Good morning or evening, depending on where you are. Hi. Yeah, afternoon, I guess, for me at the minute. Erica, welcome back. Congratulations. Thank you. See, now I'm curious what the congratulations is for. Me too. What did I miss, Erica? I got married last week. Ah, congratulations! And hello Liz, long time no speak. I know, I'll put on my camera. How's it going? Hey, it's going alright. You have a very nice background there. So Erica, that's great. Did you have a COVID ceremony, small, distanced? Small, distanced, in the courthouse or the clerk's office, with masks. All that fun. Yeah, all right. Well, you'll have to have a big celebration sometime in the future. Yeah, that's the plan. Maybe next year or whatever. Yep. All right. I think we usually just wait a couple of minutes. Hi everyone. Hello. Howard was going to be able to join today. I was hoping; I saw his PowerPoint or whatever presentation slides, so I was hoping to discuss that. I see Jim. Hey folks. Hey Robert. Are you doing... Yes. Again. Yes, we can get started. Let me pull up the agenda. I know... wrong document. There we go. So now we had a few things on there. Liz had mentioned on our channel, so hi, Liz. Hey, Daniel, I see you're on as well. We had that as one of the first topics for today, and after that we'll go through some updates that I wanted to discuss on the policy report. Anyone else have any other topics to add to the agenda for today? So then let's get started. So maybe Liz and Daniel, welcome, and I'll hand off to you. Yeah, thanks for having us. Daniel, I didn't completely confer too much on this beforehand, but I've just been sharing a presentation about Starboard to a different audience.
So I have a slide in front of me, so why don't I share that, and then I'm gonna ask Daniel to actually demonstrate what we have. The motivation behind our Starboard project was to say: we have all these security tools, Aqua tools, other third-party tools, open-source tools, commercial tools, and they all have, you know, different user interfaces. They all create reports in different formats, and this is non-ideal for the user. So the idea with Starboard is to bring the reports into custom resource definitions inside Kubernetes, and we have Starboard, which is a kubectl plug-in, to provide a common CLI into the different tools. We started off with four different types of security report that we've got in the initial release of Starboard. It's very much, you know, experimental, but that's how you find out what works, right, by trying it. So we currently support vulnerability information from Trivy, which is our open-source vulnerability scanner; configuration audits from the Fairwinds Polaris tool; then kube-bench CIS benchmark reports; and kube-hunter, which is like basic penetration testing for a Kubernetes cluster. So we've pulled in all those different tools, and the idea is it would be extensible to other kinds of tool. You know, we'd love to have lots of different security tools here. That information gets populated into the CRDs and, as I'm sure Daniel will show you, we use labels to associate the security reports with the Kubernetes resources that they relate to. So hopefully that kind of set the scene, and maybe, Daniel, I can ask you to show it in action.

