From YouTube: CNCF SIG Security Working Group 2020-09-30
Description
CNCF SIG Security Working Group 2020-09-30
B: I've seen the meeting notes that there was one item, and then the person wrote that he's unable to attend. So, okay.

B: I work for Aqua Security in the open source team. I actually have been listening to the policy working group meetings for a while now, okay, and I asked some of my teammates, Liz and Daniel, to join, and I know that they have also presented here before.

B: I wanted to keep an eye on the progress.

A: Got it. Okay, yeah, so I think, you know, Liz and Daniel had presented a while back, I think on... Was it Star... Starboard, okay, right, and we had talked about, you know, potentially leveraging the policy report as part of that. We're also very interested, and, you know, there is some activity on taking output from different scanners, like kube-bench, etc., perhaps even Trivy, and, you know, kind of converting it to policy reports. So it would be interesting to discuss that in more detail and see what would be the best approach, whether it's through Starboard or whether it's through some other adapter or other approach that we write.

A: Yes, that's exactly right, it's just a spec for the output, and the report is meant to be almost, in a sense, a summary of all. You know, and there could be, of course, multiple instances of reports at different scopes, but the idea is to have a summary for the cluster admin or the operators to see outputs from different tools.

B: Yeah, so I think that maybe in the context of Starboard, maybe Starboard can offer... Right now Starboard outputs the report in its own format, that is more tailored to the actual tool that is doing the scan. So, for example, a Trivy report will look different from a Polaris report, right, but I mean I think that the policy spec that you're working on is very interesting.

B: So maybe we can add another option, and by the way, I'm not speaking on behalf of Aqua or anything, I'm just brainstorming here out loud. We can maybe add another...

B: What is their point, yeah, right? Is this thing, and this is one option, the other one is going through an adapter. I know, yeah.

B: I think we can, it's a good idea. We can consider it. This is why I'm trying to join these calls, to see.

B: It's a good point to start looking at that seriously.

E: Yeah, in fact, that would be a good question, right, which is: is this the first time you're looking at the policy report proposal, and is this something that will get integrated with kube-bench?

B: It's not the first time, but I am looking for the right opportunity to look at it. I don't know, like, what's the plan to make this proposal something more official, or is there any milestone that we should be looking forward to?

A: Yeah, so there is, you know, I think we have to try it out, and it's interesting, right, because I don't think there's any formal process to make it official. The idea would be, if we show adoption and if we show how this is used in different tools, then we can go back to maybe SIG Security and SIG, present this to them and see if we can get this promoted to its own repo out of this prototypes repo, right. So that would be kind of... I guess it's not really any official graduation, right.

A: So, but what we can do is, if this goes under, in the SIGs, and if there's adoption of it, we can propose it either as a CNCF sandbox project, which again I don't know if it makes sense to do that, or just move it at least into its own repository with its own namespace, where we maintain it, right, to say this is a policy report everybody can use.

A: So we have started using this for Kyverno, which is a policy engine project that I'm involved with from Nirmata. We also are using this, you know, in the multi-tenancy working group for multi-tenancy reporting, so there's...

A: So those are two examples, and I know JS's team is also, you know, kind of looking at integrating into a few things that Red Hat, in RHACM, and that product, right.

B: Yes, yes, well, good to know. I think we're... Definitely, it's definitely interesting, and we are going to look at it, how we are going to integrate with it. I can't say if it's like right now or maybe, right, maybe next...

B: Or something, but definitely something that's on our radar. Okay.

A: There are other ideas we had discussed, but we decided to focus on this as the first, you know, kind of building block, and then we can go back. And so, by the way, I don't know if all of you have been following, like, OPA is graduating, or they've submitted a proposal for graduation.

A: So there's some good discussions also over there on that thread, for, you know, the pros and cons and the trade-offs of using something like OPA and Rego versus other policy tools, and I think, you know, I'll follow up with those few folks who commented and invite them to come to our group and discuss.

A: You know, other ideas for standardization, right, because I think it's clear there'll be several tools doing different functions. So I think probably one of the things we can do is even, and I know Starboard has some classification of tools already, right. So perhaps we can use that framework, or we can extend that or refine that as needed, to say: hey, here are the types of different tools, whether it's image scanning to admission controls and configuration scanning or runtime...

A: You know, runtime kind of security type of tools, yeah, so those are the categories, and then these are some examples of tools which fall into each, and, of course, CI/CD, like, so out-of-cluster tools, right, so tools which can scan and manage YAMLs and report outside of a cluster itself.

B: Yeah, makes sense.

E: Yeah, so one thing is, I wanted to just say here that RHACM is integrated with Gatekeeper, right, so we are working on that, and the other thing is, I posted a link in the chat for OSCAL.

E: I don't know that you guys have looked into OSCAL.

C: Yeah, so I have had a look at OSCAL and I'm helping a couple of projects look at it. So I think the answer to the question is, you know... Certainly, I mean, OSCAL is a definition of controls. So if you look at policy, policy is either a statement of, you know, controls or itself a control, as I see it, and kind of the conceptual model, so I think, and I'm not an OSCAL expert...

C: So if I misstate the model, please feel free to jump in and correct, but I think that there are definitions within the OSCAL model for policy. It would be a component of, you know, some system, but it would, you know, it doesn't...

C: A component doesn't have to be software, it doesn't have to be hardware, it could be a policy artifact, and so I guess the goal would be to map policy as we think of it in this work group, as executable policy, machine-executable policy. Policy would be itself an asset in OSCAL, a component of OSCAL, and the findings in the CR API, for example, would map to some control definition.

E: Yeah, I think that makes sense, Robert, and what I was thinking was, if the policy report schema includes at least some of the elements of OSCAL, then a management tool that is consuming the various policy reports can provide a view from a particular standard perspective, right, whether it is NIST 800-53 or some of the other standards. That's where I see the linkage between the two.

