From YouTube: CNCF Security TAG Regular Meeting 2021-10-27
A
B
D
Hello, everyone, this is Karthik. This is my first meeting in TAG Security. At the outset, I'd like to thank for introducing me to TAG Security and pointing out the right resources.
D
One of the maintainers of the Litmus Chaos project is the CNCF sandbox project and we've just gone ahead and created a self-assessment document for this project is part of the application towards incubation, and I have created an issue that basically talks about the details of this assessment, which I am posting on. The chat of this meeting so very glad to be here and glad to meet you all and would love to take your guidance on improving the security aspect of this project.
A
B
A
B
Thank you, so I think most have kind of trickled in now, so I'm gonna start with the usual so hi everyone. This is a the text to get CNCF text security between meeting assets with most other csdf events and meetings. This follows the CNCF for conduct can be found in the people, both in the cntf, as well as the taxpayer repo.
B
We would need at least one person to help volunteer subscribe to ensure that all the action items and primary content is recorded. The meeting is also recorded required. Please do take note of that. If anyone is willing to describe that would be great.
B
You can just go ahead and the meeting notes and right name under the scribes thank you Ash, so much for helping this part. Today, cool and yeah put your name down for the observations, and I think that looks like everyone's already way ahead of me and this yeah, so, I think, is just before we go through the different parts of the evening. Today.
B
It's gonna kind of be more for kind of a roundup of KubeCon, just some thoughts gathered from the community around coupons, some of the things that happened during that the event as well. As you know, I think we have several new members here, so I also want to be able to give some time for people to introduce themselves which brings us right to that position, which is remembers so thanks. So much for doing the intro you, which company did you said that you.
A
I'm new Tim, routine.
B
Hi, this is Thomas awesome. Many new faces, let's, let's start with Tim and then quick introduction, and then we go around.
A
Yeah thanks so yeah I found out about you at KubeCon and thought I'd come along to see what you do. That's it really.
A
I'm sure I'm a GCP security architect working for peer consulting and I do stuff with financial services organizations so obviously got an interest in cloud native security.
B
B
Let's see, I'm gonna just go over to chat. Oh so we have.
A
A
Hi, that's me my name's Craig Jellick coming here. I'm I work for SUSE by way of Rancher Labs and just just trying to kind of just join. To kind of. I don't know, learn about what this group does and how my work can. Potentially, you know be involved.
B
Awesome, okay, Scott.
E
Okay, all right, I'm Scott, I'm a founder at Chainguard checking it out see if I can help.
B
Awesome and sorry.
B
A
This is Thomas Underhill and I am with VMware. I work very closely with Andreas Vega, so he invited me so look forward to contributing.
B
A
In the sandbox and just saying hello, welcome everyone awesome, yeah.
A
B
Oh okay, next is on triage. We don't have that today, meaning anymore. There hasn't been POC updates because of coupons, so we're gonna skip all that. I'm just gonna quickly go through the list to see what anyone has anything to talk about.
B
Cool no additional updates, besides the chaos engineering, one which we'll talk about later so in case you haven't noticed our you. Usually we have two different types of building. We have these things all working sessions. We have presentations as well. Working sessions are kind of a way for us to get together to both be able to kind of start calling on different projects getting updates on different projects as well. As you know, sometimes we have a lot of discussions on certain topics and some of things.
B
D
B
Generally, these are how working sessions end up end up happening as we go through different updates. We kind of highlight one or two issues that are new or issues that we kind of want to bring up which are on the roadmap, and so this next part of the meeting we're going to just go through the different updates of different groups and then at the end of the meeting, we'll touch on new issues. Like the chaos engineer, we want to talk about.
B
B
Which you know the kind of we just go through a quick stand up, and then we have a presentation from either project or someone that just wants to talk about security or what they've been working on. And then we just have a discussion about that. So each meeting is, you know, usually either working session or presentation, and that can be seen kind of review. If you're curious.
B
Of I'm sure that the meeting notes that we have in the chat to kind of have to know about this, I like all right. So let's continue with today's project updates. So I see that Michael you, you mentioned that you have an update for the faction.
F
Yep, so a pretty simple update, so we're we're finishing up the first version of it there's. Obviously, some cleanup there's a few other things that are getting done, but most likely by the end of this week or maybe a little into early next week. It should be all done just mostly cleaning up some some diagrams, some rewording of a couple of things and that sort of stuff. So that's all getting done.
