Hello everybody, good morning, good afternoon, good evening, good wherever you are, whatever time of day it is. It's great to have you here. As you hopefully know, this is the KB Insider program, where we try to get a sense of what's going on in the Kubernetes community going forward. And apologies on apparently my video is a little laggy today. But maybe I look better fuzzy. Who knows? So I'm Langdon White, a formerly of Red Hat, and now a university professor at Boston University, talking mostly about data science and computing, and trying to open up our world to people who are generally underrepresented or under-served in the tech community as a primary goal. So with that, I'd like to introduce Josh Berkus, my co-host for the show, and then we'll introduce our guest. Hi, I'm Josh Berkus. I'm at Red Hat's open-source practice office, where I work on Kubernetes and some other related cloud-native projects. And in that role, I have been on many video calls with today's guest, Liz Rice, mostly in her capacity as chair of the CNCF, or the CNCF Technical Organizing Committee. But there were many reasons why I wanted to listen to the show, not just because of her role in the CNCF, but also because she is a container security expert, which is what we were talking to her about on Tuesday when we lost the stream. So welcome, Liz. Hi, thanks for having me. Thanks for having me again. Yes. So when the stream dropped on Tuesday, we were talking about eBPF, which is what you're working on now at Isovalent. Correct. And particularly, we were talking about how is the isolation that eBPF provides different from isolation that people might be used to from, say, virtual machines? Yeah. So I think sometimes this can be quite confusing because people talk about eBPF as a sandboxing technology. And people talk about containers as sandboxing or isolation technology. And it's true in both cases, but they're really quite different. And they're sandboxing for very different reasons. 
So when we talk about containers, we're talking about isolating our application code and stopping our applications from kind of stepping all over each other. With eBPF, what we're doing is running custom code inside the kernel. And you can have multiple different eBPF programs inside the kernel at once. But that sandboxing is more to do with making sure that those programs are safe. I mean, I suppose it's similar. In both cases, we're trying to say these programs have to be safe and not interfere with each other. But in the case of containers, they don't have any awareness of each other at all. When we're talking about the kernel, this is much more about extending functionality inside the kernel and running bespoke capabilities within the kernel and doing that safely. OK. But I guess my question is, say I'm running current kernel or maybe future kernel because I know that eBPF features are still under development. And I get used to Cilium and a whole bunch of other eBPF tools and that sort of thing. Can I isolate a process running in one container as much as it would have been isolated by virtualization technology, assuming I flip all the switches? Because that's always the concern with containers running in the same machine is that it's not that same level of virtualization out of the box. Of isolation out of the box, right? They can effectively exchange kernel calls. Yeah, so when we talk about a host machine, if we're talking about a virtual machine or a bare metal machine, it's got a kernel. And there's only one kernel. However many containers we're running, they're all sharing that same kernel, which is very different from the virtualization world where each virtual machine running on a physical machine has got its own kernel. So the isolation is very different. And in the container world, that shared kernel is kind of the reason why some of the kind of old school security issues. I'm saying old school like two years ago. Security issues would. Engine. Engine. 
Because there's a shared kernel. There's a shared root. Root in a container is written on the host. I would say it is old school having, once upon a time, worked on VMS systems. So some of the security problems are very similar, at least in Outline. Although I think VMS has been as the only operating system, I think, that never had a virus. There's some legend of that. But it's also, it's kind of like, why doesn't Linux get all that many viruses? Because the attack surface might not be that bad, but there's not that much value to writing viruses. It's a lot harder to infect something of the virus when it has to be hand-carried there on mag tape. Exactly. Right. But yeah, we're seeing, I don't know. It's a lot of that kind of throwback thing, right? Is that in a lot of ways, containers are very, very similar to the mainframe. And so it's really kind of amusing when we just kind of, it's intact. We seem to kind of go full circle on the regular, right? And it just, but it gets easier and cleaner and a little bit more efficient and things like that. But we kind of keep reinventing a thing. And it's all this brand new excitement. But in fact, you know, it's just that. Definitely, the concepts are the same. Yeah, at the end of the day. My very first job after university was doing like SNA emulation, sort of simulating all these like 3270 and even punch card. Like we were emulating that on what was then Unix, different Unix systems. So yeah, it's kind of, I've never actually worked with the mainframe, but I had a lot of experience many years ago with like those SNA protocols and yeah. Yeah, my exposure was wrapping them so they could be called from Java, not, you know, versus like actually doing anything with the mainframe per se, right? Right. So yeah, yeah, it is very interesting. But kind of going back to eBPF, you're talking about, you know, there's only one kernel, right? 
