From YouTube: CNCF SIG Security 2020-12-09
A
Yeah, like I got a lot of help, I think. Should have been more there, but.
B
That's fine, I think it'll just fill up whenever, scribe. We realized after a while. So just kind of taking a couple of notes here and there is good enough, since we are actually able to pull off the recordings, and I think there was an issue where we were discussing how to kind of make that available as well.
A
All right, it looks like we have critical mass. Hello everyone, I'm Dan Papandrea. I'll be the facilitator for the SIG Security meeting for December 9th today. Just a reminder, the meeting is being recorded and posted to YouTube shortly after. Your participation in these meetings is an agreement to abide by the SIG Security code of conduct, which we found in the repo.
A
Now that I've got the housekeeping out of the way, let's start the magic. So, in terms of our proposed agenda today, first on the docket here is to discuss replacement of exclusionary language in favor of inclusive language, a very important topic, in the security repo. Looks like Andres Vega, you're the point of contact with it, if you would like to kind of discuss with the group.
B
To that, I think, let's kind of do a round. I think that will mention a couple of new folks, so we can do.
A
Oh, I apologize, I wasn't on the agenda. No worries, go ahead. Yep, so let's do a round of who's new to the meeting, and just want to welcome you to SIG Security.
C
Hi, another John here, joining from Toronto, Canada. I'm actually the manager for more secure computing, so we're basically a security consulting firm, and currently with some focus on cloud applications, mostly on Kubernetes. Thanks.
B
Awesome, all right. Yeah, John, if you can add, kind of, I'm not sure the thing is still there, I'll paste it again in the meeting notes. If you add your name and kind of where you're from, it also gives a good way for people in the meeting to kind of sync up if they have something interesting to talk about with you, or common interests.
A
Sorry, Paul, go ahead. Yeah, no worries, no worries. I literally was just reading from the script. Over to you again. We can discuss the first topic on the agenda as we saw there, so Andrei, Stephen, Andreas, if you'd like to comment on it, I'd love to hear about it. So what did, so with the group.
G
The Zoom today, you were saying, wait for people to join and all that fun stuff, and I was like, wait, since when did this call become fun? Not sure. I did fun once in my life, it was terrible. It was not for me. I decided never again, but well, now that we have Pop here, things might change, I'll reconsider that. So that is true. The title is self-explanatory.
G
I think this is actually part of the broader concerted, like, initiative from CNCF. We don't need to, like, take it up all under the big umbrella, but individual projects can, like, self-start and start making changes there. Obviously there is so much low-hanging fruit. There's things that are maybe sprinkled in text all across the repo that we can start to take up on. Obviously moving from master to main is more of a change.
G
Well, I think, Brandon, you'd looked into some of the depth tooling built around, like, what would be the level of impact that making this move might change, so we might want to evaluate that. I've had a busy day in the last four, well, basically two days since opening the issue, so I haven't quite caught up on the latest conversation. I saw a quick mention of linting, so yeah.
B
Yeah, I think there's a new PR that's open.
B
Let me find it. It is, for example, PR fall 72; John Hill Hyugas has opened it. It looks pretty good, and I think that may be kind of a good place, but that as well. Let me link that in the info request.
A
So there's one thought I have in that: if you all haven't seen the KubeCon talk by Celeste Horgan in terms of inclusive naming, maybe that is a good kind of start to understand, like, you know, what's there. So I'll put this in chat. I thought it was very well done, and she, I think, was on, I believe, the group with, I think, Stephen Augustus and some folks in IBM and Red Hat that kind of put together that inclusive naming. So it might be.
A
I'll put that in chat right now. So if you all want to take a look at that, just to kind of understand the grounding, obviously, and why it's a very important topic.
H
I just had a question. All on board, full speed ahead, choo choo, but do we want to, like, formally recognize inclusivenaming.org as kind of the standard bearer? I'm thinking about, you know, putting something in the repo so that people moving forward, who are new, discover it rather than trip over it.
G
Yeah, yes, there are instances I came across, particularly assessments. That's the area I've been involved in the most, where self-assessments describe the architecture and properties of the project. There's mentions of whitelist, blacklist, etc., etc. So these assessments end up checked in at the assessments subdirectory once completed, so yeah. Those were some of the instances.
B
So I think, Andres, I think you created this as a proposal, so you'd be willing to kind of head up this effort. So I think we can make this a kind of official project and track it on the project part as well.
