
A

All right, I will get started without him. So, welcome everyone. Can we go to the agenda? So today we'll cover, you know, some announcements. We have some information from Cheryl about the end user community. We have an incubation review, an annual review from OPA, since it's about its one year anniversary since entering the sandbox. We have a discussion topic around the CNF test bed that was announced recently, and then we'll go over CNCF SIGs. So let's kind of speed through this. So yeah, awesome.

A

Congratulations to the containerd folks for recently graduating. I think it's a fantastic project and it's great to have our fifth project at the Graduated maturity level. So thank you very much. Next slide. Just some reminders here: we pushed back the talk notification acceptances for KubeCon EU to 3/11, so I believe that's next Monday. Everyone should get their notifications on that. So sorry for the slight delay. Next slide: final kind of announcement for Summer of Code for CNCF. We have a lot of awesome project ideas out there.

A

So if your project is interested in participating, please just send a pull request and add your idea there. So we have a good uptake, and we were formally also accepted into the program this year again. So that's awesome news. Next slide.

A

So this is one topic that we've discussed in the past, around having time for project presentations.

A

You know, in addition to the normal TOC meetings that we have. So I believe Quinton suggested this a while ago, and we're going to be implementing it now: every second Tuesday of the month, at the same time as this meeting, will be dedicated to project presentations. The goal is to do about two at a time to kind of work through the backlog. The CRI-O folks have volunteered

A

to go first at the meeting next Tuesday, and I'm looking for one other project. I'll shoot a note out on the mailing list to ask for a volunteer. Anyone have any questions on this, or any comments on the TOC?

A

Cool, I'll take silence as exciting. Cool, moving on.

B

We're gonna manage the schedule for that? Oh, so.

A

We don't, but honestly, I like, first, you know, first come first served is basically my policy for folks who reach out, and we'll kind of go there. If it gets crazy, then, you know, maybe based on when they filed. Don't get how this year, but cool.

C

All right, yeah, I can just speak for Brian. I think he had a concern that we need to sort of prioritize some of these things, depending on what the state of the backlog is. The question is perhaps to have some prioritization function. I'm not sure what exactly the backlog looks like at the moment, and whether we can clear it fast enough that the prioritization is sort of academic, or whether we want to try and do something more prioritize-y than that. All.

A

You know, how about this: I could kick off a discussion privately with the TOC, and you kind of make that decision. Okay.

D

Like, there's a huge backlog still. I know I have at least two projects, probably, I was gonna speak out, that are waiting. Thanks. All.

A

Right, thanks Aaron. I'm gonna throw it over to Cheryl to talk a little bit about end user updates and all that jazz. Yeah.

E

So, first off, case studies. So I would like every non-sandbox CNCF project to publish a case study in the course of this year, and this is a one-hour interview. If you represent a project, then I would really love it if you could sign up at that link there to do this case study, and it will be over the phone. You get full approval on it before it gets published.

E

Note that these case studies are only for end users. So if you look at the list of case studies published on the CNCF website, you can see what kind of companies and organizations we're looking for from there. Next, please.

E

The second request I have of the projects and the SIG leads is that they can actually meet the end user community. And if you have questions for us, then you can have a 30 minute time slot with the 80-78 companies of the end-user community. So we've already scheduled a handful of projects and a couple of the SIGs, and actually the TOC is very welcome as well to come and ask questions of that end user community. So this is a really good opportunity for you to actually gather requirements and meet the end users directly.

E

So again, so I don't think. Right, there, back to you. This.

B

All right, so SIGs. I have a quick question for Cheryl. Have you been coordinating with SIG ContribEx and, like, I know from the steering committee's point of view with Kubernetes we've established a new user group type of organism, organizing structure, and it might be worthwhile to try and connect the dots between the outreach things that we've been doing within the Kubernetes community and the efforts across the CNCF. Yeah.

E

I opened it directly out directly, and the ContribEx SIG just signed up directly. Okay, so I haven't coordinated any further than that, but I would be very happy to chat after this with you, Joe, and.

B

At least to get you talking with the right folks. Yeah.

E

Definitely, that would be great. Hey.

F

Joe, before you joined the TOC I was trying to kick off a financial services end user CNCF thing, which Cheryl and I have been working on, and we've just been out in the last 24 hours. So it sounds like you and some of the similar people were trying to get something off the ground as well. So we should join forces on that. Yeah.

