From YouTube: CNCF TOC Meeting - 2019-03-05
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
A: All right, I will get started without him. So welcome, everyone. Can we go to the agenda? Today we'll cover some announcements. We have some information from Cheryl about the end user community. We have an incubation review, an annual review from OPA, since it's about the one year anniversary of its entering the sandbox. We have a discussion topic around the CNF Testbed that was announced recently, and then we'll go over CNCF SIGs. So let's speed through this. Yeah, awesome.
A: Congratulations to the containerd folks for recently graduating. I think it's a fantastic project, and it's great to have our fifth project at the Graduated maturity level. So thank you very much. Next slide. Just some reminders here: we pushed back the talk acceptance notifications for KubeCon Europe 2019, so I believe that's next Monday; everyone should get their notifications on that. Sorry for the slight delay. Next slide. A final announcement for Summer of Code for CNCF: we have a lot of awesome project ideas out there.
A: In addition to the normal TOC meetings that we have, I believe Quinton suggested this a while ago, and we're going to be implementing it now: every second Tuesday of the month, at the same time as this meeting, will be dedicated to project presentations. The goal is to do about two at a time to work through the backlog. The CRI-O folks have volunteered.
C: All right, yeah, I can just speak for Brian. I think he had a concern that we need to prioritize some of these things, depending on what the state of the backlog is. The question is whether to have some prioritization function. I'm not sure what exactly the backlog looks like at the moment, and whether we can move through it fast enough that the prioritization is sort of academic, or whether we want to try and do something more prioritized than that.
E: So, first off, case studies. I would like every non-sandbox CNCF project to publish a case study in the course of this year, and this is a one-hour interview. If you represent a project, then I would really love it if you could sign up at that link there to do this case study. It will be over the phone, and you get full approval on it before it gets published.
E: The second request I have of the projects and the SIG leads is that they can actually meet the end user community. If you have questions for us, then you can have a 30-minute time slot with the 80-78 companies of the end user community. So we've already scheduled a handful of projects and a couple of the SIGs, and actually the TOC is very welcome as well to come and ask questions of that end user community. So this is a really good opportunity for you to actually gather requirements and meet the end users directly.
B: All right, so SIGs. I have a quick question for Cheryl. Have you been coordinating with SIG ContribEx? I know from the steering committee's point of view with Kubernetes we've established a new user group type of organizing structure, and it might be worthwhile to try and connect the dots between the outreach things that we've been doing within the Kubernetes community and the efforts across the CNCF. Yeah.
F: Joe, before you joined the TOC I was trying to kick off a financial services end user CNCF thing, which Cheryl and I have been working on, and it just went out in the last 24 hours. So it sounds like you and some of the similar people were trying to get something off the ground as well. So we should join forces on that. Yeah.
B: The Kubernetes stuff is more like trying to separate out, say, for example, the cloud provider SIGs, which are focused on implementation first, from sort of user support and community types of things. So it's more sort of technology, maybe horizontally focused, versus something like financial services, which would definitely be, I don't know whether it would be vertical or different. Okay, cool. I don't want to take too much time. I just want to make sure we connect the dots there. Another.
B: Context for folks: we're dealing with a certain level of abuse and code of conduct stuff with respect to the Kubernetes Slack, and a lot of this is trying to actually create the right forums for contributors versus a wider community, and we don't have a good solution there. It's a really hard problem, and so this is sort of completing a conversation that's already in progress on that. Yeah.
E: So if you look in chat, we actually did speak with the end user community last week about the Slack moderation for Kubernetes Slack, and what the end user community thought at that point was that they would rather move to Reddit or move to another tool that was better suited for user support and community support, rather than try and find the necessary number of moderators from the end user community to manage it. But.
I: Yeah, so I will say that there wasn't wide representation; there were probably about five different people from the user community. So it was not a scientific study by any means. It would be nice to actually get a wider group of people to weigh in on it and maybe frame the argument so it's a little better, and just understand what the needs are there. But sure, it was extremely helpful. It was a short-notice meeting, and yeah.
