P#&I-v1sN0ycpiaR$>vA)S=FOY3&=xBc-Zfp?!p_$&LB>8c^= zp#$b`O!0$F(>l4byNrkgF^Qs1UA#6RAe61a8hHok)3X5aH%~!2y?hW;$E?ab8%XUc z^@FU3Z-KlNoU(QwE_ST}8%8@iWcGCkl|#>U7xl(mKV*Lp6FbM5)ydXc@cH3v-cA=t zd^-csh|a+$H;?2>d_g3r9>5dBtAiQZItSynpE{zuXQKv_%Sw=sx`@O_#slywynsbO zcBy!x#-WhO)w>PZb_~fs%ioBfc6n9|-*L9e8;r)cxdplMgBX6@Wf-_%FQbZmfVc`L zi)%M{dg?EJ2NcX@b5dX+d2%-Ck?{Y2dT31(vKzZaC%TX+T|Y^X$V!OkSgz);9Bo39 z)P_-~u@RReE~edkLgs*c3GNLW`hh!xx)XVGQ1l5V6oi*w#nG|pwnG>By;Vo(OHw%gd1 zO@>$NCB;CDZ2%_YqA1%I#k2_%C05RkdcA8P6M00Oy_{~K19EU9Q5peG8>>|(@E^@n ziH=uNp4C-PnEDYKL+bn#oQMx?C9G&D9>g-R(8-TH{0|`<@IlTA$VM5;t*(mUG2|kY z9jCwe$O`bWbpJF~w`87TG5nEl`wJ^y3;4k=BtTN6)`wFDD48$dwo@zNi+>CL(cT9y zX9J3%zx8(B8cT2I!uNyFoT8s6eC%ApM6~Y9uz6F5e1<=nOoI_#)8J*|Jsa*Z1FD;6 z%itv?6Z7h89I-z;-PL)~uSE6FUeG}OD_+Z(^hKd6%RvI?F$O2JEcjA(;54Q`Q%@C= z2)sDSyupE!wh_|j*>@?QrcdTN`Isl52WKv4w^FS`l7t2(xvWs9FxlG%iZiW=OYsSjsB+)8r7zA#3lX2nNkZvU~?Z>{&&~V`T{ir$NY0G z(gZzsGS8{e1$g#MB2rzIw=5)MS4&NbFm7kCVpUvHkDw)eH7&L=R2YZqLj84N-eX%- zoEtV;-sNL`$&^o53(ORKP2VWOdECP4XbR|kRD+t?G>a5_r<`cemh+df^oP1FUOFWu zl{)7*H2ryjK7yZvXV7sOIuOv1z&Do-z8J5c!h>JoW2tMd2Q2RAoYz$b)s&2j_r0i$ z_E2gl9;%cFL`w0rG(9jAJ$}6pvL780Y#6mIOw(!6=LFVLrJEjy4v-5`e=j9FR)JIy zpDZ0`%|!uS9I*R56Q6;oc%roz-lwp!1NL{JJni%<#PK2WUw=oNd`Sog=t(0jLUf8W zh@8?`$hhYRE=IgRRtQJVhaM^Y^SziI|HgyB+8wc6!@Y-VSxKs#v5x z51nCbLoJd}^YcDLftI0~6k+bG4R3$?0mEZaKy|-NA>q%!jpXZ&ht=Prw=a;Sp7g|f z0qB@Q$a+qfUvt-V!8*N5pWHz33X-pn@ZKLwSWIxIGXgNj7oiskS^)|EfFkOwj=L>= z9vQw$B*GAR0yCG@?VG?$WbXVnN>E3nyw8a5(1kT(Wq$IOSp%_h%=NZ+KYg%+#g6x- ze&C=No8a{wv83E7=roXSE4L@~)o0Ze4VvbX%9GTp6oC3s^#%q-pG~d=9T7#Zd>qTT zHq|f4M;u1AqpHA~-CZbqh3FrcKWW{$viB)Eixe%cYFX0%hOh9>zGKs6&S1>V3GjL@ zBLnC<(7d=^!`POF_P`L4(5N5oZLJHYn&Lh4>)-qAh799@Z``wD z|3|iOu-Fh?DgHgHFrssy77xBW$nsbC&ghq<`3Xa7Aa@c|5P}F-EHyNl!Tprj zg%(dg^qi|{m@jZ3@HI{yLLn__Io?p0qb`y(7mr?L-_4562{jZk!4$2mQJR7CG?9-k z%z|>bi1zlEoYEXRjA}MreFmtUopF9u{@3O(VP)=RI$;KI#_6$#DfF`Xv{zA1=*M?v z`vk~~u6Ej)`F8rnG34U^gR_lnkG-jwu=@3hZ=gaN`uqXma!P@8z?YRjW~!dqnF`+@ zJU`gGfm%hK%JE>6dM-!`(!a_T&tg7Oet>}|J4AQbiV^sD4rt^t5jfp51|LnlBS06D zQ?0QP<+-1<94}`!7;zb@oTw&bPK~?@qfxmnk+)_~4dLL$w~NQ-!=|H{u7odwk*9y< zF)g2~E?Q{p$SE9{Q!rGN~Utk~Hj?I~Q5UJC=tk@VbVf}@X|h%5+ADOC8I{1UmErd`05J0xR2;2=8F%D&-)JA{2lT$cRX*47CiThJ9&36Pjq@NFPNGh=2r0{<%{oEL zDC)E#YkI@b0?9C(8qGoeV}R$Pn*Z8|-wyWK++uR>5*&cJMZmcW%Vb@~18nk2y8ZvU zI8t2XgWQ0|FXm~L@Xw~c5BYldT1CM-z&|Z2`h*X_WUU1&+8}~=_vjhU0QdW3)$LV& zzFMsHWeqB@FR6VKb>!j5Z-LTiBR5W)2Zp06#F-j4W6fLL`tO$giHmHyIZcw}R5&8o zYC`RyK-@quYq&T(wNxhW>I_{n*~0~$6Gue>Z;E|o@+(j~nbFK{Le<-aeQyBTxs^nS z|1pwXE^|18^2rz?{vJSwh4c)@d&|9-?xrDt0vrv?+LGJf2T-TTG)_qWFYYm#DEQw? zwjq(--vrr+GvYE#5i|>IK59cIA_VJ_85tuXEP@J|thfy$OcJgiCV;O&D(p!>$mvNt zP>P4M6Ube^0ck@oAV9=U`D?atpC1!sg`}JHLv+J$|BW(M&Q>BaTLc7#3S{x=P=Ovs zu-Iuy-8H){Wbcz1BjhW)%LTecn$B$S?iVw2ubOI>NEkKbrRxjOdAX@Ut}h4 zIU?9x{obbh8Ru~uVKURx)YI0#&(3dp|JKQ?>~+!n*619!YzZ=+IKh+i-_yxnWuBua z$LSjaRrbh2G|GR*|zZ=&H&EZ0F6 z^8!%!Dp0ERcBf0-uX~^Rg8m=C$M@+8iaDX7zD8;)r#^d)^cka!%zUT(F6eweLTahOW$)ku+vD2`W!#&PGe!x6VtDk5Y<} ztXZMB`d$uuu2#+B59r@q>Fho?PSbm(|CS_PfB0aFBc_P>n8@2euv+YtqeggU-m$DN z1LhppK1q7;6GV%$Ucok*;b7YE-u-eOx4QS)UPIV!LMxQC0AfP5$bY%MX0RKWN@bbIomoh1mhaE`*MxywJzW!D=h zD~v&_$ybTy3NVEJ%g8KOzcsC^^R*>_sdV1o+B}lp8b`;W*L@%S<^Ti}D;t218&R9K zk2!rZ)9VL>g}XBE(VaI)l9xVP&IxPmr$&8qNM&Bz6JFu0T!p&Y8$}XUL+J?DdeG~Ac1sk}VD9;nvMC2oavIPQ;LxiWr#&w<;iCv{C{vXk z_zYbcD~&h+LnAQhG^S)vD^IxW%6Jcm9yTng!|;SpF27vC2*PlGzR;mOGg&qbG}diO z8XG>WtuHSDQp8ngcyY)*n&)t{i@L5O~wV+=%ph44NEBd&6>uR|SfP6N!BjXat-aXF(o7WXgy)~eRaUuU<-6AXjs z&I1_9k#&`r3ugQ77FeV38U45!c;=Q>%h{|+_wsGWh7uqwf9n70w|lK~887k#3gJX? z^c8Vp$t@rAOGBAcWG`>|oe&2sgIG181$$ls&h96(J-^=)a$TZ3u`5Ncm4eM!u~RW) z{PuAcZslWvxNXxGu`$Sr<9I8J6=!v?nCwBHH`mN8PH5B_k-pbq2A6Qm;{o4E$-{12 zJ(;4um}VF9vXI_@k@}p6Y_<)=^p@FKr#*k`>mR(UZ}__Xrco)#82cHZO5Tb4{eqilS749&hV?qz0Tll-S=Xtls)m9m z&eVMyV2T+>ww8HHfVE&?T-U)201XKrB#0y{;Y855X@WXb+!3f*VdXaFtbOmoFkNWL zw63A`W#k+t{oM%ZIkCe@|29Ojwa)q8VfeNoGF@9|<368FX|njKonKkhC-i?oy=57I z*Nvn>#%GJH84Rd|YDtGwGP&sbjUbsHEn84rs)?ThZ1S<<3IjK{SB^N7(MNd8*JhLA zwR#cVritfXLheMys|~T)n$oJ|{&^?%(2r(Ru0OFSbM;W8o!+aslag@LEI@tkF5&d|Fu!0=@zY7}QhE|9NZ zKe@1-y?bM5OB#*-NF3BHqdn`OUaso8RkVih!_gX0J(i&w|RLSRt*8xAw3EKxe;ocuO zY5z`Cbo#isdG?4%#;6Q>zLe&S-lLhT4OIF$;aixFe`hH#KFdXt%ziK;mAcs|t_82; zB_yT8OW|YFCXc+N)OQtTuG%3X9Dpk)@a-d)OOHE-w+Y#e`;F{p_hDJ~*- za@N;aF;hnm=nqFI_Sd8x-qHB|x<9j5#t^Z3eMJ(1>rj6cSIhV*Na&e)vrauca9Vxt zQHD{9EGf>A6!qG?|9CZ^ky={iGm7d=rh>39yuOvz*9`VZbFom-dn zH`GMquW{}8&f_Hb$X8uY{=`0S>U;yM=rVe|C6{XUFKo6srAH}6&IW^be~2Y&g4iUL z>li@IDgPaFb;(6Z%u1Mm;o~L!mx11;ettKA>LHg4P1RrZjE==OsIjdBy*|B8&1)HK z9O~|AL|6BjN#|Am73EyVD2L&lVnXivo3{3`qCf-;?nfbXdyc-1%+lO zA1K>J!knkgj;X@r7kbm8>&=^PR`)8o2+x-dR$)1+7~Z4L=E%R@oVegi07O(nicqK; z6-`^|&-g6gsC)42aPL>c^w~cwZ*!mdb#s*9X4c7-(2I{!yN@Y;jWdOnt6)NxlI`0R zC@VjT7sMmi@m2VTWFChlJ z17t!wPKOZX$uf04&KxGekS|8D_wcJNcPu@IuD;B?(QfP&j>G0tVi;U!Hv&zifg4z#eNnYrDu@4I+Oa59+}lDaln(Z7J2JE?Ux z|C_M=yST@YdR8(4MZVIMS!X=A5uGLblO9oG1?CW3W))HJLd;gw!