
A

Hi folks greetings happy new year.

A

We'll wait until five after to get started. You can start adding your names and any agenda items to the meeting notes, which I've posted a link for in the Zoom chat.

A

I didn't see if anyone else joined. We'll get started at five after, so just a couple of minutes. And happy new year, and you can add your name and any agenda items to the meeting notes.

A

Hopefully folks can hear me, yeah.

B

Happy new year.

A

All right, uh this call is being recorded. If you didn't hear the notice when it started, we publish these to the CNCF YouTube channel and the CNF working group.

A

um, if you want to go look at any of the old ones you can, and this one will be published there.

C

Then.

A

Welcome. Uh, let's see, we are at five after, why don't we get started? Meeting notes are posted in the Zoom chat.

A

For folks that are new to this call, this is the Cloud Native Network Function working group.

A

It's one of several telecom-focused initiatives within the CNCF, and this call is being recorded and will be posted on YouTube at some point after it's done.

A

I'm going to bring up the screen share.

A

I.

A

I think that worked; I should be able to see my screen share on the call. You can add your name, it would be appreciated here.

A

This group meets Mondays at 1600 UTC.

A

We shift with the time changes, but it's, um, I guess it doesn't shift. I'm sorry, it says 1600, but we should be this way for a few more months. And for those that don't know, uh the main purpose of this group is around documenting and publicizing cloud native best practices for telecom applications running on Kubernetes-based environments.

A

That's our main focus right now. We have a lot of documentation that we've been working on around use cases and user stories; we're going to be publishing best practices and also writing up things around problem areas. So if you're trying to utilize a Kubernetes environment and having a problem adopting any type of technology or methodology or whatever, then we want to note those and try to see, you know, what are the problems and what tips and things we can have to work with those.

A

Usually that's general, generic, vanilla Kubernetes. But if it's specific environments, hosted environments, then we want to know those too. One of the best practices that we had done a lot of talk about was in the area of security and specifically least privilege, so we had one practice that we wrote up called non-root: not running your processes in containers as the root user.

A

There's a lot of different things you can do regarding security. If someone, say, discovers an exploit, or there is a bug, or maybe just something goes wrong with your application, not having root limits the damage within the container. There's a lot of other places that you can have problems, but this is just one area, so it's recommended to not run as root, and we've written up some stuff around that.

A

So that would be one of the areas.

A

I'm going to jump right in. If someone has any agenda items, actually I'll just ask: does anyone have anything that's not written? We have "check and pull requests" right now, and I'll go over the upcoming events as well, but anything else to add?

B

I don't know, uh Taylor, you remember that I sent you, okay, the, you know, very very early draft of my next best practices around the API server, and if we have a few minutes, okay, somewhere along, just a small feedback would be, you know, helpful for me, if this is the way to go and start creating items from this.

B

In the repository.

A

Yeah, for sure. Would you like to, um, drop a link in here and we just get some feedback right now on the call? Yeah, I mean.

C

Even if it's.

A

Minor georgia, kind of give an overview of it, and then, um, do you have comment access available on the document? Yeah, I will open it. It just opened comment access, um, since if we're going to drop a link in here, we don't want random people on the internet modifying it. But if they can do comments, then you can approve or reject. Sure, all right.

C

So.

A

Just add that, um, below the meeting host "review open pull requests" item, okay, okay. Does anyone else have anything they'd like to add,

A

or have any questions just about the CNF working group?

A

All right.

A

Okay, so um MWC Barcelona, um, is anyone going to be there? Do you know of any specific, interesting events?

A

I don't know of anything that's made it from people that I know that submitted

A

for MWC.

A

All right, how about, uh, ONE Summit?

A

Nope, okay, so KubeCon EU, um, see if these are closed. So if you didn't get them in, that's too late for that. But if you have something interesting, feel free to add an entry here, just so that we know about it and everyone in the group can see it. Um, Nikolai?

D

I can share, hello, this is Nikolai. I can share that I'm on the program committee for the networking track, and there are lots of interesting things going on there. And it's a pity that only a handful of them will make it to the conference, but yeah.

A

ONE Summit or KubeCon?

D

uh KubeCon, sorry, all right.

A

Cool, um, well, I guess when they make it through we can add them, I guess would be the next thing. Yeah, people that don't make it through, Nikolai, if it seems super interesting, maybe you could tell them to come.

A

Tell.

