►
From YouTube: CNCF SIG Security Policy Team 2020-10-28
Description
CNCF SIG Security Policy Team 2020-10-28
A
A
B
So
I
think
you
know-
and
I
took
a
quick
look
also
at
ascal
and
some
of
the
things
around
it.
So
I
mean
obviously-
and
from
me
like
you're,
like
in
your
example
too.
It
certainly
seems
possible
to
use
oscar
to
at
least
you
know.
One
section
of
it
right
seems
like
the
spec
is
fairly
comprehensive,
but
the
section
that
we
were
most
interested
in
happens
to
be
in
the
assessment
results
part
right.
A
B
C
A
So
that's
why
we
presented
only
only
that
we
are
also
working
on
the
profile
on
the
mapping
for
for
a
product
or
service
the
mapping
for
from
their
components
to
the
controls
and
and
dependencies.
We,
you
know
inventory,
you
know
formatting
as
well,
so
all
those
are
are
available.
So
I
think
when
we
discussed
with
jaya
and
luis
the
red
hat
management,
the
requirement
was
to
come
up
with
a
phased
approach.
That's
why
we?
A
B
You
no
there's
a
lot
over
there
for
sure,
and
the
other
concern
is,
of
course
you
know
if
somebody's
looking
at
this
in
kubernetes,
I
mean
obviously
for
consuming
this
in
machines
and
tools,
it's
all
possible,
but
for
to
output
this
in
some
you
know,
format
like
a
yamo
where
the
configurations
or
the
report
results
are
easy
to
read.
I
I
think
that's
something
we'll
have
to
you
know,
look
at
more
examples
and
see
how
that
works.
A
B
Right
yeah
so
of
course,
yeah.
If
we
have
json,
we
should
be
able
to
output
it
as
yaml,
but
what
I
mean
is
just
in
terms
of
the
structure
of
the
object
model
and
things
like
that
right.
So
how
does
this
you
know
like
if
somebody
just
is
using
a
cli
tool
and
printing
this
out
and
trying
to
read
through
it?
Is
it
understandable
as
to
what
you
know
what
the
results
are?
B
Some
of
the
other
things
we
had
in
our
policy
report
that
structure
that
we
were
trying
to
define
was
things
even
like
totals,
and
you
know
kind
of
you
know
just
to
again
make
it
easy.
Then
there
were
things
like
categories
and
severity,
so
I
don't
know
if
we'll
have
to
go
through
and
see
how
all
of
that
maps.
A
B
A
Okay
observations,
so
this
is
what
we
and
the
subject
references
to
show
the
inventory
evidence
group.
But
if
you
go
even
more
down,
you
will
see
that
there
is
the
threat
and
risk
so
as
part
of
risk,
you
have
a
risk
metrics.
So
that's
where
we
put
the
typically
the
score,
but
this
is
not
part
of
the
subset
that
I
I
reached
is
a
you
know.
You
know
yet
another
slice
at
the
compliance,
so
I.
B
A
Want
to,
I
try
to
remember
if
we
edit
the
remedy
or
not
to
what
I
shared.
So
that's
why
we
said
by
by
piecemeal.
So
we
can
do
observations
with
evidence
without
having
risk
and
remediations,
but
if
you
know
they
are
relevant
and
the
team
is
mature
to
move
into
that
direction
and
has
already
the
logic
to
to
use
that
yeah
they
are,
they
are
part
of
the
of
the
schema.
So
we
can
that's
the
beauty
we
can
expand
as
needed.
A
B
You
know
like
what
are
the
results
of
some
some
type
of
grouping
of
audits
or
policies
and
then
there's
some
details
on
each
right,
but
it's
really
just
to
indicate
like
a
pass
fail.
You
know
and
and
then
perhaps
give
links
to
others.
So
as
long
as
we
can,
you
know
if
there's
a
way
to
map
all
of
this
and
capture
this,
then
of
course
you
know,
I
think
going
with
something
with
a
standard
which
is
already
defined,
has
a
lot
of
value
so.
A
B
A
Partial
result:
okay,
you
know
what
does
it
mean
that
I
have
three
pass
and
three
fails
and
then
I
move
to
a
you
know
more
aggregated
with
others,
and
I
have
different
summary.
