Well, hello everybody. You know, good morning, good afternoon, good evening, good wherever you are, whatever time of day it is. It's great to have you here. As you hopefully know, this is the KB Insider program, where we try to get a sense of what's going on in the Kubernetes community going forward. And apologies, apparently my video is a little laggy today, but you know, maybe I look better fuzzy, who knows. So I'm Langdon White, formerly of Red Hat and now a university professor at Boston University, talking mostly about data science and computing and trying to open up our world to people who are generally underrepresented or underserved in the tech community, as a primary goal. So with that, I'd like to introduce Josh Berkus, my co-host for the show, and then we'll introduce our guest.

Yep. Hi, I'm Josh Berkus. I'm at Red Hat's open source practice office, where I work on Kubernetes and some other related cloud native projects. And in that role I have been on many video calls with today's guest, Liz Rice, mostly in her capacity as chair of the CNCF Technical Oversight Committee. But there were many reasons why we wanted to have her on the show, not just because of her role in the CNCF, but also because she is a container security expert, which is what we were talking to her about on Tuesday when we lost the stream. So welcome, Liz.

Hi, thanks for having me.
Thanks for having me again.

Yes. So when the stream dropped on Tuesday, we were talking about eBPF, which is what you're working on now at Isovalent. And particularly we were talking about how is the isolation that eBPF provides different from the isolation that people might be used to from, say, virtual machines?

Yeah, so I think sometimes this can be quite confusing, because people talk about eBPF as a sandboxing technology and people talk about containers as a sandboxing or isolation technology. And it's true in both cases, but they're really quite different, and they're sandboxing for very different reasons. So when we talk about containers, we're talking about isolating our application code and stopping our applications from kind of stepping all over each other. With eBPF, what we're doing is running custom code inside the kernel, and you can have multiple different eBPF programs inside the kernel at once, but that sandboxing is more to do with making sure that those programs are safe. I mean, I suppose it's similar in both cases: we're trying to say these programs have to be safe and not interfere with each other. But in the case of containers, they don't have any awareness of each other at all. When we're talking about the kernel, this is much more about extending functionality inside the kernel and running bespoke capabilities within the kernel, and doing that safely.

Okay, but I guess my question is, you know, say I'm running the current kernel, or maybe a future kernel, because I know that eBPF features are still under development, and I get used to Cilium and a whole bunch of other eBPF tools and that sort of thing. Can I isolate a process running in one container as much as it would have been isolated by virtualization technology, assuming I flip all the switches, right? Because that's always, right, the concern with containers running on the same machine, right?
Is that it's not that same level of virtualization out of the box?

Exactly. Out of the box, right?

Yeah, they can effectively exchange kernel calls.

Yeah. So when we talk about a host machine, if we're talking about a virtual machine or a bare metal machine, it's got a kernel, and there's only one kernel, however many containers we're running. They're all sharing that same kernel, which is very different from, yeah, the virtualization world, where each virtual machine running on a physical machine has got its own kernel. So the isolation is very different, and in the container world that shared kernel is kind of the reason why some of the kind of old-school security issues, I'm saying old-school like, you know, two years ago, security issues with ancient, you know, there's a shared kernel, there's a shared root. You know, root in a container is root on the host.

I would say it is old-school, having once upon a time worked on VMS systems. So some of the security problems are very similar, at least in outline. Although I think VMS is the only operating system, I think, that never had a virus. There's like some legend of that, but it's also kind of like, why doesn't Linux get all that many viruses, you know? Because the attack surface might not be that bad, but there's not that much value to writing viruses.

It's a lot harder to infect something with a virus when it has to be hand-carried there on mag tape. Right.

But yeah, we're seeing, I don't know, a lot of that kind of throwback thing, right? Is that in a lot of ways containers are very, very similar to the mainframe, you know? And so it's really kind of amusing when we just kind of, you know, it's intact. We seem to kind of go full circle on the regular, right?
And it just gets easier and cleaner and, you know, a little bit more efficient and things like that, but we kind of keep reinventing a thing and it's all this brand new excitement, but in fact it's the same, right? At the end of my, my very first job after university was doing like SNA emulation, sort of simulating all these like 3270s, and even punch cards, like we were emulating that on what was then Unix, different Unix systems. So yeah, it's kind of, I've never actually worked with a mainframe, but I had a lot of experience many years ago with like those SNA protocols.