F
The other thing that is currently in the middle of sort of getting sorted out is we do have a prototype implementation. That's based on a demo that my team and I had kind of worked on, and you know we're looking to sort of you know, donate that code and figure out whatever it needs to happen in order to kind of get that sort of accepted as something that the CNCF can then use.
F
But yeah, that's pretty much it on from that front, so yeah. If anybody has any thoughts right now, it's mostly just like little tweaks here or there or if somebody wants to sort of you know, raise some big red flag. That's that's sort of the only stuff that we're really kind of looking for it at this point, but yeah it's coming together quite nicely. A lot of good diagrams and and whatnot are being added there. Looking definitely for for other folks to just sort of read through it see.
F
If there's anything you know if it's anything sort of that isn't a minor correction or whatever. Maybe we can start looking at that for a version two or whatever, but we're also starting to ramp up trying to look at that reference, implementation or sorry, I should say prototype implementation and what we might be able to you know if folks can help out with that and so on a lot of the my time over this.
F
The next few days is going to be spent cleaning up that code, making sure that it's clear that we separate out samples from the actual sort of installation of the the tools and so on and so forth, but yeah it's coming together. That's it for me.
C
F
That's the actual sort of reference architecture document and then, as far as the wall, we're kind of working through all the whatever I don't know how how I would describe it, just like all the paperwork and whatever else is required in order to kind of get this to become an actual CNCF thing. This is where it the secure software factory, prototype implementation, lives and just yeah. So those are the two things.
F
B
Awesome thanks, Michael any any other questions. Thoughts on that.
B
Okay, so next one is the audio recordings. Is there anyone here that wants to kind of update on that.
B
We have serverless right now. You want to give a quick update on profit. I don't know, I'm not sure who's. Looking at that right now.
G
Yeah the serverless paper, I think the India and the APAC team are working on it. We have a sync app set up for later this week. What happened is while we were still working on this paper. The CSA paper came out right, that's a how to architect secure civilized applications, so we don't want to duplicate content.
G
Obviously, so we need to re-scope and reset the direction as to what we are producing and how will that add value, so that is the sync up meeting later this week, Ashish set that up and we'll go from there.
B
G
A
There we go, I muted myself yeah. I finally got finally got the recurring time slot, so I can join these again yeah. So there's a little bit left to do on the Cloud Custodian one like some remaining edits and then like the markdown copy of the final canonical self-assessment and then commit those and wrap that up, I'm also sending out a call for reviewers for the Argo review.
A
Now that KubeCon has passed and we have some more cycles going around, so I've updated the ticket for that on GitHub and I'll go paste it in the chat here.
A
When I go on mute and yeah, we could use some reviewers and a reviewing lead and beyond that, I'm putting together a batch of documentation, updates just roles and stuff like that for the TAG Security get repo in general, and I think we have a separate meeting in like an hour so where I can go over that in some more detail and that's it for me.
B
Awesome, thank you, Matthew yeah. I just was supposed to push in the chat and for those folks that I knew if you haven't seen the pattern. Basically, you have issues for everything. If you.
A
A
A
C
Yeah sure so, just to give folks an idea of what this is. So the stag had first developed a cloud native security white paper which provided information about building, distributing, deploying and running cloud native applications, and so what the cloud native map it kind of builds on that white paper and it tries to give an interactive medium for consumption of that white paper. So imagine giving you some real world projects which conform to each of those different sections like distribution or deploy and run time.
C
C
And now what we're doing is we are working on a newer version of that map to kind of join these different phases on how you can move from one phase to another, and so that's the work, we're gonna. That's the second phase of the map that we're working on and we'll probably kick start that project in like the next couple of weeks. So we're gonna need volunteers to help us with that project as well, and we'll provide more information in the future meetings on that.
C
So for folks, interested we'll post the GitHub issue as well in the meeting notes so check out that issue and check out the CNS map as well online on cnsmap.netlife.app. Thank you.
B
So it looks like I think, one of the things that I wanted to kind of cover a little bit before we get into the things is, I think, first, for for new members. You know if you have any questions about the group. What are some things that you can adopt on? You know you're, looking for something specific or what just general questions.
B
And not retrieve the new members if you're existing and you want to kind of know a little bit more about the system aspect of the group. You can spend the next few minutes to kind of guess.
