Good morning. Good afternoon. Hi. Was there an issue with the Zoom link, or was I just confused? I'm not sure what the problem was. Okay. Yeah, maybe it just takes time for people to join. Never mind. We'll get started in a minute or two. I've posted the meeting notes in the Zoom chat. You can add your name and anything you would like to talk about. Victor, morning. Taylor. Let's see. Please add your name. I guess I should do that as well. It's looking at the wrong area. Wait for you. Does anyone have any agenda items? Taylor. I don't know if it's okay, but I just wanted to give a few minutes to the discussion I opened in the repository about the practices we talked about last meeting. Yeah, definitely. I see that list. Sounds good. That's on the agenda. I'm going to move the pull request. Okay. We'll load that. Does anyone have anything else they'd like to add? Let's see, today. OSS Summit Japan is going. We did a little recording for that. Let's see, we'll be late this evening. Did anyone else do anything for OSS Japan? Or is there anything for the OSS Summit? I don't have much detail about that. Is anyone speaking there, or at KubeCon EU? I guess CFPs are open for that. So if you haven't submitted, is anyone doing it for KubeCon EU? Sure, you do it. All right. Yeah, let's open this one up, if no one has anything else to add. If you do, go put it in the notes. All right. Ben, do you want to talk some about this? I'm happy to let you share a screen if you'd like, or I can. I don't have anything else, so I'm fine with you sharing the screen. Again, this is okay. This is just a continuation of the discussion we had before about adding best practices. My specialty is security; therefore, I'm taking on security best practices. And in general, okay, I think the idea behind my proposal is to create a network security best practice paper, or description.
Where we discuss the issues around network security with the installation of Kubernetes. And I think it's pretty important, okay, for telcos and this industry, because most likely they are going to start to install Kubernetes by themselves and will get into the pitfalls around it. So that's why we are here. And I think that there are two major parts of the discussion around network security in Kubernetes. The one is actually the access to the kube API, and around the kube API, and to the infrastructure components themselves. So on the one hand, making sure, okay, that the kube API server is the best service, it has limited network access, it is separated from the public internet enough, and people are not allowed to connect to it from the outside. The second is actually not just the network segmentation, but the actual access control of Kubernetes: to enable RBAC, to remove any authorizations for anonymous users in Kubernetes. What I wrote here is "disable insecure access configuration of the kube API server", and there are several items around this point. Okay, we could add here and describe in more detail what to do. About tests, okay, there are things here which can be easily tested and there are things which are pretty hard to test. So we'll need to somehow point out those which we can test in the CNF test bench and those things we cannot. This is one part. The other part is actually protecting the control plane and machinery of Kubernetes, making sure that the network security, the mutual TLS, is in place, that certificates and private keys are in place. So maybe even talk about when to swap private keys and certificates in a cluster, and so on.
So I think that these are the two main parts, okay: the kube API and the segmentation, and the other part is the Kubernetes system components and the secure communication between them. Those are the main parts I would like to focus on. And guys, I'm really open for any comments, and I'm ready to start to work and write these things up in detail. I just want to make sure that the time aligns with our goals. That's it. It sounds great to me, a good area to keep expanding on. Does anyone have any comments or questions, right now or just in general? Maybe just a comment over organization. But yeah, I also like this idea a lot. It's definitely just the beginning of security, but you write that there are two components of protecting this API. But then in the second section below, if you scroll down a little bit, please, that's where we talk about TLS security, but I think TLS security is higher up. So I think in terms of networking, there are two components: there's the firewall and encryption. And then a second level is really RBAC and users and all that, which is honestly a very weak point of Kubernetes generally. So you don't get a lot of security from RBAC, but the other thing is that there's a lot of encryption, and how to handle those best practices of dealing with certificates, things like that. Maybe even hosting your own CA, something like that. So to me, those are the high-level networking-related things you should address. It's here; it's just the organization. I would pull that up a little bit and move RBAC down. Yeah. The order here is not, I would say, the way... I tried to organize it as two main parts, not in the sense of what is less important or more important, you know; for the time being only to write it up so as not to forget. I would say the organization, or maybe even the priority, of what's important to people.
