From YouTube: CNCF SIG Security 2020-06-17
A
Okay, so, comments on the document itself. Maybe we can just quickly browse through those and see if there's some worth discussing, and then we'll look at, so I have the CRDs drafted, and just a very simple example we can look at inside a cluster, and we can talk about, you know, next steps and what we need to do to get, like, a PR in and get this into the repo.
A
Okay, yeah, it's just kind of scanning through it. Yeah, it's talking about state transitions, and I guess the idea is to record some of these states, right? So you're, we're interested in policy results, obviously, as a state. Okay, that's fine. Then I think we were talking about audit logs, and also, I think, Robert, this one's from YouTube, which is talking about, yeah, audit logs serve a different purpose. That's correct.
A
Yeah, I guess I was trying to, you know, at one point, if you recall, there was a discussion of, should we be using the, if the flexibility, or a proposal to provide more flexibility into the audit policy and allow multiple sources of writing to the audit logs, would that make sense to put policy results there? But I, you know, perhaps as just another output stream, but I don't think it replaces what we, or it doesn't overlap with having a policy report, and I think that's what you were mentioning here.
D
Yeah, and I think I've probably gone back and forth myself on that, and I think I come back to where you originally were, Jim, and that, you know, as a convenient mechanism, I think we were looking at the cig off opportunity. But when you take a step back and say where does this logically belong, for me, it doesn't really belong in the, right.
A
Okay, sounds good. Multi-tenancy: that was your next comment, Robert. Yeah, so that's the interesting one, and that's where I think the custom resource, we want to allow both that cluster scope as well as namespace scope, to make it possible to report violations for namespace owners if they don't have access to cluster resources.
D
Yeah, and that does bring up another issue, and that's a real-world issue, and that some of the projects I've been involved with, you know, you talk about compliance issues, the decision logs or, you know, in this case a policy violation report: if there's sensitive data in there, that becomes a problem.
D
Guess the only real-world use case I'll speak to is, any guy I want to derail the whole topic, so I'll just leave with us. You know, you have a case of, say, you're a media company, you're using, you know, this for your compliance, and you're trying to prevent, I just say, big data loss, right? So the compliance violation is a case where some end user's personal information is found in the wrong place.
D
If you log that end user's personal information in the compliance report or the violation report, that then itself propagates the sensitive information and now has to be purged and controlled, what have you. Right now, so that, that date, I read? There has to be some way, I think, to not just roll back our back control over who can see the, what data goes in there, like, it's right, essential that you put that PHI in there.
C
I think this is a very valid comment, right, but I think maybe, like Jim, you were saying, we need to include some guidelines on the kinds of data that, because there are some free-form fields in the schema, right, and so putting those guidelines, and so that considerations for GDPR and those kinds of things should be, right. Yes, right, would be important. Agree.
A
Yes, the sentence. You write it. It does talk more about violations, so: policy report must provide actionable information and current valuations for the scope. So I thought that was important to call out, though, 'cause violations and failures are probably one of the primary use cases. I mean, yes, there are potentially others, but at least, you know, we want to make sure that if a failure is reported, there's enough information about which object and, you know, which policy and rule, and how to remediate, right.
F
You each represent what is going on right now in the cluster, in the state, and what can be then remedied, but any sort of historical analysis needs to be pushed to a different system, and we believe Kubernetes and those resources as representing the state of the cluster right now. That's kind of more of a thing that is just because how Kubernetes resources in the model of it, rather than something specific to policy. That's my stance, that CD is not going to work well if you're trying to keep history.
A
Yes, so certainly, and I think there's some balance to be found, right, where, I mean, there are examples where some historical data gets stuffed into, like, metadata and other fields, which is not always best, but it's, you know, it's there. So I think, totally agree with what you're saying, Erika, in terms of, mostly we want a report on current state and guide administrators in terms of what they need to remediate, what problems exist. However, there's nothing in the CR that prevents, you know, I think, for what you is asking.
A
If you want to create some multiple instances, and maybe if policy engine has a retention, you know, period or something like that. Now, obviously this would, you know, you would want to say, like, okay, I'm going to keep it, maybe the last three instances, and do this on a daily basis or something like that. So we're not specifying or dictating the period or the retention over.
A
Here again, these could be guidances to, you know, I mean, we could state what Erika just mentioned, that the ideas or current results, but it makes sense, if some upstream management system is, let's say, retrieving information once every hour, you want to make sure at least you've covered, like, your hour's worth of retention, right? So something reasonable like that would make sense to, perhaps, like.