^E!0f|sd$umT1O zPk-qqAlk0{)&Iv<@c2LhJlIGxn|%F8*uY@v6OI0SozMrM1&eHza*V{gx@bHqN#OgK zB=i1N>{>2+r96=^F>Ntvx}njaQU$h;u)@9e5RW>rdSMQ@Xf1GAW%Dgx8{Y-=mQZw5 zmi87$%Z#|3o;VmQa-}MfP5zwF5GhAwzz@YE zmfGt7wE_PzUxBh$kxn`=9wIjJv3Wk>o-5PYFZ2ayhuW8RTzv{N?MnpyYIGibcB95< zfvDQuJNK+PkU36Q%HD^1B)(cjk{cg-|9jq{**BY#B2uB~awIy|9h!PcLN%0BcFGoF z^*5lkir&lsEdC}IE|FHcq*0(JNFr(gcl|6(hs!H^e)2o8NrD{eA2W^vzC_K-a~# zR2*Z5q~vOG^&=k&Od;T47;WZ*KTPKQNap~G8V(Fe;R8_pf4`e|PLBRntBHh*97Ayx zSDg?1BDAZsl7=bpJDv^XhHz~oipa=y|Bk13CXC9q*-6o}Pugip`<_l#l{6cT1F{;2 zx}9?CHR&i|NK;6H=M8$n$Nm#QICjqxv!Xp?N`Gb$qwx9@dCFUsXcU%}`0H3|y(rKY zeJNT>QZr+E%iiM!w74;lS4B2oMX42-J8=74b`jxaP(5^8M0uZJe9cw2PSGz|tbmgu ziHgBe@$5~+%bp;^4)M{<3x5i891cEt|KlZfE>)w(uvVFA!WVFXT=zuPDNxqm7I82i z7+tRO^S=iTZG?=mh-K%cSW2vdlq@|a{0&5ZfuwB0*hew`!7pxCu@LSD;$rE~lfKVR zLs2&c?@h0vA_cXY=&C@3#ysTO)08PXo{*HZIaY zCmq|=Dhbh};G+IHBZ&1l08Jt$Y~v=@iz&#Zj~$7c!_`B}+6)pqam}K|cpe4ohrf$3K1inD+*XQ@ z%2WmwotzhLpA~)uw;k}G@-&2HszK+Wyu}XC;MRF~ftq zsq8bJij{&8VEgiA{TZ@Jx={tC$u_gjRaMSHsfvmw|NS`G7Wy#i~6O;8GUF0t{d+0Bd!uHC;1vUVBxBuqiT8?F=Rf-aL)~D4+ZPOdMg0q8`oeuU zB+uUkD$RccdqnR8hemAuTh1`uv(r^h;Zuek8inbPp0VNE_PES{!oTue`sW2~F@iiT ztV3|zhsvWRDaP#M4{L5DkkBi-**k%QlnCymnI`SP{42>*kNt4E51SQG3}=L>z`7E= zmBJ-k-Rtvbn&eR8LZTfh-9(S@1b(sf!dx%;emb75Ixz^-dlvX2n%eP9!kd$QnW9)l zc<@bHZijLyzERS5FaEltK8yWG%`y5}?H|$pNe+w`gIYIl4|kL`BGL>;+%4UQRSsFT zAQ&_T+9-6w=zG2&?TO+}j2hd=(497f8T>gv(StCOH!x7gTRUKidG2_)ZMO5rZ5vnrWVW@w?lWGMOa_wp3nXp0p?`KOfKRdG;MnBXt2VJPXU#2Q9MRK*vzLS zK0jZ8wjEB|+8!~YSkwR00#rPm8b|02H@(wLtp5Cb@AI>r2TQdP7QpK2Y9WU^qS@@t zKnmX|^DF(^Rdl@jz-+3{UgJ?jlpWFZSO$5^06RJ&7@#)!3BXzbKQu}N^yE^{>^!D2 zTaf{_Q;5^Yb?gb%2;@!AA20dW*qbA5OQ_SVXof@6Wx`zkwx)eh!&gM?)4i4&II{8(Su@t+M}wkn*$HP`;1=jaDwDZvqJ~D*|e( zUcyjZ1iqdjxeM;iRA;s{K*{^T7x$!T@f%cdwz*O_vdD%;RR)MT(h-v=t=C0e^PCy& zAbnYCtO|zv>d|NCB|Q|+Z)BO)BAJ1Qrxf3X{*phS7N9*57Flm9EFSfZt-*lEAgjrU zpc};YC^uEdiytFIBCChFA*t+1^juu;lFSRpPTqhXj;weyn3PS3atp3K71H2rZlTLp zYiRphU-8GwO=#mQJPeB@a3STGg zEv-v6qWB8TUbvY*6-=LjJ)Owfv2I?~VQ$?U%FW0+Nd!kUUp2UmFHUT*gz&NPbtK1` zL~vskh+-8m%!{|YOow#kGGQVa`YO7oRaxUpDF-iS=C_q_xE91N{8lu$r;zL&Tho?p zE(Y8!|BC@N&T7azYTuWfsWv*MpU!NRE@yaa4V4^xq#!yHx<;3x^qMr2vkh*0j=xhd z&PGi+%AGFv)oO>|&{YOkU0~+Ajcw88T0{;$DUpJL~Os%c@IV+GAbv(T~A6sI?PLKY4#=5fOfUy&k)Y}8C)CajZ4zUzfvNl&R z&_!fcd<%A?X~5o9L<-Y`Po|&FeGd^5E;TIB2{d94ntpL;bS3UAvP>_$nTJW?R#H$M zQt7f|qBE|*IGp&7N#F;XKJ}WDU)7ApIYJnp$XC~En1(LOH*>6z^vo|ATBSE=RLA)U zd>5D-=F;9NayjUgYp|DtIf?Z~BpES7i5p?SCvddt=A!a7lUaqC9-3GrKZ(T*>}J=) zooUNv59sIm0s=TlUSAn58)%8`D+nDvLA-jqk6NA;)+jzW5lxO~n{htmuKAJMz6}OO zjhb{EaV1Ysy5+U++PKIRl+=UvCZtR!kesveqIwEIQ>yBFp*w#MPK&(YFE9x!@*#uj zbC_J;+B6vSLkAt<892#m`#1{rASt5g3furH=0UW>i2M75NT!HF@pRsfV&3XNt8NHJ z{5($0H#0*dZ^ZB)IlIT8m9C%lb0!uct(J-x3qFnc=3fiTl0U|5^Kj_j-T2;XA_~lP zxL={w*Z_r5(vmxtfR5Cj!D<_3LKHJ|51CS}qM8xz);Q!k@2vIEnYh?3I4b#Q_klky znt;hWEx@kvzl32R^6ZWz3o+^l94irI(IGW@dG3-a(o=WHqFHxCB7M90N@?NSQ*nv% z{gB|yN%SvCI5I z^6wY;uUNlY3i*D$2^ss`3zqk5EEM+qc0l%Nz>9JHcKgFex*L}tCVZb=#+M!E?b(M4 zEUf8LD^<$S|LvFhZOWlkL=^XyTC0L6G$?Ly6ab{M? zs}0$ldJq0V_<91aw6>J`0}z^LDD*D_@<#C?Ym0;;Q}-rcO`CM)rOXX8gN(`ED0^$% zAr1^Ck1bzaxAwnm(?1?(T=MjYBHdy}+k#MFwR55ZX^Is%*M`HA4r#4 zC0W4SrxGLtec+*^=sl90yoi`mwkFFv^cXAD;{ynYb+GG=8VS((Zn z*rIV#pKRrSG|Gf;LkG-hU*t9u=glBV?7jP7i4(S+w_8bA>zrae&4bxRvMjGeVYF53 z0A1C~kWS?*hUC^r|F3Z)nP(K=zBI=7d-lC2hK&yIpW?1<&3|~$*7IB#DEN?#-Du9+ zy{}_`Q=VOu^8xXty5luTFM1F0?NZr>j-ZDDtulcgmLP;v%1K$N(8jm>k&UJd;Fj_cn-OqZ)IF!;D_M^UMM-2ykY74=+swMrc=6$2A@~Bp&?2OeqW=Up?xkcIgL@{YE~WlO*SoJ?8I z6d{p#_8%EGJCBvN+|%WjN+GNwZ1lPlU8b3pLA3)Ixs|vnIVLXTiHL!*zX4u=gB6_^ zR1_KkBQV%=;q%J5*VuWpN7<3l#K8`treeo$@DiavKLnNZQ^(g_7T-ymN(PGa1L)-# z&Y&+-b*9MvsLQQ;XGWQD4+!nUK(@%_i(lG_72E)k@ z_=-8Qk8=NTk1igYvjpG~hhdqE8E(beDkFLg8#skR#A z&!JaOSi1j%|4Zrw-~o%tN_V1`FZa^&{`~mvhJ{&2Alez9m;JRfd2|1B7(p37C(3s} zSL9m0{}qx+&n^S^>|R=KZPpCbh@!}_!-p#CSiJ5^T=vJI^BGZy@{ULZdyOBZd^Km3 zR{bY*E&}m4*s0@UOIYrs|HJx`%aK8xXgvW`e0@SsHFbQNnDY{@6kZVH*)`>%jDS_d z+(&wf%$`D0%bQkj+y4BJY&%i;5p@EMQXL;b^!8tTx52=V-6JGiH!=7sj~FdZ9uZX6 zF;()HGmhd-Qq63Ut2TA0q=ns6`bHJ+#CKLlO?41EqqFrK1HVRV)biBRd|dfJZ)JI` z{t`+kV$3_@)qA5Sq|6QxAB2_r5|;10SzO$TJN}9Bt5dtsMTIRvg+m&|0T#wt@|kLp z{@gc}MTRtm-9z7Ykn2dsIN~_8JH%(o>SC!Gh#2Nnk$Em?Rzj7dAsiTv;bEI9BoZ-x zNv5sI97O!3*Bh<7yE|K~rERvxH;JM?B(`km0$ z8*PzxG26!VdKQrdJJ?@h(DBqtQ)z9SZXC&>AO3uBgW*P%x0J=GquX?E>}`zq@{zLw zTYI~enF3fHr!vh=J}1{@JT@EBrjOs&6^A8!J`noDcHY0Re;GsBc!XyOZ4gc5<|(O1 zq8;HUCkgpS_eod$FZ(DJ9z(XUE`BCZuSPcI^`Enb|K)oOv*@$r?sc67HNfD2v%t%L zX|kD2^9!{Xdrn5PxCWtg`#`K+cOBZ(w~ECft#c&1PsSdH@tYf}a$gerU645mCJ8r7 zJgd@H)T~{R9C7w57wH(>c;oh~eV(K_1!4bolnw|xalh(j@49PJa`(v<&>@iSxohF9 zzmHhG5%cVa(t=h&mT~`k{zet#e^4_R2{GF)y)LLCZkS?L#N!Lo7oL>Jfn1+l@Cua^>ZHV09WNcOv__O+M; z`O3?YY<7-$VS?Xul=y#*J{uCPwot?yBW{ao#`rX8D6M(PrUf_LP`@3$6|d_GK?S2t zR};j294HoU1Jl*Q7@UB_YOZDR@>?@;qd33zF9u^^SN(?Z0gs5B}M^ebSHA>0`Mwu5{HsNC$tLVMX(krE{uZIZ=1wHXXs9 zN={kh$Ul4G$M5HVay`3V`up5uT_gzeqYSE2(gXpG98Vp8a=9-2`u!