►
From YouTube: CNCF SIG Security 2021-03-03
Description
CNCF SIG Security 2021-03-03
A
A
B
E
D
C
D
D
B
D
D
D
G
D
D
So
this
is
really
what
we're
doing
is.
This
is
taking
the
concepts
of
the
white
paper.
We
are
mapping
it
onto
a
cognitive
security
map
which
really
focuses
on
the
the
more
practical,
practical
use
aspects
of
it.
So,
looking
at
things
like
the
different
projects
which
you
can
use
on
different
aspects
of
cognitive
security
as
well
as
you
know,
what
are
some
examples
of
things
that
you
could
do.
D
D
All
right
so
this
stands
for
the
previous
issue,
but
I
kind
of
wanna
really
go
down
into
details
of
this.
So
what
we're
doing
is
we're
trying
to
scope
this
down,
really
bring
down
several
aspects
of
the
original
vision,
which
is
like
removing
some
of
the
thematic
aspects.
First,
focusing
on
the
content-
and
we
hope
to
get
this
done
by
the
end
of
march,
at
least
to
have
a
ready
prototype
in
which
we
can
start
refining
a
little
bit
and
then
we're
hoping
to
kind
of
launch
this
coupon
eu.
D
So
this
is
where
we're
going
to
get
a
lot
of
additional
eyes
on
this,
and
hopefully
you
know
bring
this
the
next
chocolate
version
or
strawberry
or
whatever
so
kind
of
as
an
overview.
So
this,
together
with
ash
and
diego,
we
are
coordinating
this
effort,
so
this
is
kind
of
like
a
quick
markup
on
what
it
would
look
like
so
cognitive
security
map.
So
you
have
the
different
stages
of
the
life
cycle
and
the
cognitive
security
white
paper,
so
you
could
go
into
the
different
ones.
D
D
So
diego
and
azure
are
going
to
go
through
the
content
aspect
of
this.
So
right
now,
it's
all
just
five
people
content.
What
we
are
planning
to
do
is
to
you
know,
include
additional
details
of
okay.
Here
are
some
projects
they
can
use.
There
are
some
examples
that
that
you
can
carry
out
as
reference
for
for
implementation.
D
D
We
have
already
some
contributors
there,
putting
the
name
down,
so
we
are
looking
for
contributors
both
in
two
areas.
One
of
them
is
in
developing
kind
of
the
website
that
we
saw
earlier
so
if
you're
interested
in
that
do
put
put
down
your
name
in
the
issue
and
say
that
you're
interested
in
development-
and
we
are
also
looking
for
content
contributors.
H
Yeah
so
as
brandon
was
saying,
we
would
love
more
contributors
to
in
this
effort
and
in
this
document
that
it's
linking
the
issue
and
just
please
ping
us
either
put
a
comment
in
the
issue
or
see
the
dog
that
we
are
specifying
in
a
channel
at
the
top
of
here
on
the
edge.
You
can
see
the
slack
channel
that
we
are
and
just
tell
us
that
you
want
to
help,
and
here
in
the
document
how
you
can
contribute.
H
A
B
B
It's
not
a
it's
not
a
tutorial.
It's
not
a
cookbook.
It's
not
it's!
Nothing
like
that
and
we
understand
that.
But
we
hope
that
people
will
understand
that
as
well,
but
but
like
if,
if
someone
wants
to
implement
a
specific
section
of
that
white
paper
right
that
that
the
best
practice
of
security,
specifically,
let's
say
for
runtime
protection
right
so
where?
Where
do?
Where?
Should
I
go
right?
So
what
where
they
should?
D
No,
I
think
I
think
that's
that's
well
said,
and
I
I
hope
that
this
this
document
will
kind
of
like
be
at
least
half
half
of
that
requirement
right.
I
think
that
we
are
still
not
going
to
be
at
the
point
of
like
the
cookbook
or
something,
but
definitely
it's
going
to
be
like
some
starting
guidelines
to
kind
of
get
things
started.
I
Don't
mind
me
kind
of
chiming
in,
I
think
cliff
notes
are
great
here
right
because
look
they're
already
in
the
inundated
with
you,
know,
guideline
books
and
best
practices
right
this
to
me,
cliff
notes
is
I
use
the
term
if
nobody's
familiar.