Yeah, my exposure was wrapping them so they could be called from Java, not, you know, versus actually doing anything with the mainframe per se, right? You know, so yeah, it is very interesting. But kind of going back to eBPF, you were talking about, you know, there's only one kernel, right? And I think we talked about it a little in our podcast there. You know, as of today, root has been kind of broken up into these multiple roles, and so you have what they call, yeah, capabilities. I was like, compliance, no, that's not the right word. But they have, you know, different capabilities now that you can allocate, and I think eBPF is kind of more in the same vein, of like you can kind of say, okay, now we can sandbox these things and we can separate them off from each other, thereby making the overall system almost more multi-tenant, as much as more safe, you know?

That is true. I mean, capabilities allow you to be more fine-grained about who has which different permissions. But I think once we get into the world of BPF, we are... I mean, there is a BPF capability.
So if you have CAP_SYS_ADMIN, that includes CAP_BPF, but you could have that smaller surface, just have permission to load BPF programs without having all the other sys admin privileges. But once you've loaded that program, and if it is safe to run and it passes the verification and it's, you know, not trying to stamp over the wrong kind of memory or anything like that, if it's safe, then that BPF program can be basically all-powerful. You know, it can see... So we attach BPF programs to events. An event might be a network packet arriving, or a particular function call inside the kernel code, or a tracepoint, or even user space functions we can attach to. And it really doesn't matter what it is that triggers that event. It doesn't matter which application, doesn't matter which process it is; if that event gets triggered, that BPF program is going to run. So it gives us this very powerful tool for knowing what's happening in a system. If you want to write an observability tool, BPF is incredible, because you attach that BPF program to the event you want to observe and you see it, not just for new processes, not just for new containers, you know, for everything that starts calling it, your BPF program can be triggered. Incredibly powerful. Yeah. But from a security perspective, that does mean, you know, you can't just let anybody run BPF programs really nearly all over your systems. That would be pretty scary.

Right, right. I mean, as you were saying, I think last time we talked, you know, part of the challenge now is that security profiles, right, is that kind of doing those correctly?
And that's still kind of challenging.

Yeah, and I think this is a kind of usability problem for security, whatever kind of security we're talking about, you know, anything from, I don't know, dependency scanning to runtime security to seccomp profiles, to anything we're talking about. It seems like right now you have to have kind of domain-specific knowledge to know how to build that profile, and I anticipate over the next few years we'll see much more in the way of helping people build sane but powerful profiles. There are some good examples of this, like the Docker seccomp profile was a very good basis for, you know, an all-purpose or general-purpose security profile for seccomp. If you want a more fine-grained seccomp, you know, we're seeing a few things being developed with eBPF that can check what system calls your application uses, and you could use that to build a more bespoke seccomp profile. But you know, as an application developer, do you really want to have to know what seccomp is?

Right, exactly. You're a Java programmer, why should you care?

You know, so we need to make that much easier as an industry.

Right. I mean, this is one of those things where it's also very hard for a developer to be an expert in everything, right? And so if you're an expert in, you know, Java threading or whatever, it doesn't mean you're also an expert in seccomp, right? I mean, it doesn't make you good, bad or indifferent as a programmer. It's just that that's kind of where your expertise landed. And so if we can, it's almost like separation of concerns, right? It's like if you can kind of say, okay, this person knows this part, right?
And we can have them work on this particular piece. Then, you know, even if they're all equally capable programmers or whatever, you don't have to have learned everything in the entire world.

Yes, yes. And when I say Java programmers, that was just, you know, an example. Yeah, I should say everybody has specialist knowledge, and we shouldn't be expecting everybody to get specialist knowledge in every area.

Right. Yeah, I mean, you know, going back to the kind of the old school, right? It's like, in the old days I used to have to be able to change a hard drive and program and, you know, everything else. But I think the space that we live in now is so vast that you just can't be kind of a complete, you know, renaissance man, for lack of a better term, where you kind of just know everything. It's nearly impossible.

Totally. It's like, you know, just because you work in tech doesn't mean you can do like IT support for your family. Printers, for example, right?