Yeah, sure. Thanks for the introduction. I think it's a great summary, and now I will show you how it goes. Can I ask one question? Sure. The config tools that you have, what exactly are they checking in terms of configuration? I think I'll be able to show you a report and then we can walk through, okay, the type of things it is checking.
All right, so is this screen big enough for everyone? Yes. I'm running a developer cluster, kind, with a bunch of nodes, and as we mentioned we have a CLI interface for Starboard. You can install it with krew, which is the package manager for plugins. I have already done that, but just to show you that we are already integrated there. So this is the main interface for interacting with security tools, but instead of learning each and every tool, its interface, input and output specification, we wanted to make it easier. So, for example, as a first step you need to initialize Starboard. It's a one-time init command. I will explain in a moment why we need that, but in this verbose output you see that we have to create CRDs, right? We need to send to the Kubernetes API the definitions of the reports that we require. Just to have a closer look into those CRDs, what we currently have in the API: as you can see, we have four CRDs. Some of them are namespaced, some of them are cluster-scoped. If we walk through them, there is the CIS Kubernetes benchmark. Those are typically run on nodes; I will run such a scanner in a second. So you run it on a node, and since a node, a native resource, is cluster-scoped, this report is also cluster-scoped. Then we have config audit reports. Those are generated by Polaris, and those are namespaced because we associate them with the workloads. Since workloads such as Deployments or StatefulSets or Jobs or CronJobs are namespaced, this report is also namespaced. We also have kube-hunter reports. There is no such built-in resource as a cluster in Kubernetes, but anyway, this will be a namespaced, sorry, cluster-scoped report. And then for vulnerabilities, the better name would probably be vulnerabilities report, but this one is namespaced, right? We could check for vulnerabilities in the container images of a given workload.
So now, once we initialize Starboard, we could create a deployment. Let's call it nginx, and use some image that we know is vulnerable. And now we could use starboard find vulns. So now we are asking Starboard to find vulnerabilities, right? Behind the scenes, we will create a Kubernetes job, and this job will run Trivy, a containerized version of Trivy, to pull an image, scan it, and create an instance of the vulnerability resource. And I will also show you that we are using label selectors to link back the report to the actual controller. I'm not sure if it's visible, but if we say like Source name, I think this will be visible, right? So we created an instance. So far we are using a UUID for the instances, which is maybe not the best, but we are currently thinking about deterministic names. Anyway, the label is something that links it to the deployment. We are also going to set the owner reference to the underlying deployment, so whenever the deployment goes away, we will also clean up.
Thanks to the Kubernetes garbage collector. Let me just describe and show you this report. So those are the labels, and if we scroll down to the report, that's where the report starts. So we have the artifacts; as you can see, we have scanned nginx 1.16. We used Trivy version 0.9.1 and we found a bunch of vulnerabilities. It's just a quick summary, but then you can also scroll and see what the details are. In a similar way we could use Starboard to find potentially insecure configuration of your deployment descriptors, if we say starboard polaris. Probably we may change it to a command similar to find vulnerabilities, like config audit, but for now it's just polaris, for lack of a better name. Also, we are working with the Fairwinds folks to specify the deployment. It's not ready yet, because Polaris did not allow us to; Polaris is scanning the whole cluster, all workloads across the cluster. But once we run it, you will see the reports showing up. Again, Starboard doesn't have the logic of how to scan it. We are using a third-party scanner. And now we should be able to see instances of the config audits, and so if we take and describe the config audit report for our nginx deployment, you will see that there is a report. And with Polaris, we are actually reusing the model that they came up with. It's checking the deployment descriptor at the pod level and then at the container level. Since I created a deployment with a single container called nginx, we have a set of container checks. For example, Polaris checks whether we are using a deterministic tag, not latest, right? Then there are some checks for security, for example whether we are running as root or not. So there is a bunch of settings that usually, by default in Kubernetes, are least secure, right? So this is kind of hostPort set, etc.
I think for the latest list of all the checks, the best source is the Polaris CLI, because again, as I said, we are not adding any additional things. We're reusing what they output. Some checks make sense at the pod level, such as hostPID and hostIPC set, so those are reported as a separate section. Before moving forward: so those were namespaced CRDs and namespaced checks. We can scan with Polaris and Trivy every type of controller. It can be a StatefulSet, DaemonSet, ReplicaSet, even a ReplicationController. We also have an extension to Octant. Octant is this dashboard from VMware, where it allows us to display this information in maybe a little bit nicer way, right? Sometimes this terminal output is not very readable, especially if you have multiple reports and multiple containers. But since this is a CRD and we use the Kubernetes API to read and write data, we could easily extend dashboards with UI components, and we picked Octant because it has a nice plugin API. So here you can see the vulnerability report for the nginx container, and behind the scenes the implementation is very simple because we are just using label selectors. If we go here, we also display the config audit report. This is not something that is shipped with Octant, but thanks to our plugin. Probably the thing that we should have mentioned in the beginning: we have a plugin which is called Starboard, and this plugin allows us to add different sections in the UI. And to complete the demo, let me show you how we display kube-bench reports. Again, the same mechanism. We are creating a Kubernetes job.
This job has a special command. Usually we are using the containerized version of the scanner. So in this case, we used kube-bench and then we generated the CIS kube-bench report. Currently there is a little bit of inconsistency in the latest version, because it's still in the experimental phase: some of the resources that we create have a timestamp appended. But recently we realized that we will probably just store the latest and greatest scan report. We don't want to use a CRD, etcd, as a database for all historical data. So you will see a little bit of inconsistency if you try it on your own, but eventually we will make it consistent: either use deterministic names or UUIDs, append or do not append the timestamp. Just for your information. And I could also run kube-hunter. Again, we're running kube-hunter. Call the help cluster, and then we could describe this one. So again, there is a bunch of similar, the same actually, properties, but in general each tool reports vulnerabilities in its own schema, so we don't have a generic schema yet, and probably we won't have one for each and every scanner. But you could access this information from the terminal, and we have also integrated it with Octant. So in Octant I could also display the CIS benchmarks report here. Since this is a worker node, kube-bench automatically detects that it is a worker node and it is running the tests appropriate for the worker node. For kube-hunter reports, we do have this separate UI component, and as you can see, kube-hunter found three low vulnerabilities. And with that, I think it's all from the CLI standpoint. We are also working on the operator. All the commands that I was demonstrating we would like to automate, so whenever there's a new deployment created, we could run this kind of scan. So the Starboard CLI is kind of a command-line interface, but also the library that we want to reuse to build automation around that.
So yes, if you have any questions, I think we'll try to answer them.

