From YouTube: CNCF CNF WG Meeting - 2021-12-13
B
Hi, was there an issue with the the Zoom link, or was I just confused?
A
I'm not sure what was the problem. Oh.
A
We'll get started in a minute or two. I've posted the meeting notes into the Zoom chat. You can add your name anything. I would like to talk about.
C
A
Let's see, please add your name, I guess I should do that as well. Select the wrong area.
A
Does anyone have any agenda items?
E
Taylor, I don't know if it's if it's okay, okay to rate this special, but I just wanted to give a few minutes to the discussion how I opened in the in the repository about the best practices we talked about last last meeting.
A
Yeah, definitely I see that.
A
Now, let's see, today OSS Summit Japan is going. We did a a little recording for that. That will be late this evening.
A
ONE Summit, don't have much details about that. Is anyone speaking there or keep counting you. I guess CFPs are open on that. So, if you haven't submitted, you want to do it for KubeCon EU, make sure you do it. All right. Yeah, let's open this one up.
A
E
I don't have anything else, so I'm fine with you sharing the screen again. This is okay. This is just continuation, okay, of the discussion we had before about, you know, of adding best practices, yeah. I have my specialty security. Therefore, you know, I I'm taking on, you know, security best practices and and in general, okay.
E
I think the the idea behind this my proposal is to create network security best practice paper or or description, okay, where, where we discuss the issues around network security in with installation of Kubernetes, and I think it's pretty important, okay, for for for telcos and and into this industry, okay, because most likely, okay, they are going to start to install Kubernetes by themselves and and and will, you know, get into the pitfalls around.
E
So that's why we are here and, and I think that that there are two major parts of the discussion around network security of Kubernetes and and, and I think that one is that is the the actually the access to the kube API and around the kube and the insert and to the infrastructure components themselves.
E
So so we in the one hand, okay, making sure, okay, that that the kube API server is the API service. It has limited networks, network access and all it is, it is separated from the public internet enough and and people are not allowed to connect it from from the outside. The second is actually not just networks segmentation, but but the the actual access control of Kubernetes, to use to enable RBAC, to to remove any authorizations for anonymous user in Kubernetes.
E
What I wrote here is disabled in insecure access configuration of the kube of the API server, and there are several few around this point. Okay, we could, we could add here and and could describe in more detail what to do about the test tool. Okay, I I'm I'm here.
E
There are things here, okay, which can be easily tested, and there are things which are pretty hard to test, so we'll need to to somehow only point out those which can be we can which we can test in the test in the CNF test bench and those things we cannot.
E
This is one part. The other part is actually the protecting the the the control plane and the machinery of Kubernetes, making sure the network security of the mutual TLS are in place, certificates and are, and private keys are in place. Maybe even talk about whether, you know, when to swap private keys and certificates in a cluster and so on.
E
So I think that these are two main parts, okay, the the kube API and the segment, and the other part is the Kubernetes system components, the secure communication of them. There are two main parts I would like to focus on and I'm I'm guys, I'm I'm very open. Okay, I'm really open, for, you know, any comments and I'm I'm ready to start to work and write these things up in detail.
A
B
Oh, maybe just a comment over organization but yeah. I also like this idea a lot. It's it's definitely the beginning, just the beginning of security, but there are you write that there are two components of protecting this API, but then, in the second section below, if you scroll down a little bit, please, that's where we talk about TLS security, but I think TLS security is higher up.
B
So I I think in terms of networking there are two components: there's the firewall and encryption, and then a second level is really RBAC and users and all that, which is just honestly a very weak point of Kubernetes generally, so you don't get a lot of security from RBAC, but the yeah talking about encryption and how to handle those best practices of dealing with certificates. Things like that, maybe even hosting your own CA. Something like that.
B
E
E
A
I would say the organization, or maybe even priority, of what's important to people that can be an effort that someone cares about that can help write up. Ideally, it would be supplemental documentation if that's something that you care about, then focus on that. If there's an area that you think is important or you're passionate about, but it may not be, it may be lower level or higher level. It's okay. We don't have to start with one specific area and write up everything before moving on to another.
A
E
Yeah, like hoping CAs every year, yeah sure, also another question. Okay, I I was thinking about, okay, that that it is obviously okay to say that limiting access to kube API is is, is really, you know, a a very, very basic security measure, setting up firewall rules and and limiting access to it.
E
But but the question is what I am asking is an open question for you of of whether, you know, the opposite direction is, is a is something that applicable in this industry, where, you know, we can limit the traffic from the cluster to the outside world or or this is something that, you know, rather problematic, because because the way that usually these CNF will work, okay, they will need connectivity out to the outside world.
A
I I think it's going to depend on the organization, some of them we've. We've talked about this a little bit when we've gone into like air gap discussions, so there's some that may not allow any public access. Even they don't even want to have proxies or anything, they have everything on internal systems, and then some of them may have some type of proxy or you have a partial.
A
So maybe your image repository is within the organization's network and they don't allow access to say images for the different components outside, even if they're dependencies, so I think that's going to be dependent and then any type of other, I guess call outs, whatever that would be would be. I would I'd say, it'd be similar.
A
I don't know if best practices, if that would tie in specific around like allowing or not like, is it but the process of doing that. So someone says we have a use case where we need to limit access for going outside versus in inbound.
