From YouTube: Harbor Community Meeting 20191009 - Americas Time zone
A: All right, hello, everybody, and welcome to the CNCF Harbor meeting. This is the afternoon meeting for most of the folks in the U.S. This is the 9th of October, and as always, this is a recorded meeting, so please adhere to the CNCF code of conduct.
A: Some of the items that I talk about in the security policy for Harbor include everything from the ability to register if you're a distributor of Harbor, as well as, if you're a maintainer like, for example, Nathan and me, we also get the ability to have some information around when CVEs are discovered by either internal or external parties.
A: But you know, Nathan, that's also part of our maintainers, has seen some of those updates, and as we are able to surface them out to our users and the bigger community, we will educate everybody there as well. But make sure you read this. This is the github.com/goharbor/harbor security policy URL; go ahead and check it out and find out how Harbor intends to react to CVEs and security vulnerabilities.
A: The releases that we support are the last three minor releases, and those are the ones that, as CVEs are found, we go back and patch those three versions of Harbor, so we are following a process very similar to other CNCF projects. So this is nothing new. It was just an opportunity for us to make sure we solidify our process and our disclosure process and educate everyone that works on Harbor on that. Cool. That was the first thing I wanted to mention.
A: The second item is we're getting into the middle of the execution mode for 1.10. As you guys are aware, we're trying to ship a release candidate of 1.10 at or near the KubeCon US time frame, which starts on the 17th of November. So it's a fairly shortened cycle, but even though it's aggressive, there was some long-standing work that started from as early as July that will land in this cycle.
A: So we feel confident that we should be able to meet our dates, but should anything surprising come up, we'll obviously educate you all on this community meeting as well as Slack and the CNCF list, and through our blog and Twitter account. Just to give you guys a very quick highlight on some of the features that we have committed to: if anyone is interested in each of these features, there's very likely a PRD, which is a product definition document.
A: That's included, and it kind of outlines in deep detail what the feature will entail and how you can use it. So, for example, let's take one of these features, which is the limited guest role. So if I open this up, one of the things that's included here is a PRD that's written by the product management team that works on Harbor, specifically Alex and myself, and it includes a fairly detailed plan on how this feature is going to be implemented.
A: The different investments we're making, pros and cons, and things that are non-goals for that scenario. So, you know, since we're going to go through some of them, I might as well start with this. But if you see this feature, we're introducing a new user role in Harbor called a limited guest, where the purpose of introducing this is to give this user limited access into Harbor, because that's the type of user that's going to be using a multi-tenant project.
A: So imagine you're a distributor of Harbor and you're a hoster, and you're creating a project where you're going to have multiple end users from different companies, but you don't want them to be able to see each other. So notice here how seeing a list of project members is a capability of a guest user in Harbor, but not the limited guest. Same goes with being able to see a list of project logs. And think about us
A: enhancing this limited guest user in the future, and maybe even removing API and UI support, so what's going to end up is that you're going to have this user that behaves very similarly to a robot account, where he's only able to push or pull images, but you can also use that user through our identity federation, so you can have the same account span
A: multiple projects, because he has a federated identity in OIDC or LDAP, but at the same time he doesn't have any access in terms of API or UI, so that you can kind of lock down your instance of Harbor. So these are some of the things we're working on, but the first step here is to introduce limited guest, which is some limited permissions within a project.
A: This is basically a CNCF guideline that enables projects to get silver or gold status by adhering to a certain set of programming methodologies, security policies, and capabilities between the products, from logging to CI/CD. So we as Harbor have been meeting most of them, and there's a few things that are missing and we're working on them, and the goal is by the RC time frame to meet all of the needs of the CII silver status, so we can apply for it and gain it for Harbor. I'll leave this
A: for last. We are adding robot token expiration capabilities, so we're enhancing those; some of our users have asked for this, so we're enabling them to control that. And the next feature is the replication of the signing capabilities. If you guys remember, we kind of talked about this maybe a little over a month ago: if you set up a project in Harbor to be replicated from instance A to instance B,
A: one of the things that is not persisted through the replication is the signing, so the Harbor community has been working with the Notary and the Docker folks to figure out how we can enable this in Harbor. This is a long-standing commitment. It's not something we want to be delivered in 1.10, but we started working on it so that we can deliver it in a subsequent release. This is not just the Harbor team that needs to basically do work here.
