From YouTube: Kubernetes Public Steering Committee Meeting 20200803
A
Welcome everyone to the August 3rd 2020 public steering committee meeting. Please remember that there is a code of conduct in place and remember to be excellent to each other. This is also Kubernetes community steering meeting, so it will be recorded publicly on YouTube. So please remember that whatever you say will be recorded for eternity. Thanks, Lucky, for taking notes again, and let's get started with the agenda. First off, the election schedule.
B
Yeah, so I just wanted to bring this up. I've been kind of liaising back and forth with the election officers for this fall's election. Josh put out to the steering list the proposed schedule for the, the election, including the contribution year.
B
So looking at the statistics from August 1st of last year to August 1st of this year, then, you know, taking, like, basically starting now through the 12th, they will compile the list of electors based on the criteria that we set last meeting, which is 50 contributions plus being a member of either the Kubernetes or Kubernetes SIGs GitHub orgs.
B
They set nominations to close on September the 8th, open for voting and sending out the ballots on September 11th, gives folks, you know, roughly a month, a little under a month, finishing up on October 6th and then announcing the results on October the 9th. The only thing, looking over those dates, that I had a comment on is, I know typically we've done the announcement of new, like, the new members at a steering committee meeting, and on Friday, October the 9th doesn't line up with that.
B
If it was, looking in October, of the, the 5th or the 19th. Again, I don't know how critical that is or if anybody else, like, has thoughts. But that's what was submitted to us by the, by the election officers.
A
Yeah, I had similar comments there. Like, first one was definitely the announcing the results since October 9th.
A
I was wondering if it could be moved a week, like, earlier, because that coincides with the Monday and the public steering committee meeting, or we could make it, like, one, move it one day ahead, one, few days ahead to the next Monday and move the steering committee meeting there. I guess I would prefer that as well. The other thought I had was the election begins on a Friday.
A
B
If we started the election and sent everything out on a Tuesday, then the ballots are, the, are hitting a cleaner inbox, folks, and hopefully they can act on them right away, as opposed to, you know, letting the ballots rot in their inbox for a while.
B
Can we start the election on a Tuesday, and can we finish the election, like, close, close the ballots a few, few days ahead of time to give time for the election officers to, like, tabulate things and validate, but then announce the results at a public steering committee meeting, would be the two kind of, like, suggestions that we're making back to the election officers.
B
A
Cool. Jay, you had the next security proposal.
C
I unmute and video. Clearly I'm standing outside in front of the bridge. That's why, when I move my hand real fast, you can see my background fade. Yeah, absolutely. So I've, I've come, I've come, we've given, we've submitted a letter and I can, oh good, you're sharing the screen. We've submitted a letter and a proposed charter and, and great, this is, yeah, this is a letter, if you want me to share my screen on.
C
I've got letter and charter both up, but in essence, yeah, we're here to, we're here to talk about our pull requests or to answer questions. What would you guys, what would you like? Would you like us to, would you like us to just kind of make a short verbal spiel, or, or do you want me to just hold back and take questions?
C
Okay, I, I think I have to be permitted. Let's see, share this, host.
A
C
Okay, awesome, I'm just gonna
C
Click and click and just do the whole thing. I've also got some of the, I've got some of the signers of this letter with me. Let's move that off the screen. So basically we're proposing that, that is, create a new SIG, and the folks that are writing below, we've, we've, we haven't given you our last names, but we're happy to. A number of us are here, so Aaron Small is, Eric
C
Small, is here, Craig Ingram and, and Joel, and are also here, as well as Tim. The first, the first four names here, we represent the co-leads of the security audit working group, and basically we found that we, we did our, we did the first, the first security audit on the Kubernetes code and the first threat model, and we found that we had, we had a really good experience of doing the, of doing that
C
First code audit. We're getting ready for the, we're getting ready for the next one. We had a great experience creating that threat model, and when we went to KubeCon to present, we found that there were, there was just a ton of energy. There were a ton of, there were a ton of information security people that were looking for a way to contribute to Kubernetes. They were trying to find their way in outside of, outside of simply writing code, and they were eager to contribute.
C
They were eager to, to have a way to, to gather and figure out how they could help. And, of course, there were a good number of information security people within the Kubernetes community already. Beyond that, you know, so we got, we had a whole, whole lot of energy and a whole bunch of people who wanted to help.