H
I was gonna ask, and it's totally cool either way, but for rolling things, right, like the repo and content, makes sense. For a point-in-time artifact like an assessment, if we do replace all language, swapping, I have a small wonder if maybe it doesn't change semantics of certain language.
H
It's possible that that's totally not a real concern, but for kind of historic artifacts, I'm not totally sure if the right thing to do is to go back and change them in place, or if the best thing is to move forward with that language kind of negotiated in real time with the other entities. That was my only thought.
I
So the metadata frameworks need to go with the data, that's kind of the messaging, and we're trying, we're wrestling with this as an enterprise-wide data protection scheme, and so I thought I'd bring that up here as it really, it can change the way we think about things like access permissions and the tagging that goes with that. Okay, end.
A
So yeah, no worries. I was just, everyone okay with this, for us to move on to the next topic? No other thoughts on this? All right. Next up, the venerable Brandon Lum, talking about, discussing the security landscape. Again, I read from scripts, everyone, I'm a trained monkey. That's what I do, so.
B
Thanks, Bob. So we were chatting about this security landscape somewhere earlier in the year. The idea was kind of, we're looking at the original security landscape, where, you know, there's a bunch of categories. Actually, let me just share my screen. I think it may be easier to show that example of it.
B
I think it's this one. Cool, so if we go, this is kind of like the first landscape that we did, right. So we have these things for categories, and then, if you go into categories, we just basically say this is identity, access control, privacy provision, name, blah blah blah.
B
It wasn't very useful, which is kind of like defining things here and there. They really talk about, like, either the access control, you know, dispense multiple things: how does it really fit into the ecosystem? And things like that, right? These concepts alone are useful to be defined, but they're not really useful in terms of talking about it in the ecosystem.
B
The other thing that we had here was, you know, there was a lot of back and forth on what exactly these things meant, and so the idea was that we would kind of create a security landscape version 2 which really provided a view of the security landscape through different processes, or, like, different components of the ecosystem.
B
Security landscape iteration two, that we kind of started out a little bit, and the idea was, like, we wanted to be able to say: okay, here's a couple of processes, a couple of, you know, larger topics that you'll be involved with in looking at the security ecosystem of your organization or your deployments, and, for example, one of them that we started looking at was okay.
B
Building a cloud native application, here are the steps that you kind of need to do, and then for each individual one, like, if you hover over it, they'll talk about the threats. They talk about the prevention and mitigation, and also, if you click more details, you know, there may be some information about what projects you can use or what are the relevant projects which touch this. And the idea here is that, you know, we would have these multiple processes, and we could also show, like, how these topics will link to each other.
B
For example, if you're building a cloud native application, part of it is, like, signing the content to ensure the integrity, but at the same time, you know, when you're setting up the infrastructure, you need to ensure that you are able to verify that signature as well.
A
You know, data of, like, all of these pieces, and then somebody who's new to any project in general, in terms of security, should be able to look at this and quickly discern, okay, here's what I need to do for, you know, whatever it might be in the landscape, right? Is that kind of the thought process as to why, you know?
B
Yeah, exactly, and kind of the way we were seeing the cloud native security white paper, and for those that were involved with the process, you saw there were things like we took off all the projects and examples and said that, okay, this was linked to the landscape. So the idea is that the white paper will be updated and every single section would be clickable, where it could link you to the appropriate part of the landscape.
B
So, if you're going to arrange it, okay, workload integrity, and you click on, while other things in the landscape, will bring you to the landscape with a certain filter that shows you visually what are the projects that you have to look at and what are the kind of other components that it is linked to as well.
G
I wonder if it'd be good to visualize as a directed graph of projects that might intersect, or if, like, you're coming in because you've been working on OPA and just realize there's all these other projects that you could potentially integrate or interoperate with, like, what are the things that OPA works with that you might want to look at next, or Falco or SPIFFE. Whatever your entry point is, or if you're new or relatively new, you must have some background in systems somehow, most likely.
B
Yeah, exactly. So I think the idea is to have initially what's a graph. I think it'd be ideal if we could kind of have that same representation, so you would look at, for example, if you click something in the white paper, it brings you to, let's say, dependency management, right, so you look at this and then you could, let's say it involves some projects for dependency management, and those projects also appear in other parts of the ecosystem, right.