Yeah, is there anybody who can do that? Right, particularly when they keep wanting help with their Windows machines. I don't know, I haven't used it since Windows 2000.

Yeah, I was trying to explain in a class the other day, because I know it exists on Windows, where the /etc/hosts file is, right? And I was walking away from the lecture and I was like, oh, I remember, you know, it's in C:, system, drivers, and that's where it is. But I haven't touched it in, I don't know, 10, 15 years.
So I have no idea for sure. But yeah, interesting. So let's see, should we talk about Cilium a little bit? If you can tell us a little bit more about what that project is doing.

Yeah, yeah. So Cilium has been around as a project for, I want to say since, well, 2015, 2016, something around then. And the people who created it were really pioneering in eBPF at the same time. There's a lot of overlap between people who are developing eBPF in the kernel and the Cilium maintainers, and Cilium is really about really efficient eBPF-based networking, which primarily we talk about in a cloud native context. We talk about it as a Kubernetes CNI, a networking plugin. You can actually use it outside of the context of Kubernetes as well, but certainly the majority of users, I would say, are using it in the world of Kubernetes. And I talked earlier about how we attach eBPF programs to events, and that can be network packets. Could be packets arriving at a network interface, can be packets just coming out of an application at the socket layer, and with eBPF we can essentially hook into those kind of extreme ends of the networking stack and be much more efficient about how we connect packets from one pod or one container to whatever destination it's going to, or vice versa. And we can also, as a Kubernetes CNI, have all this identity information about what is the pod and what service is that pod part of, and use that to build up connectivity information that is meaningful. Normally also, you know, traditional networking talks about IP addresses and ports, but in a cloud native world that's kind of impossible to keep track of, because pods are ephemeral and IP addresses come and go. As a human, certainly, you want to see networking flows and debugging information in some form that talks about pods, and that's something that we do with Cilium. So as well as having the connectivity, we have some observability tools
in a component called Hubble. And we're increasingly looking at how we can use that for security purposes, and we have network security profiles. There are really interesting things, because we have this visibility into not just, you know, here's a network connection that's been opened, but we can see, well, what was the process that opened that connection, and what's the executable, and what's the destination, and you know, is this executable a cryptocurrency miner? And is it supposed to be accessing that pool over there? Getting that kind of intelligence and being able to act on that in real time is, I think, well, it's why I got involved in Cilium, because, you know, it's the future of security as far as I'm concerned.

Yeah, I think you brought up a couple of interesting points there, right? Like one of them is, you know, kind of that /etc/hosts remark I just made, right? I was trying to teach a group of student developers kind of the base version of what you need to know about DNS as a developer, right? And because that's the first, yeah, it's always DNS, right? It's either DNS or the printer. But with DNS, right, it's like you can kind of know a bit about how it works and not really need to be deep into the networking to kind of get by as a developer. And I just, you know, kind of in the back of my mind while I was talking about it, I was like, wait till you get to Kubernetes and containers and that kind of stuff. It's just going to blow your mind, right? Because now you've got IP addresses floating all over the place, because all the different services are trying to talk to each other and all these things.
So I think anything that's kind of letting you think about the application in terms of an application, rather than making you think about how it quote-unquote works, is a real benefit, because it's getting so complicated to try to kind of keep track. Plus, to your point, right, it's ephemeral, so you only know it for like 15 seconds and then it's all changed again. Yeah, so it's very complex. And I really appreciate where kind of Kubernetes has been going around trying to, I don't know, up-level, you know, kind of change how you think about it in terms of the applications. You can kind of think about the application, whereas when I originally started doing containers, for example, where it was all just kind of hand put together, you lost a lot of that ephemeral benefit, because you couldn't keep track of where everything was, you know?

Yeah, yeah, for sure. I mean, orchestration is incredibly powerful in terms of, you know, running your application efficiently and using your resources efficiently, but it does create this kind of ephemeral nature and the way that things can move around underneath you. You just can't, as a human, keep track of that. You know, you have to have a higher level of abstraction, and services and service mesh is getting us in that right direction. But so, yeah, for application developers, they absolutely shouldn't have to be thinking about what node their application is running on, or, you know, network connectivity should be kind of not the application programmer's concern, right?

