 JJ it's midnight. Not quite it, not quite it. It's 1030. 1030. Yeah. 90 minutes before midnight. How was the APAC meeting? APAC meeting was good. I think there was a decent demo that happened. I think it's getting bootstrapped and it was good. I mean like the boat was showing up. There's enough number of people from different org showing up. So it's getting starting to come better. SIG Security international. That's awesome. You're like the global chair of SIG Security. Global chair. How did you come up with that meme? Most international chair. Most international chair. I like global though. International chair. Yeah, sort of like a flight routine. I would say SIG Security follows the sun but in reality just never sleeps. And you're the proof of it. Yeah, it's a good group of people though. I think it's, it's, I mean, I love you all here as well. It's a good group there too. Okay, so now that you're here, do we know who's, let me exit out of this? Running the meeting, let me open up the agenda. You even show sign up on the list as global chair, SIG Security. I'm there. I put 27th is the other meeting. And yeah, there's no meeting facilitator who's who's signing up for meeting facilitation. Any takers, I might be on a low bandwidth. So it gets choppy. Yeah, why don't you run with it and I'll fill in if needed. Okay, so the fourth Cloud Native Security Day. Somebody should have an update on what's, what's going on with capture the flag, which is the most exciting part of the whole thing. The event in itself should be pretty exciting. If you look at the schedule we have all sorts of talks ranging from confidential computing. There's a talk with eBPF, there's a talk on WebAssembly modules. There are talks on identity and access. There's, there's quite a bit that's packed in there. We have great keynotes from the event sponsors, Red Hat, VMware, Checkpoint. The CTF in itself, it's a lot going on. There's several scenarios. 
Magno has worked closely with the ControlPlane folks, Ron Vitter has participated. Magno and Diego are running the Twitch stream, they're going to be providing live coverage of the event. There's there's a lot of guest speakers there. Magno, you want to talk a little bit about that. Have we started the meeting officially yet? Okay. Yeah, so, so yeah, for the CTF, we're going to have at least at least six challenges for different scenarios, right, in Kubernetes scenarios and everything. Usually the person doing the CTF, each person gets their own cluster. And usually they start inside of a cluster or on a node in a network next to a cluster. So there is all this like stories that we present to describe a scenario and what they need to do to get the flags. And so yeah, ControlPlane, Andrew Martin and Lewis, are working on the challenges there. We help them with some suggestions for the challenges as well. So they're busy working on that. And we're also going to have a live live stream. So in two separate moments for one hour, we're going to bring some guest speakers that are famous and are well known in their field for Kubernetes and cloud native security. And we're going to kind of interview them and ask questions about what are they, what they think about specific challenge, right, of course, introduce them and present about their journey into cloud native security as well. And ask about some tools that they use for either either doing a CTF or solving an issue, incident handling or troubleshooting a Kubernetes cluster. So, yeah, I think that's that's that's it and all kinds of fun stuff. So do you have to be registered for Cloud Native Security Day to tune in into the Twitch stream or not. I'm getting the question come up. I don't really know. So, for the Twitch stream it's open to anyone, even even the CTF if you, if you will right so because we're not kind of tracking who's joining. 
So if you have a Slack channel there on on the cloud native cloud native Slack and everyone a specific selection for the CTF so we're going to have someone responsible for test master. So this person is going to be Lewis and he's going to be handling the deployment of the clusters and giving each participant their credentials to access each cluster right. So the Twitch stream, all you have to do is follow the Cloud Native Computing Foundation Twitch stream. I can put the link on the chat after that. And because if you want to interact and chat and ask questions also that we're going to get some questions from the from the audience from from the chat. So you need to follow that beforehand because it takes like 15 minutes delay before you can start interacting with the chat so if you can follow that earlier before even before the event so that's better. So let me get that. Let me get that link for you. Any questions. And I know this sounds exciting do you have the list of speakers for the Twitch stream already lined up, or are you going to post this somewhere. We have the list we just sent them some details today. So if we're gonna post it, I think there's some details on the schedule but there's, I don't think we have the names of the speakers there, but I can give it to you here if you want. We have we have one of them in attendance right now. Oh yeah. Yeah, Rory. Rory McCune is joining us. Yeah. Yep, over there. So, so just just a quick overview here of the speakers the guest speakers so I'm going to be running the Twitch stream together with Diego and Ron. And also there is a friend of mine that is going to be helping with the like, just, just with the stream. Administration right okay who's going to be on screen and ensure and stuff like that. Oh, so so we have Rory McCune and David McKay from on the, the first schedule from 12pm to 1pm central Europe time, I think that's CT. 