F
If you have a policy resort that show a violation because of some pod that's running something I shouldn't be here, whatever, and that pod gets deleted, having it, the policy results a lot around still, that was the violation, isn't it, often it becomes not as useful, it's out. Did you keep the information? What pod? Well, the pods changed. I think the policy result needs to change somewhat, in the best case.
F
Reconciliation live in a similar way, and just like, if you do need that kind of audit information for that pod, you need to kind of have an event stream pushed for the policy results itself. It's so kind of on a, this is what your, to the best effect of the policy engine, this is the state of the cluster, but that makes sense. Rather than thinking too much about retention, it's: this is our best, most recent attempt to give you the state of the cluster in terms of its policy.
A
So that the, and this is, you know, something actually that I, but I was trying out the custom resource. I went with a different approach: because it already has a creation timestamp, I removed these fields in the custom resource, but the intent was to show when this report was generated. So really it was more about a timestamp, and the count was if we want to keep a record of how many times the policy has been scanned or applied on the resources.
C
Okay, so because, for example, in our concept, right, we have a policy controller that will process the policy against the control, and it is that it can be configured to run every so often, and so, if it runs, like, three times a day, then the execution count will show three and the last execution will be the last time it was executed. Is that what it is? That's.
A
Exactly right. So, and of course, if the policy engine keeps, you know, let's say, reports up to one day or one hour or, you know, in addition to the current, then it would have to, the exit, the last execution or the creation date of the resource or tell us which one's the latest. So it will basically create multiple.
A
Totally makes sense, and I think even we can look at metrics as an example, right? Prometheus inside the cluster typically keeps some amount, are very, very limited history, right, like 15 minutes or something by default. But of course everybody wants metrics for the last month, last year, so you would push that into a management cluster or some other management tool offline, or that tool will pull the data through events or through other mechanisms, and you can have long-term storage there. Okay.
F
Good point. Like, I think we, way back, a couple years ago, when helping my intern build the container scanning operator thing, I think we pushed Prometheus metrics for it, and that was, like, a really cheap way to kind of get a history of the policy violations. I don't know if it still does that, but we could talk about, like, standardizing on that, like, we recommend you push, your controller also pushes these violations to, like, Prometheus, using the same kind of format or something.
C
Yeah, yeah, we can take that offline and, if necessary, come bring it back here, because we do have an observability component that we will be integrating a bit as well, which is going to be collecting metrics and such, so that's good. Okay, are you, I didn't really do drop, though he's still around, yeah.
E
I'm still here, yet. The other thing is, it's like, we do want to provide some kind of UI. Oh, for example, one use case is, like, we have a controller that generates, that scans image vulnerability, and then once there's a vulnerability, it'll generate a custom, see our CSS er D. It'll be named as an image SHA, the SHA of the image, and in dusty our it contains some detailed information, like what vulnerability exists in this image, but today it into this report, we only show some summary information.
A
Right, so, yeah, there would be a status and some summary data. I think if you need any other custom data, that would, you know, belong in the data field, at least in this structure right now, where you can put any links, any additional information you would require. And you can also use, for example, if you want to point to a particular part as that source, of course you can use either the resource or, if the vial of the entire report is, you know, just form one violation.
D
Ignore my ignorance on the implementation details, but architecturally it might be nice to have other components decorate these results with that kind of more detailed information. Is that supported? Is that a pattern that's used? So, you know, the policy engine creates the resource for the violation and then some downstream system can annotate or decorate. Annotate is a bad word given that has a notation meaning, but it add data to the fields to enhance the report.
F
The first version did museum, sits in on the pods, but I think one of the things, maybe is this brought up somewhere else, the problem with, for instance, the moment in our vulnerability using, you can't put them all in one policy report, right? You can't link to every single pod necessarily; you might have thousands, so you don't have its own vulnerability, and so I think that's why, you know, sometimes you need to then.
F
Okay, do you create, you decide to create one per pod, sort of a per image, but then you're trying to aggregate the results up, maybe, yeah. This is always a weird one. Perhaps I'm wondering if, in the, where we link to the resource, if we should kind of allow some kind of, like, labeling selector kind of thing, or some other way to gather multiple resources in a way that doesn't require us to list them out.
A
Erika, if you want to, you know, just reference all of those, right, to say that Hebert we're just saying that there's more than one image violation or an image of this type, because the same image could be used, maybe, in multiple pods, and you don't want to reference each one separately but you want to group them, then yeah, labels is an interesting idea, to just have a selector.
C
Think the concern here is that tools that are going to be processing this information, right, information that is in the data area, it's not something that they can count on, in the sense that, you know, they, it's pretty much, you know, very proprietary, right, because we are not speaking it out here. It's.
