From YouTube: CNCF SIG Security Meeting 2019-11-13
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
B: That's something that within IBM we're discussing, especially now, since we have the predicament of having both solutions we have to look at. There are some trade-offs. I think, I'm not sure, Justin Cormack on the call can...

A: I just added myself as scribe. Can you repeat the question, because I wasn't thinking curriculum question.

D: I am, I would love to. We are, you know, we went from our version three to version four in September; we went from Docker to CRI-O, or yeah, Docker to CRI-O. Honestly, got to be honest, more abruptly than I would have wished. I had an engineering schedule gun to my head. That said, oh, you want to continue in deprecated Docker instead of dropping it wholesale? That's another four months. Thanks. So things got out.

B: Roger, which company, organization again? SUSE? Sorry, SUSE, okay. Yeah, yeah, I just said I've been interested in that as well. I think, I guess, like Justin Cormack concurs, I think there's some discussion going on at the OCI, with the meetings, sometimes. Yeah, okay, so very, for the door is too far. Okay, yeah! So if anyone hasn't signed in yet, please add yourself to the Google Doc, and then I think we will start off with just going around.

A: I'll leave all my updates, so I put a bunch of things on the agenda in terms of what's been going on at GitHub. I haven't been present at meetings, but I've been trying to be consistent about looking at GitHub. Also, if somebody who's not Brendan can scribe, because he's facilitating the meeting, it would be great to have another scribe.

D: Was my heart [inaudible]? Let's see, so, as I said, we've had a recent release. We are working through both some issues that Twistlock runs have turned up recently and working on an internal negotiation between our corporate security engineering team and our containers team, which used to have two security guys embedded in it, to figure out how we're going to work with them going forward. Now, at the same time, I talked about this a while back, but I would like to be able to be more involved in assessments.

B: That's great, and since you'll be at KubeCon, I think we're gonna have an in-person meetup, so don't forget that. Yeah, awesome, right, thanks, J. Next is me, so I think most of the stuff that I have is in the agenda. I have a request. We created an issue for trying to organize an in-person meetup at KubeCon San Diego. So if you're gonna be there, do put a note in that that you're gonna be there, so that we can coordinate something.

H: You know, so I'm new to this particular community, looking to learn what you all are doing, and eventually, in the future, I'd like to talk about potentially some integrations I've been looking at with SPIFFE/SPIRE and Open Policy Agent together, and to see if it makes any sense to try to integrate any of that stuff into some of the stuff that we're all working on here. But I want to learn first before I propose anything, so, oh well.

H: So I work on two things. One of them is, I'm a co-founder and maintainer of Network Service Mesh, and I also work at a healthcare company that does artificial intelligence, but we do all of our work on Kubernetes, and so we have PII and potentially PHI that we have to defend. So that's...

H: The second reason I'm here is to try to work out what's best, where that's right, or what are people doing now, what's coming down the pipeline, so that I can make sure that we integrate our stuff into it and mitigate threats as well. So I'm not here for support in this area; I have groups I can approach and pay, but I do want to know what's coming down the pipeline, which I believe this is the appropriate group for. Okay.

F: We worked with Emily from the CNCF to figure out what we're gonna do from a space perspective, and we actually have four separate breakout rooms for the open spaces, and then we have the main ballroom where the talks will be held, and then we can do two open spaces in that space as well. So we have a nice set of areas for us to all spread out, and then we can have these conversations without having to talk over one another and everything like that.

F: So pretty excited about that, and the CNCF has been extremely helpful in getting those things ready. On the Falco side, we're expecting that a vote gets called today for considering Falco for incubation. We went through all the due diligence, and there is an email that was sent recently to the TOC mailing list around the growth of the project over the last year, so we're looking forward to that. So if you see that come across and you have thoughts, please +1 it.

F: If you can, show your support otherwise. And then the Falco team has an off-site; I'm actually out in Reno, getting ready to head over to Tahoe to have an off-site before KubeCon, where we're gonna do some planning. And then also, Sarah, I know you asked about the security assessment, so I'll make sure that I bring that up with the rest of the team and get that on our plan for the next quarter or so, and you should hopefully get that done now that we're through incubation. Great. That's all for me.

A: I think this is it. Sure, because I think Emily drafted this. This came up in conversation and Emily took the lead on writing down, you know, basically, we'd go through these security assessments, and how we wanted to write down what many of us feel, which is that, of course, we would be careful with draft information. We talked about it in meetings, but we didn't really have it written down.