}&h~T_p#%pIP z5LfVI#_h+mvxD=c^O>lpy}yen@9;4?9!idg(cCHKz@j?rK0khY_NV^c#9{rv-c`%6 zjupoqASrL_x#Q6WOe;=maGS>dG0wWCB#W7YPF3Xmh;nsnF!%B3=SMqkxxb^ogq6*% zBidjg?4p!aeG6~`p0-Q57pJ~jAsi!!6z(@DmD9BsqKSxrcn#J_K5c>I1gH_KKyK72 zsH?>6H$#UX3Q(K|7Nywm^=9AZu@Ut>fI>rzSrHAU-r=JbEvgp19Azb&;p4VOYx8Yc zgN$DNLD?aO3Ql^(R98kyE{W)X2CL`Y&s(%Esgq*ocu?LN<7>segCaLa&)k+3Xm~U{ zES`Z(lUU#B!bGq6Z8MFL>PDF)$zH8&RgC!{sD*_{y8l#N`SH%1K>K^_7=0p_u}pKP zI{F&Bi~UO){!$V1;oZgEqMdd;TT(gyIgN4}`_;xh7~NM`9JdN3 z4A?SdS@?V3IMGRqNng5j-^bDzi5xGAZz2jdEqxnY){i0>$EM8NWL$Qm6nCW{sM3uI z7;=HhpHeMyBe)(8(>1EpH!L)*gpDg6J08REole?^;zUxBQp&=qT&c7?ymq~gtAW%O z>K_}8T7`MBl>%L)$1p^el6W~&g5&^?|IVGCj^0LZ#^hr5WK#F}o0Nx!kH&C6gMi=J z9KHE;&zq9RT)^emnazVQ{C|z#Z96L(M-#Vl{mQdS!bV$;*=-|yGmclbz&b-!f?aRY zk@oygatU+aN{POTaOt{Afm_6hapl43zr&af&5Zto=k;eLO=m<;Q&!885BHDKHM$>i zZKiCKyv+I)Izt|>(e1t>+Sq&e>14v@UDI+Vj?C}fAwL?@?!Ya#?$pl_=U>ig&XW@b zh$=nZNSJ@^dQ*w^oY6u%`>X!Bb%KT)fqK zKgVI*ky3>)h>oojJ0N)F4?rgiBB%+6FGty=9k<8tl!$QF&1ro0ODmH413sM{j-VGh zfvlQqS2$SSj+VS+{gG=#n(FP)B6Ni>sV3RT_*0v4TSU_U^Wa~2<`%i0w@{aZ3U8vweoM9Qp+;wc2DzbCD}`nbC(nvdk20rj2K&g7-%Rx(_F zKBG)CM!}lJtn~HIcm?@$W)YKH4{F~P-C9=}IMSb8R~YkkpI31s7F!@Gq%-Z8{p;UO zwcCImu3vw7=O7FFv&=va#itxJg-aMurLli(1%z;ws{X_!Xq)r4r+;_*Z)lY0&+LXb zBctin+bJXAZ5h*F;xtK?apyNbe=zWRRq=8DHCj2p)r-3Z<-FINOC1ph$XAjXG2$om zY!0D!RjV~UN%wWM@b*FPfG*5R6DT-pi*>Ji@NB3JHV^K~HY&8sg@r`Y*F zIGg@LF{1wP=?W{z`*FxZiY`dTgF_8eskO z)#s0Mp=ha|gfq-BLGjy0u~SNGR!$pgIP& zGX70;oO{?Ui5BMyJ}XkGE+X{W^!D^;F#h(|Ln5cO*l+d{Y+5+J*>|JLxDQ{z(;hYOlD z+jvbok>2LkL?#TcZ-n?3LblbE%gZm=C&n*`=t+`3O=*h9*{6%T%&%k6Z(u6uk(jU| zEtQPcTYu%-Tg4S_)GeO53SB~MvNyQQ35^P~4I|=NoNhe|oG)^(&ifvZjX_lYY35ev zzo0)F3|^Ep5M^&I zuCxOFw)}H)lSD(#wZ=3kqd2Q`B4`}*Icv|-dm_>h3v6K7%;jZkE8j|5coY+7AM3V# zE)bpHPELpr#zPPNrF1M741;DGq|{qF@7cfrZ5c5wI_=H84~ zrAp?ir%}k5`93^ok746|ZY7}&LIpE){*GsBSIW3^pH@+zY;Q=tzGAhV!oh@IkDLC= zW1`YNPR2SV3wE}F6ozi}Bm8(?hn2y?e_nFQJ|W;xRZ6W}e>|K+FC=S{Ps2e)s|mp3 zBizizk7UVXE1H3(&zWbYKUp#7GbFt?a}f=7f{-6Q2>zNF@VT!3WwghrmY9Wuse?uB62ra-hz3@K^s+oZ`Hpb=%n9=Z@YbdQN?gzxwXlMfDUp>;aZ2QE`h*wcBS*|Ct{epC ztPG5*k74^BoSkV$ZmF>RfQo;7Pq=5dq$G(7{mg7B*sdI8tTMd}3^P#g?5Go_xVwG#T#?v-lVy3dX z1k!cnor*ALc1HiD&<|+WkJKnjS&w6s1-B61lqcL2w@hDa#i)y|sQ%7QkU?L^(-C=?C*IgLcXj_!X{!>j$BJ2Hj{YEIY%Uy&hy?FdgbS{@er{VCX z>5+Q|p?)x8Xt;^t3?X`z=Lk5ka{1=%#-$R(`jWT7QyIMLVz&+lzzoaGi}7zDHk|}* zwC!Oo8v4S@ij|gvbj@7^g9kG+A#MSM2N>5FB1|;wg(Z~=adM2-U?in+RkKd{0(7rQ z49r`f`nUCoYxGZm%YB<8i2pN70p|s%xeV9(TC7DeDLnn!_$P!h5X?r3Qdve5ag~yuzgI`#%_3oX{pMM$bLgQQJ8=AfsBz z>T#TwXvd;i)&v2AxB>g$l|lLXL>rMS!@4bExn+fBE0fjEYC&IN6ciG?V)%8!O^uT@ zF0Ey89KY!ZP(M|ylvmeB@CK@|3_HGp1@W<;i^=w%k-|ZzPlAf+#9n3%fQ{E`J2}yX5wJqzGRk5+7gOzz|hFlTt zH4>ZQ3UbTM8t`rTGqMiMA~+Spa0~TtgZnN1y-eO}8NAvmS?f*(XU6|=WYQIWEs|mG zWeaQf~G@v2NlR5q#KMs~s@t{niOHVwJIHt+jgC~4p z5vlR+*#R5GoHGb!TiD{1>LcIw1o4ab&XLFly+jW+U9q+cT4k}XWJpk|P`gN7g zZ@SGLZN5Iv_%fAXX?OdhE@QIso4Av7m%S#cY`V(POvQ2wXuf;d|MG-CA3~5B;-{It zWAr3Jf1^fwKW_v-In{B#b-06Ch@pJc_R}P}5ybFhz1B4$SkAKqN-PaI6o zv0tdxBn9^&5wU%LF0>Nn%v(sTChgjzpVl{NmW7jyAjL?b>h~y8!1hnb6Xa7aQ#P+Y zgJ1irRxijWPy*0y+g};Ii~I;`TwS03|Drm(QpK^>;F* zoTJB=mD%nnhR7*mliM+qU3q2q{q;AhqQ``ZcVCC<2@9Gwk{M*nmH20qZT4i@P7(55;nH3F#Fnz8W$~^?I4AORD!;~@ZPuUvLI%T}4Y*Xln|NOFk#u%wsjEzh8Z+UF@gPn-xSSyDqL?*V6aT79do;@iSjP90ZbZH@yz*Aqwy5=0q?>_L)TsS$ zNL=?Ojv-H}FiP`o{RiLaB%qYWVza~|B`?XAI-W?a+C-{wYO|iWxfu@|hXF$155kqt zrj4)V%lH@E+xN{QqR?{3Yj}1SL({8_@psYMAAqFOc8vwH36}T%fa|{O706{6h*VQc z{%M~lB~r(@@^s1R<|OQn>SgNVNbIg0m0j=jV)eB4N2956;t_ZJ6qc}HVc3;5*n)<} z6se{tXAm@%mPj3vhLA${zrHN_M7@`Bewx4F!0)zyPpH?aXVI-W#$s9c1Immi`m1;c zWpioXrq~Y3F&u7`-yCXr!9u9p?or`eyIxrDKSZdx-Hgtx{#jwoA9xM&}je_uol=^o{&>MjPk zVYJ_U>V!QC<$aC>-82evBGPg6mhQ58w5xp?eH^w&Bu7O^dKdH@_X!7VeXN7|Zw=psbI3OU1i0lip74u}m!|7g=rXHq*_3qa;@C5| zEc!Lr$l(oUJ_qN`gcnHw!aTa0X=%QsKIO#&#T2 zSnl?_1uo{#XP?+5DB$*Oz18~|*wdrxqB%_;sc{XxG)P|!Nl@QX^Fb9^sIqZYQ02E& zSV^?~0@DdHEBH5m3$9G$xue)iUKTYC`ZK~L4J*tpK=YS`uQ*g@2R`QuGhdRMjHhksMS z>;B=uPWB;p3$0-qwq@*yW3huO1pm^>P%T*~7dmaAZ_>TaL_PSB^nm9jS)TQLc!^_l zSHtTA+=Lv^CF~2dCC-gZmoO}@iO5uX|;Z8oTV-A0b{_+>w`RL^0I} z@vjqj5)unKvgXy7?)DSlwGp(DwE3Q3{ZeDU?BoeP;ltlTM5s*nnenb5+sBXiUD9zj zq<*WF=2}LbUT#N4G7QJOlxA5_EL79~!gcc?%q?Ib>+_5{ir6&;H63dk!&tJ5c@ZEo z{S8-5a1-B&?lUM;N0)PFu(rBxe0t1I`PIR7#Y5Zv@IwjTfmF~!@Bu;VzsADy$t3*) z?o~#PDKpzkV^C|W)T#b#-IxO7))L!^;-Q8S>+CsP(fHk!v`XX}!oCamYVM_8e}&UY ztUR#}SvmEMiiv9XEQ@IjLS?Cst|e{V;)$}lNvUjae+}aK(m8vg>9f~JEP_cNC>09! zyil`><~Gj(vGsG3UKBn9MJvZ!ts@)jK)uVD9L+?q4v zjV8xcSH0`BL`EN9OpM{b@RT30nZIv}#>vT3R%+%@>`;1_ZBZiRQc4b`=tj9ZUuqkD zV^~_8{*_xO(bciCqU$JmEP-{S=F5#orFfy?SCr?+u;m{6`I7cr4ryQC_aW|GhSd6h zzZ172cY`oP6dK)QI^<4c?&;-SW_vC3e9a)JD{T47K=*IS-_+We-_r%VtbM|T&LvAU zchm9X?mH^K^!iY0SlFAE`zro#veHb5ej`dsGT$ggZ1Zb<;TwZavdiA1jnNyPFL(Ez zCI)K?5q|7=0=KO&5r&mR3?B)90DU_x6Z*y%4y&Xb5tEX~0Rqixe;I`o76gP@d+*#M zXKm9)Q^b`IkUQ&J3bN40#J%#JrziZBxrF5&y)tdcS}O<1J^xr|W+O*hS6oRs@v_Hq z;uG8r{hxb=SmcyMXkL0<<{Q^IEtzzBHMYl-P@*xgR&(7hIyE$4>P_>jR@<(WOs-I( zpTU};%XnoxB99_*CAd*+v&AGkEc6C(cXu?GL!P`npx<4Vm__m=NuD`S3qDrtpBxfC z;94Ers~CB>t1q06Uex}?erqQTlD9XTW=0cB;Y4vS)=VvU`7K3E@Ij5s_I*zw7G^Bk z|F5d64v4bZ`idynfZe1Z61&S1izp!