And I think we've talked about a little in our podcast there, you know, as the root has been kind of broken up into these multiple roles. And then, you know, so you have what they call. Yeah, capabilities. I was like, compliance, no, that's not the right word. But they have different capabilities now that you can allocate. And I think eBPF is kind of more in the same vein of like, you can kind of say, okay, now we can, you know, we can sandbox these things and we can separate them off from each other, thereby making the overall system almost more multi-tenant as much as more safe, you know? That is true. I mean, capabilities allow you to be more fine-grained about who has which different permissions. But I think once we get into the world of BPF, I mean, there is a BPF capability. So if you have CAP_SYS_ADMIN, that includes CAP_BPF, but you know, you could have that smaller surface, just have permission to load BPF programs without having all the other SYS_ADMIN privileges. But once you've loaded that program, and if it is safe to run and it passes the verification and it's, you know, not trying to stamp over the wrong kind of memory or anything like that, if it's safe, then that BPF program can be basically all powerful, you know, it can see. So we attach BPF programs to events. An event might be a network packet arriving or a particular function call inside the kernel code or a trace point or even user space functions we can attach to. And it really doesn't matter what it is that triggers that event. It doesn't matter which application, it doesn't matter which process it is. If that event gets triggered, that BPF program is going to run. So it gives us this very powerful tool for knowing what's happening in a system. 
If you want to write an observability tool, BPF is incredible because you attach that BPF program to the event you want to observe and you see it, it not just for new processes, not just for new content, you know, for everything that starts calling it, your BPF program can be triggered. It's incredibly powerful. Yeah. But from a security perspective, that does mean, you know, you can't just let anybody run BPF programs willy-nilly all over your systems. That would be pretty scary. Right, right. I mean, as you were saying, I think last time we talked, you know, that, you know, part of the challenge now is that security profiles, right? Is that, you know, is kind of doing those correctly. And that can, that's still kind of challenging. Yeah. And I think this is a kind of usability problem for security, whatever kind of security we're talking about, you know, anything from, I don't know, dependency scanning to run time security, to seccomp profiles to anything we're talking about. It seems like right now, you have to have kind of the domain-specific knowledge to know how to build that profile. And I anticipate over the next few years, we'll see much more in the way of helping people build sane but powerful profiles. There are some good examples of this, like the Docker seccomp profile was a very good basis for, you know, an all-purpose or general purpose security profile for seccomp. If you want a more fine-grained seccomp, it's all, you know, we're seeing a few things being developed with eBPF that can check what seccomp, what system calls you, your application uses, and you could use that to build a more bespoke seccomp profile. But, you know, as an application developer, do you really want to have to know what seccomp is? Right, exactly. You're a Java programmer, why should you care? You know, so we need to make that much easier as an industry. 
Right, I mean, this is one of those things where it's also, you know, it's very hard for a developer to be an expert in everything, right? And so, you know, if you're, you know, an expert in, you know, Java threading or whatever, it doesn't mean you're also an expert in seccomp, right? I mean, it's not, and it doesn't make you good, bad, or indifferent, you know, as a programmer, it's just that, you know, it's that that's kind of where your expertise landed. And so if we can, you know, it's almost like separation of concerns, right? It's like, if you can kind of say, okay, this person knows this part, right? And we can have them work on this particular piece, then, you know, even if they're all, you know, equally capable programmers or whatever, you don't have to have, you know, learned everything in the entire world. Absolutely. Yes, yes. And when I say Java programmers, that was just, you know, an example. Yeah, yeah, yeah. As you say, everybody has specialist knowledge and we shouldn't be expecting everybody to get specialist knowledge in every area. Right, yeah, I mean, you know, going back to the kind of the old school, right, it's like, you know, in the old days, I used to have to be able to change a hard drive and, you know, and program and, you know, everything else. But I think the, you know, it's kind of like the space that we, you know, live in, right, that we live, you know, that we live in now is so vast that you just, you can't be kind of a complete, you know, renaissance man for lack of a better term, you know, where you kind of just know everything. It's just, it's nearly impossible. Totally. It's like, you know, nobody, just because you work in tech doesn't mean you can do like IT support for your family. Printers, for example, right? Yeah, but try telling your family that. Yeah, exactly. Right, yeah. Particularly when they keep wanting help with their Windows machines at a place. I don't know, I haven't used it since Windows 2000. 
