
A

Hello team, this is JJ. Give it a few more minutes, one more minute for latecomers to join, and then we'll get this started. In the meantime, people who've joined, if you want to add your name to the docs, please do.

A

You.

A

Also, any volunteers for scribing today's meeting, highly appreciated.

B

You.

B

Who's running our meeting today? Are we waiting for the moderator?

A

No, I just wanted to give a few minutes for people to add their name, so that I can call out their name and address them for an update. Yeah.

B

Do you want only people that have something to say to put their name in there? What should we say? Yeah.

A

No bids, probably fine.

C

Yeah.

A

Thank you. I'm also doing the meeting thing, because my Wi-Fi at home is not good, so I'm using the laptop for the doc and the phone for the call.

A

All right, so as people add their name, let's get started on check-ins. Emily.

D

Emily Fox.

E

So lots of great things have happened over the past week: we got all the CFPs reviewed, we got an agenda put together, it's been laid out, all the attendees have accepted and we have great sponsors, which means that we've got lunch and happy hour. So lots of great things for Security Day.

A

Yep, thank you.

D

Yep.

A

It's a happy half-day here. So, oh, we.

F

Don't have two scribes. I can be scribe as long as somebody else can do it while I'm talking, because I'm also going to talk about the OPA assessment, so we do need somebody else who's willing to change. Yes.

A

Can someone volunteer first, please?

A

Alright, I'll try to cover for her in the first half.

A

So, next is me, so I'll just give my update. I don't have much of an update yet. I'm working with Howard to see if we could actually pull in all the policy documents that are lying around into the SIG Security repo, so that it will be easier to track and discover.

A

SIG Security Day, Emily Fox gave an update on that, and.

A

Saladin and I will be meeting up with Jonlizz on the 30th and will circle back with the team with any updates from there.

A

Daniel.

C

I can go next. Yes, so the last couple of weeks I was in meetings; now I'm fully back and I saw that Falco has been kicked off, so I will need to catch up with this, since I was one of the volunteers that wanted to do it. Yeah, catching.

F

Up for me, hey.

G

Dan I.

F

Think there's an issue open now that Robert opened, so I'll try to put it in the notes, but yeah, that would be great for you to, you know, chime in on the issue and make sure that you're on the list. Thank.

C

You.

D

If I find it, if you can link that to there, yeah, stick it in the notes, thanks. Amy can go next.

G

As I come off,.

G

Security at KubeCon, and one other note. We will need someone to be able to do an update at our next meeting on the first, so I'm taking volunteers for that. Oh, these.

A

Are the points.

G

For the TOC, like what is the SIG doing, like all the things.

D

So.

F

Yeah, so JJ did that last time. We wanted to iterate on the format a bit to make sure that we have a little more lead time. So thanks for mentioning it, Amy. I mentioned it, I was able to go to the policy team meeting in the afternoon last week and mentioned it to Howard, and MT and Erica are the leads of that team, so it would be great if we could try to get that PR done. I'm mostly talking to JJ because Howard is not available in this time zone.

F

If we can get that PR closed and get some feedback, then that would be sweet to link to. It's really formalizing what's been going on for a really long time, but it's nice to surface that, I think, and that group's been doing some great stuff. So I think that I'm available... oh no, I'm not, it's IIW next week, so I can help with the slide, JJ, in terms of iterating on the content, but I can't present. I'll.

A

Take it. I'll do the presentation. I'll work with Sarah and Howard on getting the content on the slide, so I'll just take that. Great, thanks. Thanks for being... you need to pay me.

F

In my... and JJ shadows, yep, go.

D

For it.

F

You're already on it.

A

Yeah so.

F

I mentioned the syncing up with the policy group. I've also been catching up in advance of IIW, which is October 1st to 3rd. If anybody's local, I'd highly recommend it; it's an unconference focused on identity. It's been happening for 30 years, like the OAuth standard came out of work at that group to, you know, get everybody to stop sharing names and passwords, and they're doing a lot of really interesting.

F

The last couple have really... a lot of people are focusing on self-sovereign identity, which is pretty interesting to track. So catching up on reading, I've also been reading about verifiable credentials, which are a relatively new W3C standard that is emerging, and Howard actually chimed in on Twitter and asked if that would be relevant for the group. So since I'm learning about it, I thought I would ask other people here.

