From YouTube: CNCF SIG Security 2020-07-29
Description
CNCF SIG Security 2020-07-29
E: So I'm just going to put the link to the meeting minutes, slash today's section. Just put that in the chat there, so it has a direct link. I just created that right now. There we go.

E: All right, if anyone wants to do the roll, it is open, and try and take notes along if there's no official scribe for today's. With that said, are there any individuals from any special groups or working groups that would like to check, if you have anything to present before we get...

D: I can say we just, a number of us, went through the plans for the white paper just an hour ago and had a great discussion. It included Vinay and Dan and others. It was led by Emily, getting all my names right. So it went well.

D: Yeah, sure. So Emily and others laid out a plan for what the white paper, kind of the topics and outline for the white paper, and took a lot of feedback over the last two weeks or so in writing. Then we just had a synchronous, you know, Zoom discussion about them an hour ago, clarified a couple of things, and at the end decided that people who are interested will put their names on various topics.

D: On writing the initial content based on the outline, I think we said we'd all do that in the next two weeks and decide who's going to sign up for which, then get going on the white paper.

F: Right, so, you know, call to action there. If you have cycles and if you're interested in contributing your subject matter expertise, you know, now's the time. I will work to corral someone to sort of do more of a readout in the coming week. Yeah. So everyone can, you know, see where they can, you know, sign up. There's a Slack channel.

F: It's security-dash-white-paper, and I've...

D: Got the issue that is tracking this and, if you're not included...

D: Right, yeah, I think, yeah, and it should get to the document. If that's not... if you don't have access to it, or you don't know what we're talking about and want to get up to speed on it, it's a good issue to read and comment on if you want to get involved.

F: Now, there's gonna be editing and, you know, some sort of late-stage contribution that you'll be able to participate in too, okay.

E: Or anything that anyone would like to bring up? Matthew, I just had a...
I: Quick update. Sure, go ahead. So yeah, a couple of weeks ago we mentioned that OPA is going to be applying for graduation, and we've created a due diligence document. So it would be great if SIG Security could take a look at that document and provide some feedback.

C: What are you looking for with respect to this? Because from sort of my standpoint, you've already gone through the process, like the difficult process of the actual security assessment, and in my view, unless major things have changed with OPA, or, you know, if you want to give us just an update, "this is what's happened", then we basically, the people who did the assessment, are likely to look at it and say yep.

C: We still, you know, we still have basically most of the same feedback we had about OPA at the time when we did the assessment, right? Is that basically what you've put together for us, or are you looking for something else out of us?

I: It's, it's... I think primarily the same thing, but I think the TOC requires a small feedback from SIG Security, since it's a security project, and we've kind of highlighted the stuff we've done since the last assessment, in a way kind of the improvements that we've done, taking the last feedback into consideration.

I: So I believe we put that as well in the due diligence doc, so it's nothing like major or like affecting OPA completely from last time, but we've just added some new documentation and some, you know, some new things to cover what was brought up last time. So, okay, and so we just need, like a, like... you know, a small feedback around that document. So if...

C: To provide that, and in general I'd like this process to be very low-friction for the projects. So what you've done sounds great, I'm happy to look at it. I think the rest of the original reviewers, we can take a quick look at it and likely, you know, we can produce something very quickly that just says, you know, yeah, OPA's...

C: I think doing, you know, this is something that has to be discussed as a group, but in general my view is that the most valuable assessment we're going to do for any project is probably the first one. Agree, yep? I think that, like, you know, if we got stuck in a position where we just didn't have the bandwidth to, like, look at new projects because we were spending all of our time doing kind of like lengthy reassessments for projects going up for the next level, or lengthy annual re-reviews...

C: That, I think, would be, you know, just my personal opinion, but I think that would be a shame, and so, as a result, I'd like to make... my rough proposal is that, you know, a project nudging us in the right direction, and then us going and making a quick determination, is probably the right path to go on for project re-review, so that you don't feel like, you know, you're kind of having to redo the whole mess.