D

Them.

A

Tell them to come and talk to the working group after they've been rejected.

D

Okay, this makes sense, but then.

A

All right, um, so there's going to be a co-located event that CNCF is putting on, uh Cloud Native Telco Day. So for anyone that doesn't make it through the CFPs for KubeCon itself, maybe try to get them over, but uh probably ask them anyways.

A

So if you're available, um, at those times and you'd like to be present at the co-located event, Cloud Native Telco Day, then uh let me know. Um, I don't think we have details yet for submitting on that, but we'll get that added as soon as we have it. I should hear more this week about that.

A

All right, um, CFPs not open for the NA. I'm gonna go ahead and pull up the pull requests. Oh, we have several here. What do we have, 25 days ago?

A

So is there anything else on Jeffrey's air gap? What happened to the unicorn? Let's try that again, there's another unicorn, too long.

A

It loaded this time.

A

That hasn't been resolved. This hasn't been resolved. Probably need

A

someone else to step in that would be interested in air gap to help. Jeffrey is no longer a charter and, um, getting things going at his new job, and we'll see how much availability he has going forward.

A

Yeah, I don't really see anything else, but this is still something folks could look at and give some feedback on, uh, especially since we have some of these that were able to be resolved. So if there's anything you want to change, you click on the plus and then "suggest an edit"; that is the most helpful way to move it through. But you can take a look at this one, these user stories. These user stories will be helpful in many areas to help us with supplemental documentation.

A

I'm going to move on. What do we have?

A

Best practice, compliance.

A

Oh yeah, all right, this one, um, folks can look at it. It's not ready yet, I've got to get back and continue on it, but this is one of those where, when you're looking at a set of best practices, or you're working on the tests, um, maybe you're working with the CNF Test Suite and trying to pass as much as possible, whatever, you're trying to improve your software and going along, but you've found an area where it just doesn't work.

A

This is an area where you don't feel like you can follow a recommended best practice, for whatever reason, very valid reasons. Maybe it's in conflict: you're following, like, HIPAA compliance or something, and you can't follow something because it would conflict. Well, this is about, and we need to update the title there, but this one is about documenting any type of exceptions.

A

And communicating, where you can, when and where you're not able to be compliant, um, and the reasons and stuff, and making that easily accessible for the people that care about this. You know, so this could be the ops team at a service provider or wherever else, um, documenting the reasons around that, and then some suggestions there.

A

So if anyone has comments or wants to add to this, that would be good, but this one is definitely a draft right now.

A

Any comments or questions? Otherwise I'll move on.

C

All right.

A

Oliver, are you here? You are.

E

Here.

A

Yep, I am here. You go, this is all you, I'm going to let you.

E

You want me.

A

To screen share, or you want to take over? Yeah.

E

No, it's fine, you can just keep it up there. I mean, yeah, I think we uh opened this pull request just before the holidays. Um, I think we've done this in the past. Today we already have a use case which really looks at stateful CNF, um, but trying to go a bit lower level, sort of to tackle not only use cases but some of the user stories.

E

um I opened this up with Taylor here just before the holidays, and these are mainly derived out of, you know, what I would say 4G and 5G, um, you know, online charging system perspective or convergent charging system. The company I work for is offering a product in this area, um, and so these are some of the challenges that we face in terms of, you know, cloud native, uh, for places where we are dealing with state, need to manage state as part of a 3GPP compliant 5G core.

E

um So that's where these use cases or user stories are coming from. I have tried to genericize them a little bit more, and the reason for that was simply to try to create some appeal for others who might recognize

E

uh, you know, some areas where they are also facing some of the similar challenges. And I see that, um, we've had some comments on here that, you know, maybe these are more IT related. You know, I don't totally disagree, but they are in fact network related. Um, so we are talking about CNFs, um, talking about network functions, uh, and I certainly see the CHF, um, as defined at least in 3GPP,

E

um, that is a network function, um, and therefore, you know, there are some interesting challenges that I think we need to work around. So by all means, if you have thoughts or comments, please do have a look.

E

This would be interesting to see if we can get this to push it a little bit further along.

A

Do you want to give just a quick run-through of the stories and use cases?

E

um Yeah, why don't you come down then to the first one? Okay, so yeah, I mean basically the way I would look... Sorry, go up just a little bit, Taylor, apologies, uh right there, yeah. So I will try to run through it fairly quickly. Uh, if you look at the, you know, the way it works is we start off kind of at the highest level, and what I'm doing by doing it this way is to say, you look at this use case.

