►
From YouTube: CNCF SIG Security Working Group 2020-09-30
Description
CNCF SIG Security Working Group 2020-09-30
B
A
B
A
A
A
B
A
Yes,
that's
exactly
right,
it's
just
a
spec
for
the
output
and
the
report
is
meant
to
be
almost
in
some
a
summary
of
all.
You
know,
and
there
could
be,
of
course,
multiple
instances
of
reports
at
different
scopes,
but
the
idea
is
to
have
a
summary
for
the
cluster
admin
or
the
operators
to
see
outputs
from
different
tools.
B
Yeah,
so
I
think
that
maybe
in
the
context
of
starboard,
maybe
starboard
can
offer
right
now
starboard
outputs,
the
report
in
its
own
format,
that
is
more
tailored
to
the
to
the
actual
tool
that
that
is
being
that
is
during
the
scan.
So,
for
example,
for
a
trivia
report,
we
look
different
from
a
polaris
report
right,
but
I
mean
I
think
that
the
policy
spec
that
you're
working
on
is
very
interesting.
B
B
B
D
B
B
A
B
A
Yeah,
so
there
is,
you
know,
I
think
we
have
to
try
it
out
and
it
kind
of
it's
interesting
right,
because
I
don't
think
there's
any
formal
process
to
make
it
official.
The
idea
would
be
if
we
show
adoption
and
if
we
show
how
this
is
used
in
different
tools,
then
we
can
go
back
to
maybe
six
security
and
sight
present
this
to
them
and
see
if
we
can
get
this
promoted
to
its
own
repo
out
of
this
prototypes
repo
right.
So
that
would
be
kind
of.
I
guess
it's
not
really
any
official
graduation
right.
A
B
B
D
A
A
So
there's
some
good
discussions
also
over
there
on
that
thread.
For
you
know
the
pros
and
cons
and
the
trade-offs
of
using
something
like
opa
and
rego
versus
other
policy
tools,
and
I
think
you
know
I'll-
follow
up
with
those
few
folks
who
commented
and
invite
them
to
come
to
our
group
and
discuss.
A
You
know
other
ideas
for
standardization
right,
because
I
think
it's
clear
there'll
be
several
tools
doing
different
functions.
So
I
think
we
probably
one
of
the
things
we
can
do
is
even-
and
I
know
starboard
has
some
classification
of
tools
already
right.
So
perhaps
we
can
use
that
framework
or
we
can
extend
that
or
refine
that
as
needed
to
say.
Hey
here
are
the
types
of
different
tools,
whether
it's
image
scanning
to
admission
controls
and
configuration
scanning
or
runtime.
A
C
Yeah,
so
I
have
a
look
at
oscar
and
I'm
helping
a
couple
of
projects.
Look
at
it.
So
I
think
the
answer
question
is
you
know.
Certainly
the
I
mean
oscar
is
a
definition
of
controls.
So
if
you
look
at
policy
policy
is
either
a
statement
of
you
know,
controls
or
itself
a
control,
as
I
see
it
and
kind
of
the
conceptual
model,
so
I
think,
and
and
I'm
not
an
oscar
expert.
C
C
A
component
doesn't
have
to
be
software,
it
doesn't
have
to
be
hardware,
it
could
be
a
policy
artifact,
and
so
I
guess
the
I
the
goal
would
be
to
map
policy
as
we
think
of
it
in
this
work
group
as
executable
policy
machine
executable
policy
policy
would
be
itself
an
asset
in
moscow.
A
component
of
moscow
and
the
findings
in
in
the
cr
api,
for
example,
would
map
to
some
controlled
definition.
C
E
Yeah,
I
think
that
makes
sense
robert
and
what
I
was
thinking
was
if,
if
the
policy
report
schema
includes
at
least
some
of
the
elements
of
oscar,
then
management
tool
that
is
consuming
the
various
policy
reports
can
provide
a
view
from
a
particular
standard
perspective
right,
whether
it
is
in
state
853
or
some
of
the
other
standards.
It's
where
I
see
the
linkage
between
the
two.
C
B
C
You
know
fedramp
or
nist,
853
and
says
you
know,
implement
this,
and
I
have
to
be
able
to
demonstrate
that
my
policies
cover
certain
controls,
so
by
kind
of
top
down
mapping
my
policy
implementation,
all
the
way
down
to
my
policy
out
report
output
to
a
particular
control.
I
can
demonstrate
yes,
I've
accomplished
that
I've
mapped
these
policies
and
these
outputs
to
a
compliance
statement
tagged
with
these
in
oscar
from
the
other
direction.
C
Query
all
the
policy
report,
outputs
that
are
relevant
to
that
control,
so
that
I
can
gather
that
into
my
evidence,
locker.
So
the
top-down
and
bottom-up
use
case.
So
that's
why
I
think
a
bi-directional
mapping
is
is
is
highly
necessary
in
terms
of
in
terms
of
I
guess,
the
other,
the
user.
I
don't
know,
maybe
it
overlaps
these
use
cases
the
first
one,
maybe
if,
if
I'm
an
actual
fedramp
authorizing
official-
and
I
get
someone
drops
an
oscal
implemented
fedramp
package
on
my
desk
and
it's
supposed
to
be
machine.