C: Unless you go through something like, for instance, Notary v2. Some of the things that are being proposed there are basically... it's almost... at least, you know, some of the draft stuff that's being proposed now is basically a complete rewrite of the system, and at that point I think, you know, it would definitely be worth having a complete reassessment, because the security properties and risks and things like that, at least for some of the proposed things, are completely different.
A: Well, I think that's the opportunity here. Of course, you know, OPA was very helpful in the formative stages of what the security assessment would look like in the beginning. Here's a great opportunity to kind of define the guardrails on what the refresh looks like, and maybe I'm happy to kind of put together, like, here's a 10-point quick yes/no questionnaire, you know: have you undergone a major rewrite? Yes/no, right, and then, you know, spin off from there based on those answers. So keep it simple.

I: Yeah, that sounds great. So what I can do is I'll share the document in the OPA security channel we created last time, and then y'all can take a look at that, and if you have, like, those ten-point questions, talk about anything else that I can do to help this process as soon as possible. So yeah, let's do it, just...

A: A quick follow-up, and I don't want to get in the weeds on this call, but it is somewhat germane to CNCF projects that kind of fork off into other CNCF-ish projects. So I know, like, OPA and Gatekeeper are now, I guess, somewhat two separate projects, or would that be considered the same scope, and how would we kind of handle that at the CNCF...

C: Level, do you mean? Do we treat our assessment as though it's for both projects, or... Right? I would think, you know, this is...

C: So I feel that's more like a rewrite of the code, even... but you'll, of course, retain most of the work that was in the document.

F: Oh dear, so, once again, I was wondering if a due diligence doc has been created by the CNCF yet, where multiple SIGs are sort of piling on with their recommendations.

I: So we've created a due diligence doc so far, and I believe it's only SIG Security who's gonna provide feedback for OPA. At least that's my understanding. So if I can share the doc with you all and then, you know, y'all can add your feedback to that document. I don't think there's a date we're shooting for, but if we can get this process, you know, completed as fast as possible, that would be really great. Okay, appreciate it.

C: I largely think what you should do is to post the new document on, and mention on, both SIG Security and the OPA channel and, like, ping... you know, you can also ping us individually, but somehow bring it to everyone's attention who participated in the original review. If you have feedback within a week based on this, please give it; otherwise...

C: You know, we just need a nod, and then that will have someone like me, or who... I think I led the OPA effort, but whoever led the effort, or the security coordinator, or even the TOC chairs if the other people are not available to them, say, well, this period's passed, there weren't any things raised. Because, like, I don't want you to get in a situation where you need a strong affirmative action by a large group of people in order to move along. It instead should be something where you make the information available...

C: Give people the opportunity to go and take a look and raise new issues or ask for more time about things, but not, you know, not something where you're blocking on the fact that somebody took a vacation right now or got busy with other things, right.

D: Did you have a question about the... thank you? I do have a question about presentation. So I see in the meeting notes, which page it is... but proposed future meetings, yeah, actually on the first page, so like Keylime for CNCF inclusion, discuss issues, suggestions, etc.
D: How do those make the agenda? So those are proposed things for the future meetings. When do those actually happen, or is that just kind of a placeholder for "we might want to do these things"?

E: In general, anyone's welcome to essentially go through the backlog, like go through the GitHub ticket system there, and either add something that they would like to see there, or people may just go through there and see if there's something that someone else has posted that looks interesting, and then just copy-paste it and say, hey...

E: We should get around to doing this. So it's, I guess, a touch ad hoc in terms of taking it from the backlog and putting it into the meeting. And then, as for creating the content to begin with, whoever wants to propose something, you just go create the ticket, whether it's a member of security or just an external third party that wants to reach out to and engage with security. They just create a GitHub account, they'll file the ticket plus their contact info. That's the gist of it.

E: They could do it on the fly or on the spot if they wanted to, and we had time. I guess the preferred way is that someone chooses a specific date during which they would present those. I think we probably need to purge those ones that are in the meeting notes document referring to you there. I leave them there; at least we tend to leave them there for a couple of weeks in case maybe we didn't get around to it, and we didn't want to delete someone else's work.

