Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2021 Virtual from May 4–7, 2021. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Event Wrap Up - Andrew Martin, Emily Fox, Brandon Lum, Jeyappragash Jeyakeerthi
A
Hello, everyone. I hope you guys had an excellent Cloud Native Security Day. I know I did. Unfortunately, I didn't get a chance to participate in the CTF, because I was so busy reading through all the chats and listening to all the amazing talks from our fabulous speakers, and helping out everybody that reached out for assistance either through the Slack channels or through direct messages.
A
So we're going to go ahead and wrap up the event. I'm Emily Fox, I'm the SIG Security co-chair and the Security Day lead for the event, and we've got JJ, who's one of my other co-chairs, and Brandon Lum, who is a technical lead for SIG Security.

A
So we're gonna talk a little bit more about security and how you can get involved with this awesome group of people, as well as do a full-day event recap and open everything up for Q&A, in case you're curious about anything else going on with SIG Security or if you've got questions about anything associated with cloud native security. We've got some great stuff coming up for you, so Brandon.
B
Thank you, Emily. Awesome, so I'm just going to go through a couple of slides. I'm going to tell you a little bit more about SIG Security on top of what Emily has already shared this morning, and then we're going to go into the discussions. So, awesome. What do we have for SIG Security? Emily covered in the morning a little bit about presentations and discussions.

B
This is something that's ongoing. As you can see, some of the topics here are stuff that we've seen today, for example Parsec. There's a lot of topics that we have coming from the other working groups that we work with, for example the Policy Working Group.

B
We work closely with the Big Data Working Group and so on, and as Emily mentioned, you know, whenever there's a chance for community collaboration, for example Ava dropped by from the Confidential Computing Consortium, and then we talked about, you know, the ways we could engage as a cloud native community.
B
So another big thing that we have is the supply chain catalog. This was something that was created a while back by Santiago and a couple of others, and there was a lot of interest in the supply chain problems in security. Today we even had a breakout hallway track session on that, and I think there were a lot of interesting things that were put in there. I think there was even a paper.

B
It was called the Backstabber's Knife Collection or something. That paper is definitely something to read; it's a cool title. So this catalog is community maintained. So I think, based on the number of resources that were posted in the channel, if you see that there's something that's missing from the catalog, or we can make improvements to it.
B
All right, so usually we have in-person meetups. This is something that hopefully next year we'll start resuming once things get back to normal. So hopefully, I know Europe will be virtual, but maybe the next KubeCon, and we will see each other again.

B
And we also have security assessments. This is one of the core activities that we engaged in today. We have five security assessments already done. These security assessments are a way to really assess the security posture of a CNCF project.
B
There's a lot of interaction with the TOC and helping them provide recommendations on what a project's security posture is, as well as, if it's a security project, for example, how does it really fit into the CNCF ecosystem. And the output of this project is a security document, which, you know, for these projects that we've already done, it is a document where, if you're interested in the project, or you have been looking at one of these projects, for example OPA, and you're not sure, like, where do you...

B
Where do I start in terms of security considerations? The security assessment document is something that you should definitely take a look at. It really is like a good introductory document.
B
Security assessments are also a good way to engage in the community. Usually, assessments are scoped at about two to about four weeks total, where two weeks of it is the main review and assessment and the rest is kind of putting together everything at the end and then drawing up a summary of what the recommendations are.

B
So it's very nicely scoped. Usually we have four or five reviewers per assessment, and so this is open to everyone. If you're someone that is new to this or would like to learn, we have opportunities to kind of shadow, to kind of join the channel to see what's happening with the security assessments, and if you're someone that's experienced with this, definitely come take a look, and it'll be great to have more people on board.
B
So just a shout out to all the security reviewers we've had since we started security assessments. Thank you so much; we wouldn't have been able to do the first five assessments, which was our first security assessment milestone.

B
So how do I get involved with SIG Security? SIG Security is mainly based on our GitHub repository. So if you go there, there's meeting information, Slack information. Everything is governed in the GitHub repository, and so...
B
So if you actually go to the GitHub repo and you go into issues, if you've seen anything in the previous slides that you're interested in, for example you wanna present something about your project to the group or talk about, you know, the security practices within your organization, you can create an issue for a presentation, and then, you know, we'll sort out the logistics to do that.

B
So with that, I'm gonna wrap up this part of the closing. Like I mentioned multiple times before, everything is on the GitHub. So if you remember one thing, just go to the CNCF SIG Security GitHub; our meeting times are on Wednesday, and we have a Slack link over here, which is part of the CNCF site, and don't forget to sign up for our mailing list.
B
I think for me, I had a couple of favorite talks. I really liked, you know, the dynamic analysis, tracing system calls talk, talking about eBPF and how it's kind of really evolved how people do analysis and dynamic, even just like the runtime security stuff.