C
We also found that, at the end of an audit, that there was, you know, that there's, there's more work to be done, and part of that, I'm just making sure I'm talking the right camera. Good. Okay, I've got a couple cameras here. We found there was, there was more to be done. Like, the, the audit, the audit produced, produced vulnerabilities that go into, that went into the PSC and started to get addressed or started to get, you know, marked as, well, that's, that's intentional, that's how it's supposed to work.
C
We found that, you know, one of the big things that our third, you know, the third-party companies that looked at the code with us, did the threat model with us, actually they did a lot more of the code examining, so be clear, but, but they said you need to, you know, that you need to work on creating stronger defaults.
C
You need to create, to work on getting, on making it easier to harden this, and, you know, we also had, we've had a lot of community interaction about that as well, and so the idea started coming out of that to, to create a SIG for security, not to own the authorization code like SIG Auth does, but to basically gather these together, these people, and to work the way
C
Information security often works within projects, within organizations, and we've talked to, talk to a good number of people, and people who have a lot of passion and energy, and that's part of what you're seeing in this list of names at the bottom.
C
As an example, we have, we have Liz Rice and Rory McCune, who work on the CIS hardening guide, the, the bench, they're, the CIS benchmark, that serves as a hardening guide for Kubernetes, and they are, you know, I'm just taking as an example, they're very excited about creating a Kubernetes hardening guide out in the open as part of the Kubernetes project, with contributors in Kubernetes, and helping that drive what CIS has in its hardening guide, and honestly just having the better experience of, instead of, you know, being on a kind of a semi-private web application to decide what the benchmark should be, actually doing that within the, you know, within the mechanisms we already have in the Kubernetes project, especially GitHub, which is a heck of a lot easier way to, to accept, to accept recommendations and changes and input and help and, yeah.
C
We have a lot of excitement. So I'm gonna show you our proposed charter, and I'm also gonna look at your faces for a second and see if anybody's just looking bored out of their skull and, you know, wishes I'd, wishes I'd talk faster or cover less. So, not seeing anybody looking really bored. Great. No.
C
Thank you. Awesome. Thank you very much. I really appreciate it, and everybody watching who isn't on screen and can't show whether they're bored, I apologize if I bored you. So, so SIG Security is intended to be a horizontal, a horizontal SIG that covers security initiatives for Kubernetes, and that would include the ongoing security audits and threat modeling.
C
It would also include helping out in the vulnerability management process, creating cross-cutting security documentation, including especially hardening guides and other mitigation guidance, and basically doing, doing community building and education in the security community and helping to give the infosec folks a place to contribute, a place to funnel in and a place to help and, honestly, I'll tell you as an infosec, as an infosec person, you know, a place to find out, like, hey, is this
C
Is this thing that I want to suggest something that's already been considered and done, so that we don't have, like, you're going to, from our, from our, from our perspective and experience, you're gonna have, as Kubernetes gets, gets more and more popular, we're gonna get a ton of information security people coming in who are really interested in helping, and having a place for them to gather and to find out how they can help, to find out what's been done already, so that we don't overwhelm the SIGs
C
The other SIGs, will be really, really helpful. So here's the areas. This is our chart, this is our proposed charter. Here are the areas that we've worked out and both been discussing. We've been working on this for a while, and these are the areas that, you know, that we've created, and we've been running them by other people within the, within the Kubernetes community, including some of the affected SIGs. We've talked a lot with the Product Security Committee, and part of the way we've been able to do
C
That is, I think, four of the people who helped write this, who are named on that, who helped write this charter and named in our letter, are on the PSC.
C
So first area is basically helping with vulnerability management, and that's helping define the processes for, for when the private fix and release process is invoked and how the vulnerabilities are related, helping to find the scope of the bug bounty, not, not running the, not running the bug bounty specifically, so that stays, that stage of the PSC. We talked, we'd be talking about how and when the vulnerabilities are announced and, and talking about creating criterion process for some projects.
C
Kubernetes. Let's see. Another part of that, that's not named, is helping to handle the, just the external requests that are going to come in for comment on vulnerabilities or on mitigations, and, you know, one of the, one of the people on our letter is Ian Coldwater, who, you know, in helping us draft this, said: listen, you're
C
You bet, if you don't think you're going to, see if I can make sure I use their words right, there's something along the lines of, if you don't think that you're going to have to handle both press inquiries and a ton of user inquiries, well, I would just expect that you're going to. Right now, a ton of them just call me, because, you know, reporters will call the people they know and so on.