Yeah, I was trying to explain in a class the other day where the, because I know it exists on Windows, where the /etc/hosts file is, right? And I was like, and then I was walking away from the lecture and I was like, oh, I remember, you know, it's in System32 and drivers and that's where it is, but I haven't touched it in, I don't know, 10, 15 years. So I have no idea for sure. But yeah, the interesting. So let's see, should we talk about Cilium a little bit? If you can tell us a little bit more about what that project is doing? Yeah, yeah. So Cilium has been around as a project for, I want to say since, well, 2015, 2016, something around then, and the people who created it, really the pioneering and eBPF at the same time, there's a lot of overlap between people who are developing eBPF in the kernel and the Cilium maintainers. And Cilium is really about really efficient eBPF-based networking. Which primarily we talk about it in a cloud native context. We talk about it as a Kubernetes CNI and networking plugin. You can actually use it outside of the context of Kubernetes as well, but certainly the majority of users, I would say are using it in the world of Kubernetes. And I talked earlier about how we attach eBPF programs to events and that can be network packets. It could be packets arriving at a network interface. It can be packets just coming out of an application at the socket layer. And with eBPF, we can essentially hook into those kind of extreme ends of the networking stack and be much more efficient about how we connect packets from one pod or one container to whatever destination it's going to or vice versa. And we can also, as a Kubernetes CNI, have all this identity information about what is the pod and what services that pod part of and use that to build up connectivity information that is meaningful. 
Normal sort of traditional networking talks about IP addresses and ports, but in a cloud native, well, that's kind of impossible to keep track of because pods are ephemeral and IP addresses come and go. You want, as a human, certainly, you want to see networking flows and debugging information in some form that talks about pods. And that's something that we do with Cilium. So as well as having the connectivity, we have some observability tools in a component called Hubble. And we're increasingly looking at how we can use that for security purposes. And we have network security profiles. There's really interesting things. Because we have this visibility into not just, here's a network connection that's been opened, but we can see, well, what was the process that opened that connection? And what's the executable? And what's the destination? Is this executable a cryptocurrency miner? And is it supposed to be accessing that pool over there? Getting that kind of intelligence and being able to act on that in real time is, I think, well, it's why I got involved in Cilium because it's the future of security as far as I'm concerned. Yeah, I think you brought up a couple of interesting points there, right? Like one of them is kind of that /etc/hosts remark I just made, right, is I was trying to teach a group of student developers kind of the base version of what you need to know about DNS as a developer, right? And because- It's always DNS, that's the first thing. Yeah, it's always DNS, right? It's either DNS or printer. But with the DNS, right, it's like you can kind of know a bit about how it works and not really need to be deep into the networking to kind of get by as a developer. And I just kind of in the back of my mind while I was talking about it, I was like, and wait till you get to Kubernetes and containers and that kind of stuff and it's just gonna blow your mind, right? 
Cause now you got all your IP addresses floating all over the place and, you know, because all the different services are trying to talk to each other and all these things. So I think anything that's kind of letting you think about the application in terms of an application rather than making you think about how it quote unquote works is a real benefit because it's getting so complicated, you know, to try to kind of keep track plus to your point, right? It's ephemeral. So you only know it for like 15 seconds and then, you know, it's all changed again. So it's very complex. And I really appreciate where kind of Kubernetes has been going around trying to, I don't know, up level, you know, kind of change the how you think about it in terms of the application. So you can kind of think about the application, you know, whereas like, you know, when I originally started doing containers, for example, where it was all just kind of hand put together and you lost a lot of that ephemeral benefit because you couldn't keep track of where everything was, you know? Yeah, yeah, for sure. The, I mean, orchestration is incredibly powerful in terms of running your application efficiently and using your resources efficiently, but it does create this kind of, you know, this ephemeral nature and the way that things can move around underneath you. You just, you can't, as a human keep track of that, you know, you have to have a higher level of abstraction, you know, and services and service meshes is getting us into that right direction. But, yeah, for application developers, they absolutely shouldn't have to be thinking about what node their application is running on or, you know, network connectivity should be kind of not the application programmers concern. Right, yeah, yeah, completely agree. One of the things we like to ask every kind of guest who kind of comes on the shows. 