B

The Kubernetes stuff is more like trying to separate out, say, for example, the cloud provider SIGs, which are focused on implementation first, sort of user support and community types of things. So it's more sort of technology, maybe sort of horizontally focused, versus something like a financial services one would definitely be, I don't know whether it would be vertical or a different axis. Okay, cool, I don't want to take too much time. I just want to make sure we connect the dots there. Another.

C

Brief comment: I don't know if you've discussed some of the scalability issues that Kubernetes has been having with these end user groups, the Slack stuff being one of them. Is that something we also need to hook those two groups together on, or.

E

I'm not quite sure I get what you mean, possibly.

G

Although, Quinton, the last time we discussed this, the CNCF unfortunately wasn't interested in helping with moderation, so it might not be. I wasn't.

C

suggesting that they provide moderators. I was suggesting to try and help solve the problem in a different way, which seems to be a desire. Most.

G

Maybe I wasn't sure, I guess I wasn't sure in that message about whether it was like, we're not supplying moderators, or we're not, you know, engaged. It's a good idea.

B

Context for folks: we're dealing with a certain level of use and code of conduct stuff with respect to the Kubernetes Slack, and a lot of this is trying to actually create the right forums for contributors versus a wider community, and we don't have a good solution there. It's a really hard problem, and so this is sort of completing a conversation that's already in progress on that. Yeah.

E

So if you look in chat, we actually did speak with the end user community last week about the Slack moderation for Kubernetes Slack, and what the end user community thought at that point was that they would rather move to Reddit or move to another tool that was better suited for user support and community support, rather than try and find the necessary number of moderators from the end user community to manage it. But.

H

That's a sort

E

of forum. Those are the sort of questions that I would like you to be able to ask directly to end users.

A

And Jason could probably add some color to that conversation to a kid like.

I

Yeah, so I will say that there wasn't wide representation, there were probably about five different people from the end user community. So it was not a scientific study by any means. It would be nice to actually get a wider group of people to weigh in on it and maybe frame the argument so it's a little better, and just understand what the needs are there, but sure, it was extremely helpful. Did a short, short-notice meeting, and yeah.

I

So I think it's more just solutioning at this point, and we're working on what that might look like in the community.

C

Awesome, oh, thank

A

you, Cheryl. Anything else? Are we good with our end user? No.

E

That's it for now. Thank you. Thank

A

you. So, off to the topic of SIGs. So, you know, we've been discussing this for a long time, and last week we were very close to finalization. There were some kind of final comments, I think, in the pull request that Quinton's been doing a good job of addressing with others. So, you know, Quinton, do you have any comments here? Otherwise, I suggest we kind of formally go for a vote and get this thing done.

C

Yeah, I'm comfortable if we give it a vote. I think the only two items that I'm aware of that are not fully resolved yet are whether to split some of those things now or later, and I have kind of been motivating us to try and split them later, once they're actually formed and once we know that space a little better. But if there is general, if the TOC feels that they would rather split them today, we can do that.

C

One of the problems is we don't really have a good agreement on exactly along which seam to split them, which is one of the reasons why I thought it might be better to split them later. But that's one not entirely resolved area. And what was the other one?

C

The other one was the nature of the control structure between the TOC and these things, and to what extent the TOC has, you know, active engagement and control of these things versus them being more autonomous. And the wording in the document is very clearly that they are under the control of the TOC. But there were some comments that they perhaps should be more autonomous than that. I think those are the

C

only two unresolved issues, and there are a couple of, you know, formatting issues and more minor things, but those are the two items that I'm aware of that have not been totally resolved. It.

C

But I do think that we can vote on the current state, and I think we have reasonable resolution paths for both of those issues going forward. Yeah.

F

I think we can probably go ahead with starting to set up SIGs without necessarily having a final 1.0 charter for how they're gonna work. I think we could spend quite a long time arguing about the detailed language in the proposal if we really wanted to, but I think the intent is clear, and I think we should be soliciting leadership for those SIGs right away. I

C

agree. I would like the TOC members themselves just to vote on that there and say yes, that is the plan. What's in the document is the plan and we're executing it, as opposed to we haven't agreed on what the plan is. So.

F

To do that, we probably want to have a target date, which might slip, for a 1.0 document that we're going to vote on, and then initiate the process of soliciting leadership for the exact SIGs, right? So to do that, somebody needs to basically put together language that we can vote on, proposing something like that.

A

I'm happy to put together some language and kick off a formal vote. We could put a deadline on maybe this Friday for final comments. So.