C
So I think what we are trying to do here is to say that in the non field, which is more strongly typed, even some of that is optional, but at least it is kind of laid out, so the tools that process can look for it, we want to make sure that the critical pieces are there, right? So the question here is to be warned so example that Lou you is bringing up is, it's an example of a drill-down, right? I mean, if I want.
A
Is, there is a support of that through aggregation, at least to one level, right? So the example that I was thinking about from multi-tenant environments is, let's say you have several, you know, workloads, several things in the namespace, or a set of namespaces that belong to a tenant. You may want to create, you know, maybe one report per application.
A
Perhaps one report per namespace, or maybe even just one for the tenant, and the structure allows that just by unit saying, okay, then what your scope of the report is and then what the results are. Now, what we haven't thought through, or at least I aren't, you know, thought there is, if you want reports to be nested or reports to reference each other, how would we do that or support that in again?
B
I really added that comment to basically put my team to see if there was something additional we would need to handle that case. That, I think, our management of, you know, policies that are, you know, being distributed to multiple clusters are probably kind of falling into this multi-tenant, you know, idea here. You know, it's just a different way of thinking about it.
B
Both, right, it would be in both places. So on the managed cluster it would exist as the namespace resource or cluster-scoped resource, depending upon what it's representing, but then a hub cluster, it would always be the namespaced resource, where the namespace is associated with the managed cluster.
A
So yeah, I haven't seen any example where you're linking or I have pointers across clusters. In the Cluster API, in the copy stuff, everything that represents other cluster information, like clusters which are being provisioned and managed, is stored as a CR in the management cluster itself. So yeah, in this case, if you're transferring this from one to another, right, like, the object information, like the namespaces, etc., wouldn't make sense in the hub cluster, in the nomenclature that Gus was using, but so it would have to be somehow.
A
The other question is how much, like, if I'm running a controller inside a cluster, do we have information, like, I don't know, look through just the standard bootstrapping and APIs, can you get, I'm sure you can look up, of course, the API server IP address and things like that, but that's not an immutable ID, right? So I don't know how we would reference these clusters from inside the cluster.
A
So it almost seems to me that if there is, again, some higher-level management system, like in this case the cluster, that should be responsible for transforming the data, enriching the data, if it's storing it in its database, right, that's retrieving it from the source. But at that point you can, you know, you can add additional metadata and update information before putting it into the hub cluster database.
A
So I think there was yet another, so Robert, you had a previous comment over here on the told spec status and design, and I tried to write that up in a better manner, like, to describe what the difference here was and why we were deviating from that model. Not sure if you had some time to take a look at that, if there's anything else we need to write over here or, if the seems I'll.
A
It, okay, all right, there's a comment from Mary, but on labels. So I think, so the question over here was, can we do something like kubectl get policy report and then deploy min my deployment, so, and I, if I understood that correctly, or it's, I mean, you can put labels on a policy report, so that should be possible?
F
What, I mean, in some sense this is, we read the namespace interacts with access control, no kind of way that Kubernetes is not, it's clunky about. Ideally, right, namespaces can literally group together things like your deployments in your violations, help you find them. At the same time, we probably want to be pretty strict of, policy reports can be read by perhaps any user in namespace, but only written by the tool, and the tool or the controller can only write but not read, to keep it within a mandatory access control model.
A
Yes, so initially, when we were dealing with just violations, it was fairly straightforward to have an owner reference back to the object, right, that was creating the violation, or the policy rule, but now that we've moved into a more generic structure, yeah, there's no mention, I mean, it would be up to the engine, and potentially the engine's just recreating this report periodically, right, we're not really maintaining this. So that's a question you brought up in terms of what happens if I, like, well.
A
Of course, if you delete the namespace that contains this report, the report will get deleted. But if you delete the pod or the workload, the report may not immediately get updated, but the next time it gets generated, the pod, of course, won't be referenced, right, there'll be a new set of results in that report. So yeah, so I had, and other than that, I'm not sure what else we would want to mention or how we would want to deal with, you know, if there's a need to have real-time sort of updates.
B
The, you know, your engine label, you know, it's going to reference, in some cases, like you mentioned, Kubb injure or something, you know, that has a, you know, specific home that could be linked to. I don't know that it's worth defining a specific URL that goes along with that. I think the main discussion point was probably what you already covered.
F
This URL, when I think, I, this makes sense, I think I've seen this before. You often want, like, basically, what's the authority on this thing and where is it defined, when it's an external standard, right? For, like, if there's a CVE report you kind of want linked, that, is that kind of what they were asking for, a little bit?