E

You talk about a CSP, a service provider. You know, just recognizing that, almost at the highest level, there's a need to maintain, you know, persistent data: things like subscriber information, account balances, quota balances, you know, different things that are used along the life, the journey of a subscriber. And also recognizing that that data may be fairly static in nature, or it may be very dynamic and changing, you know, all the time.

E

um It's just kind of a starting point, uh, to this, and then I go through and give just a few examples with the user stories. So, you know, from a user perspective, I have an address on file. I may need to change that. You know, I expect my provider to be able to allow me to do that kind of thing.

E

um So it's just making the case that the CSP needs to be able to handle that. Um, at the same time, then, if you move into sort of point number two here, it starts to move into cases which are more, um, you know, dynamic in nature. So things like, I have a balance, and just like my bank, I expect my bank to be able to maintain my balance and it should be accurate, um, or, you know, things that I have purchased.

E

If I purchase a number of, uh, you know, gigabytes, for example, I expect my service provider to maintain an accurate balance of that, because that will also be used to trigger different decisions:

E

whether or not I can use a service or continue to use a service, or perhaps my quality of service has changed because, you know, some threshold has been met.

E

So that's kind of the very first use case or user story. Then you go to the next one, which, the way I see this, is kind of nested, saying: okay, well, that's great, I'm in that situation, but depending on what you're doing, you may also have a need for things like real time and low latency. And this is certainly again an area, from an online charging system,

E

where the need for real time is quite key. So I've described this in a use case, you know, basically just describing it as being able to perform real-time CRUD actions. So, you know, when we create things we want to be able to update them and to delete them, um, and there's a number of different reasons why this would be necessary. One of the main ones from an online charging perspective is that you're trying to limit the financial exposure, um, primarily to the service provider.

E

Right, I mean, I shouldn't allow you to do something unless you actually have the right to do it, whether you have, you know, monetary funds, or if you've actually purchased already some, you know, quantity of some data or events, whatever it might be, that you're allowed to do. I don't want to allow you to start doing that or continue to do that if you've run out of money, because then I'm basically putting myself at financial risk.

E

So this is where sort of the real-time, uh, low latency comes in. And if you scroll down just a little bit, Taylor, to the user stories here, um, I just outlined a couple of examples. No, not that far, not that far, just go up a little bit to those three green, yeah. So the user stories here are just kind of again playing from a subscriber doing different things. Uh, the first one saying I want to access a service.

E

I'm not going to go into this in detail, guys, but, you know, just basically saying, hey, I want to do something, but before I can, you know, the CSP needs to determine if I'm allowed to do that. Likewise, if you look at number two, this is really, you know,

E

I'm using a service, and the quota that I have, you know, from originally being allocated, is going to be consumed. And therefore, you know, during the period of me using a service, there need to be frequent checks to make sure that I'm not going over and beyond what I'm allowed to do. And again, it may serve to make different, uh, decisions, uh, which is the third point. So looking at an example here, you might have in 5G an IoT device in a smart factory, and

E

it's attempting to access a higher quality of service network slice, um, to accommodate a spike in production. So there's a need to, you know, get a better quality of service. Well, before we can enable that, um, we may want to first ensure that the device has, you know, the possibility to do so, or if it has already utilized, for example, a threshold that was, you know, allocated for the week, for the day, for the month, whatever that might be.

E

So this is just an example of how it might be used. Um, you know, and if you don't have that threshold, or if you don't have that balance, then you'd be denied, or that particular device would be denied stepping up to a higher quality of service. So again, it's just examples of how, in the end, this persistent and dynamic data is being used and carried forward to make different business decisions.

E

If you scroll down just a little bit, then, uh, Taylor, we'll get to that next point here, being the high transaction, just a little bit there, high transaction processing. So, you know, in addition to that, again, I'm drilling deeper and deeper into some of the use cases that we face, uh, and one of the things is that we're dealing with, you know, quite a large amount of, uh, transactions that are taking place per second, and I think most of us are probably familiar with that.

