From YouTube: CNCF Security TAG Meeting 2021-06-02
B
A
Sorry, I was on the phone, but yeah, I was just saying hi. How are you?
B
B
A
About the serverless paper too, so you you you volunteered for that as well, right? Are you looking gonna work on that?
B
B
I'm working in VMware now.
B
Yeah, so mostly I'll probably back off and let others take the lead for serverless, but definitely looking forward to contributing more in general in the group.
C
C
B
All right, I think it's 10 o'clock Pacific. We have folks trickling in slowly. For people who have joined, I had shared a link to the meeting minutes. Please add yourself to the attendance, and if you have any topics to discuss, put it in front of your name, and we'll wait for a couple more minutes and then get.
B
D
B
D
By the way, I may have to, I may need to disappear for 10 minutes. I have a gender item. So if I'm not, if you call me and I'm not here, feel free to just continue.
B
C
B
See Brandon, Aradhna and Michael have three updates. One update each at least. Maybe Brandon, since you have to go away, we can start with you.
D
Yeah, my update is, is in the agenda, so I think we can, cool.
B
Okay, yeah, I've added that in the agenda, so we should be good there. All right, maybe Michael's update is not in the agenda, so we can start with you, Michael.
B
Cool, all right. Okay, my bad, okay. Anyone new to the group, has joined for the first time, feel free to introduce yourself.
E
E
C
C
Follows, yeah? Sorry, I was struggling with the mute there. My name is Greg Blana and I am formerly of the Boeing Company, about 35 years, 20 of which was spent in identity and access management.
C
The last few years were focused on, oh, cloud native applications and zero trust, and my good friend and cloud native inspiration or Rodney Chettle suggested that I might find some value in these meetings and maybe some way to participate. So I'm sitting in to hear what you guys are all about.
B
Well, welcome, Greg. I definitely concur with her. Your contributions are going to be definitely valuable. Look forward to seeing you more. Thank you.
D
Yeah, just, I I guess before we head to that, I think Greg, you you're on the phone, so you may not see the link. We have a meeting link that we usually have like attendees put in their names.
D
B
You, Greg, same thing for you, Push, as well. I can send the link again if you don't have it.
B
Cool, so we also need scribes, at least one. If anyone wants to volunteer, it will really help for all of us to take notes of things we discuss, for there are many people who couldn't join today, so it will be especially useful today.
B
All right, thank you, Brandon, for volunteering. If anyone else wants to do scribing, feel free.
B
All right, thanks, Rory. Cool, okay. So if nothing else, we can get started with the agenda. If Brandon, you're still around, we can just quickly go over your issues since you have to disappear for a bit, and then we can come back to the doc meeting and Aradhna's agenda.
D
Yeah, so yeah, I I may, yeah, I just don't know whether I have to go. I'm expecting someone to come by, that's something I designed for, but so the the agenda item I had was around updating the code of conduct file. It isn't really much of this. No changes to the conduct itself. It's mainly around, you know, how to handle incidents, so the the issue, yeah, thanks for watching that.
D
So this is ish pull request 652, and really, the idea here is that we want to provide some guidance. You know, if something happened in the community, how do you handle these kind of issues?
D
The main idea being, you know, the the chats and the TLs will kind of help as mediation, and you know, we can help, you know, figure out, you know, what's within the code of conduct, what's not in the code of conduct, and you know, how to resolve these situations in a way that do not escalate, since these can be a little bit tricky to deal with sometimes. So so the document, really the additions here is really about.
D
If you see something that you think violates a code of conduct, or you know, whether it doesn't necessarily violate the code of conduct, but you think that it's not inclusive behavior or you think it may make people uncomfortable, what do you do? You can, you know, get that direct message, bring this up to the the co-chairs and the TLs through a mailing list that we now have, and then we can help respond to that, and also for, you know, for the content creator site.
D
You know, what do you do when you you get a notice of this, and to understand that, you know, it's.
D
It is, some of these issues around inclusiveness from end quote or conducts are something subjective, and you know, sometimes you may not agree with it, but you know, the main idea is that we want to try our best to stay focused on the topics that we are discussing, and if we have to have issues that we need to discuss about code of conduct or certain content, that we should, you know, have the right avenues to do this, and part of this is, I think we want to try and create the avenues to do this, so one of it is trying to create a mailing list.
D
B
Soon, all right. For everyone's benefit, I'll just add the PR link to the chat, and then I don't know who owns this agenda item. If you know, Brandon or Aradhna, we can.