And then on the next session from 4pm to 5pm on the same time zone, we have, we're going to have Brad Geesaman, Tabitha Sable and Liz Rice. So those are the names of the guest speakers. Any other questions? Let me get the Twitch profile from Cloud Native Foundation here and add to the chat. So the first session is the one where people might need translations from Glaswegian, both David and myself are from West Scotland. We start lapsing too much into that kind of pull us back. No problem, don't worry. I know you will you be doing the captions for those guys. Yeah, subtitles would be a good idea. I have a quick question regarding the CTF. So when you jump into the CTF, do you have like topics for each CTF, for example, like namespace or secrets, or, you know, like cert or like bunch of data stuff like for example getting the data from the CTF, do you divide the CTF into different topics? So yeah, we divide them on scenarios. It's not exactly like that, namespaces and certs, but we have each challenge is a different thing that you need to do. So it's a different scenario. So when you when you when you get your credentials and you access the cluster, for example, you're going to see a description there of like, okay, it's kind of a story, right? Oh, someone compromised at this cluster and did this, this and that, and you need to find the flag, right? So there is a description there on the scenario that you can read and understand what you need to do, right? And that's exactly why we're going to have the guest speakers as well on the Twitch stream, because they don't know about the challenges, right? So we're not providing any details about the challenge beforehand to them. And we just want to like kind of pick their brains and get some information about, according to their experience, what they would look for first, right? Where they would go to find those flags, right? I'm very excited about that. I hope I can get the link and register. No problem. 
Yeah, we're going to open the Slack channel on, I think on Tuesday. And yeah, during the whole Cloud Native Security Day, you can join and take up some challenges and try it out. And it's a learning experience, right? We're not going to be scoring anyone. So if you have any questions, you can ask on Slack there as well. So people will be able to help you. So Magno, do you have a link to the Slack channel? Any chance because this is the last meeting before security day? So how do folks know what channel to log into? Are you going to post it on the Slack security Slack? We'll put it on Slack security. Okay. Yeah, we're putting on security. And I think on the start of the Cloud Native Security Day, we're also going to have a few minutes to talk about the CTF and we can mention that as well. Perfect. Okay. Yeah, we have a dedicated session on the agenda to talk about the CTF and go over logistics and details. So let's stay tuned for that. Magno or Andres, I think just put a summary together and send it out to the email list that we have. Okay, I can do that. Yeah. Okay, leverage. Yeah, there's a lot more people on the email list than the ones that are on this call. So it'll be good going to. I will say if you're ready for the event, you'll be getting all the details. And we want you to be there. One thing now that we're pretty much locked and loaded. Sorry that that's perhaps a harmful expression now that the event is in full swing, and we have all the preparations in place. I want to recognize that while we often meet at a weekly cadence and we talk about the different things that we're working on. So this event, this collocated event is really a culmination of what we've done for the last year, like, more so the last six months, but it is produced by us, it is produced by us who gather here every week for and it captures a lot of our efforts or a lot of our ideas, even though you might have not been directly part of the program committee. 
And does channel all of our discussions and all the things we've we've had back on the meeting notes so it is it is a little, a little party of SIG Security of showcasing all our work to the rest of the world so I just want to recognize everyone who's part of this event. Yeah, pat yourself on the back because it is quite a bit and it will show the day off. But yeah, good stuff. Yeah, if I may take the opportunity here have one update as well besides that. So, on, on a side note, me and Diego Comas, who will also be on the Twitch stream for the CTF, we've been working on on kind of a cloud native security podcast. And that has been going for a couple, I think, months now. We're working on recording some episodes and we finally released the first episode today. It's kind of just an introduction episode about how the podcast is going to work. Basically, we're going to have some guest speakers as well to talk about cloud native security and different topics. And besides the guest interviews we're also going to have some demos. So, yeah, no thunder peaches, you know, yeah. No, this is all free and everything open. So we're going to have some demos of how like how can I install a cluster on managed cluster right how can I install a cluster on EKS and then security as well like follow the best practices. So we're doing that and tomorrow we're releasing the first official episode actually. So tomorrow is also the release of the MITRE ATT&CK updates and the official release of the MITRE ATT&CK for containers and Kubernetes. So we're going to have a dedicated episode about that tomorrow. Is this just audio or is it video? What are you doing? Are you doing the Twitch chat thing? So it's audio and video and we're doing it on YouTube. So we're not doing live. We're recording that prior. Yeah. I'll talk with you after this if I could. I know I got some ideas for you. Awesome. Sounds good. Thank you. So yeah, that's it for me. Thank you. Back to our global chair, JJ. All right. 