E

You know, if you're looking at it from a 5G perspective, you know, the expectation is this is just going to continue to grow, and we have some examples ourselves. I think I've mentioned it, um, in here, and I don't remember, give me a second here, yeah, hundreds of thousands, for example, of transactions per second. Perhaps there's others out there who have,

E

you know, examples where there's an even higher number of transactions per second. Um, but these are business decisions, right? From our perspective, each particular, uh, transaction is eventually a charge, uh, that's being applied for, uh, some type of event, uh, that has taken place in the network. Um, so this is why we're kind of saying that it's important to be able to handle very high volume.

E

So it's not just, you know, one or two, uh, transactions per second, but a high number, and we're needing to do things on a very low latency basis. So that complicates and challenges things technically for us a little bit further. If you go one more, um, a little bit down: ACID compliant. So I think from our perspective, this is not an option. Uh, so again, because we're dealing with financial transactions, um, the expectation is that these can be relied on, always, that they're accurate.

E

Always. So when you're making decisions of, um, you know, a financial nature, it's not okay to make decisions on things that are not yet accurate, or, you know, maybe accurate later, but at the given time, uh, you know, it may be incorrect, uh, data. That's not okay. So we are required to be ACID compliant. So this is again one of those things where, you know, you say: okay.

E

Well, how do we ensure that, when you're dealing with, perhaps, you know, distributed, uh, data, and, you know, high volumes and low latency responses, you know, things become more and more challenging? So that's, you know, again, another one I think would be interesting for us to explore some of the best practices around, how others handle it. You know, again, as you follow down this tree, it's sort of, how do we handle that, and then, if you have to do that as well, how would you do that?

E

You know, what are some of the technologies that, you know, might be possible to use, or best practices, uh, that might be, you know, useful. Um, I don't want to take all the time here, Taylor, so if you just want to slide down, I think we've got one, maybe two more: the availability and continuity.

E

You know, I'll kind of try to go through these a little bit quickly. Um, yeah, I mean, as users, I guess, if we think about it, you know, we're expecting our services to work, right? I mean, we want to make sure that they're, you know, I say at least from a customer perspective, the expectation is that services that I want to use are available

E

24/7/365. So, you know, CSPs need to have that high availability, and I don't want to pigeonhole us into sort of the five nines or something like that. I was thinking mainly from the perspective of, you know, how you accomplish that, whether you have the resilience and you can, you know, spin up. Um, you know, if you've got a number of instances running, uh, of a particular service, uh, one goes down. Well, it's not the end of the world.

E

You have multiple and you're able to handle that. So that's kind of where this one was coming from, um, as is the next point, really, you know, instant and total recovery, which is basically saying, you know, that persistent data is extremely critical. You know, back to the point it is making, there's financial implications. There are business decisions which are being made from that data, and again, it's not something we look at at the end of the month.

E

um So I want to, you know, erase any notion that this is sort of billing data, and, you know, we've got, we still have time, but this is sort of, this is in-line, service being used. This data is constantly being, you know, accessed in order to make decisions for that subscriber, for that particular device, um, you know, what it can and cannot do or consume. So this is,

E

this is sort of the last place where I wrap up. And then, you know, I'm sure there are other challenges, other, you know, things that need to be addressed, but these are the key ones that I think, from a matrix perspective, what we see and what we face within our, uh, area that we work with in, uh, you know, convergent charging systems for 5G.

E

Hopefully that helps and provides some clarity.

A

Thank you, Oliver. Um, comments and questions from everyone?

E

And this was to, I don't know if pankau is on the, uh, is on the call here, but yeah, I threw a comment in there. I just think it's, you know, I think there's certainly more, uh, examples of where we have some of these same kinds of challenges, and I don't think that, you know, some of them are going to be complementary.

E

Some of them may be, you know, completely new. Um, I, you know, I don't particularly see these use cases or user stories as being accounting related. I think these are very much, you know, they're online charging, they're,

E

you know, convergent charging, they're in line to the service, you know, experience, uh, and very much, you know, impact the customer experience, um, in real time, in the sense that, you know, if you have inaccurate, uh, data, you may be denying a customer service when they should have service, or providing them a certain experience.

E

um And again, I'm talking people, it's easier for us, but it could be a device. It could be, you know, a piece of equipment that is, you know, then, uh, stopped from doing what it should be doing, uh, because of, you know, not accurate data, and that's why I think this is extremely important to the work that we're doing.

A

Yeah, one thing to always keep in mind: IT-related things are used all throughout telecom, just like everywhere else. If you're using technology, then it's likely that both generic IT problems and generic IT solutions are more than likely to be applicable.

