 Greetings. Hi. Are you. No, no. Hey, Ben. How are you doing? I'm all right. Class week off. Just getting going again. How about yourself? Yeah, we are, we are starting the holiday season. Just starting the holiday season. Hi, Nick. Whoa. Yeah. Yeah, I haven't seen you heard from you in a while. How are you doing? Glad to get joined. If Frederick, did you take off? I did. So how are you all doing? You're also on mute. Yeah, I had to mute. My. Second system. And join the audio. All right. I'm just trying to. See what we can do through the end of the year. Ben. Is this your first call? To join. No, no, this is my second call. Second call. All right. Okay. So we usually get started at about five after. We'll see how it goes after a. Holiday week. I joined. Drop the meeting notes into the. Zoom chat. Hi, Oliver. Hi, everyone. Maybe a little slow going. This week. For some folks. Anyone has a topic they'd like to. Talk about. Please add it to the meeting notes. Things Chandan. All right. Well, that's five after. Let's see what we have here. So you can add your name to the meeting notes. And any. Agenda items right now. I don't see anything. Other than. Check in our pull request and kind of going through. Existing items. Does anyone have a topic that. I'd like to chat about. Any best practice ideas? I guess that's a topic. So. Go with that one. I'm going to open the pull request. Looks like. Jeffrey added one. He's not here today, but. I can take a look. Looks like a granny had said something. Or any of you on this call. Let's see. Let's see if anyone else. Bill. Hi. Hi. Also not here today. I'm not going to go through this yet. Let's first take a look for ourselves. Okay. Some environments and we've been hearing this for a while. Production systems. Deny public internet access. Maybe even to the point of no proxies. So. I'm not going to go through this. I'm just going to talk about. Controlling how. The. Applications that are deployed and components that may be part of the platform. Are deployed and used in the environment. It's important. Partly because. Around this malicious code. So we have some stuff about supply chain attack and other things that are probably related to this, but. The other one is. The air gap. The air gap environments. And. There we go. So this isn't just service providers, but there's other ones. Regulated. Probably finance. I bet would be part of this. Some of their environments may. The air gap. Maybe only accessing internal systems and pulling. All right. The scene if you lies a cloud based licensing model. You can do that. You can do that. If you deploy. And. It validates its license. Externally potentially. I'm not going to go through all of it right now. Let's keep going forward. There we go. So using. Get ops methodologies with the fence method. So how do you do get ops. And where it's going to be. Pulling in the different. Parts. You can do that. You can do that. Potentially from other. Get repositories. When you're doing this. All right. And then you have. Sass based services. How do you do this? They're already cloud. For some of the services. VPN. Into an environment. Securing it. I'm going to go over to the. Comments. Of course you can do that. You can do that. You can do that. Because I'm asking about licensing. Their purchase. And Jeffrey, I guess the second, some of the different. So the problem is. Around, I think, Automation. And having to do that as part of. If you're. Expanding. systems are deploying new services, then how do you do that dynamically? If you have to purchase in advance, that's a problem. If you have to do dynamic licensing right then and it's remote, that's also problematic. So how do we deal with that? So probably have to get updated to communicate some of these things. These are user stories, so we're talking about problems. And then we got to figure out how to solve, we're not solving them right now. Question about how do you deal with the repository management when it's remote phrasing, which we always have to go through and update what's going to work. There's probably something between centralized registry. This is about, may have been thinking about images, which is one part. Image registry, image repository, I don't know the naming, but whatever we can figure that out. And it's about how do you, is it fully or gap? Is that really what I mean? Is it partial? And then Ian is saying, this is saying what networks the machines will be able to connect to. So they may have some type of network connectivity to a specific area, but nowhere else. This is a probably important comment that Ian makes. So there will be network connections, but the idea that a CNF won't have control commands. So it won't be able to do modifications as the idea after it's deployed potentially, or make changes to the server or whatever else. So it's a separation of when it has the capability to make changes that are not. All right. See who made it to the call. Anyone else? Hey, Victor. All right. Well, does anyone have any comments they want to add to this one around air gap environment? I am curious as to how the licensing and the air gap systems itself would also work together. It seems like that may be quite a gap for lack of a better word. And also, it's probably important to realize that different groups air gap for different reasons. So if you're airgapping for security in regards to like a SCADA system, you probably don't really care about whether the data is actually exiltrated or not. You're primarily concerned about protecting from active attacks, but if you're airgapping for a skiff somewhere like a military style, then that matters. That matters a lot and what information you get in and out. So it would be interesting to see if we can get some input on what type of systems that they're likely trying to tear gap. I don't know the exact systems, but just to know some of the properties there if, if we want to use case proper. What type of systems. And the last part kind of cut off