So what got you into open source or, you know, if Kubernetes was the first place you got into open source, what got you into Kubernetes? But really, what pulled you in about kind of the open source world? Like why is that interesting for you? Yeah, so I was really late to the party with open source, to be honest. So when I, I mean, I mentioned, you know, years ago working on SNA protocols and I spent a lot of my early career working on proprietary networking stacks. And this was, you know, the early days of open source really and we were quite suspicious about it. Like how can, you know, we have all this organization around testing and development processes and design processes and you know, how on earth can a community of, you know, people who don't work for each other with no hierarchy, how on earth can that kind of turn into good development practices? And it really, it took me years to sort of, you know, and I think to, you know, in my defense it was maturing in the world of open source. Right, right. It sort of magically landed with people doing great engineering. And for quite a sort of chunk of my career I moved away from this kind of networking area was doing sort of consumer things and working for people like Skype and working on music recommendations and working on TV recommendations. And then when Docker was first coming into prominence I remember I was working on a startup and we were in an accelerator and the startup next to us, who had the kind of booth next to us, their CTO was getting very excited about this Docker thing. I'm like, okay, yes, maybe we should have a look at that. And that particular startup I was working on died but I got involved in another one because, oh yeah, this containers thing this is really interesting. We were doing container sort of auto-scaling way ahead of its time I think. And yes, seeing how much was being done open source in the containers as well. 
I mean, I'd used some open source components before I'd done a few little contributions here and there and, you know, various frameworks or whatever but it was much more utilitarian and I didn't know about the community aspect but then getting involved in containers. Yeah, I discovered there was this whole world of people who got together and had really interesting conversations and were really nice to each other and actually this is a lot of fun, I like this world. So yeah, that kind of and it was also really nice to get back to kind of what I call hard tech compared to when I was doing the particularly like movie recommendations the world of people who are not necessarily driven by tech or not necessarily driven by fact and they want to be driven by, I don't know the politics of how many DVDs they're selling in their particular department or something and yeah, that wasn't me. I was much more interested in like, well, how do things work? And, you know, how do we make them work better? Yeah, I totally agree with you. It was funny, like one of the drivers for me cause I used to live in Albany, New York that's where I went to college and, you know, and my wife, you know, and I live there and we were thinking about moving and I came to Boston and what really convinced me about moving to Boston was actually hearing people on the street talking about tech. You know, it was kind of like it's the same kind of ideas. Like, you know, it's really nice sometimes to be able to be in a community where, you know, people have heard of Red Hat, right? People know what Linux is, you know, like in not having to kind of bring everybody up to the, you know, to the level. And, you know, I don't mind doing it, you know, and I have lots of conversations. I mean, I'm a professor now, right? 
Like, you know, I don't mind explaining the things but it's nice sometimes to be able to have a conversation where everybody's kind of already at the same level and I think that's one of the things that really helped, you know, really drew me with the open source in kind of the same way you're describing. The other one I was going to mention too is just, you know, I spent a long time as an IT consultant, right? And yeah, the fear of open source was a big deal, right? You know, we would have to get like, like depending on the client, you know, but we would have to get like individual approval, you know, because we wanted to use Apache, you know? You know, things like that. It was a, it's a very different world today. It was a, believe it or not, it was actually in the early days of open source that was a lot easier in the small business sphere. Yeah, yeah, for sure. Because initially it was very easy to sell open source to small businesses simply because it was inexpensive. Right, right. They didn't, small businesses didn't care about policy or licenses or anything they cared about. How much is it gonna cost to get this piece of software? Exactly, yeah. The, and it's funny because I feel like that's kind of reversed now, right? As in the big corporations are pretty much all in an open source, even the ones who used to be proprietary software vendors and small businesses are now the long tail because they're so dependent on antique vertical industry apps. Yeah, yeah. Yeah, I think I'm quite maybe idealistic about how this kind of collaboration works and with the big companies. And there is some politics and there is, people are not doing it just out of entirely altruistic reasons. 
