CNCF SIG-Security SIG Policy Team: Kubernetes Policy WG Meeting 2020 07 08
A
Alright, I messaged Erika a lot, but maybe we can get started. Meanwhile, let me pull up the agenda item. So, a few things I wanted to just do. So, Jaya, there were a few more comments in the document, so we can quickly go through those. I have also another PR submitted to add the selectors. So you were looking for that feature, right? So we can take a quick look at that and then see if there's anything else to discuss.
C
Right, so yeah, I think a couple of things that we thought about: some of them could be security related, the others could be health related, like health checks, and those were the two we came up with. But we could definitely come up with a few others based on our experience. So that was one of the... The idea here is that if the CR is generated, whoever is processing that information can filter out the ones that they care about.
C
I think that it's the latter, right? So what we were thinking is that we would define some high-level categories. Okay, and I agree with you that we don't want to over-architect this. If you define the next level of categories and all that, that'll become too much. If you can put it at a higher level, we know that these kinds of reports should be routed to, say, maybe a security operations center, versus these kinds of reports should be routed to incident management.
A
I think if you have to come up with some categories, the challenge always becomes: did we make it extensible? Is this a string, or is it an enum field where it's a fixed list and all reports kind of fall into one or more of these categories? So maybe if you want to propose a list, we can discuss and review. Not sure if others, like Robert, if you guys have any thoughts on this, how to manage it.
D
We're adding metadata; it might also be useful to have some sort of tool or vendor thing here, or some notion of namespacing. Like, I work with a number of tools that do broad categorization with metadata, and when I go to on-site installations, it ends up being that most orgs end up doing customization to reflect their own internal standards.
A
Yeah, we could put engine in there, and certainly different engines can put other metadata as required. I think the additional question is, within the results for each element of the report, in the results array, should we have a well-defined category, and what would that list look like?
C
Then the consumer of this data could filter and route it to appropriate destinations, because the whole point of generating this data is we want it to be actionable and we want to take some actions on it, right? And the actions could be taken by incident management tools or by a security operations center, or, you know, depending upon what is emitting this. So having that category will help us route or filter out things that we need to process.
D
About constraining the vocabulary here: at some level, are we just concerned about being overly prescriptive? It could be an operational concern, it could be a cost concern, it could be a security concern. And so category then becomes almost reformed from the value perspective, and the ROI of indexing other fields in this. It's a little bit fuzzy to me. Like, I understand what you're saying, but I feel like we're...
A
Yeah, that latter part is what I'm concerned about too. So I think there's two ways to approach it, right? One is we could still make category a top-level field within the resource, but leave it as text, where each engine could decide what categories it's creating or reporting. So that's slightly better than leaving it in data, where data is kind of optional and not structured, like Jaya is pointing out. The other option is we make categories sort of a strict set, which I think, yeah?
A
So that could be the way to do it, and then maybe it satisfies both perspectives, right? For engines that want to have some categories and count on those, we know that, let's say, for example, if it's coming from Kyverno, there will always be a category, and Kyverno can publish a list of categories that it allocates or assigns to reports, or something like that. That could potentially work.
A
So, making it an attribute of results, right? So each result will have a category attribute, just like we have status and scored, and it will just be text, and it will say, at least in this first release, each engine will be responsible for managing its list of categories that it publishes results with.
A
If that could be a UUID... So versus right now we have it as a string, and in the examples we're showing names, right? So I think it should be possible to also convert a UUID to a string format and put that in there. So once again, it seems like this would be more of a concern depending on which engine is reporting. If you choose to use UUIDs, you can. Was there something that would prevent, I guess, using a UUID in that policy field right now?
A
Right, so when we were looking at other mappings, for example for Kyverno, we were thinking of doing policy name slash rule name in this field, right? So in your example, if you want a UUID, and even then, if you want to append or have a name to make it more readable, you can, or if it's just a UUID, that's fine too.
A
So I think I might have briefly mentioned that in the last meeting. So when I moved things over to the repo and to the CR, because the timestamp and that information is already in the resource metadata, I removed both the creation timestamp and the execution count, and if we need something like that, we can bring it back. But for now it didn't seem like there was a specific need for that. But yeah, if anyone has any other thoughts or comments, we can decide.
A
Okay, yeah, so one thing I want to do is, at some point, we should just start using the git repo for comments and PRs, right? So maybe after this next set of changes, we can lock the document and just move things over to the git repo, because it'll just be easier to track and comment on each change and things like that. And I think there's a few...
A
You know, one issue: I just submitted a PR yesterday for the resource scope and selectors. I don't know if anybody knows of a good way to generate documentation out of this, the OpenAPI schema or the Go tags, but it looks like kubebuilder had some facilities, but they no longer work. So if there's a good way to generate docs, that's something we need to do so we can review each field and the data easily. And then I think we're waiting on additional samples, like we've talked about, right?