Sounds good. I'll take it and yeah. Regular logistics. Please enter your attendance and if you have any updates, please put it there so we can call out as we go through. We have one scribe ash any volunteers for a second scribe. Please take it. All right. So no go. No takers for second scribe. You know, I know give you an update. Who else has an update? So just a quick update on the cloud native security map. So the first iteration of the map is live and posting a link in the chat. We still need a bunch of contributions for various sections. So if you're interested, check it out and there's a contributing at the bottom. So if you think you have expertise on a particular section, please do send out a PR and reach out to us like Brandon, Matt Brandon Diego. Thanks. Awesome awesome. Robert you have updates on issue 603. Yes. Well, mostly just a brief everyone here about 603 so cluster API asked for a security audit to the Kubernetes security group. I'm actually participating on the Kubernetes audit team as well. And that RFP had been closed prior to the cluster API folks asking, or maybe it happened in parallel but somehow the wires didn't connect. So we couldn't scope them in for the, the paid audit. So the discussion in the, in the Kube SIG Security was to review the cluster API, could we find more money to do it, or we could we do a community review or audit, or, or some combination of that, or something else. I think Pushkar. I don't know his first name. Just the GitHub handle PushkarJ, I think it reached out to Emily and the feedback was that the security pals process we have what we used to call assessments what we're calling reviews, really for sandbox and incubation. So there's never been a case of a graduated project, or a sub project of a graduated project coming for review here. So PJ suggested we kind of use this as a pilot case study, if you will. How, how do we do this. I believe that I put myself on the ticket. 
I think we can use most of the security review security pals materials and will call out tweaks and suggestions that said the, the scope should be different this isn't. This is my opinion but feel free to vet this with other folks on the cluster API team. I think they want more of a traditional audit assessment. You know, even maybe at a pen test level. So I think we will quickly go beyond the security pals security review scope and use that as kind of a first step, and then dig deep into the audit side. And then if money appears. We'll probably use it use that to cross check the work that we do. But that's the plan nothing is actually other than the GitHub issue 603 nothing is actually started yet. So, that's my report. Questions, suggestions, concerns. So do we is it in a position where you know you're going to do it and we need more volunteers and ask for help, or is it still an exploration phase I would say like, yeah, that's that is a question I guess it's it's kind of. If I, if I follow the flow chart. Emily is saying the security pals process isn't appropriate. PJ is asking, can we pilot something else. So what kind of at that decision tree, like, do we, do we say yes, do we say no. If if those, you know, if the SIG itself here doesn't want to officially kind of undertake it. We could kick it back to the Kubernetes SIG, and those who are interested could volunteer. If we want to officially kind of embrace this as a pilot for a graduated or graduated sub project edge case, then yes then I think we you know officially comment on the PR say that the CNCF SIG is taking it on and then ask for volunteers but I think we're at that decision point. I see. So, just for my own education. Was this an ask from the Kubernetes SIG or is this something that was an ask from the cluster API group to the Kubernetes SIG. And then it became more of an ask from PJ to us here at this thing. Got it. Okay. 
So and again point Emily's point of order I think would be, you know, the usual, the process we're trying to do with the security review security pals should be more TOC driven. So again, this is a bit of an edge case or an exception. No, it's an interesting. It's an interesting thing to think through. I mean, there's a lot of roadmap items that we have on the group to tease out and get that going. Say, for example, landscape and few other white white paper derivatives that I that exists that needs to need some closure. And in addition, we also have assessments. It would be good to understand when we set this as a, what is it going to be setting the setting as a precedence when we do this and how scalable it is going to be in terms of taking up. So is it going to be for every API that gets introduced in like every other project. That's a very good question. I would argue that if we do accept it and then as precedent, yeah, then theoretically, all APIs could come knocking. So maybe that's a good thing or maybe that's overwhelming. So we want to kick it back. So I would push it back for discussion with at least with tears and chairs because so far it's always been like TOC driven just like what Emily said, and it was basically around projects as the granularity with which we've actually done stuff and it has those clear goals in terms of like how we what that really means for the process within incubation or within sandbox and within graduation but but this one will be different from what we've been traditionally doing so. One idea is maybe we just, I mean, again, I think a lot of the materials that we've developed are very useful, but that could just be a fork right so you know, Kube security could fork materials and then run with it. We can do that and we can always invite them for a read out of like what the reporters and have a session. That is something that I think it'll be useful for the group to understand what's going on there. 