C
Verifiable
that
I
meet
fedramp,
then
there
needs
to
be
a
detailed,
a
tracing
down
to
you
know
an
actual
policy
artifact
in
machine,
readable
code
that
says
yep.
It's
it's
implementing
this
control
by
via
this
executable
means
and
the
data
it's
generating
is
going
to
map
to
this
control.
You
know
policy
report
output.
So
what
how
that
would
work
in?
I'm
not.
C
A
Right
yeah,
I
think
that
would
make
sense.
Is
there
you
know?
I
know
robert.
You
seem
to
know
this,
but
is
there
somebody
we
also
perhaps
want
to
invite
from
you
know,
might
be
working
on
moscow
to
do
a
deeper
dive
and
sort
of
give
a
presentation
in
one
of
our
working
group
meetings
with
that
yeah
I
can.
I
can
certainly
reach
out.
I.
C
D
E
C
And
they
have
done
a
number
of
presentations
and
then
other
peripheral
groups,
industry
and
federal
groups
have
done
various
askal
webinar.
So
I
can,
I
probably,
can
collect
a
bunch
of
links
and
drop
it
into
the
google
doc
sometime,
if
not
today,
later
this
week.
So
if
folks
are
interested
in
kind
of
the
overview
of
what
oscar
is
yeah,
that
will
give
some
background
material.
A
Okay,
I
think
that's
good
all
right
yeah,
the
other
thing
robert.
We
were
just
discussing
and
you
know
just
thinking
out
loud
and
in
terms
of
potential
things
we
could
produce.
In
addition
to
the
policy
report
and,
of
course,
continuing
to
you
know,
grow
the
adoption
of
that,
and
maybe
one
thing
that
we
could
do
I
was
thinking
on.
A
That
is
that
it
may
be
once
we
have
a
few
examples
of
these
reports,
we
can
even
create
like
a
cncf,
blog
post
or
something
to
advertise
that
this
report's
available-
and
you
know
see
you
know,
just
promote
interest
in
it,
the
other.
You
know
other
potential
deliverable
or
something
we
could.
You
know,
output
from
the
group,
it
could
be.
You
know,
starting
to
you
know,
have
some
classification
of
the
different
policy
tools
that
are
in
scope
right
that
we're
talking
about,
and
I
think
starboard
has
a
good.
A
You
know
sort
of
a
grouping
of
these
already
and
we
had
discussed
some
of
that
with
liz
and
daniel
and
itae.
Also
from
aqua.
Sec
was
just
discussing
that,
so
perhaps
that
could
be
also
a
document
or
a
google
doc
we
produce
and
publish
somewhere
to
say
and
of
course
that
can
will
change
and
evolve
over
time
as
things
change,
but
at
least
right
now
we
know
that
there's
image
scanners,
there's
admission
controllers;
there's
configuration
scanners
and
and
runtime
security
type
of
tools
that,
where
and
there's
examples
of
each
of
these
categories
right.
C
Yeah
that
I
it
makes
sense,
I
know
now-
howard
and
erica-
are
always
putting
together
slides
for
for
various
kubecon
presentations
so
and
they're
they're
more
dialed
into
that
process.
But
I
would
imagine
that
whatever
we
can
produce
as
a
white
paper
or
more
guidance
here
kind
of
bump
it
up
to
the
we
could
present
it
to
the
higher
sig
group
on
the
on
the
later
10
a.m.
C
B
C
Well,
actually,
yeah
that
I
and
when
I
unfortunately
I'd
put
on
the
calendar
item
today
the
discussion
about
moscow,
but
then
took
it
off
because
I
had
this
unexpected
conflict,
but
now
that
I'm
on
there
there
was
a
lot
of
back
and
forth
chatter.
In
that
white
paper
review
about
compliance,
it
wasn't
necessarily
in
the
context
of
policy,
but
I
think
I
think
certainly
everyone
here
on
this
call
kind
of
sees
that
there's
a
nexus
between
compliance
and
policy.
C
C
I'll,
like
I
say,
write
up
a
little
bit
of
a
summary
of
pascal
how
that
integrates
with
the
cr
and
incorporate
some
of
that
chatter
from
the
the
white
paper
review,
but
yeah
you're
right
eta.
I
I
think
the
the
gist
of
the
back
and
forth
on
the
compliance
section
of
that
white
paper
was
that
it
was
kind
of
you
know.
Open-Ended
would
be
nice
if
there
was
more
substance
to
that
that
component.
At
least
that
was
the
takeaway
that
I
had.
B
C
C
A
C
Yeah,
that's
that's
what
I
I'm
suggesting
is
that
I'll
just
expand
on
the
agenda,
placeholder
that
I
had
for
two
weeks
from
today.
I'll
add
details
around
moscow
and
okay:
are
there?
Are
there
resources
that
that
you
would
like
me
to
explicitly
review
as
part
of
how
that
connects
to
any
of
the
projects?
You're
involved,
I'm
happy
to
take
a
look
at
those.
E
E
C
Okay,
yeah,
then
I'll
try
to
get
you
an
an
advanced
draft
of
again.
It's
not
going
to
be
anything
extravagant
just
a
simple
outline,
one
pager,
but
if
you
want
to
circulate
that
around
to
this
group
in
advance
of
that
call,
then
maybe
we'll
get
some
some
good
feedback
on
the
next.
On
the
next
session.