From YouTube: CNCF SIG Security Policy Team 2020-10-28
A: Jim, we have a fire drill, a fire alarm in our building, so I'll just be on mute and go to see what's happening. No worries.

B: So I think, you know, and I took a quick look also at OSCAL and some of the things around it. So I mean obviously, and for me, like in your example too, it certainly seems possible to use OSCAL for at least, you know, one section of it, right? It seems like the spec is fairly comprehensive, but the section that we were most interested in happens to be in the assessment results part, right.

A: So that's why we presented only that. We are also working on the profile, on the mapping for a product or service, the mapping from their components to the controls and dependencies. We, you know, inventory, you know, formatting as well, so all those are available. So I think when we discussed with Jaya and Luis, the Red Hat management, the requirement was to come up with a phased approach. That's why we...

A: We made a mistake in January with a different team to bring the whole framework, and they ran away in, you know, fear.

B: You know, there's a lot over there for sure, and the other concern is, of course, you know, if somebody's looking at this in Kubernetes, I mean obviously for consuming this in machines and tools it's all possible, but to output this in some, you know, format like YAML where the configurations or the report results are easy to read. I think that's something we'll have to, you know, look at more examples and see how that works.

A: OSCAL comes in all three formats, YAML, JSON and XML, with the translations. So whatever we use, we can get the others as well.

B: Right, yeah, so of course, yeah. If we have JSON, we should be able to output it as YAML, but what I mean is just in terms of the structure of the object model and things like that, right. So how does this, you know, like if somebody is just using a CLI tool and printing this out and trying to read through it? Is it understandable as to what, you know, what the results are?

B: Some of the other things we had in our policy report, that structure that we were trying to define, were things even like totals, and, you know, kind of, you know, just to again make it easy. Then there were things like categories and severity, so I don't know, we'll have to go through and see how all of that maps.

A: Okay, observations, so this is what we... and the subject references to show the inventory, evidence group. But if you go even more down, you will see that there is the threat and risk, so as part of risk you have risk metrics. So that's where we typically put the score, but this is not part of the subset that I reached. It's, you know, yet another slice at the compliance, so I...

A: ...want to, I try to remember if we added the remedy or not to what I shared. So that's why we said piecemeal. So we can do observations with evidence without having risk and remediations, but if, you know, they are relevant and the team is mature to move into that direction and has already the logic to use that, yeah, they are part of the schema. So we can, that's the beauty, we can expand as needed.

B: You know, like what are the results of some type of grouping of audits or policies, and then there's some details on each, right, but it's really just to indicate like a pass/fail, you know, and then perhaps give links to others. So as long as we can, you know, if there's a way to map all of this and capture this, then of course, you know, I think going with something with a standard which is already defined has a lot of value, so.

A: Yeah, I think, I see, you know, we discussed last time that having a summary is kind of difficult, because it depends on the context. If I have...

A: ...a partial result, okay, you know, what does it mean that I have three passes and three fails, and then I move to a, you know, more aggregated view with others, and I have a different summary. But now, actually, I see how it is used here, because this is an example for one single policy, and I think this can be added, because the observation is atomic, so we can get a summary to say, oh, this is the aggregated result for this control across whatever is in the observations, right.

A: Atomic, with that control evaluation coming from eight passes, two fails, and this is why, you know, zero warnings, zero errors, and that's why it's a fail, because it's eight passes and two fails. The ten rules that I aggregate give me a fail, because I have these eight passes and two fails. I think I'll look at how I can add this as a part of the properties, because that can be done, and that is atomic, is that observation is not something that is changing. Whether I...

B: Correct, so this is like a capture of a point-in-time report for a particular set of policies on a particular set of resources. Like in Kubernetes, you're thinking of this mostly as a namespace scope, right. So if I have a namespace and I'm applying, let's say, my pod security policies, I want to know a summary result for how many pass, how many fail, and then I have some details to go and, you know, figure out which rule failed, things like that.

A: Okay, so if we are looking at the namespace, this means that our approach here is from the right, what we call here subject: resources, right, from an inventory point of view. These are my namespaces. What OSCAL does, it approaches that from a compliance point of view, so the display here you see is by control.

A: Eight passes and two fails. It would be at a three level. What you are looking at is the summary from an inventory point of view. So again, I think it depends who is the persona that the working group here for the result is targeting. If we target operators, of course, they could not care less about the AC summary, AC-3. They are looking at the namespace. So I think maybe you need to clarify what the personas are? Yes.

