From YouTube: CNCF CNF WG Meeting - 2021-11-29
A
I'm all right. Took last week off, I'm just getting going again.
A
Then is this your first call to join?
A
All right, well, that's five after. Let's see what we have here. So you can add your name to the meeting notes and any agenda items right now. I don't see anything other than checking our pull request and kind of going through existing items. Does anyone have a topic they'd like to chat about?
A
All right, any best practice ideas?
A
I guess that's a topic, so go with that. One, I'm going to open the pull request. Looks like Jeffrey added one. He's not here today, but I can take a look.
A
Let me come back to this view real quick, see if anyone else.
A
Okay, some environments, and we've been hearing this for a while, production systems deny public internet access, maybe even to the point of no proxies. So controlling how the applications that are deployed and components that may be part of the platform are deployed and used in the environment, it's important, partly because around this malicious code. So we have some stuff about supply chain attack and other things that are probably related to this. But this is getting more specific to the air gap environments and.
A
Maybe only accessing internal systems and pulling. All right, a CNF utilizes a cloud-based licensing model. All right, so you have a networking application that you deploy and it validates its license externally, potentially. I'm not going to go through all of it right now. Let's keep going forward. There we go. So you're using GitOps methodologies with defense method.
A
Okay, so the problem is around, I think, automation and having to do that as part of if you're expanding.
A
If you have to purchase in advance, that's a problem. If you have to do dynamic licensing right then, and it's remote, that's also problematic. So how do we deal with that?
A
I'm not gonna, let's see.
A
Okay, this is fine, this is just phrasing, which we always have to go through and update. What's going to work, there's probably something between centralized registry. This is about, may have been thinking about images, which is one part. Image registry, image repository, I don't know, naming, but whatever, we can figure that out.
A
All right, and then Ian is saying this is saying what networks the machines will be able to connect to, so they may have some type of network connectivity to a specific area, but nowhere else.
A
This is a probably important commit comment that Ian makes, so that there will be network connections, but the idea that a CNF won't have control commands, so it won't be able to do modifications, as the idea, after it's deployed potentially, or make changes to the server or whatever else.
D
And also, it's probably important to realize that different groups air gap for different reasons. So, if you're air gapping for security in regards to, like, a SCADA system, you probably don't really care about whether the data is actually exfiltrated or not. You're primarily concerned about protecting from active attacks.
D
But if you're air gapping for a SCIF somewhere, like a military style, then that matters, that matters a lot, and what information you get in and out. So it would be interesting to see if we can get some input on what type of systems that they're likely trying to air gap. We don't have to know the exact systems, but just to know some of the properties there, if we want to scope the use case properly.
A
What type of systems? The last part kind of cut off for me.
D
As in, like, is the use case primarily for, like, SCADA systems, where the information inside of it is really not sensitive, or is there a goal to go for air gap like systems that are going to hold, like, state secrets and they need to network those systems together? And so I think in both, for this particular use case, I'm curious as to which use case they have in mind out of those two, or there's another one that I'm not thinking of.
D
Yeah, I think the point that Jeffrey was trying to make in the licensing side was like: should it be more like seat style licenses, where you buy like a thousand licenses or something, and then you divvy them out over time, because you have the right to use them? Or are they trying to push towards a different model where they keep track of the usage over time? So they're less concerned about capacity, but they're more concerned about the usage.
D
So if you use 500 of them at a given time, then you get charged for that 500 as opposed to paying for the thousand at all times. So the same way that, like, you spin up a VM in EC2, then you're only paying for the time of use, as opposed to paying for the possibility, paying for the quota.
D
Yeah, and these are just best practices. We can't force anyone to do anything anyway, so we could put something up: best practice, we believe that this will have these positive benefits. So it's unlikely that if someone really, really wants to go down a certain path that we'd be able to sway them, but if someone is on the fence, like, should I go with one path or another, then we may persuade people in that respect.
A
I think this, that the comments are on the best practice. That's kind of that, and our next thing.
A
The principle of least privilege, which has many best practices tied into that, we've been looking at that for a while. Is there any other, maybe like a high-level principle that may contain many best practices, that anyone can think of, besides the principle of least privilege, that would be applicable for air gap environments?
B
I don't know, you know, when we are talking least privilege, we also usually mention defense in depth, so having multiple defensive mechanisms, but again, this is a very, very broad principle. Okay, and I don't know, okay, if we are talking about something that is already air gapped, we might want to say that air gap itself doesn't solve security problems and there's a need for, in general, we could secure security approach even with an air gap system.
A
All right, anything else, or maybe any other best practice ideas that anyone wants to talk of? And this can be an area for best practices or potentially specific things, and we'd love to get some more best practice proposals in place.
