 Good morning Hey, good morning Taylor. How are you? Well, I'm all right other than the zoom controls keep going away Okay, yeah How are you doing? Yeah, I'm doing good. Yeah And I couldn't attend the last two meetings because we had some Your mother trainings going on All right. Yeah, I couldn't make it. So yeah Join this week and yeah, I wanted to discuss few things. Okay Posted the meeting that's to the zoom chat you can Drop your Poppick in there and put your name in Okay, we'll get we'll get started about five after So another three minutes We may have Low attendance today because it's Martin Luther King jr Holiday in the U.S. Right greetings Hi, Shabana. Let's get started here the four of us All right, Shabana. Is this your first meeting? Hello. Yes, it's my first time All right So today is a welcome Today's a little bit of a off day. So please come back on a regular day It's a u.s. Holiday today. So there's a lot of people that are taken off Even people that aren't in the u.s. May be associated with companies there and and they have off or Something of that effect. So there's going to be less people Although I see a couple joining. Hi, Ben Taylor. Hi guys. Hey So Shabana This is one of a few initiatives that the CNCF has for focused on telecom The working group is focused around Documenting and discussing and best practice best practices for Cloud native best practices for telecom applications and platforms How the applications run on platforms specifically kubernetes and how we can improve them as well as Looking at the context around these cases user stories Any type of supplemental information when people run into problems we want to document that sort of thing and a Related initiative Has its own call as the Cloud native network function or CNF test suite and that one is focused on Writing tests around best practices That can test application so So guard, did you have a topic you want to add? Um Yeah, for today's discussion. Yeah, we'll just you know, uh, going through some best practices Let's put that in for the last year Sure, Ben. Do you have anything? Honestly saying I Didn't have a skill need to touch the document. I got only one One response one comment, but um, I didn't have any time to to develop it more all right I think a lot of folks are For have been busy with the new year starting and the initial planning and all that sort of thing okay, um Shabana, do you have anything that you would like to add to the agenda would normally just have people put their names here and the and maybe it's not in the Notes, but I'll put it. I'm sorry in the zoom chat so the meeting notes And you can add your name and if there's any topic you'd like to discuss we can add it to the agenda Okay, so should I just like put my name in there? Yes, please Just drop your name in there and if there's something you want to talk about you can just put it down into the agenda section All right, I'll open the pull request See what we have here um, so I'm going to work from oldest Really quick. I'm pretty sure that there's been no activity on this one But we should probably see um, some more activity over the next few weeks Jeffrey salons move jobs. So He should be more active. Let's see if there was anything new Six days ago There's just a tool thing that probably can be added to the discussion board Hey, tom I think it's going to be a little bit quiet today tom because uh most Well, the u.s. Folks are off for the holiday You're probably aware Yeah All right Let's see if we got any comments on this one. So we have a And for those that aren't familiar with this we have people contributing content around user stories use cases and then some are working directly on best practices That's really whatever is of interest and where you want to add stuff this particular one is around when a best practice doesn't work for a company then they should Document it. We want to make sure that it's communicated to the end users of whatever The products If something isn't following a practice why it's not and that they can easily see that and then make decisions on it It may have very valid reasons. It's just communication um And there's a whole Right up around this motivation and other stuff. So this is a draft of what'll be the best practice Hey Taylor Yeah, I had a quick question on that. So I was working on Like I think one or two proposals that like we discussed in the month of december Do you want me to directly go ahead and create a pull request or you want it reviewed first by internally? Yeah, I just wanted to check with you on that So it's really after you um on How you feel about the the state of it? I mean, okay So this particular um Pull request mm-hmm It has a A draft best practice. That's what this is about Documenting and stuff the compliance so let users explain what they're compliant with and all this stuff It also includes um Some use case information that'll be extended there So if you feel like you have enough content, then feel free to put that in I mean it probably one of the ones that are easier to say would be like The user stories So if you've already written up something that covers a bunch of items like this these user stories then feel free to put a pull request So one of the things as far as reviews, which you're saying getting a review Is pull requests are actually pretty nice. Let me open this one Pull requests are pretty nice for reviews. I mean you can put something in there And if someone has a suggestion, let's say it's a simple spelling