From YouTube: CNCF SIG Security Meeting 2019-10-16
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
A
You don't have, if you don't have anyone described or anywhere to put notes. It might also be slightly premature. Yeah.
A
Right, I'll go first. I've been working on due diligence and other documents related to things with TUF and, to a much lesser extent, in-toto, which Santiago will talk about. But yeah, I've been going through that part of the process, which isn't as well specified as I'd like, and what actually seems to happen in practice seems to be quite different than the documentation. So I'm hoping those sorts of things will settle over time. That's it for me.
B
As part of our incubation review, Joe Beda is going to be looking at doing the due diligence, and then I think he's going to be reaching out to SIG Security and just getting SIG Security's thoughts on the Falco presentation, or the proposal. I'll drop a link as soon as I can, in the... sorry, Ash, for messing you up, but I dropped the link in the document.
G
Michael, yeah, okay, let me then get to it. You know, congratulations on the great presentation yesterday. It went really well. Excited to have Joe engaged there, and also really excited to see, you know, this will kind of be one of the first proof points where, you know, the TOC is going through a process, looking to document the process and, you know, potentially engage and choose where to engage the things. That's great. You know, the sort of interesting discussion that we didn't have an opportunity to dive into yesterday at the TOC meeting.
C
I had an update about the security project: I made the first PR to the catalog. I think Brandon and people looked at it, but I would like more other people to look at it, so chime in or do something about that. I also started digging into the security hub from Falco, because I think some of the resources could be adopted or moved over or shared, or just, you know, collaboration between those projects.
E
So coming out of this discussion, and, you know, whether TOC representatives listen or tell, and, you know, just beginning to explore what the interaction patterns and, eventually, potentially, policy, you know, we would want to see happen with the SIGs. So I think, you know, a really useful thing to define, you know: one of the things that, you know, if a TOC member like Joe were to, you know, ask for guidance or, you know, should they engage with SIG Security? You know, if we had sort of prepackaged three to five questions, that start with three questions that we would want to ask a project, you know, to decide if we want to spend time with them. You know, what would those questions be? And, you know, that way we would be able to plug in with us, so it's a natural fit, you know, but they are assuming in the next iteration it's not Joe, it's not someone that's ours.
B
So I just threw in the channel, or, I'm sorry, in the Zoom chat, a link to the CNCF TOC's due diligence template. It's my understanding that this whole document doesn't necessarily need to be filled out, but the reviewers use it as a thing to guide the questions that they ask to make sure that the project is suitable.
B
And as someone who just went through being asked to go to, or asking to go to, incubation, I agree with that sentiment. It's hard to understand, and then even when, I think, to Dan's point, which is a great reason for him to bring this up, it's like, when Joe goes and asks SIG Security to take a look, what does that mean, right, from SIG Security's perspective?
I
It's a great point, and it's, so you know, the assessment process is applicable, and, you know, capabilities that you're bringing to these processes haven't existed in the past. And, you know, the thing that I don't want to do right now, especially since we have a volunteer group that is supporting this, is, you know, advocate for an explicit mandate, right? You know, I think we're still in that discovery phase of how we work together, how we set expectations. What's the interplay between an assessment and a formal security audit? So, you know, there's a lot to sort of tease out, and, you know, I do think that one of the questions could be like: have you signed up for a security assessment, right? Do you think that your team would benefit from, you know, an in-depth look and collaboration with security?
B
So, like, my understanding is each respective SIG would go and be asked to take a look at a project that falls under the purview of that SIG. So, like, since Falco was the security tool, they're asking SIG Security.
B
Now, SIG Security would be asked to do an assessment on a tool that's not necessarily a security tool, because they do the security assessments, right? But I think we could probably come up with a generic list of questions that the SIG should be asking, whether you're SIG Security or, say, I don't know, authorization... I can't think of another SIG. Storage.
B
This is not an assessment-level question. This is just engagement level, you know: should we, you know, engage, or, you know, is, you know, given that, you know, there's a security component to this, you know, we would explicitly, you know, just assess that, and, you know, think that this, you know, interacts with or conflicts with, you know, XYZ component in Kubernetes.
I
Santiago, does that make sense? I mean, part of what we're also sort of, you know, the challenge that we're grappling with is the TOC is, you know, taking their process and trying to make it a bit formal along the way, right? So there's formalization that's happening at that level, and we have been formalizing and, you know, making our own processes more robust, and, you know, now it's time to sort of, you know, negotiate some of that fit-up.
C
It doesn't make sense to me. I just think we can make the most out of the resources that we have in security, so as to provide information that they can use to make their positions, and I think we worked very hard on figuring out what the self-assessment should look like. So I think we can somewhat reuse some of that work.
B
What if we came up with, like, to Santiago's point that he just made, what if we came up with, like, what are the 10 questions from a serious security assessment, or there's obviously a lot more than 10, but, like, what's the minimum things you need to do from a security perspective's point of view to move into incubation, right? And that would be a very easy thing, and, you know, it doesn't have to be binding.
