Morning friends. Hey, how's it going? It's been a while, Denver. How are you doing? Good, good. Staying busy. Hello. Right, this will wait until five after. Hi folks. Some audio working. I can hear you. Can you hear me? I can, great. Okay, we'll give it until five after. Hi, Ian. Hi, Victor. Morning. Hello, Taylor. We're waiting to see who's gonna join us. We're at the five minute mark. We could probably just kick it off and then, yep, you know, if people trickle in, they trickle in. Yeah, I think we're good now. Yeah, you're getting the chair sorted. Give me two secs. All right, and there we have it. I hope, is that working for everybody? Yeah, looks good to me. Right, good morning everybody, welcome to the meeting, and to start the beginning of the agenda then. This is theoretically, although in practice probably not quite, the last of our current reign of co-chairs' meetings, because our term expires on the 31st of March. So anyone who wishes to stand for any of the three co-chairs should go find the mailing list link, which is cnf-wg at list cncf.io, and stick their name in the ring for one of the three co-chairs. And if you recall, and if I get this wrong somebody will correct me, one of them is for representing CNF developers, one of them is for representing CNF users, one of them is for representing the platform part of the equation.
So if you want to stick your name in, then please send an email to the email list to make sure everybody knows that you're up for it, and then we can get the election started shortly. It might be a little overdue, because I think we haven't got any nominations at this point, but sometime soon I will send a mail out to the mailing list to make sure everybody's aware that that's coming around. Any questions? I think one thing that we'll need to figure out is how we're going to process it. Last time we used a system, a voting system that Bill had set up, and I think it's open source and free to use or something, but I don't know quite how to use it. No, there's two or three of those. I seem to recall the one he had was giving us 50 percent German emails, but that was probably because of the language that he had set. But I'm sure we can find one of those, go and recheck which one he used or find, excuse me, find another one, but we'll make the arrangements. As I say, theoretically the election should happen with the results by the 31st, but I don't think we're going to manage that, but let's try and get the nominations sorted and ready by the end of the week. Okay, I see we have a list of upcoming events. I will, I think, avoid going through the list as usual. What I would say is, you know, that there's a handful of ones there with CFPs open: the EU Open Source Summit, KubeCon North America. I imagine the fall NES is going to have CFPs before much longer. Don't forget to (a) put your name in if you've got anything you want to talk about and (b) advertise around here so that we all know it's coming and we can put our support in, in any way that we can help you. But other than that, does anyone know of any significant talks at any of the earlier forums that are coming up?
Okay, then keep an eye out for the Networking Edge Executive Forum, which is due first in just a couple of weeks, and we'll see if we can find from the agenda if there's anything worth recommending. And then we're on to pull requests, which will involve opening the pull request page. Let's see what we can find: three open. I know I've got the best practice compliance recording one to do myself. I promised you I'd do that weeks ago and I haven't done it, so we'll set that one aside because it needs a bit of a rewrite based on the comments that it already has. Let's hold off on that one, Ian, in case Ben shows up. I did make some updates to that one, if we want to criticize my attempts at coming up with definitions for things. Okay, that's the best practices one, right? No, it's the air-gapped environments. Okay, right, best practices. I know Ben made some updates, so then it's not going to be here today. Okay. Well, we'll start with best practices and see what we find. So I did an initial review. I need to go through it really with a fine-tooth comb; I mean, I just kind of read it start to finish without combing it line by line. But I mean, this is gonna be one of those things, like when we talk about security: what is too general, to where maybe it should just be in a security working group, versus, you know, if it's good information, do we just put it in here because CNF users and developers might care about it? I mean, it's a great series of best practices for just, you know, Kubernetes hardening, in my opinion. I do think, if we're gonna keep it here,
we should add some stuff around network security, and it doesn't necessarily need to be firewalls and stuff, but I mean there's things to tweak, IPVS, you know, what iptables does, etc., that we could potentially add into this. And then we either say that we're cool with having things, you know, just generic, or we kind of wordsmith it a little bit to talk about how the best practices are relevant to either a provider, a CNF operator or a CNF developer. Thoughts? Yep, I mean, I don't want to get too wrapped up in this so that it's never going to get committed because it has to be perfect before we do it. So if we can get it to a state where it's ready to go in, we should put it in and then fix it in place. But yes, absolutely. I don't think anything you're talking about there is particularly asking too much. Also agreed. I mean, it's probably mergeable almost as is right now. It's just, like I said, with the knowledge that we should open up an issue, and a network security section is definitely needed, and then, just, you know, it needs to be relevant to the space. So I mean, just specifically talking about bits and pieces on how, because I mean best practice, you know, in my opinion, should also be a little bit more than just a list of, you know, thou shalts and thou shalt nots, but also provide a little bit of context on, you know, why it is a best practice, if that makes sense. Yeah, and how you would choose more ones and how you would say they fit. Yes, it seems reasonable. Okay. Yep, seems reasonable. Any further comments? Right, just a few. There are just a few indentation issues in this PR. I mean, it's just minor cosmetic things.