Um update Well, they're they can quickly Suggest at it All right. Okay. Yeah, I'll just uh update my draft and then read the pull request If you don't feel like it's ready then feel free to create, you know, like a shared google doc then If i'm recalling right Ben's yours was a google doc and um You can then request people to come and add comments and stuff there Some people use markdown so you could do something like hack them day or whatever and just share it So it's really what whatever you feel comfortable with and then put the pull request in when you're ready Okay Now we don't want to pull requests with just like a title But if you actually feel like you have enough content and enough sections and you can always mark them as a Work in progress a whip like this and keep it that way, but you're wanting people to review it Got it All right, so this one stateful user stories, um oliver They're going to be on vacation today in the u.s Probably won't hear anything But this is this is is around I think this is going to be related to a lot of applications That we're going to see specifically for telecom going with data needing to Think about state The use cases and user stories these happen to be Related to a charging and accounting type application for a five a 5g charging and accounting But I think a lot of the concepts and stuff that are needed in these are going to be useful other places um So doing some feedback and then we want to get this Merged pretty quickly specifically user stories and use cases. We want to get emerged quickly and then iterate Any changes on them updates because they provide context for a larger group of people Let's see. I'm going to go on to the next one So this one is new and pretty straightforward. Hey Is it time to change this Change meeting time. All right. I think this one can just be merged And it looks like You already got an approval and Thanks, Lucina and that's it. We're through the pull requests. I'm going to move back over here And I'm going to stop my screen share and you can talk about best practices Sure dealer Yeah, I think one of the proposal that I was working is so having your In applications pull images from known registries and In addition to that I was Also thinking that we should sign the image signatures that we use in our application Let me quickly share my screen for a second so So I think it would be Really good that we validate our images That we use in our deployments. For example What we can do is we can verify the signatures associated with images and I think these days it's very important in these supply chain security that we do that And we know from where the images are being pulled and the signatures associated with those images is validated so we have a like Given a policy that does it So whenever you sign a particular image The signature is stored in an OCR registry So what we can do is we can verify its signature by using its public key And I think this is very important and to extend this we can also You know validate the attestation of the image that is one option Um, so I just wanted to discuss. So What are your thoughts on this? Yeah, I think it's a good idea. Um, this is probably relate to that supply chain attacks And this would be part of defense against supply chain attacks Yes, and yeah, we can also validate the Um, build information associated with that particular image like what is the repository URL? What is the image name and stuff like that and I think That will give us very useful information to validate Whether you're using the right images for your application So this is one of the yeah, this is what I was going to add to my existing proposal that I was working And yeah, in addition to this I have written some more. Um, but just wanted to You know discuss some of them before I Create a draft version um There is this um using certificates Um, so if we if we have to upgrade the um certificates Um That your application is using then we can mount those certificates as volume and You know, this will help kind of in the automation Um, so I was not really sure if it can be a best practice Can we do that? I think um, I'd need to see a little bit more about this one But I mean it's it's anything can be proposed as far as a best practice All right, I'd like to see more information about why this particular one is a best practice So so I just not clear to me. What is the proposal here? I mean what kind of certificates mapped into What kind of C certificates are mapped into which pods? And what and what is the This is right, so basically if you want to update your CA trust store, um, you know, you can bundle all the certificates and You know, map it as a config map to your deployment. I think This is so the idea is to The idea is to to to detach the the the C certificates from the container image and and And map it from from a config map, right? Yeah, that way like you don't have to Include it as part of your docker file or anything so There is a there's one thing that that if you want to prepare A flat image where you know, you don't want to build your image based on On you know, I'm fat based images and you want to want want to let go application side Then the only problem usually is actually what you're telling here that there are no CA certificates inside. So this is sounds like In that case an interesting solution for that problem specifically Right, so I mean, um, if we have to any if you have to basically update any certificates Instead of having your application