A: So one aspect of it that came up was talking about how we deal with the group in general, and so we decided to add to our code of conduct. We originally talked about, like, ethical conduct, and then various folks chimed in, thank you, for how do we word that right, and what does that mean exactly? And we are all here, most of us are here, because our company is paying our salary to participate in this.

A: So we are benefiting our company in some way. But what we decided to do is point to the mission and charter, which talks about making cloud native security, like reducing risk in general, and that everything we do is open source and it's designed to be for the equal benefit of the whole community. So sure, if we can benefit our companies to be more safe, that is great, but the information is for us all.

A: It's not an assertion of, like, secure, not secure. Okay, security is not binary; it depends on context. So yeah, I wanted everybody to be aware of these, and as newcomers come into the group, if people have confusion about what exactly we're doing here, that hopefully will help. Great.

A: We do have a... it's actually on my machine to make it a PR. We have an issue that talks about the process for going through security reviews, and it might be good, I'll look for it and add it to the agenda if we have time to go through that, because I think it'd be good to chat about it if it hasn't been talked about. But basically, we're committed to doing annual reviews, which could be as easy as an asynchronous "Hey, has anything changed?"

A: "No, the feature set is identical, here's the progress." Then one of the reasons we're trying to be rigorous about having actual GitHub issues for everything that's raised in the assessment is that, if there are no new features in a year, we could just go through the open issues and be like, "Oh, these are resolved."

A: The README, if we go back to that, Brendan, yeah, where there's, like, on mitigating vulnerabilities, this link, not much information, and we're not going to hold the pull request until that's filled out, even though there's been some discussion, there's some ideas, so that Santiago can submit the compromise catalog and then others can chime in with additional information or categorizing this. And so I think this is kind of an exciting addition to our repository and creates a way for us to knowledge share across the group.

A: So here we have, this is a doc that Liz and Joe reviewed, and it came out of a bunch of discussions, like, how do the TOC's directives map to what we're doing? And so we already have this security assessment facilitator, and then we have an assessment queue, which is actually called an assessment matrix right now. One of the things that I've been meaning to write up or talk about is, some of the stuff in here is a little redundant with stuff.

A: But maybe somebody can make a note of that as an action item to sort that out. And then I'm the named chair, provides official oversight of the security [inaudible], so my responsibility is that, if there's any questions about prioritization or process that would need to be raised to the TOC level, I would bring that up in meetings with Joe and Liz, and also kind of provide a little oversight.

A: But generally, it's like an extra process review that happens to make sure that we're communicating effectively the different things. And then we set up these preconditions that either the project is a CNCF project or there's some kind of assertion that this project is cloud native. And it's so that we don't get caught in the weeds of reviewing every security-related thing in the world.

A: We came up with these kind of four priorities, right? So the top priority, it happens rarely, but the TOC can at any time say, "I want SIG Security to do a review of this particular project," or "I think you should adjust your priority." They won't interrupt an ongoing assessment, so whatever the TOC says we should do, we would never interrupt an ongoing assessment; we finish it according to our process.

A: If it were to be paused, right, then we might take the next thing in the queue, and so any TOC request would be next in the queue, whatever that is. And then the next priority is anything that we reviewed before: if it needs attention, we make sure that we do that in a timely manner. And then one of the things that we talked about very early on is, if something's already been audited, this assessment is less important than something that hasn't been assessed or audited.

A: However, within a year of the audit, we do want to go through an assessment, because what we're finding is that it provides a different kind of value than an audit. And they're intended, at some future date, when we prime the pump and get the system going, normally we anticipate there would be an assessment early in the sandbox/incubation stage, and then the audit would happen in the incubation stage, and then the assessment information would be a good thing to get to the auditors.

A: In the, say, if you're, okay, here's a CNCF project that would be great to review, like, you know, now is a good time to kind of informally encourage people to participate with us, because it is a little more of a process that projects have to be willing to work with us on, to define the process, which could be exciting to some. I think some of the security-related processes have been.

A: So all of our projects, like, just because it's not a CNCF project doesn't mean it isn't important to our cloud native ecosystem, and then at our discretion we can say, okay, here's something that's important to the ecosystem. Maybe it's a dependency of a lot of our projects. Maybe it's something that everybody deploys and just happens to be a mature project not related to the CNCF.