So basically the CI is complaining about trailing spaces and some indentation issues, so I don't know, maybe we can merge this as is and later we... I'm willing to go in and change my thing from a comment to approve, and we get this first draft in and then we just continue to refine it. Yeah, and that was another conversation, because we were talking about changing the number of approvers we require in the governance file or wherever it lives, and I don't think we've actually done that yet. Have we, Taylor? No. Can you create an issue right now to do that? Okay. There you go. Looks good. Okay. Yeah, I see I've got one unanswered comment here from last week, so I should go deal with that. This could do with a reword, but it is literally a reword. It's just that it's got two sections talking about the same thing. This one I need to go and revisit. I believe the point I was making is that there's a lot of... yeah, the wording there was just a little complex, but I don't think it necessarily has to be fixed, actually. It just struck me that we kind of lost the message in the wording, in a sense. So I'll see if I can propose a change. Other than that, I see Pankaj has made a comment at the bottom which is, maybe making, yeah, he is making an extra point, and he doesn't seem to, there we are, he has changed it to... Has anyone got any particular issues if I just commit this, actually? Hold on. I think what he wrote sounds good. Yeah, I've got no problem with it. Jeff? Victor? Then, yeah, I think it's fine. I'm also of the mindset, for the commits and stuff on your PRs, if you think it's good, just commit them, because the merge itself is where we're doing the final stopgap, right? Yeah, okay. Well, that one's gone in. Right, that one seems to be resolved. Uh, Jeff wants, Victor wants the spelling to be addressed, which is fine. I think these folks were resolved, I guess, so he's not complaining about the wording. Yeah, I mean, no issue with that. All right, fine.
So we've got one change to the spelling list. My comment here wants a response, and I'll go and reread it after this meeting. Oops, not that one, didn't mean to do that. Don't do that. That one. Jeff, all yours. Okay, um, so I did this first one. I did reword it a tiny bit. Let me see. I said I'd have it in there, and it does say it's outdated, so yeah, jump over to files changed, or view changes. Let's take a peek. Um, yeah, this one's old, so there's like trying to navigate through all the former things. So I added a glossary section, which is not showing up on this changelog right here. I'm gonna see if I can do that. Um, and then I slightly reworded the section that you were looking at. I think some of it was he was maybe just missing a tiny bit of context, so I didn't really fundamentally change some stuff, because I feel like most people will understand. Yeah, so that one right there, I addressed the one that's at the top there and added those three terms. Let's see, Victor was also asking for air gap to be defined, so I added that. So this one here, let me just ask you, I don't know if I necessarily agree to just cut all that out, but I mean, it's not the end of the world. I feel like with the user stories, though, providing context is kind of the point, but if it doesn't actually add anything then we can just commit the suggestion. Accept. Well, I think your wording is off. I mean, "that may break cloud native assumptions": I don't think it's cloud native assumptions that you're breaking exactly. You're certainly breaking assumptions. I think throwing cloud native in there is not helping, and you're breaking one specific assumption. The specific assumption here is that you're connected to the internet, isn't it? Well, I mean, yes and no. I think that's an implied piece. The main assumption is this notion of on-demand, right? And maybe it's not necessarily cloud native.