Yes, a few questions, and thank you Daniel and Liz, a good demo and great project. So I guess, first off, just to clarify my understanding of some of the goals and what you just demonstrated. It seems like the goal here is to try and give a common way of running different security tools, and obviously collecting data from them, and a way to output them in the same manner, right? Because the alternative would be somebody could go run each one of these tools separately, but this gives one unified interface. I don't know if it also does installation of these tools and upgrades, things like that, or if it's more about just running and then gathering the data from these tools.

I think we wanted to focus on the model rather than how these tools are run. So essentially, the most important part is to find a common schema for the vulnerability report, because we found many integrations, and I think we started with Harbor, which is this container image registry, and then we had the same challenge: we were trying to define a vulnerability model, or a model for the vulnerability report, so that the other third-party security vendors could implement their scanners. So what we've done as a first step in the Starboard POC was to integrate Trivy, but we also want to advertise and promote this model, saying, hey, this is good enough, or maybe generic enough, kind of a common denominator for all the vulnerability scanners that you could plug in easily: I don't know, Clair, Anchore, maybe some commercial scanners. So that was the goal: not to have a generic jobs runner, but to have a common model. So then we could sum up, summarize, transform this model, right? We don't have to learn what the output of Clair is, what the output of Trivy is. We can discuss the vulnerabilities in terms of this common model.
I think also one of the side effects of taking that security information and putting it into Kubernetes-native resources is that we can take advantage of RBAC, and that's something that our customer design partners were really, really excited about, because they can basically give access to, you know, a developer team, right, who only have access to a certain application namespace. They can see the security reporting just as...

Right, right, so certainly making that accessible makes sense. But again, from the output and what you're showing here, there's some common structure to the reports, but then each scanner or each engine is plugging in its own custom data as part of the output, right? Is that correct in terms of how...

So yes, but I think there's a distinction between different types of security tool. You know, a vulnerability scanner does not produce the same kind of output as a benchmark. But vulnerability scanners all produce something pretty similar. They might not have all exactly the same fields, but as we know from the work in Harbor, there's a lot of commonality. So it would be great.
I think, if we can establish a common definition, and then people can plug in whatever scanner suits their needs, right?

A question from me, if you don't mind. Have you seen the container security operator that the Red Hat Quay and Clair team worked on? Okay, so I just reached out on Slack to our team, because I think I'd love to have them collaborate. What they did was very similar to what I'm seeing here. It's initially focused on vulnerability, and it initially works just with Quay and Clair, but the intent was to make it pluggable for any scanner. And so I think we have an opportunity to leverage each other's thinking to get common formatting and content, etc.

