From YouTube: CNCF SIG Security 2021-04-28
Description: CNCF SIG Security 2021-04-28
B: APAC meeting was good, I think, there's a decent demo that happened.

A: There are talks on identity and access, there's quite a bit that's packed in there. We have great keynotes from the event sponsors Red Hat, VMware, Check Point, the CTF in itself. It's a lot going on. There's several scenarios. Magno has worked closely with the ControlPlane folks; Ron Vitter has participated. Magno and Diego are running the Twitch stream; they're going to be providing live coverage of the event. There's a lot of guest speakers there. Magno, you want to talk a little bit about that?
D: Have we started the meeting officially yet? Okay, yeah. So for the CTF, we're going to have at least six challenges for different scenarios, right, in Kubernetes scenarios and everything. Usually the person doing the CTF, each person gets their own cluster, and usually they start inside of a cluster or on a node in a network, not next to a cluster.

D: So there is all these like stories that we present to describe a scenario and what they need to do to get the flags. And so yeah, ControlPlane, Andrew Martin and Lewis are working on the challenges there. We help them with some suggestions for the challenges as well, so they're busy working on that, and we're also going to have a live stream, in two separate moments.

D: For one hour, we're going to bring some guest speakers that are famous and well known in their field for Kubernetes and cloud native security, and we're going to kind of interview them and ask questions about what they think about the specific challenge, right. Of course, introduce them and present about their journey into cloud native security as well, and ask about some tools that they use for either doing a CTF or solving an issue, incident handling or troubleshooting a Kubernetes cluster. So yeah, I think that's it, and all kinds of fun stuff.

D: Technically, no. So for the Twitch stream, it's open to anyone, even the CTF, if you will, right, because we're not kind of tracking who's joining. So we're going to have a Slack channel there on the Cloud Native Slack, a specific Slack channel for the CTF, so we're going to have someone responsible, a test master.

D: So this person is going to be Luis, and he's going to be handling the deployment of the clusters and giving each participant their credentials to access each cluster, right. And on the Twitch stream, all you have to do is follow the Cloud Native Computing Foundation Twitch stream.

D: I can put the link on the chat after that. And because, if you want to interact and chat and ask questions, also we're going to get some questions from the audience, from the chat, so you need to follow that beforehand, because there's like a 15 minute delay before you can start interacting with the chat. So if you can follow that earlier, even before the event, that's better.
D: We have the list, we just sent them some details today. I'm not sure if we're gonna post it. I think there is some details on the schedule, but I don't think we have the names of the speakers there, but I can give it to you here, if you want. We have one.

D: Yeah, so just a quick overview here of the speakers, the guest speakers. So I'm going to be running the Twitch stream together with Diego and Ron, and also there is a friend of mine that is going to be helping with just the stream administration, right: okay, who's gonna be on screen and share and stuff like that. Also we have Rory McCune and David McKay on the first schedule, from 12 p.m. to 1 p.m.

D: Central Europe time, I think that's CT. And then on the next session, from 4 p.m. to 5 p.m. on the same time zone, we're going to have Brett Dieselman, Tabitha Sable and Liz Rice.
A: So when you jump into the CTF, do you have like topics for each CTF, for example like namespace or secrets or, you know, like cert or like a bunch of data stuff like, for example, getting the data from etcd or...

D: So yeah, we divide them on scenarios. It's not exactly like that, namespaces and certs, but each challenge is a different thing that you need to do, right. So it's a different scenario. So when you get your credentials and you access the cluster, for example, you're gonna see a description there of, like, okay, it's kind of a story, right. Oh, someone compromised this cluster and did this and that, and you need to find the flag, right.

D: So there is a description there on the scenario that you can read and understand what you need to do, right. And so that's exactly why we're going to have the guest speakers as well on the Twitch stream, because they don't know about the challenges, right. So we're not providing any details about the challenges beforehand to them, and we just want to kind of pick their brains and get some information, according to their experience, what they would look for.