It's just quote-unquote cloud, this notion that I have resources on demand, right? If I want an image, I get it. I want an EC2 instance, I get it. I want a container, I get it. And the air-gapped environment breaks one of those implicit "I get it when I want it" type of scenarios. So I mean, I do think, I agree with you though, that specifically calling it a cloud native assumption isn't right. It's more just assumptions that cloud consumers have, that everything is a credit card swipe away or a pull slash clone away. Need to work on the first half of it, and something like that. I don't really like that wording either. It feels like, I'll say, is it that the cloud has the assumption that it has connectivity? I mean, if I create a tenant network with no routable IP address and, you know, the floating side, then I mean it doesn't necessarily have... I don't know, that's, let's, um, I don't know. We'll leave this one as an open topic. I agree that it needs to... I think this is closer. Yeah, that's better, "cloud software", because that's really what it boils down to, right? And typically when we say cloud software we're really talking about containers, and then there's this notion, you know, that Docker Hub, that Red Hat's repositories, that VMware's repositories, that Amazon's repositories, we're always just one pull command away from "I get this container image when I want it", or all the nested curl commands hidden in every single installer I've seen the last five years. There's this implicit assumption that if I want something I can just go out to the internet and grab it.
I like that wording the best that I've seen so far: "assumption of cloud software that it has reachability to internet services". Yeah, I wonder if it's not in the right place, but I'm gonna add that as a comment anyway, and you can consider whether there's a better way of doing it. Even if there is a better way of doing it, you might just want to accept that and say, well, better than it was before. "The process to pull artifacts does not occur in an air-gapped environment." I'm afraid it does. Some of this is covered in the definitions that I added, which are not perfect, but it addresses some of these things. Yeah, I mean, I talk about those in the definitions specifically, like if you start doing stuff like that then there had better be implicit trust in what you're going to, because obviously the more holes you poke, the more risk you incur. I think kind of my issue on reading this is that if you're in an air-gapped environment, no VPN works in an air-gapped environment, but you're, so you're, by proposing that, you're weakening your constraint from a complete air-gapped environment to one that isn't air-gapped. Yes and no, I mean, because the whole concept of, you know, it being a virtual private, private being the key word, is you're now just extending where this potentially isolated environment goes. But on the flip side though, by doing that, I 100% agree. And, as I said, actually, yeah, it's the next section down where I added the glossary. I'm trying to capture that exact point somewhat. I don't think I've got it there yet, but there's gonna be trade-offs. So I agree, in an ideal world, if you were, you know, secure, like you're one of these super secret three-letter agency clouds that's being built in Aurora, Colorado right now, they're not going to allow any of that, right? And they have found ways to still build and run clouds fully isolated, so it's doable.
It just takes work, and so then you have to decide for your individual air-gapped environment, you know, how much risk are you willing to assume, because every time you set a forward proxy up, right, because it makes life a little bit easier, you're introducing risk. So when I change that, because I mean the first sentence is "a physically and logically isolated environment". If it's physically isolated it doesn't disallow network connectivity; there is no network to connect to. So the point is that, as you've written this, there is the actual meaning of an air-gapped environment, there is an air gap between this environment and others, and then there is the logical meaning of an air-gapped environment, which is that it is defended from others, and then there's the fact that you're talking about VPNs, which cannot truly be in an air-gapped environment. So my point is you're describing a spectrum using the words that describe one end of the spectrum. I don't have much to offer on that other than to say, you know, in a second paragraph or a second line, that actually, you know, we accept that air-gapped environments may be unacceptable or unusable, and something slightly short of an air-gapped environment in that direction is what you're actually looking for. Yeah, I mean, I don't know. Maybe we go to a larger block. I was not sure how verbose to make this, because to your point, that first sentence is intentionally broad. And like you said, the spectrum being full, like I have a local network that literally connects to nothing else, there is literally pure physical isolation, it's complete intranet, right? Versus, like you were saying, I now have connectivity but there's a logical segregation via firewalls and I block everything off and yada yada, which is typically what I've seen most done if we're not talking about one of the three-letter agency clouds or some facility. Yeah, we're talking about network functions.