Yes, I can also comment on that, because actually I was playing with the container security operator, and the difference, and this is actually a good point, maybe to explain why they are different. You can see that the vulnerability CR in our case is namespaced, because of the RBAC that Liz mentioned, right, which is great.
Yeah. It looks like data redundancy, and it was very tempting to store it at the cluster level, because usually you will maybe have, in multiple namespaces, the same image with the same digest running. So it seems maybe this is wasteful. But on the other hand, if we make it cluster-scoped, we don't have so much flexibility to give permissions to some development teams to check what kind of vulnerabilities they have. So the operator that the Red Hat team has is actually storing the vulnerabilities which are linked not to the workload, not to the Kubernetes container, but they are associated with the image digest, and there's a kind of naming convention where they're using a SHA number to name the resource, right? So they don't use the label selectors, but they could find out whether the given image was scanned or not. And the other thing is that indeed you need a registry which has a vulnerability API, right? So if you have Docker Hub, or your workload is running an image from Docker Hub, the Docker Hub API doesn't yet have the vulnerabilities endpoint, so it won't get this information. We wanted to have something more...

Yeah, no, and honestly I was not deeply involved with the CSO, with the container security operator, so that definitely sounds like... I can't imagine, though, that Red Hat would not have applied our own RBAC to the results, because everything we do we consider as multi-tenancy in the cluster. But I just was thinking I'd love to have the folks who did look at that and think about it collaborate here, and so I just gave them a heads up. So hopefully they can get involved and, you know, maybe eventually we move more towards the Starboard-like design, for all I know, right?
So I think another thing that I would like to touch on, and I think this is particularly in the light of the work that this group has been doing around the common policy CR. Although from the work we've been doing we've come down on the belief that we need more than one type of report for the output from different tools, I think there is a summarization that probably fits into some... We're bouncing ideas around now of something that takes the summaries from all the reports, perhaps all the deployments in a namespace, and aggregates the results, knowing things like how to interpret the summaries from each of the different types of reports, to come up with a sort of single view of: this namespace has an issue, you need to go and address it; these namespaces are fine, there's nothing to worry about. And I think that would be a really valuable thing to have a common understanding of.

Right. Yeah, absolutely. Sorry, go ahead. Yeah, this is Jay. So I think I agree with the settlers. And so the way I look at it is there are different controls and Christian kind of down into the vulnerability scanning control, right? That's just one type of control. There are several others, and it is good to agree on a common format for how each of those controls provides all the details. But then, for a centralized management offering, like what's the focus of my area, right, which is the Red Hat Advanced Cluster Management product, which also ties to our Open Cluster Management community project, our focus is on managing a bunch of different Kubernetes clusters, right, OpenShift and others, and then being able to define policies that get propagated to those, as well as retrieving the results back. And then, when you get a particular result back and you drill down, you have to get into the details of a specific control, right?
And I think agreeing on a standard format, so that it doesn't matter whether you're using Trivy or you're using Clair, whatever scanning tool you're using, you're still returning the results in a format that's easily understandable, right? So I think there's value for both the summarization view as well as the drill-down view, right? I think both.

Yeah, absolutely, totally agree. And I think the problem that we were trying to solve, starting maybe with the highest order or the highest level, which is where we started with this working group, is how do you give admins as well as workload owners, right? So that was very important, and we had quite a lot of debate on whether policy reports and violations should be namespaced or not, and I strongly agree that they should be, because these should be visible to the workload owners. And so the idea was to give one common way. One other interesting thing is we had a discussion just a few weeks ago on what the different categories are, and for now we had security as a large placeholder. But I think with what you just showed you've done a good job of categorizing the different tools in terms of whether it's vulnerability scanning, configurations, other things like CIS runtime benchmarks, etc., right? And there could be more. We wouldn't say that we've, you know, everything, but it seemed like a good start. Yeah, so one question: let's say somebody wants to add a new engine or scanner to this, what are the steps? Does it involve code changes? Is it runtime extensions? How do you plug in to this tool?
So I cannot answer that. So this is the main repository. Currently it's a CLI, so the executable binary that I used for the demo. But also, if you want to implement a scanner in Golang, you could reuse the code. We have this code generated, right, so you could programmatically create instances of those four types of reports, so you don't need to do the plumbing. And then also, if you don't want to use Golang for some reason, we believe that, this is something in progress, but I would love to have something which is called a custom security resources spec, and that's the entry point for you, right? You could use whatever language you have, as long as we know that, okay, this is the report, this is the payload. And we also need to explain the semantics a little bit, right, all these things such as label selectors and naming conventions. This is not documented; you need to reverse engineer it from the code. But if it is specified how we know why it's namespaced, why it's cluster-scoped, how to link it back, how to drill down from this overview to a particular workload, then I believe that's the only thing we're right...