Yeah, yeah, completely agree. One of the things we like to ask every guest who comes on the show: so what got you into open source? Or, if Kubernetes was the first place you got into open source, what got you into Kubernetes? But really, what pulled you in about the open source world?
Like, why is that interesting for you?

Yeah. So I was really late to the party with open source, to be honest. So, I mean, I mentioned years ago working on SNA protocols, and I spent a lot of my early career working on proprietary networking stacks. And this was the early days of open source, really, and we were quite suspicious about it. It's like, how can... You know, we have all this organization around testing and development processes and design processes, and how on earth can a community of people who don't work for each other, with no hierarchy, how on earth can that kind of turn into good development practices? And it really took me years to sort of... And I think, in my defense, it was maturing in the world of open source; it sort of magically landed with people doing great engineering. And for quite a chunk of my career I moved away from this kind of networking area, was doing sort of consumer things, and working for people like Skype and working on music recommendations and working on TV recommendations. And then when Docker was first coming into prominence, I remember I was working on a startup and we were in an accelerator, and the startup next to us, who had the kind of booth next to us, their CTO was getting very excited about this Docker thing. I'm like, okay, yes, maybe we should have a look at that. And that particular startup I was working on died, but I got involved in another one, because, oh yeah, this containers thing, this is really interesting. We were doing container sort of autoscaling, way ahead of its time. And yes, seeing how much was being done open source in the container world as well.
I mean, I'd used some open source components before. I'd done a few little contributions here and there, and, you know, various frameworks or whatever, but it was much more utilitarian, and I didn't know about the community aspect. But then getting involved in containers, yeah, I discovered there was this whole world of people who got together and had really interesting conversations and were really nice to each other, and, oh, actually, this is a lot of fun, I like this world. So yeah, that kind of... And it was also really nice to get back to kind of what I call hard tech, compared to when I was doing, particularly like movie recommendations, the world of people who are not necessarily driven by tech or not necessarily driven by fact, and they want to be driven by, I don't know, the politics of how many DVDs they're selling in their particular department or something. And yeah, that wasn't me. I was much more interested in, like, well, how do things work, and how do we make them work better?

Yeah, I could totally... It was funny, like one of the drivers for me, because I used to live in Albany, New York, that's where I went to college, and, you know, my wife and I lived there, and we were thinking about moving. And I came to Boston, and what really convinced me about moving to Boston was actually hearing people on the street talking about tech. You know, it was kind of like, it's the same kind of idea, like it's really nice sometimes to be able to be in a community where people have heard of Red Hat, right, people know what Linux is, and not having to kind of bring everybody up to the level. And, you know, I don't mind doing it, you know, and I have lots of conversations. I mean, I'm a professor now, right?
Like, I don't mind explaining the things, but it's nice sometimes to be able to have a conversation where everybody's kind of already at the same level. And I think that's one of the things that really drew me to open source, in kind of the same way you're describing. The other one I was going to mention, too, is just, you know, I spent a long time as an IT consultant, right? And yeah, the fear of open source was a big deal, right? You know, we would have to get, depending on the client, but we would have to get like individual approval, because we wanted to use Apache, you know, things like that. It's a very different world today.

It was, believe it or not, in the early days of open source it was actually a lot easier in the small business sphere.

Yeah, yeah, for sure.

Because initially it was very easy to sell open source to small businesses, simply because it was inexpensive, right?

Right. They didn't, small businesses didn't care about policy or licenses or anything. They cared about how much is it going to cost to get this piece of software.

Exactly. Yeah, and it's funny because I feel like that's kind of reversed now, right? As in, the big corporations are pretty much all in on open source, even the ones who used to be proprietary software vendors, and it's a big one. The small businesses are now the long tail.
Because they're so dependent on antique vertical industry apps.

Yeah, yeah.

Yeah, I think I'm quite, maybe, idealistic about how this kind of collaboration works. And with the big companies, you know, there is some politics, and people are not doing it just out of entirely altruistic reasons. When I say people, I mean companies, you know, they're getting involved because it's going to be good for the bottom line. But I do think it's very valuable from a collaboration, like seeing advances coming from across a group of companies who've each got a pool of very talented people, and rather than having those talented people work in isolation and build the same thing, you know, five times but slightly different, coming together and collaborating on it and building something like Kubernetes and all the kind of other cloud native projects around it. That does sort of sing to my desire for things to be efficient, for people to be going, like, let's find the best way.

