From YouTube: CNCF SIG Security 2020-07-08
F: Yeah, the first one definitely has come up like many times, around like scale and bundle distribution, around policy distribution, and we have a few mechanisms for that, a feature called bundles. I think we can chat after this call on Slack, why not, I can talk more details on that. And regarding the graphing database, is it something like refine or something? Is that what you had in mind, or...
C: Neo4J. I mean anything, but something that would provide, like, as you're doing the validation... I think open gets closed, but I... What concerns me is the absence of context to some degree, and maybe I'm missing that, but I don't see that right now. Maybe I'm just not... Maybe it's documented and I'm just not clocking it.
A: Let me just share my screen, I'll be showing this stuff. So my name is Barak Schwartz, I am the CTO and co-founder of a cloud security startup named Bridgecrew, and we have various open source tools; among them is Checkov, the open source project that we would like to discuss and present today. So a little bit of context: Checkov was originally developed at Bridgecrew. It was released last Christmas under the Apache 2 license.
A: It is currently maintained only by three employees, and it covers configuration frameworks like CloudFormation, Kubernetes, Serverless and ARM, with more than 360 security policies written. So Checkov is a static analysis tool for those infrastructure-as-code frameworks or configuration manifests, and we would be happy to bring Checkov into the CNCF.
A: The content, the common rules for the community, and the engine, obviously, are also open source, everything that Checkov parses or consumes. With our security background, we were more familiar with Python as a programming language, and we found it very easy to extend, to use inheritance, to do API calls in some of the cases. So this is the language that we chose to build Checkov in. So how does a check look like? Over here there is an example of a Terraform policy to enforce encryption over RDS resources.
A: So it's like, I don't know, something like ten lines of code for a check. You mention the resource that you'd like to monitor, the AWS DB. You give the name and an ID and a category, and basically what you will do is take the parameter in the configuration of that resource, and you will check whether it is configured correctly, meaning with storage_encrypted equal to true, and then the check is passing.
A: So some interesting statistics of stuff that we've done with Checkov: we decided to scan the Terraform registry, the public registry, registry.terraform.io, which is almost, it's something like 3000 modules and providers. At the time we made the scan, it was two thousand five hundred, and what we found is that, by those three hundred and sixty checks, 44% of those modules published at the Terraform registry were misconfigured, meaning had either encryption issues, networking, some minor IAM issues. And it's not because people have written the code in Terraform; it's actually helping to identify and solve some of the issues at scale. It's because they lack the knowledge of how to configure it correctly, or like just the tool with all of the content. So you can.
A: Alright, so how do you install Checkov? It's pretty simple. Checkov is a pip Python package, so you can just pip install checkov on Python 3.7 and up. If you're using a Mac, you can use brew; if you'd like, you can use Docker, so you can basically install it on every modern environment. As for running it, it's also pretty simple. You just need to choose a directory where your infrastructure code is in, where your Terraform, Kubernetes, CloudFormation, Serverless, ARM templates are, and you will just get a full colorful report in the CLI. As a beginning, with each check, its ID, whether it passed or not, and the lines that are problematic, and if it's a problematic resource, just a print of those lines that you should probably fix, or just skip or ignore.
A: It also has a JUnit XML rich format, JSON format. It has Markdown, where you can put the table of the issues, and using JUnit XML, if you integrate that into build pipelines like CodeBuild or Jenkins, you can get a colorful report of the JUnit XML, like you can get from a unit test or a test suite on your CI pipeline, right. So, if you'd like to take a look at those 300 checks of different resources, you can just go into the website, to Checkov's resource scans; it gives you the full list, divided by the different frameworks and different resources. Some might look similar. For example, we check for encryption in CloudFormation, the check of an S3 bucket, and the check of encryption in Terraform of an S3 bucket will have the same name, but they have different implementations, because you're writing your resource in a different manner in this configuration file.
A: So, like every test suite, where you can, in Java for example, choose to, in JUnit, ignore a specific test: you can use annotations or comments and write checkov:skip and the check ID and the reason, just for documentation, some mandatory, and you can choose to skip a check over a specific block. A sample use case would be if you have an S3 bucket that has a public ACL configured and it's publicly accessible from the entire world. In some cases it's a legitimate act, for example, if the S3 bucket is serving as a public static content host; even though there are other ways to do that, it is a possibility. So the bucket is public and it's legitimately public, and you can tag it by just running this comment inside your Terraform code, and you can choose to skip this resource from this public S3 bucket check.