F

We can talk about it later, but I just kind of want to put it out there that I'd be up for seeing if I could get somebody from that effort to present to the group, if people thought it was relevant and interesting. And then my other update is also on the agenda, which is I've been helping contribute to the OPA assessment, and JJ's asked me to talk about it a bit today.

A

Thanks, Anna. If you can post the IIW link on the... it's in the agenda. Oh, perfect.

F

Okay, so I just stuck it in announce, FYI.

A

So.

A

Next is Christian Kemper: no updates. Ray has no updates. DK has no updates. Roger has no updates, but if anyone wants to chime in or chat on anything that's been mentioned, please feel free to.

A

Otherwise, people that have not added their names that have anything else they want to talk about.

A

These two I do Seaside.

E

You have a.

A

Question.

E

And I don't remember seeing it in any of the docs that we have as the SIG Security working group. We're working on assessments and evaluations of projects, and those documents are in draft but available to the group. What is the standard practice for using the information within those draft documents?

A

It's a good question calling user one.

A

So.

F

What is that... what is the question? So, okay, so.

E

For when SIG Security is doing an assessment of a particular project and we have the draft, and all of our recommendations and commentary and updates that we're posting through the git flow are publicly available. Anybody can really go in and see the PRs. They can see all the comments.

E

They can see the dialogue that's going back and forth, but I don't know that we've officially documented, at least not that I can see, what the expected use of those draft documents is, or if there's a caveat on them or a disclaimer that all the information contained within this PR is draft until officially posted and made available on the site. I didn't know if that was something we should be discussing or concerned with; like, what is the expected use for SIG Security members or people outside of SIG Security when viewing the contents of draft, unofficially published documentation? I.

F

Think that's a really good very last.

E

Question well.

F

I actually think it would be important to have a caveat. I've just been kind of like, well, it goes without saying that all this stuff is unverified until we all approve it. But if somebody dropped in from, you know, wherever, and wasn't aware of it, it could be amplified in a way that would be undesirable, right, and so we.

E

Get access to interesting information about some of these projects that's not necessarily publicly available until we start interacting with them and actually writing it down and creating a ticket and submitting a PR on it, and, like, how do we provide assurances to those organizations with our due diligence ourselves, as well as outside of that, somebody coming across it.

F

Well, it missing it.

G

Might be warning we're looking at actually.

F

But I think we have. Let me look at that.

F

If we look at the, let me see if I can get on to zoom and share my screen.

F

Okay, are people seeing this? This is the SIG Security assessments folder in the repo, so.

F

So we have this... look at this language of caveat. The whole thing, right, at least the intent of this description was: this is both to give you a path into thinking about the security of the project, not to replace your own process for determining whether it's a fit for you. And so there's, you know, there's framing the assessment in general, right. We had a lot of discussion early on that we didn't want these assessments to be approved.

F

If we don't believe that they're binary, and that, you know, we've been careful to say, like, just because the project has work to do doesn't mean that's a negative thing. It's in fact a positive outcome of the process, and so forth and so on. So I think it might be good to, I don't know, reflect on this bit, right, to make sure that we're, you know.

F

Looking at this six months after we wrote it, I'm not feeling like it really conveys that aspect, right, the caveat aspect. And then the other thing is, I don't know where we would put it, but I think it would be good to have something in here that at least says, if people are reading all the words while things are in draft, they're just an individual's opinion and should not be taken as truth, or something like that, which is basically, I think, the spirit of the team: like, if somebody asks a question and the project reviewer doesn't have an answer.

F

That doesn't mean that that is unanswered, right. It doesn't mean, right, that a person has raised an issue that's a real issue. It could fall out that that whole thing was a misunderstanding, and that needs to be communicated somehow, I think, yeah.

E

I might like, from a disclaimer/caveat standpoint for people that are coming to the repo and coming across this information, I was thinking maybe a line in the README and potentially expanding upon the Code of Conduct, because we are a security-focused special interest group that, above and beyond the normal human code of conduct, has the caveat in there: if you're a member of this group, the information that you're going to come across is always in draft and not to be considered actionable or taken and run.

G

Up.

