►
From YouTube: CNCF SIG Security 2021-04-28
Description
CNCF SIG Security 2021-04-28
A
B
B
B
B
B
A
B
A
A
There
are
talks
on
identity
and
access,
there's,
there's
quite
a
bit,
that's
packed
in
there.
We
have
great
keynotes
from
the
event
sponsors
red
hat
vmware
checkpoint,
the
the
ctf
in
itself.
It's
a
lot
going
on.
There's
several
scenarios.
Magno
has
worked
closely
with
the
control
plane.
Folks
ron
vitter
has
participated,
magno
and
diego
are
running
the
twitch
stream
they're
going
to
be
providing
live
coverage
of
the
event.
There's
a
there's,
a
lot
of
guest
speakers
there
magno.
You
want
to
talk
a
little
bit
about
that.
D
Have
we
started
the
meeting
officially
yet
okay
yeah
so
so
yeah
for
the
ctf,
we're
going
to
have
at
least
at
least
six
challenges
for
different
scenarios
right
in
kubernetes
scenarios
and
everything,
usually
the
the
person
doing
the
ctf.
Each
person
gets
their
own
cluster
and,
and
usually
they
start
inside
of
a
cluster
or
on
a
node
in
a
network
not
next
to
a
cluster.
D
So
there
is
all
all
these
like
stories
that
we
present
to
describe
a
scenario
and
what
they
need
to
do
to
get
the
flags
and
so
yeah
control,
plane.
Andrew
martin
and
lewis
are
working
on
the
challenges
there.
We
we
help
them
with
some
suggestions
for
the
challenges
as
well,
so
they're
busy
working
on
that
and
we're
also
going
to
have
a
live,
live
stream
so
and
in
two
separate
moments.
D
What
they
think
about
the
specific
challenge,
right,
of
course,
introduce
them
and
present
about
their
their
journey
into
cloud
native
security
as
well,
and
ask
about
some
tools
that
they
use
for
you're,
either
doing
a
ctf
or
or
solving
an
issue
instead
handling
or
troubleshooting
a
kubernetes
cluster.
So
yeah,
I
think,
that's,
that's!
That's
it
and
all
kinds
of
fun
stuff.
D
D
I
I
can
put
the
link
on
the
chat
after
that
and
and
because,
if
you
want
to
interact
and
chat
and
ask
questions,
also
that
we're
going
to
get
some
questions
from
the
from
the
audience
from
from
the
chat,
so
you
need
to
follow
that
beforehand
because
it
takes
there's
like
15
minutes
delay
before
you
can
start
interacting
with
the
chat.
So
if
you
can
follow
that
earlier
before,
even
before
the
event,
so
that's
better!
E
D
D
Yeah,
so
so
just
just
a
quick
overview
here
of
the
the
speakers,
the
guest
speaker,
so
I'm
going
to
be
running
the
twitch
stream
together
with
diego
and
ron,
and
also
there
is
a
friend
of
mine
that
is
going
to
be
helping
with
the
like,
just
just
with
the
the
stream
administration
right:
okay,
who
who's
gonna,
be
on
screen
and
share
and
stuff
like
that.
Also
so
we
have
rory
bacoon
and
david
mckay
from
on
the
the
first
schedule
from
12
p.m,
to
1
p.m.
D
D
D
C
I
D
So
yeah
we
divide
them
on
scenarios,
it's
not
exactly
like
that
name
spaces
and
certs,
but
we
have
each
each
each
a
challenge
is
a
different
thing
that
you
need
to
do
right.
So
it's
a
different
scenario.
So
when
when
you,
when
you
get
your
credentials
and
you
access
the
the
cluster,
for
example,
you're
gonna
see
a
description
there
of
of
like
okay,
it's
kind
of
a
story
right.
Oh
someone
compromised
at
this
cluster
and
did
this
this
and
that
and
you
need
to
find
the
flag
right.
D
Sure
no
problem
yeah
we're
going
to
open
the
slack
channel
on,
I
think,
on
tuesday
and
yeah
during
the
whole
cloud
native
security
day,
you
can
join
and
take
up
some
challenges
and
try
it
out
and
and
it's
it's
a
a
learning
experience
right.
We're
not
gonna
be
scoring
anyone.
