Hello y'all. Hi Taylor. Good morning. Hi and good evening to you. Are you actually, hold on, where are you located? Is your, are you plus? Yeah, I'm in Virginia. Oh, you're in Virginia. Yeah. Oh, well then good morning as well. Yeah, good morning. All right. Ian, are you on the West Coast right now or in England or where are you today if your audio is connected? My audio is connected and I'm on the West Coast, the same as usual. All right. Yeah, no, I haven't been traveling recently. Okay, no family visits. No, so far, went back in, what, October, November and I haven't been back since. All right. Let's give it another minute or two. Is there a time change happening in different parts of the world right now? Already? Way early for that. It's definitely friends. All right. It's on record. We have no friends if someone wants to come join us. And be friends. And they're listening to this. We meet on Mondays at 1600. Hold on. Wait, is that right, 1600 UTC? All right. Hi guys. Morning. Hey, please add your name and any agenda items to the meeting notes. We'll get started here in a minute or two. Well, you know, maybe we just get started with this more group we have today. Okay. Are you able to share your screen with. Oh, is it me? Yes. We just tried to fix something else. I was trying to make work. Sorry, my laptop's having morning problems. How's that? Everybody see that? Looks good. Looks good. Yep. Right. Taylor, are you leading him right. It's you today. Please. Okay. Sure. Oh, yes. I'm sorry. I'm sorry. This is it. I just want it was you. All right, fine. No, it's probably my turn, you picked up mine last week anyway. Okay. Right. So next week is a federal holiday. Should we cancel this group next Monday? In my experience, it's not a terribly consistently observed federal holiday, but I'm certainly not around next Monday. Just speak up, we can all communicate.
Everyone here is active, so if you don't want to be here next week or you aren't going to be, then just say so. Well, if you want to be here then there's no point. Okay, that question is answered, we got a majority of people on the call. Right, so we still have the Cloud Native Telco Day EU open papers. I won't go through all the events this week because there's a lot of them and they've been on here for ages at this point, but since that one's got an open request for papers, call for papers, then you might want to go and have a look, see if there's anything that you feel you want to talk about, any of your experiences, any of your thoughts or ideas, and put a presentation in there. And don't forget as well to tell us of the exciting presentations you've put in, and also anything else that you've seen on record that other people are putting in as well for any of these events. It's all worth knowing what's coming up that's worth actually spending the time to go in here. So I won't go through the upcoming events, but the, there is an important pair there, which is that the time zone changes. And Taylor, are we basically stuck with the UTC time, so our meeting will move an hour in those places which change their time zone? Is that how we're playing this? That's how we've been doing it, just keep it at 1600 UTC and that stays. Time, daylight savings, changes, then we still stay at 16. If we want to shift that in the future, I think we should have more input. I'm not complaining for it being an hour later, and an hour later is totally fine with me, so anyway, yeah, if it was going to happen I'd probably want to try to keep it an hour later myself.
Yes, it was a little bit of carelessness that it's not that hour earlier as well. Okay, again, you're all capable of reading. There are a list of other events here you can go and double check. As you can see, there isn't just the one call for papers open, it's just the first one that's coming up. There are a few others worth considering to submit to, but none of them are exactly imminent at this point in time. I'm going to skip the first one for a moment, because we'll get there shortly and it will eat towards the end of the meeting likely, but I would just point out that your friendly neighborhood co-chairs, that's me, Taylor and Jeff, have a one-year term, and we were elected about 11 months ago at this point. So it will imminently come round that we need to open nominations for the next year's co-chairs, to do the work of organizing you all and hosting these meetings, sending out the occasional sort of request to you. And yes, I'm not quite sure when we will open the nominations, but you're welcome to self-nominate and I encourage you to do so. But I just didn't want to get that lost. I think it's about two months out at this point in time, maybe a little less, and I wanted to make sure everybody had their opportunity to suggest themselves for a co-chair if they want to have a go next year.