A
We could write up some around, continue with the least privilege ones. There's a lot of different things that we've talked about for least privilege and security related ones. We have a whole set of documentation around that. So that's definitely an area that can be continued. I'm not going to go down, but there's links down in here.
A
That goes to the least privilege docs and a whole set of best practices, and then there's other security related ones. So happy to have any of those, especially if we can talk about the user stories that are related to them, any testing that's out there, or pointing at stuff that may be already happening in the cloud native and Kubernetes community.
A
But if there's other things, like to hear them: ideas, areas.
B
For something which is, like, you know, ideas around high-level ideas, or something like we should say that how to set up our bus in a cluster, how to, what kind of configurations to use, what kind of a part best practices of how to protecting, you know, Kubernetes secrets and stuff like that, or more general ideas? Because, you know, least privilege is a very, very abstract, you know, thing, but if you want to be more specific, you know, I have ideas. Okay, what could we write here?
A
We're looking for, I guess, more specific, focused best practice where we say we can give someone a suggestion. This idea, when you're coming across and you're wanting to look at, you're developing a CNF and you're looking at guidelines, trying to follow the best way to do deployments and provide your services and everything else, what are things that you should do? So one of them that we've put forward was containers shouldn't execute their processes as root.
A
So this is one of the best practices. If you think like 12-factor apps and other things like that, you can go out there and look at, here's a big set of guidelines, things that in general you should do or you shouldn't do. So this is a shouldn't do. So we have the summary.
A
Saying the process didn't run as root, then the motivation behind it, the proposal, so this kind of goes into it, for this practice is actually pretty well known in a lot of domains.
A
So we're reiterating something that's pretty easy, but we specifically chose this one because of that, and then we'd tie it into real user stories that could happen. So these are the supply chain attacks and how, if you run your processes in your CNF as non-root and have some type of security issue, then it could help. So we're looking at best practices like that. When we're saying these, one other item, I think that would be maybe related, a couple of things.
A
I don't recall right now, but it's possibly the case that the NSA guide actually says it. So I know there's a Kubescape test. So one of the things that we do with this is we have a test objective section and we're giving some information about, if you're gonna follow this best practice and here's someone to test for it, you can do static analysis, runtime analysis and that sort of thing.
B
There we go, so think things like, you know, saying that you should configure your cluster so that the etcd is encrypted. It could be some sacha, you know, of best practice. That's right! This is, what's got the kind of things we are looking for, because, you know, I could, you know, I can raise that with, you know, without, you know, even blinking, I could raise like five, six things like this.
A
I'd love to adam one of them for sure, and so if you think one is a good idea to add, like you're like, no, this is a best practice and I can point you at some places that talk about that, then you could just add a new issue.
A
So here's one that we plan to write up, but we haven't, you know, we haven't done it yet, but we thought this would be a good one. Don't run containers with the privileged flag equals true. So this is one that you can put forward, so any that you think would be good, you can create an issue. If you want to provide a place to talk about it, the discussion board is a good place for that.
A
This container should be runtime isolated, might have been Frederick and Nikolai, way back when we were working on a document. Some of these got copied over, but feel free to add them, any of these places.
D
Two places you could source material from. Actually, double check the second one. The first one is the CNCF Security TAG, has a white paper that's worth reading through, and if you read through that, ideas should pop out for best practices.
D
So I would recommend, if the license is flexible enough, to also look at that as a source. Don't look at it for this purpose if the license is not appropriate, but it is a release course you can use where, when you take it to production, that is a fantastic resource you can use to help harden your systems as well. So we could put a pointer to it, I think, would be appropriate at the very least.
A
Yeah, SIG Security white paper. We actually went over that, and that's definitely a good place that we can keep pulling stuff from. Some of the least practice stuff that we had found before also matches right up with what they're saying. So we started to reference that, but that's a good one, and I think Lucina may have dropped it, or somebody. I don't know who just dropped that in. All right, is there anything else? And references to places are also.
D
Yeah, they want people to sign up to their service and pay for their reports for commercial usage. So that's.
A
Funny, is this the NSA CISA hardening guide? No, this is a different one. No, we were referring to the NSA CISA Kubernetes hardening guide, or something like that.
D
I posted a link to the press release for the Kubernetes targeting hardening guidance.
A
All right, looking through the end of the year schedule, I think we are on for.
A
20th, 27th. All right, I guess we'll figure out.
A
I think I'm gonna mark them as maybe cancel.
A
If there's no objections, then I'll keep it like that, check back next week with folks and Ian and see how that goes. All right, anything else? Otherwise, give everyone 20 minutes.