So
if
you
have
any
questions,
you
can
ask
on
slack
there
as
well,
so
people
will
be
able
to
help
you.
D
E
E
D
A
B
A
The
the
one
thing
now
that
we're
pretty
much
locked
and
loaded,
sorry
that
that's
perhaps
a
harmful
expression
now
that
the
event
is
in
full
swing
and
we
have
all
the
preparations
in
place.
I
I
want
to
recognize
that.
Well,
while
we
often
meet
at
a
weekly
cadence-
and
we
talk
about
the
different
things
that
we're
working
on
this
event,
this
collocated
event
is
really
a
culmination
of
what
we've
done
for
the
last
year,
like
more
so
the
last
six
months,
but
it
is
produced
by
us.
A
It
is
produced
by
us
who
gather
here
every
week
for
six
security
and
it
captures
a
lot
of
our
efforts,
a
lot
of
our
ideas,
even
though
you
might
have
not
been
directly
part
of
the
program
committee.
It
does
channel
all
of
our
discussions
and
all
the
things
we
have
back
on
the
meeting
notes.
So
it
is,
it
is
a
little
a
little
party
of
six
security
of
showcasing
all
our
work
to
the
rest
of
the
world.
D
Yeah,
if
I
may
take
the
opportunity
here,
I
have
one
update
as
well
besides
that
so
on
on
a
side.
Note
me
and
diego
comas,
which
will
also
be
on
the
twitch
stream
for
the
ctf
we've
been
working
on
on
kind
of
a
cloud
native
security
podcast,
and
that
has
been
going
for
a
couple.
I
think
months
now
we're
working
on
on
recording
some
episodes
and
we
finally
released
the
first
episode
today.
It's
kind
of
just
an
introduction
episode
about
how
the
podcast
is
going
to
work.
D
Basically
we're
going
to
have
some
guest
speakers
as
well
to
talk
about
cloud
native
security
and
different
topics
and,
besides
the
gas
interviews,
we're
also
going
to
have
some
demos,
so
yeah,
no
fender
peaches,
you
know
yeah.
No,
this
is
all
all
free
and
everything
open.
So
we're
going
to
have
some
demos
of
how
like
how
can
I
install
a
cluster
unmanaged
cluster
right?
D
How
can
I
install
a
cluster
on
eks
and
then
security
as
well
like
follow
the
best
practices,
so
we're
doing
that
and
tomorrow
we're
releasing
the
first
official
episode
actually
so
tomorrow.
It's
also
the
release
of
the
mitre
attack
updates
and
the
official
release
of
the
mitre
attack
for
containers
and
kubernetes.
So
we're
going
to
have
a
dedicated
episode
about
that
tomorrow.
But
is
this.
D
J
B
E
So
just
a
quick
update
on
the
cloud
native
security
map,
so
the
first
iteration
of
the
map
is
live.
I'm
posting
a
link
in
the
chat.
We
still
need
a
bunch
of
contributions
for
various
sections,
so
if
you
are
interested
check
it
out
and
there's
a
contribute
link
at
the
bottom,
so
if
you
think
you
have
expertise
on
a
particular
section,
please
do
send
out
a
pr
and
reach
out
to
us
like
brandon,
brandon,
diego
or
me
thanks.
K
K
K
Just
the
github
handle
pushkar
jay.
I
think
it
reached
out
to
emily
and
the
feedback
was
that
the
the
security
power
process
we
have
what
we
used
to
call
assessments,
what
we're
calling
reviews
really
for
sandbox
and
incubation.
So
there's
never
been
a
case
of
a
graduated
project
or
a
sub-project
of
a
graduated
project
coming
for
a
review
here,
so
pj
suggested
we
kind
of
use
this
as
a
pilot
case
study.
If
you
will
how?
How
do
we
do
this?
I'm
happy
to
lead
that
I
put
myself
on
the
ticket.
K
I
think
we
can
use
most
of
the
security
review,
security,
pal
materials
and
we'll
call
out
tweaks
and
suggestions.
That
said,
the
the
scope
should
be
different.
This
isn't
in
I
mean
this
is
my
opinion,
but
feel
free
to
vet.
This
with
other
folks
on
the
cluster
api
team.
I
I
think
they
want
more
of
a
traditional
audit
assessment.