}AuaJpEbJ=X0@6rGN_R+u0wN(LAR#Frph!q} zgGi_d-|Xyrzk6T);F&pd=FIHGnLNLt+Rq+CQ{o@c%h$nP5=P^J(!AuUkS-K71ZEz= zK4Is-VpB24!i`78MPjy>QOaHkOk85rEk5Ej-YodwH6bzO(61=rFn^q|86jLTNr^o= z*xFCv08t#nu-LU+Cb^xnynpVx@=+tcmb=o!rujcdMRn-n#tepB+G^V->yQ98r{Zei zmPY++lmU9$v5L~S2W*cuxm!v5`(&L*`yPEkQ?m`SEw*%LCJ9HQ*c8+^X5Y&!wC0v#rWFIQzKz0SlQ zrX?`GW6onVka=YnoO`f;Um?Aru;k+q)q=F+RvF4cybB(u8JA*#aqpX`13A9b)-FtS z*B87^#dJP7x^wW@Q(vcj+{i)o1{HID>-J?nTmR+iK7~W#bVi3M&rDP%I@MQbnjnm? zhjbS-^;!>F&RoDRA@R?_dM|nT+tDo#w!+H#ZL3=-@#3Iu>*JR%K7UKQSKu!n_lW!6 zw$W7ZefhMNG>eU^n))l@if1D?ud=vw6x{r%a6XD^ zr1jMANHmu04GE7Y;#e4}Y|ilW_f-(k1rQ<-wH z<2NON8u18Oy_@7mynf*+k(!p7dIqKNgm&J3f^k70YId#O^(2F+kDMr_6&ronw3k?> zrQAKEr(Hv72TQ3L7Gzpw(XmIA%w;hp;(8tY%G6f3=d;s#WjnkAX>UwbBp6s)jjU@4Tg*etT!<)b}JxkZPgs-zR}6MvO9B~=^x7}a^1_EF=9 z9DM}=$_Pa2;;FcxfOWCR3q1i+_L;eBYHz!j9PusAJ@02sqdoq#ok+kvqH+6S^?ceO zgxG8|Kx*@+dRtz!vB(Gt&)H2BjpZY6!MinXeW6?mZ(^{qTF!}+mxKt%PWIEK7+dAX zh11YbOfh_jz9N$l6lSA3JRiS4t5|=Mp->Y0@iTQ=llmI-vPNn}^Yy^*bfUg}3?-v` zxeW#y1L#+O-&v)}yr)sBcB7xs$4R~J;{gxUTniFUl`MX%N>}jkK$YML>RQ|n3VI#^ zcG9al$tHb50S&UulJ6hTyQ@Zfa4?25bnz@^wj%w!qqomQl}uj#S>J3@V7alcB=!4cS=+?#C!UyE9w~DJ%iN~ci!o78HwA{1Snl*R{}JK7fBGt;`IIlN zBlY)L{YUMyjY}1uuCSi>4S7WI$af~Xu<#Sr;mcpM>aHAVwXzj8>GoS@V~ctrA#nu_mf? zEKD&UWTkVxYJ8Q8BS*&!7jD{az^U(#^NQWg!?8Zprl$5Vr71{%*esSa(Atm4r+uNI z(2u;@{Q97+e|tM)n33@&(}sI)NW=NOv0&yyK|F>Sxl}@YqL)mtl(u|iMEZ$J8nkV7 zifVHhEkmk!T3!VHtzC*mRE?I45+)+V<1c9z^3t8X=MpEH*)@Ku+3Tgv3(MsY3h%}lYUW$)(I0Nm zYkexB%v{7+B}{pVqkZU4@e)hjXPDZHn$8QI6Vm>8F{s}zwPjd9H{!G540HYw+J*b; z9O70!$81LGAD*6e=b;(Dv=vAQB9z^Xp1w_$Ovs|7VljT-uTLFreu_tcahx5$4k2h)$@6BMSe*QW;A zf+)19KK`yS*3dt6;h1jU$4_Cjj#UZtXK4-68N`otSut5~epL-%gbD>x}}6&r5RUlLY?hAUr0lZ?HbGGF`gpZZ&)UZ;nh3;EHH-Xx*T=e`$JOD(d||EbFn7mO&;Jou)- zUh=I8SPiZ|`$ETGm}FVfR3vAUAAcy_xbyzEQxsw^F_fRn#6q5PN#3$j=S%H)MMWvs z(~ii_J$FpZzEyh@`_1aBy0KB!tY6CowzKm28Rf=YE!1CnilX1gH3~5_We^Azd&x_Ss(UeE?!r}=@WN##)Ll-oI)VjAy>;pE{@KL& zq166?h;%_Giyl>56|&H4jKDW({Im=DLokb(xT|RmFSe$at$Ip~~GjPzrM` z)HU#jGB)kG$$RCX^4W`|eWz#cyhEuROj8#K?H(e14!(tv`ZI{D}d7^>MyJm>R-M3dlnmh`+k`* z#x7XX6g2Q&q*5|gxlT#S{z1ywHW5NIup!^Rx=%BH$z1E)lJW%5G76c4*Cg?(Y3Dh= z8hPqVM&pFgv7oFs{PrcXbV)1k9(!nzwkX*M36`8qoF3>zck`xr+2}FBv z%voeHOE_Lum=JxiqI)urmvb!Z68%FeBXdusiSvI?`JE*Fr1_)!wVIh`QZCP|j@7#~ ziEFOYi)8Q~;hrop8y1o_&L9`Q-pYczHE)BR<;GrUAp7*WPw*!Y1BsIE^qbEahW_1*~n z!a4~RTMuKC+fRS4{yj%3ENTxek$pNcI0ZTrfZaL#Da-JpYsEd%DHbQ|j%j$eXH1^* z?hqTF{W4+?Eb7ih-Roc&Hz|$jJiz_JGH{;ut9%K7X6!n#n~>fSc<&WC{Z{&ttR}n6$-{ZJ z{Z*@VM~A>>L(+z`ww=)BSa7qiD^IKB73u{*iLje#)zqEQRlYmCv@JUiuaQ zfiuF5T@$c;Njec)00;MDcX=0NN~axWUw_t&wVVIaVv<6_YVJ*l%I5@<4pT}OX8rJ> zv)hPy|Fc_m89aHjCX!9{EQtyIt_sy$+>g(q5xQlnG zsrNG|9`jh`@iSoKu0v0w|%DZ>2=qAY<#eETbFP#DB4qVXcjh*o=Lj1&!Y>unOm%8f3(|+M^q1NvsZI0aM$dN zH#q^sWCYv+;<=#x3?xfW*(&jYVk$wZ+&=DrvILjOB_W3b?k1Tre-b|3l-CGWEYK_J zT8nJj09XSq)Np*-rn|szp1{6^oj?AqV*b#6!%L(`8??c~Ie8si0$50L+0-oUC&qtm zzliPHp%J-eVwc|^T15Vcnv zMm?54p3^nOjb-gt%SRQ8AumINxcvd(N*UND?%@tUL1g~XU7-PVipT~HJzf^4$9N8V z9z9VXA>Iyb{M0Ql70T^QBKv*7eXw7SV!QRvch;n8qOcol zHy>hIa<=*mPP#o!zT@&8+&S;FuG{;j>sC%O^DHs>Hr>ma+kJ4x?rL`iIHRg8kdO=7 z?NPYZ4j?rggS9$ITIGl6KKy+#t}|4?Du3-wz-QD8>k145jf8t}8?f!k1&}PUgTO$x zDl?KBA!#)+dJ9U|-CvJJjy8I#oOX2tNA=c!j-}2}<4lbXT+YGn9FvSj32J~Ny07-f zO%7>SJuSIkEYfW-pxEmIF!Q$Qq`#=$2FI6i`;X))QBV4O05HNXXHe32gvF)D7Xk3q zj}4!ao~XgR$Im@#!1HnZwzG=-02hz@<7JHDbMC6#-DAhCoJyz}6vL@Q9y|dRQ#sWZ z{pXkHCJEb?uQ}$Iw}ENT7Zq*T;F-ZE>%=y3q<4I@{~#uD+i=Z`4TS zpc`ScYJTze)^E45ktaybo-7a1p$hDXrdRAOmc8s80ybnvgk{`pOdXEx1t)=p&F-*e z{qZ4^#rd|G@TPsYMKG(T@7sG<+DtwMk2yDr*45PnfXf}40gb&(N-w}`!#F_%B)OFo z(nU2vvi89d!nncxwtJ-jF6+y9H#X~{xO+zw*xhe`Dq~98uTP_?2OASJ;6UQRv!dPz z(pbe$+02lD;KX)aVml_VUb3}_+CD%p|I&d>zVAh15&v@w5GdYWvpz!CNIAYFhRBYxJG5q zuVlm?&+7%}P%g2`uHateq=k^Mcyw55RC{1zFBhd4-y>__7X>fDxr`t9S;fCoI6rzn%1fB4;D*0$6R6^IG+p}G-pt??*=lyMNQCGxVLk_D~#vEnI39Z0KOo*!|84_q+@1SIcKbFx92SNox54fusK5*s! zE#Mq({!5r&8h%_Y_Oh2|8`#ACjd(t)@}3B=x6QuZ05%tcuVu4e`c2*mij>&CK(llw z!(9+O)_v#qEK@QEJ)A^9H3;gQ)HQV}r$5C`fHz>KxUE4GsszYhxUUD>uJ7na?4|f# z{n2tC&W#{57{o~m^oPVg@8e-t*~NfXY05dULOA6b)dj}RHy-KJtR=#v&Bp&pL4Ne)KHIYTh#=F~!#p@AP=4O#C}VFrK=5%>b*ft%viV!CH*ymm;rYR&5yW zQ7|mkhHQj1-0ap}=KQ?&@6_n8dW_ZkR)X6$PB%^x1i(##(!vyD+OZj9@N!eJfysVw zmn7g44>2&!Cgnes`JdACXr+x2uu8pzvrfO}o<9bVf{i7fm4GzWE?TBcG_BqNhHsK! zS2{}#%aF)S`LF!OUGV@{3n~HlZGE10X~z`+H3;w*tj^pGJ3OXaVjOu3+)8!6%f&Ol z&Lbn^%wEkesPw4o#WsYgdj#C~_783LTD92#6PZDh1@1C9 zZfBSC$=pYJvK8Pl{5VblXLF>6@SprNFp*$LI}?HZ&B94~%`NbtmE4ft>+|`sw62x= zHbiqyUDN`1pdOM&9MaKKh5bst6PUsLrx>8D4|@y+4r}-=aHpm6QIcb0o@Pwsf9g&DtGuX0`vZ-DMAEaQ7x zr*ooDsL`;_s7c-l!5L&8Dh_mva{61maL)5e4$*&W>LNPU(Y~Jv5q-W#jPKi-ZBY>^w2QzDnWiYu%PWrRRMwMmAM*sdc zS_@FY*WEe+*7~`!UtrSw?N&87QMof>2S9o5oKNzdQrI@@4(SGlwWo#Rz{Q^HFE$>_ z{cm}IiCYgfus)o!23UGKZTigy<7!MhT`hY6v1%E>dfC}bf3liB%&A-bof9BR?