When I say people, I mean companies, they're getting involved because it's gonna be good for the bottom line but I do think it's very valuable from a collaboration like seeing advances coming from across a group of companies they've each got a pool of very talented people and rather than having those talented people work in isolation and build the same thing, five times but slightly different, coming together and collaborating on it and building something like Kubernetes and all the kind of other cloud native projects surrounding it that does sort of sing to my desire for things to be efficient and for people to be going, let's find the best way. Well, and kind of related, right? It also gives kind of a lot of worker autonomy in the sense that I work on Kubernetes, right? Today I work for Red Hat but tomorrow I could go work for some other company because I have a relationship to Kubernetes. And so I really, one of the things I really like about the open source community is that being a participant in it gives me autonomy from whatever company I might be affiliated with whereas when I was working with proprietary software, I became a really good expert in blobby-blah that no one else had ever heard of, right? Yeah, absolutely and you can't talk about it. Your name is not on any other code except for in some list of names of, you know. And you can't tell anybody what you did and even if you talked about it, nobody knows what it is. It didn't mean anything anyway, right, yeah, exactly. Yeah, so I think that's a, it's kind of two sides of that same coin, you know, is it really does make a big difference to, you know. 
Like I said, I think it helps the developers and what I really appreciate in recent years, right, is also it's not just developers, you know, we're really, really trying to push that outreach to say, open source can be all the things, you know, it's documentation, but then even things like open science and open data and open hardware, you know, which I think is all, you know, really a catalyst. And it's been, it's been really good. Absolutely. I'm involved in an organization called Open UK, which is pushing for the use of open technologies here, kind of somewhat towards government, but also, you know, just the broader kind of industrial use in the UK. And it's very much, it's not just about open source, it is about open data and open hardware and like opening things up by default unless you have a reason not to. What is currently going on with Open UK? Yeah, so it's a relatively new organization, I think maybe two years or so. And I've been really impressed with, you know, what has been done in that period of time. Currently, we've got an initiative going on called the Founders Forum, which is around encouraging people to start businesses or if they're thinking about starting open source businesses, connecting them with folks who've got experience, you know, because a lot of success in business is about contacts and there are quite a few people here in the UK who have been involved in, you know, some interesting global businesses related to open source. So we wanna try and connect people together. You know, we see really good examples of this happening in Silicon Valley, Israel. There are lots of pockets of talent where people are very connected and that's one of the things we're trying to encourage in Open UK. We've also been doing some things around sustainability. So there's a project called Patchwork Kilt which is really about sustainable data centers and how you can improve the efficiency of your data center. 
We're not telling the Googles and the AWSs and the Azures of the world how to do their data center but more for people who are running a proprietary business, how could they make those more sustainable? So those are a couple of initiatives. A lot of it is also just about awareness and making businesses realize that, yeah, open source software is... Here to stay. Real. Yeah, yeah. Yeah, I mean, I think one of the things, you know, I used to when I was consulting, right, I used to do some work for state governments and a lot of states in the US actually have a law that require if it's publicly funded that it be kind of open source in the sense that any other part of the state government can use the same software if they develop it internally. And it's like one of those things where I just, it kind of boggles my mind, right, that any kind of state funded and when I say state now, I mean like, you know, country or, you know, US state or whatever, like how is that not by default open source, right? Like there was a community of people who paid for this to happen. It doesn't really matter who wrote the code, you know. And it still kind of blows my mind that there's still so much proprietary software that happens in governments, you know. Yeah, yeah, absolutely. And as you say, the data is often ours as citizens, you know, it's collectively information about us or it's information about our, you know, our streets, our addresses, you know, I'm not saying we should be opening up private information but things like maps and yeah, data, it does seem to make sense that it should be opened by default. Right, right. So Open UK is taking that, because I know the UK government has had this on again, off again thing with open source requirements, but once upon a time, they were one of the first, you know, leading countries to adopt open office or to authorize open office for departments as their productivity software. 
And then they reverse that after a whole lot of lobbying by Microsoft, back when Microsoft was lobbying against open source. So there's open UK taking on making that part of, because I don't know where the UK is in terms of open source requirements. Yeah, so one of the things that I think the UK did very well, I mean, obviously my perspective is a little bit skewed from being here, but quite a few years ago now, probably 10, maybe even 15 years ago, there was a thing started called Government Digital Service, and it predates, I think it may have been after Estonia, but probably before, you know, US, and the people who set that up, you know, they had incredibly good vision for like, we should be doing things open by default, we should be, and they were publishing things like their retrospectives, you know, their sort of internal retrospectives, you know, anonymized and taking out anything that was sensitive, but really even showing how the development process was working inside these different bits of government, you know, website development, things like that. And the focus on usability was incredible. And a lot of the original team have moved on and gone on to do other things, but I think it really sowed this very strong seed of, you know, the government should be building websites that people can use, and we should be using digital technology to the advantage of everyone. And you can see it in things like, you know, our tax forms, if you wanna go and renew your car tax discs, the thing that we have to do every year, you know, it's really simple. Or I just had to pay some tax, and there was an incredibly good user experience where I was shown, you know, logged into my account, it told me how much I had to pay, it showed me a QR code, and scanned the QR code, it takes me to my bank account, fills in all the details and says, do you wanna make this payment to pay your tax bill? You know, and you don't have to type in any details, get anything wrong, it's brilliant. 