A: So Checkov can interact just as another linter, where you can configure it in your pre-commit hook, and it will block you from committing your bad Terraform code, or malicious, or if you, by mistake, have forgotten a specific security configuration in your code. You can just run Checkov as a pre-commit. It's important to say that you can also do other use cases with Checkov, other than security; backup and recovery can always be tested. Using Checkov you can even write custom policies over permitting only specific types of EC2 instances to reduce cost, but the main policies that you'll find there are around security. There are some around cost, like don't forget to put retention over your logs. Alright, so using the pre-commit hook, every engineer in the organization would not be able to commit new infrastructure code without approval or rejection of Checkov. After it is approved, meaning Checkov has scanned this local code, you can commit, you can push the code into your Git repository, GitHub, GitLab or Bitbucket.
A: So that's one scenario. Another scenario is just putting it inside your CI/CD pipeline. So let's say that I don't have a pre-commit hook, but I'm opening the pull request in GitHub or GitLab, and now I want to run my tests. So your CI system, whether it is GitHub Actions, Jenkins, Drone or anything else, can run Checkov on every pull request, and it's just running the infrastructure security list. If it rejects, it fails the build; you cannot do the change to your infrastructure code. If it approves, you can start your deployment trigger and just apply your infrastructure code into your production environment. Well, I know the drawing is focused on AWS, but it is the same for every cloud, and so it's multi-cloud in Checkov, scanning configurations across the three main cloud providers?
A: The third mode is running Checkov inside a Kubernetes cluster. So since Checkov can analyze Kubernetes manifests, you can scan those at build time, while you're writing the code. But in some cases you will use templating frameworks for Kubernetes clusters, like Helm, Kustomize, Rancher, or any GitLab-provided Kubernetes Auto DevOps, and you'd like to know if your runtime environment, in your provisioned Kubernetes cluster, has the right configuration. So you can just deploy Checkov as another container in your cluster, with a specific configuration, and Checkov will actually do API calls to the Kubernetes cluster that it's deployed within, and will download locally the definitions and will check if they are valid or not valid from a security perspective.
A: Another advantage of using such a tool, compared to a runtime analysis, for example a tool that samples a configuration in AWS or others, is that it's decentralized. It's not centralized in the security team, where you need to go over a bunch of alerts and correlate them to the user that made the change. Since it's running on each and every commit, each and every pull request, it's distributed by design, because it's part of the CI pipeline.
A: All right, so the roadmap contains those current items that we are open to add. The first is policy sharing. Currently Checkov has 360 built-in policies. It has the ability to load additional policies from an additional directory, just as a parameter, but a lot of community members asked for the ability to load policies from a GitHub repository, in a directory that is version controlled, I mean, that is not located near the infrastructure code repository itself. So this will enable enterprises just to have a centralized Git repository where custom policies are. Another one is: we do support scanning ARM templates, but we don't have a lot of content there, a lot of policies written. So we are working on adding more policies there. We want to support Helm natively. We want to add a relationship engine; for example, in Terraform, managing VPCs and VPC flow logs, those are two different resources. We would like to be able to write a policy such as: does this VPC, that has a public-facing resource, have a VPC flow log. So this is a relationship engine or a graph engine that we would like to add. We would like to add a kubectl plugin and Kubernetes.
C: Hi, this is Michelle. You answered the question about the admission controller in one of the slides. If you don't mind me just jumping in, but the challenge that I keep having, and I see this everywhere, is once you get to the issue of scale, you have problems with context and ontology, and flat rules don't... at some point it's gonna hit a wall, because it doesn't have that context.
A: So what we heard from those is that a lot, like eighty percent, of the common issues can be caught using such rules. So, let's say that you have a lot of engineers in your organization, and all of them or a bunch of them are writing Terraform code, and you don't want to review every pull request.