Yeah, and the reason why I was asking is that a while ago within the working group we had also discussed what parts of a policy, or, we were obviously thinking more about policy engines, but it applies, as you've shown, more broadly to other security tools as well, is what parts could be standardized, right?
Some of the machinery around launching, running, and then collecting some level of data from them, right? And we decided to start with what seemed like the easiest at that time, which was the final output, the high-level output. But yeah, it would be very interesting to think of this almost as a... So kubectl of course allows binary plug-ins with CRDs, and I am assuming custom security resource definitions is meant to be like a CRD, but for security tools. So yeah, that would be very interesting to explore, if this could be turned into some kind of a plug-in model where anybody can come and contribute an engine without having to change the core code in Starboard.

And I don't think we're exactly there today, but that is definitely where we want to get to, yeah. Yes, you know, documentation, a little bit of work to do though, but yeah, that's certainly where we'd love to be.

Yeah, and also I wanted to mention that we haven't done that for each and every type of report, but at least for the vulnerabilities we also have an OpenAPI spec. So that's one of the safety nets, right? If there is someone who wants to integrate with Starboard, as I said, today probably the only way is to do it programmatically. We don't have pluggable interfaces, but at least we have done this part of, all right, let's define the vulnerability item, because each time there is an integration we are reinventing the wheel here. You have the schema; you just need to transform the proprietary output to this standard-like form. So yes, you could also apply it directly from this repository.

And, you know, we'd be open to people telling us we've missed things in these definitions. It's a first pass, but ideally different tools would be able to reuse the same definition, so we don't have to keep having lots of very similar, but not quite the same, right?
Yeah, and maybe a last comment before I forget, because we put some thought into the number of CRDs, whether it should be one generic map-of-maps kind of thing. And when I look at that, it was like: realistically, how many kube-benches do we have? We have one from Aqua. Maybe there is one from Docker, which is using, I think, some shell scripting. So there are two; there won't be too many third-party tools doing the same thing. I don't know what can be done better; probably it's just a matter of maintaining the existing tools and adding checks to the CIS benchmark spec. For vulnerabilities, I think this is a very dynamic, let's call it, market, so I expect there will be potentially lots of third-party integrations. For config audits, what the Polaris, Fairwinds folks did I think is super generic. As you saw, it's just checking the deployment descriptor, like a pod template, mainly looking at the security context of the pod and then containers, right? So I also believe that we could bend the majority of existing tools to fit into this model. But this is kind of the approach: how many tools, and how to integrate them into this common format. We were able to somehow manage it as it is now.

Now that's interesting, and have you guys also listened, and I'm sorry, there are a lot of these meetings I haven't attended, but when we think about kube-bench and you were listing kind of what's available?
So you folks might know, right, because often Red Hat work together a fair amount, that OpenSCAP is a key way for US government customers, a key scanning tool, SCAP. And so Red Hat is, and I know this has been discussed with this group, Red Hat is investing in a compliance operator that will do OpenSCAP checks, or will run OpenSCAP and use SCAP content to do various types of compliance checks. I'll find the repo, Eric. So that's another area that it would be great to collaborate on. I know not everybody wants to write SCAP. I wish we didn't need to write SCAP, right?

I don't even know what SCAP is.

It stands for Security Content Automation Protocol, okay, and it's a NIST-approved protocol for types of security scanning. You can use it for vulnerability scans, actually, also, and CIS also creates SCAP content for their tooling, where their benchmark is under Creative Commons but their tooling is proprietary.

I see, so each benchmark would map to a SCAP...

Thank you, whoever found the compliance operator. Yeah, I'm sorry, go ahead.

