From YouTube: CNCF SIG Security 2020-03-25
A
You just want to confirm now: is my mic coming through clear?
B
D
A
So I just put the link to the attendance list for today into the group chat, so everyone, just check in on the attendance there. Let us know if you have an update or not. If you're new or haven't joined these meetings before, you can just put "no update" next to your name in the attendance if you don't want to be pinged during the check-ins. Otherwise, if you're new or if you have something to bring up during the check-ins, feel free to mention that in the brackets to the right of your name in the attendance list.
D
A
A
B
B
A
If you find it's more helpful, or if it works for you, great. If it's slowing down or impeding note-taking, feel free to just put them serially beneath. It's kind of an experiment right now, just because, if we have to scratch it, that might be easier to do it side by side and have two serialized documents, but whatever works best for you. Sounds good. Thank you.
A
C
So it's not necessarily a presentation, but we'll talk about the Harbor items. I mean, I have a presentation ready if you guys want to know more about Harbor, so that's not a problem, but I want to know what you need to do to figure out how to initiate the review from SIG Security for Harbor's graduation bid. So we have a lot of content ready for you guys. If you also want me to present that, I can; I also have a PowerPoint deck.
A
E
One thing I do want to mention here. So, sorry, this is Justin Cappos, the security assessment facilitator. Are we doing this, or any of the chairs or anybody, I guess Dan's on the call here: are we doing effectively an assessment as part of this for Harbor, or are we just... are we going through a different process?
F
C
I mean, I looked at the process that was on the ticket, sorry, on the issue type for the security assessment. So I was here maybe three weeks ago, so we talked about it at that time. We produced the documentation that was asked by SIG Security, and I guess now we're at the point where you guys can ask clarifying questions. You can do the initial review and this discussion, and then someone, I assume, will be assigned to do a deep dive into Harbor. So we haven't gotten to who that person is yet, and I...
E
Don't... like, I think it'd be great to hear about all of this and everything, but I also want to make sure that, because we're gonna have to get a team together that's gonna have to go through a bunch of this process, and maybe Dan just posted something that made it clear that I'm wrong about this, but...
E
E
So I'm just saying that I'm more bringing this up because, you know, I can under... very understandable if three weeks from now we asked you to go through effectively the same talk you went through today with some minor tweaks, and you were like, hey... I think it'd be a very understandable reaction to be like, hey, we went through basically the same thing before. But the fact is that, since we haven't had a chance to go through the document, we don't have the lead security reviewers.
E
We haven't done any of this stuff, we're sort of not prepared to ingest this presentation, have the intelligent questions and things that we'll need to have for that. So I'm very... this being kind of an intro, and feel free to talk as much as you want, but we might need an additional step later that we wouldn't need had this been done in the other order, so...
C
E
Yeah, so there's a queue with security, the security assessment queue. We have SPIFFE/SPIRE and Cloud Custodian in progress. A lot of this has changed slightly with the coronavirus changes that have happened recently. We have Dragonfly and Falco that are technically further along, but once again they may or may not be actually ready to progress, and in fact you can go... I can, I'll post this in chat in case any other...
A
E
Okay, thank you. So Dan just sent you a link to our queue. In a normal, non-coronavirus, everything-proceeding-normally sort of world, it's probably fairly likely that we would in fact have already completed the assessments that are in progress, and then you would go into the state where you're either in the blocked state, because we don't have the right reviewers or whatever else, or you would be in the backlog.
E
So it feels like you're trying to move this quickly, which is obviously something that we would like to have happen too, and once it's in a state where there's nothing blocking, it moves into either backlog or in progress, depending on what's happening. But I think, you know, it should be a fairly... to give a more realistic answer, it should be a fairly fast process once we've identified the people and done everything else. But somehow I missed this initial issue, and so I haven't been aware, I haven't been wrangling...
E
People. Maybe that's part of what we can do on this call too, if you'd like: after we have our facilitator go through and run the normal meeting, we could have a really brief Harbor presentation, maybe like 15 minutes or so, just to give a flavor of the project, and then I can try to, we can try to wrangle people to participate in the security assessment. And then the expectation would be in three, four weeks we might have you go through and do the actual, like, real presentation, yeah.