for me. Yeah, as in is what like is the use case primarily for like SCADA systems where the information inside of it is really not sensitive or is their goal to go for airgapped like systems are going to hold like state secrets and they need to network those systems together. So I think in in both for this particular use case, I'm curious as to what which use case they have in mind out of those two or if there's another one that I'm not thinking of comments from other folks. Specifically about licensing cover these different from from from any other enterprise software. I mean, this is not the unique problem that we are facing here. I mean, it's not something licensing is not something specific to CNS. It's about any other problem also updates and you know everything. Yeah, I think the point that Jeffrey was trying to make in the licensing side was like, it shouldn't be more like seat style licenses where you buy like 1000 licenses of something and then you divide them out over time because you have the right to use them. Or are they trying to push towards a different model where they keep track of the usage over time so they're less concerned about capacity but they're more concerned about the usage so if you use 500 of them at a given time, then you get charged with 500 as opposed to paying for the 1000 battle at all times. So, the same way that like to spin up a VM and you see to then, you're only paying for the time of use, as opposed to paying for the possibility for paying for the for the quota. So I think Jeffrey trying to to work out a if we can get a best practice around like let's say more towards consumption model as opposed to a pre like a provisioning model. I see. Makes sense. Yeah, and these are just best practices we can't force anyone to do anything anyway so we could put something up. So, in practice, we believe that this will have these positive benefits. So, it's unlikely that if someone is really, really wants to go down a certain path that we'd be able to sway them but if someone is on the fence like should I go with one path or another, then we may persuade people in that respect. And that the comments around the best practice that's kind of our next thing. If, if there's a best practice that seems applicable from other domains, then we definitely want to just copy it over and say it works here and then see, does it still work here. There's no difference than we should be adopting those things and pushing them forward. The principle of lease privilege, which has has many best practices tied into that we've been looking at that for a while, or is there any other made like a high level principle that may contain many best practices that anyone can think of besides the principle of lease privilege. That would be applicable for air gap environments. I don't know. You know, when we're talking about this privilege we also usually mentioned defense in depth, so having multiple defensive mechanisms but again this is a very, very broad principle. I don't know, okay, we're talking about something that is already air gap. We might want to say that air gap stuff doesn't solve security problems. And there, there's a need for, for in general, the good security approach. Even with an air gap system. Okay, anything else or maybe any other best practice ideas that anyone wants to talk of, and this can be an area for best practices or potentially specific things. And we'd love to get some more best practice proposals in place. We could write up some around continue with the least privilege ones. There's a lot of different things that we've talked about for lease privilege and security related one. We have a whole set of documentation around that. So that's definitely an area that can be continued. It's, I'm not going to go down but there's links down in here that goes to the lease privilege docs. And then there's a whole set of best practices. And then there's other security related ones so happy to have any of those, especially if we can talk about the user stories that are related to them, any testing that's out there or pointing at stuff that may be already happening in the cloud native and Kubernetes community. But if there's other things like to hear on ideas areas. Are you looking for something which is like, you know, ideas around high level ideas or something like would you say that how to set up our back in the cluster. How to what kind of configurations to use what kind of a hard best practices of protecting, you know, guarantee secrets and stuff like that, or more general ideas because you know, this really is a very very abstract, you know, thing. But if you want to be more specific, you know, I have ideas. Okay, what what could we write here. We're looking for, I guess more, more specific focus best practice where we say we, we can give someone a suggestion this idea this when you're coming across and yours. You're wanting to look at what you're developing a CNF, and you're looking at guidelines trying to follow the best way to do deployments and provide your services and everything else. What are things that you should do. So one of them that we've put forward was containers shouldn't execute their processes as a root. This is one of the best practice. If you think like 12 factor apps and other things like that, you can go out there and and look at, here's a big set of guidelines, things that in general, you should do or you shouldn't do. This is a shouldn't do. So we have the summary. Saying the process shouldn't run as a root than the motivation behind it. The proposal. So this kind of goes into it. This practice is actually pretty well known in a lot of domains. So we're reiterating something that's pretty easy, but we specifically this one because of that. And then we tied into real user stories that could happen. So these are the supply chain attacks and how if you run your processes in your CNF as a non root and have some type of security issue, then it could help. So we're looking at best