Good morning. Morning. How are you doing? Are you on the east coast? I forgot, I'm on the west coast. Oh, okay. Great. So you're safe from any hurricanes. Yeah, we have it easy on the west coast. Oh, we just have heat and, you know, firestorms and earthquakes. Yep, and early meetings. Early meetings, just getting off one with Israel. Wow, that's very early.

I don't actually see anything on your agenda. Let me make a new section here. I think we, I mean, I think we obviously will, assuming Jim will join, we obviously kind of have the ongoing: where are we with all things custom resource definition, right? And then, and I'm a little tardy on putting some... I think I have an issue to put in there from the OPA folks. Yeah, that's about all. I'm working with Custodian on the... and Kapil usually joins these calls, so he might be on. I'm working with Kapil and the Custodian project on their security assessment. So, you know, I will definitely put the bug in there about, you know, how we could integrate with the CR. Yeah, so I think, you know, if we can get OPA, we get Custodian covered now, and then I think there were a couple of others that were, maybe IBM folks, I think that'll be a pretty good proof point. At least we'll find out at that point, see if we've got enough traction.

I did have one other agenda topic. Um, not so concrete as a discussion, but as I'm doing a lot more with NIST 800-53 policies, I wanted to talk about how those map to both the CR and then more generally. Q&A. Add something to the agenda if you'd like. Yes. Jim says he can't make it. Okay. We'll see if some of the IBM folks join. Just wait a couple more minutes. Otherwise, maybe we'll just have a short, small one.

Maybe not meriting a full agenda item, but any update from Howard on his slides that he's trying to put together? We recorded it last week and submitted it, so it should be good.
Yeah, I'm not sure what kind of reception it will get from our audience. We'll see. No, the idea there was it's just going to be a recorded presentation, yeah. Right. Thanks for helping out with the slides. Uh, I wish I could have dedicated more time. It's been crazy busy.

So it looks like a small meeting today. Maybe everyone's busy, either that or it is August, so we can't necessarily count on too many hands showing up. Um, let's see. Do we have any open pull requests that we need to address, or any other kind of administrative business?

I think I'm still... every time I get on this call, I put a note to myself that I still think I'm not a contributor yet on the GitHub repo. So I think I need to do something. Jim mentioned I have to do something. So that's really not for the group. Yeah. Then I can do helpful things like review PRs and commit things. It says you're not a member of the kubernetes-sigs org. I submitted some issues and filled out some PRs and committed things, and someone looked at something, but I'm definitely on the far end of the spectrum of making sure I get all those i's dotted and t's crossed.

All right. So then, let's see. You want to just go ahead? Oh, we got some more people. Welcome everyone. Hi Erica. Hi everyone. Maybe Robert, did you want to start with your item? Yeah, sure.
I mean, again, it's not really at the level of a formal presentation or discussion, just more throwing something out there, and anyone who has brainstorm suggestions or further ideas would be appreciated. But I'm involved in a number of initiatives and projects that are looking at NIST 800-53 controls, and that relates to something called FedRAMP in the government federal space, and then there's some automation around that called OSCAL that NIST has released, essentially an XML-adjacent structure for your controls and assets, components they call them. But one of the components, of course, could be a policy, either written or codified. So I was just curious if anyone else has kind of looked at the federal NIST policy control space, in particular around Kubernetes, but then just more broadly as it maybe relates to the custom resource for policy results, policy execution results. You know, how that might map or not to a framework like OSCAL, where you're trying to automate the categorization, definition and implementation of controls, with policies being one of those types of control, both, again, written and computer-executable policy. So that's the broad strokes. Just curious if anybody has any overlap with those areas.

Yeah, this is Jaya. So maybe I can chime in a little bit here, and then I think I see Jakub is on the call here. So on the Advanced Cluster Management side, with the Red Hat product offering as well as the Open Cluster Management community project, we are building out a library of policies, and we are organizing them based on the NIST 800-53 standard. So definitely, you know, we are looking at it in that context, right? We are looking at it, and there is also an effort that's going on.
I can see Kirsten is on the call as well; both Kirsten and Jakub can talk a little bit about work that is going on in the OpenShift product area related to FISMA/FedRAMP controls, in the context of the compliance-as-code project. So those are the two things that are happening on the Red Hat side that are related to what you're talking about, probably.