C

I thought that deadline was today, basically, and that we could kick off the vote today. Or do we think that the proposal is not sufficiently detailed to vote on? I'm not totally clear on what we're saying. I think

F

in the past, we've solicited specific objections from TOC members on the call, and indeed from the wider community, to what's being proposed, and if there isn't a, you know, loud, vocal objection, then we articulate the fire immediately. I

C

think we solicited that two weeks ago and decided to be weeks

F

ago, synergy.

C

I mean, I don't think about it, but I think we've done all of that, and I mean.

A

There are no strong objections. I'm happy to put something together today and send it out. I think last time we also discussed to bootstrap, you know, with one SIG first, to kind of test drive things to see how it works before adding a ton more SIGs, and I think we suggested that maybe the governance or SAFE kind of one being the first one.

C

Yeah, I think there are a couple there that are important for different reasons, and again, start with one and move from there as fast as possible. I

F

think, as soon as we start soliciting people who want to push these things forward, we'll find that there is momentum, and momentum sets rates.

J

All right, thanks

A

Chris. That done, so moving on to the next slides. I believe it's Torin to talk about OPA. You know, it's been almost a year since they've entered the sandbox, so they're due for their annual review for the TOC, and also this is, you know, coinciding with them requesting to move to the incubation level. So I will let, I think Torin should be on, be there, hello, or Tim, presenting.

K

Can you hear me? Sorry, what's up? Yeah, we hear you. Oh, okay.

A

Sorry, we

K

were dialed in, and then I guess that was automatically muted or something. Okay.

A

No, anything, it's like star six to unmute. Oh yeah.

K

Yeah, all

A

right, go ahead. It's all yours now. Okay.

K

Thanks a lot. Yeah, so I'm Torin, I'm one of the co-founders and core contributors to the Open Policy Agent. So what we thought we'd do is just give a quick overview of the project before we dive into some of the progress we've made. So Open Policy Agent, or OPA, is a general purpose policy engine, and what that means is that it basically provides a reusable building block that you can take and use to unify policy enforcement across a range of different technology.

K

So the whole goal of OPA is to help different kinds of components in your stack enforce policies, right? So whether you're talking about the API server or a custom internal microservice or a CI/CD pipeline or an object gateway or something like that, OPA exists to fill the gap of enforcing, you know, authorization policy or policies within that component. And so today folks are using OPA for a variety of different use cases. The two main ones, though, are around API authorization in microservice environments, and the second one is around admission control within Kubernetes.

K

So there are a number of different people using OPA for API authorization. We typically break that down into kind of two categories. So there are companies like Netflix that are using OPA for building out, like, an internal security platform to enforce authorization over, like, internal services and internal resources, and then there are companies that are embedding OPA basically as a library to implement authorization for their end users, right? So every time, you know, an enterprise software company ships software to their customers,

K

they have to have some kind of authorization system in place, right? And so they expose role based access control or an IAM style system to their end users. And what we've seen in the last year or so is a lot of growth in terms of folks just basically offloading that implementation to OPA. On the Kubernetes side, admission control, specifically, we see tons of companies using OPA for enforcing all kinds of different invariants or guardrails or constraints or rules or whatever you want to call them over workloads, right? Over,

K

you know, deployments and pods and ingresses and services and so on, right? So, you know, anytime you want to, you know, roll out Kubernetes in a large organization, you know, and possibly a heavily regulated industry, you know, you need to worry about, you know, where images are being sourced from, what labels are being applied, what teams can expose,

K

you know, certain host names or paths or ingresses, and so on, and OPA provides a really good solution to enforcing those kinds of policies. At the project level, or, you know, in terms of software, what OPA actually provides, you know, the core thing is a declarative policy language that lets you express rules that answer, you know, questions like: can this user perform this action on this resource?

K

It comes in the form of a Go library, basically, that's quite lightweight. We have very few source level dependencies. We have no, like, runtime dependencies, and you can also run it basically as a daemon if you're not embedding it in Go. And then the last thing that we also provide is a sort of a suite of tooling that helps people author, build, test, and debug their policies. So we provide things like an interactive shell that allows you to kind of experiment with policy.

K

We have a test framework, so you can write basically unit tests for your policies.

K

We have IDE integrations with VS Code and so on. So we're really basically taking policy and treating it as code and providing all the building blocks you need in order to do that. And then just in terms of background, we started the project actually in early 2016 at Styra, the company that I work for, and we joined the CNCF sandbox around March of last year, as Chris mentioned, and that proposal was sponsored by Ken Owens and Brian Grant.

K

So are there any questions just about OPA at a high level? I know some people may not be familiar with it. I'm happy to just, if there's any kind of confusion around what OPA is, I'm happy to address that now, but otherwise I can.