J
But I thought Dan's suggestion was more along the lines of basically, you know, baiting or inducing the projects to actually engage with us. So it should be like three questions that are interesting for them, that they say, oh, maybe I should talk to these guys, and then we can go into the detail and give them the whole suite of questions. So what are kind of the three questions that a project should ask themselves, whether that makes them realize that maybe they should talk to us?
A
Just ultimately going and trying to distill it down in a different way, especially if it's something we're trying to get some uniformity in across projects, may not make a lot of sense. That was one of the kind of issues we realized when we started to put the assessment together, is that, you know, you've just got a very different security perspective depending on what the project is, because cloud native is so broad. So we can sort of, you know, try at this, but the three questions I would list...
K
I mean, yeah, I tend to agree. We come up with this process that we think is a good one, and I mean, I think we need the TOC to agree with us that it's the right thing for projects. Today, I don't think it's even, it's not at the moment even compulsory for a graduating project. So at the moment it just seems a bit, though they're not okay.
A
A shot at the TOC, let me just say this: to me, if the TOC says, well, you know, we would rather, like, you know, it just takes too long to figure out if something's secure, and that's just, you know, stopping us from putting things into the incubation phase. That to me is a big problem, and it's exactly the wrong message to send. Yeah, I would think that, you know, for trying to align people like Falco and others to be more secure.
A
If the TOC cares at all about security, that's supposed to be something that's aspired to, which I think is one of their goals for the projects, then instead they should really be pushing us to expeditiously do an assessment of Falco and viewing that as a way to get Falco in faster rather than slower. Yeah, agree.
B
And, you know, quite honestly, like, if they would have told us, like, the requirement to get in is to do the security assessment, and then, you know, these three other, or the other criteria, like healthy number of commits, three end users of production, production of note, and I forget the other two requirements. I mean, if the security assessment was one of those things, we would have shifted time to go and do that. But the problem is, like, them...
B
The requirements are somewhat vague and opaque and opinionistic. So, like, instead of spending time doing the security assessment, we spent time basically putting together a pitch deck, for lack of a better word, trying to make our case. You know, I mean, and if the requirements were much less opaque and opinionistic, then we could just make sure that, if we meet these very opinionated requirements, I don't have to spend time selling it and worrying about it being a subjective process.
B
Just, you know, which is kind of the jumping-off point for me, you know, in, you know, making sure that the TOC members are armed with, like, things that they need to, you know, ask the things, rather than it just being a subjective question that comes to us. And, like, at a high level, it could be subjective or it could be formal. I would like, you know, to ensure that there's some level of consistency, there's some level, you know, breadcrumbs that we, you know, leave both the project and our members, and, you know, that we're evolving.
A
But then, when we went to present to the TOC, you know, we spent a few days and put the deck together and did things like that, but we really got hammered and got added into sandbox instead of incubation, where we had kind of thought we were going to be added in. So, so far, the kind of message from the TOC is pitch deck is more important than substance. At least that's a message that I've heard, and I think is the wrong message.
E
Some context in some discussions that are going on around that itself is, I mean, the TOC is well aware of the lack of clarity and the need to be providing clarity to intake projects, right. And one of the things that we were talking about earlier today was an iterative way to frame the questions, where the inputs that are given from SIG Security are relevant and useful for the TOC to make a decision. So it becomes a little bit more substance-driven than pitch-deck-driven, so to speak.
E
So there is an awareness of that process, or lack of process, there, and then awareness to be able to gain more insights and information to make an informed decision. So it will be useful for us, like what Dan started mentioning, to frame those kinds of questions that both we should be asking the TOC and what they should be asking us, that's, like, highly specific, highly relevant, coming from SIG Security.
E
That will be useful in evaluating the project, and there is a fair amount of understanding that it's going to be an evolving set of questions. It's not going to stop at three, four, five questions, but it'll be useful as a group for us to say, like, these are the things I think we should be evaluating as part of a security assessment, or taking a security project into CNCF, and this is our data-gathering process.
E
That could be as simple as fitment, in terms of, like, what are the use cases that the project solves, and how does the project fit into the landscape that we are thinking about. This is the input that would be super useful data for the TOC to make decisions, and I'd like us to hone in on that and do it more as a group.
A
Since you're ambiguous, I'll jump in here. I want to say that I think all projects, philosophically, I think all projects should have some security review, and I think the days when we say that a project doesn't have to worry about security, I think that's, like, a laughable statement, and I'm not trying to call Prometheus out by name, but I think it's laughable in 2019 for any project to say that security isn't a concern. So even if all we say is there are some rough edges.
J
Can we get those concerns to the TOC? And it seems like they think of us in a similar way as storage, and we think we are more like a horizontal, I guess, in that it affects all projects and not just security projects, right? I guess storage is specifically engaged in storage-related projects. I think you can clearly say this is not a storage project.