Well, and kind of related, right, it also gives, you know, kind of a lot of worker autonomy, in the sense that, you know, I work on Kubernetes, right? Today I work for Red Hat, but tomorrow I could go work for some other company, because I have a relationship to Kubernetes. And so one of the things I really like about the open source community is that being a participant in it gives me autonomy from whatever company I might be affiliated with. Whereas when I was working with proprietary software, I became a really good expert in blobby blah that no one else had ever heard of, right?

Yeah. And so yeah, you can't talk about it. Your name is not on any of the code, except for in some list of names, you know. And you can't tell anybody what you did, and even if you talked about it, nobody knows what it is. It didn't mean anything anyway, right?

Yeah, exactly.
Yeah, so I think that's, you know, kind of two sides of that same coin. It really does make a big difference. I think it helps the developers. And what I really appreciate in recent years, right, is also it's not just developers. We're really, really trying to push that outreach to say open source can be all the things, you know, it's documentation, but then even things like open science and open data and open hardware, which I think is all really a catalyst. And it's been really good.

Absolutely. I'm involved in an organization called OpenUK, which is pushing for the use of open technologies here, kind of somewhat towards government, but also, you know, just the broader kind of industrial use in the UK. And it's very much, it's not just about open source, it is about open data and open hardware, and like opening things up by default unless you have a reason not to.

What is currently going on with OpenUK?

Yeah, so it's a relatively new organization, I think maybe two years or so, and I've been really impressed with what has been done in that period of time.
Currently we've got an initiative going on called the Founders Forum, which is around encouraging people to start businesses, or if they're thinking about starting open source businesses, connecting them with folks who've got experience, because a lot of success in business is about contacts, and there are quite a few people here in the UK who have been involved in some interesting global businesses related to open source. So we want to try and connect people together. You know, we see really good examples of this happening in, you know, Silicon Valley, Israel; there are lots of pockets of talent where people are very connected, and that's one of the things we're trying to encourage in OpenUK. Of course, I've been doing some things around sustainability. So there's a project called Patchwork Kilt, which is really about sustainable data centers, and how you can improve the efficiency of your data center if you're not, you know... We're not telling the Googles and the AWSes and the Azures of the world how to do their data centers, but more for people who are running a proprietary business, how could they make those more sustainable? So those are a couple of initiatives. A lot of it is also just about awareness and making businesses realize that, yeah, open source software is here to stay.

Yeah, yeah. I mean, I think one of the things, you know, when I was consulting, right, I used to do some work for like state governments. And a lot of states in the U.S.
actually have a law that requires, if it's publicly funded, that it be kind of open source, in the sense that any other part of the state government can use the same software if they develop it internally. And you know, it's like one of those things where it kind of boggles my mind, right, that any kind of state-funded, and when I say state now, I mean like, you know, country or U.S. state or whatever, like how is that not by default open source? Right? Like there was a community of people who paid for this to happen. It doesn't really matter who wrote the code, you know. And it still kind of blows my mind that there's still so much proprietary software that happens in governments, you know.

Yeah, yeah, absolutely. And as you say, the data is often ours as citizens. You know, it's collectively information about us, or it's information about our streets, our addresses. You know, I'm not saying we should be opening up private information, but things like maps and, yeah, data, it does seem to make sense that it should be open by default.

Right, right. So OpenUK is taking that... Because I know the UK government has had this on-again, off-again thing with open source requirements. Like once upon a time they were one of the first, you know, leading countries to adopt OpenOffice, or to authorize OpenOffice for departments.

Yes, their productivity software.

And then they reversed that after a whole lot of lobbying by Microsoft, back when Microsoft was lobbying against open source. So is OpenUK taking on making that part of... Because I don't know where the UK is in terms of open source requirements.