A: We don't have any, like, right now we don't have a project to assess, right? So we're anticipating that Falco comes in. But, you know, depending on Falco's timing, which Michael's gonna let us know more, the Falco team is gonna let us know, like, if they say, okay, we're gonna be ready at the end of January, and another project that's further down on the list says, hey, I've got my self-assessment ready, we could fit it in there. And so the more we get into the swing of this...

B: Right, so Sarah and I will be doing the session on the SIG Security intro next week, so we've been working on the slides. I think most of it seems to be just updating whatever there was already there, originally put together by Sarah, Dan and JJ, and making updates to it. So I think most of the overviews and things like that haven't changed. I think, Sarah, you've been updating the timeline, yeah.

A: I was kind of curious what people thought should be significant. Okay, the timeline didn't have anything from the last six months, so I was looking at squishing this more so that there would be a couple of, you know, sort of more options. Like maybe putting the whole SAFE era into one little arrow and then giving more space for different things. So, you know, basically I was thinking, like, you know, so [inaudible].

A: Super. But I think the other thing that is maybe worth noting, and I think also because this is the intro session to have people come in, is when we started having meeting facilitators and the roles for members to get involved, because we have the initial governance in May, when we were kind of accepted as a SIG, and then I think there was, like, August/September, a new kind of broadening of the roles for the SIG, which I think is a nice welcoming thing to say, right?

A: Yeah, maybe the landscape. Actually, when the draft landscape got in, I think that's, like, there have been some good PRs, by the way, for people who might be interested in participating asynchronously; there's some good discussion around merging the categories around, and I think that's kind of a good aspect of our process. You know, it was controversial. We said to just do something and get it in there, and then we've had time to kind of rejigger the categories as we learn together.

A: I just think we should have significant, like, I'm not... right now the timeline shows we have a lot of stuff about how the group is organized, which I think was appropriate for our first year, where the content was less surfaced; it was more about getting the group together. So keep going, Jeff, Brendan, yep.

B: So I think this is the landscape slide. I probably have to go update this again, and then the categories. So this is, I think, pretty much the same as last time. Security assessments updated to have East completed; I guess I can probably add the Falco stuff, I think we're pretty confident about that being the next one, right? Yeah.

A: So yeah, the reviewer has some, you know, like, or maybe we can just talk about it, because I think it's sort of in the words but not particularly clear, where, you know, to be a security reviewer you must have been a security reviewer, right? Like, there's this little bit of a chicken-and-egg thing that we resolve by saying:

A: Well, if you don't have, like, we just try to make sure that we have at least, you know, in our group of three, a certain set of experience, and then we can have additional reviewers. The team can be bigger than that, and so I think that would be a good thing to talk about, maybe linked to the criteria for a security reviewer, but okay, 'cause, yeah, I think there's lots of people who would like to get this experience.

A: So I think, well, so far, while it's hard to get the team together, we seem to have quite a few volunteers with experience, and then I think the high bar of experience is mitigated by allowing people to gain the experience through doing these reviews. So we decided to sort of leave it like that. There is actually an open issue on the assessment process; we're gonna officially look at that after we've done five. Okay.

M: I think that it could be a lot that we can think for the security reviewer. I think when you have three experienced security reviewers, or you will tell me what number is needed, you can just allow for one in as observer, or not observer, but like intern or something like this. So I think it's not so complicated to define something like this, and it's maybe good to discuss it more in future. Yeah.

A: Santiago said that, right? Yeah, we're working on time. I caught those broken links at the last minute, but he's psyched to try to get that version.

A: I think it would be good to link to, now we have in our issue template for people to propose a presentation, so we could link to that issue template somehow. And maybe we didn't do as many presentations in the last six months, or, like, since last KubeCon, as we did before that.

A: So, like, I think, yeah, the white paper... so there's this new thing that's come up from the TOC, and it's not really that new, but for a long time there's been discussions about, instead of just prioritizing whoever comes to the TOC, prioritizing what gaps there actually are, and a bunch of our charter is actually about addressing gaps in the landscape, and so that might be a good thing to add in here.

A: But we don't want to exclude the option that there may be other ways to do something, right? And so that's just something we have to work through, when we know we want to promote something as a best practice, but somehow figure out how to welcome other approaches to whatever the best practices are that we espouse, right? So I think we'll have to work through that as we figure out things that we want to advise that people do.

A: So yeah, so maybe we can chat about that, Brendan. Yeah, like before, offline of this meeting, we'll coordinate how to invite people to give presentations, and maybe we can work on having some agenda items immediately after KubeCon, so people have an [inaudible], are more structured when we are likely to have a large influx of... yeah.