}2xc z=7oA+qrLxC*&_MW#U|f6*6un!{Sy?H0f3@+eY0J8^S)BM@t(^e?ezX{6%ZvvylOO8 z-uD8n`Cl=gPg6f%<^O2b%lI$ZacB0^?h>okwMt3)?LX~7M1`KdZsc^SX29wH65VMY zt5b?^$8U6)4E;YRDFJy8cWO74??g`Je{~s6TADG7-dk_%j{a}{um>sj4pgA#BWT@T z%&ocoEnAs4~HK;P8J&|2UArm>BM`93GcCj@I75XvaX zh-TzqB$yjm7#f*B0$#k0tu@KT!DwJ%W@$~Zu^|{T3ffxR5&mH#c^MrNmJq~5Wl$Qi zL!r=of0J}Y(Yj6YHPA~`DJhwXc|h2@7mYgOvA-}Cp(2c^sfRy|<= z0YOsN_Mi;@T9j#{{gc#e;cWwhv;{AI^DkS8nE{f+db8Wl9{2r#OqeeSu>!`#>r6f& z$J=`cbB!V<=Kp!)`q@l^;U455DBEc3Ko{2QMW?k(>B43zjDh~S3(5RDZe~j>+x!T! zrnTv}l<)NYaX^%yTi;GmDd(F>qI@IdA_iGJg${kOSw5z$Z<|At-Oz7XEbGtK6k(Ow zuw8c>L9!8Bzid8@?)1OCCK6<2Pqo)lbkHwrD7UWrW5|a3xO5-$IB!RlVCuY_?CIRYQKBI#cGY zhmO^5(1#gns;U?K0A*nFA0@3#wam*o^=FNyEGcwC4#Ph9!Ld&CzFfgp&EA1tf-VLz zH_>-{1AV;Q9b|Dl@nRaiw<`s!QdVBXSLw8s*iG5 z^+W9sokwaazEmb}Y!bGn5d^Vrcl~|iey4pMsw{DKYeu&v6(RoNoUuv}m#GWt`eGT! zk+HI2UU+jFisf&QH#8oWhjImAswlMn8k-HhoV;?Nuow=bD*X}HgCH^tJ#5S{1_mvO zW`ZtW6s$wEfeZm5UiZR$%IJ0E$ft+D7sV&4j1X(T3<k|h*Ok-lhr zlb!)2pp@zny#D%2v$zSd0wSIqp-Fz{^Y3KHXy`KX8nONk-6({Zr19}3bn_=VKwe_+ z55!iruh%SV;n$M^iC1YADA13N}#=u(rQ1X84AV0FVXw1z4eptLug(G_RN>t+2lYM!8c}z`JR9& zx!4GjI$zLvt_1cx7>q_3L$R=HpfJyk;^b~9k;o{NTB;fhCp3`#&OZ_S4#LPqh{!Lq z1-Rei2*O^h>|Y2-k=Vg)$b_}#L;(ghp^%B(hj#jXq|jXoQ5 zWzoSv=@<{#HP9&Ll{QtT4#b-CCyaq2*s=t|oS+3DBmNcqU?+rDV2?*(-UyZVh4&-G z2y)U~H*xBz&5z32)-~}3A!J%#;QM!-(`-2~Du40!y`NE{Qq|;^&nwT6#x@&`R%#vQ zSTaPcL5n2)Zo<^(A!6bPbn|ABBR-HCne%gUc(DG?$gVZ?pL)Q-Fw}L)dAZ+>h^=J# zd-H@EEAQ?HVUt1bwd^idWDz}(4J-F++^fC}y7}T_5XM#L#2`p3{COyBnGd80aE3?z zn(7}Ma=lrxzNWV2j5UUIf?3eJXVaywUl-;1pWNr(n5pzB`!3jL?EH#%WfPn}a)eZ& zjV3t|MhCvtIKxpH^bD+~`Ir{fWN*l8Akr~fgd-~-198Yr zDCpM`ew#cFBu z>_%fkJB!DRLD!$!KlSkzlfh-R!PSi3D1yRxV-#=9HMDXz{Qme_*?S{L1To*~fFal@Q*y)NlU}WhVL+@s1KTb0 z#-ExgjcUAg)of7wstNgs5h-||xzwkeq5X~NFYl7$a=eCLKAX9PnS`j0(PG>{4W!_7 zv~CTPTqw+x@ZDm~)=o|GuwqbQ;XTqROs+M)LDr@v-xrXNNDjyIO-hJ9d>y#_R#H+W z>H3OB(Ot2`{%=qy)Lv+w>M`jBIY{8O57aJyWgI!G&fW3TU;3T|x~DCn7zU9$EKgPX zswm&cW}CD4$Re4(Jf?K3VzPaZW8qGO?#*PfaGdv>{g3&ObQ!TT&Izh^!FyC}BLfy|t~g%F1fW!|*vMb$rZu;^6z z_U*ls3&RE}6wNoH_HEiwqsp0s4GeuwA*^KTTV;eXM2w}$4SEHn<~Uo>WhLU{&`T_O z&~Ht0q4=QRaErj8qZ@+|%R`|brSAy8=;f~wHp1fI6<|#Guy;{a7{?D>aNfp3R)>`o zWH8{3baQrlKY<|O&+__lPh?~a-}1r`UV&ctC8V@5aQGxCNs}A2egMKaYZO$N<)Pm2 zn`3^sQzRGaa5T=0c?v2-6iQDVwt5s=&V;=r>3i_Q;c9l>Z2V3aNg#@+&->jpdEUqO z{3lEUSKSJ~7^Bd&HinKltDDfvQ`9}K0bMBOT8Tw+22g%>g_BQUdqfKm$@5cO1{_!Z zDGW4Xea{3>iiaZVzu)?2z$GUT5`~aMc=%=O{X3RKSyj=gFi1e%$BN}Tj73lu($_{9 z{TTugTNd&>iSIeH;Iq;_m0bQ;7!FPYjen$|1FeCYCZ&W|gi=t@gJI)l)qG{N(_ilS z!P$_F+l%23q!W|3OMTPG{5ITt+Eu?1qT#k`!gx50EI=Mm^!0yxM3?-1gV>Te*V4-! zcDCHyxZhW*2m5cs^w0zt110mKT=aJbJ=Dl3>`*?W^4BW9$crt13_V1gKDm$y?;96N zdWP55%UmMy4`7%9PyF3mBo~TTWIBp39aa!pe-{R#@Z+j6c7!a8Na)2&8~Awik(s+t z>pqi^YVdifB&pQsDT0?DWS+43SkUNcfLJ>^c3k&(o(VYw0vkR1nWp3>mGrY-nNR37 z*;$i|lqa0^4g3`-p3DWP-BEm{kzT5AS;?70D}RBh5j>$BbUuol5fm&IG!J1%BZ&Vw zWWf_eOwjDMN@_Yc#ZA?c?vcAZ8ZJ!GIO6NDVlD5Hy46bDvoB%a)tQ)+HhU*!&IqneMt`K0?`Ke z(Zp2iDz2syjHDvpBP(kFwf$|jeIxch6w3E#d2Fw zxQUqm$mAxg5*|6>9&FWbG02XFk@=>w{k)(b8yerBYp@F47?0xg7|4bqNTPToK0+$L zA423Ihg+jQlhqhDtc65DVG=)#!5~75_l8(T!6afEHjK^J)md8M;DP~srsI&4kLRI- z*n?u(3$e>b-yg9DU^Xhy-_p1QSbh@ z#c2=ov7St0=Y(GaWf%>koysqH11wO;9hS%bwwhMbuwP60!wfQe+fRe`8wPr0&s!Jx zMWgNr=05&sg!aU`e%Ebh8YO1{tNeCE9WtS$BQPWf3ahVfOx6Ru;jQWSJx~PLH_)g_ zt-(6PmcbvgW6A&3P3Op^C%~27?XRb@iWwD_z*IRu9!g9Jf#NU&@WT)J`2xt%su7}w zjb2Mt$sr- z_z?Mpx$!w(|JxszRVCW`?9u3=tX^!O87TsaTuYd(7w%%9E3wcImfq5TPj3NB5>%c6 zLL4h!x4wy9H~sVn^(>}#b5H=wMNX11Q`Ep*W@IYN67?GjLmRwU^KJD8n-+IXQU*7n ze7>&1?RSZfY{k_(VFs~UHSlX7vA$8CDQlF~v#>l;o@l|EJUDJplE^?bDHYsGBv%p2 zDKsh&a`Pq0-zPdE#J;akzoYRi4nw*KlEwzsY$D|1=Zmsxt9dDIsQ@G3;>Gt0!=Mu* ztv=(qrc4m;9||z>dN3I2xYe_0mo*~nXF9$<$u{bua})CMkcR-mAi`LhOrn4#L)o0c zXY10Z9T~|FJvKsThO0ZDEtS6BZZdA^`^EA3d!LNk`#)>KJj}1(F}e`S_6P0*e=-sZ K;`w5Fp8p4;Ozxim literal 0 HcmV?d00001 From 98d6b85144358661040a772eee9bd61fa8a58d0c Mon Sep 17 00:00:00 2001 From: Anshuman Tripathi Date: Sun, 26 Oct 2025 18:10:47 -0700 Subject: [PATCH 3/7] Fix image shortcode Signed-off-by: Anshuman Tripathi --- layouts/shortcodes/img.html | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/layouts/shortcodes/img.html b/layouts/shortcodes/img.html index a725e71..7fc6e2c 100644 --- a/layouts/shortcodes/img.html +++ b/layouts/shortcodes/img.html @@ -10,13 +10,7 @@ {{- with .Get "height" }} height="{{ . }}"{{ end -}} style="display: block; margin-bottom: 0;" />{{- if .Get "link" }}{{ end -}} - {{- if or (or (.Get "title") (.Get "caption")) (.Get "attr") -}}
{{- if or (.Get "caption") (.Get "attr") -}}{{- .Get "caption" | markdownify -}} - {{- with .Get "attrlink" }} - - {{- end -}} - {{- .Get "attr" | markdownify -}} - {{- if .Get "attrlink" }}{{ end }}

- {{- end }} -
+ {{- if or (.Get "title") (.Get "caption") -}} +
{{- .Get "caption" | markdownify -}}