Yeah, so one of the things that I think the UK did very well, I mean, obviously my perspective is a little bit skewed for being here, but quite a few years ago now, probably 10, maybe even 15 years ago, there was a thing started called the Government Digital Service, and it predates, I think it may have been
after Estonia, but probably before, you know, the U.S. And the people who set that up, they had incredibly good vision for, like, we should be doing things open by default. And they were publishing things like their retrospectives, you know, their sort of internal retrospectives, anonymized and taking out anything that was sensitive, but really even showing how the development process was working inside these different bits of government, you know, website development, things like that. And the focus on usability was incredible. And a lot of the original team have moved on and gone on to do other things, but I think it really sowed this very strong seed of, you know, the government should be building websites that people can use, and we should be using digital technology to the advantage of everyone. And you can see it in things like, you know, our tax forms. If you want to go and renew your car tax disc thing, the thing that we have to do every year, it's really simple. Or I just had to pay some tax, and there was an incredibly good user experience where I was shown, you know, logged into my account, it told me how much I had to pay, it showed me a QR code, and I scan the QR code, it takes me to my bank account, fills in all the details and says, do you want to make this payment to pay your tax bill? You know, and you don't have to type in any details, get anything wrong. It's brilliant. And that focus on usability, I think, is fantastic. And the more we can do that open source, because, you know, if that's a government thing, it's not anybody's commercial advantage. Why shouldn't I be able to pay any other bill, you know, a proprietary bill, with that same technology?
I hope I can. I hope we're gonna see that.

Yeah, so although speaking of lobbyists, you know, on behalf of proprietary software companies, there's definitely a lot of speculation, right, that the reason our tax law in the U.S. is still so complex is because of lobbying from companies like TurboTax.

It's not speculation. It's documented, but okay.

All right. I mean, as someone who briefly had to fill in some U.S. tax... Well, the comparison between what you, you know, as a sensible human being, you can do your UK tax forms yourself, whereas in the U.S. it definitely felt like we are deliberately obfuscating this so that you have to pay someone to do it. And that attitude does not seem healthy.

Right, right, totally. So I did want to ask you a little bit about your role as chair of the CNCF TOC, particularly for our audience, and we're getting towards the end of our time here. So can you briefly, for audience members who know about Kubernetes, that sort of thing, but have not paid that much attention to the CNCF... So let's say the CNCF has gone from, you know, this is the funding mechanism for Kubernetes, to this giant organization with dozens of projects. Summarize briefly what the CNCF does and what the TOC does.

Yeah, so yeah. It's a foundation, and it owns the IP. It acts as a neutral ground to own the IP for Kubernetes and all these other related cloud native projects. And I think, although it was originally set up, you know, Kubernetes was there and it was set up to be the foundation for Kubernetes,
I think right from the get-go it was recognized that it wasn't just going to be about Kubernetes, that there would be these adjacent technologies and projects that it would make sense to bring into the same organization. And that has grown and grown and grown. Kubernetes is still very much the heart of the CNCF, and the mission statement of the CNCF is about making cloud native computing ubiquitous. So I think we've achieved a lot as a community over the last, probably coming up to five or six years now, I guess, since it was created. And I think part of the success of that is that it is a community. It's got funding from and membership from all these big players and the big cloud vendors and a bunch of other proprietary software vendors who are interested in the space and have products in the space, but the attention paid to individuals and how individuals are welcomed into that community, and, like you were saying before, about having agency, being able to take your value between different employers, I think that's been so constructive. I think it's been so valuable for the cloud native industry and the ecosystem. And I don't think it's an accident that there's so much innovation and, frankly, money and investment in this whole cloud native space and that ecosystem that's been created around the science. I think that's fundamental to that.