C
So this is kind of part of the purpose here, is to give, is to, for public vulnerabilities, especially for mitigations, is to give people a group to talk to and to be able to spread that effort around.
C
So there's a suggestion that I haven't made as a change to this, to this pull request, which is to, we just removed the first bullet, but, but we expect that what we'll also be doing is, is, and this is, this is a really big part of what we, what we want to do as SIG Security, is basically out, security outreach, so just giving, that I think I've spoken, was a good bit, so giving a place for information security folks or security-minded contributors to come and, and talk, and Aaron Small, who's here, had a great way of putting this.
C
He said: infosec people are gonna intersect, so give them a place to do it, or else it just happens at bars or what have you, and you don't get to, you don't get to find out they're gonna say to you. So giving them that kind of meeting point, and another part of that is basically answering security questions from inexperienced users, and that'll basically, will take a load off some of the SIGs, and also there'll be places where they just don't know what SIG to go to.
C
So we end up being a kind of an entry point and then we'll be routing to other SIGs. We know, as a horizontal SIG, that when it comes down to it, that we're going to be, that we need to expect that we're attending other SIG meetings, not that we're asking all the other SIGs to attend ourselves. Of course, this is an open community. We're all welcome. Two more areas, so horizontal security documentation.
C
I spoke to this. We've made, this is, we're proposing this as a sub-project, so we'd be looking at doing hardening guides and best practices guides and articles, blog posts and whatnot. You can absolutely commit to
C
You can absolutely count on us to write our hearts out. Benchmarks, see if we can find places in the documentation where we can address questions. But the way I, the way I talk about this is, I talk about this as documents and documentation, because when it comes to threat models and hardening guides, these are, these are things that are beyond just simply writing a document, beyond simply writing the documentation, even though they become part of the project, and we're really excited about that. And the last one is the same security audit work that we've been doing as the working group.
C
So the way we see this is the, the working, the security audit working group disappears and is replaced by SIG Security, which has the security audit as a sub-project.
C
We've got a big out-of-scope section, and I'm not sure how much to cover that in that same detail I've been hitting so far, but our focus has been to make sure that we are naming, that we're following both the requirements and the custom of making sure that people who are looking at this, looking at our proposed SIG, know where to go if something isn't ours, and so, and so we've named it here, and then I think that's the, that's the, that's the big thing.
C
I think this would be a great time for questions. If you want me to dig into the out of scope, we'll probably do that best by question.
E
Yeah, yeah, so I, I guess I had a couple questions. So first, thanks, Jay, for doing such a nice job enumerating this. I kind of took over, took down probably three questions, and so hopefully, if I ask all three, then maybe you can remember, but the first question I had was, like, I'll try: why a new SIG versus a subproject of an existing SIG? So some, some thoughts I had in there would, like, do some of these
E
Could some of these things be parented under, say, SIG Arch when providing cross-cutting guidance across the project? So maybe you could comment on that. And then the first point, on what responsibilities is it actually taking over from the PSC? Or are we saying that those responsibilities were not previously held by the PSC?
C
Cool, so that, that first question, especially, but, but kind of both, we've, we prepared a little bit and made sure that we could have a number of us who could speak to
C
You know, why not, hey, why not take what we're, what we're saying and just divvy it up and push it under, push it under your existing SIGs or working groups, and can I, can I lean on Aaron and Tim to help me out there? And if you all just feel like you've been thrown into the bus, I'm happy to, I'm happy to keep talking. I
F
Don't mind, I don't mind buses. Yeah, I can speak for a second and then I'm going to ask Tim to cover the gaps. My, I guess the biggest crux of it all for me, I think, actually stems around community building. There's a ton of different sub-projects that we're proposing be spun up under SIG Security, and they all have their own reasons why they make sense to be independent, but the most important, I think the most telling, is this aspect of building an entry point for the infosec community to come
F
Join in the Kubernetes conversation. It is much easier to find a top-level group. It's the bottom line. If you're looking for a way to get involved and you don't have context, you're not a big participant in the Kubernetes Twitter and you don't join the Slack and chat, but you were doing an audit and you found a bug, or you think this Kubernetes thing is pretty interesting and you just want to get engaged, you're going to find a top-level
F
SIG first. You'll turn up at SIG Auth because it's maybe kind of the closest, but they don't have the framework to build a community and to ingest and then find the right home for work, and SIG Security would, and that, I think, that's my, the, the biggest reason. I know Tim's done a little more thinking on trying to find homes for these various sub-projects. I'm gonna ask him to, to tag
G
On. Sure, so we, I anticipated this question and wrote up a doc that sort of tackles it for each of the sub-projects that we discussed.
