From YouTube: CNCF TOC Meeting 2019-10-01
Description
CNCF TOC Meeting 2019-10-01
SIG Updates
Longhorn Sandbox Review
Jaeger Graduation Review
SIG-Security Open Policy Agent Assessment
B
B
We do want to see if we could encourage more diversity by giving out more diversity passes for attend attendance. So Sarah and I are working on that, we'll circle back on that. But then he asks to the TOC governance. We've finalized the definition of the roles we put together, tickly project lead and assessment owners for some of the assessments, and I highly appreciate if any people can go in and then chime in on any of that. We are almost done with the assessment for OPA, I think we're.
B
Are presenting it later today, thanks Sarah, that's going to be fun. So we did learn a learn quite a bit in that upper assessment and any inputs and any intakes on that, so that where we can improve the process or where more clarity is required would be a super helpful input from from this group. Policy working group, you're folding that in? I mean we've already folded that into the SIG Security and there's more work going on in the policy working group. There's a proposal for formal verification, that's happening there. I people to go.
B
B
We do have assessment priorities that we published. We, we sort of agreed on the criterion condition with Joe, is today less, and I think if there is anything that needs to be changed on how we think through in terms of what the criteria is for picking up assessment, we'd be open to, but right now we have sort of finalized on that, and then we put together the list of things that we are going to be assessing there.
B
The second ask is also guidance on who the audience for white paper is. I'm starting that process the help of TOC liaison, so any input there would be super helpful. You could either chime in here, ping me on Slack or the best place, best possible places. SIG Security people like chimed in on the issue. That's update from security, thanks.
D
Arranged Aaron and Alex are both one but I'll be going over the review, so I mean Quinton is on as well. Apologies Quinton! So right now we're going through reviewing Dragonfly. We're looking to engage the tech leads from the storage SIG as well to help with the project review, just making sure that we're looking at the process of scaling going forward and how to best utilize all the team members. We completed Longhorn and ChubaoFS. Longhorn we're going to talk about later today on this call, so ongoing.
D
We continue to update the landscape of white paper with database updates and also documenting different use cases, you know, what is commonly available, and then we're looking to also put in some metrics around performance and benchmarking, and then the next steps, as I mentioned, is we're defining a process for reviewing these projects.
D
Since the current review criteria for sandbox, incubation and graduation were based on not a non SIG, we recognize that we need to work with the TOC in a way that makes sense to provide recommendations for projects so that we're not doing the due diligence twice. So we've started a very rough draft of this process. The link is on this slide and we we'd love to talk about that in more detail, perhaps maybe in the private TOC call, to figure out how we best go about that for all the SIGs.
A
E
So we're we're still ramping up and trying to get up to speed, but I wanted to call out a few items that we are touching right now. There is this cloud native app delivery dictionary that Harry from Alibaba started, and what it's trying to do is bring us a standard set of words, or maybe a consensus around a set of words that we use to describe cloud native terms in respect to the stick up slippery.
E
The next item is this: creating is application definition document, and really what we want to do there is we want to start thinking about, let it abstract, from an abstract point of view, what it takes to describe an application and get that down into where it's. So there's no link, because the document doesn't exist yet, will over the next week. And the final item was that we are working out logistics for KubeCon.
E
We're gonna have two sessions and it's pretty helpful that that I can actually affect that, but we're making sure that we have two interactive sections to introduce the view group. And as far as notes, Quinton brought up last week that the second and fourth Tuesday of the month was a little contentious at 11:00 a.m. Eastern Time for meetings.
E
So we're going to move it to the first and the third Tuesday at the same time, because I looking at the calendar, it's a lot better. We're working with Amy to get that taken care of. And then also something we need help with: we have a pull request to update the SIG App Delivery repo so that myself, Alice and Harry can access it, and that PR has been sitting out there for a little bit. So we just need.
E
E
Up, so that that's about it, but what's really what's going to happen now is, I think that Harry, Allison and I have a cadence and we're can start moving on some more complex things. And something I didn't put on this list was, there's no way we can do this, also discussion around tech leads for some of the things that we're trying to do will be coming up, and we'll definitely be discussing that next on our next call. So that's it for me. Thank.
H
Yes, sorry about the very busy slide there, but basically just a public service announcement. We have a draft charter. Quite a few people have been through it. I think it's kind of getting to the final stage now. There's a little bit of time left for chiming in if you would like to. We provisionally change the name of the SIG from core to runtime. There was some pretty valid objections to the name core. Runtime was, I think, the best we could come up with, but probably still not perfect.