{{- end }} From 6c5b000e1bc0ee0e153f8ad135d06f2765e15aea Mon Sep 17 00:00:00 2001 From: Anshuman Tripathi Date: Sun, 26 Oct 2025 18:12:34 -0700 Subject: [PATCH 4/7] Succint review Signed-off-by: Anshuman Tripathi --- .github/workflows/claude-code-review.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/claude-code-review.yml b/.github/workflows/claude-code-review.yml index 293271c..ffbcf28 100644 --- a/.github/workflows/claude-code-review.yml +++ b/.github/workflows/claude-code-review.yml @@ -44,14 +44,13 @@ jobs: REPO: ${{ github.repository }} PR NUMBER: ${{ github.event.pull_request.number }} - Please review this pull request and provide feedback on: - - Code quality and best practices - - Potential bugs or issues - - Performance considerations - - Security concerns - - Test coverage - - Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback. + Please review this pull request. Be concise and focus only on significant issues: + - Critical bugs or errors + - Security vulnerabilities + - Major performance problems + - Important best practice violations + + Keep your review brief and actionable. Skip minor style suggestions unless critical. Use the repository's CLAUDE.md for guidance. Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR. From 69e924ad3b128e401b75bf8f13a308eb3f25d653 Mon Sep 17 00:00:00 2001 From: Anshuman Tripathi Date: Sun, 26 Oct 2025 19:03:59 -0700 Subject: [PATCH 5/7] SEO improvements Signed-off-by: Anshuman Tripathi --- content/blog/invisible-pods.md | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/content/blog/invisible-pods.md b/content/blog/invisible-pods.md index 73c85f3..04b0f0b 100644 --- a/content/blog/invisible-pods.md +++ b/content/blog/invisible-pods.md @@ -1,22 +1,23 @@ --- -title: "Invisible Pods" -subtitle: "" +title: "Pods can go invisible in Kubernetes. Let's find them" +subtitle: "Kubernetes pods can become invisible to kubectl, creating security risks. A hands on tutorial explaining how this can happen and its consequences" date: 2025-10-25T12:35:25-07:00 draft: false -story: [] categories: - tutorial tags: - kubernetes +- kubernetes-security +- container-security pagefindWeight: "0.1" slug: invisible-pods --- -I am a huge fan of [Ivan Velichko](https://iximiuz.com/en/). His platform https://iximiuz.com/en/, provides great materials and practical lab exercises to learn more about concepts like Containers, Networking, Linux, Kubernetes, Dagger, etc. Ivan covers the core fundamentals behind all these concepts which makes all posted materials an exceptional resource for learning new things. +In Kubernetes, pods can become completely invisible to `kubectl get pods -A` while still running containers on the nodes. This behavior can allow attackers can use it for persistence on exploited Kubernetes clusters. -I recently attempted an exercise posted on this platform about [Invisible Pods](https://labs.iximiuz.com/challenges/kubernetes-invisible-pod-0bf2109b). It is based on [a talk from Rory Mcune](https://www.youtube.com/watch?v=GtrkIuq5T3M) about container security where he briefly mentions how pods can become invisible. This is a great exercise which touches on some Kubernetes concepts that are not very well known. +I discovered this scenario through [an exercise on Ivan Velichko's platform](https://labs.iximiuz.com/challenges/kubernetes-invisible-pod-0bf2109b) which is actually based on [a talk by Rory McCune](https://www.youtube.com/watch?v=GtrkIuq5T3M) about Kubernetes security. Both are excellent resources for learning about concepts that are not widely known. Ivan's platform https://iximiuz.com/en/ provides great hands-on labs covering fundamentals of Containers, Networking, Linux, Kubernetes and more. -> Before moving forward I would recommend to attempt the exercise and try finding the solution. +> Before moving forward I would recommend attempting the exercise and try finding the solution. ## Concepts @@ -31,11 +32,12 @@ This allows the Kubelet to bootstrap key control plane components on control pla ### Static Pods -Static pods are pods managed by the kubelet which are created from manifests added in path `/etc/kubernetes/manifests/` on the node. Any Pod manifest added here would be used by the kubelet to create a mirror pod. +Static pods are pods managed by the kubelet which are created from manifests added in path `/etc/kubernetes/manifests/` on the node. Any Pod manifest added here will be used by the kubelet to create a mirror pod. ### Mirror Pods -Mirror pods are entries of a static pod in the api-server. These are only references to the actual static pods. This means doing kubectl operations like edit, delete, etc. would not affect the pod because the Kubelet treats the manifest present on the node as the source of truth. The