A: So, on to the topic of SIGs. We've been discussing this for a long time, and last week we were very close to finalization. There were some final comments, I think, in the pull request that Quinton's been doing a good job of addressing with others. So, Quinton, do you have any comments here? Otherwise, I suggest we formally go for a vote and get this thing done.
C: Yeah, I'm comfortable if we go ahead. I think the only two items that I'm aware of that are not fully resolved yet are, first, whether to split some of those things now or later. I have kind of been motivating us to try and split them later, once they're actually formed and once we know that space a little better, but if the TOC feels that they would rather split them today, we can do that.

The other one was the nature of the control structure between the TOC and these things, and to what extent the TOC has active engagement and control of these things versus them being more autonomous. The wording in the document is very clearly that they are under the control of the TOC, but there were some comments that they perhaps should be more autonomous than that. I think those are the only two.
F: I think we can probably go ahead with starting to set up SIGs without necessarily having a final 1.0 charter for how they're going to work. I think we could spend quite a long time arguing about the detailed language in the proposal if we really wanted to, but I think the intent is clear, and I think we should be soliciting leadership for those SIGs right away.

To do that, we probably want to have a target date, which might slip, for a 1.0 document that we're going to vote on, and then initiate the process of soliciting leadership for SIGs. So to do that, somebody needs to basically put together language that we can vote on, proposing something like that.
A: If there are no strong objections, I'm happy to get something together today and send it out. I think last time we also discussed bootstrapping with one SIG first to kind of test drive things, to see how it works before adding a ton more SIGs, and I think we suggested that maybe the governance or SAFE one be the first one.
A: Chris, that's done. So moving on to the next slide: I believe it's Torin to talk about OPA. It's been almost a year since they entered the sandbox, so they're due for their annual review for the TOC, and this is also coinciding with them requesting to move to the incubation level. So I will let... I think Torin should be on, or Tim, presenting.
K: Thanks a lot. Yeah, so I'm Torin, one of the co-founders and core contributors to the Open Policy Agent. What we thought we'd do is just give a quick overview of the project before we dive into some of the progress we've made. Open Policy Agent, or OPA, is a general purpose policy engine, and what that means is that it basically provides a reusable building block that you can take and use to unify policy enforcement across a range of different technologies.
K: So the whole goal of OPA is to help different kinds of components in your stack enforce policies, right? So whether you're talking about the API server or a custom internal microservice or a CI/CD pipeline or an object gateway or something like that, OPA exists to fill the gap of enforcing authorization policy, or policies, within that component. And so today folks are using OPA for a variety of different use cases. The two main ones, though, are around API authorization in microservice environments, and the second one is around admission control within Kubernetes.
K: So there are a number of different people using OPA for API authorization. We typically break that down into two categories. There are companies like Netflix that are using OPA for building out an internal security platform to enforce authorization over internal services and internal resources, and then there are companies that are embedding OPA basically as a library to implement authorization for their end users, right? So every time an enterprise software company ships software to their customers,
K: They have to have some kind of authorization system in place, right, and so they expose role based access control or an IAM style system to their end users. And what we've seen in the last year or so is a lot of growth in terms of folks basically offloading that implementation to OPA. On the Kubernetes side, on the admission control slide specifically, we see tons of companies using OPA for enforcing all kinds of different invariants or guardrails or constraints or rules, or whatever you want to call them, over workloads, right: over deployments and pods and ingresses and services and so on. So anytime you want to roll out Kubernetes in a large organization, possibly in a heavily regulated industry, you need to worry about where images are being sourced from, what labels are being applied, what teams can expose certain host names or paths or ingresses, and so on, and OPA provides a really good solution to enforcing those kinds of policies at the project level. In terms of software, what OPA actually provides, the core thing, is a declarative policy language that lets you express rules that answer questions like: can this user perform this action on this resource?