It's
just
like
basically
like
a
tldr.
This
is
like
a
tldr,
but
it
works
right
yeah.
D
All
right
cool
any
other
questions.
We
will
follow
up
as
diego
and
myself
we'll
follow
up
on
on
those
they
have
commented.
The
issues
to
kind
of
see
see
what
would
be
good
faces
to
to
kind
of
pick
up,
but
you
know
this
is
good.
This
is
going
to
be
a
fully
color
predicted
document.
So,
even
if
you
just
request
access
I'll
give
you
extra
start,
writing
stuff
feel
free
to
go
ahead.
No
one's
stopping.
A
So
brandon
just
a
question,
so
in
each
section
we
need
to
mention
different
projects
like,
for
example,
we
we
can
take
service
mesh
or
anything
right,
so
so
projects
can
be
mentioned.
But
what
you
want
under
examples
are
these
more
oriented
towards
different
use,
cases
that
that
could
be
solved
or
or
what
what
should
be
under
examples?
Is
it
use
case
or
is
it
I
mean?
Is
it
right
post
what
what
is
it.
D
So
so
the
idea
of
examples
really
the
the
motivation
behind
it
is
that
is
to
provide
like
a
better
illustration
of
if
someone
says
resupply
paper
and
it's
like
okay,
I
need
to
do
this
this
and
that
and
then
the
next
question
is
like
how
do
I
do
it?
So
the
examples
are
supposed
to
serve
as
a
way
to
say
that:
okay,
a
control
for
example,
for
image,
image
scanning
or
application
manifest
scanning
is,
you
know
you
should
not
run
application.
D
So
something
I
I
think
it
also
depends
on
the
specific
topic,
because
some
topics
are
a
bit
broader
than
others,
but
the
the
main
idea
is,
you
know
it
should
be
feel
free
to
really
go
down
into
a
specific
specific
example.
So
in
in
this
case,
for
application
manifest
scanning
you
can.
We
say
that
you
know
prohibit,
contain
images
that
use
the
latest
tags
you
know
prohibit
and
for
certain
registries
for
containers
and
things
like
that
so
kind
of
like
ideas
that
people
can
look
at
and
be
like.
J
D
D
Cool,
if
not,
there
are
other
examples
in
the
sdk,
and
I
have
already
put
some.
I
think
this
one
was
actually
written
by
car
reporters
written
by
someone
else
from
the
apec
apec
meeting
but
yeah.
This
is
a
ton
of
stuff,
that's
written
here,
so
you
know
free,
feel,
free
to
take
a
look
at
other
stuff
and
then
right,
based
on
that
cool.
C
Okay,
so
this
is
actually
kind
of
exciting,
because
it's
a
little
bit
more
actionable
for
the
community,
so
we
had
so
we
merged
in
the
new
security
review
process.
If
you
have
not
read
it,
please
go
read
it.
It's
very
awesome.
We're
extremely
excited
about
our
next
projects
coming
to
us
for
a
review
that
way
we
can
test
it
out.
C
So
this
is
not
at
this
time,
determined
to
be
like
you
are
fixed
to
the
hip
for
life.
This
is
more
just
that
initial
jumping
off
point
to
get
the
projects
to
think
more
about
security.
It's
also
to
provide
the
talk
with
evidence
of
this
new
security
review
process
and
how
it
could
potentially
be
applied
to
non-security
cncf
projects,
which
is
the
next
logical
progression
that
we'd
like
to
see
projects
move
in.
We
want.
We
want
the
sig
to
not
just
perform
security
reviews
on
security,
focused
projects
because
they're
already
thinking
about
it.
C
C
So
I
think
the
initial
thought
around
security
champion
is
more
somebody,
that's
integrated
with
the
project
which
we're
we're,
hoping
that
these
are
more
independent
than
an
actual
contributor
of
the
project.
It
could
be
a
security
champion,
I'm
not
fixated
on
an
any
particular
name.
We
want
to
approach
it
from
the
perspective
of
a
lot
of
security.
C
I
will
be
writing
an
issue
to
define
a
lot
of
this.
So
part
of
the
effort
is
to
not
only
look
at
what
this
individual
would
potentially
be
doing.