They're not terribly useful if you isolate them from the network anyway. So, and then conversely, to your exact point though, proxies and VPNs etc. are basically gap closers, so you're bridging the gap at that point. So then, you know, what does that entail? But I mean, you know, collectively to the group here: should Ian and I expand this out in this, or should we keep this one kind of high level, and do we need to go somewhere else for something comprehensive? Or, yeah, we can just do one more definition to go with it. I feel like we're getting back into the early days, though, of... I've grown to hate defining words. I know, I know, I remember being the one, so I entirely sympathize with this. But if it makes you feel any better, apparently GitHub's not going to take that comment, so it feels the same way about it. Anyway, yeah. I'll be honest, the next two definitions I kind of felt weird adding, because I kind of feel like they should just contextually be, you know, there in the things, but I put them in because they were asked for, and once again, it's a start. I'm not 100% married to or in love with the first attempt at wording this out. Yeah, I mean, you basically said... you've almost contradicted yourself in the definition of upstream, because if you can't connect to a repository then how can it be an upstream repository? Well, so I mean, and this is where, Taylor, you cracked me up, this is where your comment, though, about the spectrum comes into play.
I mean, here's the thing: there has to be some means of getting software into this isolated environment, right? And I mean, so you were, in some way, shape or form, bridging the gap, whether that is your own private repository that is able to pull from the outside world and locks everything down before it makes it available to the inside world. I mean, it literally could be someone walks into this place with a thumb drive and sticks it into the server hosting source control and starts uploading files, you know. I mean, this is where I think we get into actually describing the best practices. I mean, that would be my hope, right, as we start talking about the best practices of, hey, forward proxies, maybe not a good idea, because if you get a bad image and it phones home, you know, terrible things could happen. But there's still got to be some compromises, right? You have to have some way of making images, source code, OVAs, all this stuff available to the people inside that air-gapped environment. And I have seen a lot of people basically just turn their private repository into a proxy, because all they do is make a request to the URL of their private repository, but then it instantly just pulls it straight from upstream. So then I have the debate with them of why set up the private repository in the first place. Indeed, yes, I mean that is a problem. It's a pinch point that you can start pinching on, but if it's not actually pinched to begin with, then it provides no additional security in its base form. I think maybe what's missing from somewhere in this list is the notion of quarantine or, you know, a DMZ, or basically, here's this gap, what are the airlock procedures to navigate the gap, right?
Yes, and perhaps a little more on why the gap is necessary, but I'm not going to judge on that, because we're not looking at the right section of the document to say you haven't written that. I've offered you a suggestion there, but I don't think it changes the meaning of what you're trying to do; I think it just helps clarify what you're trying to say. And there too, just either make a sub-definition or add to one of the definitions something around the notion of quarantining, or control, or something, pinch point, whatever. Yeah, it's not explicit enough to talk about... I mean, it kind of talks about it, but I've got two kind of technological points to make here. Well, three actually. One is that by physically isolating yourself from the internet, then no attack can arrive from the internet over any vector. And while you would like to do this, then you're cutting, you know, you might argue you're cutting off your nose to spite your face: things like this are impossible, and if that is the thing you're trying to achieve, you've got to find a different way of doing it. Then the supply chain attack that you were making the point about earlier is that, having cut yourself off from the internet, attack vectors still do exist in, you know, poisoning the supply chain, and the private repository that you're going to need in your air-gapped environment gives you an opportunity to both filter and quarantine what's coming in to make sure supply chain attacks don't exist. But the quarantining part of that is not the primary point of an air-gapped environment, which is that active attacks can't be made on the network; it's a secondary benefit, which is that, having isolated your network, then you should make sure that anything that crosses the boundary is still as safe as it can be. I feel like we're doing all the talking, Ian. If only Taylor had some thoughts. Or Victor. Akash. Denver.