Just speaking to cloud native development: for me, right, it's so much better. This is what I've been trying to get to for quite some time. It's so much easier. I did want to ask a little bit about what you feel the TOC's role is within the CNCF. What is it that they're trying to accomplish, in a sense?
Yeah, so the Technical Oversight Committee was kind of created as part of the initial creation of the foundation, and the idea is really that the technical governance should be separated from the people who write the checks. The TOC is now 11 people. It was nine when I first joined it three years ago. There are limits on how many people can represent different vendors and so on, and it has representation from the governing board and from the maintainers and from the end user community. And it's really intended to ensure that the projects that we bring into the foundation are cloud native, and to encourage collaboration and good interfaces between those projects. It's always good to see projects that interface with each other in a meaningful and helpful way for users. And it's supposed to be about a bar, not just for technical capabilities, but also that it's well governed and that it is vendor neutral. We're hoping for all these projects to be vendor neutral, although we encourage vendors to be involved.
We want that kind of nice balance between vendors who have a good commercial reason to be involved in these projects but also don't dominate it, such that, you know, you can use Kubernetes today without paying anybody to do so. If you have a compute platform to run Kubernetes on, you can do so. But there may be reasons why you want to pay for some value add around it. And I'm just using Kubernetes as an example. So we try to make sure that there is that balance of a healthy ecosystem, but that the technical bar and the projects are sound. One of the main things that the TOC does is assess the maturity level of different projects, between what we call sandbox, which is really early-stage experimentation, through to incubation and then graduation. And when we graduate a project, we're really saying we've done a lot of due diligence on this, and this project is really ready for everybody who is interested in cloud native to make production use of it.

Production use, yeah.

And that it's been de-risked as far as makes sense for use in a wide range of enterprises. So things like how stable its governance is, but also, has it been used at scale and has it been used reliably? Are there end users who are willing to come and talk to us about their experiences and tell us, yeah, it works up to some arbitrary measure of scale for a given project? So the TOC is supposed to, I think there's a phrase about senior engineers, supposed to bring some experience of seeing open source projects run in the real world, and understanding how that landscape fits together, and understanding what cloud native means, which is kind of easy at a superficial level and then can actually turn into quite a difficult question when you're looking at a given project and saying, well, is this cloud native?
Yeah, and bringing that judgment. Particularly the first year I was on the TOC, there was a lot of pressure for the TOC to, or I think the community, completely reasonably, wanted more transparency over how the TOC makes decisions. And the balance we were trying to achieve there was, well, this can't be a box-ticking exercise, because if it becomes a box-ticking exercise, people game that, and they will just tick the boxes, but it doesn't mean to say that they really are a mature, production-ready project, or that they really are cloud native. So we've always had this... Alexis Richardson, who was the original chair of the CNCF, has a really good analogy that the TOC is like the Supreme Court, in that you're kind of making up the law, but, you know, you're making judgments, and that kind of sets precedent going into the future.

Well, and in the Supreme Court analogy, it's also almost as important the judgments you don't make, or you don't take up, right? Which I think is also kind of interesting, where you kind of say, let's wait and see, right? We don't necessarily know if we want to make a judgment on this at this point. I think that's also a tough call. I think what you're also kind of alluding to here is that this is one of those places where the experience is required, right? It's very hard to articulate, after I've been doing this for 20-something years, why I can look at a project and be like, that doesn't seem like it's gonna go well, right? And another one, which on the face of it doesn't seem like it's great, I can kind of dig into it a little bit and be like, oh no, there's some solid bones here. It just needs, you know, half the time
it's poor communication that's usually the problem, right? So I think that's kind of that senior engineer part, right? It's really the experience with working in a cloud native world, as you said, working in the real world, rather than just in the abstract, that really can bring to the table a good ability to judge how things should work. So I appreciate that. I mean, that's a very hard thing to do, especially consistently. And I think that the people who are the best at it are also the most nervous about being wrong.

Yeah, and sometimes you're aware that the decisions that we make can have a real effect on people and companies. Sometimes people are suggesting projects maybe not with completely the right motivation, but they're still individuals, and you're a little bit conscious that something that seems like an easy decision, yeah, I will accept that into the sandbox, could affect people's lives. Not quite the same way that a supreme court affects people's lives, but we shouldn't take those decisions overly lightly, particularly when we're talking about things like incubation, where the CNCF starts funding marketing and all kinds of additional support for projects that cost money, and resources have to be spent. Fortunately the CNCF is a well-funded organization, and the members, the companies who are paying the fees, are I think very supportive, and the governing board is very supportive of that for projects. But my term on the TOC is about to come to an end.
I'm wrapping up after three years. So, yeah, it's certainly been a real privilege, and I'm kind of interested to see how it...

Yeah, I am not looking forward to you stepping down from the chair. You've been a phenomenal chair and kept things moving when a lot of arguments and other things have tended to bog down, and I'm really gonna miss that.

