Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / Security Special Interest Group / 16 Sep 2020
Cloud Native Computing Foundation / Security Special Interest Group / 16 Sep 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Kubernetes Policy WG : CNCF Security SIG Policy Team Meeting 2020-09-16

Description

Kubernetes Policy WG : CNCF Security SIG Policy Team Meeting 2020-09-16

A

Hey folks, it's jim.

A

Good morning, gentlemen, how are you very good, hey robert.

B

Hi and kirsten here from red hat.

A

Hi christian hi hi kirsten nice to meet you.

B

Nice to meet, you looks like we may not have much of a quorum today. huh I suppose it's early.

A

Right yeah, I didn't have too much to cover either just uh I can give a few updates in terms of prs and changes we've made on the policy.

B

Reports.

B

Seems reasonable, I know jaya's on vacation she's on this week. She often joins.

B

um

A

But all right, let's wait, we can give him a couple more minutes and then we'll just go through. I think at least what I can cover. What I have um robert are you set up or are you can you maybe take the notes and update the doc for today sure thank.

C

You right.

A

Here.

A

Hey folks, we're just waiting a couple of minutes to let more people join and we'll get started, see.

A

We have a couple more.

A

People.

A

Tomorrow,.

A

All right, uh so I think we're at five minutes past so should we get started, uh robert erica, any.

D

Yep definitely, I don't think I ever got a response from the network policy people. Unless someone hears on the call which I don't think I recognize most people, uh do we have other items on the agenda.

A

So the only other item I mentioned towards the top of the hour that I could quickly cover is just some pull requests which were merged in this last couple of weeks and so I'll just give a quick update on the policy report cr and then I think kirsten said that jaya's out this week, so I don't think we have any updates from her or her team um yeah. So that's, I think those were the only items on the agenda.

D

Cool does anyone else have anything. Sorry. I missed the first five minutes.

D

All right, we'll, let maybe a short meeting today, so go ahead. Jim.

A

Okay, um all right so in terms of the policy in a report and the custom resource definition, a few. The small changes that were introduced uh that I can quickly highlight um one is in the in the policy report itself. If you recall there was a scope selector and at one point this got dropped because we didn't have a good use case for it.

A

But then, as we have been implementing the report in various places, uh one of the use cases that came up is, if there's uh you know like, if you're running, an application from a helm chart typically there's some standard labels like application name, application instance, those are recommended labels and the helm automatically injects those.

A

So one of the use cases was to use the selector to actually highlight that the policy report was, for a workload run um through a helm, chart right and that seemed like a pretty nice way of tying in or selecting a set of. You know, resources that belong to a workload, so we brought back the the scope selector. So that's this field, which is now in the policy report, so that that's part of the cr and another change that uh you know somewhat related, but also in the policy report result instances um there.

A

We have a resource selector. So the idea is the report could could um you know, be built for a group of resources, but then each result may be specifically pointing to one resource within that group.

A

um So the previously, what we had was just a resource with an object reference, but the feedback was if the same result so like if the same violation applied to five different resources. There was a lot of duplication in terms of the the type of data which we wanted to show in the policy result element right so, like the rule details the message things like that, so to try and keep things more more condensed uh what we did was we changed this resources field to be a list.

A

So that way, you could have one result element which has a list of resources, or you could also use a selector here if labels are applicable, but in some cases it seems like these could be heterogeneous resources where labels may not apply so just having a list provides a lot of flexibility and that way a particular result like, for example, if there's a violation with like some, you know. Let's say a pod uh is running as root user.

A

You could have a list of pods that in in that name, space which violate that particular policy rule. So this helps keeps the report more condensed and and cleaner. So that's that was another change that was introduced.

A

So those are the two two main things uh just looking at the list of issues, I haven't seen any updates. uh I know we discussed some of these with uh jail last time, but I think we need to figure out what we do with the time fields and then again, if you want to put more data in the policy status like a reason or remediation and some more more information there, so yeah and then adding things like again, category severity, etc. So we can uh quickly close those as we see examples.

A

So those are the main updates from my side um also like in terms of using the report in more places. We need to decide how we you know. We talked about uh whether in picking something like falco or also potentially coupe bench and then starting to look at transforming or reporting the the follow, creating the policy report from those tools.

A

So I think those would be good to revisit and see how we can. You know start using the standard report structure there and I don't know with rackham erica, if you know, if there's any updates or from folks who've been using this or any examples that we can highlight and include in the repo.

D

I'm not sure I have any, maybe kirsten do you have any updates.

B

I I don't at the moment, I know that um so I think without jaya here uh and and we don't have oz either so so it may be um that we'll need to wait for feedback there.