G
To share that out or kind of talk through each individual one.
C
It, okay, and I've also, I've put it up on the screen, if I'm still, I think I'm still screen sharing. You still aren't, great, cool. I will, as an example, I'll take an example real quick, just to give people who are, give him a chance to share it out and be able to pick it up, to open it up. One example was for creating hardening, you know, creating hardening guides. There are two ways that it really makes a lot of sense for this to be SIG Security.
C
They were having a little bit of trouble, like, they were having trouble honestly finding as many contributors and just making that, making their, their kind of meetings regular and occurring, and they're really excited, because at the end of the day, it's kind of easier to find, it's easier to get a lot of security people and then take a portion of them who can and want to write, necessarily.
C
Then, you know, to take, to take in, to take subject matter experts who want to write, yes, than to find people who are, who are generalists within a technology and, and, and pick them, you know, and find, you know, and sort through to find subject matter experts and get them going together. The, the other, well, I think that's, that's probably one of the, it's probably one of the good ways
C
To put that. I think the other reason for having, for having that kind of SIG Security is that just the, some of the focus, of having that strong focus, makes it a heck of a lot easier to get information security people who are contributing in other areas to work on things like hardening guides, you know, to contribute, to make those, you know, to make those, you know, half a percent future contributions, as opposed to the person who's
C
You know, writing 80 of the doc or what have you, and that ends up getting a much broader breadth of experience in. So I promise that wasn't just me delaying to give him time. That was something I wanted to say either before or after, but I just thought it makes sense to go first.
E
F
G
Yeah, the, which ones these did I consider SIG Arch for?
F
You mentioned it under the security audit bullet. Yeah, we called out is that SIG Arch is probably the closest fit for the security audit, but, like I just said, it, it's not something that any of the security people I know or have, have considered joining. I think it's kind of, well, it might make sense as a, as an internal member, like, it, from the inside it might make sense. From the outside, it doesn't.
G
I think that these projects all tie together in a way that someone who's interested in one of these projects is, like, likely to have thoughts on, on the other three, and so keeping them all together in the same place will help to, I think, help to build some of that knowledge across these different areas and kind of pull more folks into these different projects.
G
So, if we're considering pulling all four of these projects into SIG Architecture, that seems like quite a bit of responsibility and scope to add to SIG Architecture that I'm not sure we would want to. I would worry about kind of growing SIG Architecture too much if we did that.
E
My other question at that point, and I wasn't advocating necessarily for them to go, I was just curious if there had been a thought to it, and so it looks like Tim has always exceeded the bar here. So I'll read the doc in detail afterwards. The other question was: what responsibilities is the SIG taking over from the Product Security Committee that may have been held there, or are we saying that we had gaps that were not being met?
G
Yeah, I can take that one. So on the Product Security Committee, we really want to get more involvement from the community to helping us to define the, the processes and the communications channels and the response timelines and all these kind of guidelines that we use to actually respond to the vulnerabilities, because most of the current process, we've sort of just made up as we go, based on what we've, what kind of works for us and a very limited set of feedback that we've gotten.
G
I'm not sure handing off responsibility is quite the right way of framing it, since I think all of the PSC members will still be involved in defining that process and, to some extent, have the final say in what the process is, but we're looking to get more community, and when I say community, I really mean kind of like public community engagement around all of the public parts of the pro, of the security release.
C
And part of that, like part of what came up in our conversations there, is that what the PSC does is, I'm sorry, but the PSC's kind of level of, or I'd almost call it like an amount of staffing, but number of, you know, members is, is bounded, and part of that bound is because everything that's going through the PSC is, is embargoed, and so having, having the non-embargoed work happen outside of the PSC in, in a SIG means we can bring, hopefully, a lot more person-power to the table.
H
All right, thanks, Jay, thanks, Tim and Aaron. So I had a couple of things that I wanted to touch on. One was
H
Well, I'll ask the easy question first, which is, what, what was some of the obstacles to get to you this far, right? You know, we touched upon a little bit about, like, the boundaries between PSC, boundaries with SIG Arch and stuff like that, right. So how are you able to navigate that stuff? And, you know, has it settled down, or is some bits still in progress?
