Kubernetes Policy WG : CNCF Security SIG Policy Team Meeting 2020-09-16

B
Nice to meet you. Looks like we may not have much of a quorum today. I suppose it's early.

A
Right, yeah. I didn't have too much to cover either; I can just give a few updates in terms of PRs and changes we've made on the policy.

A
But all right, let's wait. We can give him a couple more minutes and then we'll just go through, I think, at least what I can cover, what I have. Robert, are you set up? Can you maybe take the notes and update the doc for today? Sure. Thank you.

A
All right, so I think we're at five minutes past, so should we get started? Robert, Erica, any...

A
So the only other item I mentioned towards the top of the hour that I could quickly cover is just some pull requests which were merged in the last couple of weeks, so I'll just give a quick update on the PolicyReport CR. And then I think Kirsten said that Jaya's out this week, so I don't think we have any updates from her or her team. Yeah. So that's... I think those were the only items on the agenda.

A
Okay, all right. So in terms of the policy report and the custom resource definition, a few small changes were introduced that I can quickly highlight. One is in the policy report itself: if you recall, there was a scope selector, and at one point this got dropped because we didn't have a good use case for it.

A
But then, as we have been implementing the report in various places, one of the use cases that came up is: if you're running an application from a Helm chart, typically there are some standard labels like application name and application instance. Those are recommended labels, and Helm automatically injects those.

A
So one of the use cases was to use the selector to actually highlight that the policy report was for a workload run through a Helm chart, right? And that seemed like a pretty nice way of tying in or selecting a set of, you know, resources that belong to a workload. So we brought back the scope selector. So that's this field, which is now in the policy report; that's part of the CR. And another change that is somewhat related, but also in the policy report result instances there:

A
We have a resource selector. So the idea is the report could, you know, be built for a group of resources, but then each result may be specifically pointing to one resource within that group.

A
So previously, what we had was just a resource with an object reference, but the feedback was: if the same result, so, like, if the same violation applied to five different resources, there was a lot of duplication in terms of the type of data which we wanted to show in the policy result element, right? So, like, the rule details, the message, things like that. So to try and keep things more condensed, what we did was we changed this resources field to be a list.

A
So that way, you could have one result element which has a list of resources, or you could also use a selector here if labels are applicable. But in some cases it seems like these could be heterogeneous resources where labels may not apply, so just having a list provides a lot of flexibility. And that way a particular result, like, for example, if there's a violation with, like, some, you know... let's say a pod is running as root user.

A
So those are the two main things. Just looking at the list of issues, I haven't seen any updates. I know we discussed some of these with Jaya last time, but I think we need to figure out what we do with the time fields, and then again, if you want to put more data in the policy status, like a reason or remediation and some more information there. So, yeah, and then adding things like, again, category, severity, etc. So we can quickly close those as we see examples.

A
So those are the main updates from my side. Also, in terms of using the report in more places, we need to decide how we, you know... We talked about picking something like Falco or also potentially kube-bench and then starting to look at transforming or reporting the Falco... creating the policy report from those tools.

B
I don't, at the moment. I know that... so I think without Jaya here, and we don't have Oz either, so it may be that we'll need to wait for feedback there.

D
Okay, yeah. Do we... so we should reach out to some people. I don't know what a good deadline for that would be or anything; my schedule's a little wonky these next few weeks, so I don't want to over-promise.

A
Yeah, maybe, Erica, if you want to start a thread on Slack, maybe that's the best way to communicate. I know Oz was on there. I don't have the usernames for some of the other folks from the team, but perhaps we can just kick off some discussions on Slack and that way get quicker feedback than waiting for the next call.

B
That sounds good. And do we want to, you know, ping folks like Liz Rice from Aqua? I mean, I know they joined one of our...

A
Oh, welcome. Who are you with, and, you know, any particular interest in terms of topics, etc., that we can...

C
At the moment, finding my feet around the CNCF. I'm with Red Hat.

A
Awesome, yes. So certainly a lot of work and discussions we've been having. So Erica and Kirsten are also from, you know, Red Hat or IBM, and so you guys probably know each other then, or I...

A
Okay, yeah. And you're... Our focus has been, so there are a couple of projects. We've been working on the policy report, which I was just sharing some updates on briefly. That's been one of the topics, and then just generally in terms of how to rationalize across different policy engines and create some standard tools for running, reporting, etc. That is what our main interest is.

C
That's good. Knowing how everything works is half the battle, knowing, having reports, feedback.

A
Yeah, so at this point, you know, what we're most interested in is getting more use cases, getting more traction on the policy report, and at some point we'll go back to a couple of the SIGs, SIG Auth and SIG Security, and see how we can, you know, publish this as a more standard resource that can be adopted widely.

B
Sure, or it might be that we can chat with Erica and see whether it's useful for the Auth SIG. So, yeah, yeah.

A
Sure, you're welcome. All right, so I think if there's nothing else, then we can probably wrap early today, and, you know, let's start some pearson, if you have any issues on the Slack side, feel free to reach...