D: Sure, no problem. Yeah, we're going to open the Slack channel on, I think, Tuesday, and during the whole Cloud Native Security Day you can join and take up some challenges and try it out, and it's a learning experience, right. We're not gonna be scoring anyone. So if you have any questions, you can ask on Slack there as well, so people will be able to help you.
A: The one thing, now that we're pretty much locked and loaded, sorry, that's perhaps a harmful expression, now that the event is in full swing and we have all the preparations in place. I want to recognize that, while we often meet at a weekly cadence and we talk about the different things that we're working on, this event, this colocated event, is really a culmination of what we've done for the last year, like more so the last six months, but it is produced by us.

A: It is produced by us who gather here every week for SIG Security, and it captures a lot of our efforts, a lot of our ideas, even though you might have not been directly part of the program committee. It does channel all of our discussions and all the things we have back on the meeting notes. So it is a little party of SIG Security, of showcasing all our work to the rest of the world.
D: Yeah, if I may take the opportunity here, I have one update as well besides that. So on a side note, me and Diego Comas, which will also be on the Twitch stream for the CTF, we've been working on kind of a cloud native security podcast, and that has been going for a couple, I think, months now. We're working on recording some episodes and we finally released the first episode today. It's kind of just an introduction episode about how the podcast is going to work.

D: Basically we're going to have some guest speakers as well to talk about cloud native security and different topics, and, besides the guest interviews, we're also going to have some demos. So yeah, no vendor pitches, you know, yeah. No, this is all free and everything open. So we're going to have some demos of how, like, how can I install a cluster, an unmanaged cluster, right?

D: How can I install a cluster on EKS and then security as well, like follow the best practices. So we're doing that, and tomorrow we're releasing the first official episode, actually. So tomorrow it's also the release of the MITRE ATT&CK updates and the official release of the MITRE ATT&CK for Containers and Kubernetes. So we're going to have a dedicated episode about that tomorrow. But is this...
E: So just a quick update on the cloud native security map. So the first iteration of the map is live. I'm posting a link in the chat. We still need a bunch of contributions for various sections, so if you are interested, check it out, and there's a contribute link at the bottom. So if you think you have expertise on a particular section, please do send out a PR and reach out to us, like Brandon, Diego or me. Thanks.

K: Just the GitHub handle, Pushkar Jay. I think he reached out to Emily, and the feedback was that the Security Pals process we have, what we used to call assessments, what we're calling reviews, is really for sandbox and incubation. So there's never been a case of a graduated project or a sub-project of a graduated project coming for a review here. So PJ suggested we kind of use this as a pilot case study, if you will. How do we do this? I'm happy to lead that; I put myself on the ticket.

K: I think we can use most of the security review, Security Pals materials, and we'll call out tweaks and suggestions. That said, the scope should be different. This isn't, I mean, this is my opinion, but feel free to vet this with other folks on the Cluster API team. I think they want more of a traditional audit assessment.

K: You know, even maybe at a pen test level. So I think we will quickly go beyond the Security Pals security review scope and use that as kind of a first step, and then dig deep into the audit side, and then, if money appears, we'll probably use that to cross-check the work that we do. But that's the plan. Nothing is actually, other than the GitHub issue 603, nothing has actually started yet.
B: So is it in a position where, you know, you're gonna do it and we need more volunteers and ask for help, or is it still an exploration phase, I would say, like?

K: Yeah, that is a question. I guess it's kind of, again, if I follow the flow chart, Emily is saying the Security Pals process isn't appropriate.

K: PJ is asking, can we pilot something else? So we're kind of at that decision tree, like do we say yes, do we say no?

K: If we want to officially kind of embrace this as a pilot for a graduated or graduated sub-project edge case, then yes, then I think we'd, you know, officially comment on the PR, say that the CNCF SIG is taking it on, and then ask for volunteers. But I think we're at that decision point.

