From YouTube: CNCF SIG Security 2020-10-28
A
A
A
A
A
B
Sorry, could I confirm that my audio is coming through?
B
All good, awesome, thank you, pardon. I had myself on mute for 30 seconds. I feel silly, so take two. Good day, everyone, welcome to this week's CNCF security weekly meeting. I'm just gonna. I just posted a link to the meeting docs, and I meant to do that to everyone. Literally today is not my day, and I'm just going to ask if anyone is able to take over for a scribe role today, essentially meeting minute slash note-taking.
B
If so, there's the link there and just feel free to jump in. With that said, I'm just going to jump into our today's agenda, and I believe Emily has some topics to cover, so I'll largely do for her to take the lead today.
B
Let's see, got the attendance and items here. Okay, so I'm just looking at the SIG slash chair check-ins, and there are no updates of that. So I see the one from Emily here on Security Day and cloud native security white paper. So Emily, would you care to grab the mic?
A
Of course, so quick updates: Security Day is still happening. We have over 800, I think 700, over 790 folks signed up, which is amazing and actually very awesome that we've got that many people.
A
So I've also heard about the CTF that we'll be running on Cloud Native Security Day, and it sounds like it's going to be super awesome. So if you know of anybody that's interested in a CTF, we're going to be running one that day; all they need to do is join in for Security Day. We'll also be promoting the Security Day event on the CNCF Twitch channel. So if you're on Twitch or interested or know of folks that want to learn more about it.
A
I believe we're doing that next Wednesday, about an hour and a half after the meeting or maybe within an hour of the meeting, so that's coming up. And then the cloud native security white paper: we, eradica had mentioned in the chat that she got a lot of compliments on the paper and the quality of the content.
A
So she wanted to pass on kudos to the team, but I also wanted to mention that we got over 1200 suggestions, changes and comments about the document, which more than 80 of them were included or had slight tweaks before being included, so really awesome job by the working group to get that done. So the review has officially ended.
A
I'm still waiting on that paragraph from the storage team. They're working diligently on it to get it over to me, and I will have it added in, and then we are presenting it to the TOC next week during their meeting to get buy-in and feedback off of that and next steps. So right now everything is on hold.
A
So those are my updates. Does anybody have any questions about any of those things? So Emily, do we have to incorporate these comments before KubeCon? So everything was already merged into the paper. So all of the comments that we got, I think you and I, no, JJ and myself, went through the document and started adjudicating several of the comments, but there shouldn't be any of them that are outstanding at this point.
A
Okay, next up. So today is a working meeting. There's only two things that I have on the agenda, and Brandon said that he could not join us today, but he wanted me to put a reminder out there. The synthesized list of improvements for the security assessment working group are up.
A
Next up, you probably have seen changes to the Google doc for the meetings, and that was at the suggestion of one of our members to make it a little bit easier for scribes to use the document. I don't know that we had anybody sign up to scribe today. We do? Yes, excellent, so want to make sure that the new format is much easier to use.
A
If it is, great; if not, please provide feedback on the ticket. I believe it's ticket 426, yeah, on ticket 426, to see how we can improve this and make it easier for everybody to provide comments on our documents.
A
A
B
I was, Matthew here, I was just going to ask on the template: what's the best way for someone to reuse it? Like, is the, at the very bottom of the document in the heading section, there's something I think titled meeting templates, and I was wondering, should we just purge everything beneath that and put a new one that's pretty much a copy paste of the one we're using today, just so people can copy paste it, page break at the top, and put a new one in and keep it in sync?
A
Yeah, so that's a good question. I moved the temp, all right, I made a template off of one of the suggestions and linked it within the document. So if you scroll up above the security meeting for today, you'll see a couple of arrows over linked to copy meeting notes template, instead of scrolling to the bottom. So if you open that document, it's a blank template that you could just copy in and move over, but open to suggestions.
B
A
Okay, and is Sarah on? I don't see her. Okay, well, hopefully Sarah will be able to join us today. I had checked in with her and it seemed like she might be able to. So I've been going through a lot of the issues to make sure that our members have something that they can work on.
A
We have a label that we can affix to issues that are like needs help, help wanted, good beginner issues, so going through and starting to review them. If others want to jump in and take a look at them as well and see if there's something that might be good for a new member in the repo to get involved with, that would be super awesome. But also wanted to try to clean up some of our older issues in our queue, and Sarah had submitted a ticket on key elements of trustworthy systems, which is issue number 20.