And is there anything that's, uh, so is all that kind of on the repo, published? Or is that... Yeah, so, uh, can I share for one second? Sure, absolutely, and show you what we have. We can show you what we're doing on the Open Cluster Management side. Can you see my screen? There it is. Yes, perfect.

Okay, so in the Open Cluster Management community project, we have a repo called policy-collection. So in this collection, our goal is to come up with a set of example policies for Open Cluster Management. And the way we have organized the repo structure is we have a stable folder and we have a community folder. The stable folder contains policies that ship as part of our product offering, which is Red Hat Advanced Cluster Management. Here also, again, we are organizing the policies in terms of the various NIST 800-53 controls, version 4. And, uh, so the policies are outlined here, right? So if you click on one of the policies, it's in a YAML format, and then it kind of walks through how it is organized. We are also, uh, working with various, uh, contributors outside of our product space, uh, so those policies are going into this community folder. And we welcome contributions from everybody, right? This is open to the community. And, uh, again, we are organizing this in terms of NIST 800-53, and you can see here we have a couple of policies donated by, um, IBM Research. Uh, this is a policy that is, uh, an OPA-related policy.
Um, that is donated by one of the Red Hatters who is working in the consulting, uh, client-facing role. And, uh, he also donated this other one as well. And then we're also working with Sysdig, and they have created policies for their Falco operator and Sysdig Secure, right? So the idea here is that, um, they will put in here the actual policy file, and then, uh, obviously the policy has to be consumed, right? So you need a policy consumer, and, um, that would be whatever is running on the actual cluster. And in this case for Falco, uh, they point to the Falco project and you can figure out how to deploy the Falco operator, for example, right? So that's the whole idea, right, that not all the code is within our Open Cluster Management, uh, project, but, um, the policies are here. And the policies can be also written in other languages, right? So for example, if you have written a policy in OPA, that's fine too, right? Because we have a way to wrap OPA and ship it, um, from RHACM, so we can do that.

Um, so the, I think the part that... I mean, this looks great, and this definitely fits with what I was thinking is necessary. The dots I'm trying to connect is, you know, going through these FedRAMP or other government buyer processes, you can imagine, you know, we think in terms of actually running cloud infrastructure and doing DevOps and, you know, DevSecOps. You know, a lot of the receiving end of this information you might want to think of as DocOps, documentation ops. So the idea of this OSCAL NIST project is to kind of script... well, first of all, to define the model and the data structures, and then script the production of documentation that could be consumed by humans.
So the idea being, and it might be a small tweak to what you've already got here, I'll take a look, and it might also be something that I may have talked about on this custom resource, I can't remember, but this notion of just providing kind of a policy statement that's human-readable, that gets carried along through all these automated DevOps policies or SecOps policies, so that it can bubble up to, you know, literally something that, you know, a script that generates a PDF from JSON or YAML and then includes those policy statements around what controls the policy is implementing, how it's implementing, who is implementing, what roles are intersecting, and then how it's related to other policies. But at the end of the day, for the consumer of this being, say, an analyst at the project management officer at, you know, the Department of Energy, just making this up, you know, they won't want to see a PDF that says, you know, we have a policy certificate that satisfies, you know, SC dash A and checks the following control elements, building components.

Yeah, is it fair, Robert, to say, like, to think especially for FedRAMP we're talking, I'm thinking we want an automated output for a system security plan, for example? Exactly. Yeah, and that's what OSCAL, OSCAL as the basis for the control library, rolls up into. I think it's a GSA group. Okay.