K

Okay, I'm gonna take that as a no. So this is just kind of a summary of some of the stats we've been tracking on the project, and we tried to show the kind of year-over-year growth of the project. Obviously, for the sort of canonical information, go check out the CNCF DevStats page or the project health page that they built.

K

That's got much more information, but we thought we'd just distill some of it here. So in terms of contributions and commits to the project, we had about 480 commits over the last year compared to 410 the year before, and about 75% of those commits last year came from Styra, 7% from Chef, 5% from Cisco, and then about 14% from sort of a long tail of different users.

K

So obviously the contributor base is relatively small for the project, but the trends are encouraging here. The year before, it was like 93 percent Styra committing to the project, so we're pleased with that trend. In terms of actual contributors to the project, basically doubled year over year. We started tracking the Docker Hub pulls basically a year ago, almost, and at the time there were around 80,000 pulls.

K

Over the last year, though, it's grown to about 480 thousand, and recently we see about 10,000 image pulls per week for the project, or rather for the main OPA image. We've seen a lot of growth on Slack over the last year, almost 10x. We see about 15 people a week joining the Slack organization, so there are lots of people on Slack asking questions about OPA, asking questions about policy and Kubernetes, and then just talking about their use cases more generally that they want to apply policy

K

for. Recently, we started tracking the number of Rego files on GitHub, so this is an approximate number of the number of repositories containing Rego files that are publicly accessible on GitHub. So that's an interesting metric, I think, and we see a couple new repos every week basically popping up. And then in terms of stars, we've seen quite a bit of growth there, almost like more than 10x. That's due to a Hacker News post, actually, that seemed to drive a lot of traffic to the project.

K

In terms of the project itself and what we've been working on, there's a bunch of project level improvements we made. So we started holding bi-weekly community meetings since we entered the sandbox, and lately we've had quite a bit of good participation there. So we've had regulars from Cisco and other companies participating, which has been great. We defined a governance model in order to meet the requirements of CNCF. We went through the CII, the Core Infrastructure Initiative, sort of best practices badging process, and so right now we're just passing.

K

We haven't done the silver or gold levels, but maybe we'll look at that in the next year. And then, thanks to the CNCF, we were able to get Cure53, an external pen tester, to do a security audit of the project in the summer, in August, and I think that was relatively successful. There were a few low criticality vulnerabilities that they discovered, and those got fixed. So thanks to the CNCF for sponsoring that and Cure53 for doing a great job there. In terms of actual feature development,

K

we shipped a lot of interesting things in the last year. We added support for basically a set of management APIs that allow you to dynamically configure OPA to do things like pull down policy and data from an external service API. We added support for having OPA report

K

its status back to a control plane, so you can see, like, what version of the policy the OPA is running with, whether there are any errors activating the latest policy bundle, and then also a decision log endpoint, so that OPA can basically periodically upload batches of policy decisions or audit logs to a remote endpoint, and those are particularly useful for debugging use cases, auditing, and other things.

K

At the end of last year, we shipped an initial version of a Rego to WebAssembly compiler. So that's basically an alpha right now. We're still working on that. It's not feature complete yet. We haven't covered the entire language, but we expect that to complete in the next couple months, and then hopefully, towards the end of this year, we'll have some interesting use cases that we can show off around using WebAssembly for policy enforcement.

K

We also worked on a number of data filtering use cases, as we found that a number of companies that were using OPA for API authorization, once they'd sort of solved API authorization with OPA, the next question they had was, well, how do I restrict access to sensitive data using OPA? And so we put a bunch of effort into extending one of OPA's features called partial evaluation to enable translation from basically Rego down into other query languages like SQL and Elasticsearch. So there's a blog post on that. I think it's interesting.

K

It kind of shows how you can push policy enforcement down into the database or down at the data layer. We also added TLS client authentication for connections to OPA. We had previously only supported bearer tokens there. We had a couple end users ask for TLS support, and that was actually contributed by some folks at Chef. And then we also added about 25 new built-in functions to the language to do common things like decode and verify JWTs, perform,

K

you know, date/time operations, CIDR math. We added a bunch of glob functions that are useful for dealing with things like ARNs and so on, and I think most of those came from the community. That was largely driven by people, you know, writing Rego and then thinking, oh, maybe there's some part of this

K

that would be better expressed as a built-in and that they could contribute, and so that was nice to see. And then the last thing I just want to call out here are a few integrations that we built and that were also contributed by the community over the last year. So we built an integration with Envoy's external authz feature, so that you could enforce, you know, API authorization policies with Envoy or in the Istio data plane, which complements the Mixer integration that we already have.