A

They may need some modification, but they're very likely. And of course, this particular set of problems, use cases, user stories, in the context these are being used, by telecom applications that matrix and other 5G application providers are creating.

A

um We can always add more user stories, so I don't want this to be a block, if anyone wants to write up any of this.

A

These particular ones, so this is referencing a good paper. It's also, it's always great, by the way, to reference existing papers and content, so we can pull more and more material and show relevance and why it's helpful and important. If anyone wants to take these and do a write-up on any of them, especially if it's relevant to you because you're working on these problems, then please feel free to, and this can be adding to existing documentation because you feel it's related, or creating new documents to add into this section.

A

This pull request is going to the docs folder, covering any user stories, use cases, but you can add new ones there or add to existing. I don't want to block this, though, based on that. So if folks can look at it, and as long as you don't see any problems, I mean, go update this one. Let's get it

A

merged. I'm going to do a review, um, Oliver, this week, to go through and make sure there's no, you know, spelling or grammar or anything that we want to adjust slightly, and otherwise, uh, you'll have a thumbs up from me in the next couple of days to merge, and we want to get some reviews here.

A

If you're not listed and you'd like to be added as a reviewer, then just let me know, but feel free to add comments, and you can put a thumbs up in the comments. Once we have a set of thumbs up and we've addressed any concerns that we feel should be addressed before merging, then we'll merge it.

A

Similarly, for this one that Ian's working on, if you add comments, we'll try to address those, and then, ideally by, uh, next Monday, we can get both of these merged, the stateful one for sure. The air gap may take a little bit longer because Jeffrey's not available, but I think again, these are just areas where we're trying to give context, and then we can add to that context.

A

Does anyone have any questions or comments? Otherwise, I'm going to hand it over to Ben.

A

Okay, um, Ben, are you ready? I'm sorry, um, yeah, you want me to share? Are you ready, Ben? Yeah, yeah? Sure, okay, I'm gonna stop my share and I'm going to let you share. Go ahead.

B

In just a minute, okay, while I'm getting back to this window. So again, um, as part of...

B

Oh wait a second. Do you see my window?

B

I do. So, um, again, our last meeting was way back, so I'm just going back to the original story, okay, of adding, uh, security-related best practices, okay, around the CNF, and, um, I just simply, you know, started to get together

B

uh, you know, the best practices, uh, going from the top to bottom, I mean, going from the most relevant and simplest things, uh, with some specific recommendations of best practices. So not just a high-level, uh, suggestion, okay, of, you know, like, sometimes we joke, okay, we say, "try to make your system secure," okay, but that's the recommendation, and usually it's not enough.

B

Obviously. So, uh, what I'm trying to do here, my proposal was to start from the network security part of the Kubernetes installation and how to set up a cluster, okay, in the telco industry, which is, you know, somewhat, um, I would say, uses Kubernetes more natively than, you know, users who are using Kubernetes, uh, through a cloud vendor.

B

So, um, I started to collect the recommendations around network and started with the Kubernetes API, because, uh, in the previous meeting we discussed the two main parts, which were, on the one hand, protecting the Kubernetes API server and the access to the API server, and the second part was, in general, the, uh, protection of the Kubernetes, uh, control plane, uh, and control plane components: not just the API server, but also the kubelets, the scheduler, etcd and stuff like that.

B

So, um, I just simply started. I opened this document, okay, and I'm going through, you know, one by one, the configuration of the API server, and simply, you know, taking the configurations which I think are relevant to a secure installation of the API server, um, and listing them here:

B

okay, what is the best practice and how to do it. So, um, for example, okay, uh, disabling anonymous requests, okay, uh, in the API server, so the API server won't do anything for unauthenticated users, uh, which is an option, you know, in the API server that you can enable for many reasons, uh, anonymous requests to the API server; uh, audit logging, okay, how to set up audit logging and the audit log, so, uh, you have a trace of any kind of, uh, security, uh, event, in case of any security event.

B

You can have a log of what was done against the API server; uh, the authorization configuration and authentication configuration. So, uh, um, on the one hand, okay, obviously, today we are, uh, promoting those also in the security. We are promoting role-based access control in any kind of, uh, setup. Uh, obviously, okay, the authorization needs to be allowed, but, but bypassing RBAC...

