From YouTube: CNCF SIG Security 2020-08-05
A: Yeah, I don't think we have an agenda today. I was talking to the Keylime folks about doing a presentation, but it looks like one of the speakers is not available.

C: Yes, but Robert's before me in terms of updates and he may want to discuss his issue, so I'll let him talk about that when he gives his update. I guess the only other thing is, there was a question about Keycloak here, and it looks like they've just completed the dumb question phase and initial review, and so they're going to need to schedule a presentation for the group here to tell people what they've been up to.

D: Morning. So we did an initial kickoff call with the Custodian team and Justin and I, and I think the big need from this group is we'd love to get two or three additional volunteers who can help with reviewing the self-assessment and then reviewing what we suggest, security-wise. I'm leading that process, so I'll do most of the heavy lifting; I just need as many volunteers as would be interested to be additional sets of eyes and give good feedback.

A: Awesome. So is this for the, this year, past the dumb question phase, so I forgot what the new name was, and you're looking for reviewers for the actual assessment, right?

D: Well, I think, correct me if I'm wrong Justin, I think we can reopen the initial question phase, because we have the most recent updates from the Custodian team on their self-assessment document. So now the process really starts; I'll be reviewing that information. Obviously, if we can get two or three more sets of eyes on it, we'll allocate enough time for a productive review of that, and then I think we will do a few rounds of question and answer with the Custodian team, so the question and answer phase starts now. Okay, depending on how many volunteers we can get, I think the Custodian team is flexible and we can elongate that cycle if we needed to, so yeah, I think we have enough runway to make it productive.

C: Yeah, in general, we've always had maybe three or four additional people other than the main reviewer doing the review, and right now it's just Robert and myself, and I'm in the process of moving to Shanghai for the fall, which means that my ability to put really focused attention on this is also limited. So we really need two or three other motivated people who can go and give a hard look at this, because I don't think there's been an assessment, at least none of the ones that I've been on, where we haven't had multiple people with really valuable feedback that the assessment would have been much worse without. It's never just been that a person steps in and basically does the assessment and everybody else just kind of ticks a box. So I would really appreciate having two to three other folks. If you're not quite sure about it, it's fine to go and say, hey, I'd like to participate but I don't know what I can contribute. That's okay too.

A: Yeah, and maybe we can also, I'm not sure if you've already done that, but maybe we can post it in the Slack group, in case those people in other time zones might want to participate as well. I'm just saying maybe we can, if you haven't already, put it on the Slack side channel. There may be some people that are not on the call that may be able to help as well.

A: All right, cool, thanks Robert. Justin Cappos, so you want to continue on with the chat about Keycloak?

C: I don't have too much more to add about that, but I do have another very brief thing that I'll mention that doesn't warrant a real agenda item, which is: a few weeks ago I had mentioned kind of in passing in the meeting that I'm planning, as part of an application security class that I'm teaching in the fall, to try to basically take students through looking at a badly set up environment, like think about all the mistakes you've seen people make setting up cloud native, trying to give them an environment like that and then talking about those mistakes and having them fix them. And so I mentioned that, and there was a lot of "oh, that's a great idea, I'd like to participate" kind of things, and I wanted to mention to folks that I haven't forgotten about this, and at some point in the not too distant future I will get something basic together and maybe start the discussion either on the Slack channel or in these meetings, depending on time.

D: Just to throw it out there, Justin, would you see that as totally separate and distinct from, or somewhat overlapping with, something like a red-teaming setup?

C: I mean, the perspective we're giving in this exercise is more of: you've been hired into a company, and the boss's nephew had looked online and hacked some crazy thing together, and now you have to actually make it work and be reasonably secure. I mean, it already works, but it'll have these weird little errors that come up when certain things happen, and stuff like that, which will be indicative of actual security problems. But then there'll be a lot of things like checking credentials in, like checking private keys into GitHub, or database passwords or stuff into GitHub, rather than using Docker secrets or Vault or whatever. And so the idea is, rather than just telling the students "don't do these things", we'll give them an environment that's pretty basic but has a lot of different, really rookie mistakes in it. That way, when they're thinking about "how do I set this up correctly, or what do I do?", they already have sort of a bad example to fix, rather than just seeing it on a couple of slides or whatever and not really getting any experience.

A: Yeah, so Justin, maybe if you want to, it sounds like, well, there's going to be KubeCon and stuff like that, but I'm guessing after KubeCon, in the next couple of weeks, if you're going to put something in the planned meetings, then I think we'll have a pretty packed September in terms of presentations. If you want to do that, sounds good. All right.

A: So just to recap again on Keycloak: you mentioned that you're done with the dumb question phase and you require additional people as well for...

C: Sorry, so I want to make sure: Keycloak is separate from what we were just talking about, which is Cloud Custodian, right? Right, yeah, that's what Robert's been talking about. So Keycloak, from what's been discussed here, according to Ash and Emily and others, they've made it through both the dumb question phase, or naive question phase or whatever we're calling it now, but also the broader review, so that everybody who's in the assessment group, which is Christian, Aaron or whoever that is, sorry, and Emily have, in addition to Ash, who's the lead, all gone through and done deep dives into the document and left comments.