E

Up the flagpole, for instance, but something to that effect. That's what we want to do. I just don't know, and I was thinking about it earlier today and went looking and didn't see anything beyond specifically what you had cited.

F

I think, would you be up for doing at least an issue, if not a PR, that, yeah, sort of proposes something? I think that'd be great to add, and I love the idea of having... because we've, you know, we've gotten presentations before where people have said, okay, don't tweet about this yet, it's not published, and people are generally very respectful of that, and I would love to see that reflected in our code of conduct, right, that there's, like, you know, this two-sided thing: like, of course, if people don't engage positively, we may publicly document our findings, but until it's officially reported it's not convert leader.

F

Whatever, there's like this reporting rigor, I think, that we all practice, and newcomers should know that.

E

Okay,.

A

I'm.

E

Working on it.

A

Alright, so that's what I just described it.

A

So if there isn't anyone else who's willing to check in.

A

Then we can dive into the OPA. Just for completeness' sake, let me ask if there is anybody from.

A

Anybody from any other working groups, Kubernetes SIG Auth, the policy working group, that anybody has attended, that wants to give an update.

C

Question regarding our purview for the other SIGs. How does it look? Because there are some issues in, for example, SIG Node, security issues hanging there, proposals that are there for, like, years, and do we have any way to influence it somehow? For example, wait.

F

So, where I didn't.

C

Miss him.

F

For.

C

Example, I found one interesting thing in SIG Node. There is a proposal for a runtime change and it's there for, like, two years, and I was wondering how.

B

What.

C

Is our relationship with the Kubernetes SIGs? If we can influence something or change, I don't know.

A

If you can find the specific issue and talk about it, it will be good, but the overall stance on that is essentially that SIGs operate on their own. Influencing things, we got this... it's not the goal of this group. It's rather to help SIGs by surfacing what the issue is to the rest of the organization, the community, right.

A

That's the objective, but if you do want to bring it up in this group and talk about the specifics of it and why you think it should be prioritized, then we can surface that to a wider audience, and.

F

I think I always come back to our charter and mission, right. So our mission is to reduce the risk of cloud native applications exposing end user data or allowing other unauthorized access. So if there is an issue, right, in the world, in any of the products, particularly in CNCF projects, because we're part of the CNCF.

F

So if one of our projects has an issue that we think is risky to cloud native applications in the ecosystem, then I think highlighting our concern, like, we have a forum here, right, and we have the ability to... we could invite a SIG or a project to discuss an issue that we consider to be risky, and we can talk about why we consider it to be risky and what mitigations they know about, and I think that forum creates opportunity for action.

A

Daniel, if you find it, yeah, I would create an issue in our repo to bring that issue up and talk about that in this.

C

Yeah thank.

F

You. Yeah, and I think wherever possible we should, like, you know, we can plan ahead and, like, you know, invite people from the relevant projects or other SIGs to have a discussion.

A

Okay, so if anyone else has anything to talk about... if not, then I'd like Sarah to give an update about the OPA review, learnings from that.

A

For the rest of us to chime in to see.

F

So I participated in this security assessment. For those of you who might not be following the details here, we're on our second, so all of the assessments are tagged under this assessment tag. If I remove the "is open" filter, you can see that we've got three assessments in total: in-toto is completed, Open Policy Agent we are on the verge of completing, and Falco we are on the verge of starting. So our goal is to have five assessments and then reflect on our process.

F

Of course, if anything is in our way, we can update our process, but we are, you know, baby steps here, we're doing our second assessment and then we want to talk through our learnings, but not, you know, deep dive too much into "maybe we should do X, Y or Z". We just capture those, and so we also have another label for the assessment process.

F

So don't check this... so you can see there's a lot of open issues, right, that are like, if you're participating in the assessments or observing them, or, you know, hearing about them in the meetings and you're like, wow, they should really do XYZ. You can look at everything labeled assessment-process, and this is the time for us to be capturing what we're learning, or ideas about how to improve the process, and then we'll review all of these issues after these first five assessments and then do some improvements.

F

So that's kind of like the big picture of where we are.

F

If we go back to this assessment issue, right, so we're here going through this checklist of things, and now we have the PR out for the assessment summary, and we will, Amy, need to schedule a TOC presentation shortly, whenever there's an opening on the calendar, and that.