K

We built a Ceph object gateway integration that was requested by one of our end users. The Minio folks built a similar integration with their object gateway. Somebody built the Flask integration. Flask is a popular Python web framework. Somebody built the Kong integration, and we also put together a Kafka one. And then something bigger that we also kicked off recently

K

was this new project called Gatekeeper. So late last year we started talking with various folks from Microsoft, Google, and elsewhere about this problem of admission control and policy enforcement within Kubernetes, and it turned out that they'd already been basically working on a project around that using OPA. So the Azure folks contributed their Azure Kubernetes policy controller project to the Open Policy Agent organization, and Gatekeeper, which is what it's called now, what Gatekeeper basically does

K

is it integrates OPA with Kubernetes in a more kind of Kubernetes native manner than what we previously had just with OPA, and by doing so it enables basically flexible admission control, policy enforcement, and auditing of Kubernetes clusters. So yeah, so we started working with various folks late last year, but we kind of only officially kicked it off in January, with community meetings, basically weekly community meetings that are being led by Google, Microsoft, and Styra. We also have others contributing to that.

K

We have a number of end-user participants that are engaged in those meetings, so yeah, Craig from Commonwealth Bank of Australia, folks from Replicated HQ, Capital One, Intuit, Red Hat, and others are all participating in those meetings. So that's been going super well. In terms of the actual project, like what we were aiming to provide, the MVP has sort of three main things that we want to deliver.

K

The first is an audit capability, so we want people to be able to take their admission policies and then ask the question: well, what resources in my Kubernetes cluster are currently violating that admission policy, right? So, like, what resources are missing, you know, its TTL annotation, right? That's a super common use case.

K

We're also going to be providing a standard library, or kind of canned policies, for common use cases. So, you know, you hear people talking a lot about things like restricting the image registries that the containers get pulled from, or, you know, doing management of labels, like doing ACLs over labels, or restricting ingress paths, stuff like that.

K

So there are a lot of these use cases that can be kind of distilled into templates or standard canned examples, and so we're gonna have a kind of an upstream community based library of these policies. And then in terms of the actual interaction with Kubernetes, we're going to move to a CRD model where you can basically load policies in by CRDs and then instantiate them as well by a CRD.

K

Okay, so just sort of moving on to end-user kind of reports. So this slide gives kind of an overview of who is using OPA today. I don't think it's complete. We had a booth at KubeCon, actually, and, you know, we had people coming up to us from all kinds of companies that we'd actually never even heard of, some of them. They were telling us that they'd been using OPA for various things, particularly this problem of Kubernetes admission control.

K

So this is basically the list of companies who we reached out to and who were able to publicly say that they were using the project right now, but obviously, given that OPA is kind of embedded in a core part of a company's platform, some of them are not totally comfortable saying that they're using it publicly. So in terms of production usage, we have Intuit, Netflix, and Capital One highlighted here.

K

If you want to know a lot more about other use cases, you can check out talks that we did at KubeCon Austin in 2017 with Netflix, and then KubeCon Seattle in 2018 with Intuit and Capital One. And so I think we have a few slides coming up that just kind of explain some of these use cases. So if you can go to the next slide. So Netflix was one of the earliest adopters of the project, and for them, they use OPA as a kind of a core part of their security platform.

K

So they have an internal security platform that's responsible for enforcing access control across microservices and other components in their infrastructure. This environment has a lot of heterogeneity in it, right? It's got services implemented in a variety of different languages and frameworks, you know, that use different identity systems, that have different identity protocols around them, that speak different protocols on the wire, and so on. And these are, you know, they've got thousands of instances that they're dealing with, right? And so today they're running OPA on

K

basically thousands of instances in their cloud infrastructure, and they're leveraging OPA's ability to take in external information, external context data from their organization to enforce policies, right? So pulling in data from, like, a CMDB, you know, like a config management database that has the application metadata in it, information from their employee tracking systems, and so on, and they're

K

really, you know, leveraging that core functionality of OPA quite heavily. They're also, you know, obviously leveraging OPA's ability to express policy over a wide variety of different systems, right? So they're implementing policies over, like, HTTP APIs, gRPC APIs, Kafka, and other things, right? So the fact that OPA provides a flexible and consistent way to do that is very important for them.