kubectl commands on the other hand go the api-server and try to update the mirror pod. After the saved update, the kubelet detects changes, applies the changes from its manifest and sends the updated information to the api-server. +Mirror pods are entries of a static pod in the api-server. These are only references to the actual static pods. +This means doing kubectl operations like edit, delete, etc. would not affect the pod because the Kubelet treats the manifest present on the node as the source of truth. The kubectl commands on the other hand go the api-server and try to update the mirror pod. After the saved update, the kubelet detects changes, applies the changes from its manifest and sends the updated information to the api-server. {{< img src="diagrams/static-pods.excalidraw.png" caption="static pods and mirror pods" loading="lazy" decoding="async" width="100%">}} @@ -60,7 +62,7 @@ nodes: - role: worker ``` -This sets up a Kubernetes cluster with a control plane node and worker node running a static pod. Following is the manifest of the static pod +This sets up a Kubernetes cluster with a control plane node and a worker node running a static pod. Following is the manifest of the static pod ```yaml apiVersion: v1 @@ -124,10 +126,13 @@ And now when we check for pod in the namespace NAME READY STATUS RESTARTS AGE podinfo-test-cluster-worker 1/1 Running 0 58s ``` -It becomes visible again because the mirror pod was successfully created. +It becomes visible again because the mirror pod was successfully created. ## Conclusion -Static pods are a core concept used in Kubernetes with nuances. As we have seen, these nuances can be exploited by attackers to run invisible pods in a cluster. This makes them particularly dangerous from a security standpoint. [For more details see Rory's presentation on attacker persistence strategies](https://youtu.be/GtrkIuq5T3M). -One way to detect and catch these scenarios is to have auditing enabled on the Kubernetes cluster so that the administrator can quickly catch anomalous scenarios like these. +Static pods are a core concept in Kubernetes clusters but they have the potential to create security risks. They can cause pods to become invisible to `kubectl`, by referencing non-existent namespaces allowing attackers to remain hidden in the compromised Kubernetes cluster. + +To detect this and other anomalies always have auditing enabled on the Kubernetes cluster so that the administrators can track Kubelet and API Server activities. Additionally, regularly inspect Kubernetes node processes using `kubectl debug node` to catch an unknown or unexpected process running on a node. + +For more on attacker persistence strategies, see [Rory McCune's presentation](https://youtu.be/GtrkIuq5T3M). To dive deeper into Kubernetes fundamentals, check out my [Kubernetes Concepts guide](/blog/understanding-kubernetes). From 40f4971b556e376e9e958bad069e8d95c21bb7c7 Mon Sep 17 00:00:00 2001 From: Anshuman Tripathi Date: Sun, 26 Oct 2025 19:06:14 -0700 Subject: [PATCH 6/7] Chore: Rerun claude review Signed-off-by: Anshuman Tripathi From a90a089619f0cde5982831f76f575527ae939f7a Mon Sep 17 00:00:00 2001 From: Anshuman Tripathi Date: Sun, 26 Oct 2025 19:27:39 -0700 Subject: [PATCH 7/7] Final grammar review Signed-off-by: Anshuman Tripathi --- content/blog/invisible-pods.md | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/content/blog/invisible-pods.md b/content/blog/invisible-pods.md index 04b0f0b..8cd595b 100644 --- a/content/blog/invisible-pods.md +++ b/content/blog/invisible-pods.md @@ -1,6 +1,6 @@ --- title: "Pods can go invisible in Kubernetes. Let's find them" -subtitle: "Kubernetes pods can become invisible to kubectl, creating security risks. A hands on tutorial explaining how this can happen and its consequences" +subtitle: "Kubernetes pods can become invisible to kubectl, creating security risks. A hands-on tutorial explaining how this can happen and its consequences" date: 2025-10-25T12:35:25-07:00 draft: false categories: @@ -13,11 +13,11 @@ pagefindWeight: "0.1" slug: invisible-pods --- -In Kubernetes, pods can become completely invisible to `kubectl get pods -A` while still running containers on the nodes. This behavior can allow attackers can use it for persistence on exploited Kubernetes clusters. +In Kubernetes, pods can become completely invisible to `kubectl get pods -A` while still running containers on the nodes. This behavior allows attackers to use it for persistence on exploited Kubernetes clusters. -I discovered this scenario through [an exercise on Ivan Velichko's platform](https://labs.iximiuz.com/challenges/kubernetes-invisible-pod-0bf2109b) which is actually based on [a talk by Rory McCune](https://www.youtube.com/watch?v=GtrkIuq5T3M) about