G

Is totally fine. If we can wait until after KubeCon, I would be delighted, so.

F

Touch base with Liz. I think Liz would like it to not be waiting that long. So.

G

Let's not go into the details.

F

Of scheduling here. I'm happy, let's just chat offline, but just to let you know that we want to make sure that at least Justin and Ash, and one of the co-chairs, are at that presentation, whenever we decide to queue it up. That.

G

Is totally fine so.

F

So this is the assessment of OPA. Some of you may recall we had a presentation by OPA some time ago and they presented, you know, how it works. We have background where basically policy is a big part of security, right. We have a breakout group that focuses on policy, and in order to say that you have a secure system, you need to make sure that you actually have some policies and they're being followed.

F

OPA is a project that helps with this by making it so that you can write your policies in this Rego language and then validating it, like doing the policy enforcement and implementing those controls in ways that machines can reason about. So that's kind of... I kind of went through the summary, but I'll go through this now a little bit in order. We have this maturity section, which is kind of... we don't quite know how to define it.

F

So with each assessment we make it up, but we have this idea that, as context for how we think about the improvements that we'd like to see, we want to have some indication of how widely used this project is.

F

We don't want to be the arbiters of success, but rather echo that information, because it affects what recommendations we have. If this is very early, new technology that's experimental, we might have different recommendations than if this is used by almost every, you know, service on the Internet.

F

So here what we did was we collected a set of companies that, okay, use OPA, which, you know, sort of indicates that it's under quite a bit of use, and linked to their list of adopters, and then also they're getting community participation from a wide range of adopters.

F

Although, you know, noting that they're primarily from Styra, because there's been a bunch of conversations in the TOC about wanting open source projects that are primarily one company to have enough participation from the community that it's robust if that company decides to do other things, right, getting to the sustainability. That's a little outside security, but it's, of course, affected... it affects.

F

It affects security because we've seen large, significant attacks of late that are based on something becoming not maintained anymore and nobody paying attention, right, and so that at least seems important to me, and I think I saw a question in the chat.

F

No, thanks. So I kind of went a little bit over the design. I think the key takeaway from our perspective is that if you have heterogeneous infrastructure or a high rate of change, where lack of policy enforcement would create a big business risk, that's when the added overhead of implementing OPA would be valuable.

F

So this is a common situation, right, that people have on-prem and cloud, or multiple clouds, or they're just different services that all need to have similar or the same policies, and what we're seeing is that heterogeneous infrastructure presents risks, because people can't reason about their policies or know that they've been implemented. So that's sort of common in this cloud way, and so the, you know, the added benefit of OPA also presents risks, right. So it's great, we have this policy as code.

F

Expressions that you can, you know, implement the same across heterogeneous systems and separate your security code from your application code, but then these really require the same care as code, and, you know, there's concern that there will be a false sense of security just because you're using OPA. So, you know, a lot of our discussions were really around: how do we?

F

How do you think about this policy language and make sure that it's saying what you want it to say, and that people are understanding what they're expressing when they express policy in this language? So, sorry.

B

Do we have a feel of who the target persona for OPA is in our.

F

And.

B

Our security personas that we have? This looks like it would fall into the platform implementer, well.

F

It's... so I think we have this in here somewhere. Oh, okay! Yes, this is their self-assessment.

F

We have the goal.

F

Somewhere I thought we had the target user.

F

Well, we might not. If we can write that in the notes, I want to just double check to see whether we had that somewhere. But it's a good question. From what I remember, I think the target user is the operator or the developer, and that you could use OPA like Netflix uses OPA, and they're not a platform per se, I mean, I don't know, maybe they have APIs, but it's primarily to secure it. Nobody.

B

Platform in play: there could be people at Netflix that implement the Netflix platform for use by other Netflix engineers, right.

H

Offers.

B

The platform to outside.

H

Users.

D

That's true, that's sort of an interesting.

A

Also good question. If you want to go chime in on the PR with comments about this, that'll be super valuable too. I mean, I will do that if you don't, yeah.