C: You know, FedRAMP or NIST 800-53 says, you know, implement this, and I have to be able to demonstrate that my policies cover certain controls, so by kind of top-down mapping my policy implementation all the way down to my policy report output to a particular control, I can demonstrate: yes, I've accomplished that, I've mapped these policies and these outputs to a compliance statement tagged with these in OSCAL. From the other direction:

C: Query all the policy report outputs that are relevant to that control, so that I can gather that into my evidence locker. So the top-down and bottom-up use case. So that's why I think a bi-directional mapping is highly necessary in terms of, I guess, the other, the user. I don't know, maybe it overlaps these use cases. The first one, maybe, if I'm an actual FedRAMP authorizing official and someone drops an OSCAL-implemented FedRAMP package on my desk, and it's supposed to be machine...

C: Verifiable that I meet FedRAMP, then there needs to be a detailed tracing down to, you know, an actual policy artifact in machine-readable code that says: yep, it's implementing this control via this executable means, and the data it's generating is going to map to this control, you know, policy report output. So how that would work... I'm not...

C: I don't know how the mechanics of that would actually work, and how the validation tooling that the FedRAMP folks actually have ready. But I think that's the grand vision.

A: Right, yeah, I think that would make sense. Is there, you know... I know, Robert, you seem to know this, but is there somebody we also perhaps want to invite from, you know, who might be working on OSCAL, to do a deeper dive and sort of give a presentation in one of our working group meetings?

C: Yeah, I can. I can certainly reach out. I don't have a special relationship with any of the folks, okay, we're all just monitoring the same git repos and commenting on PRs and whatnot. So right now I can put the invite out there, but that's...

C: We can do that, but I'm happy to be the grunt worker to kind of put together some sort of an outline or just a straw-man proposal, and then...

C: And they have done a number of presentations, and then other peripheral groups, industry and federal groups, have done various OSCAL webinars. So I can probably collect a bunch of links and drop it into the Google Doc sometime, if not today, later this week. So if folks are interested in kind of the overview of what OSCAL is, yeah, that will give some background material.

A: Okay, I think that's good, all right. Yeah, the other thing, Robert, we were just discussing, and, you know, just thinking out loud, in terms of potential things we could produce, in addition to the policy report and, of course, continuing to, you know, grow the adoption of that, and maybe one thing that we could do, I was thinking on...

A: That is that it may be, once we have a few examples of these reports, we can even create like a CNCF blog post or something to advertise that this report's available, and, you know, just promote interest in it. The other, you know, potential deliverable, or something we could, you know, output from the group, could be, you know, starting to have some classification of the different policy tools that are in scope, right, that we're talking about, and I think Starboard has a good...

A: You know, sort of a grouping of these already, and we had discussed some of that with Liz and Daniel, and Itay, also from Aqua Sec, was just discussing that, so perhaps that could be also a document or a Google Doc we produce and publish somewhere to say, and of course that can and will change and evolve over time as things change, but at least right now we know that there's image scanners, there's admission controllers, there's configuration scanners, and runtime security type of tools, and there's examples of each of these categories, right.

C: Yeah, that makes sense. I know Howard and Erica are always putting together slides for various KubeCon presentations, so they're more dialed into that process. But I would imagine that whatever we can produce as a white paper or more guidance here, kind of bump it up to the... we could present it to the higher SIG group on the later 10 a.m.

B: There's a white paper that SIG Security is offering at the moment. I don't know if you've considered to...

C: Well, actually, yeah, that... I unfortunately had put on the calendar item today the discussion about OSCAL, but then took it off because I had this unexpected conflict, but now that I'm on there... There was a lot of back and forth chatter in that white paper review about compliance. It wasn't necessarily in the context of policy, but I think certainly everyone here on this call kind of sees that there's a nexus between compliance and policy.

C: So I had said that, yeah, we would kind of champion that as a discussion point for this group. I still think, now that we've had a little intro, I think it's probably beneficial to put that on the next meeting.

C: I'll, like I say, write up a little bit of a summary of OSCAL, how that integrates with the CR, and incorporate some of that chatter from the white paper review, but yeah, you're right, Itay. I think the gist of the back and forth on the compliance section of that white paper was that it was kind of, you know, open-ended. It would be nice if there was more substance to that component. At least that was the takeaway that I had.

C: I mean, I guess I'm trying to gather data versus project a particular solution. I guess the only bias I would have is that, you know, if the goal of the cloud native security white paper is to define compliance within a cloud-native infrastructure and conceptual framework...

A: Yep, okay, yeah, so maybe, Robert, is that something you want to do? You said you could write up a summary, but then should we put that on the agenda for our next meeting, or what do you propose?

C: Yeah, that's what I'm suggesting, is that I'll just expand on the agenda placeholder that I had for two weeks from today. I'll add details around OSCAL, and okay: are there resources that you would like me to explicitly review as part of how that connects to any of the projects you're involved in? I'm happy to take a look at those.

E: Yeah, I'm actually talking to some folks in the IBM Research team later today about this very topic. So let me see, you know, whether they have published anything externally, and I'm also planning to bring them into this work group as well, right, because they are also looking at this topic.

E: So let me try and do that, so that's one, and then, like I said, I have some contacts in this that I've been collaborating with, also from a Red Hat point of view, so I will ping them as well, so we can bring them into the same forum, right. So we can talk about that here.

C: Okay, yeah, then I'll try to get you an advance draft of, again, it's not going to be anything extravagant, just a simple outline, one-pager, but if you want to circulate that around to this group in advance of that call, then maybe we'll get some good feedback on the next session.

E: That sounds awesome, yep, so you can just put a link into this work group's agenda, meeting notes, talk, right.