Yeah, so just my question was whether each benchmark, like a CIS benchmark, would map to something like a SCAP definition, or individual controls would map to individual SCAP rules. Okay. So that, and then you would have the concept of a profile that is a collection of rules. Got it. And Jaya, correct me if I've misstated anything. I think Jaya had to drop, right? Okay. Yeah. So just a SCAP, I don't know, item, I don't know what the right term is. Just that, and typically runs like a shell command or something?

It runs the OpenSCAP scanner. So if you were to Google OpenSCAP, it is an open-source scanner, scanning tool. And again... Yep, thanks. So NIST certified. But then within that tool, how does it perform each individual check?
So we might need some folks from the engineering team, who aren't here today as best I can tell, unless Erica's up to date on this. But again, there's a set of content rules that are called, and right, and then there's an output report afterwards. So those are written in XCCDF, I always get the acronym wrong, but you can run a set of individual rules. So OpenSCAP knows how to work with SCAP content, and it runs those rules, and the goal of a profile, right, is to up-level that so that you don't have to select a bunch of individual rules, but you can say: I want to run the CIS OpenShift profile, or I want to run the NIST 800-53 profile. And the reason Red Hat invests in SCAP is because it's NIST certified; our federal customers, US federal customers, accept this type of content. And so, you know, honestly, nobody would want to use SCAP if they didn't have to. So yeah, I believe it runs as a DaemonSet. Yeah.

Okay. Yeah, that would be interesting to understand and compare them, and then, as you were saying, Daniel, look at the results and see what the commonality is. And similarly for configuration tools, I agree at a high level, whether it's Polaris, or there's Kyverno, or there's OPA Gatekeeper, which I think all of them also can act as admission controllers as well as configuration scanners. At least Kyverno and Fairwinds Polaris scan, and I'm not certain about Gatekeeper, whether it does background scans or not. But yeah, some commonality across those would be interesting to explore as well.

I think that's another thing worth just highlighting about Starboard: Starboard is reporting on the security status of running resources. So Starboard doesn't have a role as admission control, right? It's kind of post-deployment, if you like. Just felt like that was worth separating from the kind of pre-admission control, right? Now they might have a lot in common.
You might do the same check as part of, right, in control before deployment. Yes, in the CI/CD pipeline. You're right. Okay. All right, any other questions on Starboard, or anything else, Daniel or Liz, that you'd like to share?

Maybe a last comment from my side, so you have time to think about your question. Today, as I said, we are also working on the operator, and we are watching native or built-in resources. Then, if you want to integrate with things like stop or maybe some more generic forms, we could also watch the custom resources that we have created, right? We don't have to do this in this first reconciliation loop, right? We can keep it simple and then cascade this information, or maybe use some existing upstream tools that do collect this data from the cluster. That's why we don't want to have a history. And I think it's maybe also worth trying out or writing a quick POC and testing whether the vulnerability report, or some other report that we have today, fits into the schema that you already thought about. So just to mention that I think we can play and see how it works, because I believe that at the end we might have these strictly typed reports for some use cases, but it doesn't stop us from having something generic.