B: So the two personas we have talked about are, you know, the namespace, so typically it's an application owner that might be the namespace admin, and then there's the cluster admin, the operator, like you mentioned, right. So I think those are the two: somebody is looking at things cluster-wide, but then there's also maybe like a sub-admin or somebody who cares only about that namespace, and they want a summary of, okay, what are all the findings? What are the problems or issues I need to fix in my workload to be compliant?

A: But will they be interested in looking from an operation... Oh my god, the fire engine arrived, the alarm stopped, which tells me that it was...

A: Yeah, so what I was saying: oh yes, from an operational point of view, I think we don't need OSCAL, right. We don't need the compliance approach if they are looking at what is failing in my environment, because it will not be only failures from a compliance controls point of view, it will be all their failures, right. There are other aspects, then. So would it make sense, then, from a compliance, let's say a compliance operator, to present the information from an inventory and namespace...

A: ...point of view? This audio, because it will be misleading, right, to say: okay, this is what's failing in your namespace. Rather, I would like to have the operational operator present those, and here to really focus on the compliance aspects and focus from a, right, policy approach or control approach.

B: Okay, so what you're... If I understood correctly, what you're saying is with OSCAL it's more that you're going through each control or each comp... you know, policy, and you're saying which, you know, workloads or which, let's say, let's take pods as an example, right, so across my cluster, which pods are compliant, which may not be compliant, but there is there. So then it's left up to some external management system to say...

B: Okay, if I want to narrow that down into a subset, like pods within a namespace, they have to kind of go filter through the results and figure that out, or how would...

A: ...that be done? Exactly, so. Again, it is a question of, you know, our goal and how I traverse this JSON to extract what I need. By default OSCAL organizes the result per regulation and per regulation controls, rather than per inventory, right, namespaces or clusters or things like that.

A: We have another schema, which is the system security plan, which is the one that includes the scope, the inventory, the subject references for which the assessment is done, right, so that can be the format for the inventory, and then we can extract from the assessment the summaries at that level. So there are different ways to slice and dice here, but the schema itself will natively provide the information per control, posture. Hi Gus, thank you for joining.

D: Hey, hey guys, sorry I'm late. I...

A: I'm, if you, if you'd like to have some introductions? My name is Anca Sailer and I'm in IBM Research, and I have been introduced to this work group by Jaya. So I'm working with her on the standardization of the result for the ACM in Red Hat. So that's, you know, how we... I'm not sure if you've seen the recording. Last time we introduced the recommendation of results standardization based on a subset of the OSCAL assessment result.

D: Red Hat, so yeah, I'm familiar with the sample a little bit. I took a quick look at it and saw it was big, so.

A: Yeah, if you look at this in this format, I think it's difficult, but if you have a JSON editor, you would see there are four parts. There are the properties, that is the evidence, yeah exactly, yes.

A: Right, so findings are by control, so in each finding I have one objective status, so then in the objective status you see the control AC-3 with its aggregated status, and then in the observations I have all the rules, goals, CIS benchmarks, whatever this control depends on for its status. What are the rules that map to the description of AC-3? What are the rules that implement the policies that implement that AC-3?

A: So, in the observations, which is the last object in this item, you will see all the... because this is a result for the compliance operator, these are all, right, CIS Kubernetes benchmark provided via OpenSCAP in XCCDF format, and we present them here in the OSCAL format. So you see the observations and they have properties, evidence.

A: Subject references is inventory, meaning what is the VM, the cluster, the region that I'm getting this rule for, and the observation method is whether it's automatic or manual. So it's a very simple structure.

D: Okay, so this is the sample, you know, current format of the response that you get, or the results for OSCAL, I guess, yeah.

A: Yeah, and prior to you joining we were discussing with Jim that OSCAL of course allows for additional aspects, right, besides the evidence. These are the basics, right. You need to know what is my subject that I applied this assessment to, what is the evidence that I got back, and what are the, you know, properties and annotations?

A: What is the test ID or the, you know, time of the day, you know, whatever the XCCDF may have as their own properties. If we use some other assessment tools, they have other properties, and then we aggregate all these observations to generate per control its aggregated status, but there are other aspects that we can add to that.