B: I see. So just for my own education, was this an ask from the Kubernetes SIG, or is this something... it was?

K: More of an ask from PJ to us here at the SIG.

B: No, it's an interesting thing to think through.

B: Yeah, I mean, there's a lot of roadmap items that we have on the group to tease out and get that going, say, for example, landscape and a few other white paper derivatives that exist that need some closure, and, in addition, we also have assessments.
B: So I would push it back for discussion, at least with TLs and chairs, because so far it's always been like TOC driven, just like what Emily said, and it was basically around projects as the granularity with which we've actually done stuff, and it has those clear goals in terms of what that really means for the process within incubation or within sandbox and within graduation. But this one will be a bit different from what we've been traditionally doing, so yeah, I would.

B: You can do that, and we can always invite them for a readout of what the report is and have a session. That is something that I think it'll be useful for the group to understand what's going on there, and it's an important enough initiative that I think it'll be worthwhile for the group to understand the landscape. It might impact a bunch of the projects that actually depend on Kubernetes, are built on top of community security or Kubernetes framework in a way, right.

B: So I'd explore that. I'd probably think through in terms of the long-term consequence and what it sets up as precedence, and then think about the scalability of the group and...

K: Yeah, I think that's not true. I think it was a good model, because the point of, you know, are we then going to take on every API group and every Kubernetes as a review project? Probably would overload the...
K: Okay, and then so I'll just roll into the other update I had. So the policy work group, which, just a kind of a point of order.

K: We started off as a CNCF policy work group, of which I was originally a co-chair, but the two original founders have kind of dropped off and gone dead, and then we had a new co-chair, but we're rehoming that to the Kubernetes. So actually our repo is under the Kubernetes repo structure.

K: So technically I guess we should be calling ourselves the Kubernetes policy work group, but, you know, anyway, so there's some disentanglement that needs to happen, since we're technically still pointers from the CNCF policy work group. But anyway, it's one big, happy family. So just FYI, we are working on a drill-down white paper. So this is, I put a link here, this is a policy specific white paper, and in particular Kubernetes policy, but it has some cross-cutting concerns.

K: You know, how do you implement policy? How do you measure policy? How does policy map to compliance and regulation? So not CNCF policy, not multi-project policy, very Kubernetes oriented, and in particular the work group has kind of narrowed its work product to a Kubernetes CRD for policy reporting. You know, and down the road we'll have other CRDs for policy, various ingestion, execution.

K: Whatnot, but right now the policy report is kind of just a standard resource for any sort of tool that wants to represent their findings in Kubernetes as a resource. So then you can use, you know, downstream tooling to aggregate all that data. But if anyone's interested in contributing or just reviewing or keeping track of progress, the outline is very much a work in progress draft. We've had a couple of working sessions, but it's out there; feel free to comment.
B: Precisely for this reason we, and there was a huge overlap between SIG Security and policy working group, so I don't know how much you know. A policy working group was integrated into SIG Security with a PR which was pending on Harvard for a while, and the objective was to unify this so that you can have...

B: You can still have multiple streams under security, but then policy will be part of this, because one of the things that it's very important for, specifically for policy, because it is a cross-cutting concern not just for Kubernetes, and it will be applicable for multiple other infrastructure projects as well.

B: They are part of the CNCF umbrella, so if it feels like it's a general purpose thing that needs a cover across multiple projects, I think it's good to unify, because then what you'll see is multiple policy working groups and multiple different projects getting spun off, and then we'll have to worry about unification of that. So I would get that carefully. If you want, I can pull up the issue and then we'll share. Maybe we can take this to Slack and discuss about how we want to proceed with this.

B: I feel you can't do policy in isolation, right, and there are layers of policies, right, especially when service mesh comes into picture and so on and so forth. So the whole integration, just doing Kubernetes policy and not leaving out security policy, doesn't make sense. So the table of contents we reviewed this morning does have a lot of security content in it as well, and one of the action items I got from the group was that next week I will review the agenda with this forum.