K: It comes in the form of a Go library, basically, that's quite lightweight. We have very few source level dependencies; we have no runtime dependencies; and you can also run it basically as a daemon if you're not embedding it in Go. And then the last thing that we also provide is a sort of suite of tooling that helps people author, build, test and debug their policies. So we provide things like an interactive shell that allows you to experiment with policy.
K: Okay, I'm going to take that as a no. So this is just a summary of some of the stats we've been tracking on the project, and we tried to show the year-over-year growth of the project. Obviously, for the canonical information, go check out the CNCF DevStats page or the project health page that they built.
K: So obviously the contributor base for the project is relatively small, but the trends are encouraging here. The year before, it was like 93 percent Styra committing to the project, so we're pleased with that trend. In terms of actual contributors to the project, it basically doubled year over year. We started tracking the Docker Hub pulls basically a year ago, almost, and at the time there were around 80,000 pulls.
K: Over the last year, though, it's grown to about 480 thousand, and recently we see about 10,000 image pulls per week for the project, or rather for the main OPA image. We've seen a lot of growth on Slack over the last year, almost 10x; we see about 15 people a week joining the Slack organization, so there are lots of people on Slack asking questions about OPA, asking questions about policy and Kubernetes, and then just talking about their use cases more generally, where they want to apply policy.
K: More recently, we started tracking the number of Rego files on GitHub, so this is an approximate number of the repositories containing Rego files that are publicly accessible on GitHub. That's an interesting metric, I think, and we see a couple of new repos popping up every week, basically. And then in terms of stars, we've seen quite a bit of growth, more than 10x. That's due to a Hacker News post, actually, that seemed to drive a lot of traffic to the project.
K: In terms of the project itself and what we've been working on, there's a bunch of project level improvements we made. We started holding bi-weekly community meetings since we entered the sandbox, and lately we've had quite a bit of good participation there; we've had regulars from Cisco and other companies participating, which has been great. We defined a governance model in order to meet the requirements of CNCF. We went through the CII, the Core Infrastructure Initiative, best practices badging process, and right now we're just at passing.
K: We haven't done the silver or gold levels, but maybe we'll look at that in the next year. And then, thanks to the CNCF, we were able to get Cure53, an external pen tester, to do a security audit of the project in the summer, in August, and I think that was relatively successful. There were a few low criticality vulnerabilities that they discovered, and those got fixed. So thanks to the CNCF for sponsoring that and Cure53 for doing a great job there. In terms of actual feature development, at the end of last year we shipped an initial version of a Rego to WebAssembly compiler. That's basically an alpha right now; we're still working on that. It's not feature complete yet, we haven't covered the entire language, but we expect that to complete in the next couple of months, and then, hopefully, towards the end of this year we'll have some interesting use cases that we can show off around using WebAssembly for policy enforcement.
K: We also worked on a number of data filtering use cases, as we found that, for a number of companies that were using OPA for API authorization, once they'd sort of solved API authorization with OPA, the next question they had was: well, how do I restrict access to sensitive data using OPA? And so we put a bunch of effort into extending one of OPA's features, called partial evaluation, to enable translation from Rego down into other query languages like SQL and Elasticsearch. So there's a blog post on that; I think it's interesting.
K: It kind of shows how you can push policy enforcement down into the database, or down at the data layer. We also added TLS client authentication for connections to OPA; we had previously only supported bearer tokens there. We had a couple of end users ask for TLS support, and that was actually contributed by some folks at Chef. And then we also added about 25 new built-in functions to the language to do common things like decode and verify JWTs, perform
K: date/time operations, CIDR math; we added a bunch of glob functions that are useful for dealing with things like ARNs and so on, and I think most of those came from the community. That was largely driven by people writing Rego and then thinking, oh, maybe there's some part of this that would be better expressed as a built-in and that they could contribute, and so that was nice to see. And then the last thing I just want to call out here are a few integrations that we built and that were also contributed by the community over the last year. So we built an integration with Envoy's external authz feature so that you could enforce API authorization policies with Envoy or in the Istio data plane, which complements the Mixer integration that we already have.