B
I'm also like a big fan of any hardware security related things, so the Parsec presentation and also even the certificates one, I think we're talking about how we actually bootstrap the chain of trust to an HSM. I thought that was cool.
A
I think so. It's hard for me to just pick one, but I have to admit the Yubico talk at the end of the day, right before the CTF wrap-up, I thought was really cool, because it highlighted a huge problem space that occurs in the community when we're trying to go cloud native, because the cloud native landscape is so large and security is like three miles long and like leagues deep. But the nice little shopping list that they put together for how to get some of these tools to work together, and we heard about that earlier in some of the other talks, that you can't just pick one solution and just roll with it and you're automatically secure.

A
You have to work on them a little bit. You have to build that defense-in-depth mentality across your organization. This is not just going to be runtime security that's a concern. It's going to be all along your supply chain, it's going to be through your build, it's going to be through your pipeline, all of that. JJ, what about you?
C
I mean, the eBPF talk was like the most fascinating one. I'd love to... there's so much about eBPF that's actually a mystery for most people in terms of: is it secure? Is it not secure? Is it kernel mode? Is it not kernel mode? And...
B
Yeah, and I think also JJ talked about, you know, the modern cloud deployments, and also Emily talked about, you know, just having to juggle different aspects of security, but then, you know, even like in the chat governance lightning talk where we talked about, you know, it's not even just different components of your security ecosystem, but when you have multiple parties involved, like your cloud provider, you know, how do you make sure that you have proper governance of that?

B
You know, as a company or as a cloud user.
C
Yeah, policy distribution at scale, computed with performance, is going to be a challenge, and the more the computes are not under your control, the faster you want to evaluate the security policies, and it needs to happen closer to the edge. So that is something that actually was... It's still fascinating and I think it should...
A
So we actually got our first question. One of our SIG Security members decided to ask it, so Bushkara wants to know what are our recommendations for security-related talks to attend for the rest of KubeCon, and I can only assume that he's asking that because he's so in love with all the security talks that we had today at Cloud Native Security Day, and he can't quite get enough of it, as we've seen in some of the other Slack channels talking about Security Day. So, Brandon.
B
I actually haven't had the time to look at the schedule. I'm looking through it right now.

C
Yeah, I haven't. I'm in the same camp as Brandon.
B
Yeah, I'm just looking through it quickly. I think there are a few things that could be interesting, anything which is kind of like bypassing security mechanisms. I think, you know, the one that the Google team did a couple of KubeCons back on, like, jumping between nodes, that one was cool. So there's another one called Bypassing Falco, so I think this could be cool. You know, it's going to touch on a lot of the stuff that we just talked about.

B
Like eBPF, you know, it's a mystery. It's something cool, but I think this would be kind of a good insight and a nice exercise to kind of see how the threat model of that fits into applications as well.
A
Yeah, for me, like, I spent most of yesterday furiously combing through the schedule, looking at all of the talks. The Bypassing Falco one definitely stood out for sure. There were a couple of other ones, though, that I thought were really interesting.

A
There's just so many, and that's one of the nice things: we're starting to see more security-focused talks, or even just regular technical talks with a security bent to them, which is fabulous, and that's something that we want to see from the community. But yeah, I actually have my schedule viewable, so if you are friends with me in Sched, you can check out and see which sessions I'm going to, if you're interested.
B
I'm also looking forward to the PKI the Wrong Way talk, because that is something that, although it has been around, is misunderstood a lot, and I think this is gonna, you know, help solidify some of the kind of mindsets and also hopefully give me another way to see it, and to see how we can, you know, make sure we cover those grounds when we're in the PKI.
A
Yeah, we got another question: for compliance automation, do we have any recommendations for a specific session? I would like to point out that we had some excellent compliance check coverage today with OPA. I think there were at least three talks today that mentioned OPA or talked about policy enforcement and automation of policy rules.
C
I mean, OPA's scope is a pretty good first step, and I think there is also a bunch around that's published closer to the Cloud Security Alliance, that actually is somewhat of the intersection point of where we are.

C
Compliance has come up in the conversation and there were like a few good recommendations there too, but in general there's a good amount of resources in the Cloud Security Alliance that I'll point to overall, and then attending the SIG Security meeting for more of an in-depth conversation would be a useful thing. And compliance is like one of those things where, like, when your infrastructure is moving dynamically...

C
Anything that's been defined yesterday doesn't actually apply today, and it's good to have a scriptable compliance story to go with, but what you want to know is, like, how do you verify, validate, and then how do you basically assert what you have versus what's happening in the system when the infrastructure itself is changing, when computes are not the thing that you actually own, to a large extent.
B
Yeah, I think there are like two or more talks in the security track, but while we're on this, I think a couple of other sessions that are on topics, you know, outside KubeCon, you know, OSCAL is one of them, and also just my personal way to kind of look into compliance. One of the things that I like doing is a lot of these...