We
do
have
some
great
resources
from
the
container
d
team,
but
also
actually
picking
a
project,
seeing
if
they
have
the
appetite
for
this
level
of
engagement
and
then
following
through
with
probably
one
maybe
two
different
projects
to
determine.
One
is
this:
if
is
the
self-assessment
valuable
as
it
currently
exists,
and
two
did
the
project
get
value
out
of
the
engagement.
B
B
No
problem
so
so
yeah,
I
maybe
like
my
concern,
would
be
if
someone
starts
getting
involved
into
a
specific
project
right
and
and
and
then
they
can't
help
anymore.
They
start
volunteering.
They
stop
volunteering,
for
example
right
so
maybe
having
a
pool
of
security,
buddies
right
that
each
any
any
project
you
go
to
and
ask
for
help,
and
then
someone
takes
takes
on
that
issue
and
help
them
specifically
and
and
if
someone
is
not
responding,
then
another
person
can
take
that
that
would
be
a
better
approach.
From
from
my
perspective
is
advisor
too
generic.
C
Advisor
is
actually
what
they're
called
for
container
d,
so
that's
certainly
like,
but
certainly
an
option.
I
think,
having
a
pull
of
these
individuals
would
be
beneficial
as
like
a
centralized
point
to
contact.
But
I
genuinely
think
that
having
a
primary,
at
least
for
a
limited
engagement
would
be
very
beneficial,
because
you've
got
that
one
person
you
know
who
to
go
to
you
know
who
to
have
the
conversation
with.
C
B
Once
they
get
assigned
to
like
a
specific
project,
then
yeah
for
sure
that
would
be
the
the
point
of
contact
there
right.
But
but
I
think
that
at
least
we
should
have
a
slack
channel
off
of
security
advisors
right
and
they
can
exchange
information
there
where,
if
they
need
help
like,
for
example,
I'm
helping
this
specific
sandbox
project,
but
I'm
not
very
familiar
with
the
technology
or
what
they're
using.
Can
you
guys
give
me
some
pointers
there
and,
and
that
would
be
beneficial
as
well.
K
But
so
seriously,
as
I'm
sort
of
listening
and
thinking
about
how
I'm
not
too
familiar
with
the
sandbox
and
incubator
here,
but
thinking
about
apache
and
their
mentoring
for
incubating
over
there.
If
you
know
someone,
one
or
two
people
gets
assigned
to
a
project
if
it's
not
working
out
or
they
get
too
busy,
they
sort
of
go
back
to
the
to
the
the
mentoring
team
and
said:
hey.
Look,
I'm
too
busy,
I
tap
out
and
just
bring
someone
else
in,
so
that
that's
a
pretty
small
deal.
K
F
So
emily
from
the
six
perspective,
wouldn't
this
be
like
the
similar
process,
like
we
do
for
a
normal
security
assessment
right
we're
going
to
have
like
a
lead
security,
reviewer
we're
going
to
have
a
team
so
from
a
sick
perspective,
it
doesn't
need
from
our
perspective
it
doesn't
matter
if
it's
a
security
or
non-security
project.
On
the
other
end,
I
think
we
still
have
that
same
structure
so
that
we
have
some
accountability
and
obviously
there's
going
to
be
overview
by
the
co-chairs
and
the
etls.
C
Yeah,
so
this
is
I'm
in
an
ideal
world.
If
I
had
my
way,
this
would
be
like
the
dipping,
your
toe
in
the
water,
your
first
introduction
to
what
it
is,
what
it
means
to
be
cloud
native,
secure
for
non-security
focused
projects.
Now,
if
there
is
a
security
focus
project,
we
still
have
a
reasonable
expectation
for
them
to
have
some
security
specific
documentation
within
their
repository
and
that's
kind
of
what
the
self-assessment
does
is
that
it's
that
introductory
tell
us
about
your
project
from
a
security
perspective.
C
It's
the
same
joint
assessment,
joint
evaluation
that
we've
been
doing
with
some
more
detail
added
on
to
it.
Just
based
off
of
the
feedback
that
we've
received,
so
self-assessment
is
a
little
bit
more
lightweight,
it's
independent.
So
the
idea
is
not
to
analyze
the
project,
but
more
for
them
to
be
self-reflective
and
be
there
and
available
to
answer
any
questions
that
they
may
have
and
kind
of
have
that
guiding
conversation.