C
G
Justin, okay, just this as a quick clarification: so this is Harbor trying to get a recommendation from SIG Security for graduation, and I think we spoke about this a couple of weeks ago. There's a distinction between that process and the security assessment process, and what I understood from Erika and Justin Cormack was that this is supposed to be a very lightweight process, so the project wouldn't necessarily go through the entire exhaustive security assessment.
H
There is no official requirement at present from SIG Security for projects to go through security assessment for any particular stages, because we haven't asked, and SIG Security does not make that requirement yet. But obviously, you know, yeah, I mean, Harbor said it would like to go through this process and they've opened this issue, and it would make sense to do it before graduation as part of the due diligence if they want to. If they don't want to, they could go ahead.
H
F
But, you know, if, you know, my code... if that ends up slowing or blocking, you know, your timeline, you know, please feel free to identify that and we will look for ways to unblock it, with the consideration that, you know, JJ's sick and stuck in India, Sara's sick and stuck in Boston, I'm doing okay now. Everyone's dealing with uncertainty in crisis, so we're not gonna, you know, try to get in the way of things, but, you know, everyone's dealing with, you know, a black swan event that is, you know, making everything a bit harder. Yeah.
C
I mean, I understand all the different things that are happening. Ultimately, Harbor needs a thumbs-up from SIG Security for graduation, so whatever documentation or whatever process you guys want to follow in order for you guys to give the thumbs-up, we can do that. I think it'll be very useful for you guys to go through your SIG Security items now, and then, maybe after that, give me a few minutes to talk about what we've done for Harbor, and maybe that will make it clearer in terms of what process you feel...
I
So, just in business that I wouldn't here, is it mandatory that if a project needs to be moved to graduation, it has to go through our SIG Security assessment? If so, do we have a clear-cut requirement for what the process should look like, so that vendors or solution providers who are trying to come in have a clear understanding that, okay, I have like ten steps that I have to follow, whether it meets all the ten or it didn't meet it?
E
C
A
D
Good morning, everyone. I am... I come from the ESP world, as well as in across world. I've done a lot of networking and security with infrastructure and application, and recently I am the easier SaaS security architect at Infoblox, which is a DDI company. Yeah, usually around. You guys, anything, have any questions then? Yep.
A
H
Just had one very small thing. As Justin, I've agreed to do the TOC due diligence first, if his prior projects there... so I'm gonna be going through that starting shortly, I think.
H
C
All right, cool. Let me share my screen as well, but essentially let me start a little bit to talk about Harbor. So Harbor is a registry that's been incubating since ef4, about a year and a half right now, and it started at VMware and was donated to CNCF about nineteen months ago. Excuse me. When we kind of look at Harbor from a high-level standpoint, it is really an artifact repository for all your cloud native assets, so we enable users to secure their images with role-based access control.
C
We enable users to scan images for vulnerabilities, and then we can sign images as trusted. We use Notary for the signing of the images, and then for the scanning for vulnerabilities, up to the current version of Harbor, we have been shipping with Clair as the built-in, batteries-included vulnerability scanner. But with our previous release, Harbor 1.10, we added an extensible framework to be able to support any pluggable scanner out there. So we started supporting Anchore Enterprise, Engine, as well as Trivy, and with the next release of Harbor...
C
That's coming up in April of 2020, we will ship with Trivy as the built-in, batteries-included vulnerability scanner. When we look at kind of the key areas that Harbor enables, we enable security and compliance, performance, and interoperability to provide our users a consistent image management for Kubernetes.
C
Kind of looking at... and I guess this works better if it's in present mode. Sorry about that, folks. When you're looking at, you know, why should people run their own registry, I have a few reasons when looking at different security and compliance perspectives, which is something that's very important to you.
C
C
Kind of looking at some of the features that enable this, we have vulnerability scanning, like I mentioned earlier, using today Clair, Anchore, Trivy, DoSec, and really yesterday we started talking with Sysdig, and the Sysdig vulnerability scanner would be enabled into Harbor within the next few weeks as well. We have the concept of CVE exceptions. We allow a user to define exceptions for CVEs. So, for example, a CVE was published yesterday and you haven't been able to patch all your images yet. Should you block your images from being pulled to a Kubernetes cluster?
C
C
Each of them have their own images, and the developers and operators of these two projects can operate independently. At the infrastructure side, we allow you to deploy Harbor on any infrastructure, whether it's private, public, hosted or edge, allow you to have data locality, so you can own your data, and both Kubernetes and Docker compliant. At the scalability and control perspective...