And it's an important enough initiative that I think it'll be worthwhile for the group to understand the landscape. It might impact bunch of the projects that actually depend on Kubernetes are built on top of what it is security or Kubernetes framework anyway. So I'd explore that I probably think through in terms of the long term consequence and what it sets up as precedence and then think about the scalability of the group. And get back to six sick. To basically figure out what their goal and objective or what could they get out of this and then see if we can actually have it with them to do it would be the preference given the bandwidth constraints that we'll be having. So if we take this up. Yeah, I think that's not sure. I think it was a good, a good model because the point of, you know, are we going to take on every API group and every Kubernetes as a review project. Probably would overload the Yeah. And so I'll just roll into the other update I had. So the policy work group, which just kind of a point of order. We started off as a CNCF policy work group, both of the of which I was originally co chair but the two original founders have kind of dropped off and gone dead. And then we had a new co chair, but we're re homing that to the Kubernetes so actually our repo is under the Kubernetes repo structure. So technically I guess we should be calling ourselves the Kubernetes policy work group. But, you know, anyway, so there's some, there's some disentanglement that needs to happen since we're technically still pointers from the CNCF policy work group but anyway, it's one big happy family. So just FYI we are working on a drill down white paper. So this is I put a link here. This is a policy specific white paper and in particular Kubernetes policy. And it has some cross cutting concerns. 
You know, how do you implement policy how do you measure policy how do you how does policy map the compliance and regulation so not CNCF policy not multi project policy very Kubernetes oriented and in particular, the work group has kind of narrowed its work product to a Kubernetes CRD for policy reporting. We have other CRDs for policy, very ingestion execution, what whatnot but right now the policy report is kind of just a standard resource for any sort of tool that wants to represent their findings and Kubernetes as a resource. So, then you can use you know downstream tooling to aggregate all that data. If anyone's interested in contributing or just reviewing or keeping track of progress the outline is very much work in progress draft we've had a couple of working sessions. But it's out there feel free to comment. Add to it, comment, anything you need. Yeah. I mean, historically I know how much you know about the history of policy working group was it Howard and Erica. Yeah, so precisely for this reason. We and there was a huge overlap between SIG Security and policy working group so I don't know how much you know policy working group was integrated into SIG Security with a PR, which was pending on Howard for a while. The objective was to like unify this so that you can have. You can still have multiple streams under SIG Security but then policy will be part of this because one of the things that it's very important for specifically for policy, because it is a cross cutting concern. Not just for Kubernetes and it will be applicable for multiple other infrastructure projects as well. And they are part of the CNCF umbrella. So if it feels like it's a general purpose thing that needs a cover across multiple projects. I think it's good to unify because then what you'll see is multiple policy working groups and multiple different projects getting spin off. 
And then we'd have to worry about unification of that so I would tread that carefully if you want I can pull up the issue and then we'll share maybe we can take this to Slack and discuss about how we want to proceed with this. I'm with you JJ. I feel you can't do policy in isolation right and there are layers of policy policies right. Especially when service mesh comes into picture and so on and so forth so the whole integration just doing Kubernetes policy and not leaving out security policy doesn't make sense. So the table of contents we reviewed this morning does have a lot of security content in as in it as well. And one of the action items I got from the group was that next week, I will review the agenda with this forum. So if there's any feedback we should update it, but long term I think it makes sense to combine that group as part of this, because the participation is from people who are policy people but also security people there as well so I think good value and good overview from different point of view is from different participants here as well are needed on that. Yeah, I mean it is great that Robert's taking a lead on this then at least there is some person to shepherd and take ownership and drive it in the right direction. So overarching security framework I think that's the thing that you know that I think should be driven by what the team's doing here right so what Robert's doing here because I think in terms of subject matter experts I don't think there's anybody better than this group right so that's kind of my unsolicited opinion here. I agree with you Dan 100%. So, so I'll take, I will probably take Robert's lead on this has been starting that so Robert, if it's okay, if maybe we can chime in on an existing thread that absolutely happy to just a factual piece of data is the from an organizational perspective, it has forked so that the repo is now under the custodianship of the Kubernetes structure. 