C
Sure, I can speak to that a bit. So we talked with, in doing this, we talked with PSC, obviously, as that was, that one was the kind of more already-done conversation, because we've been, because we had PSC members helped to create this. We got to have a number of conversations with SIG Auth, and the last one was at their meeting a week ago, and, and, and that's, yeah, we feel like that
C
We feel like any concerns about, is part of what we're proposing for SIG Security something that SIG Auth would want to be part of, there, to be a part of their bailiwick, and we think we've really at this point gotten their buy-in, but they're pretty happy with what they're setting out to do, because this, what we've written, isn't what they are. Now, as, as part of that, we made, we made a clear assurance, which is, you know, there, they had a concern.
C
What if people come to SIG Security thinking that SIG Security is going to make decisions about, say, what the, about, say, what the default behavior of the system should be within, in particular within authorization? And the clear promise that we've made, it's already part of our charter and it's already called out as something that's not in our, that's not in our bailiwick, but that's, we're not looking to own the code that you require for a running cluster.
C
So we're not looking to own the code that SIG Auth owns, and when people do get confused, then we're going to be really, really clear, like we've been in our charter, but we're going to be really clear as convention that that's, you know, that happens in the relevant SIG. So if you want, if you want something changed that really comes down to API Machinery, then we're going to direct into that SIG, and beyond that
C
We're also going to tell them about the conversations that have already happened, and that's one of the places where we think we're going to be able to save the, save the SIGs a bunch of effort and make them a little bit happier.
C
I, I've been calling it that, will serve as a local cache for questions about, like, hey, why can't we just do such and such, and
H
Maybe, maybe I'll ask a specific question, right. For example, the PSPs, and you know how we are trying to get rid of them and get people to use proxy-based mechanisms, Gatekeeper, OPA, that kind of discussions. How do you intend to work with SIG Auth on defining, like, when do we deprecate? How do we go about deprecating? How do we make sure that there is an alternative? You know, people are going to come and ask you, because you have security in the name, right? Sure.
H
C
Yeah, that's, that's, that's really good. So, and Aaron, Tim, Craig, Joel, you know, cut in if you, cut in as well as you like. I'm gonna give you my, I'm gonna give you my, just my off-the-cuff thought there, and in my mind, so we have the stock phrase. If you really want to, okay, I get you really, really, you know, you're talking to incoming, you're talking a contributor or, or, or just someone who has the idea, like, you really, really hate pod security policies.
C
You want them gone, you wanna, you know, you know that they're beta and they don't seem to be coming out, but they're, that they're not long for this world, and you want to accelerate the, the rate at which we're, you know, the rate at which we're moving to other admission controllers like OPA Gatekeeper.
C
I think that there are a few things we do there. One is we make it clear that, that convert, that we make it clear that, that SIG Auth is, SIG Auth is the place to go to talk about that.
C
Another is that, you know, we can certainly write documentation that talks about, you know, we can write documentation about the downsides of pod security policies, about how much less expressive they are than if you were to go with something far more full-featured like, you know, OPA Gatekeeper with Rego, so we can kind of, we can, we can also go to SIG Auth and, you know, we can also SIG Auth and talk to them.
C
Can they, you know, go to their meetings and advocate strongly and wherever else we, whatever else the existing practices are, to advocate strongly for pod security policies to, on the one hand, perhaps to die a swifter death or, on the other hand, to be better supported for a longer period of time, because clusters unfortunately live a lot longer than any of us expect. Is, does that hit, does that hit the question?
H
So basically you're joined at the hip at this point and you've got to make sure that the communication flows smoothly. Sorry, Tim, you were going to say something.
G
Oh yeah, I just wanted to elaborate a little on your specific example. That's a pretty interesting example, because it's a case where we're moving from, or we want to move from, core code in pod security policy to more of a best practices recommendation, and so pod security policy is very clearly owned by SIG Auth. Everything that it's managing is sort of, has more to do with SIG Node, and we're kind of transitioning to more of a best practices
G
Recommendation model, which kind of falls more under the documentation piece, and this is actually a place where I think security can really shine as kind of this horizontal effort, and something that came up a lot when we were discussing with SIG, SIG Auth, the other SIG Auth leads, was this concern that, well, SIG Security is kind of working on these best practice recommendations, but they don't have the authority to kind of just
G
You know, make a, a declaration that this is the best way to do something, and so there's kind of this desire to say, well, it's really the responsibility of the security members to bring proposals and bring the issues to the SIGs that really have the kind of final say. So going back to Dims's, going back to your example of pod security policy and Gatekeeper, SIG Security might do some of the work to say, well
G
This is how we recommend using these things, and go to kind of bring those recommendations to SIG Auth and figure out, what is the recommendation? How does it connect to pod security policy? And kind of piecing that together, and then also bringing it to SIG Node and kind of say, are we actually looking at, are we looking at the right set of controls? Are we missing anything? And kind of covering the bases there. Does that make sense?