Um, right. Um, not quite sure what this one means. Who wrote this? Yeah, sorry, it was me. I don't know why it's right anonymous. Okay. Um, I think that's right, like month ago we already started to discuss the document I wrote, and didn't really get inputs on it. Like I said, to continue to, uh, to write more. I'm reading my link here, wait a second. Um, sorry, and for some reason cut the link. So it was the document I started to write about, you know, different security best practices. Um, and, you know, I really try to write up, you know, the first few points here, okay, just to get a sense of, you know, what do you think, what we think as a group about things that are useful and can be added as best practices recommendations, uh, okay, to our agenda. And since I didn't really get any inputs on it, and small inputs I guess I already incorporated, so I simply continue to write. And again, I just simply get to a point, okay, but I think that I've, in a very high level, but I've covered some most important things, I think, that, uh, are important for the API server configuration for our security perspective. Um, and, you know, I want to ask, you know, us, okay, you guys here, how do you see this? Okay, what should I add? Should we move this to the GitHub repo? Uh, should I correct wording? Or really, I would be happy to get in this here. Um, well, this should go to the, um, the GitHub repo, because it is a best practice. I mean, uh, easily justified, it doesn't need a use case to go with it. You're basically saying that it is a good idea for Kubernetes to be under control and not hacked. I think you'd want to spell that out in relatively simple words at the top to give a reason for it, but aside from that, yeah, fine. Um, there are perhaps one or two of these that I wonder about in, um, an NFV context, um, although a good deal of them are quite logical and I don't think I would debate. Um, you're mentioning, uh, OpenID down here at the bottom, uh,
that's an alternative among three, I think, is what you're trying to say, is that correct? Yeah, so I think at the client authentication part is, um, is, you know, most of the things are okay from a security perspective, and this is what I wrote, okay, that I'm trying to put the emphasis on all these alternative options, where the security issues can lie, okay, and there is no clear best practice. I think the only thing which was, for my point of view, was being on always static token files, which I think in general it's not a good idea. Uh, the client certificate authentication, OpenID Connect tokens and webhook-based authentications, all three can be fine as an authentication mechanism, um, from my point of view. And, you know, well, again, I'm open for, you know, feedback. Yeah, I mean, the only suggestion I would make on that there is to, rather than basically list what you could do, list why you want to do it, what are the requirements of authentication that we're looking for, which. So like, talking from, you know, more that we suggest this or for that, is what you mean? If you know what you're looking for, then you can say why these things are good or bad, whether they cover all of the needs. Um, you've made notes, for instance, like the static token files have a problem with rotation. So my question to you is, do we need rotation? Because if we don't need rotation, that isn't a problem for us in our use case, and if we do, then it kind of rules it out. Um, so that's the question, right? Rather than list these things, list what your perfect solution would include and then score these things according to that list. Okay, I will try to think, okay, how to do it, but yeah. I mean, other than that, I mean, there's, I think, um, nothing too contentious here, just a list of things that you should check you've remembered to do, and, uh, that would seem like a perfectly reasonable thing for a best practice. I don't think anyone would have any specific arguments with any of the things
you're suggesting people do, again with the single exception that this section at the bottom is a choice of four and you aren't making a recommendation. So if you can't make a recommendation, you could detail how the choice is made. If you can choose one and say this is best, or maybe two and say they have different strengths, then that would make things better. If you just list all four, then it's not a best practice, because you're telling them what they could do, you're telling them all of what they could do. Yeah, yeah, rather, you know, the emphasis was, again, so since, as you say, this is not really, sometimes it's not our choice, okay, because there are different, you know, um, pre-existing reasons, okay, to choose, you know, OpenID or choose, uh, some kind of webhook-based authentication, because you already have some kind of authentication, uh, system in place and you want to stick with it. And therefore I feel I cannot make this decision, but I can't tell that within this decision, okay, what to look for, what can be the problems and what should be the best way to use it if someone decides to use it. Yeah, I mean, from that perspective you could say, you know, you're going to need an authentication mechanism, it's a good practice to have one for the best reasons. It's good practice to have one that doesn't require restarting the API server every time the credentials change. It's good practice to have one where credentials can be revoked should they be problematic, and so on and so forth. Those are good practices even if you can't necessarily make the choice on somebody else's behalf. Right, right, gotcha. Right, I'm doing all the talking here. I can't be the only one with an opinion. Ildeco, you're sitting there, you're very quiet, I think it's your turn. I just joined like two minutes ago because I was on another call. Um, I need more context. Anything about certificates and security practices, whatever's on top of your mind. No, I'm just playing. Yeah, can you give a quick highlight