And so, you know, like, you're literally at a GitHub, you know, PR level permissions level so not to say that all these human policy, I'm not going to use the word policy, human organizational factors can't be reworked and unwound and all these things, but from a tactical perspective, it has already forked. And so the group has kind of gone down this Kubernetes path, but that's not to say that we can't re merge into the master. Happy to do that happy to have that conversation. And this is, I think, yeah, Slack we can do a spin out Slack for anyone who's interested. Yeah. Yeah, let's take a lead on that and I chime in on that thread. If you can create a Slack and will pull up the existing issue so we can start discussing there. Awesome. Thanks Robert. I think you had some updates. I already provided my update. It was about the policy working group. Also, there is another Kubernetes security group that is also working on a policy paper. So Emily gave me the action to coordinate a meeting between the three leads, right, and figure out what these papers are about so we don't have overlap, and we can coordinate the efforts. So next week I will bring that paper that Robert was just mentioning the white paper on the table of contents, so we can review it and we can provide some feedback while we are in parallel working to consolidate these groups. Perfect. No make sense. Awesome. So, no one else has. Andrew Martin. Andrew Andrew has seen sick sick. Yes, indeed. Apologies for some radio silence over the past few weeks. It turns out that the fourth of May is a lightning rod for various deadlines and deliverables. But the CTF is coming on leaps and bounds we're mostly there with all scenarios. I was very excited suffice to say, as I'm sure everyone knows there's a lot of people lined up on Twitch to contribute. And thank you to everybody who contributed scenarios as well. They were incredibly useful. So yes, full steam ahead, all is well. 
And I look forward to the day after the fourth of May. Any questions on that. Any comments to add from anyone. Talked about that. Andy, are you saying that if anyone decides to run through the CTF and they're on May 5, you're not going to be there to support them. To some extent, I don't know where I'll be. I'll probably be trying to watch as much KubeCon from as reclined a posture as possible. Being global, it might be fifth for me. That's Andres's game plan. Every KubeCon is watching you from reclining place and drinking a beer, I think, right? Am I outing you there, buddy? I can't disclose everything I do. You're in security, of course. Of course not. I suppose it's appropriate time to say that I do miss the, the meetups so that the next, the next KubeCon we have in person, I guess we'll do a security meetup. And as well, for any luck. I'm a person that choose to be fun. Be a big banger. I'm going to drink a lot of I'm sorry we're gonna say hello to everybody. Nothing, you know, non-alcoholic completely. Andy, do you have any sessions at KubeCon? No, not this time around. No, not this time around, actually. Just, just pure, pure day zero. Pure day zero. You're writing a book or you're dictating a book. Yes, that's also going on. Actually, the book is Hacking Kubernetes with the venerable Mr. Michael Hausenblas as well. The manuscript deadline is the Friday. It's a week of Friday. So that's one of the many things that conspired against me. But I'm on top of everything. Everything's good. It's just, yeah, and it's in early access, but I mean if people feel inclined to review, do please reach out. There's some words there as well. That's early access through O'Reilly. Yeah, it's up. The first two chapters are not actually indicative of what we've, what we've done at this point. But yeah, if people have spare cycles and I realize that with all the work people do contributing to all the community projects. It is, it is a big ask. So there's no expectation. 
But you're welcome to a copy of the early manuscripts if people would like to review. Awesome. All right. Who else has got any update whom I'm missing. Ash had no data. Ash, if in the discussion around unification of policy, I think it'll be useful for you. See if it makes sense for you to chime in or be part of. I would. Yeah, sure to help around on this happy to run on this one. Okay. Awesome. I don't see anyone else having any other updates there wasn't anything else on the agenda for today. I don't know that there's anyone new. I seem to recognize all names and attendance. Maybe only Steve's cat. Yeah, I'm on new. Yeah, I'm safe. I'm based in the UK. I'm the CTO of the pay tech startup. Now, approaching about 200 people, half of which are engineers and out of that we've got about 10 dedicated security team. So we have most of our platform AWS was starting to use Kubernetes. Probably I will try and track some more security engineers and all rather than me because I think this content is probably more for them. Yeah, I'll turn up and just listen. Thanks. Awesome. Anyone else. There's no new people no dates. You can give 15 minutes back. Yeah, thanks. Very good. Yeah. Since it's KubeCon next week there will be a meeting next week. So the one will be on May 12. May 5 meeting. May 4, they don't know. If meeting is canceled because of KubeCon. And the agenda for the May 12 meeting as it says this on triage team. So it's going to be more triage. There's no meeting facilitated if anyone else anyone wants to sign up for facilitating that. Please do. I'll take it. Anybody needs twice I'll sign up for them sorry for the processor. Awesome. There's not much then we can call it wraps. Thanks y'all. Have a good one. See you in a couple of weeks. Take care.