B
If not what I would do is I would do a quick run through on you usually just have like quick overview for every time. You have post record, which hasn't been a lot so yeah. I will quickly show how the group is organized and then.
B
Yes, yep cool, so main aspect of the group is we kind of all just run out of people everything? Basically, everything that the group holds on ends up being individual, so we have kind of different photos that you see, but just quickly going through right. So we have the really. This is information on the meeting, which is what we have we're having today.
B
Another important thing to take care of to take a look at is the Slack and communications, so those are already on the site channel. We have a second channel, we are sort of mailing this and we have an email list for the leads and chats as well. In case you have any questions directed to the leadership and yeah, and we also have a new members page.
B
So this new members page, I believe, was recently updated, talked a little bit about you know what the things that get started with from during the meetings compared to the side channel, look at what kind of like computer guidelines and things like that, but yeah the three things that we recommend. Folks, too, if you want to get involved so join the meeting which most of you already ideas.
B
So that's great so express your thoughts on any issue that you find interesting I'll touch a little bit on this soon and you can choose an issue, but it talks. So so, as you can see like a lot of how the group works is around the issues of the PR GitHub.
D
B
B
And basically we have a couple things that here and generally what you can do is you know you can, for example, this one colleges you can just say you know I'm happy to help people just post and then we will.
B
Of like jumpstart the projects right, so we see that you know so the issue is kind of getting interaction and certain folks that want to work on something or there's a lot of comments on. What's the issue, we bring it to this working session meeting to discuss about it. We talk about okay, maybe we should make this a project and so on and how people solve projects right?
B
You can also create new issues. So if you hit new issue, you can see that there are a couple of things right, there's joint security review, so this is, if you are a project owner that wants to do a security assessment security review the TAG you can create this issue. If you want to present something to a group, you can create a presentation issue, and then we have these two things called proposals and suggestions right.
B
A
B
Put in the effort, then I will create a proposal if you have like you.
E
B
I, for this cool suggestion, a cool idea, but maybe I'm not the best person to do this. I don't necessarily have kind of the time or resources to put into it. Then I create a suggestion and we have kind of like ways that we handle this like. If you look into any of these texts, for example, if you want to create a presentation, they're kind of the attractive.
B
So everything kind of at least, ideally, we put every as much as we can within the issue, but you know if you are still curious about you know how all these things were formulated. We have a governance, folder and basically, all the numbers of the processes that happen to do this in this governance program.
B
So if you are and then, if you just like kind of look at the different directories of the group, you have assessment. These are the assessment reviews, so it talks a little bit about it. You can go into the guide, which tells you what the review is about, how it's done, how to be part of it and so on, and then we have so here we have. You know what are the different steps of the review for the.
B
Lead how to be a security reviewer, and then you can click on it and kind of like go to okay. What does it mean review? What do we need as real what the expectations of time etc?
B
So this is, we have basically this and then, if you want to see the documents that end up coming out from reviews, we do have projects and they can kind of go to different ones right.
B
So in this case, you see a company can fill facts review and they can kind of pick taken up this and then take a look at the self-assessment. You can go through just browse on everything, so this is the general layout. So what you will see is that this kind of like maps onto most of things, that that kind of people, so it's the same thing with security quality right security white people, will have the fine paper itself the use of white paper, but they also have information on.
B
You know how do I, how do I contribute to particular particular artifact? That's in there yeah, so I would say kind of like you know, just explore the repo see, but if there's anything interesting to you or helpful to you, one other important thing that I kind of want to point out before I give a break to let people ask questions. Is we have these project tracking?
B
Oh sorry, from one roadmap, I'm planning to do it, so this is kind of where we have like on the all the way. On the right hand, side. Okay here are things that are currently ongoing. These are like the bigger projects that you know. We just did the updates and check-ins on. You know probably just verify people supply chain reference reference architecture, looking group so.
B
A big ticket items are going on. We have things that append and schedule where things are proposed and the ideas you know these whenever a a project or an issue starts getting augmented.
A
B
Size enough, they become projects and then you know start managing them this way. Other than that, if you go and look at this section, which is extraordinary section, this is where we kind of indicate that okay, here are some of the things that we discussed as a community, and we think that these are interesting topics that we want to look at in the future. So, like audit audience ability itch and telecom multiplier, hybrid cloud.
A
B
Of security reviews everything everything but yeah, so so far I've only kind of talked about projects, but you know this is an open source repo. So.