H
So if anyone has any better ideas, please feel free to contribute, and if you would like to get involved further in the SIG, please reach out to myself, Brian or Brendan, who are the TOC liaisons for this SIG. The scope is, is everything to do with, you know, execution stuff, so Kubernetes type things, so workload execution management systems, components, interfaces, general orchestration, auto scaling. I'm not going to read through the whole slide there, but also specialized architectures of these things.
H
You know, for example, container orchestration systems aimed at edge computing, IoT, batch, etc., and incorporating, you know, specialized computing elements. So that the projects that are kind of in that scope at the moment, pretty much as per the original TOC specification of the SIGs, so Kubernetes, containerd, Harbor, Dragonfly, Virtual Kubelet, CRI-O, KubeEdge and the new Qbert.
A
I
I've already learned to be on the right side of Amy. This is just a reminder: I'm very good. So this particular SIG has been embarrassingly a long time coming. It's a bit of a reincarnation of the networking working group we had. It was our goal shortly after KubeCon EU in Barcelona to to reincarnate and reform, can reach Artur, with a bit of an expanded scope. We're finally, I'm doing it now. So there is a draft charter that's been sent out for a broad review.
I
There's been a number of folks who've signaled interest in this area, and it makes a lot of sense when you consider how networking as a discipline is just part and parcel to every request that flows through a distributed, you know, system, through distributed applications. So so networking, like some of the other SIGs, ends up touching a fair number of areas. In general, I think that we consider topics and kind of projects that fall within the cloud native network, API gateway, coordination and service discovery, service mesh, service proxy and RPC categories within the landscape are.
I
You know, for most focus and will be topics of discussion. One of those actually that falls within coordination and service discovery is etcd. That I think is already the focus of SIG Storage, and so we kind of pushed sed from from focus. I think that there's a lot of other backlog to go through. There are open standards, open specifications that are emerging in space for things that proxy layers, for things that service mesh layers.
I
This provides a good vendor neutral venue for those discussions, for helping advance some of those initiatives. Initially we're intending to hopefully be light on some of the governance, the light on some of the roles, and that's all TBD, based on how many folks and participants descend upon the the SIG, and everyone is encouraged and welcome to do so. There's a channel in the CNCF Slack, a new mailing list and what will be an intro / deep dive session at KubeCon, and so please do go if you're interested.
A
Terrific, glad to see all these SIGs forming and gonna have a full complement by by KubeCon. I think I actually have a question just related to the sort of other SIGs question mark, and, and this may be a question particularly for folks in them SIG App Delivery, and I'm wondering whether it might make sense for a service SIG to kind of form out of what is currently the service working group. I wonder if anybody has thoughts around that, whether that would make sense to be another SIG. I.
H
Think we did discuss that when we were formulating the draft SIG breakdowns, and at the time application development fell on the SIG apps, and we thought that service was a kind of application development. Is also that the issue of service platforms and the kind of support that things that Kubernetes need to provide for, you know, fast, first containers, etc., and so so that was the thinking at the time that it fell under CEQA.
A
E
Does, but like Quinton said, there's the application side and then there's the, like, if you think about like a native with a venting side, which is under the cover, so there are two two ways of looking at it. We can actually start looking at it from the front side and we probably, and we actually are going to, but I think the other side does need some love.
E
J
You try to look at updating the document and everything, but you know, I agree that there are two sides to this: there's, you know, kind of the more general, whereas circle is going et cetera, that the server was working group is looking at, and then that that app delivery, which I think belongs in it, you know, in the current, yeah.
K
We sort of, when we completed the white paper we kind of presented that back to the TOC and kind of made a decision not to do anything further with service at that point, and so the point that was just made, we can definitely pick it back up. We've kind of moved over the CloudEvents and started working on. That is where the action we took away, and so, if there's other things we want to do, the did definitely make sense to you that in the CNCF, I believe.
L
A
Personally think that would be a good thing to have as a, even if at this point the the existing working group is relatively quiet. Maybe we should have a, I think right now there's a PR, an issue that has the kind of possible future SIG, at the point where, yeah, I'm worried that there's a bunch of underlying service infrastructure, service projects, maybe don't quite fall naturally into into that delivery.
L
H
What we've now called runtime, because a lot of, you know, having been involved in some projects that are building service layers on top of Kubernetes, for example, there's there's quite a lot of general purpose, useful stuff that needs to be added to Kubernetes to make it suitable for a service platform, and and I think that would, it would be useful to have those conversations in English in the runtime say, for example, because they're not, they're not all service specific problems, they're actually platform general problems, just a fourth. So.