C
C
C
We have ChartMuseum for Helm support; however, with Harbor 2.0 that ships next month, we're gonna be fully OCI compliant, so you can see ChartMuseum being phased out, and OCI is how we're gonna manage all our artifacts. So we'll be able to manage CNAB bundles, OPAs, Helm charts, container images, operators, all of them from Harbor as OCI-compliant files. They don't have Notary for signing. Their application providers on the right is what I mentioned, and then the scan providers today. This slide was created a few months ago.
C
I won't go too much into the Harbor project overview, but, you know, we have lots of users, lots of product implementations, lots of contributor organizations, and we kind of look at this. This is kind of our money slide, where over ten thousand GitHub stars, or close to ten thousand GitHub stars, 170 contributors, more than ten maintainers, lots of Twitter followers, lots of blogs and webinars and action happening, and you can see that the project is in a healthy state from the number of contributions and a steady stream of contributions over time.
C
The extensibility dimension around pluggable scanners: we have a fairly simple API that allows any other company to come in and implement it, so that we enable our customers and our users to use a scanner of choice. If someone has made an investment in Aqua or Anchore or any other company, they can plug in their own scanner, so they can integrate with the rest of their processes. Now go through a roadmap the way, in the interest of time.
C
C
C
This is the issue that I filed on your repo. So I may have mistakenly... for project security lead, I put the security lead from the Harbor project. I'm assuming lead security reviewer is someone from your SIG. But I've created the draft document for this review, and we've already done the TOC presentation in November of 2019. But kind of looking here at the document that we prepared for you...
C
This is a document you guys can comment on or read, and you can see that I tried to create a good timeline of everything that you might have an interest in: overview, background, goes in history of Harbor, intended use cases. We have project design, operations, configuration, setup, compliance. Then you have the security analysis, vectors that you guys wanted, our security development practices that we have, roadmap, as well as some items in the appendix.
C
In addition to this, and this is referencing a couple of areas, we have the full-blown document that you have used in our PR for Harbor graduation. It's like a 30-plus page document without pictures; with pictures it's a lot bigger. That contains the entire due diligence for Harbor, and this is also linked from your document, but this is the, like, if we sometimes link to this, that includes all sorts of items here.
C
Having said that, Harbor has undergone two security penetration reviews so far. One was in August of 2019 by VMware, so VMware paid and hired two... well, they're on our payroll, but we used two security engineers that basically battle-tested Harbor. Then we went and called a CNCF-sponsored review, by Cure53. They identified about six issues; we fixed them all in the next subsequent review. Harbor has undergone two pen tests so far; the second one, by Cure53, was across 20 days.
C
F
C
So today it's just Notary, but one of the things that we're looking into... Notary, it has one big limitation: once you sign an image, the URI of the image is embedded into that signature. So the image now is not portable, or if you port it, then you're losing the ability to enforce the signing. So Notary v2 has requirements, including the ones from Harbor, to make the signatures portable.
J
J
K
E
E
Okay, one other thing I'd like to do is... I think one thing that's slightly off here, a little bit, on the issue that was opened. So, first of all, Cameron, if you want to go ahead and add yourself to the issue, you can just edit the issue at the top and say that you're willing to be, I guess, either an additional security reviewer or a lead security reviewer, potentially, although those...
A
C
E
L
E
E
C
Good, that's reasonable to me. By the way, on the PGP, GPG signing, I want to add one more thing: we're a CNCF project, and one of the key principles of CNCF is that if there is a CNCF project out there that you can potentially leverage and further synergies with, it's, you know, preferred. So, you know, with Notary being another CNCF project, that's basically part of the reason why we chose that as a project for doing our signatures, but we will look into GPG as well.
F
So I want to, you know, call out, you know, everyone's been helpful and sort of piling on to enabling process and clarifying and making sure that, you know, new learnings from Michael and facilitating the security assessment are well documented and efficient. There's only one I call out, you know, beyond the security assessment, is that, you know, Harbor is in the process of graduating, and Michael, correct me if I'm wrong, you've already received due diligence from SIG Storage and SIG Runtime.
C
Yeah, absolutely. So SIG Runtime gave thumbs up for graduation. SIG Storage, everything was okay except one item, and I'll explain it here. It probably doesn't affect you guys. Harbor has many components, and if you saw in our architecture diagram, two of them was a Helm chart as well as the sir...