B
A
Yeah, definitely, okay, cool. So do you mind if I share my screen?
C
A
So let's talk about, one second, chaos engineering first. So we attended the TOC meeting yesterday and the app delivery team is actually working on a white paper for chaos engineering. They're going to try different techniques that bring resiliency to the applications in a microservices world and container platforms.
A
So to me, security should be part of that chaos engineering, because if an application fails, it should not expose, you know, any security threats to it, and also security components have to be integrated into the chaos engineering as well. So I had a brief discussion with Emily on the side and we decided to create this issue, and I reached out to the chairs for that particular TAG, and they said they would welcome any input and they would like our involvement heavily into this work stream.
A
So I've created an issue. I have been added to their TAG to support this effort, but, as you know, my bandwidth is limited. So I would like other folks who are interested in participating to also tag this issue, so I can include them in these conversations and then on.
A
Anyone who wants to participate in this white paper or contribute to this white paper, please tag yourself to this issue 678, and then we can send the names to the chairs for that TAG App Delivery and we can start making progress on this book.
F
All right, now, one thing to throw out there is that late last year, O'Reilly published a report on security chaos engineering. The authors were Aaron Rinehart and Kelly Shortridge. Would be good to reach out to them, see if they'd be willing to participate in in any shape or form, yet provide input or for help review once there's something, but probably good to reuse prior art and experts in the space.
A
Definitely. I will make a suggestion to the TAG App Delivery, or you want me to reach out to them, Andres? What is, what is your suggestion there?
A
Okay, I will, and I'll look at the book as well from O'Reilly. It'll be kind of an interesting read for me personally, because from my experience, I'm just sharing some thoughts here, cyber resiliency does not exist today, a lot of enterprises. There are a lot of issues when you have a failure. All the cyber controls fall apart. So how do you keep your systems resilient, along with all the security components and their integrations?
A
That's a big challenge, and especially in a microservices world. So this will be a fun piece of work, I think.
G
F
And a big part which I think what the report accomplishes is help people think around chaos engineering, the con, chaos engineering and the context of cyber resiliency, as you said, but there's still long ways to go to have reusable tools and templates to do so and and be able to apply chaos engineering and practice to to cyber resiliency. Sure, there's people who've done this, but there's not a lot of that's been externalized and shared publicly.
G
One interesting thing that ties into this as well is, I I think this should also apply to things that that have stayed, or rather they especially should apply to things that have state, and one environment that I, that I had the pleasure of seeing once was they had a bunch of MySQL servers and they had their policy set up so that every 24 hours, the entire node for their MySQL system was rebuilt and the clusters were designed to work around the rebuilding of those nodes over time, and the end result was a much more resilient system that handled the state, and so, even if you don't tackle state in the beginning, I would definitely recommend that there are.
A
C
That's a great idea. I think that this is at the, I was going to put this in the chat and I'll post this in a minute. This is the intersection of reliability engineering and performance monitoring and logging, to some extent it's audit, and from a predictive point of view, there's capacity management and some machine learning around get off, and IT ops, and I, do you think that this group's able to peel off a piece that is just a resilience that makes sense to you?
A
So apparently they are, they are a team that is focused on app delivery, right. We have to inject the security and resiliency for cyber perspective in that white paper, I think. So anybody who participates in this effort will have to put on that security hat as part of that effort and address all these continuous compliance and availability as well as a part of that, and security controls, of course.
C
Yeah, because that, you know, in cloud native, we've got kind of parallel tracks with things like, I forget what the name is right now, but there's something that parallels the New Relic product for the performance management monitoring side, and then on on the compliance side, you've got things that are more, you know, more clearly in our space like 50 and so on, but the two things don't talk to each other. So if you drink security, you're ingesting blogs from both of these, right.
B
A
Yes, let's do that. That is the serverless security white paper, this issue. We have a number of people who have tagged themselves to this issue. So thank you very much for all that interest, and you know, your efforts in contributing towards this effort, or at least the initiative. So Pushkar, you had sent some comments.
A
That should, let me open your comments in Slack. When I had shared the table of contents with you, that you wanted to see if security assessments or tools and frameworks should be part of this as well. Do you want to expand on that a little bit? What did you mean by that?
B
Yes, also, although this has been a while since we discussed, so I'm probably not remembering the exact context. So if you have some comments I've made or a Slack message, I can discuss now, but I think in general I added some comments in the talk as well.