That can be an effort that someone cares about and can help write up. Ideally, it would be supplemental documentation. If that's something that you care about, then focus on that. If there's an area that you think is important, or you're passionate about, but it may be lower level or higher level, it's okay. We don't have to start with one specific area and write up everything before moving on to another. So if you want to write about this specific one, limiting access to the Kubernetes API, never having public access, this is something that could be written up now, even before something else that might be even more critical but harder to write up. Yeah. Like being CAs every year. Yeah. Also another question. Okay, I was thinking that it is obvious to say that limiting access to the kube API is really a very basic security measure: setting up firewall rules and limiting access to it. But the question, and what I'm asking is an open question for all of you, is whether the opposite direction is something that is applicable in this industry, where we can limit the traffic from the cluster to the outside world. Or is this something that is rather problematic, because of the way these CNFs will usually work: they will need connectivity to the outside world. I think it's going to depend on the organization. So we've talked about this a little bit when we've gone into air-gap discussions. So there are some that may not allow any public access, even; they don't even want to have proxies or anything. They have everything on internal systems. And then some of them may have some type of proxy, or you have a partial one: maybe your image repository is within the organization's network, and they don't allow access to, say, images for the different components outside, even if they're dependencies.
So I think that's going to be dependent. And then any type of other, I guess, call-outs, whatever that would be, would be out. I'd say it'd be similar. I don't know if best practices would tie in specifically around allowing or not, but rather the process of doing that. So if someone says we have a use case where we need to limit access for going outside versus inbound, those would be where we would talk about what the best practices are for implementing these. Because that's what we're really looking at here: when you're implementing the applications running services on a platform, and the platform components themselves, in a Kubernetes-based environment, what are the best practices for implementation so that you can take advantage of that environment? Yeah. Some of it's technologies, and some of it's tied into the methodologies around it, where if you do things in a certain way, then you enable other things to do even better. If you don't, then you cripple those methodologies, which sometimes is necessary. But that's what we're trying to highlight. Yeah. So, okay, I'm going to start to do some write-ups. Okay. And we'll align at a later stage on where to put it in the repository. One place, if you can. I mean, we could probably just change this whole thing to security. It's kind of around least privilege, but if you want to create a Google Doc and have a shared draft or whatever for what you're working on, you could link it from this best practice discussion. I mean, feel free to put anything in here, and then we can add comments and add stuff here. But if you want to work from something like a Google Doc, then do that and just link it to the discussion. Maybe turn on comment capability for the doc so that other people can join in and suggest edits or whatever, and then start building it up.
So this particular doc, which we've linked a few times in the discussion, this one's around least privilege. So one of the most recent things we've been working with, and what we're looking at, is what happens when you need to deviate. So whenever there's a best practice that everyone goes, yes, this is great, we all agree we want to get there, but right now we can't implement it for whatever reason. It may be six months, it may be 18 months, or who knows, before they can get to that ideal goal. So what do you do? We wrote up some information here. So this is on the deviation. And then we started writing up a new set, accounts and rights. So I think this one might actually be related a little bit to what you're talking about with the Kubernetes API, Ben. But feel free to look through this one; like, this is on the Kubernetes API server. So you have, this is referring to the service accounts. So you can have user accounts, you can have service accounts, and what type of access do we want to give for the CNFs? And what are the best practices around accounts and how they should be used for CNFs from a security standpoint? And there's a lot of other content in here, so feel free to go through it. Yeah. So, especially from the networking perspective, you can come and look in here, and there's comments from different folks. But you can come and look at different examples, and then what we're talking about, and give it some relationship back to this "limit access to Kubernetes API". So if you want to say, out of this limiting access, and then on the other level, you could say, how do you want to limit access? We definitely want to say never public-facing. That's a good practice. Okay, well, maybe that's the first thing you write up. Yeah. Feel free to just kind of brainstorm the ideas with all these, and we have a big dump of information, and then eventually we come down to something that's specific. I tried to open it. Felt there.
Eventually we end up with a specific one that we fill in. This one is something we can agree is a good practice. You may not always be able to do it, but it's a good practice. So let's write it up as a very specific thing that we can recommend. Yeah, sure. Okay. I think I'm going to start with a little document, because I assume that most of the text will be movable around and restructured in different places. Guys, I'm really open to ideas also. I think, but then there was the one who had this idea of prioritization of different parts. So just tell me some ideas. Okay. I will continue to discuss this. Sounds good. Yeah. Once you have something you'd like to share, I mean, this is great so far just for first kicking off ideas, but when you have some more content, just share it, and then we can start iterating from there until something pops out and we go, this can be written up, let's do a pull request. Sure. And if anyone would like to help Ben, please reach out and tell him, so you can start working through this. Great. Does anyone have anything else? Or we'll move on to the pull requests. All right. Thanks, Ben. Okay. All right. I see the interested parties one. It would be pretty straightforward, just accept it. It looks like you have two there. I thought only one. I don't know what happened, but one was rejected. Oh, okay. Had one. All right. We can approve this. The Zoom is in the way of my accept. Added to the interested parties. All right. So let's see, Jeffrey submitted this. Maybe out for a little bit before you can run back in. And we of course have the holidays, which extend that a little bit. But this one is a user story, so a set of user stories, air-gap environments, so that we can relate these context-wise, so that those questions and comments about external calls from CNFs that could go outside may be related.