of, so the conversation here so far is that, uh, Ben is proposing this as API security for the Kubernetes API. These are the things that you should do. Um, I think, speaking personally, that about 90 percent of this document is perfectly good common sense things that nobody would argue with, right? Have audit logs, disable anonymous requests, this is all sensible stuff. There really isn't anything to quibble about, they just need writing down, and as such this is basically a, um, a best practice in the making, and just writing it up in the best practice and committing it would be most of the work that's left here. The only thing that remained that was an exception is that this section of the document about client authentication, it makes a strong argument earlier that client authentication is necessary, but here it doesn't list a way of doing, the right way of doing client authentication, which is fair, because I don't think you would get everybody to agree on that. Um, but I think maybe the best way is to say what strengths of authentication you are looking for, because rather than basically listing under each of these categories this is good because, this is bad because, just say good authentication will include the following, you know, checklist items. Yeah, I think I got it. I mean, um, sorry, go ahead. Yeah, I just, uh, sorry, I just don't want to tell you that I think I get what it means by that tonight, totally agree. I just wanted to ask if it would maybe make sense to call these common practices, if we say that these are items that we are listing here that are commonly used and therefore they are considered good practices, as opposed to saying these are best practices, to outline the scope of what the information is here and what we are shooting for, unless we want to go into further evaluation and say that this is good, this is bad. Um, yes, I mean, it's a wording issue, but yes, I can see that. I think it's fair to say that, um, we're going to run into this problem
in other circumstances, where what we would like to be listing is: I have done a lot of NFV, I have run a lot of these things, and my recommendation of everything I've tried, that this is the best thing to do, is X. What we're saying here is, um, I have studied security implications of choices here and this is my recommendation of what is the best based on industry practice in related areas, which isn't quite that thing. So yeah, if you've got any suggestions on that, stick them in the meeting notes, but, um, I appreciate your point. No, makes sense. I just also know a few people who have reservations with saying best practices, um, so just partially driven by that experience I wanted to throw that in as well, just in case. Yeah, yeah, yeah, I would personally rate it as the best thing we can think of at this point in time until we think of something better, um, but that's not how other people see this. Well, then I could also say, um, maybe recommendations. Yeah, from us who care about this stuff. Okay. Yeah, I mean, anyway, um, no, no, I don't want to do the discussion, we can end this one here, it was just a quick note. Yeah, no, that's fair. And then don't sort of worry too much about that. Write your use, user story, um, Ildeco will review it, and Ildeco will figure out whether there's a good way of changing the terminology if it matters that much. But, um, yeah, um, as I say, I feel like, sorry, use, your best practice actually you're writing, but I feel like you're most of the way there with this. Yeah, okay. And after, you know, I'm doing the corrections, okay, obviously I will have it for reviewing, okay, I will open a pull request and we'll do the same for the other control plane components, so kubelets and stuff, the same ideas. Yeah, that sounds great. Uh, you're also welcome to refer to external, um, as long as they're well recorded and the link isn't likely to break, refer to external instances of best practices. Nobody's pretending we have to write a copy of this for ourselves. Yeah,
sure, something outside, sure. Yeah, okay. Um, I rearranged because that was a specific, and now we can go on to the general, which is the pull request, which I always hate. So, um, right, starting from the oldest. Taylor, you went through these extensively last week. Did you have anything to add to, uh, what's on here in terms of, um, comments or, uh, expected activities? No, I think that one stalled. Um, we're waiting primarily on Jeffrey to get through it, which he had said in the last couple of weeks he was going to start working through this. Yeah, I mean, I can see there's a bunch of open discussed but unanswered comments, so it looks to me like we're looking for a change that takes them into account. Okay, um, you and I will take it on our, um, task list to go and corner Jeff and make him do some work. And sounds good, and I think, like