►
From YouTube: CNCF SIG Security 2020-12-09
Description
CNCF SIG Security 2020-12-09
B
B
C
B
A
A
B
That's
fine,
I
think
it'll
just
fill
up
whenever
scribe.
We
realized
after
a
while.
So
just
just
like
kind
of
just
taking
a
couple
notes
here,
and
there
is
good
enough,
since
we
have,
we
are
actually
able
to
pull
off
the
recordings,
and
I
think
there
was
an
issue
where
we
were
discussing
how
to
kind
of
make
that
available
as
well.
A
A
All
right,
it
looks,
looks
like
we
have
critical
mass
hello
everyone,
I'm
dan
papandre
I'll,
be
the
facilitator
for
the
six
security
meeting
for
december
9th
today.
Just
a
reminder,
the
meeting
is
being
recorded
and
posted
to
youtube
shortly
after
your
participation
in
these
meetings
is
an
agreement
to
abide
by
the
sick
security
code
of
conduct,
which
we
found
in
the
repo.
A
Now
that
I
got
the
housekeeping
out
of
the
way,
let's
start
the
magic
so
in
terms
of
our
proposed
agenda
today.
First
on
the
docket
here
is
to
discuss
replacement
of
exclusionary
language
in
favor
of
inclusive
language,
very
important
topic
and
the
security
repo
looks
like
andres
vega
you're
at
the
point
of
contact
with.
If
you
would
like
to
kind
of
discuss
with
the
group.
A
B
A
E
C
B
Awesome
all
right
yeah,
if
john's
you
can,
you
can
add
kind
of
I'm
not
sure
the
thing
is
still
there
I'll
paste
it
again
in
the
meeting
notes,
if
you
add
your
name
and
kind
of
where
you're
from
it
also
gives
a
good
way
for
people
in
the
meeting
to
kind
of
sync
up.
If
they
have
something
interesting
to
talk
about
with
you
or
common
interests,.
A
F
G
The
zoom
today
you
were
saying,
wait
for
people
to
join
and
all
that
fun
stuff,
and
I
was
like
wait
since
when
this
call
became
fun,
not
sure
I
did
fun
once
in
my
life,
it
was
terrible.
It
was
not
for
me.
I
decided
never
again,
but
well
now
that
we
have
pop
here.
Things
might
change
I'll
reconsider
that.
So
that
is
true.
The
title
is
self-explanatory.
G
I
think
this
is
actually
large
of
the
broader
concerted,
like
initiative
from
cncf.
Just
we
don't
need
to
like
take
it
up
all
under
like
the
big
umbrella,
but
like
individual
projects
can
like
self-start
and
start
making
changes
there.
Obviously
there
there
is
so
long
low-hanging
fruit.
There
there's
things
that
are
maybe
sprinkled
on
on
text
all
across
the
rapport
that
we
can
start
to
take
up
on,
obviously
moving
from
master
to
maine
is
is
more
of
a
change.
G
Well,
I
think
brandon
you'd
looked
into
some
of
the
depth
tooling
built
around
whether
like
what
be
the
level
of
impact
that
making
this
move
might
change,
so
we
might
might
want
to
evaluate
that
I've
had
a
busy
day
in
the
last
four.
Well,
basically,
two
days
since
opening
the
the
issue,
so
I
haven't
quite
caught
up
on
the
latest
conversation.
I
saw
a
quick
mention
of
lenting,
so
yeah.
B
B
G
A
So
so
there's
one
thought
I
have
in
that,
if
you
all
haven't
seen
the
kubecon
talk
by
celeste
horgan
in
terms
of
inclusive
naming.
Maybe
that
is
a
good
kind
of
start
to
understand
like
what
you
know,
what
that's
there.
So
I'll
put
this
in
chat.
I
thought
it
was
very
well
done
and
she,
I
think,
was
on,
I
believe
the
the
group
with
I
think
steven
augustus
and
some
folks
in
ibm
and
red
hat,
that
kind
of
put
together
that
inclusive
naming
so
it
might
be.
A
H
I
just
had
a
question
all
on
board
full
speed
ahead,
choo
choo,
but
do
we
want
to
like
formally
recognize
the
inclusivenaming.org
as
kind
of
the
standard
bearer?
Is
there
I'm
thinking
about?
You
know
putting
something
in
the
repo
so
that
people
moving
forward,
who
are
new,
discover
it
rather
than
trip
over
it.