B

Authentication is important, okay, and something up to how we think that a modern deployment of Kubernetes should look like, uh, and simply I'm going to, uh, go through, okay, now, the API server client authentication, and, uh, progressing from here to the access to etcd, uh, and setting up secure access to etcd, and, you know, putting inside, you know, not just, uh, the statement, but also, okay, what is going to be set in the actual deployment?

B

Okay, what is the, uh, actual recommendation of configuration, um, and if at least, okay, someone decides that, for his deployment, for some reason it's not good, at least we have to make sure that they understand what chances they are taking and what is going to happen if they don't use the best practices. And, you know, um, I think that this might be okay.

B

The resolution here is, uh, you know, very detailed here, okay, and, uh, you know, really going into kind of different configuration settings, but on the other hand, I think that, uh, this is for someone who's hands-on, uh, to create the deployment.

B

uh It is going to be a, uh, great way of going through these things, because in general, okay, these are not, uh, very new things. Okay, these are things which many of us, myself and other people from security, discussed in different places. Okay, but, uh, I think that this is going to be a one-stop shop of how to set up these things, and I would be glad to get some input.

B

If not, then we'll just progress, okay, and wait for you guys to edit the actual repository.

A

Thank you so much, Ben. It sounds great to me. Um, I'd like to hear some feedback if folks have any.

A

Nikolai, you're quiet.

E

Yeah, indeed.

A

Have any thoughts?

B

So, guys, uh, really, okay, so you can, you know, use Slack also, uh, and you can also come, I tried to enable comments here, okay, in the document. So, um, I will try to finish by the end of this week, okay, all the API server communication part.

B

Then, okay, I would be glad next week to just discuss how to edit it, in what format we can add it to our repository, and

B

I assume that we are also still recovering from...

A

I.

B

Tried.

A

To, um, and I tried to access it from an account that you didn't share with, and it's not accessible.

A

Okay, can you set the settings so that anyone in the world with the link, anyone with the link... so that, yep, sure, yeah, click on share with armor bottom left and then change it, on the left-hand side, uh, anyone with link, but make it comment only. Yeah, yeah.

A

It should work. All right, now I'm gonna refresh. I should be able to access it. Okay, great, I can access it now, and I should be able to make a comment. I'm going to make a comment. Yeah.

A

There we go. I also should be able to, the good thing about this is I should be able to,

A

yeah, see that, that's like a suggested edit, okay, see that at the exclamation point, yeah, yeah. So everybody that has the link,

A

If you want to add, if you have thoughts or comments, or you just want to update, like, grammar, spelling, whatever, add some clarification, either add a comment or directly suggest an edit. I'm going to delete my suggestion, but you can suggest an edit and then we'll look over it, and if it's, you know, aligned, then we can just add that right in, and that'll help Ben move this along. Feel free to look at it and review at your, you know, whenever it works for you, your time.

A

Thank you, Ben. I appreciate this. I think this can be a very good one to get in.

B

Awesome.

A

Thank you.

B

All right.

E

Sure.

A

If there's nothing else, then we'll end there.

A

And we'll be back next week, same time, same thing.

C

Oh, hi, everyone. I have a question. Actually, oh, go ahead, hi! So I'm new here. My name is Charles Unizy, and I always ask how would I contribute, because I'm pretty new to this technology, though, but I was hoping maybe there are resources I can probably read up on.

C

You know, anything, because I find it very interesting.

C

So yeah.

A

Well, if you're wanting to contribute or you're looking... I don't know what you're looking for, if you're developing an application, trying to look for improvements, or want to contribute somewhere.

C

Yeah, maybe contribute, probably contribute to the writing, I guess, because technically I'm not that good right now in this aspect, yeah.

A

All right, so this is a new area, maybe. So the working group has documentation. You can look under the two main areas. I'm gonna try to bring this up. I can screen share as well, and let's see, all right, so there's these user stories and use case folders. We'll probably move those under this documentation folder. I'm going to bring this up, but this would be some areas to kind of look and understand context around problems that are trying to be solved, specific to communication service provider environments.

A

But a lot of these are generally useful for any type of networking environment and problems you're running into, and some of them are even applicable to general IT issues. But you have, under these user stories, this is a security-related set of user stories, supply chain attacks, so these are laying down a bunch of areas where there could be problems, and then we could talk about what are different ways that we can try to address these. If an attack occurs, then what are you going to do? How do you try to prevent them?