you said, as the time shift, we're going to start seeing more activity from him this, um. Yeah, I know he's found it rather difficult to make meetings in recent times, um, and hopefully the time shift will basically make this slot free for him where otherwise he's a bit busy. But yes, um, and now I have the guilty conscience because the next one is mine, and I see it has 29 comments, and I can tell you I have not read 29 comments. Um, yeah, I'm not going to give you a straight answer to this because I seriously haven't read this. Um, I see pancake has been very busy. Oh yes, and that's right, there's a couple of odd grammatical bits as well. But yeah, so, um, I'm still reasonably comfortable with this. I do think, just skimming this, that he's, um, talking about format rather than content, which is sort of helpful, um, because it means that we're in roughly the right direction. Um, I would welcome anybody else's comments. Um, there is nothing wrong with having tons of comments on here, and I promise that I will have a look at it this week and rewrite it to try and address the points that have been made. Um, if you've got anything you want to ask while I'm actually standing right here, then
please go ahead. Otherwise we will move on to pull request number three, which is the Stateful User Stories use cases, um, as I recall. Uh, and again I have a guilty conscience, because I was, um, stuck not being able to press the magic approve button on this. Um, but as I recall, you, uh, Taylor, you were looking for five approvals here. Yeah, um, we had a few people saying that they would approve offline. Yes, including me. Um, can you, does your, uh, is it work right now for putting a thumbs up on it? On the review, click file changes or. Yeah, whatever. You have three at the moment, you have me, Tom and yourself. Anyone else who wishes to express their approval, now would be a good moment, um, or at least after this meeting if you want five minutes to actually work out what you're looking at. Um, again, what we're looking for here is, um, good enough, not perfect. So, you know, once it's in there it can be fixed and changed and reworded, um, but, um, it's never going to get in there until we get, as we currently want, five reviewers. Um, and Taylor, you were talking about reducing the number of reviewers down to three, and I think we have somewhat less of an active core, um, quorum at the moment, so maybe that would be a good idea if you want to propose that change to the governance file. I started, and then I realized that we got to update three or four files, so I want to make sure it's, um, done right. Okay. Oh, that's on my to-do for this week. Yeah, because we've just set the bar a bit too high for ourselves. You, finding five active people to give these documents a once-over every week is a little bit too difficult, um, so yeah, we just have to come down a bit. But other than that, I mean, um, you're after one review. Um, uh, I noticed Watson hasn't said yes, so you can go and corner Watson if he's, um, anywhere handy to be found. But, um, yeah. Um, well, I'm not gonna call out anyone on this call that said that they'd review it. You just did, it was me. You've already done a date. Okay, can we get anyone else? Um,
I'd go ahead. Anyone else had time to read through this? I honestly, I went through it, okay. From my point of view it was okay. As I told before, I didn't tell it was too much thing that I from security perspective I could have, but I went to work, it looked fine. Give it a thumbs up. Gonna comment. I am happy to take an order, a verbal approval as an approval, for what it's worth, it's on record. Um, but that said, Taylor, you've got, um, two failing unit tests, so, um, I would rather you fix those before we actually committed it, or else we break the trunk, the branch. Uh, um, all right, I think I'll. And if you fix them and there's no material differences then I promised I will press the approve button for you. Right, in fact I promise I pressed the merge button for you. All right, all right, I'll do it. I was gonna toss it back to Oliver to fix it, but I'll do it. Oh sorry, you, Oliver, sorry, I was forgetting this wasn't yours for whatever reason. But yeah, um, I would imagine that they're a two-minute job. So actually I may not be able to do it, because I think it's over on his and I'd have to do a. I'd probably say merge it now and then I'll work on a fix, I'll start one immediately. Okay, um, yeah, it's not going to be anything significant by the looks of it. Sorry, I made a mess of that. Um, all right, let's just get this in. You can squash merge, that's fine, I think there's only one change here anyway. There we go. All right, I'll go work on making it pass. Right, okay, I have now officially run out of, uh, pull requests, so any other business? Because if there's no other business then you all have 25 minutes to write best practices, and I expect one from each of you by the end of the day. That would be wonderful, isn't that? Well, it's crafty. I think it's the only way you find interesting things to talk about in the meeting, or alternatively a best practice piece. There's homework, that seems like a good plan. Yeah. All right, well, um, thank you for your time. It is 8:35-ish, so, um, we've managed that in
half an hour. All good, and I will see you all again next week. Sounds good. Thanks everyone. Bye bye. Thank you everyone. Thank you. Bye.