Yeah, we should definitely take a look at OSCAL on the Red Hat team, and we might have some people in our public sector team involved in that already. So the compliance-as-code repo, which plays a role with Open Cluster Management, right, the RHACM offering can call into our compliance operator, which will run on an individual OpenShift or Kubernetes cluster. Um, compliance-as-code is intentionally written with SCAP, because it is, you know, NIST certified, right? It's a NIST standard, the Security Content Automation Protocol.
It's a pain in the butt if you ask me, but, and I love that, you know, we have OPA, the ability through RHACM now to support OPA and things. But the compliance-as-code repo was kind of designed in a way to kind of be able to automatically generate the PDF that you're talking about. Um, but I think it will be really interesting, and Jakub, you might want to chime in here because you're probably more familiar, uh, with exactly how that's done in compliance-as-code. I think it'd be really interesting to also look at OSCAL and see, you know, what are we... you know, is there alignment? Do we want to, you know... you know, where do we go from here? We've been doing compliance-as-code for a long time at Red Hat because of our, you know, strong public sector customer base. Um, but there may be an opportunity to kind of get to the same place, you know, collaboratively with another project.

So I think one thing I wanted to highlight is, um, within the policy, right, one of the... Can you guys hear me? Yes, sorry. I was just noticing that Jakub put in chat that there's an OSCAL repo in compliance-as-code, and even... Yeah, I was hoping that... The repo is very new. Um, I know that OSCAL was, yeah, in the compliance-as-code team, or the project, it was sort of a contentious topic at some point. Um, but apparently there's been some development, and I'm sort of removed from these details of the compliance-as-code repo. Um, we can ask, but I don't know the details offhand. Nonetheless, there is a repo that generates some OSCAL data from the SCAP content, it appears. The repo is, what is it, like three, four months old. So it's a fairly new project. Okay, um, I can try asking what the status is and if, you know, this is just a proof of concept or if they want to go somewhere. Yeah, let's do that, and Jakub, we might... I can also ask John Osborne a little bit.
He's working with, yeah, DoD on some related things. And it'd be just as valuable to understand, you know, if someone has looked at, you know, OSCAL and had, you know, weighed the pros and cons and decided, you know, in the negative, and then you hear the reasons, that would be, you know, great to surface as well. Cool. But yeah, I mean, it looks like they've got some approximation of what I was thinking in terms of, you know, being able to do, you know, bottoms up or top down, from an organization trying to engage and produce the SSP, you know, if they have everything with their Kubernetes policies defined in OPA or YAML or JSON. Yeah.

Same on our side too, right, if there's feedback on the compliance-as-code repo and how it's structured or organized, you know, or any other type of feedback, we'd love to get that, um, as well. So kind of, you know, the more alignment we can create, the better. I think I can provide some concrete tire kicking. Great. And I will mention one of the things that the team at Red Hat who's been working on the compliance operator for OpenShift has needed to do for SCAP is add the capability to do YAML probes. That's, um, there's been work upstream as well on that. Okay.

Uh, Jaya, was there something you were trying to get a word in on? Did we lose Jaya? You're on mute, Jaya. No, I'm here. Um, yeah, I think that those are all good points. Um, I think what I was trying to say is that I understand what Robert is asking, and, uh, one of the things we are attempting to do, if you go and look in the YAML file, that's what I was trying to highlight, is put some annotations into the file that correspond to, you know, what standard it is, what are the control families and the controls themselves, right? Um, so the idea there then is we can then, uh, map the technical controls or the technical policies, right, or the policies for the technical controls, to the higher-level policies, right?
Which is what you see in standards like FISMA, etc., right? So I think that's at least the bone, right, to kind of bridge that. Yeah, absolutely. No, I mean, it makes perfect sense, and especially in the context of larger orgs who, you know, they've achieved or have already been mandated to achieve, uh, an ATO, and so they're, yeah, they're kind of going through that more mechanical exercise of: we know what our processes and policies are at a written level, right? Now we're mapping that to the NIST 800-53 control families, and then what does that mean for Kubernetes or any container environment, right? Um, and then kind of doing that gap analysis and then just a mapping exercise.