B
Some of the things I've found at that time was, we could probably use some scoping discussions in the beginning, where there are a lot of serverless projects and initiatives, and what might be useful is to see if some, at some level, some of the CNCF landscape that has serverless related projects, would that be something that can be scoped. And one of the other items I've probably added is the audience is again, would that be something similar to how we had for cloud native security white paper and the supply chain?
A
Yeah, so the the the goal of this paper is to build on the previous serverless paper, and I think the serverless working group had put out a white paper which is in the link in the issue as well, and the video presentation that we got from Doug Davis, I think, at that time.
A
Basically, they went through a lot of discussions to define what is serverless, right, and they did not necessarily focus on security aspects of it, but in this iteration, because we are TAG Security, we're trying to focus on the security challenges, how to mitigate those threats, right, how to provide continuous compliance and visibility, and where are the gaps, and how? How does identity work in a serverless world?
A
So the goal is to focus on security aspects while we are building off the concepts that have already been laid out by the serverless working group, so appreciate the comment as well on tools and technologies that we have in the landscape. If you want to reference or augment, I mean, I would let Brandon speak to that. Brandon, do you have any thoughts on the landscape and the tools and technologies and how we'll fit them in the serverless security discussion?
D
Yeah, so so we have, so the different aspects of the the five event, you know, when we were initially talking about the white paper back, like I would say almost like two years ago, the initial scope of the white paper was discussed and basically the outcome was there's so much to talk about, so much in-depth that we can go through, and we can't fit it all in bonafide paper, right, and so I want the issues we talked about. Okay, we're gonna split this up into maybe multiple sub-white papers, right.
D
So in this case this would be a white paper for similar security, which will still be focused on, like the the concepts white paper related stuff. The cn, the security landscape, which is now called the cloud native security map, what it does is it mirrors the white paper table contents and basically, it consolidates the information from the white paper as well as add projects that are related to that aspect of white paper.
D
So we initially had a content stream for all the different projects, and this is available actually in in one of the branches which I will all post in the chat. Initially, there were aspects of serverless that we had under scope, but there wasn't any contributions under that, so we left it up, but if this is something that someone would like to contribute to, we can just create a a page for it. And you know, if you want to have projects or if you don't have examples about.
D
You know, more things that people can take and just implement right out of the box, we can add it to the the cloud native security map. So I'll put some details in the in the chat in a bit.
F
F
Because it can get really really broad. I saw Evan Anderson from Knative chime in on the, apologies, I I haven't read it through. I just see one of the latest comments. So how much do you want to constrain this, Aradhna and Brandon, versus, sure, a lot of things can be modeled as serverless, and then you have things served as FaaS.
F
Well, the threat models of of of any of those scenarios can be really broad, like branching out all the way to like rethinking how to tighten up your controls at your API gateway, because that's going to be your your surface, down to like a, if you're operating the infrastructure to provide serverless computing, are you enabling seccomp? Are you doing these different things?
D
D
D
So I think this this this white paper is definitely a broader scope, right, and when you talk about some of this, you talk about functions as well in some respect, yeah. So so I, in terms of like stuff related to the landscape, it kind of mirrors a white paper, and I think that if we see that there is information that people now contribute to the landscape, which will also be a good part of the original cloud native security white paper, you know, this is something like Robert, Robert just joined here.
D
He created a PR to add a few additional things to threat modeling in the white paper and then added some projects into the landscape as well. So in terms of the the projects, I would say, the best path is to, we'll create a placeholder for functions, and if you have projects related to security for functions, you can create a PR to to add that into the landscape or the security map and then maybe also add a few words in the white paper, the the original security of our people as well.
E
Okay, so Brandon. So if I hear you correctly, you said the current scope doesn't cover the Knative and everything, right, because currently, I'm looking into exploring the the application of DevSecOps into the clear native. Basically the implementations, right, like how we want to secure functions from the beginning when the developers are building them. So.
C
C
A
Paper, it's our paper. So let's just, what would you like included in this scope? There will be a sub team set up, obviously, for this, and my hope was that today we can finalize who the project leads will be for this.
A
I'm the sponsor for this particular initiative, but I still need one or two people to be the project leads who are gonna, you know, kind of manage it.
B
A
B
Like Fred, Frederick also has his hand up, so he might have a comment.
G
Yeah, I'll also consider the, so right now, I think we're focusing primarily on the on the server, on the infrastructure portion, like how do I set up a serverless or highlight setup functions as a as a service?