A
So if anyone has samples to submit, it would be good to create PRs on those as well, and we can make sure that we can test them quickly with the CR. So currently you can install the CR, you can create a YAML that matches that CR, and see what that looks like. So that's probably the easiest way to try things out.
A
We did briefly talk about it and at least socialized the idea. So I think what we want to do first, though, is show more examples and then also propose how we write, perhaps, adapters, or show that different engines are using this. So one of the... on Kyverno we will start. So we currently have a CR for policy violations in Kyverno which we're going to replace with this policy report and produce these reports.
E
...to a CR, versus Kubernetes events, versus, you know, someone even suggested, like, oh, what if you just expose an endpoint for people, right? So I created a table that looks at all the options, and I kind of want to make sure we sync, either here or on another call, whatever makes sense, just so that we can kind of look at this proposal. The way you're looking at it is very much still writing to a custom resource, right? And I...
E
I think, based on the usage that we're seeing and the comments from people, at least Gatekeeper's current implementation is not really scalable for large clusters, so I want to make sure we touch on that and make sure whatever it is in this proposal addresses that concern as well, right?
A
Looking at things like creating custom resources, what we had sort of settled towards, or veered towards, was trying to make sure that the reporting was reflecting current state for admins, right? So we were not focused so much on any history or historical state, because the thinking was that could be done outside the cluster, and it's best done outside the cluster.
A
So here what we veered towards is allowing the flexibility of aggregating, whether... and allowing also the flexibility for each engine to decide whether it's just violations, whether it's violations and a success summary, or some other level of detail, and at what scope and granularity they report. So there's a lot of flexibility, but it's more or less left up to each policy engine to decide what works best, and that's, I guess...
A
If you're trying to build a common structure, it seems like that would be the most, I guess, agreeable option overall. But yeah, at the same time, of course, this could also be used in a manner where there is still one violation created per policy rule and per resource, which, like you mentioned, could lead to scaling problems.
E
All right, can you see my screen? Let me know if you can see my screen.
E
Cool. Again, this is learning. This is basically learning from running Gatekeeper and getting user feedback, right? So definitely this may not apply to other projects, but I think some of these use cases and concerns might be applicable as well. So currently we have two approaches in terms of reporting violations. So, as you can see, currently we write the violations to the constraint, and in Gatekeeper you can think of them as a policy, right? And in it...
E
You're basically updating the policy, depending on the number of policies the cluster has violations for, right? And I think this is probably the closest to what the proposal for policy reporting looks like, though I understand it does have the flexibility of allowing the policy engine to decide how you want to basically shard the CR updating process, right, whether that's by, like you said, namespace or GVK, right, group version kind.
E
You can slice it up in a different way to reduce that impact, right? But even with that, that limit on an object can still be there, right? And the other... So for the Gatekeeper project, we came up with another approach which basically writes all the violations, for both admission time and audit, to the Gatekeeper logs, and that approach does not run into these limitations because we're writing to the log.
E
However, that will require the consuming solution to basically parse the log, right? And then there's, of course, the Kubernetes events. We really like this approach, and this is something we're working on now. What we like about it is the fact that, by default, Kubernetes will remove these events, right?
E
So we think this is actually quite nice, because we can leverage a native Kubernetes object, and the fact that it has a TTL actually means we can ensure that these objects will get cleaned up. And it is kind of similar to the policy report proposal because, like you said earlier, it's only looking at the current state of things rather than a historical record of every violation ever, right? And some of the other options that were considered...
E
...a new violation resource, so another CR, and then of course another endpoint that allows users to query. But that will require a lot more work to make sure this is actually production ready, I guess. I just kind of want to briefly go through this. Did you guys have any questions or thoughts?
A
...to give the cluster admin some state which they can easily collect, through tools like kubectl, etc., to see what's going on with policies or policy engines they may have configured. Whereas others are, if you're looking at something like a pod or a deployment, obviously you want to see events on that to say maybe there are some violations, etc.
A
All right, so we were not thinking of that as either-or, or as solving the same goal. But the fact that most engines, to be used in production systems, would report Kubernetes events, which is, like you mentioned, a great mechanism for what events are meant for, but it didn't seem to be solving, at least, the goals of what we were thinking for the policy report.
A
So that's one option, where some policy engines or tools like Gatekeeper natively create the reports, and that's what we were thinking of doing for Kyverno. For other tools, perhaps the other way of doing this would be to write adapters which are consuming, say, for example, Falco or kube-bench. Those could have adapters which just produce reports, or maybe over time they also have native features to generate these reports.
A
One option would be, in a result element or even at the scope level, instead of naming an object or referring to it by GVK or something similar, you could then use a label selector to group several objects, maybe hundreds of pods, if it makes sense. So again, if there's other ideas for how we can add that level of flexibility, to be more concise in the reporting but point to a larger set of objects...
