Kubernetes Policy WG : CNCF Security SIG Policy Team Meeting 2020-10-14
A
Hi, Anca, hello. So, because it's just the two of us here, it looks like Robert, who was the other person interested in OSCAL, had a schedule conflict, so I think he is not able to attend.

A
I'm not sure whether Jim is coming. Let me see here.

A
Okay, so let's give it a few minutes. If nobody else is joining, then we may have to come back in two weeks and present. I think that's what we need to do. I'll put... I'm adding some notes into the document.

A
In this call and in the meeting notes: okay, yeah, why don't you do that? That's a great idea! So let's go ahead and have you present it; that way it's recorded and people can review it.

B
Yeah, and then we can ask, you know, what is the feedback? I hope the PR would be... maybe so the sample would be available for everybody. Let me... I need to share.

B
Okay, can you see my screen? Yep? Okay, so I have here two JSON structures, left and right. They are both related to the result from the Compliance Operator via OpenSCAP, and those originated...

B
XCCDF results are structured here around the OSCAL assessment result subset of objects, and I will explain which ones. So I think Jaya presented OSCAL in the prior sessions, so the team members are aware of OSCAL as a compliance framework, as well as the schema, the data models for that framework, and as well as the documentation standardization.

B
So here we are leveraging the OSCAL schemas, the data models, and in particular the assessment result schema. The framework is complex, as well as the schemas that are associated with that at the various levels of the flows of the data flowing through the framework, which brings right into the schemas dependencies on the different...

B
You know, prior steps. But if we are looking only at the subset of observations and findings, we are able to extract a set of objects that can be leveraged to describe the results in a way that we do not need all the other dependent artifacts on the prior steps in OSCAL. So I present here, left and right, those Compliance Operator results in this JSON form, one based on the OSCAL findings.

B
There is no mention of regulation or the controls within a regulation. What you will see are the CIS benchmark rules with the timestamps and the results, and this is what we have on the left. We have a bunch of properties that we can find in that file, right? What is the run of the test, right? What are some remarks that are in there?

B
So all the, I would say, items that are not strictly related to the result and to the rules are mapped here under the properties, the observation properties, and as part of that we get also the rules that are associated. And I'm looking here at two particular rules, right? So I'm looking at item 9 and item 10, and they describe the rule, particularly the ID of the rule in XCCDF; one is finger service and the other one exact amount requested same time out. So these are the rules.

B
In the case of Compliance Operator, I have a result per worker node. So if I have two rules and three worker nodes, I'll have six evidence items. Here we have just, you know, for the sake of this example, two rules on one worker node, and I'll have those two rules, so I have the properties in the one being: okay, what is my rule? What is the timestamp and what is the status?

B
So we are talking about the scope. In this case it was a cluster with one worker node, so subject references is the object under which I put the subjects of my assessment and the references to those subjects. So in the case of VMs it would be, you know, the IPs associated with that and so on. In this case, I'll have the...

B
The details associated with that worker node that we could find in that result from the Compliance Operator, and there is one last item, observation methods, where I can describe details; in this case it is an automated test. The reason why I find this relevant is that if we have certain tests that are done manually, and this is the case, for instance, in the CIS benchmarks that are not implemented, they do not have a script within the...

B
OpenSCAP logic, right? They will be marked as info or not checked, and the meaning behind that: this is a check that is done manually. So we can capture that aspect as well here, knowing that the result will be passed in a manual way.

B
So this is mapping what we have in terms of the XCCDF from the Compliance Operator on top of the OSCAL assessment result observation object.

B
Now, if we are looking at the code that is available and the data that is available for the Compliance Operator, particularly the compliance-as-code project, we find, as part of the data available, the mapping of the rules of the CIS benchmarks to various regulations. So in particular the OpenSCAP for OCP or for Linux, right? They are both covered by the Compliance Operator.

B
We see the definitions of the profiles, and the SIG has a profile for NIST, a profile for CIS, a profile for HIPAA, and, you know, other regulations, and we find, as part of the documentation in compliance-as-code, that mapping between the CIS benchmarks for RHEL 7 and the NIST 800-53 controls that are relevant for that.