But
now,
actually
I
see
how
is
used
here,
because
this
is
an
example
for
one
single
policy,
and
I
think
this
can
be
added,
because
the
observation
is
atomic,
so
we
can
get
a
summary
to
say.
Oh
this
aggregated
result
for
this
control
across
whatever
is
in
the
observations
right.
A
Atomic
with
that
control
evaluation
comes
from,
eight
pass
two
fails,
and
this
is
why
you
know
zero
warning,
zero
errors
and
that's
why
it's
a
fail,
because
it's
eight
passes
and
two
fails.
The
ten
rules
that
I
aggregate
give
me
a
fail,
because
I
have
this
eight
pass
and
two
fails.
I
I
think
I
can
I'll
look
how
I
can
add
this
as
a
as
part
of
the
properties
or
because
that
that
can
be
done,
and
that
is
atomic
is
that
observation
is
not
something
that
is
changing.
Whether
I.
B
Correct
so
this
is
like
a
capture
of
a
point
in
time
report
for
a
particular
set
of
policies
on
a
particular
set
of
resources
like
in
kubernetes
you're
thinking
of
mostly
of
this
as
a
namespace
scope
right.
So
if
I
have
a
namespace
and
I'm
applying,
let's
say
my
pod
security
policies,
I
want
to
know
a
summary
result
for
how
many
pass
how
many
fail
and
then
I
have
some
details
to
go,
and
you
know
figure
out
which
rule
failed
things
like
that.
A
Okay,
so
if
we
are
looking
at
the
namespace,
this
means
that
our
approach
here
is
from
the
right.
What
we
call
here
subject:
resources
right
from
an
inventory
point
of
view.
These
are
my
name
spaces.
What
oscar
does
it
approaches
that
from
an
compliance
point
of
view,
so
the
the
display
here
you
see
it
is
by
control.
B
A
Eight
passes
and
two
fails.
It
would
be
at
a
three
level.
What
you
are
looking
is
at
the
summary
from
an
inventory
point
of
view.
So
again,
I
think
it
depends.
Who
is
the
persona
that
the
working
group
here
for
the
result
is
targeting
if
we
target
operators?
Of
course,
they
cannot
care
less
about
the
ac
summary
ac3.
They
are
looking
at
namespace.
So
I
think
we
maybe
you
need
to
clarify
what
are
the
personas?
Yes,.
B
So
the
two,
the
two
personas
we
have
talked
about
are
you
know
the
namespace,
so
typically
it's
an
application
owner
that
might
be
the
namespace
admin
and
then
there's
the
there's,
the
cluster
admin.
The
operator
like
you
mentioned
right.
So
I
think
those
are
the
two
somebody
is
looking
at
things
cluster-wide,
but
then
there's
also
maybe
like
a
sub-admin
or
somebody
who
cares
only
about
that
namespace
and
they
want
a
summary
of
okay.
What
are
all
the
findings?
What
are
the
problems
or
issues?
I
need
to
fix
in
my
workload
to
be
compliant.
A
A
Yeah,
so
what
I
was
saying:
oh
yes
from
from
an
operational
point
of
view,
I
think
we
we
don't
need
oscar
right.
We
don't
need
the
compliance
approach
if,
if
they
are
looking
at
what
is
failing
in
my
environment,
because
it
will
not
be
only
failures
from
the
a
compliance
controls
point
of
view,
it
will
be
all
their
failures
right.
There
are
other
aspects,
then,
so
would
it
make
sense,
then,
from
an
compliance?
Let's
say
compliance
operator
to
present
the
information
from
inventory
and
name
spacing's.
A
Point
of
view
this
audio,
because
it
will
be
misleading
right,
say:
okay,
this
is
what's
failing
in
your
namespace.
Rather
I
would
like
to
have
the
operational
operator
to
present
those
and
here
to
really
focus
on
the
compliance
aspects
and
and
focus
from
an
right
policy
approach
or
control
approach.
B
Okay,
so
so
what
you're?