G
We should also, maybe it's out of scope for this paper, and we can explicitly call it out, but there's also a space for helping developers who are building on top of function, on top of function as a service or serverless, on how to build and secure their their application.
G
And what do they need to do to make sure that they integrate well with the with the underlying infrastructure, and so there may be a space there as well. And to give a real world example, if you're, if you're working on on certain cloud environments, and maybe it's changed since since I've last looked at it, if you wanted to be part of a VPC, then you can, you were no longer able to use that specific cloud, environ, cloud-based function or serverless environment.
G
You then have to spin up some form of a of a cluster in order to land onto onto the VPC, and even though I know that's not directly relevant in this space, there, there may be other similar things where it's like, yes, you're using serverless, but you also have to make sure, like from a developer perspective, how do you make sure that you're doing things in a way that is not going to violate the the constraints of the system?
A
Yeah, Frederick, you're right, and the goal, I think there are some comments in the paper right now as well. We want to provide two perspectives. One is from the platform owner's perspective and one from the consumer's perspective. You know, all the cloud providers who are building these platforms, what what do they need to worry about, and then as a consuming enterprise.
A
What are the controls that I'm still responsible for, and what are the gaps in the controls that I won't have visibility to, you and etc, etc? So good point there, and yes, not everything is going to be purely serverless. There are going to be hybrid use cases as well, right, where you have your your public cloud instances and then from there you are spinning off some applications by serverless, so there will be interfaces there as well.
A
So maybe that we can add a use case section and we can define some categories or use cases that we are going to address in the paper. So that's great input, though. Would you like to comment on the issue itself and add that as your feedback?
G
Yeah, I'm happy to add it, and I'm I'm also going to suggest that that the scope also be defined, because this is a space that can grow quite quickly. So so it's it's, I think it's important to give a nod to it, but at the same time say, define, determine whether something like this is out of scope or not, and I think for the developer side, my guess is, based on the conversations, it probably is, but that also leaves a gap there that can eventually be filled in in the future.
A
B
Yeah, great feedback from everyone. I think all of this recording will exist, but any thoughts that you have shared, if you also had it in the issue, it will be easier to get back later in the future and continue from where we left off today, and I see Andres has his hand up as well, so others.
F
Thanks, Pushkar. Yeah, I am really glad that Fred brought that up. There are the two different dimensions, but what's really meaningful is the intersection with cloud native. There's this great blog post from Michael Weisbacher at Square, who talks about providing mTLS to Lambda functions. I'll paste that in chat, but this is a great example of an organization using Lambda and looking at the cloud native ecosystem for tooling.
F
In order to accomplish this, and in this case they're using SPIFFE and SPIRE. I think the paper would be a great place to capture and highlight this work and and pose a question of like what other projects from the ecosystem can be incorporated into like provider FaaS.
F
F
It would be helpful to help people understand the security trade-offs of one over the other. I don't know that we have done security assessments out of this group necessarily, but there's definitely literature and documentation to security aspects of of those projects. That would be good to put together like a compare and contrast of security properties of those to help people make make decisions and and how to wire these these up.
F
So that is like the other dimension of somewhat to like platforming ops teams wanting to provide service, serverless-like capabilities on top of Kubernetes or on top of any other development platform. I'll write this down, as Aradhna pointed out, it's great to talk about it here, but also good to to participate in the issue.
F
I did do a lot of serverless in the prior life which I've been trying to to get away from, and I don't want to go like head in. I worked on on fishing for for quite a long time, which brings me to the other thing I thought. While you were talking about it, was there's not a lot yet on, I forget the the working group from CNCF that was trying to get to workflow composition or composition of functions, doing something like AWS Step Functions.
F
A
Definitely. So Andres, seems like you have great ideas, if you want to contribute to the paper as well.
A
B
This is the story of everyone in the call, probably, but yeah. I think great points. One one last thing I'll add, and probably I have a comment there already, is in serverless, there is a unique problem called cold start problem, which many folks might be familiar, so what it essentially means.
B
If I want to execute something and a pod or a container is already running, then the execution time is smaller or shorter compared to if I have to start a container or a pod and then execute the function and then get the result back and then kill the pod and then repeat the process again. So what happens because of that?
B
Is the cloud provider sometimes end up sharing the containers for different users which can perform the same action, and as a result of that, if the action is not exactly stateless, then you end up with accidental exposure of data from a user who executed an action and now second user is executing an action. But now they have some in-memory files or some other JSON intermediary files that can be exposed accidentally to the second user, and if you're not really working in a trusted, multi-tenant environment, then that becomes a problem.