C: So essentially you're saying create more of an engine. Right now it's not really, you can't really, I mean I don't want to be offensive, but you can't really call it so much of an engine. But so you're saying create an engine that can have an idea of context. Is that what you're saying, through a relationship engine, is what you're calling it, right? Yes, so.
A: I was not aware of Conftest when I started Checkov. I was aware of OPA and I know that Conftest is somewhere related. So I see that there is in the chat a question about OPA. Alright, so OPA, as far as I know, and feel free to correct me: to use OPA you'll need to have the plan generated of your Terraform, for example, which means that OPA will be able to run tests over the rendered variables inside, or the evaluated variables inside, the manifest, and Checkov has some logic to evaluate all the variables by the default values without applying the plan. Why we wanted to develop it that way: because a lot of times, when developing on your endpoint, you don't want to put secrets of the production environment, which are usually variables or somewhat injected into the plan on those endpoints. So both Conftest and OPA, as far as I know, require those variables or plan types, and since we wanted to execute Checkov everywhere, we couldn't rely on those. So I think that those two tools are complementing each other. Where you have OPA, you have Checkov for plain manifests, and the relationship between those: the engine does a variable evaluation and not only flat rules. So there is a relationship graph between variable dependencies and resources. There is just not one yet between resources.
F: So the comparison, not between OPA and Checkov, but between specifically Conftest and Checkov, because I think Conftest is for managing configuration files, if I'm not mistaken. I'm not certain about the Terraform use case in particular, but I think the purpose of Conftest is to, like, validate configuration files, like, you know, you shift left. Basically, that's the idea with Conftest, so we're just curious if it's specifically Conftest versus Checkov, not OPA. OPA is completely different. And thanks for your answer, yeah.
H: It's alright, sorry, it's just I switched my speaker mic, hopefully that's better. But the Terraform language, HCL, has a lot of dynamism, doing for loops and conditionals and a lot of that. To actually write a policy you need to actually evaluate all of that to be able to have the second attribute, and even like the Python HCL parser doesn't even get like operator precedence correct. So it's a little unclear to me how robust that is outside of using the Go library for Terraform.
A: I guess that I would love to know how the process of submitting Checkov into the CNCF can probably look like from here.
B: So from our side, I think what we can do is a security assessment. It's about that process, so I will create a... If you go to issues, you can create a security assessment there, and there's a couple of steps here to follow from the CNCF SIG Security side. Our recommendation for incubation and graduation is based on kind of doing the security assessment and the results from that. So.
J: I have a question here, because you all have the application in for the sandbox process, correct?
J: The incubation process is the one that kind of, I think, Brandon was talking about, as far as being able to go through the assessment. There's a security review that would be involved here, as well as being able to find a TOC sponsor to do due diligence, and Justin Cormack can correct me if I am speaking out of turn for any of that. The sandbox process is the process that we've just changed; it requires the TOC to review, and it's just a simple vote.
B: All right then, I think whatever fits. I think that the natural progression is usually sandbox, then incubation, and then for sandbox, the security assessment isn't required, but, you know, nothing's stopping you from doing it, and it's something that we recommend anyway, because, you know, when you try and go to incubation... I, you know, yeah, sandbox, incubation and then graduating, and by starting out at sandbox you're gonna get more orientation by participating, getting a security assessment. You're gonna have the opportunity to really expand your exposure to folks in the CNCF. Yes, you're basically, you know, going to be going around flipping bits and getting buy-in from folks in the community. So the more you can be visible, the more that folks throughout the ecosystem recognize, you know, their contribution, the easier subsequent stages are going to be. So I think sandbox is the right place to start.
C: For me it's a struggle, right, it's a, I mean in a way it's kind of a graphing problem, cuz when you don't have context, I mean the flat rules in themselves, out of context, don't always mean something. It's just a problem that I had personally had; it's probably at scale, right, so that you can eliminate it, so you can make sure that you're not generating a lot of noise, false positives, the same as you have.
B: All right, if not, make sure you pick... Vinay is going to be going through kind of a DevSecOps reference, and this is kind of tying into the work that we talked about with the DoD recommendations for CNCF, and that's kind of like a vendor perspective on it, so that's something that definitely is going to be presented next week. And you know, of course, we can reserve the rest of the time to talk of ontology.