K

Next slide. Chef is another company that's using OPA. They're also using OPA for API authorization, but their use case is different, because what they're doing is they're actually embedding it into Chef Automate to provide, basically, you know, authorization support to their end users. So this is where that second use case that I mentioned at the beginning.

K

Basically, they implement an IAM style access control model in Chef Automate on top of OPA, and then they're also using OPA to enumerate the user to resource permissions in the product, and they're also leveraging one of those more advanced features, which is partial evaluation, to optimize the policies and reduce the evaluation time. Next slide.

K

So getting into some of the Kubernetes related use cases, Intuit is using OPA in production. They've got OPA deployed as a validating and mutating admission controller for different kinds of security, multi-tenancy, and risk management policies. They're currently deployed, they have OPA deployed across 50 different clusters, with about a thousand, it's enforcing policy for about a thousand namespaces in total, and like I mentioned, you can check out a talk that we did with them at KubeCon Seattle that covers that use case.

K

Bol.com is, out of the Netherlands I believe, they're an online retailer, again using OPA for a mix of validating and mutating admission control policies in their Kubernetes clusters. So they do things like they patch, you know, image pull secrets onto pods, they set different load balancer properties and tolerations on workloads, and all of that is based on context that's coming from metadata stored on namespaces. So they're basically replicating namespace objects into OPA and then referring to those inside of their policies.

K

Excuse me. And I think they're deployed across a number of different clusters. And then the last one that I wanted to highlight is a company that can't publicly state that they're using OPA, but they're a Fortune 100 company, they're very security focused. They use OPA for a mix of, or for a bunch of different validating admission control use cases as well as authorization policies within Kubernetes. They've got about ten clusters right now with over a thousand nodes. One of the things that was interesting

K

there was that they initially adopted it for admission control in Kubernetes about a year ago, and over the past year they've sort of spread out into a bunch of different use cases as they've seen that it can be applied to different technologies, different domains. And so, for example, today they've got it integrated into their public key infrastructure, in a certificate RA that's serving these clusters, right. So when workloads boot up and they request, you know, a client certificate or a server certificate,

K

they have policies in place there that decide whether or not those certs get granted. So that's it, I think. I think the next slide is just the conclusion.

K

So there's the song.

L

This is not a toy. This is a quick question. Do you have an API for OPA so that, if somebody wants to integrate, they can integrate easily?

K

So the question is if we have an API. Yes, there's a Go-based API you can use if you want to embed it as a library, and we also have an HTTP-based API that you can use for non-embedded use, and so that's well supported, and we have plenty of documentation and examples that show that.

L

So the other one is, you're talking about admission controls. I don't know really what that means in your terminology. I assume that has nothing to do with the traffic; you're probably talking about the packaging and things like that. Am I wrong? Yeah.

K

Admission control is just a process of enforcing different kinds of, like, semantic validation or invariants over Kube resources that are being created, updated and deleted. So it's a core part of Kubernetes, but it's a little bit obscure.

L

Admission control is used for completely different things. Well, okay, thank you.

C

Sorry, I had a quick question. It's difficult to formulate clearly, but to what extent are all these integrations available as open source? So if I was a user and I wanted to enforce all these various different kinds of policies that you've mentioned, to what extent can I do that using open source tools and integrations that are out there, and to what extent do I need to buy commercial integrations for that?

K

So we have about 20 integrations that are all open source today. A lot of them just leverage, like, external authorization capabilities that other projects and products have, right. So Kube has excellent, you know, external authorization capabilities; it's got an authorization webhook and admission webhooks, and we just plug into those. Basically, you know, projects like Kafka, Ceph and so on all have external authorization, and we just hook into those. So the answer is that they're basically all open source. Some of them are obviously less mature than others, but yeah.

K

Okay.

C

So for most of these use cases that you've outlined, I could go out and install a bunch of open source software and do the same thing if I authored the correct policy? Yes.

K

Yeah, yeah, yeah, and what we see a lot as well are people just building custom integrations internally based on their environments. So we try to make the API as simple as possible for people to integrate. Thank you.

C

You answered my question, yeah.

H

Good question about the Netflix use case. Hello, yep! Okay, can you hear me? Yeah. So one of the things I saw in their presentation was the fact that they do the aggregation of the policy information from all the various systems, and then they do the distribution, which is kind of interesting, because we are looking at OPA from our edge cloud perspective and we want to do the decisioning near to the edge.

H

Actually, so is that distribution thing part of OPA, or is that something we will have to build ourselves, just like the Netflix folks did? Yeah.