A: Like remediations: in our tools, for instance, we use remediations to provide what are the tickets that have been opened when, you know, this failure occurred, what are the scripts' paths in Git or other systems that I need to run manually or automatically. And the other aspect would be risk, so, depending on the score, and, you know, so, depending on the maturity of the tool, right, this can be adjusted to provide a result that is more or less complex.

D: Yeah, yeah, that's great! That's exactly the types of things that I think could be captured in the policy report. Yeah.

A: I was pretty happy with that, that she's on board. This is why she brought me into this group too. So the recording from the last meeting, two weeks ago, goes into one hour of details across all the fields and objects here.

B: Yes, so certainly this seems very comprehensive, and I think it can cover pretty much everything that we... and certainly if it's extensible through properties, etc., we can even model other fields. One thing we were discussing, which is an interesting point, is like who, you know, it's... Obviously a compliance report, you know, could be sliced and diced in many ways and consumed by different folks.

B: I think where we started with the policy report was we wanted at least a namespace owner, or like a workload owner, and the cluster admin to easily sort of view the output of various policy engines, right? So the question is: does this become, you know, in YAML format, would this be overwhelming, or would this be, you know, simple enough to understand? And secondly, would this be presented at a cluster-wide scope, and then how do we...

B: ...you know, compliance issues you need to fix in your workload with pod security and things like that.

B: But of course, as we kept working with this, there were more and more things that folks wanted to add, right. So I'm sure over time we would end up with something perhaps at the same level as what's in the OSCAL definition already. So it does make sense to adopt that as much as possible, but yeah, how do we kind of...

A: Yeah, yeah, a compliance engineer or a compliance officer. I think more engineer, because that's really down into the operational detail, than an operator which would want to see really the aggregation only at the AC control level, like AC-3 here. I think what we can do is to use this model, this data model, to generate and store, and then we can have additional functionality, right.

A: The root, and then the controls will become the leaves that are associated with their status under those. So, once the data is in, and, you know, being JSON, it can be reformatted as we need. That would be for me additional capabilities, as we have other personas.

A: It will be totally transparent because, right, as I use the CLI to, you know, get my assessment result per controls, get my assessment result per namespaces, get my assessment result... We don't know, you know, how this is stored behind the scenes.

B: So is there, like, with any OSCAL implementation, are they... well, so right now there's nothing for Kubernetes. By the way, I saw there was somebody who had done some implementation for Docker. Have you seen that before, for the container engine?

B: So I don't think Andrew is at Docker anymore, at least when I was checking online, but yeah. This was, and this is about two years old now, but there's some attempt at taking Docker output and converting it into OSCAL, right, so, but yeah. I couldn't find it, and there's also like a Go library which I think also was developed by Andrew for managing OSCAL formats.

B: So there is some CLI with some conversion and other things it does, and I think this is all written in Golang, it seems like, right, so yeah. It may be worth following up and reaching out to see if there's any activity, or yeah.

A: CLI to see what they... The second folder from the top, I think.

A: Okay, so OpenControl is the original format for the compliance automation before we had OSCAL. So it's a subset of OSCAL, I would say it covers about maybe 10, 15 percent of OSCAL, because the people were really looking into continuous compliance automation and generation of documentation for fire, coal, fire and PwC. They used OpenControl to automatically generate that, and now there are converters between OpenControl...

A: So he is into compliance schemas to the core, right, from the very beginning, with OpenControl, yeah.

B: Okay, yeah, and I see this gentleman, who has also committed to the repo, looks like he's from Red Hat, so maybe that was the one, yeah, the latest commit here.

A: Right, so we had, indeed, in February we had a major change to the schema. We worked closely with David and the OSCAL team in NIST, and we provided our feedback. That is, you know, too much nesting, too many, you know, levels that were really not necessary and made our NoSQL kind of explode, and so they reduced many levels of nesting.

A: So it was a major change in February, so I see they keep it up to date, yeah, so they updated their...

B: Yeah, looks like, yeah, this person from Red Hat was the latest and probably has the highest amount of commits recently, right. So is it possible to reach out and see if there's interest in, you know, somehow working with this or mapping this to Kubernetes and what we want to do?

D: It's not someone I'm familiar with. I can look around to see if I can find a way to contact them.