L
A
Right, why don't we, let's, let's have the existing service working group and discuss amongst themselves for a while. I just wanted to flag that as a possible area that right now feels a little bit buried away from the other SIGs, but I think we should probably move on and talk about a Longhorn, okay and.
A
M
M
The first one is, we think this, the tech, the Longhorn's technology, is really considered Highland curve compared to some others, and in this case we need to fast much more into providing a guidance document for developers, naming focus on providing documents and the CAD is for the user at moment. So that's I think we need to change. And the second thing is: the dependent process is many reason by our internal rental, apps engineers and the thought for the outside.
M
They can see which issue has been working on and how win-wins being down and when the really is going to happen, but that still doesn't, they didn't, they don't have the full view of the process and how to get involved. That's probably another barrier as well, and also the project's wellness is not really high enough, though that's, I think that's.
M
M
You make sure the grossed of a developer's community at the first is: we are going to make a barrier, the technical barrier lower for the new contributors, and we are going to invest more time and providing the architecture design doc and all kinds of design docs and the department who use it for the developer to understand how long what works and how the component act each other. And also the currently the Longhorn development requires three node cluster on the Kubernetes. We normally do that on some DigitalOcean cloud provider.
M
If you think that not everybody has the cloud provider backing up, so we're trying, where we're going to make it possible to complete the developments that have on a laptop, probably going to utilize carriers or some Technol to make us down long. That is a small footprint set up and make it possible to complete the development there. And also there's some other small things like we can mark small issues and help fund it to get you to know which issues they probably can use as a gateway to get into the development in the loan.
M
And the second thing is: we want to make them prosperous process more transparent, and from now on all the new features design doc will be shared, and we currently were thinking about using the forum as either Ouija or using Google Doc, because the the new development you desire doc the nominee going to be modify a lot. So probably we haven't decide to a cloud to adapt.
M
The Kubernetes KEP style contributed are probably going to be too big for us for now, but we can see down the road how it goes. And also we are going to hold the monthly community meeting. It's got the latest design and update of the project and best. We have just decided the meeting, we are going to be called on a second Friday on the of each month, and the next week will be our first meeting. And the speaking about how to weld reach the wellness of project.
M
Of course, we're already trying to speak as, we already try to speak as any community even as possible, but we haven't do much on the developer meetup and the small conferences, and we are going to spend more time on that and they try to reveal, try to raise the awareness on that part. And then finally, regarding the Rancher Labs as a parent company. So that's what also one the reason we are going to donate, we try to donate to the CNCF, so with CNCF serve at the Newton room future home for the project.
M
G
C
N
Just clients Alex over here, so so it's probably work just letting that the SIG had to refute the Longhorn project and we had sort of given it the thumbs up and yep then send the information to the TOC, and I can, I believe last time around when we got to this point it wasn't so much about the community, but there were sort of a couple of question marks around things like the CLA, which were which were things that we kind of all agreed.
N
G
Stage, right, so I would like to apologize to the Longhorn team, because we put them through a lot. I'm, you've done really great and you've been incredibly patient, and I think everybody now thinks that your project is more than worthy of the debar that it's sandbox. I, would anyone like to dissent with that statement? I.
M
D
Think it does point to the improved process that we were trying to work on and turn to open up the docs. I got to move it to my Gmail accounts, but yeah, we don't require for people like this to present twice, then I think we want to reduce the work, especially with an unboxing. Please contribute to that doc so we can harden the process, Amy.
F
M
Thank you, thanks Joe for guidance on this community growth plan, and of course thank you, Alex, Liz and Alex, and how many hands to get this, and it's been a long journey. But it is definitely will see what we are lacking off and what we can improve, and I definitely leave a big race and box project and yeah. That's the become incubate and even graduate, we've got fire girl now.
P
All right, thank you, so yeah.
Q
So as a brief introduction, Jaeger project has real different words, and so I have a kind of a diagram here on the left. We have what seven official repositories with implementing Jaeger clients information on OpenTracing API. It was the case that you put in your application for collecting traced in telemetry. Then we have the main repository, which is a Jaeger pack, and it also has another repository with the visualization front-end, and we have several other repository that, if implement, where is the mind into like application diagrams.
Q
So as an overview of the project, the development started October in August 2015 and then in April we open sourced it. Red, came on work at that time and started actively participating in development, and so they actually do want to entire just to apply Edition CF, which we did, and we were incubating since 2017. I think we missed our renewal last year.