H
Thank you, and one, one last thing from me, which is, you know, typically, like Tim said, we've been outward, like, we have something, how do we get the word out? How do we evangelize what we have, kind of situation. Right now, getting to the point where you're looking outside first and then bringing people in to the community, bringing operators, practitioners, that kind of people, that kind of work, which we haven't successfully done in most of, in, in some of our things.
H
I think that is a really good start, and we should definitely try to learn from what you all find out. So thanks for that. That's all I had. Back to you, Lucky.
A
I guess we have, like, 15 minutes more left. Christoph, did you have quick questions?
B
Yeah, I'll, I'll, I'll keep it quick. So the first one, so I know, we've, like, you've talked about, you've discussed this with SIG Auth, obviously, and the PSC and the working group security audit. Is there anyone else in the community, as far as, like, excuse me, other SIGs, that you have actively engaged to, to speak about this and this proposal and how it might affect them, or are those the, the kind of major players?
C
We thought we needed to talk to Contributor Experience, and we ended up getting a conversation with the member and Paris, you're here, and, and learned that wasn't, they're, that, while we know we're gonna be working with Contributor Experience as we try to help with the existing discussion forums
C
There's a Slack channel, there's a Google group, that's just, you know, that's part of what contributes to, what Contributor Experience manages. So we know that we need to pull them out of our, we need to pull that line out of our charter, but otherwise those are the ones that I know of. Obviously we talked about, Tim, right? Right.
C
We've had some, we've had conversations, we've had conversations with SIG Docs, and that, and that resulted in a couple leaders in SIG Docs helping on, helping to write this charter and this letter.
B
Great. So two other quick things. One thing that I see, I know a part of the project that I know is neglected that this, that may actually be a decent match for SIG Security is the, the CI around our security fork.
B
It was SIG Testing that handled it for a while and then it just kind of got neglected, and it kind of feeds into one other point that I see as a potential benefit of creating a larger community of, of folks that are interested in security and having, like, a place for them to gather, is, you know, there's lots of parts of the project where we need to develop kind of like a trusted ladder of folks to, to get involved in parts of the project. You know, the PSC is, is definitely one, and the PSC has kind of developed the associates program to kind of, kind of groom
B
Some trusted folks up into potential future of PSC roles, but we do the same thing in, like, the, the infra working group, or, you know, ContribEx and Testing, where you're administering different tools, but you need to, like, we don't necessarily want to bring a brand new contributor, you know, right off the street and be like, okay, here's the keys, you know, don't crash the car. So developing a trusted community of folks who are both interested and giving them, like, an opportunity to, okay
B
Here's
how
we
can
build
some
trust
between
like
the
community
and
you
as
an
individual
contributor,
so
that
we
can
trust
you
to
give
you
keys
to
certain
things
to
help
out
with
pieces
of
the
puzzle,
like
you
know,
if
we're
at
a
point
in
time
where
we
don't
have
any
like
active
security
like
vulnerability
like
embargoed
vulnerabilities
that
are
being
actively
worked
on
in
our
security
fork,
it'd
be
a
great
opportunity
for
some
folks.
Okay,
here's
some
keys.
B
Our
security
fork,
help
us
fix
the
CI
here
and
put
in
some
work
to
like
get
our
get
the
CI
automation
working
better
with
our
security
fork.
So
when
we
do
have
an
embargoed
vulnerability
come
up,
we
have
you
know,
testing
and
that
kind
of
stuff
around
it
like
filling
in
some
of
these
gaps
would
be
useful
and
having
a
collection
point
for
folks
to
kind
of
come
into
the
project
and
say
I'm
interested
in
these
security
pieces.
How
can
I
build
trust
within
the
security
community
and
Kubernetes?