B: Can we leverage it to achieve some of what we want to do? And I'm assuming what we're talking about is saying, is there a way in Kubernetes to generate, or to at least create, like a custom resource which would be compliant with the OSCAL format, which different policy engines running inside Kubernetes could then create. Yeah, one question, a concern which had come up in the past, is like how much data do we store inside the cluster versus, you know... so at least our thinking was that we would just store the current information inside the cluster.

A: Storage is an important one. So this was CLIs, okay, so yes, the storage, depending also on how it is stored. We store it with versioning, so we keep only the delta, but still it can, you know, explode if...

A: ...there is a, you know, large cluster and so on. So the way that we manage it is that we declare a TTL in our component definition.

A: It is the format that allows a vendor to describe how their products and services map to controls with, you know, their properties. So one of the properties that we leverage there is the TTL, and then we provide across, let's say, an inventory, what is the lowest TTL, so that we make sure that we collect the data before it disappears from the... So we do not expect Kubernetes to... because we have regulations that require keeping the information five years, right, so the Kubernetes...

A: This is why we decouple, you know, the expectations or the requirements on the infrastructure itself and the regulations' expectations.

A: Right, so then, even if, let's say, that, you know, it may be large for, you know, a large cluster and so on, we know that it is, you know, limited in time, so we don't...

A: ...class, you cannot see it because you are at the lower level here. You need to go on the left side. You go above, and you see the assessment result layer.

B: All right, so we see assessment, I see, so that's the only layer where the results are really what we're concerned with at the moment. Everything else could be managed again externally or based on the policy engine or whatever tool is being used.

A: Right, because right now we are looking at a unified pane of glass to show the compliance posture. So then we expect that the assessment results are aligned. If we want to move into having the inventory presented in a unified format and consume from those various layers their inventory discovery, rather than discovering it at the top level, then aligning the SSP in green will allow us to consume that. So again, it depends on the maturity of the framework that we implement.

B: Yeah, I think, yeah, we are, at least our current focus is on the assessment layer, and, of course, Kubernetes has its own schema and ways of defining, you know, resources, so we don't necessarily need to re-represent all of that inside the cluster for sure, but yeah. If there's a way to, then the idea becomes, can we map this into a Kubernetes resource? So currently, when you're generating this for clusters, is there...

A: Oh yeah, yeah, so we have a team that is looking exactly at that and...

A: Compliance operator, right, model, we generate the assessment result in this format. Yes, so that's exactly the goal. Okay, but this is part of the offerings of IBM Cloud, ROKS and IKS. It is not part of... we are looking now to converge with gis.

A: ...know, ACM, and there is another lady there, Christine Newcomer, that is responsible for augustine all better, right. Christine is working with the compliance operator, so we want to align those efforts so that we have the same format, but definitely custom resources are part of the roadmap.

A: Do that, try to interrupt: the compliance operator is already open source and it has custom resources for what it does, right. It's just that the output that it has is not aligned with the OSCAL assessment result, right. So...

A: ...the effort is to align it with the assessment result. There are other efforts around custom resources to align also the inventory and other aspects to that as well, but the only CRs that we have today with respect to compliance are open source, but they are not OSCAL. So all this is roadmap. Okay.

B: Yeah, so thinking of what, you know, we can do in this work, so right now we have this proposal for a policy report, which is a fairly simple, you know, kind of custom resource in Kubernetes, and, like we talked about, the focus really was to try, and, you know, this is for the cluster admin, as well as the workload operators or the workload admin who are operating at a namespace level. So I think, to kind of just clarify thoughts and how this, you know, how we can converge or how we can move forward.

B: What would be the pros and cons and how it would work, and I think what I gathered from our conversation today, the way it would work is there would be one sort of OSCAL-formatted output at the cluster level, and from that we could have like command line tools or other tools which can extract the information and report the information they want.

B: So if a namespace admin wants to say, okay, give me the report for this namespace, they would have some way of, you know, generating that, or maybe we have an operator or a controller running in Kubernetes which also generates some subset and stores it inside a namespace, right. So there would be some duplication, but maybe, you know, that could still be done, right, because then for access controls and security a namespace owner doesn't have to...

A: So the result, right, the posture, is pass/fail without the drill-down on the evidence, right, on the, you know, messages that are associated with that and so on. So if you look in the OSCAL format, you see, I have evidence... what I have, sorry, I have the control status, right, which is pass/fail, but then below I have the evidence group which gives the details, right.