build an image with that certificate. You can just mount it as a config map Um, this is this is more like automation, but I just wanted to Um Check with you guys if it can be a perspective But yeah, I'm going to create a draft with more information and share it so I can review and you know Say if it can be a best practice No, I I'm not sure, you know, it's it's for my in in my point of view, it's it's a little bit borderline because Because there are some some places where this is needed, but but But most of I think most of the industry solve this problem without um Without, you know mapping config maps, um, so therefore for me, it's a little bit borderline, but but I you know I'm just one. I'm happy to hear what the other thing I think Okay, so, um One I think to remember is some best practices or some practices may be more of bonuses and Versus a requirement type of thing This is a little bit easier on the I think the test suite side. There's there's things that on the test suite where We would think if you don't have this Then you can't claim your cloud native at all and then there's things where it's more of If you're doing this, it's helpful, but it's not a hard requirement And it kind of feels like this might be in that area. I'm I'm just not quite clear either From a testing standpoint, I think as far as like a test capability I could see it useful on the scene of test suite But I'd I'd like to see more write-up cigar and maybe more context with use cases or user stories on that particular one Image scanning the image though scanning. I think is going to be critical going forward. I think ben Do you all have something around image scanning as well? Yeah, we do have an image scanner actually we our image scanner is based on another uh, cn other open source project called Grype by encore if you know it actually I think it's one of the best vulnerability scanners And we think our packaging is for Kubernetes clusters. So it's rather we are giving a wrapping around it but But for for actually the reason why we are using is is more not just to provide image scanning on itself But but but more to to enable you to identify uh, vulnerabilities, which are public facing and and some things which have to be no Priority prioritized. Okay, so it's not general when a bit is cunning, but it's rather to take actions where at this cluster Any other comments? discussion Thank you cigar Yeah, hey Taylor. I had one more thing. Um, yeah, like regarding the key word no integration with the cnf, right? um, I have written the code for the um, you know, some of the best practices that we discussed um So can I go ahead and um There were some policies which are um, you know, which are already there in the cnf test suite So I was thinking whether to include them or not. Um, so How do we, uh, you know, do we have to shortlist before? um, creating a pull pull request or I just created and then we can discuss it further Right adding a new test to the test suite. Yeah um, so I would suggest create a ticket for the test that you're going to do and you can um Add some info there and then feel free to go ahead and do a pull request and reference the ticket And then we can do a review there Okay Yeah, sure. We'll do that um, you check out the The if you haven't looked lately, but the usage guide um specifically around like security the security category and the resilience and availability Uh, there's more documentation around those tests. Um, we're trying to have Information about the importance of why are we testing this? What is it doing and that sort of thing and of course any reference links back for more content That's fine as well on this But that would be part of the tie-in that we'd want before we would Merge a pull request. So There's okay code for testing the documentation around it why it's there and then the other part would be Spec test that validate that the test is working as expected Right, okay But I I think you have A lot of examples around that at this point and feel free to reach out But yeah, go ahead and just create an issue and then you can create a pull request either Fully open or put it in a draft and Feel free to ping folks like Denver who joined the colleges now. Hey Denver And We'll take a look Okay, all right Yeah, I think that that's all I heard for my third Does anyone have anything else? Tom, I don't know if you've been updating that Walkthrough for people ops type people that is a checklist. Are you Are you doing this? Yes, you're thinking cloud native and so on if you've been updating it, but I think it'd be good to bring back forward And share with the group again. There's a lot of new people that haven't seen it Not today, but just in the future if if you're willing to Sorry, which we we still keep them. Is that sorry? that You had that spreadsheet that kind of was a walkthrough for ops type people I'm checking if if If people are thinking in a cloud native way Are they Testing my memory All right, I'll reach out to you and ping you. I may have a link to it But it was just it was thinking from an operations perspective and just kind of a walkthrough Are you doing this? Are you doing that? Okay. Yeah, that rings a bell here. Um, yeah, if you if you ping me and just I'll see if I'm fine the document in terms of where the people have been using it. I'm not sure I can I can try and find out though All right sounds good All right Well, we'll stop here unless anyone has anything else No, good. Thanks Thanks, everyone. Thank you Thank you