practices like that. When we're saying, saying these one other item I think it would be maybe related. I think that's one of the things I guess references so we send them out to a lot of places. I don't recall right now, but it's possibly the case that the NSA guide actually says it so there's I know there's a Cubescape test. So one of the things that we do with this is we have a test objective section. We're giving some information about if you're going to follow this best practice and here's one test for it you can do static analysis runtime analysis and that sort of thing. So there we go. So things like, you know, saying that you should configure your cluster so that the ETC is encrypted. It could be some kind of best practice. And this is what kind of things we are looking for because you know I could you know I can raise it with you know, without, you know, even blinking I could raise like five, six things like this. I'd love to add them. For sure. And so if, if you think one is a good idea to add like you're like no this is the best practice, and I can point you at some places that talk about that. Then you could just add a new issue. So here's one that we plan to write up, but we haven't you know we haven't done it yet but we thought this would be a good one. Don't run containers with the privilege flag equals true. So this is one that you put forward. So any that you think would be good you can create an issue. If, if you want to provide a place to talk about it, and that the discussion board is a good place for that. And some of these actually have stuff like I'll maybe this one applying principle of least privilege. There's a whole lot of discussions in here like you can see right here. Here's some best practice. Container manage access access to the Kubernetes API privileges. Container should be runtime isolated might have been Frederick and Nikolai way back when we were working in a document. Some of these got copied over, but feel free to add them any of these places. Please raise an issue if you think no this one's a really good one and it's right here in the NSA guide and it's over on the Kubernetes. We think that you should add this. Yeah. Okay. There's two places you could source material from. Let's check the second one. The first one is the CNCF security tag has a white paper that's worth reading through. And if you read through that idea should pop out for best practices. The second one, you'll need to double check the license for this because I don't know what it's licensed under the CIS as an organization called CIS has a set of benchmarks that you can follow on how to harden various systems. They have a guide on how to harden Linux and they have a guide on how to harden Kubernetes. So I would recommend if the license is flexible enough to to also look at that as a as a source. Don't look at it for this purpose here. The license is not appropriate, but is is a resource you can use where when you take it to production. That is a fantastic resource you can use to help harden your systems as well. So, we could put a pointer to it, I think it would be appropriate. At the very least, and they should cover that Frederick and whenever you get a chance I just tagged you in the share. I think I used the wrong mess, wrong one. Yeah, I will add the ideas to do tomorrow. I don't know which email I got too many emails for you, Frederick. Yeah, every time I go somewhere you really give me another one. Yeah, yeah. Sig security white paper we actually went over that and that's definitely a good place that we can keep pulling stuff from some of the least practice stuff that we've had found before also matches right up with what they're saying so we started to reference that but that's a good one. And I think Lucina may have dropped it for somebody I don't know who just dropped that in. Anything else. And references to places are also very helpful. So if you don't have like a specific idea or areas and reference to a set of ideas or potential ideas content would be great. Yeah, I just took a look their licenses they use a creative comments attribution non commercial share alike. So that may be problematic the non commercial may be problematic to some people, perhaps. That's interesting. I wonder how that would work. I want people to sign up to their service and and pay for their for their reports for commercial usage so that's the business model they're aiming for. All right, well, we can take a look. Thanks Victor. It is happening that you were talking about before. For me. Is this the the NSA. CISA hardening guide. Now this is a different one. No, we were referring to the NSA CISA. Kubernetes hardening guide or something like that. I don't know the exact long name, but that's this is a good one. That's a great one. I posted a link to the press release for the Kubernetes hardening hardening guidance. Yeah, that's the one I was referring to. Let's see Kubernetes, gotta keep clicking there and eventually you'll get there. Alright anything else around best practice ideas. I'm looking through the end of the year schedule. I think we are on for the next week. The 6th of December 13th 27th. All right, I guess we'll figure out who's available for these. I'm personally going to be off a little bit of the time at the doors end of the year. I guess we can see who else is going to be around. What about the, maybe the 27th and the third, but they're kind of right on on the holidays. Within days of holidays. Does anyone want to be here on the 27th or third or they're like, no, I'm going to be here. So keep it going and I'll help make it happen. I will not be here on the 27th and third for sure. I don't know what Ian's doing, but he may step up to lead. I think I'm going to mark them as maybe cancel. There's no objections to not keep it like that. Check back. Next week with folks and Ian and and see how that goes. Anything else. Otherwise, give everyone 20 minutes. Thanks everyone. Have a good day and see you next week. Thank you.