If
I
understood
correctly,
what
you're
saying
is
with
oscar
it's
more
you're
going
through
each
control
or
each
comp.
You
know
policy
and
you're,
saying
which
you
know
workloads
or
which,
let's
say,
let's
take
pods
as
an
example
right
so
across
my
cluster,
which
pods
are
compliant,
which
may
not
be
compliant,
but
there
is
there.
So
then
it's
left
up
to
some
external
management
system
to
say.
A
That
be
done
exactly
so.
The
the
again
is
a
question
of
you
know
our
goal
and
how
I
traverse
this
json
to
extract
what
I'm,
what
I
needed
by
default
oscar
organizes
the
result
per
regulation
and
for
regulation
controls
rather
than
per
inventory
and
right,
namespaces
or
clusters,
or
things
like
that.
A
We
have
another
another
schema,
which
is
the
system
security
plan,
which
is
the
one
that
includes
the
scope,
the
inventory,
the
subject,
references
for
which
the
assessment
is
done
right,
so
that
that
can
be
the
format
for
the
inventory
and
and
then
we
can
extract
from
the
assessment
the
the
the
summaries
at
that
level.
So
there
are
different
ways
to
to
to
slice
and
dice
here,
but
the
schema
itself
will
provide
natively
the
information
per
control,
posture,
hi
gus.
Thank
you
for
joining.
A
Am
I'm
if
you,
if
you
I
would
like
to
have
some
introductions?
My
name
is
anka
seiler
and
I'm
in
ibm
research
and
I
have
been
introduced
to
this
work
group
by
jaya.
So
I'm
working
with
her
on
the
standardization
of
the
result
for
the
acm
in
in
red
hat.
So
that's
you
know
how
we
we
I'm
not
sure
if
you've
seen
the
recording
last
time
we
we
introduced
the
recommendation
of
results.
Standardization
based
on
on
subset
of
oscal
assessment
result.
D
A
D
D
A
D
A
Right
so
findings
are
by
control,
so
each
in
each
finding.
I
have
one
objective
status,
so
then
objective
status,
you
see
the
the
control
ac3
with
its
aggregated
status
and
then
in
the
observations
I
have
all
the
rules
goals
cis
benchmarks,
whatever
this
control
depends
on
for
for
its
status.
What
are
what
are
the
the
the
rules
that
map
to
the
description
of
ac3?
What
are
the
rules
that
implement
the
policies
that
implement
that
ac3?
A
So,
in
the
observations
which
is
the
last
object
in
in
this
item,
you
will
see
all
the
because
this
is
an
result
for
the
compliance
operator.
These
are
all
right:
cis,
kubernetes
benchmark
provided
via
the
openscap
in
xcdf
format,
and
we
present
them
here
in
the
oscar
format.
So
you
see
the
observations
and
they
have
properties
evidence.
A
D
A
Yeah
and
and
prior
to
you,
joining
with
discussing
with
jim
that
oscar
of
course
allows
for
additional
aspects
right
besides
the
evidence,
these
are
the
basics
right.
You
need
to
know
what
is
my
in
what
is
my
subject.
I
I
applied
this
assessment
to
what
is
the
evidence
that
I
got
back
and
what
are
the
you
know,
properties
and
annotations?
A
What
is
the
test
id
or
the
you
know,
time
of
the
day
you
know
whatever
the
xccdf
may
have
their
own
properties.
If
we
use
some
other
assessment
tools,
they
have
other
properties,
and
then
we
aggregate
all
this
observation
to
generate
per
control,
its
aggregated
status,
but
there
are
other
aspects
that
we
can
add
to
that.
A
Like
remediations
in
in
our
tools,
for
instance,
we
use
remediations
to
provide
what
are
the
tickets
that
have
been
opened
when
you
know
this
failure
occurred,
what
are
what
are
the
scripts
path
in
git
or
other
systems?
That
would
run
I
need
to
run
manually
or
automatically
or,
and
the
other
aspect
would
be
risk
so,
depending
on
the
with
the
score-
and
you
know
so,
depending
on
the
maturity
of
the
tool
right.
This
can
be
adjusted
to
provide,
prevent,
provide
a
result
that
is
more
or
less
complex.