So if you end up with the best practice, it'd probably be related to some of these user stories: a CNF using some licensing model that requires dynamically checking the license with a remote server; and GitOps methodologies, so they're pulling stuff in, they have some repository that's pulling stuff in from probably other repositories; and then SaaS-based services. And did you dig through this one yet? Honestly, not properly. Okay. I'm trying to look if there's anything new since the last one 20 days ago. It looks like a lot of these are just comments, and you responded about networks 10 days ago, Victor. Okay. Well, this is actually maybe right around the last call anyway. So this was tying in with licensing. Like, what are we talking about here? Let's make sure it's clear on the mechanism and stuff. That's a good one: a short definition of what we mean by air gap. And I've heard different things, so I agree. Maybe if we come up with the definition here, it can go into our glossary, because air gap does not always mean you have no internet cable, you're disconnected from the world. I have seen it, but it's actually been quite a while. Okay. What's the other one? What is this suggestion, Victor? Well, I just noticed that in the glossary they had an issue referring to GitOps. So maybe it would be nice to have a cross-reference there. All right. Sounds good. Right into the same CNF glossary. Yeah, but now I don't know. When I put it there, it was in the two movies. They have implemented, but maybe, I don't know if we're just tracking that or waiting for their definition. Yeah. All right. Just, does a comment work when it has three dashes? I'm guessing it probably will. Three and two dashes. Yeah, probably. I'm going to commit it. I mean, you're just saying, let's track what they have. Or I can modify it. Just give me a second. Too late. We'll see if it worked.
You can refresh and check; it may be good. I think as long as it had the two dashes first, everything after is a big comment. On Kai. This is just questions. All right. So we probably just need more responses in here before going on. I don't know how much Jeffrey is going to be able to respond, so I'll try to reach out. There was a mention of someone else to help; see if someone can assist on that, specifically people that are familiar with air-gap environments. So ideally some service providers or something can comment on that, if there's anyone that's helped with those in solutions for service providers and air-gap environments. Any comments, questions? People, when I add stuff, thoughts around air-gap environments, update this air-gap environment user stories, because that's what this is about. Anything else? Moving on. Meeting schedule through the end of the year. I will not be, I will be out on the 20th and the 27th, and actually probably the third, potentially. So, Ian, are you going to be around any of those times? And is there an interest to have any of these? Let's start with the 20th. Are you going to be around for the 20th? Let me try that without the mute. I'll be around for the 20th, but not the 27th or the third. I don't know how anyone else feels about having a meeting on the 20th. I mean, we can schedule it, but the thing is, if nobody's going to turn up, then we're not going to get very much done. I mean, if you want to show up, and then if no one is here by, let's say, five after, if you feel like nobody's here, then it can be canceled at five after. And so starting, however long you want. Okay. Let's do the 20th and see how it works then. So any objections to canceling on the 27th? I think we have better things to do. Yeah. Any objections to canceling on the third? So one more meeting, on the 20th of December, scheduled. Okay. Ben, were you on mute? I may have not waited long enough. Did you have a comment? Sorry.
Oh, I thought I saw you off mute for a second, and I may have moved on too fast. All right. No, it's okay. Okay. So the last meeting of the year for this working group is December 20th, and I'll get it started. Okay. So I'm going to move on. Please join it. And we'll cancel the 27th and the third; we'll remove those, have them removed from the calendar. And we'll be back on the 10th after that. Thanks, everyone. If you want to help or want to work on anything this week, please reach out: user stories, best practices. I will find some time to work with you. If you want to help or want to collaborate with folks, just reach out. Otherwise, I will see everyone else in 2022. Thank you. Happy holidays. Happy holidays, guys. Happy holidays. Stay safe out there.