B
I
see
that
as
a
benefit,
so
those
are
just
kind
of
a
couple
talking
points.
I
want
to
bring
up
things
to
throw
out
to
think
about,
but
I
also
just
wanted
to
say
thank
thank
you
all
for
doing
the
legwork
that
you've
already
done
before
you
bring
this
proposal
to
us,
because
it
makes
it
a
whole
heck
of
a
lot
easier
on
us
when
it's
like.
Oh
there's,
there's
so
much
data
here
we
could
just
you
know.
Most
of
our
questions
are
answered
somewhere
in
this
documentation.
B
C
Yeah
we
had
a
when
I
brought
when
I
or
when
we
brought
this.
We
brought
these
these
pull
requests
and
started
engaging
with
with
members
of
steering
some
of
you
said.
Well,
we've
got
a
whole
bunch
bunch
of
people
out
of
the
office.
We
can't
give
you
an
answer
back
this
week
and
and
we're
like
we've
been
working
on
this
for
a
bunch
of
months.
It's
it's
fine!
C
If
it's
late
a
few
weeks,
this
is
this
is
yeah
we're
trying
to
bring
you
something:
that's
that's
fully
baked
and
that
can
get
and
get
tweaked
by
steering
by
interactions
with
community
but
yeah.
So
yeah
thanks
a
lot.
A
Cool,
so
next
steps,
I
guess
steering,
can
I
think
we
it
still
be
useful
to
just
go
through
the
pull
request
and
then,
if
steering
members
are
good
with
it,
we
can
just
start
our
LGTMs
and
get
it
merged.
Sound
good?
C
H
B
Going
over
going
over
all
those
documents
and
then
think
we
should
probably
add
this
to
our
agenda
for
our
private
meeting
in
two
weeks
and
see
if
there's
any
last
comments
on
the
steering
side
before
we
go
forward.
C
Yeah
you
all
have
given
us.
We've
approached
you
and
asked
questions
and
just
been
really
friendly
and
helpful.
So
thanks
we'll
be
so
for
those
for
those
next
two
weeks,
while
you're,
while
you're
while
you're
reading
what
we've
written
and
after
that,
when
you're
discussing,
we'll
be
available
to
you,
you
can
grab
us
in
Slack
most
easily
and
and
we'll
toss
you
a
message
in
your
public
Slack
channel
that
just
kind
of
tell
you
some
some
of
our
volunteers
who
are
on
ship
to
to
answer
questions.
F
The
working
group
security
audit
Slack
channel
is
where
a
lot
of
us
are
that
we're
also
available
via
DMs,
obviously.
A
Thanks
everyone,
we
do
have
10
minutes
more
left.
I
had
a
bunch
of
items,
but
I
think
we
can
like
discuss
those
later.
Paris,
you
had
a
few
things
you
wanted
to
discuss.
I
I'm
getting
out
my
agenda
document,
that's
in
my
800
tabs
hold
on
okay.
Here
it
is.
I
got
it.
Let's
see.
I
Annual
report
CNCF
update
and
then
just
an
FYI
pull.
So
I
guess
let's
talk
about
just
working
group
stuff
I
just
want
to
see.
Is
anybody
having
any
issues
with
working
group
annual
reports,
I'm
getting
those
in
talking
to
your
folks.
I
Anything
like
that
more
like
a
general
discussion,
nothing
serious
or
do
they're
technically
due,
I
say
due
with
bunny
ears,
technically
due
at
the
end
of
the
month.
Has
anybody
gotten
any
any
reports
back
yet
for
review.
E
Hey
Paris,
working
group
IoT
Edge
meets
once
a
month,
so
I
hadn't
engaged
with
them
until
the
12th,
which
is
their
next
meeting.
So
I'm
the
only
thing
I
was
thinking
was
given
some
working
groups'
cadence
of
meeting
is
if
we
thought
we
could
get
everything
collected
by
the
end
this
month
or
not.
But
beyond
that
for
myself,
I
don't
have
more
to
report
than
that.
H
B
Component
standard
really
took,
took
and
ran
with
it.
I
believe
we
actually
already
have
a
draft
into
steering
private
to
look
over.
I
haven't
I've
skimmed
it.
I
haven't
read
it
over
in
like
too
much
detail,
but
they
they
really
like
ran
with
this.
I
was
very
happy
to
see
that
policy
I've
engaged
with,
but
contact
has
been
a
little
bit
more
sparse
there.