D
A
B
Yes,
so
certainly
this
seems
very
comprehensive
and
I
think
it
can
cover
pretty
much
everything
that
we
and
certainly
if
it's
extensible
through
properties,
etc.
We
can
even
model
other
fields.
One
thing
we
were
discussing,
which
is
an
interesting
point,
is
like
who
you
know
it's.
Obviously
a
compliance
report
you
know,
could
be
sliced
and
diced
in
many
ways
and
consumed
by
different
folks.
B
I
think
where
we
started
with
the
policy
report
was
we
wanted
at
least
a
namespace
owner
or
like
a
workload
owner
and
the
cluster
admin
to
easily
sort
of
view
the
output
of
various
policy
engines
right?
So
the
question
is:
does
this
become
you
know
in
in
yaml
format?
Would
this
be
overwhelming,
or
would
this
be?
You
know
simple
enough
to
understand,
and,
and
secondly,
would
this
be
presented
at
a
cluster-wide
scope
and
then
how
do
we?
B
B
B
B
But
of
course,
as
we
kept
working
with
this,
there
were
more
and
more
things
that
folks
wanted
to
add
right.
So
I'm
sure
over
time
we
would
end
up
with
something
perhaps
at
the
same
level
as
what's
in
the
oscar
definition
already.
So
it
does
make
sense
to
adopt
that
as
much
as
possible,
but
yeah.
How
do
we
kind
of?
A
Yeah
yeah
a
compliance
engineer
or
a
compliance
officer.
I
think
more
engineer,
because
that's
really
down
into
the
into
the
operational
detail
than
an
operator
which
would
want
to
see
really
the
aggregation
only
at
the
ac
lev
control
level
like
ac3
here.
I
think
what
we
can
do
is
to
use
this
model,
this
data
model
to
generate
and
and
store,
and
then
we
can
have
additional
functionality
right.
B
A
B
A
A
A
B
B
B
So
I
don't
think
andrew
is
a
bit
docker
anymore,
at
least
when
I
was
checking
online
but
yeah.
This
was-
and
this
is
about
two
years
old
now,
but
there's
some
attempt
at
taking
docker
output
and
converting
it
into
ascal
right
so
but
yeah.
I
couldn't
find
it
and
there's
also
like
a
gold
library
which
I
think
also
was
developed
by
andrew
for
managing
oscar
formats.
B
B
A
A
B
A
A
Okay,
so
open
controls
is
the
original
format
for
the
compliance
automation
before
we
had
oscar.
So
it's
a
subset
of
oscar,
I
would
say
it
covers
about
maybe
10
15
percent
of
oscar
so
because
the
people
were
really
looking
into
continuous
compliance,
automation
and
generation
of
documentation
for
fire,
coal,
fire
and
pwc
they
they
used
open
controls
to
automatically
generate
that,
and
now
there
are
converters
between
open
control.
A
A
Right
so
we
had.
Indeed
in
february
we
had
a
major
change
to
schema.
We
worked
closely
with
with
the
david
and
in
in
the
oscar
team
in
in
nist,
and
we
we
provided
our
feedback.
That
is,
you
know
too
much
nesting
too
much.
You
know
levels
that
were
really
not
necessary
and
made
the
our
non-sql
kind
of
explode,
and
so
they
they
reduced
many
levels
of
of
nesting.
B
D
B
B
A
B
A
A
It
is,
it
is
the
format
that
allows
a
vendor
to
describe
how
their
products
services
map
to
controls
with
you,
know
their
properties.
So
one
of
the
properties
that
we
leverage
there
is
the
ttl,
and
then
we
provide
across,
let's
say,
an
an
inventory.
What
is
the
the
the
lowest
tpl
so
that
we
make
sure
that
we
collect
the
data
before
it
disappears
from
the?
So
we
do
not
expect
kubernetes
to
because
we
have
regulations
that
require
to
keep
the
information
five
years
right,
so
so
the
kubernetes.
A
B
A
B
A
A
B
A
Right
because,
right
now
we
are
looking
at
a
unified
pane
of
glass
to
show
the
compliance
posture.