B
You know, products have kind of like this compliance mapping where they'll kind of say: okay, here's a new standard, here's where the specific controls map onto it. We did some work as part of the SIG with the DoD; there was a spreadsheet somewhere.

B
I think we can put it in the Slack channel later, but that kind of talked about what some of the controls that, you know, Kubernetes or, you know, some kind of scanning tools are going to be. But I think, yeah, compliance is something that's very specific to implementation, as well as very specific to the type of compliance that you want to end up doing, whether it's, you know, FISMA or FedRAMP or HIPAA, but if you can map it onto some type of NIST 800-53, you should be fine.
A
Yeah, you actually brought up a good point, and this is something that we've talked about quite a bit in the SIG, is that security and compliance are often lumped together, and they don't always mean the same thing. You can be more secure in some cases through implementing compliance controls, but you're not always going to be compliant when you're just implementing security out of the gate.
A
Definitely, for sure. What else did you guys like the most about Security Day overall? Mostly because I've been so close to the cloud native security white paper and getting that wrapped up, it was really nice to see that almost every single one of the talks was entirely about cloud native security end to end, or at least how you manage or deal with a particular problem area in cloud native security.

A
It's... I talked specifically about dynamic image security scanning and how that fits into your life cycle, which we talk about in the paper as well. Alfie and Nick talking about the importance of your data source and the benefits of understanding what the data gives you for cloud native security. Kelly talked about security theater, which I think a lot of us are very familiar with, and the list just goes on and on.
B
For me, actually, I feel like the cool thing was that we kind of see the talks evolving to be targeted towards a more mature security posture of running compute. You know, it's no longer...

B
"Oh, I'm just going to put some scanning stuff, and then I have the CI and have my cluster, and I'm fine," right? We're going to be seeing a lot of more advanced problems, right. That's why we have Cartographer. You know, we're looking at service mesh. We look at, you know, how do I, having service mesh sidecars and authorization, Kafka, right?

B
How do I bring it all together in a place that makes sense? We're not just talking about simple basic controls, but, you know, how do we tie the entire security picture together? So I think that's what I got excited about, especially about the hardware stuff. But, you know, I'm curious to hear from everyone as well, you know, what kind of future topics we can really go into, what's interesting, what are the new requirements that we're seeing as we are getting more and more workloads moving to Kubernetes.
C
Yeah, I mean, one of the talks related to that, that it reminded me of, is the "defenders think in lists, attackers think in graphs" one; that one was... yeah, yeah. There are like multiple people that talked about that as well before; this isn't the first time, but it's just fascinating, as the services get more distributed, as the services are running everywhere, the defense mechanism of the early days of, like, just making it perimeter-based security doesn't actually really work.

C
Applications, either compliance verifications or even application of authorization policies, that think about it in a graph-based way, it's probably a directionally right thing to do; it might be too early. To be honest, I think there's still a lot to be decided in terms of performance when you're evaluating in that zone, but directionally, I think that's probably a good way to think through security.
A
Yeah, I think one of the interesting things that we got a lot of is: just because you're doing containers doesn't necessarily mean you're secure, and we saw that through this CTF. And it's unfortunate that Andrew had to drop offline, but if you were online before, he did a wrap-up of the CTF and he went through all of the challenges and the flags, and this was our first time doing this CTF as part of Cloud Native Security Day.

B
Well, next week we should get Andrew to give us all the access.
A
That's right, exactly right, but yeah. Container security is super important, but container security isn't the only thing that's going on in the cloud native space. We had a presentation at one of the SIGs recently about serverless security from the Cloud Native Security Alliance, and as of late, I mean, I've been getting a lot of newsletters from various sources about things that are going on in the security landscape, and serverless security has pretty much come up in the last 10 emails about it that I've gotten. So I'm curious.
B
I think it's harder, but at the same time it's easier, because the good thing is really it's decomposing your entire application, your entire enterprise, into the smallest component, so you could technically, theoretically, have the best authorization policies ever.

B
Which is that level of abstraction of compute and multi-tenancy.
A
Yeah, the nice thing about that, and with a lot of the other talks that we got, especially from the end user stories like with Yubico and one of the other presentations that we had earlier, is that it kind of builds on the previous layer, or the previous activities, or the previous part of the life cycle, to ensure that we're getting to that more and more secure state as compute gets more and more finite and smaller.
A
All right, well, I will go ahead and wrap things up. I want to thank everybody for joining us for Cloud Native Security Day North America 2020. Thank you, Brandon. Thank you, JJ. Thank you to all of the CNCF staff that helped make this possible, as well as the Cloud Native Security Day program committee. Without all of you here attending the event and volunteering and helping out, we could not make this possible. So thank you all so much. I hope you had a wonderful day.
C
I want to give a big shout out to Emily for pulling the whole thing together and then keeping it on track and getting the whole thing organized, so shout out to Emily, and shout out to Brandon for closing and then keeping it in sync.