K: We built a Ceph object gateway integration that was requested by one of our end users. The Minio folks built a similar integration with their object gateway. Somebody built the Flask integration; Flask is a popular Python web framework. Somebody built the Kong integration, and we also put together a Kafka one. And then something bigger that we also kicked off recently was this new project called Gatekeeper. So late last year we started talking with various folks from Microsoft, Google and elsewhere about this problem of admission control and policy enforcement within Kubernetes, and it turned out that they'd already been working on a project around that using OPA. So the Azure folks contributed their Azure Kubernetes Policy Controller project to the Open Policy Agent organization, and what it's called now is Gatekeeper. What Gatekeeper basically does is it integrates OPA with Kubernetes in a more Kubernetes-native manner than what we previously had just with OPA, and by doing so it enables flexible admission control, policy enforcement and auditing of Kubernetes clusters. So we started working with various folks late last year, but we only officially kicked it off in January, with weekly community meetings that are being led by Google, Microsoft and Styra. We also have others contributing to that.
K: We have a number of end-user participants that are engaged in those meetings: Craig from Commonwealth Bank of Australia, folks from Replicated HQ, Capital One, Intuit, Red Hat and others are all participating in those meetings. So that's been going super well. In terms of the actual project, like what we were aiming to provide, the MVP has sort of three main things that we want to deliver.
K: The first is an audit capability, so we want people to be able to take their admission policies and then ask the question: what resources in my Kubernetes cluster are currently violating that admission policy? So, like, what resources are missing their TTL annotation? That's a super common use case.
K: We're also going to be providing a standard library, or kind of canned policies, for common use cases. So you hear people talking a lot about things like restricting the image registries that the containers get pulled from, or doing management of labels, like doing ACLs over labels, or restricting ingress paths, stuff like that.
K: Okay, so just moving on to end-user reports. This slide gives an overview of who is using OPA today; I don't think it's complete. We had a booth at KubeCon, actually, and we had people coming up to us from all kinds of companies, some of which we'd actually never even heard of. They were telling us that they'd been using OPA for various things, particularly this problem of Kubernetes admission control.
K: So this is basically the list of companies who we reached out to and who were able to publicly say that they were using the project right now, but obviously, given that OPA is kind of embedded in a core part of a company's platform, some of them are not totally comfortable saying publicly that they're using it. So in terms of production usage, we have Intuit, Netflix and Capital One highlighted here.
K: If you want to know a lot more about other use cases, you can check out talks that we did at KubeCon Austin in 2017 with Netflix and then KubeCon Seattle in 2018 with Intuit and Capital One, and I think we have a few slides coming up that just explain some of these use cases. So if you can go to the next slide: Netflix was one of the earliest adopters of the project, and they use OPA as a core part of their security platform.
K: So they have an internal security platform that's responsible for enforcing access control across microservices and other components in their infrastructure. This environment has a lot of heterogeneity in it, right: it's got services implemented in a variety of different languages and frameworks, that use different identity systems, that have different identity protocols around them, that speak different protocols on the wire, and so on. And they've got thousands of instances that they're dealing with, right, and so today they're running OPA on, basically, thousands of instances in their cloud infrastructure, and they're leveraging OPA's ability to take in external information, external context data from their organization, to enforce policies. So pulling in data from a CMDB, a config management database that has the application metadata in it, information from their employee tracking systems, and so on; they're really leveraging that core functionality of OPA quite heavily. They're also, obviously, leveraging OPA's ability to express policy over a wide variety of different systems, right, so they're implementing policies over HTTP APIs, gRPC APIs, Kafka and other things. So the fact that OPA provides a flexible and consistent way to do that is very important for them.
K: Next slide. Chef is another company that's using OPA. They're also using OPA for API authorization, but their use case is different, because what they're doing is they're actually embedding it into Chef Automate to provide authorization support to their end users. So this is that second use case that I mentioned at the beginning.
