From YouTube: CNCF SIG-Security Meeting 2019-10-02
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
C: I am guessing she's not going, so she's moving down from Seattle to San Francisco. Okay.
C: There are some things I wouldn't mind talking about in regards to Falco and our annual review coming up. So you would like some perspective on that? I'd be happy to talk about that a little bit in that time slot. Okay, yeah. Let's do that then.
J: Apologies then. So we met yesterday and we discussed potential questions regarding room layout and table arrangements. We're waiting to hear back from Emily, hopefully by Friday of this week, and then we can move forward with figuring things out. We discussed potentially reopening the security day registration back up, but that's contingent on room availability, layout and other logistics planning, so we're kind of on hold at this point in time. Yeah.
C: We're projecting like 150 to 170 right now, and we've asked for a little bit of a larger room so that we have room to spread out a little bit as we do the open spaces and other things, and then fall in we've had seven sponsors as well. So the CNCF is pleased with that sponsorship rate. It was able to fund most of the day, so overall the program's coming together as well.
C: Yep, sure. So these slides are really rough. This is kind of like our probably second drafts of these, so apologize for that. Thank you, but you know, one thing that Chris Nova, who joins it, the apocalypse came recently with them, trying to encourage us to do is try to do more of our work in the open, and so you can kind of see these next slides, like they're kind of available perspective for our division.
C: Essentially, if you're not familiar, and I apologize with the sirens in the background, but if you're not familiar with the incubation requirements, we need to document that, essentially, thought was being used in production by at least three independent end-users, have a healthy level of commits and activity in the project, ongoing flow of commits and merged contributions, and then we should also have, I think what's not on here, which is missing, is that due diligence done as well, until the due diligence is kind of really going through and doing a typical for utilities?
C: So if you're not familiar with Falco, Falco is essentially container runtime security: monitor system calls for abnormal behavior. It's essentially a host intrusion detection system that's focused on container workloads, so we have some hooks into things like CRI-O and containerd to pull back container metadata information. We'll contact the Kubernetes master, pull back container and pod and deployment and so forth metadata information, and then we'll link that together with the actual system calls that are going through the kernel, and basically you can say, for this particular container running in this particular pod with this particular label,
C: I want to have this rule be enforced and basically alert me anytime that it makes a connection to the Internet, or an outbound connection that is not expected on particular ports or something like that, file I/O monitoring and all those things as well. So falco.org is the website. If you're not familiar with it, I would go over to check it out. I'm not gonna cover too much about what Falco is on on the consultation.
C: We were joined in the sandbox in October 2018, and it was a project that was started in May of 2016. So the growth of the community has actually been really good since we joined sandbox, and one of the things that I really enjoy about showing the difference is how much the sandbox process really helps the project grow. So the pre-sandbox period, that's a twenty-nine month period by the way, and then the post-sandbox is just a small time period, and you can see the commit velocity has gone up.
C: The number of contributors involved in the project are up, the number of companies that are contributing to the project. So contributors are anybody that's commenting on an issue or a pull request, but an area that we need to improve on is the number of committers that we have from different organizations, but that's actually a criteria for moving from incubation to graduation. Also, that's something that we'll be looking at improving as well, and then we're also progressing along the CII, which is the, Robert, what's the best damn forum, Roberts.
N: Yeah, hi Stan. So we had a little bit of discussion last week on attestation and certification and related to assessments, and I think we've driven things forwards, more clarity, working on, you know, PR and some guidance on some of the pages to make sure that, you know, this is not a certification program. This is us helping you, you know, produce better, better artifacts.
N: We can help in directing projects to the CII or informing folks that, you know, this is assessment. This is the journey that we're taking you on, by the way, that you're going to be going through, right, you know, and if you're looking for a certification or your badging, that is the resource. I really appreciate that, you know, yeah.
C: So this is a conversation I would love to have, because I think we went through our own journey on it. As we've had CVEs opened up, we went through the security audit to find our own. We've internally, within the last couple weeks, found our own potential vulnerabilities as well through our own engineering efforts, and that's just one aspect of security, and then there's lots of the other things that we have to go through, and it's been.
C: This is a little bit of a broader context that you need of why the CII things aren't for right and what I'm giving it, Freddy. Well, you need security at falco.org, because you have to have some sort of security response mechanism to respond to CVEs, and that maps into CII gold status, you know, 12.1, 12.2, 12.3. I'm just making up numbers, but the.