A: It involves a lot of work in Notary and Harbor and Docker, sorry, so just letting you guys know we're tracking on this, and we're not the only ones that are affected by this issue here. So, as we have more data to share, we will do so. At the crux of this problem, the issue is that the signing of the images in Notary includes the URI of the hosting of the image, and that's what breaks when you replicate the images, so it's a pervasive problem across other tools that have replication.
A: This is going in line with some of the investments that happen in Kubernetes and creating an operator for Harbor, so that it will allow our end users to be able to stand up a Harbor instance, including HA Redis and HA PostgreSQL, as well as an HA installation of Harbor and its compute nodes, all from the Kubernetes operator model, so that it gives easier access to Harbor to an ops team: everything from monitoring to deployment to out-of-box experience.
A: We're also going to allow the robot account to delete images in a project, a simple enhancement also asked for by end users, so these are enhancements to robot accounts, and we're also continuously enhancing webhooks. So I'm going to click on that so I can show you some of the webhooks that we're enhancing with 1.10. Specifically, some of the capabilities that we've added in 1.9 are like tag immutability and tag retention.
A: They did not have webhooks when we introduced the features, so now we're going back and kind of completing the lifecycle and management of these features by adding the ability for operators and administrators to be notified on different events that happen in those features. So, for example, if you exceed your project quota now, you can configure a webhook so you can be notified when an image or a chart gets pushed to your project and it exceeds the quota.
A: And last but not least from our features is immutable repositories. We're going to create a language very similar to how we've done tag retention that allows an administrator of a project to identify either a single image or a repository, or even an entire project, as immutable.
A: What we mean by immutable is that once you publish an image into Harbor, you can no longer change it. So think of me publishing the Redis version 1.2 image. I don't want anybody else in the project, whether they have privileges or not, to go and modify that 1.2 image. So for compliance reasons, I want that image to stay immutable, and if I want to patch it, then I have to create 1.2.1 or 1.3, for example, but I'm not able to change that immutable repository.
A: So this enables operators that basically create a major release of the product to go back and define it as immutable and protect themselves from anybody, whether a bad actor or something that happens by accident, overriding that image, so that their end users or developers that are deploying these images in production can stay confident that the image that they are deploying is the right one that was published originally by the CI/CD
A: pipeline. The next one is not necessarily a feature of Harbor, but we are underway with a security audit, so there's a third-party company that's sponsored by CNCF called Cure53, and they're doing a security and penetration testing of Harbor. They started three days ago and they've already started identifying some issues or some areas where we can go and improve Harbor.
A: Once the process is complete, the maintainers of Harbor will sit down with the Cure53 team and talk about areas that we need to tackle immediately in improving Harbor, and eventually we'll publicize the report in the open for everybody to see. The reason that we're not disclosing everything right away is, for obvious reasons, if there's a critical vulnerability found in Harbor, we want to give the team the opportunity to go and fix it immediately before any bad actors get an opportunity to view it and act on it and take advantage of Harbor.
A: There's also one more minor feature, which is to allow users to create and submit their own CLI secret. That was also asked for by users. Today, when you have an LDAP or an OIDC account in Harbor, we allow you to create your own CLI secret. Sorry, we allow you to create a CLI secret, so you can interact with tools like the Docker client and the Helm client.
A: But what if you wanted to have an external process or an external vault where you wanted to tell Harbor what the CLI secret needs to be and have Harbor respect it? That's what this capability will enable. As you see, 1.10 is packed with lots of small features and one big one, and that's the one I mentioned earlier, which is the pluggable image scanning work.