B
Like there's a typo, you know feel free to just open the PR and someone look at it, we'll merge it in and so on.
B
We can talk about the chaos engineering, self-assessment contact. You want to give a quick overview of that. Maybe, like five minutes, get some feedback and then we can follow.
D
I think the project itself, probably just give you a couple of minutes, snapshot on what fitness chaos project is about and then, where we are at today, what we focused on in the self assessment dark and based on that we can probably go ahead and decide how we want to go about the next steps.
D
So, as far as the project is concerned, it's it is a chaos engineering project, as, as you can see from the name chaos engineering has been around for a while.
D
It acquired a roadmap of its own and it's in significant usage and adoption today, and this project was started somewhere in around 2018 time frame and we sandboxed it in June 2020 last year and since then, there's been a lot of interest in the project in terms of contributions as well as adoption, and we are looking at going to incubation at this point and as part of that, we tried and filled up the security self assessment document.
D
As for the instructions in the repository jack security depository guide, and there are a few aspects that we've focused on in terms of the runtime policies, there are some chaos experiments which will ensure that the powers carrying out the fault business logic need to run with some amount of privilege escalations.
D
So how do we manage that? And there are also architectural decisions we made to further or keeps keeping security in mind. For example, each of the experiments run as part of the chaos. Suite can be run with a specific service account and you could control what permissions the experimenter or the user is going to be interested with to carry out faults.
D
There are different modes of execution: there is a namespace mode with lower levels of capabilities and permissions, whereas there's an admin mode which is sort of all encompassing this account is interested to the user to do chaos in the cluster. There are other features which we've mentioned inside of the self-assessment document.
D
D
The the process of creating a self-assessment also helped us in creating a coherent document around security for the end users of the project testing a lot of the documentation around security was in various places, which is now concentrated into one artifact, so that has already been helpful, so looking forward to more feedback and guidance around this be happy to present. The final level details of what the features are whenever we are sort of given an opportunity to do so.
B
Awesome, do we have any questions.
D
So I have attached the link to the due diligence document for the project and I just like to mention, I think Radha is also here. So there is an initiative going on called as chaos, engineering working group. It's a very recent working group that was started to bring together interested members on a single platform to discuss what is the state of chaos engineering today in the cloud native world and what are the best practices people follow in terms of ensuring.
D
Also includes best practices, security-based practices and there's also category of chaos. Experiments coming up called as a security chaos experiments. You could have predefined workflows that you can run as part of Litmus which will give you information on probably what's lacking in terms of security.
D
There are a good number of open source tools which also, I see, are documented within the cloud native security map which talk about highlighting vulnerabilities, so you could run some workflows from the Litmus platform to sort of identify what those issues are as well, but coming back to this working group, it's it's across project effort.
D
There are other projects in the CNCF landscape that also have chaos engineering that their core and it's a cross tag across project kind of an effort that we've just got started with the end goal being a white paper that captures the current state of chaos, engineering, cloud native and what these practices are, how people are approaching it? We are providing some end user presentations around getting more gathering more details around how folks are practicing it and then putting the information in crystallized form in the white people.
D
E
Awesome with this question: do you have a way of testing some of the actual upstream cloud dependencies like I, I might have a dependency on S3. Do you have a way to simulate downtime in industry, in your your environment, by any chance.
D
Yeah, so the the platform as of today, the Litmus platform has a set of off the shelf readily usable experiments, most of which simulate some kind of communities faults as also go ahead and cause some failures on resources in the cloud, for example, using some receive instances or Azure skill sets, or things like that, where you can go ahead and cross points, but we've also written up or designed the architecture in a way in which you can write custom experiments.
D
Let's say the use case that you're just talking about where you simulate an S3 interface and cause some chaos. So let me support something called BYOC and bring your own chaos where there is a tool provided to sort of bootstrap or scaffold your experiment and you can fill in a business logic that you would like to, and it serves as both a platform or a framework to execute kiosk experiments is also providing a ready set of experiments or a library of experiments that you can already do so. This is great suggestion.
E
And some background on this, this back in early Netflix days, early 2011 2012-ish they had built up in their service mesh historics was name of it.
E
The capability to inject that kind of chaos, so that it wasn't just them checking services that they depended on or their own infrastructure, but they could inject failures into things like like: hey, let's, let's stop issuing out workloads for this region and see how the system responds or, let's, let's start shutting down S3 access in certain areas or, let's slow down the network in certain spaces on a on a random basis.