F

Sure, well, that'd be fabulous, thanks for pointing it out, JJ. So, yeah, I wanted to have everybody... in the use cases doc we have these personas that are different: users are operators, administrators, developers, end users and platform implementers, and the security assessments are supposed to focus on who uses this stuff, and so we should make sure that we cover that. But I think that's interesting. There might be opportunity for looking at who's using OPA to find some of those platform implementers we've been looking for. Every question... yeah.

B

Because I know in the Gatekeeper project they have separated these personas, right. Gatekeeper is one of the OPA sub-projects, right.

F

And.

B

They have separated these personas, and I was wondering what the official stance is. Okay, thanks, cool.

F

So, do people feel like they're familiar enough with OPA? Do you want me to talk through some of the self-assessment to talk about what it does, or should I go straight into the recommendations?

A

How do you.

D

Anyone s any I.

F

Mean.

D

We can start with any.

F

Any further questions on what OPA does.

A

Anyone wants any basic info about OPA that'll help them understand what the review is about? I would say no, because I think we've talked about OPA already. Why don't you take it? Yeah, it'll be, what, the thirty-second intro, two of the four be.

F

Okay, so generally it's for controlling access to a service, and with the caveat that I am NOT an OPA person, I've never actually used this technology hands-on, so people, feel free to correct me.

F

This separates the data coming in from the policy, and so generally the data and the policy are combined into an intermediate document.

F

That's evaluated for a decision, and so you're writing this policy in a regular language, in this Rego language, and then your data is expressed in something like JSON, and then they're evaluated, and the decision can be yes, no or "I don't know", so that you can compose these policies together. And then this OPA piece is generally deployed as a sidecar, but they have some libraries and different deployment models.

F

So you can, you know, you could bind it into your service or run it as a sidecar, whatever mode you want to run it in.

F

Okay, any questions or observations?

I

Yeah, I do have it. I'm into every question, possibly, with OPA, because for more security, since we're the security working group, we are expanding the attack surface, meaning, you know, OPA itself would be opening up for some vulnerability in being attacked, and the policies could be manipulated, and I was wondering if you have seen anything specific as to what may be the preventative measures that OPA is taking or recommending.

F

So I think that would be the case with the addition of any part of your system, right. If you add anything, you're expanding the attack surface, but then you have to think about, like, are the issues you're mitigating bigger, right, than what you're adding? And so that's part of our analysis, where you probably shouldn't be using OPA if you have very, very simple policy and a homogeneous system, right, just because it would add more complexity than is merited.

F

That's sort of like our analysis, and to answer your question, though, we have... basically, we went through this process of kind of articulating what things are risky, right, and that if OPA is successfully attacked, right, this is your point of policy, and that is, you know, pretty risky. And so we went through... there's actually a lot of sharp edges around: have you set up OPA correctly, and are you managing your policies effectively? Because OPA isn't a policy management system, so you have to, outside of OPA, figure out how you're going to distribute your policy.

F

That's this Gatekeeper project that Christian mentioned. So it is a piece of the puzzle. It is not the solution by itself, and I think that's the key thing that we want to surface, so that people understand what they're getting when they adopt OPA.

I

I kind of assumed that that would be the case; they probably did cover it. I wonder if OPA is also giving some recommendation as to the implementation.

I

So, for example, if you have a centralized policy engine for a complex environment such as what you were alluding to earlier, as far as where OPA could be implemented: multiple clouds, multiple, you know, different types of environments that are all trying to consolidate the policies so that we have a uniform and consistent policy. And when you do that, obviously you're bringing that into a kind of a pane or some sort of central area, somewhat centralized in some sense, and that's becoming even more sensitive to the operation of the whole enterprise and the users, and I wonder, that's going over to the implementation part of it.

I

As far as how to... any recommendation, so.

F

They actually have pretty comprehensive deployment docs that go through a couple of different models, and I mean, I think that this Gatekeeper project is really about them saying: okay!

F

Well, this is a common... expanding beyond the little agent, right, that evaluates policy, to parts of the ecosystem, because there is a need there. But I think those are really good questions, and it really, like, I think that's kind of a good lead-in to our recommendations, which, like I mentioned, focus mostly around the potential for confusion, and there's sort of an assumption, I think, in this whole project, which maybe understates your point, TK, which is that you need to manage your policies really well and make sure that that doesn't become... you're not just moving.