Well, I hope that over the last few years we've shown how it can work in a kind of constructive way. That was one of the things I really wanted to bring into it. I think there had in the past been times where things had gotten into a bit of a logjam, and fighting about things was never going to break that logjam. We needed to find common ground and ways to break through, ways to get the process moving, and get more people involved to get more opinions. So, well, thank you very much for those kind words.

So, from the insider perspective, what are you, I hesitate to say most looking forward to, but what are the kind of upcoming decisions that you feel are going to be on the table for the TOC, for the CNCF, that you're most interested in, whether that's because they're good or because they're bad or because you just don't know which way they're going to go? Can you tell us a little about what you're seeing in the pipeline?

Yeah, so one thing that has been kind of in the room for a while and will continue to be in the room is: how big should the CNCF be? Is there a point at which
projects become too, not too big, but too many, if there are too many projects? And this has practical knock-on effects, like how big is the KubeCon and CloudNativeCon conference, and how many projects can we afford to run security audits for, and what have you. But it also has that kind of community aspect to it: if we get broader and broader and broader, do we lose cohesiveness amongst our community? I think it's totally correct that we have pockets of interest and groups of specialization within the CNCF, but, yeah, that question of what is the correct balance. I'll give an example. There's been a little... I don't know why they all come at once, like buses, you know, three come at once. Three projects related to confidential computing have applied to join the CNCF. And at one level this could be extremely valuable to cloud native computing and making computing in the cloud more secure. There is also an existing Confidential Computing Consortium within the Linux Foundation. So what's the relationship between those two organizations, and what's the right home for those projects, and how do we make that work best for everybody involved? That's still an open question in my mind. Questions like that, that's just an example, but for things that are certainly adjacent to cloud native and potentially could be part of cloud native, but should they be, from a community perspective? I genuinely don't know the answer to that, and I think questions like that are going to keep coming up.

Yeah, that's really interesting, and I think, kind of to your point, right,
it's like, is that line a dotted one that needs to shift over time? And whether or how hard a line needs to be, yeah, I could see that being a difficult question to struggle with. And something that I think, for the audience, right, that's something you want to pay attention to, because you need to know, like, if you want to solve confidential computing for yourself, as your example, right, you need to know where to go look for that. Where is the place that innovation, for lack of a better term, is happening? Where are the resources being put? Because I think one of the challenges as a consumer of a lot of these tools, particularly in the open source world, is product selection. It's one of those things, there was that old saying that nobody ever gets fired for buying IBM, right? It's that nicety of, hey, I have my vendor lock-in, and while vendor lock-in has some downsides, the upside is I always know where to go get the piece I need. And in the open source world, that's much, much harder. And that's part of why we're trying to do this show too, is to try to say, hey, at least in this little pocket, we can try to help you have a sense of where these things are going, so that you have a sense of what the right answer is to choose these things. And I think, like I said, part of the reason you're seeing a bunch of projects about confidential computing coming in is because it's becoming very popular, right?
It's becoming a big concern for a lot of people, and so I'm sure there's a number of people who are trying to decide, I need to make a product selection sometime soon. Who's gonna win, right? And where do I invest my time, energy, expertise, etc.? And I know I've chosen wrong in the past, and it's a headache when you're mistaken.

Yeah, well, mistakes will always be made.

No question. No question. It's the tolerance for change after the mistake that is part of the hard part. And with that, we're about at the end of our time here. So thank you so much for joining us, Liz, twice, and dealing with all of the internet streaming troubleshooting that broadcasting involves these days. Do you have any final thoughts for the audience?

I guess I will say I really hope that we're going to actually get to do proper in-person conversations at events this year. Particularly, I'm looking forward to KubeCon CloudNativeCon in Valencia. I'm very optimistic that is going to go ahead, and I'm dying to see people in person. That will be amazing.

I'm totally with you. I do want to apologize to the audience that I'm so fuzzy, but given all of our challenges from Tuesday, I decided not to muck with anything, and, you know, one technical flaw is fine. So hopefully we'll be better next time. But to Josh's point, thank you so much for coming. We really appreciate it, and we hope to see you again.

Yeah, and I hope that I get to see you in Valencia. We'll see.

Yeah, awesome. Well, it was my pleasure. Thanks for having me.

Okay. Thank you. Thanks so much.