K: So getting into some of the Kubernetes related use cases: Intuit is using OPA in production. They've got OPA deployed as a validating and mutating admission controller for different kinds of security, multi-tenancy and risk management policies. They currently have OPA deployed across 50 different clusters, enforcing policy across about a thousand namespaces in total, and like I mentioned, you can check out a talk that we did with them at KubeCon Seattle that covers that use case.
K: Bol.com is out of the Netherlands, I believe; they're an online retailer, again using OPA for a mix of validating and mutating admission control policies in their Kubernetes clusters. So they do things like patching image pull secrets onto pods, and setting different load balancer properties and tolerations on workloads, and all of that is based on context that's coming from metadata stored on namespaces. So they're basically replicating namespace objects into OPA and then referring to those inside of their policies.
K: Excuse me. I think they're deployed across a number of different clusters. And then the last one that I wanted to highlight is a company that can't publicly state that they're using OPA, but they're a Fortune 100 company and very security focused. They use OPA for a bunch of different validating admission control use cases as well as authorization policies within Kubernetes. They've got about ten clusters right now with over a thousand nodes. One of the things that was interesting there was that they initially adopted it for admission control in Kubernetes about a year ago, and over the past year they've sort of spread out into a bunch of different use cases as they've seen that it can be applied to different technologies, different domains. And so, for example, today they've got it integrated into their public key infrastructure, in a certificate RA that's serving these clusters, right? So when workloads boot up and they request a client certificate or a server certificate,
K: So the question is, do we have an API? Yes, there's a Go-based API you can use if you want to embed it as a library, and we also have an HTTP-based API that you can use if you're not going to embed it, and so that's well supported, and we have plenty of documentation and examples that show that.
C: Sorry, I had a quick question. It's difficult to formulate clearly, but to what extent are all these integrations available as open source? So if I was a user and I wanted to enforce all these various different kinds of policies that you've mentioned, to what extent can I do that using open source tools and integrations that are out there, and to what extent do I need to buy commercial integrations for that?
K: So we have about 20 integrations that are all open source today. A lot of them just leverage external authorization capabilities that other projects and products have, right? So Kubernetes has excellent external authorization capabilities; it's got an authorization webhook and admission webhooks, and we just plug into those. Basically, projects like Kafka, Ceph and so on all have external authorization, and we just hook into those. So the answer is that they're basically all open source. Some of them are obviously less mature than others, but yeah.
H: A good question about the Netflix use case. Hello? Yep. Okay, can you hear me? Yeah. So one of the things I saw in their presentation was the fact that they do the aggregation of the policy information from all the various systems, and then they do the distribution, which is kind of interesting, because we are looking at OPA from our edge cloud perspective and we want to do the decisioning near to the edge.
K: Yeah, that's a good question that comes up all the time. There's no open source control plane for OPA that does the distribution, that I know of today. I mentioned a minute ago, in the section on what we worked on in the last year, that we added these APIs that enable OPA to pull down policies, to basically enable distribution and enable observability of OPAs. So those APIs are there; we have the APIs in place for you to build that, but you have to build it yourself today.
F: Thank you. This is Alexis, just butting in to say, unfortunately, I have to drop off the call in a minute. I have two quick comments. One is that, speaking personally, I have come across a lot of enterprise end users who are either using or talking about OPA, which I think is extremely healthy and exciting, so well done. Secondly, from a process point of view, we haven't voted on incubation for some time, and there was some discussion about formalizing the process.
A: No worries. I mean, essentially, it's all documented in the sandbox markdown file, but there is a requirement for due diligence and a 2/3 TOC approval vote. So in this case, Brendan has volunteered to do a bit of due diligence. It's on his list to take care of and share with the group, and then a formal vote will be called if there are really no objections from the TOC.
J: Last comment: Michael Bay Nia from JPMorgan. We're using OPA as well, as part of our admission control apparatus in Kubernetes. We're also using it to enforce more restrictive network policy. So it's not in the data plane, but we are using it to further lock down our network policy, our network deny policy, as well. So it's working well for us.