A: That's part of the interrogation service that we're creating in Harbor, or essentially, we are allowing any third party to come into Harbor and extend it using their own pluggable scanner, so that if you don't want to use Clair as your static analysis tool, you'll be able to use Aqua or Anchore, and in the future you can think of additional companies coming in and introducing their scanner.
A: You guys are a very quiet audience today. So what I'll do next, since we have a few more minutes left, is
A: I will go ahead and show you a sneak preview of the capabilities of Harbor with this pluggable scanner work that I mentioned earlier, and I want to make everybody aware that on the 15th, which is next Tuesday, Harbor will be on the CNCF webinar list, and me and Liz Rice, the chair of the TOC committee in CNCF, are going to talk about this capability, since her team (she works at Aqua) is part of the team that's enabling this capability in Harbor.
A: So let's get started. So the first thing here, you're seeing an early preview of a build of 1.10 for Harbor, and one of the things you notice here under the configuration tab is a new area called scanners. So here you have the ability to register a new scanner. So if your team has developed a scanner, you can provide the name, description, an input URI, and how authentication will happen, so, for example, basic authentication with a bearer token or API key.
A: You get to introduce the scanner and test the connection, similar to how we do replication with third-party providers, so very similar UI here and model, and once you do, your scanner gets listed in this area. So today, Clair is the default scanner that ships with Harbor. Think of this as batteries included. When you get Harbor out of the box, Clair is the default scanner that we've had since the beginning of Harbor, but now you can add Trivy by the Aqua team, or Anchore.
A: So I can actually expand this and see that the Trivy scanner is enabled here by Aqua Security. I see their version. I see the MIME types that are being supported, as well as the URI that the Trivy scanner is enabled at. I see that it's healthy, and then I can see the same thing for the Anchore scanner as well.
A: So both of these scanners are going to be the first-generation scanners that we're going to ship in Harbor. Now, let's go back to a project and see how I can utilize one of these scanners. So I have this project called scan here, and if I click on the scanner, you'll notice that I have Clair configured as my default scanner for this project. So it's healthy, I have the endpoint for it, and, you know, the vendor here is CoreOS.
A: So let's take a look at one of our repositories. So this is a golang image, and notice that it has a tremendous number of vulnerabilities here. They have some highs and medium, some low, and notice here that one of the other things is that, with this new pluggable scanner, we're introducing a couple more categories like critical CVEs, as well as unknown CVEs, and negligible was always there. So now you actually get higher fidelity of categorization of the CVEs within Harbor.
A: We do have some bugs in this whole integration, so don't hold it against us; we're early on in this process. But you know, I want to just give you guys a sneak preview here. So now, the Trivy scanner is healthy. So let's go ahead and go to our repository here.
A: And I want to go ahead and get the scanner to work here. So now, when we scan an image by a pluggable scanner like Trivy or Anchore, they gain control of the image, so they have access to the image and repository in Harbor, and then their own engine, that's basically published at the URI I mentioned, is to scan the image and return to Harbor a predefined set of JSON
A: that basically describes the security posture of that image, and this is what Harbor gets to interpret later on and display these vulnerability guidelines, and ultimately you're getting a yes or no pass of whether your image is vulnerable or not, based on the policy that you have set up for your project. So, for example, in your project, you say I want to enable an image to be pulled if it has anything below a low CVE
A: vulnerability, or you can say, I don't want you to be able to pull an image that has a critical CVE. So you get to define the policy that dictates what images can be pulled, so you can protect yourself from vulnerable images being pushed to production, and then these pluggable scanners, between Clair, Trivy and Anchore, get to give you that answer: do you have CVEs or not, and at what severity level.