C: We have a lot of things that we have shipped as well over this period of time, and just kind of another one that we've added recently is gRPC-based outputs, and this is important because what it gives us is the ability to basically have our outputs go out to a variety of different sources. It makes it much easier, so people don't have to write C++ as well, and then it'll just help us be able to integrate them into the cloud native ecosystem a little bit better, and then, from an integrations perspective.
C: We have two that I was going to highlight around this. Archaeans are arson, they're basically a consulting company out of France, and they built basically an open-source platform which they call the secure cloud data fabric that integrates lots of different tools, as well as NATS, which is another CNCF project, of course Falco, kube-bench and some other things as well. But really thought was a pretty interesting use case, and then Sumo Logic has been integrating us in as well.
C: So a couple of good use cases of people pulling Falco into their products as well, which I think the CNCF tends to encourage. It's just not about end users, but it's also about how can you help the kind of other software providers build something useful around your project? And then we have a couple interesting end users of note, two of which are speaking at KubeCon, so frame.io is one where they publish Falco events into CloudWatch and then have the Lambdas react to them.
C: They actually have a talk at the Cloud Native Security Day, where they're using Lambda to basically tie into Amazon machine learning and their application load balancers, to basically use the feeds that they're getting, or the logs that they're getting from their application load balancers. They feed them into Lambda, which keeps them into the Amazon machine learning platform to start to find abnormalities, in kind of a machine-learning-based, laughs, I guess it's what you would call it.
C: Them, just like the things you need to do to go and get the information you need to be successful. There's another kind of an interesting use case that we're seeing by a lot of people, and you see right here. Actually, these three are all kind of the same use case. There's compliance requirements where you need to have an intrusion detection system, and so in the Kubernetes world.
C: So, as I said, one of the things that we have to go through is this due diligence, and so we need to. We need to, one, submit our core trust to request an incubation review, and then we need to go through this and kind of start to answer these questions. I believe it's up to me, correct me if I'm wrong, but I believe it's up to Joe and Lou's right to ask SIG Security to do the due diligence. Those are correct, I think.
C: From the security assessment, and this is kind of why we've been putting off the security assessment, because we have this that we have to go and do, and then we have a couple releases we're trying to get out before KubeCon as well, and so I don't. But it would be interesting to see how much overlap is there in the security assessment. But the challenge is for us.
C: I would be more than willing to have the spreadsheet of the security assessment next to us as we do this and see how many of those boxes that we can check, and make sure that we're meeting those criteria in the security assessment, and then maybe we'd say we're 80 percent of the way towards getting it done. Yeah.
A: Quick call to people to check this out. I've redone the readme page so that we compressed, like we moved all this stuff up, like the meeting times, we've added a new members page over here, and then we've squashed on with this, this, yeah. So this is PR 280. So if you have some extra time, take a look and provide some feedback on this.
F: This is also a quick one. I spoke with Sarah about how to move forward with the project. I originally thought that security was its own GitHub organization, so we could just transfer the internal repository and take there and have everything self-contained.
F: But SIG Security is just a repository under the CNCF, you know, the CNCF, yep, organization. So what I wanted to know was whether we wanted to move the repository to the CNCF, and we have jurisdiction to do so, a security, or did we want to either transfer it as a sub-module or just copy the Faubourg separate sub directory as a pull request, or what is the consensus here.
F: Okay, that was my impression as well. I didn't want to jump to Gandhi's yet because I didn't know if it was anything fishy there or if anybody had failed that night, and in here my understanding is that we will eventually want to make it a website that's postable, so we probably want a, instead of a depositor, but I think we can take it. Oh, I'll make the pull request this week and probably, yeah.
N: Yeah, it felt like it was really centered around the project, but you know, it had a good balance of, hey, you know, we also sort of backed this up, and I thought the discussion really supported that, that, you know, we, unlike, you know, our first time through, we had a few more, some findings along the way, and, you know, those were referenced as, you know, supporting the journey and, you know, helping drive towards more secure outcomes in the native ecosystem and for better cause than that.
B: Maybe there's been enough review now that we should go ahead and merge. I've been sick the last, I don't know, week-ish or so, and so it's part of the reason why I didn't do the right side of the presentation. Sarah was kind enough to do that, but I've also been hoping that I would have a moment to be okay and go through and read it as well, but I think maybe we need not wait on that. Maybe I should do. We should just go ahead and merge it. That.
B: See, okay, yeah, I did notice that you and others caught some really important little problems in there, so I think the process of reviewing it has been very helpful to that. It hasn't just been "looks good to me, looks good to me", but people have actually had legitimate on things that they've seen by looking at it. So.