And that focus on usability, I think is fantastic. And the more we can do that open source, because you know, that's a government thing, it's not anybody's commercial advantage, why shouldn't I be able to pay any other bill, you know, proprietary bill with that same technology? I hope I can, I hope we're gonna see that. Yeah, so. Yeah, so we, although speaking of lobbyists, you know, on behalf of proprietary software companies, you know, there's definitely a lot of speculation, right? That the reason our tax law in the US, right, is still so complex is because of lobbying from companies like TurboTax. It's not, I can say, it's not speculation, it's documented, but. Oh, okay, all right. I mean, as someone who briefly had to fill in some US tax, well, the comparison between what you, you know, as a sensible human being, you can do your UK tax forms yourself, whereas in the US, it definitely felt like we are deliberately obfuscating this so that you have to pay someone to do it. And that attitude does not seem healthy. Right, right, totally. So I did wanna ask you a little bit about your role as chair of the CNCF TOC, particularly for our audience. And we're getting towards the end of our time here. So can you briefly, for audience members who, you know, know about Kubernetes, that sort of thing, have not paid that much attention to the CNCF? So let's say, so the CNCF has gone from, you know, this is the funding mechanism for Kubernetes to this giant organization with dozens of projects. Summarize briefly what the CNCF does and what the TOC does. Yeah, so yeah, it's the, it's a foundation and it owns the IP, it acts as a neutral ground to own the IP for Kubernetes and all these other related cloud-related projects. And I think although it was originally set up, you know, Kubernetes was there and it was set up to be the foundation for Kubernetes. 
I think right from the get-go it was recognized that it wasn't just going to be about Kubernetes, that there would be these adjacent technologies and projects that it would make sense to bring into the same organization. And that has grown and grown and grown. Kubernetes is still very much the heart of CNCF and the mission statement of the CNCF is about making cloud computing ubiquitous or cloud native computing ubiquitous. So I think we've achieved a lot as a community over the last, probably coming up to five or six years, I guess now, since it was created. And I think part of the success of that is that it is a community. You know, it's got funding from and membership from all these big players and the big cloud vendors and a bunch of other proprietary software vendors who are interested in the space and have products in the space. But the attention paid to individuals and how individuals are welcomed into that community and like you were saying before about having agency, being able to sort of take your value between different employers. I think that's been so constructive. I think it's been so valuable for the cloud native industry and the ecosystem. And I don't think it's an accident that there's so much innovation and frankly money and investment in this whole cloud native space. And that ecosystem that's been created around the scenes, yeah, I think is fundamental to that. Just speaking to the cloud native, like cloud native development is just for me, right? It's like so much better, you know, it's just, it's like, this is what I've been trying to get to for quite some time, you know, it's so much easier. I did want to kind of ask a little bit about like, what do you feel like the TOC's role is within the CNCF? Like, what is it that they're trying to accomplish in a sense? Yeah, so the Technical Oversight Committee was kind of created as part of the initial creation of the foundation. 
And the idea is really that the technical governance should be separated from the people who write the checks. And the TOC is now, so it's now 11 people, it was nine when I first joined it three years ago. And there are limits on how many people can represent different vendors and so on. And it has representation from the governing board and from the maintainers and from the end user community. And it's really intended to, well, ensure that the projects that we bring into the foundation are cloud native and to encourage collaboration and, you know, good interfaces between those projects. And it's always good to see projects that, you know, just interface with each other in a meaningful and helpful way for users. So it's supposed to be about a bar, not just for, you know, technical capabilities, but also that, you know, it's well-governed and that it is, we're hoping for all these projects to be vendor-neutral. And although we encourage vendors to be involved, we want that kind of nice balance between vendors who have a good commercial reason to be involved in these projects but also don't dominate it. Such that, you know, you can use Kubernetes today without paying anybody to do so. And, you know, if you have a compute platform to run Kubernetes on, you can do so. But there may be reasons why you want to pay for some value add around, and I'm just using Kubernetes as an example. So try to make sure that there is that balance of healthy ecosystem but that the technical bar and the projects are sound. One of the main things that the TOC does is assess the kind of maturity level of different projects between what we call sandbox, which is really early stage experimentation through to incubation and then graduation. And when we graduate a project, we're really saying we've done a lot of due diligence in this and this project is, it's really ready for everybody, I mean everybody, everybody who's interested in cloud native. Production use, right? Production use, yeah. 