A

That is one thing, and then, whenever you can't prevent it and it happens, then what can you do? And that's what a lot of this is leading up to. Under the use cases we have different things like onboarding, so this onboarding, that's about a new application.

A

Let's say you have a firewall or a charging application, like what Oliver was presenting user stories related to. You're bringing that into an environment, and what are the different things that you may want to think about? This was actually put forward by a service provider talking about some of those different life cycle issues, more on the stateful things you should think about. This one's more specific to an application and a set of, I guess, related applications, so BGP, and what you need to think about, and there's...

A

If we go into some of these, they have related diagrams. What are we looking at here? So these are all areas for context. Under, let's see, this document area, that's probably not it, here we go, so the best practice area. Right now we don't have any that are published other than the non-root one. I think in this quarter we'll probably see a few more, and then more and more come along as we've gotten all the rest of the documentation, the context, but we should start seeing more in here.

A

These are going to be specific, so if you're interested in bringing over best practices that exist in other areas: non-root is not something specific to CNFs. It's a good practice everywhere. It's utilized in many areas. If you're in a hosting environment that uses SELinux, like Red Hat's environments or other hosted solutions, or maybe you're seeing an environment where someone's building their own Kubernetes-based environment, they may have root capabilities disabled.

A

So maybe you're already doing this, but it's a good practice. I mean, even if you're directly running on the host, it's been a good practice for a long time to run non-root.

A

We want more like this. It talks about why a very specific practice is useful and why we're recommending it as a general guideline that you should follow whenever possible, and this ties into a lot of those user stories that I pointed out before, the supply chain attacks and where non-root could help, and then the trade-offs that you're going to have.

A

If you go through, there are a lot of references. I think it was Ponchai on one of the other pull requests who said to add references to white papers, so we want to always have references if they're out there, and we're happy to see them. So these are all areas I think you could go check out if you're interested in the documentation side, reading or writing up new ones.

A

The CNF test suite: this effort is around implementing tests that are checking various practices, so similar to the Kubernetes e2e test suite, and really most environments where you're already building software and you want to test and validate that things are running as you expect. The, I guess, implementation side moves at a different speed from the documentation side, as in the working group we're figuring out how things make sense to a large group of people and trying to improve how it's communicated. On the test suite we have at this point...

A

I think it's close to 50 tests implemented across many different categories. So we didn't really talk about the categories, but if you think about the stuff that we're talking about: compatibility, the statefulness that Oliver talked about earlier, security, there's a lot around security. So there's a lot of different areas, so the test suite itself has close to 50 tests, if it didn't hit that already over the holidays, and this would be another area if you want to come check out and take a look, if you want to run it.

A

So if you actually have an application that you're wanting to test, there's a quick start on the main README where you can actually run and try the test suite out, if you already have a Kubernetes environment, and utilize an example CNF.

A

If you don't want to try to configure your own yet, in five steps you can test with it, and then you can go check out the install guide and configuration guide for more info, and the individual tests.

A

You can go look at the usage guide if you want to read about those. I'm going to bring up the security ones here, for example, like privilege escalation, so this would be on just non-root and whether there are capabilities to do escalation in your container or pod.

A

This is actually one that's utilizing

A

Kubescape from ARMO, and you can go read more about this specific test, but we try to put reasons why it would be a problem to allow privilege escalation. Not that you may not need it, that's fine! If you have an exception, it should be written up, but in general we're saying you shouldn't allow it for most components and most applications.

A

So we have tests around that. There's a lot of other areas, and we're trying to write up and include documentation for each of the areas as well as remediation. If you're trying to improve, then we try to link out to different documentation to read up on and do those improvements.

A

So if you're wanting more on the implementation side, then getting involved in the test suite would be a good place. There's a contributor meeting that meets on Thursdays at 14:15 UTC.

A

You can join there. There's Slack for both the working group and the test suite channel, so you can chat in those, but either way, you know, you can get involved, read up, learn more about the area, and we're happy to have more contributors on any of it, including stuff as simple and straightforward as grammar and spelling mistakes. All contributions would be appreciated.

C

Amazing, thank you so much. Thank you.

A

You're welcome.

A

Any other questions or comments before we end the call?

A

All right, thanks, everybody, we'll see.

E

You.

A

Again, next week, same Zoom, same time.

A

You.
From YouTube: CNCF CNF WG Meeting - 2022-01-10