K

Yeah, that's a good question that comes up all the time. There's no open source control plane for OPA that does the distribution that I know of today. I mentioned a minute ago, in the section on what we worked on in the last year, that we added these APIs that enable OPA to pull down policies, basically to enable distribution and enable observability of OPAs. So those APIs are there. So we have the APIs in place for you to build that, but you have to build it yourself today. So.

H

So everybody has to do a custom build as far as the distribution of the centralized policy DB is concerned, yeah? Now, to be

K

fair, like one of the things that Netflix said was that the way that they architected that control plane, the way that they expose it to their users and their organization, is very specific to their organization, right, because they have,

K

you know, custom services that they're pulling data from, and they have, you know, very specific UIs that they want to expose to their users within the company. And so they didn't, like, I don't think they saw a lot of value in open sourcing that; it didn't seem like it would necessarily be reasonable. So we see people building their own control planes fairly frequently.

K

It's just that, as you can see, that ends up being specific to that org, but we'd love to see more people within the community working on that as well. Yeah.

H

I'll reach out to you offline. Great.

F

Yeah, thanks.

H

Thank you.

F

Thank you. This is Alexis, just butting in to say, unfortunately, I have to drop off the call in a minute. I have two quick comments. One is that, speaking personally, I have come across a lot of enterprise end users who are either using or talking about OPA, which I think is extremely healthy and exciting. So well done. Secondly, from a process point of view, we haven't voted on incubation for some time and there was some discussion about formalizing the process

F

a bit more. I would like to ask Chris if you could remind everybody in the TOC where the process documents were written down. There was a long GitHub issue a little while ago. It'd be good to just kind of make sure that we do things the same for every project, whether it's coming from the sandbox or coming in new, including DD. Thanks. Cool.

A

No worries. I mean, essentially it's all documented in the sandbox markdown file, but there is a requirement for due diligence and a 2/3 TOC approval vote. So in this case, Brendan has volunteered to do a bit of due diligence. So it's on his list to take care of and share with the group, and then a formal vote will be called if there's really no objections from the TOC.

A

Sound good, Alexis?

F

Sounds good to me. Thank you very much and goodbye.

M

Everybody for now well, thanks.

A

Any other questions for Torin about OPA, or any questions from the TOC members or concerns?

K

Any movement or integrations around Cassandra?

K

Not that I know of. We haven't built anything ourselves for that. I do know one company that was using Cassandra for distribution of policy to OPAs, but not for enforcement of policy. Yeah, happy to chat about that though, if that's interesting. Great! Thank you. Yeah.

A

Any other questions? Someone is asking in the Slack: does OPA support network and routing policy management as well, Torin?

K

No, I'm just gonna say no right now, yeah! You don't want to put OPA in the data plane of your network.

A

All right, final call for questions. Otherwise we will have Brendan and the TOC kind of work on the due diligence and then, after that's done, we'll call a formal vote, hopefully maybe in a week or two. Okay, great.

J

Yeah.

A

Just one.

J

Last comment: Michael Bay Nia from JPMorgan. So we're using OPA as well as part of our admission control apparatus in Kubernetes. We're also using it to enforce more restrictive network policy. So it's not in the data plane, but we are using it to further lock down our network, deny network policy as well. So it's working well for us.

A

Good to get user feedback, Michael, yeah.

C

I wanted to just clarify Torin's answer to the previous question, which I guess is similar to what Michael just mentioned. From what I recall, although you don't want to actually be, like, releasing packets with evaluations, I understood that there were quite a few cases of basically customizing things like iptables rules based on policy. So it wasn't directly in the data plane, but it was involved in programming the data plane. Is that true or not? Yeah.

K

Yeah, so it is possible that you could use OPA to enforce policies in the network. We don't do that today, like we just haven't invested effort into engineering that. It's a really big amount of effort that goes into that, and we just haven't done that yet. In theory, you could definitely take OPA's policy language and express, like, microsegmentation policies and then have something that translates or compiles that down into iptables or whatever, to get enforced in the network natively.

K

So it's definitely possible, and then there are other kinds of use cases, like Michael just mentioned, where they're using OPA for putting guardrails over, like, the actual network objects and the network policies. So there is definitely a network domain component here. I just didn't want to say that we were putting OPA, you know, on every packet, which we're not doing right now. Okay, thank you. Yeah.

K

All right, well, thanks all. Thanks, Torin.