Kubernetes security. Both are excellent resources for learning about concepts that are not widely known. Ivan's platform https://iximiuz.com/en/ provides great hands-on labs covering fundamentals of Containers, Networking, Linux, Kubernetes and more. +I discovered this scenario through [an exercise on Ivan Velichko's platform](https://labs.iximiuz.com/challenges/kubernetes-invisible-pod-0bf2109b) which is based on [a talk by Rory McCune](https://www.youtube.com/watch?v=GtrkIuq5T3M) about Kubernetes security. Both are excellent resources for learning about concepts that are not widely known. Ivan's platform https://iximiuz.com/en/ provides great hands-on labs covering fundamentals of Containers, Networking, Linux, Kubernetes and more. -> Before moving forward I would recommend attempting the exercise and try finding the solution. +> Before moving forward I would recommend attempting the exercise and trying to find the solution. ## Concepts @@ -37,7 +37,8 @@ Static pods are pods managed by the kubelet which are created from manifests add ### Mirror Pods Mirror pods are entries of a static pod in the api-server. These are only references to the actual static pods. -This means doing kubectl operations like edit, delete, etc. would not affect the pod because the Kubelet treats the manifest present on the node as the source of truth. The kubectl commands on the other hand go the api-server and try to update the mirror pod. After the saved update, the kubelet detects changes, applies the changes from its manifest and sends the updated information to the api-server. +This means doing kubectl operations like edit, delete, etc. would not affect the pod because the Kubelet treats the manifest present on the node as the source of truth. +The kubectl commands on the other hand send requests to the api-server and try to update the mirror pod. After the saved update, the kubelet detects changes, applies the changes from its manifest and sends the updated information to the api-server. {{< img src="diagrams/static-pods.excalidraw.png" caption="static pods and mirror pods" loading="lazy" decoding="async" width="100%">}} @@ -62,7 +63,7 @@ nodes: - role: worker ``` -This sets up a Kubernetes cluster with a control plane node and a worker node running a static pod. Following is the manifest of the static pod +This sets up a Kubernetes cluster with a control plane node and a worker node running a static pod. Here is the manifest of the static pod ```yaml apiVersion: v1 @@ -95,7 +96,7 @@ We can see the pod is a static pod since it is managed by the Node (Kubelet). Node% ``` -Now let's change the namespace of the static pod. We can change the static-pod.yaml, delete the kind cluster with `kind delete cluster --name test-cluster` and recreate the cluster. +Now let's change the namespace of the static pod. To update the static pod, either change the static-pod.yaml, delete the kind cluster with `kind delete cluster --name test-cluster` and recreate the cluster. The other way to do it is to use `kubectl debug` as follows: ``` @@ -119,7 +120,7 @@ Now let's create the namespace namespace/podinfo created ``` -And now when we check for pod in the namespace +And now we check for pod in the namespace ``` ❯ kubectl -n podinfo get pods @@ -131,8 +132,8 @@ It becomes visible again because the mirror pod was successfully created. ## Conclusion -Static pods are a core concept in Kubernetes clusters but they have the potential to create security risks. They can cause pods to become invisible to `kubectl`, by referencing non-existent namespaces allowing attackers to remain hidden in the compromised Kubernetes cluster. +Static pods are a core concept in Kubernetes clusters but they have the potential to create security risks. They can cause pods to become invisible to `kubectl` by referencing non-existent namespaces allowing attackers to remain hidden in the compromised Kubernetes cluster. -To detect this and other anomalies always have auditing enabled on the Kubernetes cluster so that the administrators can track Kubelet and API Server activities. Additionally, regularly inspect Kubernetes node processes using `kubectl debug node` to catch an unknown or unexpected process running on a node. +To detect this and other anomalies, always have auditing enabled on the Kubernetes cluster so that the administrators can track Kubelet and API Server activities. Additionally, regularly inspect Kubernetes node processes using `kubectl debug node` to catch unknown processes running on a node. For more on attacker persistence strategies, see [Rory McCune's presentation](https://youtu.be/GtrkIuq5T3M). To dive deeper into Kubernetes fundamentals, check out my [Kubernetes Concepts guide](/blog/understanding-kubernetes).