D: Okay, and another question, right; that's what we're finding, sorry. So it looks like the things that are generally proposed are, you know, things around assessing various things to be, you know, included and, you know, endorsed in various ways by CNCF, and other things where just the group... somebody wants to get the impression of this group. Is that accurate, that, you know?

E: I'd say, at least personally, that's a fair appraisal. There's also, like, some, I guess you could say, housekeeping topics that come up, like we need to update some documentation, or add some rules, or add some... maybe build bots or something to some of our build jobs, or linting the documentation, stuff like that. Okay.

E: No problem, please feel free to put the issue in the tracker there, and if you feel that it's not getting the necessary attention and hasn't ended up on a schedule, by all means, please feel free to go ahead and put it as a proposed thing right there in the meeting notes, and it'll definitely... if it hasn't been noticed in the tickets, although the members of the team are quite diligent, so it's not often something slips through the cracks.

F: Just, you know, just some framing there. You know, worth considering that we're, you know, about to kick off this three-month process, and, you know, therefore, you know, it'll suck a lot of folks' time. So if the thing that needs to be done involves a lot of contribution from a lot of folks, you know, you're going to get pushback from folks like me, you know, on timing, you know, as we try to complete that workflow.
G: Hey, so this is underwent here. So kind of related to this topic, I think, but not a suggestion for a change in practice right now. But we do assessments, this is part of my day job duties, and the question of deciding when an application that's already been screened needs to get re-screened is not necessarily based on the amount of code that's changed.

G: I don't think there is a simple rule of thumb for that, and in fact part of what we try to do in the engagement with the projects that come through for assessments in our enterprise, not in CNCF, is to try to educate them about what those things might be that need to have them come back for a visit, either in person or in some kind of written update to the previous plan. So I think it's a worthwhile thing to think about, trying to identify what those things are.

G: So when the teams come through for the initial big reviews of the sort that Justin outlined, that they have a sense for what things would merit, you know, either a personal visit or at least a sort of debrief back to the security team that did the review. I mean, I'll just throw out a couple of things: like we see changes to encryption, or a decision to use tokenization, or adding PII to an application that didn't have PII before, or we change our partners for who's doing our API security.

G: We're doing some...

G: Some major changes with the security tooling partners, and so the vendor APIs are having to be revisited for some security issues which, at the time these folks came through for initial review, wasn't really much concern to us. We were happy to see it, but we didn't really look at it in detail.

G: So that's not an exhaustive list; that's just, you know, sort of the typical stuff that comes up. But there's also other dependencies with other cloud projects. The one that comes to mind for me would be Prometheus or the authentication tools. But again, I think if we could offer guidance for the teams to come through, that would be a value-add, because I think just saying "come back when it's been changed" is not going to help them.

C: I think that's sensible. There's a couple of things. I think we'll have to kind of customize to this environment, because in general, if something like the encryption changes but it's just an algorithm swap-out, then most of the time, from our standpoint, it just won't matter. I mean, unless someone is swapping out, you know, something for MD5 or something like that, or whatever, which you wouldn't expect to have happened.

C: I think a lot of the points you make are really good ones, and I think if you can share, like, you know, basically what you just said, along with any other points that you commonly have that you give as guidance, that might be a good draft sort of thing for us to look at. I think the other decision we'd have to make based on that is: is that something that we look...

C: We want to look at for a project immediately when that changes, or do we want to, in the annual review, go through all of the items like that that have changed for a project? And I don't know the answer to that. But anyway, yeah, so I think that's all. I'm very encouraging of your suggestion, Mark, and would love to have you maybe write up a list of those things that we could iterate on.

G: I am indeed, thank you. My boss said: what's the most commonly said thing on Zoom? It's "you're on mute". I was going to say I'm mindful of your suggestion that we keep a light touch, and that the folks who went through extensive reviews should be, you know, apprised that it's not going to be an extensive review, and also, I think, you know, the use cases I'm able to think up ad hoc here are maybe not the best ones.
J: Hey, one maybe unrelated question: there have been a couple of presentations on CI/CD pipelines, both on the DoD SecOps group and others. I was just curious: is there a unified working group, and what's the intended artifact for that? Is that, like, a subgroup of the SIG, or... I'm just trying to understand what the outcomes are and how to participate.