A: So I wanted to make sure that we understand the difference, whether the Kubernetes team is looking for having both or...

B: But really the problem we started out trying to solve is there's a growing number of policy engines, whether it's image scanners, configuration scanners, admission controllers, runtime, you know, security tools, and all of these are currently producing outputs in different formats, right. So for a cluster admin it's like, okay, I have 80 different things to look at to understand what's going on. The intent of what we were trying to do is: how do we standardize that format as the policy report?

B: So, even if we have some high-level summary to say, hey, on CIS benchmarks for Kubernetes you got an A plus, but on pod security you got a B minus, and here's the namespace that's violating it, right. So something like that, and then of course you would have to dive into individual tools to get to more details. But starting with that summary is what we were trying to...

A: ...connect, and I'll have a message associated with that which will be part of the evidence, what I call, so you...

B: We did have a message field, right, but the intent was this was not... This would be like a brief message, with pointers to more details, right, but yeah. So yes, it's a little bit fuzzy, so we did have in the res... So the way this structure was is there's a policy report, and then there's a summary section which just gives you a score. So you can convert that into a grade or some simple way of knowing. So a policy report could be at different scopes.

B: The scope could be a namespace, the scope could be the entire cluster, the scope could be just one deployment, it's flexible, right, but then each result could be, you know, could also point to a rule. So this was the rule or control in the terminology, the OSCAL terminology, and then it would have a message and then a status, which would be pass, fail, warn, error, skip, those were the five, I think, you know, and then whether it's scored or not, and then additional data, which is just some free-form data.

A: So I think this introduces an additional challenge, right. So now, if we are, I understand, for the, you know, storing locally and using it locally. Now, if I use that in an exchange, right, protocol with some other tools, whether they are, you know, governance tools or, you know, UI tools to display, you know, aggregators...

A: The question is now: I have to manage the access not only to my environment, but also to that repo where the evidence link in this format here is provided, right, so the more references we bring into that, right, it complicates the access.

A: I'm wondering if it's not an advantage actually, because that evidence is the critical sensitive data, so I mean altogether a different level of access than what I need to get the posture. Okay, pass/fail, I can work with whatever credentials I need for my, you know, view of my cluster, but then this separation will enforce a level of security on the evidence, which is my sensitive data.

A: The evidence is the actual message, the actual result, the actual API reply from the policy check, or, right, it's the actual evidence. Evidence sometimes may even contain PII, right, depending on, you know, what is in there.

A: I think I like very much your suggestion to have the evidence by link. It doesn't change the structure of OSCAL, but it just brings that my evidence would be, I'll use the href rather than having the whole information there.

B: Right, so if I, but let's say, if I'm managing, or if I deploy some workload, right, and I have some pods which violate some security policies, so I'm seeing my results. It's telling me that, you know, but with the message here then at least give me some information that this pod requires, let's say, runAsNonRoot to be set to true.

A: ...are generated using the compliance operator that is built on top of OpenSCAP, so the means by which I do the assessment is by running OpenSCAP, and I have the logic to check all those CIS benchmarks. So what I get back is that a basic authentication file argument is not set, right.

A: This is the message that I get back, and this is the evidence, while the status is pass/fail, right. Now, having pass/fail, right, is one thing, or error, right, and then the message is something else: I was able to reach, or, you know, I don't have access, or, you know, whatever. Whatever it is, it can be that that message for some people is very sensitive.

A: I don't want, you know, maybe this to be in a place where the operators can see that and make that public, because this is maybe a breach that can be immediately leveraged to do some damage in my environment.

A: ...is, which is perfect? It means that, if that person has to do the remediation based on that, they will be approved to have that access. What I try to say is that we bring into the picture this, you know, this minimum level of access. That is one of the, you know, controls that everybody wants to have. This will support, implement, that minimum level of access.

A: If I'm an operator that I need to... maybe I don't need to have access. Let's say I have 10 repos: one is for network, one is for DevSec, one is for IKS, one is for storage, and they will all have different levels of access, so I'm not going and poking on, you know, what are the failures on the databases' policies, right, because I'm only responsible for network, so I get access only to that.

A: Same thing, so what started as being an inconvenience, I think it's actually a good thing. Yeah.