D

Okay, yeah: uh do we, so we should reach out to some people. um I don't know what a good like deadline for that would be or anything my schedule's a little wonky these next few weeks. So I don't want to overly promise.

A

Yeah, maybe if erica, if you want to start like a thread on slack, maybe that's the best way to communicate. I know oz was on there. I haven't, I don't have the usernames for some of the other folks from the team, but uh perhaps we can just kick off some discussions on slack and that way get quicker feedback than waiting for the next call.

B

That sounds good and- and I don't do we want to you- know ping uh folks, like liz rice from aqua, I mean I know they joined one of our.

A

Calls.

B

uh Right and then, uh who else uh it's does cystic ever join any of these calls you just I'm wondering because you mentioned falco, that's all.

A

I I know they we had some folks on the list. I know some of the folks who were on the list have transitioned and.

B

Into different.

A

Right roles and companies so.

B

Well, so maybe that's like you say, slack will hit. Whoever is really interested in paying attention.

C

Or.

B

If you do email.

C

These people they'll be able to tell you who's, transitioned.

B

Which is why this, I think the slack chat in this case will probably be a good, a good one.

B

One of these I have to figure out how to get myself signed into the slack. I haven't figured out what is gating me so yeah erica, maybe I'll ping- you maybe you can help me, so I can do my best. Okay, thanks.

A

Yeah, I think, there's a I don't remember the process. It was a while ago that I signed up. I I think it was fairly straightforward, though, once you find the link to sign up on.

B

I found something in it and it was like I had to anyway I'll try again.

A

Christina, I'm not sure if I've seen you on some of our prior calls, but would.

C

Love to my first time.

A

Oh welcome, um who are you with, and you know any particular interest in terms of topics etc, that we can.

C

So.

A

I'm just at.

C

The moment finding my feet around the ncf uh okay, I um with red hat.

A

Okay,.

C

um I I'm just generally interested around kubernetes and um it's it's progress towards security.

A

Awesome, yes, so certainly a lot of work um on discussions we've been having so erica um and kirsten are also from you know, red hat or ibm, and so you guys probably know each other then or I.

B

Know christina yeah and then she and I have worked with some she. She works pretty closely with some of our customers, who are very security, focused so um she's. Coming from that angle- and I don't know what that erica and christina have met so.

D

I don't think we have yeah. I don't think so well welcome. uh Thank you. It's great to have more perspectives. I don't know if you're also interested there's the cncf security chat later today as well. If that's something you're you're interested in you can check out.

C

So it depends on so so depends on how later, if it's an hour later, that's probably okay, if it's three to four I'm uk time, so it is going to be quite difficult, managing it with.

D

Everything else two hours it looks like that.

C

um If you want to send me a link to it or I'll find it and what's it called sig sig security, yeah I'll, see what I can do.

A

Okay, yeah and you're. Our focus has been so there's a couple of projects. We've been working on the policy report, which I was just sharing, some updates briefly on. That's been one of the topics um and then just generally in terms of how to rationalize across different policy engines and create some standard tools for running reporting, etc is what our main interest is.

C

That's good knowing how um how everything works is half the battle knowing having reports feedback.

A

Yeah, so at this point you know what we're most interested in is uh getting more use cases getting more traction on the policy report and, at some point we'll go back to a couple of the six segat and six security and see how we can you know, publish this as a more standard resource that could that can be adopted uh widely.

A

So, if you think of any other use cases, any any other teams that might be interested in creating and reporting in a standard manner and could be runtime policies could be admission, controls or any other. I guess. Incidents of interest or events in the cluster is what we're capturing here.

C

Yeah I've got so I've got an idea, but I'm not entirely sure if this is relevant right. um No, it's not. It's not relevant to kubernetes it's more relevant to openshift, so I'll I'll. Keep that one to myself because.

A

Of.

C

The oauth server so we'll keep that one.

B

Sure- or it might be, that um we can, we can chat with erica and see whether it's useful for the auth sig, so yeah yeah.

A

And I added a link to our github repo, so you can browse through there and see see some of the current activity.

C

Thank you.

A

Sure you're welcome all right, so I think if there's nothing else, then we can probably wrap early today, and you know, let's start some uh pearson, if you, if you, if you have any issues on the slack side, feel free to reach.

C

Out to.

A

Me or just email me, I think you have my email right sure I can help get you set up and then let's get some of the others from the team also on there. So we can have some discussions in between meetings. Yep.

B

Sounds good.

A

All right thanks, everyone.

B

All right take care, bye,.

A

All.

B

Right thanks.

A

Bye.