A: So now, if you see, the Trivy scanner finished very quickly and it discovered 11 critical, 10 high and medium vulnerabilities. This is a different set of vulnerabilities than Clair, because some of these different scanners do go and check different databases, and this is where we're giving choice to our Harbor users, where they get to actually pick the scanner that makes the most sense based on the workloads they're running.
A: If they're running Alpine or they're running a different version of the Linux distribution, they can pick the scanner that meets their needs so that they can get the best information around vulnerability scanning. So notice now how Trivy was able to discover a much bigger range of vulnerabilities on my image, and it gives me as an operator a better report and information into the security posture of my image. And I can click on this and see a more detailed view of the vulnerabilities.
A: So I get to see here, you know, all the information that Trivy returned back for me, and that's it, that's all I wanted to show you guys, and I wanted to leave the last three, four minutes for questions. Any questions on some of this work? By the way, me personally, I'm super excited about this. This is a huge, huge step in enabling Harbor to play better together with other ecosystem tools in the CNCF, a bigger umbrella, and we're adding significant value to our customers.
B:

A: We've worked on, negotiated on a spec between us. I don't think there's a public specification on how this could happen today. Unfortunately, the description of the CVE is: we're adhering to industry standards there. But you know, the communication between Harbor and those things is something that we've.
C: I just wanted to say: can you have multiple scanners scan an image and then aggregate those results back?
A: We've actually thought about that, and I want to mention where the vision is of the interrogation service. So the interrogation service is a service that we're enabling so you can add multiple third-party components that can scan your images for things like license checking, static analysis, dependency.
A: If you want to aggregate results across them, then you can create a rule language that says, based on those counts, what is acceptable policy for an end user to pull an image. For example, if you fail the license check, do you still allow them to pull an image? If you fail the security check or the static analysis, do you allow them to pull an image? So because it has all these other implications in terms of the policy language that we need to create, we were not able to tackle that in 1.10, but that's coming.
A: So if Harbor is going to be the one where you pull the image from, it will certainly prevent you from doing that, but I think a bigger problem there is what if you have vulnerable images. Let's say, for example, I'm sorry to be picking on Redis. Let's say you have Redis 2.1 deployed in your Kubernetes cluster, and then Harbor runs this nightly scan and discovers new vulnerabilities in Redis.
A: One of the things that we thought about doing, but we haven't gotten a chance yet, is to create an admission webhook or something in Kubernetes, maybe a Sonobuoy plugin. Sonobuoy is a conformance OSS tool that you can run in a Kubernetes cluster that will let you know that you have an active image being deployed that Harbor has detected a vulnerability in.
A: Good, I think I have a question here from Alex in chat. He's loving Harbor. Awesome, love it, Alex. We love it as well, and you're looking forward to 1.10. So do we. Is there an estimate when the stable release of 1.9.1 will be available? We're thinking that we will deliver 1.9.1 on the 24th of October.
A: That's kind of our estimate, plus or minus a couple of days, but I think we'll hit that date. And are there any plans to support pushing and pulling Docker plugins?
A: We are trying to think about adopting. We're actually involved in the OCI registry discussions, and we're trying to figure out how the bigger community will incorporate additional artifacts into the OCI registry. Beyond images and Helm charts, you can think of other things, right? You know, there's Docker plugins, like you mentioned, there's CNAB bundles, there's operators, there's all these different artifacts in the cloud native ecosystem that make sense to be pushed into Harbor, because you immediately get all this other policy around it, right: compliance, RBAC, quota policy.
D:

A: All right, then, we have about a minute left. One of the other things that I want to mention is that Pivotal Network has made some announcements around what they call Pivotal Network Registry. That's basically being built on top of Harbor, so that's actually one more commercial distribution of Harbor out there, so we're really excited that we got to work with them, and they're enabling registry capabilities in the Pivotal Network directly, so cool stuff there.
A: So if you use a lot of Pivotal, that's something that you, and I believe that team is going to come to one of our CNCF community meetings and demo that work at some point as well.