So
then
we
expect
that
the
assessment
results
are
aligned
if
we
want
to
move
into
having
the
inventory
presented
in
a
unified
format
and
consume
from
those
various
layers.
The
their
inventory
discovery,
rather
than
discover
it
at
the
top
level,
then
aligning
the
ssp
in
green
will
will
allow
us
to
consume
that.
So
again,
it
depends
on
the
maturity
of
the
framework
that
that
we
implement.
D
B
Yeah,
I
think
we
yeah
we
are
at
least
our
current
focus
is
on
the
assessment
layer
and,
of
course,
kubernetes
has
its
own
schema
and
ways
of
defining.
You
know
resources,
so
we
don't
need
to
necessarily
re-represent
all
of
that
inside
the
cluster
for
sure,
but
yeah.
If
there's
a
way
to,
then
the
idea
becomes,
can
we
can
we
map
this
into
a
kubernetes
resource?
So
currently,
when
you're
generating
this
for
clusters,
is
there?
A
B
C
B
A
B
A
Effort
is
to
align
it
with
the
assessment
result.
There
are
other
efforts
around
custom
resources
to
align,
also
the
inventory
and
other
aspects
to
that
as
well,
but
the
the
only
crs
that
we
have
today
with
respect
to
compliance
are
open
source,
but
they
are
not
oscar.
So
all
this
is
roadmap.
Okay,.
B
Yeah,
so
thinking
of
what
you
know,
we
can
do
in
this
work
so
right
now
we
have
this
proposal
for
a
policy
report
which
is
a
fairly
simple.
You
know
kind
of
custom,
resource
and
kubernetes
and,
like
we
talked
about
the
focus
really
was
to
try-
and
you
know
this
is
for
the
cluster
admin,
as
well
as
the
workload
operators
or
the
workload
admin
who
are
operating
at
a
namespace
level.
So
I
think,
to
to
kind
of
just
clarify
thoughts
and
how
this
you
know
how
we
can
converge
or
how
we
can
move
forward.
B
What
would
be
the
pros
and
cons
and
how
it
would
work,
and
I
think
what
we're
what
I
gathered
from
our
conversation
today.
The
way
it
would
work
is
there
would
be
one
one
sort
of
oscal
formatted
output
at
the
cluster
level,
and
from
that
we
could
have
like
command
line
tools
or
other
tools
which
can
extract
the
information
and
report
the
information
they
want.
B
So
if
a
namespace
admin
wants
to
say,
okay,
give
me
the
report
for
this
namespace,
they
would
have
some
way
of
you
know
generating
that,
or
maybe
we
have
a
operator
or
a
controller
running
in
kubernetes,
which
also
generates
some
subset
and
stores
it
inside
a
namespace
right.
So
there
would
be
some
duplication,
but
maybe
you
know
that
could
still
be
done
right
because
then
for
access,
controls
and
security,
a
namespace
owner
doesn't
have
to.
A
A
So
the
the
the
result
right,
the
posture
is
pass
fail
without
the
drill
down
on
the
evidence
right
on
the
you
know,
messages
that
are
associated
with
that
and
so
on.
So
in
the,
if
you
look
in
the
oscar
format,
you
see,
I
have
evidence
what
I
I
have
sorry.
I
have
the
control
status
right,
which
is
pass
fail,
but
then
below
I
have
the
evidence
group
which
I
give
the
details
right.
B
But
really
the
problem
we
started
out
trying
to
solve
is
there's
a
growing
number
of
policy
engines
and
whether
it's
image
scanners,
configuration
scanners,
admission,
controllers,
runtime,
you
know
security
tools
and
all
of
these
are
currently
producing
outputs
in
different
formats
right.
So
for
a
cluster
admin,
it's
where
it's
like.
Okay,
I
have
80
different
things
to
look
at
to
understand.
What's
going
on,
the
intent
of
what
we
were
trying
to
do
is:
how
do
we
standardize
that
format
as
the
policy
report?
B
So,
even
if
we
have
some
high
level
summary
to
say
hey
on
cis
benchmarks
for
kubernetes,
you
got
an
a
plus,
but
on
pod
security
you
got
a
b
minus
and
here's
the
name
space.