K
You
know
even
maybe
at
a
pen
test
level,
so
I
I
think
we
will
quickly
go
beyond
the
security,
pal
security
review,
scope
and
use
that
as
kind
of
a
first
step
and
then
dig
deep
into
the
audit
side
and
then,
if
money
appears
we'll
probably
use
it
use
that
to
cross-check
the
work
that
we
do,
but
that's
the
plan,
nothing
is
actually
other
than
the
github
issue.
603,
nothing
has
actually
started
yet.
B
K
K
K
B
K
B
K
B
So
I
would
push
it
back
for
discussion
with
at
least
with
tls
and
chairs,
because
so
far
it's
always
been
like
toc
driven
just
like
what
emily
said,
and
it
was
basically
around
projects
as
the
granularity
with
which
we've
actually
done
stuff,
and
it
has
those
clear
goals
in
terms
of
like
how
we,
what
that
really
means
for
the
process
within
incubation
or
within
sandbox
and
within
graduation.
But
but
this
one
will
be
a
bit
different
from
what
we've
been
traditionally
doing
so
yeah.
I
would.
K
B
You
can
do
that
and
we
can
always
invite
them
for
a
readout
of
like
what
the
report
is
and
have
a
session.
That
is
something
that
I
think
it'll
be
useful
for
the
group
to
understand.
What's
going
on
there
and
it's
an
important
enough
initiative
that
I
think
it'll
be
worthwhile
for
the
group
to
understand
the
landscape.
It
might
impact
bunch
of
the
projects
that
actually
depend
on
kubernetes
are
built
on
top
of
community
security
or
kubernetes
framework
in
a
way
right.
B
K
K
K
We
started
off
as
a
cncf
policy
work
group,
both
of
the
of
which
I
was
originally
a
co-chair,
but
the
two
original
founders
have
no
have
kind
of
dropped
off
and
gone
dead,
and
then
we
had
a
new
co-chair,
but
we're
rehoming
that
to
the
kubernetes.
So
actually
our
repo
is
under
the
kubernetes
repo
structure.
K
So
technically
I
guess
we
should
be
calling
ourselves
the
kubernetes
policy
work
group,
but
you
know
anyway,
so
there's
some
there's
some
disentanglement.
That
needs
to
happen
since
we're
technically
still
pointers
from
the
cncf
policy
work
group.
But
anyway
it's
one
big,
happy
family.
So
just
fyi.
We
are
working
on
a
drill
down
white
paper,
so
this
is,
I
put
a
link
here.
This
is
a
policy
specific
white
paper
and
in
particular
kubernetes
policy,
but
it
it
has
some
cross-cutting
concerns.
K
You
know
how
do
you
implement
policy?
How
do
you
measure
policy?
How
do
you,
how
does
policy
map
to
compliance
and
regulation?
So
not
cncf
policy,
not
multi-project
policy,
very
kubernetes
oriented
and
in
particular
the
the
work
group
has
kind
of
narrowed
its
work
product
to
a
kubernetes
crd
for
policy
reporting.
You
know
and
down
the
road
we'll
have
other
cids
for
policy
various
ingestion
execution.
K
What
what
not
but
right
now
the
policy
report
is
kind
of
just
a
standard
resource
for
any
sort
of
tool
that
wants
to
represent
their
findings
in
kubernetes
as
a
resource.
So
then
you
can
use
you
know
downstream,
tooling,
to
aggregate
all
that
data,
but
if
anyone's
interested
in
contributing
or
just
reviewing
or
keeping
track
of
progress,
the
outline
is
very
much
work
in
progress.
Draft
we've
had
a
couple
of
working
sessions,
but
it's
out
there
feel
free
to
comment.
B
B
B
Precisely
for
this
reason
we-
and
there
was
a
huge
overlap
between
six
security
and
policy
working
group,
so
I
don't
know
how
much
you
know.
A
policy
working
group
was
integrated
into
six
security
with
a
pr
which
was
pending
on
harvard
for
a
while,
and
the
objective
was
to
like
unify
this
so
that
you
can
have.
B
There
are
part
of
cncf
umbrella,
so
if
it
feels
like
it's
a
general
purpose
thing
that
needs
a
cover
across
multiple
projects,
I
think
it's
good
to
unify,
because
then
what
you'll
see
is
multiple
policy
working
groups
and
multiple
different
projects
getting
spin
off
and
then
we'll
have
to
worry
about
unification
of
that.