F

You know, like, where you're being attacked to someplace that is less secure, right.

I

Yeah but.

F

Just on a personal note, there seems to be this sort of common pattern in a lot of the exploits I read about, which is that things are not configured the way that people think they are configured, right, that the systems become so complex, people have so many VMs and services running, that it's easy for something to not be secured at all, and that things end up being wide open on the internet unintentionally, and I.

F

Think that one of the things that makes me interested in following OPA is, you know, that's the thing that you're mitigating: the sort of "oh, oops, forgot to secure that, right, forgot to update this", you know, I have to update my policy in 15 places and it's in different formats, and now it's just, you know, it's too easy to make a human error that misses those. So it might be good for TK or somebody, like, you know, in reading the overview, to check: do we address those points?

F

Yeah.

A

I think it is also called out in the review in terms of what scope OPA is in, what it solves and what it doesn't, and there is some call-out there, but it will be useful to chime in on the PR, and I can add to that as well, to be clear on increase in attack surface vs. scoping it down to one thing and tooling to mitigate some of these.

I

Once we chime in, for example, on this, are we going to consolidate all our issues at some point and feed it to their people?

F

So, all of the OPA... this process has led to writing up or highlighting open issues, so many of these open issues that are in the project recommendations came out of the review, and so the review is really owned by... there's a self-assessment where Ash, who's a contributor to OPA, owns, like, getting that over the line, and then either he or we report issues into OPA, so that once this PR is in, there are open issues tracking everything we raised.

F

So if we chime in, we're doing sort of two things. One is producing this document, which is kind of like anybody's guide into understanding the security profile, the risk profile, the benefit of this particular project, but also allowing us to track these open issues, and we've sort of been chatting about, like, writing these issues such that.

F

There's been talk that we want to re-review these assessments periodically, like maybe annually, that maybe if a particular project hasn't added any features in a year, right, we could do a cursory review and just look at the issues and do a quick update, right. Whereas if a project has added a bunch of features related to security, then maybe we would do a full assessment, and so we're trying to, like, sort of queue this up so it's easy to update.

F

If that turns out to be something that, as far as we know, is reflected in reality. So, make sense?

I

Yeah, no, I think that's good. So at this point the only code that has been contributed is mostly by Styra, I.

F

Know it's... the contributors are mostly Styra, so there's basically... there's a Chef... I just looked at these 77 contributors with Ash and, you know, kind of looked through the top contributors, and I don't remember which of these people it was, but there was somebody in these top four that was from Chef, which seemed to me to be a good sign, and then there's somebody from Google who's pretty far down, because it's mostly spec stuff. Here we go.

F

This Tristan has worked on mostly the Rego spec, which is also kind of like a sign that it's not just Styra, but it does have.

F

The vast majority of the contributions are Styra, so overall for the ecosystem, provided this, you know, continues to be adopted, I'd like to see more contributions from other companies, but that's, I think, a process, and they seem to be making good progress in getting wider contributions.

C

Did we have any confrontations during this assessment, in a way that some findings were conflicting with the idea for OPA, or whatever, I think.

F

A confrontation would be too strong a word. We had some good discussions around what is happening now; this being our second one, it has become the norm, which is, like, where are the edges of OPA's responsibilities, right, particularly around Rego usability and around defaults, right? So it's very challenging to make things secure by default, because the most secure thing by default is to just turn off access completely, and that's not useful, and so how do you make it less likely that somebody is going to do something incorrect because they don't know what they're doing?

F

And so we talked about that. I ended up having a brainstorm, because Ash came in with a stance which I think is sort of reasonable from their perspective, which is: well, we're giving you a sharp knife, people need to do these different things, and we don't know what your policies are, so there's not much to do there. And initially all of the project recommendations were turned into documentation improvements, right.

A

A quick time check: we have ten more minutes, and a couple of things. One is, if this discussion that you already had can be captured and put onto GitHub, unless we have already done it as part of the assessment, so that is...

F

Talking about it here, okay. So I'll just wrap this up in the next few minutes.

A

No, all I wanted to bring up is that we only have ten minutes. If you had more things to cover, then I would offer that you cover them; otherwise, if this is what you wanted to do, then I'm more than happy to, yes.