G
Yeah,
yes,
there
are,
there
are
instances
I
came
across
particularly
assessments.
That's
the
area.
I've
been
involved,
the
most
where
self-assessments
describe
the
architecture
and
properties
of
the
project
there's
mentions
of
whitelist
blacklist,
etc,
etc.
So
this
assessments
end
up
checked
in
at
the
assessment
sub
direct
directory
once
completed
so
yeah.
Those
were
some
of
the
instances.
B
B
G
H
I
I
So
the
metadata
frameworks
need
to
go
with
the
data,
that's
kind
of
the
messaging
and
we're
trying
we're
wrestling
with
this
as
an
enterprise-wide
data
protection
scheme,
and
so
I
thought
I'd
bring
that
up
here
as
it
really.
It
can
change
the
way
we
think
about
things
like
access
permissions
and
the
tagging
that
goes
with
that.
Okay,
end.
F
I
A
B
Thanks
bob,
so
so
we
were
chatting
about
this
security
landscape
somewhere
earlier
in
the
year.
The
idea
was
kind
of
we're
looking
at
the
original
security
landscape,
where
you
know
there's
a
bunch
of
categories.
Actually
let
me
let
me
just
share
my
screen.
I
think
it
may
be
easier
to
show
that
example
of
it.
B
B
B
It
wasn't
very
useful
which
is
kind
of
like
defining
here
things
here
and
there
they
really
talk
about
like
either
the
excess
control.
You
know
dispense
multiple
things:
how
does
it
really
fit
into
the
ecosystem?
And
things
like
that
right?
These
concepts,
like
alone,
are
useful
to
be
defined,
but
they're
not
really
useful
in
terms
of
talking
about
it
in
the
ecosystem.
B
Building
a
cognitive
application
here
are
the
steps
that
you
kind
of
need
to
do
and
then
for
each
individual,
one
like
if
you
hover
over
it
they'll
talk
about
the
threats.
You
talk
about
the
prevention
and
mitigation
and
also,
if
you
click
more
details,
you
know
there.
There
may
be
some
information
about
what
projects
you
can
use
or
what
are
the
relevant
projects
which
touch
this,
and
the
idea
here
is
that
you
know
we
would
have
these
multiple
processes,
and
we
could
also
show
like
how
these
topics
will
link
to
each
other.
A
A
You
know,
data
of
like
all
of
these
pieces
and
then
somebody
who's
new
to
any
project
in
general
in
terms
of
security,
should
be
able
to
look
at
this
and
quickly
discern
okay.
Here's
what
I
need
to
do
for
you
know
whatever
it
might
be
in
the
landscape
right
is
that
kind
of
a
thought
process
as
to
as
to
why
you
know.
B
Yeah
exactly
and
kind
of
the
way
we
were
seeing
the
cognitive
security
white
paper
and
for
those
that
were
involved
with
the
process
you
saw
there
were
things
like
we
took
off
all
the
the
projects
and
examples
and
said
that
okay,
this
was
linked
to
the
the
landscape.
So
the
idea
is
that
the
white
paper
will
be
updated
and
every
single
section
would
be
clickable
where
it
could
link
you
to
the
appropriate
about
the
landscape.
B
So,
if
you're
going
to
arrange
it,
okay,
workload,
integrity
and
you
click
on,
while
other
things
in
the
landscape
will
bring
you
to
landscape
with
a
certain
filter.
That
shows
you
visually.
What
are
the
projects
that
you
have
to
look
at
and
what
are
the
kind
of
other
components
that
it
is
linked
to
as
well.
F
G
G
I
wonder
if
it'd
be
good
to
visualize
as
a
directed
draft
of
projects
that
might
intersect
or,
if,
like
you're,
coming
in,
because
you've
been
working
on
on
oppa
and
just
realize,
there's
all
these
other
projects
that
you
could
potentially
integrate
or
interoperate
with
like
what
are
the
things
that
oppa
works
with
that
you
might
want
to
look
next
or
falco
or
spiffy.
Whatever
your
entry
point
is,
or
if
you're,
new
or
relatively
new,
you
must
have
some
background
and
systems
somehow
most
likely.
B
Yeah
exactly
so,
I
think
the
idea
is
to
have
initially
what's
a
graph.
I
think
it'd
be
ideal
if
we
could
kind
of
have
that
same
representation,
so
you
would
look
at,
for
example,
if
you
click
something
the
white
paper
you
bring,
you
do,
let's
say
dependency
management
right,
so
you
look
at
this
and
then
you
could.