And that, you know, it's been as a de-risk to make sense for use in a wide range of enterprises. So things like, you know, how stable its governance is, but also, you know, has it been used at scale and has it been, you know, used reliably? Are there end users who are willing to come and talk to us about their experiences and tell us, you know, yeah, it works up to, you know, some arbitrary measure of scale for a given project. Yeah, so we, the TOC is supposed to be, I think there's a phrase about senior engineers and it's supposed to, you know, bring some experience of seeing projects that an open source run in the real world and kind of understanding how that landscape fits together and kind of understanding what cloud-native means, which is kind of easy at a superficial level and then can actually turn into quite a difficult question when you're looking at a given project and saying, well, is this cloud-native? Yeah. I'm bringing that judgment, you know. A lot of the, particularly the first year, I would say that I was on the TOC, there was a lot of pressure for the TOC to, or I think the community were completely reasonably wanted more transparency over how the TOC makes decisions and the balance we were trying to achieve there was, well, we don't, this can't be a box-ticking exercise because if it becomes a box-ticking exercise, people game that and they will just tick the boxes, but it doesn't mean to say that they really are a mature production-ready project or that they really are cloud-native. So, you know, we've always had this, Alexis Richardson, who was the kind of original chair of the CNCF has a really good analogy that the TOC is like the Supreme Court in that, you know, you're kind of making up the law, but you know, you're making judgments and that kind of sets precedent that go into the future. Well, and I mean, in the Supreme Court analogy, it's also, it's almost as important on the judgments you don't make or you don't take up, right? 
Which I think is also kind of interesting, you know, where you kind of, let's wait and see, right? We don't necessarily know if we want to make a judgment on this at this point. I think that's also a tough call. I think what you're also kind of alluding to here, right? This is one of those places where, you know, the experience happened or, you know, is required, right? It's like, you know, it's very hard to articulate after, you know, I've been doing this for 20-something years, right? It's very hard to articulate why I can look at a project and be like, that doesn't seem like it's going to go well, right? And, you know, but another one which, you know, on the face of it doesn't seem like it's great. You know, I can kind of dig into it a little bit and be like, oh, no, there's some solid bones here. You know, it just, you know, it needs, you know, half the time it's, there's poor communication is usually the problem, right? So I think that's, I think that's kind of that senior engineer part, right? It's really the experience with working in a cloud-native world, as you said, kind of working in the real world, right? Rather than just in the abstract, really can bring to the table a good ability to judge how things should work. So I know I appreciate that. I mean, that's a very hard thing to do and especially consistently. And, you know, I think that the people who are the best at it are also the most nervous about being wrong. Which is also comforting, you know. And sometimes, you know, you're aware that the decisions that we make can have a real effect on, you know, people and companies and, you know, sometimes people are suggesting projects maybe not with completely the right motivation, but, you know, they're still individuals and you're a little bit conscious of something that seems like an easy decision to, yeah, we'll accept that into the sandbox, you know. But it could affect people's lives. 
I mean, you know, not quite the same way that a Supreme Court affects people's lives. But, you know, it's not... We shouldn't take those decisions overly lightly and particularly when we're talking about things like incubation, where CNCF starts funding marketing and all kinds of additional support for projects that, you know, costs money and, you know, resources have to be spent. So, fortunately, the CNCF is, you know, it's a well-funded organization and the members, the people, the companies who are paying the fees are, I think, very supportive and the governing board is very supportive of that reps of projects. But, yeah, it's been... My term on the TOC is about to come to an end. I'm wrapping up after three years. So, yeah, it's certainly been... It's been a real privilege and I'm kind of interested to see how it... Yeah, I am not looking forward to you stepping down from the chair. You've been a phenomenal chair and kept things moving when a lot of arguments and other things have tended to bog down. And I'm really going to miss that. Well, I hope that, you know, over the last few years, shown how it can work in a kind of constructive way. That was one of the things I really wanted to bring into it. I think there had in the past been some times where things had gotten into a bit of a sort of log jam and, you know, fighting about things was never going to break that log jam and we needed to find common ground and ways to break through and ways to get the processes moving and get more people involved to get more opinions. So, yeah, I'm... Well, thank you very much for those kind words. I appreciate it. So, kind of from the insider perspective, what are you... 