F

So I just... this is the whole thing, which is that we shifted some of the thinking around: was it possible to make code changes that would make this easier to use? And so we've linked some of the ideas here. If people have ideas in this realm, you can dive into the specific issues.

F

These are really starting points that the OPA team, and anybody who wants to get involved, can sort of add ideas to. And then I'll just round out by talking about the CNCF recommendations. Similar to our last project, in-toto, there are certain things that the project is not well positioned to do.

F

If the CNCF wants to support this project more, having a study of user practices around this, whether people are catching common patterns, and also learning from the end-user companies where there may be specific integrations that should be higher priority based on what people are doing with OPA, would be more impactful than other things they might do. We don't have visibility into what the CNCF end-user companies make. So that's...

A

So was it Brandon who asked the question? I forgot; I couldn't catch the name. So it was first brought up about the discussions that happened, or the controversy. Yes.

C

Daniel.

A

Okay, just first, but...

F

That might also be an interesting thing too, I don't know, part of the reflection about what did we really learn? What were the things that were maybe unexpected by either the project team or us? I like that way of thinking about the review of these security assessments.

A

Yeah, those are good inputs. So we have seven more minutes; any thoughts or questions on the process itself or the project? Again, I think the reason for bringing this up in this forum is that the PR is open and I'll be doing a review of that. But anybody who wants to chime in and add any comments that need to be considered, that would be very helpful.

A

If not, I'd like to give a couple of minutes to Michael Ducy, who joined later in the meeting, to do a check-in.

H

Sure.

A

It's yours, Michael. Go ahead and give an update.

H

Yes, on SIG Security Day. Sorry, I missed the first part of what you said. Yeah.

A

I just want to give you a couple of minutes to check in and give an update. Emily Fox gave an update on SIG Security Day, or at least touched upon it. So if you could give a little bit more detail on that, yeah.

H

Sure, sorry, so.

H

Since it was published we've had an extremely good response on sponsorships, which has been extremely positive, and that means that we're able to provide things like lunch for attendees. Amye, have we gotten an update on registrations? We...

G

Have not, okay.

H

Last.

G

I know it was.

H

Around 81, and so now that we have it out, we feel like we'll be able to push even more on registrations. I think we were thinking about a hundred and fifty cap, somewhere around there. That's kind of the next thing we need to start figuring out: how much room we have and then what we can effectively do with the space that we have. So that's probably the next priority that we're going to be working on in our weekly calls.

H

Outside of SIG Security, the Falco

G

Project.

H

We're coming up on our yearly review and we're getting ready for that, which is going to be on October 15th, I believe. Amye, is that correct?

G

Sorry, coming after me? Yeah, that's correct. Yes.

H

So we're excited for that. We've made lots of good progress, including some very cool, interesting features, one of which we're actually probably merging today: gRPC-based outputs. One of our sticking points is that a lot of our outputs and alerts have been done in a more synchronous fashion, and with gRPC,

H

it allows us to offload the alerting engine from the main Falco engine, and then we can have subscribers that are written in whatever language people prefer, and those subscribers can then forward the events and alerts into whatever system, like Elasticsearch or Kafka or whatever it might be. Having this kind of gRPC-based streaming service is going to be really beneficial to the project.

H

I was running some numbers around how we've been performing in the sandbox versus pre-sandbox, and one of the interesting metrics I saw was that before sandbox we had about 34 daily active users in our Slack channel; after sandbox we have about 104 daily active users in the Slack channel. And from a weekly active user perspective, it went from like 60 to 200. So the community is really thriving; we've got a lot of activity.

H

We've got a lot of stuff going on, so we're really excited about how we can see the CNCF engine really helping us out and benefiting the project overall.

H

Any other questions I can answer.

A

So, on that note, I think Krishna was scheduled to do a demo of Falco next week, so it may be worthwhile for you to coordinate with her to add any of these stats to the demo.

H

Specification, the.

A

Next week, yeah.

H

And we wanted it a little bit more finalized, so we could actually...

A

I think we're right at time. Does anybody else have anything they want to bring up in the next two minutes?

A

If not, then thanks, Annie.

B

Okay.

A

Thank you, thanks, bye.

B

Thanks, all.

From YouTube: SIG Security Meeting 2019-9-25