A
Those would be where we would talk about what are the best practices for implementing these, because that's that's what we're really looking at here when you're implementing the applications running services on a platform and the platform components themselves in your building in a Kubernetes space environment.
A
D
A
E
Yeah cool, so, okay, I'm I'm going to start to to do some write-ups, okay, okay and we'll align those later stage where, where to put it in the in the repository.
A
One place, if you you can, I mean we could probably just change this whole thing to security, it's kind of around least privilege, but if you want to create a Google Doc and have like a shared draft or whatever for what you're working on, you could link it from this best practice discussion. I mean feel free to put anything in here and then, you know, we can add comments like Tal has done, and we can add stuff here.
A
C
A
Comment capability for the doc so that other people can join in and do suggest, edits or whatever and and then start building it up. So this particular doc, which we've linked a few times in the discussion, this one's around least privilege. So one of the most recent things working with Ian. What we're looking at is what happens when you need to deviate, so whenever a best practice that everyone goes yes, this is great. We all agree.
A
We want to get there, but right now it we can't implement it for whatever reason, it may be six months, it may be 18 months or who knows before they can get to that ideal goal. So what do you do? So we wrote up some information here and then here's. So this is on the deviation and then we started writing up a new set accounts and rights.
A
So I think this one might actually be related a little bit to what you're talking about with the Kubernetes API bin, but feel free to look through this. One like this is a Kubernetes API server. So you have. This is referring to the service account.
A
So if you want to say out of this limiting access, which is kind of a somewhat higher level, you could say: how do you want to limit access? We definitely want to say never public facing, that's a good practice. Okay, well, maybe that's the first thing you write up, yeah, but feel free to just kind of brainstorm is the idea with all these and we have a big dump of information and then eventually we come down to something like specific.
A
I tried to open it and filled there. Eventually, we end up with a specific one that we feel this one is something we can agree. This is a good practice. You may not always be able to do it, but it's a good practice. So let's write it up as a very specific thing that we can recommend that rolls up into a higher level.
E
Yeah sure, okay, I think I'm I'm going to start with a Google document. Okay, because more, I assume that most of the texts will be, you know, movable around and restructured around. You know, different places, I'm guys I'm really open to ideas. Also, I think Matan was the one who who, where this idea of of prioritization of different parts, so I'm just tell me some ideas. Okay, I will continue and we'll just continue to discuss this.
A
Sounds good, yeah, once you have something you'd like to share after, I mean this is great so far, just for the first kicking off ideas, but when you have some more content, just share it and then we can start iterating from there until something pops out and we go. This can be written up. Let's do a pull request.
B
A
All right, I see the interested parties, that one should be pretty straightforward, just accept it, it looks like you have two there.
A
A
Hi Ann, so, let's see, Jeffrey submitted this, he's maybe out for a little bit before you can join back in and we of course have the holidays, which I could extend that a little bit. But this one is a. This is a user story, so a set of user stories.
A
Around air gapped environments, so that we can relate these context-wise so that those comments or questions comments about external calls from CNFs that could go outside, maybe related. So if you end up with the best practice and probably be related to some of these use user stories, CNF using some licensing model that requires.
A
Dynamically checking license with the remote server, GitOps methodology, so they're pulling stuff in. They have a some repository, that's pulling stuff in from other, probably other repositories, and then SaaS-based services.
A
Okay, I'm trying to like, if there's anything new since the last one 20 days ago, looks like a lot of these are just comments and you responded something about networks. Ten days ago, oh Victor, okay.
A
All right, well, this is actually maybe right around the last call anyway, so this was tying in with licensing, like what are we talking about here. Let's make sure it's clear on the mechanism and stuff. Oh, that's a good one, a short definition of what we mean by air gap and I've heard different things. So I agree, and maybe if we come up with the definition here, it can go into our glossary be referred because I air gap does not always mean you have no internet cable. You were disconnected from the world.
A
C
I just noticed that yeah. I noticed that in the glossary they have, they had an issue referring to githubs, so maybe it would be nice to have cross reference there.
B
A
You check refresh and check it. May it may be good, I think, as long as it had the two dashes first, everything after will be a comment.
A
Okay, this is just questions, all right, so we probably just need more responses in here before going on. I don't know how much Jeffrey's gonna be able to respond so I'll try to reach out. There also may need someone else to help, see if someone can assist on that, specifically people that are familiar with the airgap environment. So, ideally.
A
Moving on, meeting schedule through the end of the year, I will not be, I will be out on the 20th and the 27th and and actually probably the third potentially, so Ian, are you going to be around any of those times and is there an interest to have any of these? Let's start with the 20th. Are you going to be around for the 20th?
A
F
Let me try that without the mute. I'll be around for the 20th, but not the 27th or the third, I don't know how anyone else feels about having a meeting on the 20th. I mean we can schedule it, but the thing is: if nobody's going to turn up, then we're not going to get very much done.
A
I mean if, if you want to show up and then if no one is here, you know, by let's say five after, if you feel like nobody's here, then it can be canceled at five after instead of starting, or ten after, however long you wanna wait. All right.
A
All right, so any objections to canceling on the 27th?
A
Yeah, any objections to canceling on the the third?
A
A
Okay, so last meeting of the year for this working group is December 20th and I'll get it started and if folks want to talk and start working on some things, then please join it, and we'll cancel the 27th and the third, we'll remove those, have them removed from the calendar and and we'll be back on the 10th after that.