Yeah, and in some way, like one of the discussions, Jay had brought this up a few meetings ago, and I think others on the team might remember this, there was a discussion on how you link from the high-level report to details, right? Where should the user go to find details? Is that a reference to another CR in the cluster? Is that a URL? And we kind of didn't have a conclusive opinion on that. We wanted to keep it, have a field where, for each entry in the policy report, somebody could say: go here for details. But yeah, that's something that we could look at, and perhaps the details is another custom resource produced by the engine. Yeah, that's a good point.
But also I remember from Harbor and just defining the common scheme This is also pretty big constraint on the third party scanner because not every scanner is able to provide such a different information so just just as a Right heads up. It's for example, like in Polaris today as you saw we can scan the whole cluster and only We requested a change like an enhancement to the Polaris to allow us to specify a single work So then it makes simpler to Configure our permissions for the tool etc. Uh, but this is also something to to keep in mind that okay All right, I think that sounds like a good next step to see, you know, if again the policy report schema that we've been working on if that fits in into You know your thoughts and view of a high level model to aggregate some of these results And we could try them out across some some of the categories you've defined and Certainly this is very much work in progress for us too. So Happy to get the feedback and inputs and see how we could make this better and something that's usable for everyone Great. Well, thanks for the the opportunity to show us to show you what we've been doing Oh, absolutely. It's great stuff. Um, okay, so I can quick Quickly talk about Uh, just a few updates and if anyone else says anything Uh, we'll try and save some time for that as well So one thing I wanted to um show and this is in actually our repo. So if you go to the work group policy prototypes, um, you know, you've roged from my team figured out how to uh, generate I guess API docs. So this was something that's not supported right now directly in Kubebuilder, but there's some PRs and uh, you know, like based on some other submissions what we were able to do is actually take the The the API or the CRD definition and then convert it into a more readable document, right? 
So this is here to it's HTML as it's checked in into the repo right now So you have to kind of use like one of these preview things and we'll add a link to the README page But I think this was the one step that um, at least, um, you know, I wanted to make sure we we complete before we Um, you know lock the document and move over to GitHub in terms of managing Comments and changes and other submissions So at this point, you know, we have the basic CR in in GitHub. We have samples and you know uh, Erica someone from, you know, jstm also submitted a sample. I have a sample for Kyverno, or and you know what we'll um start collecting is more samples. So definitely Daniel and Liz if there's something you want to submit for Starboard and how it could You know fit in into this model feel free to just create a PR And at that time we'll then start going through and you know, we can even what I was thinking is we'll add a unit test Which will take each sample and validate it against the CR and make sure that it you know complies and That will help in the submission process itself Any any thoughts questions on that and you know this of course as um I think as Kubebuilder sort of mature or adopts like this document standard will Will you know reuse or switch to whatever they're supporting but for now we're just using Someone had submitted a PR to this tool which adapts to the Kubebuilder model So that seems to work reasonably well for us at the moment That looks really cool Yeah, it's much more readable than the OpenAPI schema, right and um, hopefully it will you know, let let Folks go through quickly and provide comments, etc Okay, we have one open PR, right? Yes. You want to discuss um, it's a somewhat minor But I believe there's one open comment on it and that is using selectors right Yes, so there was one comment. 
I think you had submitted on when should we use the scope versus resource um Yeah, so I can I'll uh, I can add in some Yeah, I'm trying to think what's probably the best thing to do is just add this to the now that we have the CR And the ability to generate documentation. I'll update the CR itself and add in some Um, discussion there and that that could become our standard sort of documentation format for for this Okay, um, there were a few other things I'll Go ahead Erica If you just let me know when you have that in I'll make sure to give the LGTM Okay Sounds good Yeah, and I think the only other thing on the PRs. I think Robert you you still have some I guess Some things to complete to get uh, you into the approvers list. So let me know if you need. Okay. Yeah, I'll take a look. Sorry about that No worries Okay, so we'll go ahead and get those done and I think um That's all I had to discuss. Um, Erica Robert anyone else anything else that we should cover You know Oh go ahead No, go ahead. Nothing for me Uh, we have Which Howard wasn't able to make it but he's at least back and active a little bit Uh going the KubeCon presentation that we have to record um So I'll be getting in contact with him about that if anyone has specific items they would like to see discussed in The deep dot policy deep dive let us know Yeah, okay. So that that um, I I I did mark up and add some comments to that and added a little bit of detail on some of the slides And I'll I'll carve out some more time Uh, what is there a deadline? I believe it has to be recorded by the 31st I am a procrastinator. So as long as you get it by the 30th Perfect. I didn't get it before that Yeah All right, and that's July This is KubeCon EU which is mid August or so, right? Uh, something like that. I think the deadline though for the recordings was the 31st of July all right Okay, yeah, I know Howard had sent me a link also. 
So I'll I'll take a look and you know Add some information or you know, we can collaborate and get that done awesome Any other items anyone has or anything we can help with going once twice All right, thanks everyone Uh, look forward to talking more All right, take care. Bye. Bye. Bye