C
And
then
all
of
that
work
rolls
into
the
joint
evaluation
where
we
do
that
joint
kind
of
look
at
the
project
poke
around
at
it,
see
how
they're
thinking
about
security
and
how
they're
applying
it
and
where
they
fit
in
the
cloud
native
ecosystem
from
a
security
perspective
and
then
from
there.
Those
two
documents
when
they're
finalized
help
contribute
to
the
security
audit,
which
is
one
of
which
is
later
on
in
their
life
cycle.
C
So
it
sounds
like
there's
a
lot
of
discussion
about
it
and
would
be
beneficial
to
have
so
I
guess
I
will
go
ahead
and
create
the
ticket
and
we
can
start
having
a
little
bit
more
documented
discussion
on.
What
does
this
mean,
then?
What
are
we
going
to
call?
It?
Sarah
had
an
excellent
suggestion
to
use
a
very
specific
name
affixed
to
this.
That
way,
we
can
define
a
finite
term
during
that
evaluation.
D
L
L
Some
limitations
apply
I'm
already
chatting
with
a
couple
folks
in
this
committee
and
in
the
cncf
about
using
this
potentially
in
projects
like
spiffy
or
nsm,
for
taking
advantage
of
the
unclaimed
native
functions
of
attestation,
setting
up
mutual
tls
and
sort
of
wanted
to
see
like
hey.
We
literally,
we
just
launched
it
like
a
week
ago.
If
folks
want
to
kick
the
tires
or
check
it
out
and
we're
we're
looking
at.
How
do
we
integrate
this
with
kubernetes
and
how
do
we
integrate
it
with
other
projects
in
this
space?
M
Project,
so
can
you
eva,
I
had
a
question.
This
is
bene
here.
So
how?
How
do
we
think
about
this?
Maybe
the
one
thing
that
came
to
my
mind
is
service
mesh
right.
You
talked
about
mutual
tls,
some
kind
of
a
confidential
container
or
a
runtime
environment
and
you're,
adding
on
some
kind
of
security
capabilities.
L
M
L
A
lot
of
these
provide
similar
functionality
through
different
apis
like
it's
not
yet
standardized.
Each
cpu
vendor
has
something
different.
Each
of
the
cloud
providers
has
some
sort
of
an
attestation
service,
orthostation
model
that
is
layering
on
top
of
these
and
so
attestation,
in
this
scenario,
sort
of
the
proof
of
identity
of
the
machine
and
the
proof
of
identity
of
everything
under
it.
L
This
firmware
this
patch
level,
this
operating
system
patch
level
and
then
once
it's
running,
that
container
is
isolated
even
from
the
host,
so
the
root
of
the
host
dom0,
if
you're
in
zen,
cannot
access
it.
It's
hardware
separated
with
encrypted
memory
regions,
I'm
not
sure
you
know
they
all
do
it
a
little
differently
different
cpus,
but
the
goal
being
sort
of
a
blind,
hypervisor
or
blind
container.
L
In
this
case
and
we're
looking
at
some
of
the,
I
was
chatting
with
a
couple
folks
about
using
it
for
mutual
tls
in
service
mesh,
where
the
the
certificates
are
tied
to
the
actual
hardware
id.
So
you
have
just
an
extra
layer
of
proof
of
where
the
communication
is
happening,
that
something
hasn't
been
moved
off
the
cloud
or
out
of
your
region,
out
of
your
geographic
boundary,
bandwidth
area
still
early
spaces.
So
that's
sort
of
a
shotgun
of
ideas.
M
L
Great
question:
it's
going
to
vary
by
implementation.
I
think
we're
at
the
early
stages
right
now.
Some
similar
projects
launch
times
a
little
bit
slower
than
a
normal
container,
but
not
by
much.
It
might
not
be
great
for
a
function
as
a
service.
Yet
if
you're
expecting
you
know
sub
second
total
run
time
total
lifetime
for
your
container,
because
at
least
in
in
my
testing,
some
of
our
testing,
the
bring
up
time
is
measured
in
the.
L
Less
than
a
second,
but
it's
not
as
fast
as
a
regular
container
that'll
change,
depending
on
how
much
memory
you're
allocating.