Um, yeah, so I'm showing that example here. If you see here, right, in this particular policy, it is related to the certificate expiration. So we have these three annotations that kind of say where it fits in, and you can actually add multiple annotations here. So you can say NIST 800-53, but you can also say PCI. So for example, if you're in the financial sector and you care about both, right, you can put a comma and add that as well. So then what happens is when the policy violation gets reported back to the hub, on the hub, you will actually see these organized in terms of the standards.
So, right. Yeah, and I think, you know, the other challenge, you know, even amazingly for an initiative like FedRAMP, which was designed around cloud, it was still, I think, the operating concept was around static resources, static assets. And so, you know, the reality of course is that this is all ephemeral in containers and certainly the Kubernetes world. So, you know, having an SSP that talks about, you know, a particular policy around particular IP addresses or assets or even interfaces, um, you know, quickly becomes pointless if you then have a Kubernetes set of clusters where you're constantly changing, you know, not only the IP addresses, of course, but the workloads and the microservices and whatnot. So being able to move that, I see the value not just in the box checking, I've got to produce this documentation for the federal government and review it every year, but the real operational need to keep bi-directional sync of what I'm saying my policy controls are trying to accomplish, tracing that all the way down to the nitty gritty of, like, are my pods in compliance and here's how, and then back again, right?

Yeah. And that's why it's so important that you be able to kind of automatically, you know, scan for regular compliance and output kind of that SSP as part of the, you know, an output and audit report that is human-readable, right? Right, right. You've got to marshal all that change operationally, but then you've got to communicate that change, and that the change is under control, to that human who ultimately has to sign on the dotted line that says yes, this is in compliance or not. Yep.

And do you know, and I feel like I should have known about OSCAL, but I'm catching up, does anybody know whether it's intended to replace SCAP, since it's a NIST-sponsored project? I don't know. I don't think so. I thought OSCAL is at a higher level. At least, that's just me guessing.
Yeah, that would be my interpretation as well. I would think that they would see it as complementary. Okay. Yeah.

Um, before we run out of time, uh, I think, I don't see Jim on the call today, but I was just curious to recover where you had a view of the Policy Report CR, where that stood, and, um, how can we get to a point where we can get that kind of standardized? Yeah, Jim said he couldn't make it today. In Slack he says the plan for the week is to transfer all the pending comments from the Google Doc to GitHub. They have also added a report generator in the Multi-Tenancy Benchmarks project, and they're working in Kyverno on adding support. Does that address your needs? Are there other things we need to do to get it moving forward besides addressing what were comments in the doc within the repo? Yeah, the only other thing is, um, I know you and Jim took it to the SIG, right? Um, so what happened there? Do we have to do anything more there, or is it just now we are going to just move forward in the context of the GitHub reports, right, where we, uh, take additional comments? Yeah.

Yeah, the SIG, awesome. What we understood is they're pretty... if the, you know, like the repo we have works well and we can, you know, and projects are able to use that, they prefer just keeping it within that repo. The, you know, official API, getting it, like, compiled into client-go, has a series of kind of recommendations, or not recommendations but requirements and work that you have to kind of meet. I can share if you like. They're much more hesitant to do that if possible. For instance, we would probably have to refactor it to be in the more common spec and status kind of format, since we didn't use that. Things like that. So I think ideally, especially for what would be considered like alpha, if projects can refer to and collaborate around the repo we have, that would be the best point. Okay. Okay, that sounds good. Um, because I know one of my colleagues, Randy George, had some comments.
So I'll ask him to work in the context of the GitHub repo then. That sounds good. Yeah, that'd be perfect. Yeah, please open issues, PRs, whatever. Okay. Sounds good. Thank you, Erica. Sure.

Yeah, then the only other thing I had: Howard and I recorded a deep dive for KubeCon EU. I don't know when that is, but look out for that. Hopefully we didn't misrepresent this project or these projects. Oh, also, if you mentioned the formal verification, we misrepresented that anyone is working on that, but I think we, uh, represented it as a, uh, plea for volunteers. That is an accurate representation. Excellent. Uh, yeah. It really is cool because, uh, since Howard has been away so long and he's coming back and looking at all this, there's like a crazy amount of things going on, so many projects in the policy space sprung up. So it's quite, from that outside perspective, you see more that there has been a spurt of movement in the space.

All right. Am I missing anything else on the agenda? Did anyone have anything they would like to bring up? All right, looks like we can end early. Thank you everyone. We'll see you in two weeks, or on Slack and through GitHub. Thank you, Erica. Thank you all.