A: Yeah, all right, cool. Do you think that, so I'm not sure whether, I guess, let's see, we can find people for Cloud Custodian, but I'm just wondering whether anyone from the Keycloak team, the ones that's done, whether they'd be interested in Custodian. It sounds like it's just kind of a lack of people, and also, I think, which I'm going to get to in the next point. So I'm just wondering, from kind of a resource perspective, I don't know, would we be spreading too thin? Do you think we have enough, or should we kind of serialize some of these?

C: I think what I'd prefer we do, so we have sort of done two at a time at times, but that's mostly been when something is stalled. It hasn't really been two completely separate groups of people; in some cases we just had an assessment that stalled for a couple of weeks or a month or something and then another assessment got started. So I'd prefer we don't have three active assessments now, at least unless we get plenty of people for Cloud Custodian and then we have plenty of people for Buildpacks; then great, let's do it all. But I would prefer, we won't be doing anybody a service if we have half an assessment for Buildpacks and half an assessment for Cloud Custodian.

A: But I don't know how that's going to work out, but I feel like it may be something that we may have to revisit if we are spread a bit too thin.

E: Yeah, it's a good point. Definitely something to consider. I wanted to test some folks who we worked together with in the Harbor assessment, so we have prior experience working together. I see Martin and Chase on the call; I've actually been waiting to reach out to see if they have the cycles to work on Buildpacks and assemble that crew. But yeah, let's see what we're able to get and determine; we can certainly just pause one for the time being and do them in order.

F: I just wanted to add that I'm still interested in joining in other assessments, but I just have to check my availability. That's why I'm silent and don't have anything to add or say, but thank you for mentioning that.

A: Okay, so I think we're good with assessments. Justin Cormack, do you have an update? No, nothing today? Okay. And I think the last update is Kapel. I think we talked about Cloud Custodian; Origi, did you have something to add to that?

G: No, I'm straggling in late. I heard the tail end of it, all right, so it sounded like, I wasn't clear what the result was. Is it that we're doing a call for volunteers and otherwise Buildpacks is in the queue in front, or what's the end result?

C: I mean, so we have a call for volunteers for Cloud Custodian. I'm assuming that, unless I'm missing something, we have a completely fleshed out, completely ready to go team for Buildpacks and they have everything going; then my inclination is to have Cloud Custodian, which has been around longer, go first. If for some reason we can't get a team together that's of adequate size or something, then maybe, if another project's ready to go, we can maybe look at that. But because resources will be freeing up as we finish the Keycloak assessment, we can look and re-evaluate, but I don't think it really matters what order you do these in, because Keycloak should finish in a week or two, and then I hope that frees up enough capacity for us to have both of them going. And so, since the projects have already done a lot of the hard work and we're already kind of starting to get into the clarifying question phase, I don't see this as a hill anyone should feel is worth dying on, what the order of those is, because they both should be going quite soon.

A: Sounds good. Okay, I don't think there's any kind of agenda items we have for today. So does anyone have anything to talk about? If not, we'll probably just call it. Yeah.

D: Just a quick update from the policy working group: we have our calls at 8 am Pacific every other week, so we had our call today. I think the recordings, we're using this Zoom. And then just a quick thumbnail: we're continuing to work on a custom resource definition for Kubernetes for policy results, and we also had a discussion today about NIST 800-53, FedRAMP, SCAP, OSCAL type automation. So if anybody's interested in that, feel free to, once we get the recording posted, and/or ping here in the agenda meetings; I'm happy to reach out to anyone if they're interested in those topics.

A: All right, any other things anyone wants to bring up?

E: One thing: we've been looking closely at RFC 8705, which is OAuth 2.0 mTLS authentication and certificate-bound access tokens. So we've been looking, for OAuth clients, to use SPIFFE IDs, protect that using mTLS, and start bridging machine identity to user identity and just remove the need to manage client credentials. So for those doing assessments around user identity management related projects, that's something I just want to put in your head, and start to light a path towards that. So just something to raise for consideration or awareness to some of these projects. I'll put it in the chat, and in the meeting notes I can include a brief summary, the description of that. A couple of other items: one has been, Ash, this may be interesting, extending SVIDs to carry key-value pairs that could be claims. It blurs the lines a little between authN and authZ, but there's high demand for that. Folks from Netflix (ironically, much of SPIFFE was modeled after Netflix's Metatron) have come around and said, hey, SPIRE has now leapfrogged Metatron, and we may be looking to consume this for some of our newer systems or have dual compatibility. So they may be opening up an issue around this pretty soon, and we're going to have a big request for comments around it. And lastly, Justin, we've had conversations with the DoD around SPIRE integration with in-toto and the in-toto machinery: with key pairs in in-toto, how do you bind those to SPIFFE IDs? And there are things at several levels. I'll send some more detail on that. But I think it's another area that could benefit from broader group discussion of how to move SPIRE earlier into the supply chain, and we've talked about that at different points in time. But I think we now have a particular end user wanting to see this work done upstream, and the state of the technology is that we may be able to integrate it well.

A: If you could post some of the, I got the RFC link, then put it in the meeting notes. If you could post, if there are any links or design documents for the other two points you brought up, on the SVID key-value pairs and the SPIRE integrations with in-toto, it would be good if you can put them into the meeting notes as well. Interesting. All right, any other topics?