B
So then it would be relevant to start looking at those parts of the ecosystem to kind of see. So, for example, dependency verification maybe links to supply chain. So then, you know, someone could kind of start looking at supply chain, like how do these things relate to each other, or, you know, they could also take the project, you said, where they, you know, just zoom out a little bit, see what are the adjacent connected topics, and then look at those as well.
A
Is anyone familiar with what Cheryl Hung's doing in terms of the tech radar? So she's basically, like, taking the landscape projects out there and saying, okay, CI/CD, for instance, right, and it was like, here's what the community, or the folks using it, so end users, were saying where the projects would be. Ideal also is to include a link to that in this document as well.
B
Yeah, that's interesting. I think I have already seen that on the radar yet, so let me, oh, I may go ping Cheryl, see what's up over there.
A
Yep, yeah, because I know when I talked to her, like, that was on the docket, but I think they went further. They went CI/CD, they did observability. I think security was one that, like, again, everybody on this call would have some amazing feedback to, you know. All right, so it could be helpful for Cheryl as well.
G
For sure, thanks for bringing that up. One thing I've heard from end users and, like, prospective end users is they've used the CNCF trail map as the blueprint for implementation projects. So they get that list and, yes, we're gonna bring Kubernetes, and there's other, like, peripheral things to it, and maybe that takes nine months to a year, and at that point it's like, okay.
G
What should we look at next? And then they discovered this radar, or they discovered something else, and at that point in time, like, all these afterthoughts become, like, another lengthy planning and deployment effort, as opposed to, like, bringing it earlier to their teams and in their projects to say, hey, we have a greenfield deployment. We need to plan all the security things ahead, like, if we're looking at this, like, water.
B
Yeah, I think one of the potential things that we're looking at also is kind of recommendations to the CNCF of what are some other projects that we think would be good to be part of the CNCF, as well as also recommendations on, you know.
G
Yeah, it has to be a progression, right. It's like a couch-to-secure, and, like, people talk about secure by default as this panacea, and, like, if you make it super restricted, well, for one, if you publish this thing with all these recommended practices, people are going to be, like, what? Like, where do?
B
Gotcha, yeah, I think that's definitely something we have to look at, but I think we're gonna see this as kind of, like, independent of the cognitive security landscape, I'm sorry, the cloud native landscape, the overall one. I think they kind of serve different purposes.
B
About providing a high-level overview and kind of provide, and, like, I almost want to say, like a skull card for, correct, yeah, yeah.
J
If those are different, then maybe it's something else, should be called something else, so that people who are coming in without any context might not confuse these two things, which maybe are unrelated.
B
That's a really good point, yeah. Maybe we should come up with a new name, as we were talking about with assessments, because, yeah, by definition, don't sound the testimony, yeah, yeah. Okay, yeah, that's a good point. I think we can, so, we have kind of an issue open, it's in the agenda. Let me paste it in the chat as well.
B
If you're interested in kind of talking about this, you know, being involved with this, just comment on the issue. I think mainly we're looking at, you know, how are we going to present this information?
B
The content of what the information is gonna be, we can get help from the CNCF design team to kind of help do up some mock-ups and things like that, yeah. So, if you're interested, put a couple of comments on this. I think we are looking to kind of start focusing on this again once the, in January.
G
If you're waiting on that issue, the process orientation looks really good, like, what's the context of what you're doing, depending on that, these are the things you want to look at. When the previous person talked about mappings, it came to mind: well, how about we think about outcomes? If you're after confidentiality, these are the things that you should be engineering together. If you're looking at mTLS, together, these are, like, three projects.
G
You can piece together to accomplish that sort of thing, so yeah, sorry to jump back into the previous topic, but just a follow-up thought.
A
All righty, again, everybody okay at this point? Anybody have any other thoughts before we, I guess, finish the meeting?
J
Hey, Pop, one question. I was wondering what everyone is thinking. So many of us worked on the CNCF security white paper. I think it's been now, what, two, three weeks since it was published.
J
So what I was wondering is: is there a way we could come up with to sort of do a retrospective while getting feedback from the community in terms of what they probably would have liked in the paper? What could have been better? And that will kind of give us ideas into the next version, whenever we publish that.
B
Can you create an issue on this and then tag Tech, myself and Emily? I think that this is something, like, the chess can go up to CNCF and get them to get us feedback for.