That's
violating
it
right.
So
something
like
that
and
then
of
course
you
would
have
to
dive
into
individual
tools
to
get
to
more
details.
But
starting
with
that
summary
is
what
we
were
trying
to.
D
B
A
B
We
we
did
have
a
message
field
right,
but
the
intent
was
this
was
not.
This
would
be
like
a
brief
message,
with
pointers
to
more
details
right
but
yeah.
So
so
yes,
it's
a
little
bit
fuzzy,
so
we
did
have
in
the
res.
So
the
way
this
structure
was
is
there's
a
policy
report
and
then
there's
a
summary
section
which
just
gives
you
a
score.
So
you
can
convert
that
into
a
grade
or
some
simple
way
of
knowing.
So
a
policy
report
could
be
at
different
scopes.
B
The
scope
could
be
a
namespace,
the
scope
could
be
the
entire
cluster.
The
scope
could
be
just
one
deployment,
it's
flexible
right,
but
then
each
result
could
be.
You
know
could
also
point
to
a
rule.
So
this
was
the
the
ruler
control
in
the
terminology,
the
oscar
terminology,
and
then
it
would
have
a
message
and
then
a
status
which
would
be
pass
fail.
Warn
error
skip
were
the
five
I
think
I
you
know
and
then,
whether
it's
scored
or
not,
and
then
additional
data,
which
is
just
some
free
form,
data.
B
A
So
I
think
it
this.
This
introduces
an
additional
challenge
right.
So
now,
if
we
are,
I
understand,
for
the
you
know,
storing,
local
and
and
using
it
local
now,
if,
if
I
use
that
in
an
exchange
right
protocol
with
some
other
tools,
whether
they
are,
you
know,
governance
tools
or
you
know,
ui
tools
to
display.
You
know
aggregators.
A
B
A
I'm
wondering
if
it's
not
an
advantage
actually,
because
that
evidence
is
the
critical
sensitive
data,
so
I
mean
a
altogether
a
different
level
of
access
than
what
I
need
to
get
the
posture.
Okay
pass
fail.
I
can
work
with
whatever
credentials
I
need,
for
my
you
know
view
my
cluster,
but
then
this
separation
will
enforce
a
level
of
security
on
the
evidence
which
is
my
sensitive
data.
B
A
A
B
Right
so
if
I,
but
let's
say,
if
I'm,
if
I'm
managing
or
if
I
deploy
some
workload
right
and
that
I
have
some
pods,
which
violate
some
security
policies,
so
I'm
seeing
my
results.
It's
telling
me
that
you
know,
but
with
the
message
here
then
at
least
give
me
some
information
that
this
pod
requires,
let's
say,
run
as
non-root
to
be
set
to
true.
A
A
This
is
the
message
that
I
get
back,
and
this
is
the
evidence,
while
the
the
status
is
pass
fail
right
now,
having
pass
fail
right
is,
is
one
thing
or
error
right
and
then
the
message
is
something
else
I
was
able
to
reach,
or
you
know
the
I
don't
have
access
or
you
know
whatever.
Whatever
it
is,
it
can
be
that
that
message
for
some
people
is
very
sensitive.
B
B
A
Is
which
is
perfect?
It
means
that,
if
that
person
has
to
do
the
mediation
based
on
that,
they
will
be
approved
to
have
that
access.
What
I
try
to
say
that
we
bring
into
a
picture
this.
You
know
this
minimum
level
of
access.
That
is
one
of
the
you
know,
controls
that
everybody
wants
to
have.
This
will
support
implement
that
minimum
level
of
access?
A
If
I'm
an
operator
that
I
need
to,
maybe
I
don't
need
to
have
access.
Let's
say
I
have
10
repos
one
is
for
network,
one
is
for
devsec,
one
is
for
iks,
one
is
for
storage
and
they
will
all
have
different
levels
of
access,
so
I'm
not
going
and
poking
on.
You
know
what
are
the
failures
on
databases,
policies
right,
because
I'm
only
responsible
for
network,
so
I
get
access
only
to
that.