So
I
would
get
that
carefully.
If
you
want,
I
can
pull
up
the
issue
and
then
we'll
share.
Maybe
we
can
take
this
to
slack
and
discuss
about
how
we
want
to
proceed
with
this.
I
B
I
I
feel
you
can't
do
policy
in
isolation
right
and
there
are
layers
of
policy
policies
right,
especially
when
service
mesh
comes
into
picture
and
so
on
and
so
forth.
So
the
whole
integration
just
doing
kubernetes
policy
and
not
leaving
out
security
policy
doesn't
make
sense,
so
so
the
table
of
contents-
we
reviewed
this
morning
does
have
a
lot
of
security
content
in
as
well
in
it
as
well,
and
one
of
the
action
items
I
got
from
the
group
was
that
next
week
I
will
review
the
agenda
with
this
forum.
I
So
if
there's
any
feedback,
we
should
update
it
but
long
term.
I
think
it
makes
sense
to
combine
that
group
as
part
of
this,
because
the
participation
is
from
people
who
are
policy
people,
but
also
security
people
there
as
well.
So
I
think
good
value
and
good
overview
from
different
point
of
views
from
different
participants
here
as
well
are
needed
on
that.
B
G
There's
an
overarching
security
framework.
I
think
that's
the
thing
that
you
know,
I
think,
should
be
driven
by
what
what
the
team's
doing
here
right.
So
what
robert's
doing
out
here,
because
I
think
in
terms
of
subject
matter
experts,
I
don't
think
there's
anybody
better
than
this
group
right.
So
that's
kind
of
my
unsolicited
opinion
here.
K
K
You
know
pr
level
permissions
level
so
not
to
say
that
all
these
human
calls
I'm
not
going
to
use
the
word
policy.
Human
organizational
factors
can't
be
reworked
and
unwound
and
rewound,
and
all
these
things,
but
from
a
tactical
perspective
it
has
already
forked
and-
and
so
the
group
has
kind
of
gone
down
this
kubernetes
path,
but
that's
not
to
say
that
we
can't
re-emerge
into
the
master
so
happy
to
do
that.
Happy
to
have
that
conversation,
and
I
this
is,
I
think,
yeah
slack.
J
B
K
I
So
jj
I
already
provided
my
update
right.
It
was
about
the
policy
working
group.
Also,
there
is
another
kubernetes
security
group
that
is
also
working
on
a
policy
paper.
So
emily
gave
me
the
action
to
coordinate
a
meeting
between
the
three
leads
right
and
figure
out
what
these
papers
are
about,
so
we
don't
have
overlap
and
we
can
coordinate
the
efforts
also
next
week.
C
L
L
I
we're
very
excited
suffice
to
say,
as
I'm
sure
everyone
knows,
there's
a
lot
of
people
lined
up
on
twitch
to
to
contribute
and
thank
you
to
everybody
who
contributed
scenarios
as
well.
They
were
incredibly
useful,
so,
yes,
full
steam
ahead.
All
is
well,
and
I
look
forward
to
the
day
after
the
4th
of
may
awesome.
A
G
B
L
G
L
Also
going
on
that's
actually
that
the
book
is
hacking
kubernetes
with
the
venerable
mr
michael
hasselblast
as
well.
The
manuscript
deadline
is
the
friday.
Oh
it's
a
week
on
friday.
So
that's
what
one
of
the
many
things
that
have
conspired
against
me,
but
I'm
on
top
of
everything,
everything's
good.
It's
just
yeah
and
it's
it's
in
early
access,
but
I
mean
if
people
feel
inclined
to
review,
do
please
reach
out
and
let's
there's
some
words
there
as
well.
L
Yeah
it's
up
the
first
two
chapters
are
not
actually
indicative
of
what
we've
what
we've
done
at
this
point,
but
yeah.
If
people
have
spare
cycles-
and
I
realized
that,
with
all
the
all
the
work
people
do
contributing
to
all
the
community
projects,
it
is,
it
is
a
big
ask,
so
there's
no
expectation
but
you're
welcome
to
a
copy
of
the
early
manuscripts.
If
people
would
like
to
review
awesome.