B
A
Thank you, yeah, that's a great point in terms of performance as well as scalability, right, yeah.
B
All right, okay, wow, looks like we have another hand up. Push, go ahead.
E
Super sure, just on the point of the cold start, right, I think serverless library already provides some things, right, from what I remember, from what I gather, I'm not entirely sure, I'll have to pull up some references, but what serverless library provides essentially is the issue that you mentioned, right, so considering like AWS Lambda is for, for instance, right, when you consider it go, slam does serverless, what like serverless library provides.
E
You is that you can wake up the container every five minutes so that you can make sure that you have the container for yourself, right. This solves the issue from, I guess, application point of view and performance point of view, scalability point of view, right. It might not exactly be cost effective at points. I understand that, right. We just might have to look into it from a security point of view, right. How exactly will it affect you and what exactly will you be facing the issues, right?
E
B
A
I still need people to volunteer and select team leads for this, project leads who are gonna, you know, set up meetings, and you know, collaborate.
B
A
Gotcha, okay, so I'll reach reach out to the folks offline who have volunteered, and then we can make a decision on the project leads for this, but.
E
Yeah, I have actually commented on the GitHub issue as well, right, I'm just waiting for more people to join, and you know, see where this is going. I actually, regarding that, right, I also wanted to understand where, what exactly is the deadline we are looking at for this, because I think, I mean, like in my opinion, availability can also be a major challenge for everyone.
A
Yeah, so we don't have a timeline set for this yet. We are just initiating this effort. Timeline depends on the scope of the project as well, so once we finalize the scope, I think we can come up with some dates, and that's why we need these project leads to kind of get people together and start talking about scope and timelines, etc.
E
And I'll definitely be happy to help, but yeah, I'm not sure if I'm in a leading position yet. There might be a lot of guidance that I may need essentially initially to make the contributions as well.
A
Exactly, so I'll stop sharing. Thank you very much for the discussion and all the great points everyone has made on this. I will take this sub team.
B
D
So so we had the regular SIG update meeting, so this happens like one to preview TOC meeting to the SIGs, oh well, I have to stop saying SIGs. The TAGs start give an update on what's going on, so for the TAG Security update.
D
We we shared about the chair nomination, so which around 9i and we also have which is currently up for vote. So I believe the ask from JJ was that, you know, if you, it would be helpful to also have non-binding votes on the TOC mailing list.
D
D
The other thing that we gave the update on in the TOC meeting was on the supply chain white paper, just to kind of educate and also share a bit more with the rest of the community.
B
Thank you, Brandon. Congratulations both of you on the nominations. Everyone who have comments and things to share, definitely add your responses to the mailing list link, and I think we'll all be richer with all your perspectives there.
D
D
I I do have one one small request before, I I know you wanted to to give around to the new members. We haven't had presentations in a while. I think it's, I would like to kind of extend the request. If you.
D
Have something that you like to present about, or you you know someone that would like to present about security, not only just about pro, newer projects, but also, you know, we used to have a lot of presentations focused around use cases.
D
D
So I would recommend, if you'd like, you can create a issue. So if you go to create a new issue, you can select a presentation issue and I'll just paste the link in here. So the way to propose a presentation is pretty simple. You just create this issue, you kind of write down what presentation topic was presenting, and the co-chairs and tech leads will help organize this into one of the meetings.
F
B
Yeah, I agree. One thing probably we missed is, are there any, is there anyone who attended the APAC meeting last time it happened, who has an update or a, just just to sync up with this group on what happened there? Anything anyone needs help with, etc.
B
C
Cool, thank you. My name is Rob Clark, I'm new around here, hoping to contribute little things where I can. My background is all in threat modeling, security architecture and exploit development. I work for a large cloud provider and I'm keen to contribute both here and and in the in the Kubernetes community as well. So that's me.
B
C
Well, thanks for all the help getting those through. I will try and provide some more substantive stuff at some point. Those were like small changes, but yeah, it's nice to be.
D
PRs, all right, so one of the, I think, I guess for new members, we have a new member page as well, and kind of part of that, it's like adding yourself to the README list of the 10 of part members. So I've just put in the link to, feel free to take a look at that.
B
Okay, I guess no, so if nothing else, we can probably finish 13 minutes early and see you, no, yes, go ahead.