B: Yeah, I'm just kind of thinking about the user experience, and if there's some, you know, like a CLI tool or something which can combine that and present it in a manner which is actionable, then it's fine. Of course, like, you know, the nice thing about having the message here becomes like I can just do kubectl get and I see everything and I know what to do, right.

B: So that's the trade-off, I think, we need to think through, but I definitely... there's some interesting pros and cons.

A: I can see that CLI, like, you know, get the assessment result, and I get my assessment result, and now I say get my evidence for this assessment result for these credentials, and the CLI is intelligent enough now to apply my credentials across, you know, everything, but my evidence will come back in this assessment result only for the items I have access to; the other ones will say no access granted or something like that.

A: So this was your concern, that we will need, right. Definitely you will need to have the capabilities to allow the operator to complete their job into remediation or exception, whatever they need to do, right. Definitely, right.

B: All right, so yeah, I'm still thinking maybe the best next step is to try and formalize some of these thoughts into, perhaps, you know, kind of a document or some structure, and then we can see, you know, if there are folks...

A: Do you have a template for this design proposal? Hi Jay, I've seen you joined.

B: So it's very informal, right, there's no one standard format or anything, but it's just some typical sections that we have seen in most of these types of proposals, and happy to... kind of what we can do is maybe we can just at least capture some sections and, you know, try and just, maybe from a thought process point of view, that will help us frame some thoughts and ideas and kind of be concrete about what we want to propose.

A: ...know, personas, CLIs, personas, storage, the different levels of access and so on, summary, so put everything there and we can refine it maybe offline, I guess. Okay, good, okay.

B: So, Jay, just looking at your question in chat, so from the, yeah, on the DNS policies, so we have not discussed that before in this working group, but that is super interesting.

B: I know that there was some work done with CoreDNS and OPA policies, so I had read something about that, and we had discussed that also in the multi-tenancy working group. So what did you have in mind?

C: Yeah, so, okay, so yeah, we started the SIG Network network policy API group about, really it was about six months ago, unofficially, and kind of more officially in the last couple of months, but, you know, it became, you know...

C: I don't know how much you all know about network policies, but, you know, they're very granular, they're very low level, they're very CNI-centric, and it turns out that most people want policies that are way higher level than that, right, and so we have all of these, like, user stories that people have given us over time, which are, I think, kind of... I'll just, you know what, I can link you all to them.

C: Policy, they're just a lot higher level than what, you know, SIG Network is really capable of supporting, and I was like, well, at some point, rather than just always bikeshedding about whether or not we can do this or not, and whether or not it should be in the API and whatnot...

C: Look like, like lowercase, you know what I mean, like a unified network policy model for Kubernetes clusters, like, you know, where a lot of the implementation details might be implemented by SIG Network using our network policy API, but like there's a higher-level layering, DNS being a great example, where people want to very simply say: I don't want people to access this site. And a lot of that could be built with controllers and operators, right. You could presumably envision a world where you could query CoreDNS.

C: You could take information about, for example, services is another one, right. Look at Kubernetes services, create a network policy against a service, say I don't want these pods to access this service. That's not supported by the network policy API, but again, that's another use case for an operator where you could look at pods behind a service and then create those more granular rules underneath. And so I just think there's a lot, there's just a huge impact to be made there, and I wanted to make a little sales pitch around it. I mean, we have...

C: I know a few people personally that would be interested in working on this, but I wouldn't want to go down this road alone if nobody, if everybody else only had passive interest. So what I'm looking for is active interest in this, in designing something like this, prototyping it and stuff. That's kind of where I'm at, so. Okay, just planting the seed. I know it's the end of the meeting.

B: That does sound interesting, and so, and maybe it's something that, if you want to also share on the Slack channel, right, so folks... and we can, I'll update the meeting notes and we'll have the recording posted. So I think it'd be good, perhaps even in our next meeting, to sort of revisit this, since we're almost... I guess we're over time right now, but yeah, there's some interesting ideas, things we can also think about, and I'm not sure if you're, we're...

C: Yeah, yeah, any canonical solution would work. It doesn't have to be an API. If you want it to be an OPA thing or whatever, I don't care. As long as we had some centralized place where we could build those higher-level policies, it would just, yeah, it would be really cool. Okay, so, yeah. So next time we talk more, sounds good.

B: Thank you for sharing. All right, so yeah, Anca, we can collaborate on the document, maybe as an action item for next time, and then also I'll put this topic on the agenda for our next session.