A

All right, moving on. So another discussion topic. I'm trying to remember if it was Quinton or Alexis that brought this up, but essentially the CNCF launched a new initiative similar to kind of the work that we do around DevStats or cncf.ci and so on. But you know, this essentially is a joint collaboration with a sister foundation at the Linux Foundation called LFN, which is the Linux Foundation Networking folks. Essentially it's a lot of telcos, but the name of the project is the CNF Testbed.

A

So if you're familiar with the telco industry, there is a wide amount of usage of VMs through these things called VNFs, which are essentially little apps, you know, packaged in VMs. There's been a lot of desire amongst certain CNCF members and LFN members to, you know, see what kind of a modern take on deploying applications within telcos would look like, and, you know, trying to compare infrastructure deployments between, say, a container-based stack versus a VM-based approach, and so on.

A

So, you know, the idea was to try to come up with a simple reproducible environment for folks to try out both approaches, and, you know, see how it would look and so on. You know, we had some generous support from one of our members, Packet, to provide some hardware, and then we funded some contractors to work on this project.

A

I linked off a very detailed presentation that dives into the more specifics of what's contained in this initiative, but the next slide covers, you know, more ways to get involved and how to play with this infrastructure. Essentially, if you want to take advantage of it and see how this would work for you, it's all linked off the CNF Testbed GitHub repo, and there's a way to request accounts via Packet.

A

So essentially it's a bit of an experiment for us, but it's, you know, been going pretty well. We've been working on this, I think, for probably the past nine-plus months. So those are some of the details. You know, I'm trying to remember whether it was Alexis or Quinton who asked this, but, you know, we're open to any questions that the TOC or the community has on this specific initiative, and I think Dan's on the line also, if you want to share any specific feedback.

C

Yeah, I was the one who asked to put this on the agenda. Our main motivation was that I don't think the TOC was significantly aware of any of the work that was happening, and I also know there was a pretty contentious press release made, and I think many of the TOC members and potentially the board members as well were surprised by this. And so it seems like we need to have some way of avoiding that surprise, and yeah.

A

Quickly, I think it was brought up at a board meeting a while ago that we're funding this, but it looks like we didn't do the best job of disseminating it to the TOC, because there are tools like, you know, APISnoop, cncf.ci, you know, that CNCF funds that I think the TOC should be aware of, and maybe we're not doing the best job about that, I think.

B

My biggest concern is that we're essentially setting up a this-or-that, zero-sum game between Kubernetes and the CNCF and the OpenStack community. Yeah, whether or not that's the intent, that's the way that this is playing out, and in the similar efforts that you're talking about here,

B

things like DevStats, like, that's all internally facing, and that's about us understanding our community, understanding what we're doing. Like, we're not actually going out and throwing shade, purposefully or not, on other open-source communities, and so I'm wondering how we're thinking about navigating that, so that we can have this be something that, you know, is constructive for everybody.

A

Yes.

N

um

A

Yeah.

N

I think one of my quotes, in particular in the TechCrunch article, was unhelpfully negative, and I am clear that avoiding negativity is important to the Kubernetes and the cloud native communities. The point of the CNF Testbed is to avoid ad hominem comments and instead have an open source, replicable way to discuss differences between VNF and CNF architectures. And I

N

think it's relatively obvious that a lot of the biggest backers of Kubernetes are also huge backers of OpenStack, and a ton of the end users of cloud native projects are also end users of OpenStack, and that there's a huge overlap of the community of developers and contributors, such that we're going to be coexisting for years or probably decades to come. So I do understand the point about negativity, and I

N

do regret that particular quote, but I believe it can remain a useful project for looking at this particular market development opportunity around telcos, and

B

I think, you know, there's also a larger message here outside of just the telco use cases, which is one of containers versus VMs.

B

You know, it's a complicated, ever-changing and fuzzy boundary between these things, and I think, you know, we very much want to make sure that we look at it as containers and VMs.

B

You know, horses for courses, right solution for the right problem, type of thing, and I think that that didn't come out in some of the press around this. I

N

agree.

A

Any other questions? It's a fairly new initiative. They're essentially running like a typical open source project, with open meetings and so on. So if folks are interested, they're more than happy to have you jump on. I believe they had a meeting yesterday. So also, I'll send a note out to the list if people are interested in engaging with that community.

A

Any other questions from the community? Otherwise we will see each other next Tuesday, where we will be kicking off project presentations and so on at 8 a.m. Pacific. So, any other questions before we wrap it up?

A

Cool, all right, we'll close the meeting a few minutes early. So thank you, everyone, for your time, and see everyone next week. So thanks. Thank you.

A

You.
From YouTube: CNCF TOC Meeting - 2019-03-05