Let's
say
it
involves
some
projects
for
dependency
management
and
those
projects
also
appear
in
other
parts
of
the
ecosystem
right.
B
So
then
it
would
be
relevant
to
look
at
start
looking
at
those
part
of
the
ecosystem
to
kind
of
see
so,
for
example,
dependency
verification,
maybe
link
to
supply
chain.
So
then
you
know
someone
could
kind
of
start
looking
at
supply
chain
like
how
does
how
do
these
things
relate
to
each
other,
or
you
know
they
could
also
take
the
project.
You
said
where
they,
you
know
just
zoom
out
a
little
bit,
see
what
are
the
adjacent
connected
connected
topics
and
then
look
at
those
as
well.
A
Is
anyone
familiar
with
what
cheryl
hong's
doing
in
terms
of
the
tech
radar,
so
she's,
basically
like
taking
the
landscape
projects
out
there
and
and
saying
okay
cicd,
for
instance
right
and
it
was
like
here's
the
what
the
what
what
the
the
community
or
the
folks
using
it
so
end,
users
were
saying
where
the
projects
would
be.
Ideal
also
is
to
include
a
link
to
that
in
this
document
as
well.
B
A
Yep
yeah,
because
I
know
when
I
talked
to
her
like
that
was
on
the
docket,
but
I
think
they
they
went
to.
They
went
further
cicd
they
didn't
observability.
I
think
security
was
one
that,
like
again,
everybody
on
this
call
would
have
some
amazing
feedback
to
you
know.
All
right
so
could
be
helpful
for
cheryl
as
well.
G
For
sure,
thanks
for
bringing
that
up,
one
thing,
I've
heard
from
end
users
and,
like
perspective
end
users
is
they've
used
the
cncf
trail
map
as
the
blueprint
for
implementation
projects.
So
they
get
that
list
and
yes,
we're
gonna,
bring
kubernetes
and
and
there's
other
like
peripheral
things
to
it,
and
maybe
that
takes
nine
months
to
a
year
and
at
that
point
is
like
okay.
G
What
should
we
look
next
and
then
this
they
discovered
this
radars
or
they
discovered
something
else,
and
at
that
point
in
time,
like
all
these
afterthoughts
become
like
another,
like
lengthy
planning
and
deployment
effort,
as
opposed
to
like
bringing
earlier
and
like
to
their
teams
and
in
their
projects
to
say,
hey,
we
have
a
greenfield
deployment.
We
need
to
plan
all
the
security
things
ahead
like
if
we're
looking
at
this
like
water.
G
Yeah,
it
has
to
be
a
progression
right.
It's
like
a
couch
to
to
secure
and
like
people
talk
about
secure
by
default.
Is
this
panacea
and
like
if
you
make
it
super
restricted?
Well
for
one
of
you,
if
you
publish
this
this
thing
with
all
these
recommended
practices,
people
are
going
to
be
like
what
like.
Where
do?
A
B
B
C
J
B
That
that's
a
really
good
point
yeah.
Maybe
we
should
come
up
with
a
new
name,
as
we
were
talking
about
with
assessments,
because
yeah
by
definition,
don't
sound
the
testimony
yeah
yeah,
okay,
yeah,
that's
a
good
point.
I
think
I
think
we
can
so
so
I
we
have
kind
of
a
issue
open
it's
in
the
agenda,
I'll.
Let
me
paste
it
in
the
chat
as
well.
B
B
B
A
G
If
you're
waiting
on
on
that
issue,
the
process
orientation
looks
really
good
like
what's
the
context
of
what
you're
doing,
depending
on
that.
These
are
the
things
you
want
to
look
at
when
the
previous
person
talked
about
mappings,
it
came
and
came
to
mind.
Well
how
about
we
think
about
outcomes
if
you're
after
confidentiality?
These
are
the
things
that
you
should
be
engineering
together
if
you're
looking
at
mtls
together,
these
are
like
three
projects.
A
A
J
J
So
what
I
was
wondering
is:
is
there
a
way
we
could
come
up
with
to
sort
of
do
a
retrospective
with
while
getting
feedback
from
the
community
in
terms
of
what
they
probably
would
have
liked
in
the
paper?
What
could
have
been
better
and
that
will
kind
of
give
us
ideas
into
the
next
version
when,
whenever
we
publish
that.