B
So that's more specific to the particular security control that, you know, that's been detected, and I guess the other link would be maybe some more general link, some, you know, it could be like the link out to Ku band or, you know, something where there's some more general information on, you know, the scope of the policy or something like that. So there were three or four different little areas, I think, where they were wanting some more details that varied from policy level down to the results details.
A
So, but could those be put into the data map as different fields, or how would, you know, so obviously, if you're looking at this in a product with the user interface or a web interface or console, then you would, you know, you expect those to be translated into links and things you could click on, but in terms of the raw data itself, I mean, I don't.
A
Right, yeah, so this is, this date information is intended, you know, and just look at what I was looking at, like, output from tools again, like kube-bench and others, which were just showing a summary screen, right, and the idea would be, of course, you can click on each of these to get more details, and I think what we're discussing is where are those details captured, right?
A
The question is, do we need to standardize, or try to standardize, attempt to standardize right away, or is this something, you know, that, as we talked about, you know, we had even mentioned, like, the CVSS scoring and things like that, seems like we could, you know, as we get familiar with and look at tools which are using the structure, we will have a better sense for what to pull up and make top-level fields.
C
Yeah, I think from, you know, given in what we are working with is a management tool, anything that we show on our dashboard or expose through API is, we want it to be actionable, right? So in order to action on a violation, I think the first thing the ops team will need to know is how critical is this, right? So that is why I think the severity becomes important, right, because otherwise you have, they wouldn't know which one to prioritize in action upon trailer, right.
C
That's a challenge I'm facing, because I think the way I look at it is, okay, so Rackham is managing a bunch of managed clusters. It's collecting all these details, right, and bringing it to the hub, and then it provides a way to action them, etcetera, but then, in a real hybrid environment, I fully expect that customers would want to pull the data from Rackham and maybe feed it to something else, right.
A
Yes, I don't know, like, and it just seems like a topic we would want to research and dive into a little bit deeper and then come up with some proposals, if there's a way to standardize. Or even, if you're dealing with multiple policy engines, one way of managing it is, you look at the engine label, and then based on that you can expect certain fields in the data, right? So yes, it's free-form, but it could be that each engine publishes its subset of data, which, you know, just like with annotations, right, that's the approach.
A
People, folks have taken with annotations, that if you're using, let's say, some HCI which has its own networking, it's expecting a certain set of annotations to be there to drive the configuration of that networking. So I don't see why it can't be used, even though it's, you know, put in data. It's just, is it worth trying to standardize at this point without sort of seeing that real-world experience, is my question. Okay.
A
Okay, yeah, and this probably is the first thing once we have this basic structure, and I think the severity in scoring, as you said, right, that's the first thing that an ops team would want to do, is to say, okay, is this something that I should care about, and then, to Gus's point, is, like, what do I do about it, right? So give me a link I can click on to go read up on it and see what to do next, right? Those, absolutely.
A
So I'll see how much of this stuff we can remove and just keep the CRD generation portion of it that Kubebuilder also uses underneath, right? So anyway, the structure is pretty much what we have in the document. There were a few minor things I did, like I mentioned, on the time and the counts, I just, I removed that, because the creation time is just part of every resource, but we could, you know, we could go back and add things back. But this is what the result structure sort of looks like, it's.
A
This is sort of what it would look like in the mo, you know, where this is the results, and then there's a summary, which is, as the counts, there's a scope here in this report, and then, if you just look at it and that's CLI without so, it would look something like this, right? So it's saying there's a report, this is the scope of the report, and it's showing some pass/fail, one, error, skip, and the age, which is from the creation timestamp.
A
I also want to see, like, don't know if anybody on the call has experience with this, Australia look for a tool to generate documentation, and there are some tools out there which can do that, but none of them seem to work that with Kubebuilder, see ours, and there's open issues filed on Kubebuilder v2, you know, in terms of how to generate documentation for API objects. So be nice to, you know, whatever we have right now in the Google Doc, to be able to automatically generate.
A
Or just send them on the Slack channel or put them in the doc. Yeah, I guess you could pair them in as a comment in the doc, or just put them in the Slack channel and I'll add them to the doc. I don't know if everybody on Slack, maybe just let me know if someone wants to write to the doc, I can give him write access, because right now it's, like, world-readable and anyone can comment, but not everybody can edit the doc. You can just add a comment. Yes.
A
Yes, so I don't know, feel it, so next week, why, my suggestion would be, let's do another internal call, go through everything, and we should have, like, the CR working by then, right? So we can try it out in different clusters, and then, if, you know, next week, we'd also talked about potentially you're presenting to SIG, say God, right.