E
So it sounds like you're the fact that you're thinking of bringing to bring your own chaos as as part of that definitely hits down that particular path and yeah. I would love to see something like that continue to to progress as a suggestion. Of course, nothing ever has to be done, but yeah.
D
Yeah, that's that's a great suggestion. Thank you. There are some experiments, we're seeing this in the community, one of the reasons for one of the benefits of having it as there's something called the chaos hub. I'm just posting the link here.
D
So things like this can still be executed as part of lateness. We're getting some contributions there. So this is definitely a developing area. We we are seeing chaos being practiced in environments that are not, let's say only Kubernetes, or only pre-Kubernetes is like a mix of all sorts of environments.
B
Yeah, I'm kind of curious kind of the different security spaces, and also you know whether your Litmus as a project is kind of whether that's a focus or kind of just like another use case, and the main focus is really around with the image and see. That's like.
D
A
D
Got a broader goal: it's about helping SREs and developers with improving the resiliency of their applications, so security is definitely one big part of it. It has all sorts of chaos, experiments that are sort of being developed, experiments that are testing the storage in the ecosystem, experiments that are testing the general application performance, experiments that are basically testing network, resiliency and security. Of course, yes.
B
So I guess just just a logistical question: do you have a qcc sponsor for incubation.
D
Yes, dems is the doc sponsor for them is he was a sponsor for this project, and we've had a few rounds of user interviews that have been conducted at this point and I think he he is basically doing the divisions.
G
And and Brandon we are also working on a security white papers. Karthik sorry, I didn't recognize your full name. Unfortunately, I've been talking to Karthik about this effort.
G
So from a security standpoint, there are a number of use cases that we can actually test with Litmus a lot of attack patterns that come from MITRE right. I want to start executing them and see how resilient an environment is right, a cloud or cloud native platform.
G
A
B
B
This seems to be interested in this. I think that you know if we have kind of a couple security use cases, and we have to do like a quick gamble on stuff on how we can use that with security use cases. It would be.
D
I just posted the link of the the chaos engineering working group charter, it's in the initial stages, so you can find some more details on what the goal is with this working group and Litmus is one of the contributing projects.
G
It's part of app delivery: okay, yeah, but security is just one of the stakeholders right, obviously, resiliency disaster recovery.
B
B
Okay cool, so I think we have 10 minutes up. So thanks so much Patrick for sharing this. Let's we'll take a look at that we'll discuss with Matthew to see what the timer looks like and then we will get back.
G
B
Kind of, like the decision incubation, I think we apparently like three projects that are kind of on the list. It's Argo captain and non-environments right. So we we have to plan out we'll talk to the tfc, see whether there's any agency there, certain projects closer to contribution, oh yeah, which one is which one is the priority for that part which one is, has security being a higher priority with the kfc ones, feedback on yeah.
B
And then we will try and schedule something cool. So I think that we have a couple announcements before we end and I kind of wanted to do a quick, quick, ask to see what there's anything that you found. That was interesting for folks that we potentially want to see or see what we want to get to talk about.
B
So before that quick announcements, we have Pushkarjo and Pittsfield on public debate.
C
One of the things our end users asked was tell us how to make our apps that are cloud native secure by default and from that what came up is one simple, three-pager document which has guiding principles on what we can do to make cloud native apps secure by default. So here's a link for this. I added in the chat and the meeting minutes, has a link to the GitHub issue as well.
C
C
I am hoping to publish this in some way or form in future for larger consumption, for everyone who is under CNCF umbrella and for projects like Litmus Chaos and others that are also in different stages of graduation. So let us know add a comment on the Google Doc. Whatever you have, if you have suggestions that you have feel free to make suggestions directly in the talk as well, it should be accessible to everyone with or without Google account. So that's it.
B
A
B
Have anyone that you'd like to know me as a thank you for the community? Please do send an email. I photo instructions up there.
B
One last quick one is on Axel, sent out a poll around whether we want to have the changing the cadence of the meetings and some proposals that we're gonna just post that again in the sec channel. If you haven't responded to that, please do and then we'll stick around to schedule for the upcoming videos yeah other than that. I think just any any thoughts or anything interesting that we may want to cover on future meetings or want to get your presentations on that people saw at KubeCon.