I hesitate to say most looking forward to, but what are the kind of upcoming decisions that you feel like are going to be on the table for the TOC, for the CNCF that you're kind of most interested in, whether that's because they're good or because they're bad or because you just don't know which way they're going to go? Can you tell us a little bit about what you're kind of seeing in the pipeline? Yeah, so one thing that I think will... has been kind of in the room for a while and will continue to be in the room is how big should CNCF be? So, is there a point at which projects become too big? Not too big, too many, if there are too many projects. And this has sort of practical knock-on effects like how big is the KubeCon and CloudNativeCon conference and how many projects can we afford to run security audits for and what have you. But it also has that kind of community aspect to it that if we get broader and broader and broader and broader and broader, do we lose cohesiveness amongst our community? I think it's totally correct that we have pockets of interest and groups of specialization within the CNCF. But yeah, that question of what is the correct balance? I will give you an example. There's been a little... I don't know why they all come at once. It's like buses, three come at once, of projects related to confidential computing who've applied to join the CNCF. And at one level, this could be extremely valuable to CloudNative computing and making computing in the cloud more secure. There is also an existing confidential computing consortium within the Linux Foundation. What's the relationship between those two organizations and what's the right home for those projects and how do we get the right... How do we make that work best for everybody involved? That's still an open question in my mind and I think that will... Questions like that, not just... 
That's just an example, but for things that are certainly adjacent to CloudNative and potentially could be part of CloudNative but should they be? Should we be from a community perspective? I genuinely don't know the answer to that and I think questions like that are going to keep coming up. Yeah, that's really interesting and I think to your point, it's like is that line a dotted one that needs to shift over time or how hard a line needs to be? Yeah, I could see that being a difficult question to struggle with and something that I think for the audience, that's something you want to pay attention to because you need to know if you want to solve confidential computing for yourself as your example, you need to know where to go look for that. Where is the place that innovation for lack of a better term is happening? Where are the resources being put? Because I think that one of the challenges for the consumer of a lot of these tools, particularly in the open source world is product selection and knowing it's so it's one of those things that there was that old saying that nobody ever gets fired for buying IBM. It's that nice city of kind of like, hey, I have my vendor lock and while it has some downsides I always know where to go get the piece I need and in the open source world that's much, much harder and that's part of why we're trying to do this show too is to try to say hey, at least in this little pocket we can try to help you have a sense of where these things are going so that you have a sense of what the right answer is to choose these things and I think like I said, I think part of the reason you're seeing a bunch of projects about confidential computing coming in is because it's becoming very popular right, it's becoming a big concern for a lot of people and so I'm sure there's a number of people who are trying to decide I need to make a product selection sometimes soon who's going to win right and where do I invest my time, energy expertise, etc. 
and I know I've chosen wrong in the past and it's a headache when you're mistaken. Yeah, well, mistakes will always be made. No question. No question, it's the tolerance for change after the mistake is part of the hard part. And with that, we're about at the end of our time here, so thank you so much for joining us, Liz, twice, twice, and dealing with all of the internet streaming troubleshooting that broadcasting involves these days. Do you have any final thoughts for the audience? I guess I will say I really hope that we're going to actually get to do proper in-person conversations at events this year. Particularly, I'm looking forward to KubeCon in Valencia. I'm very optimistic that is going to go ahead and I'm dying to see people in person. That will be amazing. Totally with you. I do want to apologize to the audience that I'm so fuzzy, but given all of our challenges from Tuesday, I decided not to muck with anything and just, you know, one technical flaw is fine. And so hopefully it will be better next time. But to Josh's point, thank you so much for coming. We really appreciate it and we hope to see you again. And, you know, and I hope that I get to see you in Valencia. We'll see. Awesome. Well, it was my pleasure. Thanks for having me. Thank you. Thanks so much.