I
need
to
go,
follow
up
with
them
and
poke
a
policy
working
group,
some
more.
D
You
probably
saw
an
email
from
multi-tenancy.
There
was
just
some
splits
about
who's
doing
what
and
how
to
do
that.
I
still
need
to
respond
to
multi-tenancy.
I
have
a
draft
from
API
Expression,
so
I'm
working
through
that
with
them
so
everything's
on
track.
There's
just
a
few
questions
which
I
think
multi-tenancy
kind
of
speaks
with.
Maybe
we
can
add
some
clarifying
points
about
who's
doing
what
and
what
what's
public
and
private.
So
I'm
trying
to
tease
that
out.
I
have
a
thread
going
with
multi-tenancy.
I
D
J
I
Is
your
on?
Let
me
look.
D
I
J
Everson
is
fine,
so
if
you
have
any
specific
topics
to
discuss.
J
I
think
the
only
topic
that
is
hot
on
the
TOC
plate
that's
related
to
Kubernetes
stage
3s,
but
I
assume
that
you
already
had
some
discussions
with
TOC
directly
and
currently,
all
the
conversations
are
happening
in
public
on
the
CNCF
TOC
threads
so
feel
free
to
jump
here
and
share
your
opinions.
They're
pretty
hot
threads,
so
draw
different
thoughts
about
it.
So,
let's
take
a
look.
I
Thanks
for
that
heads
up
er
from
my
side
from
contributor
strategy,
there
is
tons
of
stuff
that's
going
on
with
recommendations
for
requirements
stuff
that
we've
kind
of
hit
on
previously
things
like
the
multi-org,
what
used
to
be
known
as
the
diversity
requirement,
but
it's
really
about
multi-orgs
and
what's
required
there,
that's
still
in
discussion.
I
know
Alexis
had
the
proposal
for
if,
if
not
this,
then
that
kind
of
like,
if
not
you
know,
multi-org,
then
steering
committee
kind
of
governance
structure.
I
That's
still
in
discussion.
Dims
actually
brought
a
great
idea
about
badging
for
governance
to
the
to
the
sig,
for
the
CNCF
contributor
strategy
strike
a
sig
recently,
we're
actually
going
to
run
with
that.
So
we're
doing
a
lot
of
work
with
badging,
so,
for
instance,
on
the
readme,
it
would
say
steering
committee,
yes
or
you
know
more
than
fifty
percent
multi-org.
Yes,
you
know
kind
of
very
similar
to
you
know:
security,
badges
and
everything,
and
all
the
other
badging
that
you
all
are
familiar
with.
I
So
we're
running
with
that.
Let's
see
what
else!
Oh,
we
did
there's
also
a
project
template
repo
going
on
there's
tons
of
stuff.
Any
questions
in
that
realm
that
y'all
want
some
clarity.
I
H
Yeah,
what
threw
me
off
there
was
like
you
know
why
single
vendor
is
okay.
Is
that
good
or
bad,
or
you
know
that
was
basically
what
triggered
me
to
jump
in
there,
but
so
yeah.
H
Yeah
Ihor,
I
did
have
a
question
for
the
minikube
folks.
Do
we
expect
it
end
of
this
month
or
something
the
the
funding
for
the
AWS
credits
for
minikube.
K
I
hope
so
so
I
submitted
a
request
to
AWS.
J
A
few
weeks
ago
should
be
processed
during
during
some
time,
so
I'm
regularly
poking
them,
but
it
may
happen
that
you
know,
like
sometimes,
credits
are
not
allocated
immediately
but
yeah,
I'm
treating
that
because
not
only
minikube
is
blocked,
but
also
some
some
other
projects
are.
I
D
I
H
Oh,
there
was
one
more
funding
stuff,
sorry,
one
more
funding
stuff
which
was
in
the
email.
I
hope
you
all
caught
it,
the
Google
funding
stuff.
You
know
the
grant
from
Google
will
last
till
July
next.
So
by
the
time
we
need
to
find
a
figure
out
a
way
of
either
extending
that
or
coming
up
with
new
sources
of
funding.
So
I
hope
you
all
caught
that.
A
Yeah,
I
think
the
next
step
was
that
hawken
was
going
to
present
something
to
Priyanka
and
us
and
our
Priyanka
will
is
gonna
follow
with
us
something
and
that
cool
we
are
time
so
last
call
for
anything
pressing.