E
Apologies, apologies for operation, go for it. Yeah, so actually I just wanted to build on what Brandon was talking about earlier, the presentations part and everything, right. So I think it's time, it's about time that we start also building out community engagement platforms.
C
E
E
E
So I'm not sure if you, if you are already on the community.cncf platform, right, but essentially you can, like the way LitmusChaos is doing, right. I'm pretty sure you must have gone through some of their events or something, right. They are holding out all of their meetings, their meetups and all of these things focused primarily to chaos engineering over on Bevy, right, that essentially promotes a larger community engagement as well, right, and people don't necessarily have to come to Zoom or to Slack to engage, engage with the community.
E
F
Okay, yeah, I see what you're talking about. I think there's there's a few things in flight that that are important to share. How this meeting gets presented, it's changing. We're shifting towards streaming it live as opposed to being a Zoom meeting, recording it, uploading it to YouTube. The meeting will be start to be streamed.
F
There are, there are a number of community reach outs that occur out of the nature of the group, events being a big one. Cloud Native Security Days, starting to move to cloud native security conference for the upcoming KubeCon. I don't want to disclose too too too much details on that, because that's still in flight and getting finalized, but I totally see what you're saying of sharing our talks and our discussions more, but, like, I did not know about community.cncf. Having TAG Security share content.
F
There would be great, yeah, like more more avenues to to share content, resources and collateral would be great. Another thing we could do would be a GitHub page for TAG Security, would be relatively easy to to spin up and and have a TAG Security website or web page to host all the talks or the webinars and and bring together all the assets and collateral that exists and also give folks the space and platform to to present and engage, but yeah, curious if you have more thoughts or like very concrete.
E
So yeah, like this is just me picking some of Matt Young's thoughts, he's currently leading the TAG Observability team, right, and just some very basic thoughts, and I think these are really really good, which is having some interviews with CNCF end users focused on their TAG domain, like TAG Security for that matter, right, and these are observability specific.
E
So obviously we can tailor it to security as well, right, a series of interviews with creators of security tooling that updated CNCF as well as within CNCF, short videos explaining security terms and concepts, interviews with creators of CNCF incubation, graduated projects, focusing on their challenges, their opportunities, everything, right, and any anything else that we can think of. I mean, these are very basic thought that Matt had, and I think these are some pretty good things that we can build on top of.
F
Totally, and and look, if, if you want to take the initiative, and you have like a clear idea of what one of these things look like and you want to start it yourself, and go for it. Like the challenges, as Pushkar said, a lot of us like carve out time of our day jobs to be here and collaborate and participate upstream, but we're all pretty time strapped, but take the initiative. If you want to do something like it, and others will follow.
F
B
As the next step, Push, I would say, is we could do two of, one of two things, or you could do both. Start a Slack discussion on the TAG Security channel, explaining exactly what you explained here so that folks can pitch in who were not in the meeting and probably have to run quick to their next meeting soon, and the second one is, we generally have a issue template called proposals where you could propose new ideas on the TAG Security GitHub repo.
E
Absolutely, absolutely, this is, this was just a very raw idea, right, which I figured I'll get some input from the team as well. Yeah, I'll translate it into a much more structured issue and everything with proper description. I'll put it up on GitHub and let's see where it takes from there, all.
B
F
Yeah, and and once again, if you don't have takers or you don't get like activation energy right away, if you, if you take the first step and do do a webinar or post something on community.cncf that's around security, that will, that will catalyze a lot, rather than asking other people, hey, we want TAG Security to do more of these things, but, like, hey, I'm a member of TAG Security, I'm going to run with this, you'll get others to a good good. With that, awesome, huge thanks. A lot.
D
So I'd like to quickly chime in on this as well. I only heard half of this because I had to go for a bit, but the the new, the new way that they kind of have for TAGs is they have this like community channel. So right now we do like own our own YouTube channel and we can do whatever we want with it.
F
D
Yeah, so so the way it's it's being done now is the CNCF has kind of given a bit more autonomy to the TAGs to to match this. So we have, you know, a streaming service that we can use to stream all weekly meetings, but besides that, they also encourage us to put the different kind of content out there, right. So so, essentially, we can create kind of a community around it as well. If we were, so like, you know, the podcast, the interview is what you're saying, those would be like a perfect place.
B
B
Yeah, all right, cool. Any last thoughts from anyone? We have three minutes left, but if not, great meeting.
C
F
D
For that improv improv session.
B
D
We have, we have complimentary of pop, if you haven't already seen it, what's the joke.