A
I wanted to see who all was interested and kind of furthering that conversation, determining whether or not it was still a need. My initial look of the Google doc linked in the ticket that I just dropped into the chat looks like it could be a follow-up to the white paper and potential new working group for the, for the SIG.
A
A
B
Is this, sorry, I was just quickly reading it, is this number 20? Issue 20 was again components of, no, sorry, key elements of a trustworthy system.
A
B
Is this meant to be like a general, say, guideline, or is it more like an official prescription, like these are sort of some baselines people should cover in general, and here are certain tools or whatnot that go into the pieces when designing a distributed infrastructure? Like, is it something we sort of would put CNCF security's name on, as we endorse this is the way thou shalt set up a baseline distributed system for security, or is it more these are best practices? I guess, what's the intended audience of it?
A
So, so that's what's not entirely clear, and Sarah could probably speak a little bit more to it, but I wanted to try to make people aware of it and start having that discussion. I believe it's intended to be a best practices document and more of things that you should be considering in your organization, so kind of using as a reference.
C
E
I can, I can add some color to this. This one was originally when we formed the SAFE working group. I think this was like the initiation of white paper, or structure around, like, things that we need to think through in terms of white paper.
E
White paper itself is more of a descriptive thing. The key elements of trustworthy system should be more aligned with the landscape and should be more of a prescriptive thing, so between white paper and landscape, I think we can probably merge this to be like a one thing, not have to have this separate.
C
So JJ, does that mean that we are talking about really high value assets and how do we protect critical applications, like confidential compute and those kind of concepts, in this paper as well?
E
So we, the idea was, like, the most of the ideas that we had when we put together the key elements were captured in white paper, so I wouldn't actually trans separate this, but the thing that you're mentioning can be somewhat captured in the trustworthy.
E
B
To make sure I didn't miss your one part earlier: is the intent that this issue 20, that this document would become a section of, say, the white paper at one point, like a chapter, prescribed best practices sort of thing, or long term, would they remain as separate entities, this document plus the white paper? So.
E
I would, until we finished landscape, it, it might be worthwhile to defer this until we finished landscape, because landscape will cover a bunch of what needs to be covered here, and then it's possible that we don't have to do this, or we may have a need to do like a best practices based off of the review of paper and landscape together, right? So I don't know how prescriptive we'll go in the landscape until we finish the landscape, so it might be a bit too early to see.
B
I, I myself fell out of a touch; I was absent for about a month from meetings. The, the landscape, is this essentially a subset of the CNCF interactive landscape but focused on security, or is it our own landscape, and does it use the CNCF landscape engine, like the nice presentation appears?
E
E
D
E
E
B
Okay, so I think I get a better idea of this. My, this is probably me putting a cart before the horse, so I'll bring it up. But I've heard of colleagues have noticed, have found that into the CNCF interactive landscape is pretty darn, just because they're, sort of gives them this burst view of what they need for their projects in general, know what they don't know and take it from there.
B
So maybe a nice little prettification down the road: it could be possible best practices document links into, say, a separate instance of that landscape with just the security-focused pieces. One needs an ingress controller, one needs an admission controller, maybe a mutating admission controller, policy, enablements service and stuff like that. It might be some sort of onboarding tool to supplement work that's already in the, that argument. Just my two.
D
B
E
B
Okay, I'll drag this one to Emily. Are there any additional topics in this thread, or, oh good.
A
B
Awesome. Okay, I'll just quickly jump back here to the, oh my god, stop opening! So many.
B
B
Okay, pardon for the delay. I didn't see additional updates on the meeting minutes, there's just waiting for the doc to reload, and I don't see any old check-ins or anything from SIGs or groups, so at points I'll just open the floor for anyone that wants to grab the mic or bring up any topics or tickets that need attention, and after that, if there's any new people that would like to introduce themselves, I'll open the floor for that.
B
Okay, looks like we're good on that front. Shorter meeting today. Last but not least, are there any new attendees, anyone just listening in or looking to join anonymously security, that would like to quickly introduce themselves?
G
Yeah, yeah, sure, I'll introduce myself. Can you hear me? Yeah? I can't use it ron, yes, so my name is, like I mentioned in the Slack channel yesterday, I'm a security researcher for almost a decade and I'm a co-founder in the city of stilts mode startup, and I can't wait to contribute to the group.
B
F
Hi, my name is Marla Weston. I'm over at Intel, and so I'm listening in at this point. I'm trying to get some of our internal people more involved, but sometimes the way you spur that is by getting involved and then dragging them with you.