C
Two of them were the Postgres database as well as the Redis. When we deploy Harbor out of the box using our Helm chart, we install a single instance of Redis and a single instance of Postgres, and the reason why we don't install them as HA is because there's lots of Helm charts out there available if you wanted to install it yourself, either using the Redis operator or a Redis Helm chart, and install it in HA. We didn't feel like it was worthwhile for us to duplicate that investment. SIG Storage...
C
Some members felt that that was a blocker to them, and some members said that's exactly how you should proceed: batteries included is single instance, but there are readily available Helm charts for doing an HA deployment. So SIG Storage did not give a recommendation for graduation because of that. They said it's up to the TOC to figure out if this is a blocker or not, but ultimately everything else was good for storage, except this one point.
F
Nada, so the thing I want to clarify is that due diligence, those processes, you know, still they're largely ad hoc. You know, SIG Security is one of the... we were the original guinea pig of the SIG process. We've been around for the longest and, you know, have our own internal processes that we're formalizing, and, you know, since we've been guinea-pigging for so long, we do tend to, you know, reflect back into, all right, you know, we're improving the process as we go along and inviting folks to participate in that.
F
F
C
E
Say that we won't be... like, we certainly, out of the assessment, wouldn't make a real negative recommendation for lacking something, like for choosing, you know, signature algorithm X over, you know, CNCF project Y, unless there's some major security reason to make that change. So, you know, we're not... it sounds like, you know, maybe some of the process you've seen other places... that's not our goal here. Our goal is really to just do a security threat assessment and to be as neutral about it as we can. Absolutely.
C
A
C
Didn't call it out in the document, to see if you guys see it as well. This is more of a catch-the-bag type of thing. I'm just kidding, we'll talk about it when we actually meet, but I'll tell you what they identified and how. When you read my document, you will see, then you will ask, and then I'll tell you yes, we're fixing this, it'll be that in two weeks. Great.
A
K
I
A
E
C
C
E
E
C
E
F
You know, earlier in the ingest process we have projects coming in at sandbox or incubating, so, you know, we're looking for more clarity on, you know, how we direct folks coming in, whether we encourage folks to, you know, start with just sandbox and not push ahead, you know, to incubating, or, you know, when it is, you know, appropriate for a new project coming to CNCF pagan.
F
So, you know, a lot of that work is getting put on to the SIGs now. We're happy to do that, but we need guidance, and, you know, we're particularly interested in looking for a robust, you know, like, how do we, you know, rapidly sort of get folks to, you know, a decision point. As I'm looking at April, we're talking about potentially, you know, having a theme, and it might end up, with all the craziness of coronavirus and COVID-19 fun...
F
It might be more reasonable to peg it into May, but, you know, going through a thematic set of meetings where we're, you know, inviting projects, seem tense and not around identity, and really, you know, shifting from, you know, having sort of ad hoc, you know, projects come and present...
F
You know, as it arises, to, you know, in a particular period, we're, you know, diving deep on a topic and, you know, coalescing some of our contacts and information around that. So, considering identity, you know, for that initial wave, and if you have any suggestions for projects or folks that, you know, you'd like to hear from, you know, very interested in getting feedback on that. You know, create an issue around it.
A
M
F
Engaged in Boston, and, you know, plug into that, but we definitely do not have, you know, someone on the inside of SIG Security that is, you know, interested in engaging there. There's a bit of a, you know, interesting sort of philosophical journey that I expect there, where, you know, a lot of the larger sort of corporate, you know, side of things are less interested in this, so, you know, finding sponsorship from a major corporation that is going to enable that is, you know, maybe not going to happen.
F
M
M
It is kind of blockchain-centric, but they're holding that implementation design stuff at bay at this point, and trying to work on a spec, which I think is gonna be fruitful at some point. The NIST people are interested in this from the federation point of view. So I mentioned the liaison thing to them, which basically just meant they put it in the notes that somebody thought that might be a good idea.
M
B
F
N
O
We expect out the conflicts of our bag. It's in the security review, or under the assessment guide. I think it specified that that's a soft conflict. I believe that, basically, you just have to say that you're from VMware but you don't... everyone on the project, and you would still be able to do the review. Thank.