So
if
you
were
allocating
a
very
large
amount
of
memory
to
one
of
these
enclaves
that
initialization
might
take
five
seconds
playing
a
number
out
of
a
half
still,
if
you're
going
to
run
it
for
an
hour
or
six
hours
the
length
of
your
of
your
ssl
certificate.
That's
still
fine.
L
There
is
a
separate
foundation
parallel
to
the
cncf,
also
under
the
dlf
called
the
confidential
computing
consortium,
and
a
lot
of
this
work
is
centered
in
that
body
and
this
particular
project
mysticos
is
right
now
not
homed.
In
any
foundation,
it's
just
developers
doing
some
work
as
far
as
the
discussion
of
surfacing
this
up
into
the
cloud-native
ecosystem.
I
think
that's
here,
at
least
for
now,
until
it
grows
it
outgrows
this
body
and
needs
its
own
channel.
N
But
hey
I!
This
is
his
hand.
I
mean
I
made
me
some
contacts
here,
so
I
have
a
question
regarding
the
mutual
json
part.
You
mission,
so
you
have
mentioned
the
hardware
id.
So
I'm
curious,
like
do
you
use
some
tpm
or
other
technology
to
make
sure
that
you?
How
did
you
present
get
the
hardware
id
and
put
that
into
the
trs
server.
L
L
L
D
L
L
Mystics
nrx
is
the
red
hat
project
yeah,
I'm
like
that
dslabs
mysticos
right
now.
Sorry
about
that,
so
the
the
main
difference
is
nrx
is
focused
on
waziwazum,
plus
its
own
orchestration
and
key
release.
Layers
mysticos
is
focused
on
application
portability,
so
bring
your
own
runtime
sorry
bring
your
own
application,
whether
it's
a
binary
you
compiled
in
rust
or
go
or
a
docker
image
right
now
we
have
support
to
just
take
an
existing
docker
image.
L
That
is,
there
are
some
some
limitations
of
what
can
be
run
in
our
current
target
of
sgx,
but
take
your
docker
image
simply
migrate.
Its
format
add
a
at
a
signing
or
attestation
around
it
and
run
it
in
enclave.
No
problem.
We
have
a
proof
of
concept
with
kimu
right
now
to
take
a
kimu
vhd
file
format
and
just
mount
it
and
run
it
so
very
different
approach,
but
same
hardware,
layer.
D
L
L
D
L
L
So
some
of
the
sgx
runtimes,
like
graphene,
they
work
around
this
in
a
really
slow
and
painful
way.
That
also,
in
my
opinion,
reduces
security
because
it
calls
out
to
the
untrusted
host
whenever
you
fork
to
launch
a
new
process.
But
if
you're,
assuming
that
the
new
process
is
trusted
because
it
was
launched
from
in
the
enclave,
the
reality
is,
it
was
launched
from
outside
the
enclave.
L
I
Ava,
can
I
ask
like
a
simple
question
and
again:
why
wouldn't
you
just
fold
this
capability
into
one
of
the
runtimes
like
a
trio
or
container
d?
You
know
what
I
mean
like
have
some
type
of
switch.
That
says,
hey
take
advantage
of
tee
and
all
that
and
again
you
know,
you
know
how
I
am
with
cliff
notes.
I
just
I
try
to
simplify
things
right,
so
I
I.
I
I
remember
back
in
the
day
like
just
way
back
in
the
day,
docker
was
doing.
I
was
at
hpe.
Docker
was
like
hey.
Can
you
integrate?
You
know
hp
was
like,
can
you
integrate
with
tpm
right
to
be
able
to
like
have
it?
So
you
know
getting
that
stuff,
and
it
was
like
that
kind
of
helped
to
kind
of
articulate
some
of
that
capability,
but
that
also
helps
in
widespread
usage
of
the
tool
when
it's
integrated
in
all
the
ingrained
in
all
of
those
various
runtimes
right.
So.
L
K
D
L
Problem
so
one
of
the
the
bigger
work
streams
in
the
ccc
that
I'm
co-leading
is
the
attestation
working
group
to
try
and
address
both
how
we,
how
someone
might
do
cross-cloud
attestation,
because
google,
amazon
and
microsoft's
cloud
attestation
services
are
different
and
how
you
might
do
cpu
across
cpu
architecture.
Attestation.
For
the
point
we
just
mentioned
unsolved
problem.
If
you
want
to
work
on
it,
come
join
our
sig.