Q
So one thing that, so we have a number of users using a clear introduction, there's a adopters file in the repository, although it's not super up-to-date, there, many more uses than what's listed there. We recently published a number of case studies after interviewing some of these companies, monastic respond and we work, so there what about how those companies are using, and obviously where is the probably one of our distributors of introduction. Next slide.
Q
So this one, Matt Klein, who is the sponsor for graduation, asked me to put a couple of slides talking about Jaeger versus OpenTracing and OpenTelemetry, which are out the trace in projects and in CNCF. So here, first, the aggressive contraception, which is a current state, as we can see in the diagram. So if you have a user application process, it can be actually instrumented two different ways.
Q
So all the calls from the instrumentation come to our library, and then we collect data, pins and ship it out to the a group eric and components. The Jaeger itself as a result does not provide, a project must provide a instrumentation whatsoever, so like if you want to use Jerry, she was tracing, you would go to a Contras in country organization and you pull some library which actually implements that. So that's part of OpenTracing project and again that's a simultaneous portable.
Q
So next type is, so and now, like the question about what about open, facing sensors and today, meter, so OpenTracing, no concern to the immersion into open into the interest they soar to the next major version, and that that project has a bit more overlap with the Jaeger. But it still very synergistic overlap. And so, as we can see here, up until imagery also provides an API for instrumentation and it will provide in the future the actual instrumentation code.
Q
And so that part doesn't really change that much from the from demonstration state to the world. However, up until image will else to come with the actual SDKs, the implementation libraries running in the application that will collect the data, and so that will compete with the Jaeger client libraries that we have today and not languages, and we as a project kind of leaders, actually very happy to disco up that work from the Jaeger project, because it was a lot of work and there's not something that that's that much unique and the Jaeger client libraries OMA.
Q
Q
The project today, and the the last part is OpenCensus and OpenTelemetry by extension had another two components called agent and collector, and the reason they did that is, I think one of the challenges with OpenTracing was that, if you are in the binary, then you go through the binary, you kinda have to make a choice which tracing implementation.
Q
You bungled up library unless you provide some flexible plug-in framework, because you can't reach out, but in like a Go binary you can't do that, and so that was always a friction, because people didn't know what to choose, which tracing light and red to choose, and so with OpenTelemetry you can choose the default implementation of OpenTelemetry and it so that you don't have to configure it.
Q
It will also export data in the default standard format, and therefore agent and collector, which are simply components which accept that they didn't forward to the back ends, whether it's tracing or promises back end, those those components can also be implemented as a standard component of container imager. So again, in the current state, we will have a duplication.
Q
Looking to limited, but in the future those components develop parity with Jaeger, then we'll be happy to switch to them and not I spend cycles on these two components, and again our main focus group at the bottom box, which is like a tracing back end, storage back ends, visualization and data mining platform. Next slide, please.
Q
So this is, as far as the graduation, these some of the stats about the project. We have over thousand contributors, which I think, since you have to count them like as authors of commits and requests and comments and issues. Specifically of cameos and pull requests, we have over over, like almost 400 authors, and across different repositories we have currently I think 15 maintainers with official commit rights, and for the back-end repository it's it's seven maintainers from Hoover under etiquette, and some other stars are also on the screen.
Q
So, as I mentioned, we have successful production users documented, we read, cut, actually bundles Jaeger's part of their share is nash product, and so they supported on that front as well as a commercial product. We have a pretty healthy community, although I would have liked to be, should have a few more maintainers.
Q
We have a couple more people who are currently actively contributing to the patent and they might become full committers if they meet the requirements that we have in the guidelines, and finally, in terms of like velocity, we we do releases of the back end approximately every two months, client libraries release on different cadence as features are added, and and and yes, and in the back end at least we've had over thousand PRs nurse last year, so I think it's pretty good diversity. I think this is my life and slight loss sliced.
Q
A
Q
A
A
C
Hello, I was gonna kick it off doing the left side, which is really about what OPA is, and then I'll follow up with the recommendations.
R
Good morning, I'm, a schnorrer, I am a software engineer, Xterra, and I'm a core contributor to the Open Policy Agent project. Thank you so much for this opportunity. So let's talk about OPA. So the goal of the project is to provide a consistent policy enforcement across the stack, and about OPA itself, it's a general purpose policy engine that can be used to enforce custom security policies in disparate systems, using a high-level declarative language called as Rego, and some of the benefits of OPA.