C: I wanted to just clarify, to echo Torin, just the previous question, which I guess is similar to what Michael just mentioned. From what I recall, although you don't want to actually be, like, releasing packets with evaluations, I understood that there were quite a few cases of basically customizing things like iptables rules based on policy. So it wasn't directly in the data plane, but it was involved in programming the data plane. Is that true or not? Yeah.
K: Yeah, so it is possible that you could use OPA to enforce policies in the network. We don't do that today; we just haven't invested effort into engineering that. It's a really big amount of effort that goes into that, and we just haven't done that yet. In theory, you could definitely take OPA's policy language and express, like, microsegmentation policies, and then have something that translates or compiles that down into iptables or whatever, to get enforced in the network natively. So it's definitely possible, and then there are other kinds of use cases, like the ones Michael just mentioned, that they're using OPA for, around putting guardrails over the actual network objects and the network policies. So there is definitely a network domain component here. I just didn't want to say that we were putting OPA on every packet, which we're not doing right now. Okay, thank you. Yeah.
A: All right, moving on to another discussion topic. I'm trying to remember if it was Quinton or Alexis that brought this up, but essentially the CNCF launched a new initiative similar to kind of the work that we do around DevStats or cncf.ci and so on. But this essentially is a joint collaboration with a sister foundation at the Linux Foundation called LFN, which is the Linux Foundation Networking folks. Essentially it's a lot of telcos, but the name of the project is the CNF Testbed.
A: So if you're familiar with the telco industry, there is a wide amount of usage of VMs through these things called VNFs, which are essentially little apps packaged in VMs. There's been a lot of desire amongst certain CNCF members and LFN members to see what a modern take on deploying applications within telcos would look like, and to try to compare infrastructure deployments between, say, a container based stack versus a VM based approach, and so on.
A: So the idea was to try to come up with a simple, reproducible environment for folks to try out both approaches and see how it would look, and so on. We had some generous support from one of our members, Packet, to provide some hardware, and then we funded some contractors to work on this project.
A: I linked off a very detailed presentation that dives into the more specifics of what's contained in this initiative, but the next slide covers more ways to get involved and how to play with this infrastructure. Essentially, if you want to take advantage of it and see how this would work for you, it's all linked off the CNF Testbed GitHub repo, and there's a way to request accounts via Packet.
A: So essentially it's a bit of an experiment for us, but it's been going pretty well. We've been working on this, I think, for probably the past nine plus months. So those are some of the details. I'm trying to remember whether it was Alexis or Quinton who asked this, but we're open to any questions that the TOC or the community has on this specific initiative, and I think Dan's on the line also, if you want to share any specific feedback.
C: Yeah, I was the one who asked to put this on the agenda. My main motivation was that I don't think the TOC was significantly aware of any of the work that was happening, and I also know there was a pretty contentious press release made, and I think many of the TOC members, and potentially the board members as well, were surprised by this. And so it seems like we need to have some way of avoiding that surprise. Yeah.
A: I think it was brought up at a board meeting a while ago that we were funding this, but it looks like we didn't do the best job of disseminating it to the TOC, because there are tools like APISnoop and cncf.ci that the CNCF funds that I think the TOC should be aware of. Maybe we're not doing the best job about that, I think.
N: I think one of my quotes, in particular in the TechCrunch article, was unhelpfully negative, and I am clear that avoiding negativity is important to the Kubernetes and the Cloud Native communities. The point of the CNF Testbed is to avoid ad hominem comments and instead have an open source, replicable way to discuss differences between VNF and CNF architectures, and I think it's relatively obvious that a lot of the biggest backers of Kubernetes are also huge backers of OpenStack, and a ton of the end users of cloud native projects are end users of OpenStack, and that there's a huge overlap of the community of developers and contributors, such that we're going to be coexisting for years or probably decades to come. So I do understand the point about negativity, and I.
A: Any other questions? It's a fairly new initiative; they're essentially running kind of like a typical open source project, with open meetings and so on. So if folks are interested, they're more than happy to have you jump on. I believe they had a meeting yesterday. Also, I'll send a note out to the list for people who are interested in engaging with that community.