I'm ready for a first version of it to come out, and then we do another. Well, there's more comments there, but we can assume that Jeff is going to actually try and finish this thing, because I'm sure he wants it off his shoulders. And with that we will switch to this one, which is on my shoulders and which is very old. I don't think there's been any recent, although there's been a couple of recent changes. Yeah, I have a guilty conscience on this; I was supposed to work on it weeks ago. I will take that and run with it. I don't want to, unless somebody's got a pointed comment to make about this. What? Okay, fine. Yeah, I just, I can happily discuss this, but I think what's going to do a lot more good is me actually going and doing some work on it. Okay, anyway, yeah, I'll take that. I know that nobody's adding anything to the agenda and I've run out of agenda items, so open season: who would like to say anything? Any best practice ideas that we should focus in on? And maybe a related thing is, is there anything that we would like to suggest for the test suite to start testing on, even if we're not ready, or have someone help with the best practice, either an existing thing that we already agree on for testing? I'm going to, probably, assuming I can get this user story done, I don't know if I'm going to write a full-blown use case for it afterwards or not, or if I just start kind of taking some stabs at different methods to, you know, deal and operate in an air-gapped environment, and then at least get some conversation going. I mean, I kind of already know what my opinion is on some of this stuff, but, you know, there are several topics there, like how do you secure the supply chain, what is licensing going to look like in this world.
And I think the licensing one is going to be interesting, and definitely something that we could build test cases around, Taylor, where it's just like we do different types of deployments, we find ways to, you know, take in different licensing systems. You know, like if we're pushing out virtual DUs to cell sites, what does license management look like for that? We're just doing CSR spin-ups in our central clouds, what does licensing work like for that? You know, different environments, different reach. Because, you know, as part of this too, there's going to be some level of security controls, right, something from pure air gap to, you know, "hey, we've poked a lot of holes to where this thing's basically a sieve, but there's still some mechanisms that are in place", right? So, I think an interesting one when you talk about a provider network with CNFs is just the software delivery and management: how do I push an image, how do I cache an image, how do I license an image. You know, you have the entire front end of that which is all concerned with the air gap piece of it, right, like how did that image get into the ecosystem to begin with. So I kind of think maybe that's where I might start focusing some of my efforts from a best practices standpoint, because, I don't know, I deal with it every day now, so it's interesting to me. All right. I don't know, thoughts? Like, is that an okay place to start, or would we want to focus somewhere else? I mean, I'm open to whatever, I just... So I mean, if it's something that you're more passionate about, if that's a good word to use, or if it's something you have to deal with the pain of, then that's going to be easier to contribute information about.
Yeah, I think it's interesting. I've been exposed to more stuff, right? I mean, you see a lot of stuff from a supply chain standpoint for certain VNFs and CNFs now, or, you know, they're going to come from the factory with the software already on them, which is cool, until you run your first update. What does that look like, you know, what if it doesn't come prepackaged from the factory? Yeah, I think it's interesting, and it's one of the few things that's also very, you know, CNF centric. I mean, it's easy to push, you know, 25 meg container images all throughout your network. Suddenly somebody comes in and they're like, here's this four gig, you know, image that I want you to push to every one of your DU sites. Right. 15 minutes back. I mean, we don't have to eat up the hour just because it's there. I feel like we got a decent amount done today. Yeah. Thanks everyone. You're not actually going to get those 15 minutes though, Taylor; I'm going to call you real quick. Got somebody to ask you. All right. All right, guys.