B: So this is Vinay. Maybe I can talk about it. I gave the last presentation on the CI/CD security. So what came out of that is that there's some artifacts that we could potentially use that can be contributed into the security... cloud native security landscape, or, I'm sorry, I forget the exact name. Give me one second. It's called the Cloud Native Security White Paper, so a lot of the information there will be fed into that.

B: Potentially we can leverage some of the visuals and illustrations, and then the idea there is to actually highlight a lot of these topics, as well as then, as necessary, have deeper-dive concepts that are distilled in separate white papers. So that's one, and then Brandon and Justin have already had a landscape effort underway for quite a while, and then potentially we'll see how we can contribute and leverage that effort as well.

B: So from the Cloud Native Security White Paper perspective, we just had one meeting this morning. There is a Slack channel that has been established for it; Emily or Dan, and somebody, maybe someone can invite you to it if you could just ping them. And so I think it's just been ad hoc for now, but there is a Slack channel, which I would imagine is the authoritative way to communicate across the stakeholders. Cool. Thank you. Sure.

E: Okay, I saved this moment for the end here. If there's any new people, if this is your first time visiting SIG Security, if you'd like to grab the mic and introduce yourself, please feel free. Otherwise, we'll conclude in another minute.

K: Hi guys, Matt here. I work at Synopsys and I'm trying to get up to speed on cloud native security. So yeah, like, if anybody has things that would be good for somebody pretty new to the space to work on, I'd... you know, like, in an open source way, I'd definitely be happy to, you know, look at some of those things and, you know, kind of ramp up and hopefully help you out too.

E: Sure thing. One of the recurring themes, and I myself asked that question joining the group: there's the backlog on GitHub; there's just joining the meetings a few times to start to get a feel for what's the current topic, like if there's a new security review that pops up, and people are welcome to join in on it, take part in it, that sort of thing. The recurring theme I often hear being uttered is: we've chopped...

F: What's your, you know, what's your security background, and what sort of ways do you like to contribute?
K: I don't really know much about security. I'm more... you know, I've done a lot of application development and stuff like that, but not really any security. So for me, like, getting a good handle on security that's happening in the Kubernetes space, you know, like keeping clusters secure, images, and that kind of stuff, is super useful for what we're doing. So, yeah, I mean, I'd love to, you know, contribute in any way that's helpful, if that's like writing code or triaging issues or reproducing bugs or whatever, you know, like, yeah.

F: So in this forum, you're not going to find, you know, any opportunities to code directly. You're gonna have to go from, you know, kind of this higher-order level here in the SIG down into individual projects. You have, you know, a number of the members of OPA present today; it's a great, you know, sort of place to start getting oriented. So if you're looking for, you know, a path to contribution, you know, this is going to be...

F: You know, kind of an abstraction above that. You aren't going to find a lot of opportunities there. The workflow that we're just, you know, sort of discussing and kicking off with the white paper will be extraordinarily useful.

F: You know, where a lot of the substance of the white paper is, you know, capturing the understanding of how security has fundamentally changed in a cloud environment, and some of the assumptions that we've had, you know, regarding, you know, access to systems and the quote-unquote physicality of a system, as opposed to, like, you know, how we virtualize things. Yeah, and that's, you know, something that we're diving deep in, and, you know, you'll have the opportunity to be a part of that.

F: You know, over the next three months. And then, you know, in terms of, you know, sort of deeper dives into projects, you know, participating in a security assessment would, you know, really give you the perspective of, you know, what seasoned professionals that work in the space are looking for, and, you know, the types of concerns that arise as we're assessing the components that make up a cloud native system.

E: As a book, I'll add a link here. This is just my two cents; this isn't officially endorsed by CNCF or anything like that, but it's an interesting document by, essentially, on your security, and it's interesting reading, given that you mentioned you're interested in container security. I found what was interesting was, after reading this, finding ones that cited and referenced it, and found essentially just a boatload of useful information that I've been using to write my own security policies within my own company.