I: So if there's any feedback, we should update it, but long term I think it makes sense to combine that group as part of this, because the participation is from people who are policy people, but also security people there as well. So I think good value and good overview from different points of view from different participants here as well are needed on that.
G: There's an overarching security framework. I think that's the thing that, you know, I think, should be driven by what the team's doing here, right. So what Robert's doing out here, because I think in terms of subject matter experts, I don't think there's anybody better than this group, right. So that's kind of my unsolicited opinion here.

B: So I'll take, I will probably take Robert's lead on this, as he's been starting that. So Robert, if it's okay, maybe we can chime in on an existing thread, that, yeah.

K: Absolutely, happy to. Just a factual piece of data is, from an organizational perspective, it has forked, so that the repo is now under the custodianship of the Kubernetes structure, and so, you know, like, you know, you're literally at a GitHub...

K: You know, PR level, permissions level. So not to say that all these human calls, I'm not going to use the word policy, human organizational factors can't be reworked and unwound and rewound and all these things, but from a tactical perspective it has already forked, and so the group has kind of gone down this Kubernetes path. But that's not to say that we can't re-emerge into the master, so happy to do that. Happy to have that conversation, and this is, I think, yeah, Slack.

K: We can do a spin out Slack for anyone who's interested, yeah.

B: Yeah, let's take a look, lead on that, and I'd chime in on that thread. If you can create a Slack and we'll pull up the existing issue, so we can start discussing there.
I: So JJ, I already provided my update, right. It was about the policy working group. Also, there is another Kubernetes security group that is also working on a policy paper. So Emily gave me the action to coordinate a meeting between the three leads, right, and figure out what these papers are about, so we don't have overlap and we can coordinate the efforts, also next week.

L: Indeed, apologies for some radio silence over the past few weeks. It turns out that the fourth of May is a lightning rod for various deadlines and deliverables, but the CTF is coming on leaps and bounds. We're mostly there with all the scenarios.

L: We're very excited, suffice to say. As I'm sure everyone knows, there's a lot of people lined up on Twitch to contribute, and thank you to everybody who contributed scenarios as well. They were incredibly useful. So, yes, full steam ahead. All is well, and I look forward to the day after the 4th of May. Awesome.
L: I suppose it's an appropriate time to say that I do miss the meet-ups, so that the next KubeCon we have in person, I guess we'll do a security meet-up then as well, with any luck.

L: No, not this time around, actually. Just pure day zero.

L: Also going on, that's actually that the book is Hacking Kubernetes, with the venerable Mr Michael Hausenblas as well. The manuscript deadline is the Friday, oh, it's a week on Friday. So that's one of the many things that have conspired against me, but I'm on top of everything, everything's good. It's just, yeah, and it's in early access, but I mean, if people feel inclined to review, do please reach out, and there's some words there as well.

L: Yeah, it's up. The first two chapters are not actually indicative of what we've done at this point, but yeah. If people have spare cycles, and I realize that, with all the work people do contributing to all the community projects, it is a big ask, so there's no expectation, but you're welcome to a copy of the early manuscripts if people would like to review. Awesome.
B: Ash had no update. Ash, if...

B: Okay, awesome. I don't see anyone else having any other updates. There wasn't anything else on the agenda for today.

N: Yeah, I'm new, so yeah, I'm Steve, I'm based in the UK, I'm the CTO of a paytech startup now approaching about 200 people, half of which are engineers, and out of that we've got about 10 dedicated security team, so we have most of our platform on AWS, we're starting to use Kubernetes.

N: So I thought I would join the group. Probably I will try and drag some of my security engineers along rather than me, because I think this content is probably more relevant for them, but yeah. I thought I'd turn up and just listen. Thanks.

B: Awesome, if there's not much, then we can call it a wrap. Thanks, you all have a good one. See you in a couple of weeks.