R
If you think about it, a single organization can have like thousands of security components that require authorization. Each domain, vendor and product has its own authorization paradigm, expressiveness, an interface or armistice to control authorization policies. So the challenge with achieving or least privileged authorization is the number, the complexity, dynamicity and the heterogeneity of software systems. Their organizations are amazing, and so OPA provides this unified approach to authorization, giving organizations context aware visibility and control over their authorization posture in dynamic environments.
R
Using mechanisms such as admission control, OPA provides cadres so that organizations can impart enough power to their employees to promote rapid innovation without compromising on security and safety. Regarding OPA's maturity, or Netflix is one of the earliest adopters of OPA and they are using OAuth for authorization of the and she artistic advice. Companies like Chef use OPA for AP authorization and auditing API access, and there are more than 20 companies who are actively using open production while use cases such as a back our back admission, control, risk management and so on.
R
R
C
Yes, I want to point out at the bottom left is a link to the full security assessment, which includes a self assessment of the project, which we are on the security review team chimed in on and worked on clarifications and contributed to the security analysis, and it's still in PR. So we welcome people on the call or anybody to review in detail and give us feedback. So coming to the recommendations.
C
Highlighting part of the security assessment is, in OPA, taking these heterogeneous environments that are so common in cloud and unifying policy then presents its own security risk. So part of the risk of the project is really twofold: one, that it's not implemented correctly, so you could have a false sense of security in thinking you have all these policy controls that you don't have, and in whether you've actually expressed the policy you intended to express. So so it's important that people adopting these security measures don't consider it to be a panacea.
C
You also have to be attentive to whether they have correct implementation and whether your design is implemented and expressed appropriately. So the the recommendations for our security assessments really fall into two buckets. One is what could CNCF, what could we all do to improve security of the ecosystem in helping this project, really things that are maybe outside of the scope that the project itself could really execute on effectively?
C
So one idea is that a study of the user practices, if we were to discover CNCF members or companies that have implemented OPA, that would be a great resource for finding what are the things that, you know, people might have inadvertently deployed something incorrectly. What are their common patterns there? Are there also common patterns and insecurities? This OPA allows custom policies, therefore every policy is different, right. However, we all believe that there are actually common policies. OPA has like a rich set of examples.
C
Another analogous recommendation is that it may be that individual companies applying OPA all have common dependencies where, if OPA were to integrate with a common dependency, maybe that would accelerate adoption of OPA as well as adding security by creating robust implementations of integrations that are used by, but which would then be used by many vendors. So so that's one part of the event recommendations. The other part of for the project itself.
C
OPA has really vast documentation that is is generally very good. We felt that the attention to the gotchas, to the potential problems, could have more attention in the documentation, and we also brainstorm some ways that OPA could be, could help be a little more. So by default, like we had some ideas about how the implementation of the language or the tooling features could help that, and the easiest things were things that, or the most straightforward things, I should say, I'm already on the roadmap in terms of improving testing and playground.
C
You know, so that people can validate their policies, but we also had some ideas about some changes to the language itself, and then also kind of a call to action for people who are using OPA: we'd like to see more companies represented on the security team. So if you're a company that's using OPA, maybe you could consider having one of your security experts join the group.
C
A
R
C
H
J
A
R
Sure, so it's been really helpful to work with the assessment process, so we identify certain issues to this entire process and we've opened up issues for this, which we will definitely tackle because we want to be as secure and user-friendly as possible. Some of these are valid concerns about users not being sure about what the policy is the authoring, because the policy language itself is so strong, so adding more documentation and whatever checks the weakened hood to reduce user errors is definitely helpful, which came across to this process.
A
H
T
T
A
A
C
And I think that I'm also say finding that the the commonality in the breakdown of the sections helps quickly scan these documents. And so it's my hope that having the same format for many projects will help people look across projects and pick the one that is appropriate for their use case and their risk profile.
A
C
Yeah, I had an initial meeting with her a couple weeks ago and she's very interested in, they don't, isn't currently a structure for how we would do that kind of outreach, but she's very interested in trying to figure out what would be the way that we could do this kind of user research, and Amy and I are trying to figure out the right, you know, kind of set of folks who could execute on it.
C
I mean, I think it would be an effort from SIG Security, but we tend to have security experts rather than, you know, the people who really know how to frame that type of research project, so we're still kind of feeling our way through how we would execute on it. But but I'm really excited about the opportunity of reaching out to that end user community.