B
A
B
Yeah,
I'm
just
kind
of
thinking
about
the
user
experience
and
if
there's
some,
you
know
like
a
cli
tool
or
something
which
can
combine
that
and
and
present
it
in
a
manner
which
is
actionable.
Then
it's
fine,
of
course,
like
you
know
the
the
nice
thing
about
having
the
message
here
becomes
like
I
can
just
do.
Coop
cuddle
get
and
I
see
everything
and
I
know
what
to
do
right.
B
A
I
I
can
see
that
cli,
like
you
know,
get
the
assessment
result
and
I
get
my
assessment
result
and
now
I
say
get
my
evidence
for
this
assessment
result
for
these
credentials
and
the
cli
is
intelligent
enough
now
to
apply
my
credentials
across.
You
know
everything,
but
my
evidence
will
come
back
in
this
assessment
result
only
for
the
items
I
have
access
to,
the
other
ones
will
say
no,
no
access
granted
or
something
like
that.
A
B
B
B
C
C
B
B
A
B
C
C
I
don't
know
how
much
you
all
know
about
network
policies,
but
you
know
they're
very
granular,
they're,
very
low
level,
they're
very
cni-centric,
and
it
turns
out
that
most
people
want
policies
that
are
way
higher
level
than
that
right,
and
so
we
have
all
of
these
like
use
user
stories
that
we've
like
that
people
have
given
us
over
time,
which
are,
I
think,
kind
of
I'll.
Just
you
know
what
I
can
link
you
all
to
them.
C
C
Look
like
like
lower
case.
You
know
what
I
mean
like
a
unified
network
policy
model
for
for
kubernetes
clusters,
like
you
know,
which
may
a
lot
of
the
implementation
details
might
be
implemented
by
sig
network
using
our
network
policy
api,
but
like
there's
a
higher
level
layering
for
dns.
Being
a
great
example
where
people
want
to
very
simply
say:
I
don't
want
people
to
access
this
site
and
a
lot
of
that
could
be
built
with
controllers
and
operators
right.
You
could
presumably
envision
a
world
where
you
could
query
core
dns.
C
You
could
take
information
about,
for
example,
services
is
another
one
right.
Look
at
kubernetes
services
create
a
network
policy
against
a
service
say
I
don't
want
these
pods
to
access
this
service,
that's
not
supported
by
the
network
policy
api,
but
again,
that's
another
use
case
for
an
operator
where
you
could
look
at
pods
behind
a
service
and
then
create
those
more
granular
rules
underneath,
and
so
I
just
think,
there's
a
lot,
there's
just
a
huge
impact
to
be
made
there
and
I
wanted
to
make
a
little
sales
pitch
around
it.
I
mean
we
have.
C
I
know
a
few
people
personally
that
would
be
interested
in
working
on
this,
but
I
wouldn't
want
to
go
down
this
road
alone
if
nobody,
if
everybody
else
only
had
passive
interest.
So
what
I'm
looking
for
is
active
interest
in
this
in
in
be
designing
something
like
this
prototyping
it
and
stuff-
that's
that's
kind
of
where
I'm
at
so.
Okay,
just
planting
the
seed.
I
know
it's
the
end
of
the
meeting.
B
That
that
does
sound,
interesting
and
so,
and
maybe
it's
something
that
if
you
want
to
also
share
on
the
slack
channel
right
so
folks
and
we
can
I'll,
update
the
meeting
notes
and
we'll
have
the
recording
posted.
So
I
think
it'd
be
good,
perhaps
even
in
our
next
meeting,
to
sort
of
revisit
this
since
we're
almost.
I
guess
we're
over
time
right
now,
but
yeah
there's
some
interesting
ideas,
things
we
can
also
think
about,
and
I'm
not
sure
if
you're
we're.
C
Yeah
yeah
any
canonical
solution
would
work.
It
doesn't
have
to
be
an
api
if
you
want
it
to
be
a
lpa
thing
or
whatever
I
don't
care.
As
long
as
we
had
some
centralized
place
where
we
could
build
those
higher
level
policies,
it
would
just
yeah.
It
would
be
really
cool,
okay,
so
yeah.
So
next
time
we
talk
more
sounds
good.