A
The other thing, one of the problems we run into, like what Kyverno does, is it also does background scans, right? So it will periodically scan the entire cluster, and of course, at one point it was picking up on even pods that were not being scheduled, that were failing. But for those sorts of things, of course, the engine would have to manage the state and make sure that it's not reporting on objects which are not active. But I totally understand.
E
Yeah, so that's the size limit for etcd objects. So basically that's a constraint of, I guess, etcd, and so when we think about any of the Kubernetes objects or CRs, they all, basically, as the size of the object grows, you're going to eventually hit that 1 megabyte size limit. And I can find a link to where the docs say that, if it helps.
A
Okay, so I think on that scalability, it would be good to see, as we look at different examples, to really test out the flexibility of the reporting, and if we can find that right balance, based on either namespaces, workloads, or other levels of grouping, for some of these common types of policies and reporting that we want to do. If there's any other ideas...
F
Yes, hello, everyone. So, first, for those of you who may not know me, I want to introduce myself. My name is Christoph Blecker and I am a member of the Kubernetes steering committee. So I wanted to come and introduce myself and quickly speak about a newer initiative that the Kubernetes steering committee is undertaking with annual reports from our various community groups. The goal of this is, we are noticing across the community kind of an evolution of how information is moving throughout the community.
F
When we look back over the last five or six years or so, in the early days of Kubernetes, we had a Thursday community call, which most people in the community would end up joining, and SIGs and working groups and stuff would be giving rotating reports in that particular meeting.
F
So an email went out yesterday to k-dev that kind of explained some of this. We are starting with working groups this year, in 2020, and the reason we're focusing on working groups is that working groups are in particular a group that requires lots of cross-communication between different groups, because by the nature of working groups they...
F
They have many stakeholders themselves, so we're trialing this with the working groups in 2020 to ensure that we kind of have a picture, and we have clear communication on what all of our working groups are working on, and really asking the question: are our various community groups and working groups healthy? Are they following best practices as far as holding meetings on a regular basis, recording them, putting them on YouTube?
F
I've also included links to these in the agenda, so folks can kind of pull these up and read them on their own. So, scrolling down to the questions, these are the kinds of pieces of information that we're looking to get from all of our various working groups. Things like: are your OWNERS files up to date? Are your subprojects...
F
You know, are your meeting times, like the list of meeting times, up to date? Which is something that I actually found with the policy working group: your listed meeting times and such are not up to date in the community repo. So it could be hard to find and encourage people to come to the meeting.
F
That is something that we want to kind of work with the folks that are involved in the working group to get done. But my kind of vision would be, sometime in the next couple of months, that we can collaborate together, go through this annual report process, and then kind of gather any feedback, like: was it useful, and do you find, after we collect these annual reports, that we kind of see some action from them?
B
There was one thing: it said, like, click here for the list of questions, and then I clicked it, and it said there was a Google Doc and I didn't have permission. So maybe I'll follow up with you and see if that's even necessary. But overall, yeah, I applaud the idea. I think it's good to collect it. I would say that hopefully the data, once collected, is consumable and easy to analyze. I guess when I was a hammer, a DevOps hammer, everything looks like DevOps.
F
Yeah, all of the annual reports, once they're finalized, will be openly published. There are some sections in here where we offer the opportunity for chairs and organizers to come to us with things that might be sensitive. If there are problems, like... there's a bunch of questions in here, but the key thing that we're trying to get from a steering committee perspective is...
F
...that information. And we're also trying to... the email Paris sent kind of goes into some of the goals, but one of the things that I am also personally really passionate about is connecting positives as well, not just the negatives. Like, we do want to know if a group is unhealthy, but we also want to figure out if something that a group is doing really well is really working for them. Is there a way that we can make that a best practice?
F
But in the meantime, if there's any questions or comments or that kind of stuff you have, you have a face and a name. You can come and contact me, and I can kind of help answer or direct those questions to the right role. And in general, even outside of this particular process, I am your liaison. I...
F
...don't make decisions on behalf of the steering committee, but I am kind of a communication conduit. If you need something from the community as a whole or from the steering committee specifically, I am a person that you can kind of come and talk to, and I can point you in the right direction as far as any of those kinds of wider governance issues, or resourcing issues, or such.
A
Doesn't seem so. So thank you, everyone. I will make updates based on what we discussed for the categories. If you can, take a look at the PR on the selectors and see if that addresses what you were looking for, or if there's anything else to be done, and we can get that merged.
A
Yes, so just please create PRs with some samples, because that will help us firm up the structure, and also, if we can start... you can just create a PR directly on the git repo, yeah. And if there's anything else that comes up that we feel we need in the reports, we can... that will help flesh that out.