B
In the case of OCP, we are looking at OCP4, so this is OpenShift Cloud Platform version 4. We have only two that are mapped, but through other artifacts that are available in compliance-as-code you are able to infer that mapping as well. So now, depending on where the logic of associating those results on the left, right, just the observations, with the corresponding regulation that is of interest to the consumer, right, the consumer may be looking at NIST level or CIS level or HIPAA level.

B
The result that we send back to the tool that is providing the display, or creating the document for that regulation, may contain also the association with the controls, and OpenSCAP, sorry, OSCAL, allows that mapping as well. So I present here on the right an addition to what we have on the left in order to include the regulation. So the left one is regulation-agnostic, the right one is regulation-aware, and you see here under observations, right, I'm marking here, right, this.

B
What we have here are basically the details that I have on the left. So we have the properties, the evidence group, the observation methods and so on for multiple items, and what I have above is the delta that I'll show how OSCAL handles in order to provide the mapping to the controls.

B
So we are talking now about results group and findings. A finding includes multiple observations, but the finding maps one-to-one to a control in the regulation of interest. So here I'm looking at NIST 800-53, so one finding, right; I'm looking at item zero. We have two items in here: item zero and item one. So item zero is interested in the control AC-3.

B
So the objective and objective status object in here contains the control AC-3 and the result with the value fail. This is the aggregated result across all the constituent rules that are associated with that AC-3. Those can be rules in OCP4 CIS benchmarks for Kubernetes; those can be in RHEL 7.

B
These are the Linux benchmarks, right, that are associated with AC-3, so all those will contain observations with their individual status, and what we have here in the objective status is the regulation-level AC-3 NIST control with the aggregate status across that. In the properties here we define all the rules that are associated with AC-3, and we have rules that come from the CIS benchmarks on Kubernetes, as well as rules that come from the RHEL 7, the Linux.

B
So we have here all the rules, and now we expect that the observations will provide at least one observation for each rule. If one of those rules is missing, the status that we have here will be error or missing. So now that we know what are the rules that are associated with AC-3, and because here we are in the context of the Compliance Operator, we are looking at CIS benchmarks, but if we are looking at other contexts, right, you may have other rules in there.

B
We are looking at the observations, and I said the first observation is for the rule, you know, limit user access, and, as we've seen before, I will have here the properties associated with that. We'll have the evidence where I present what is the rule and what is the status. So in this particular case, this is not checked. Let's see what was the target?

B
The subject, the resource on which that was: it is a VM, okay, and the details of the VM will be provided here. Okay, I'm talking about that worker node in that cluster, in that region. So whatever is provided by the Compliance Operator result, right, will be here, so we'll have the details of the target resource.

B
In this case it was this worker node. We'll have the evidence that will tell the rule associated with the status, and in the properties above we'll have additional details related to that, like the result or the timestamp associated with that. So this is one item; we can look at another one, and this comes from another VM. In this case we had a cluster with three worker nodes, so we will have the results in the observation, right.

B
Three observations: one status for each rule for each VM, and if we look at the others, you will see also results from the Kubernetes CIS benchmarks, because in the dependencies for this AC-3 NIST control I have both CIS Kubernetes rules as well as Linux CIS benchmarks. So the subject reference here, I think, would be a worker node, and those will be the details of the worker node in here: the location, the cluster associated with that and so on.

B
And if we are looking at the evidence, okay, what would be the evidence, right? You'll see the rule that is associated with that and the...

B
Result, right, the failure. So the logic here: actually we have this implemented, and the logic that we use is that if we have any failure, it's a failure. If we have any error, it's an error. If we have any warning (we are looking also at trends, right, for some of the rules, so if we have a warning, right, I get close to a limit of a value of a parameter), I have a warning. Else, if everything passes, I have a pass.

B
So let me close the observations here and go back for a second to the objective. So in this control AC-3, OSCAL provides also an object which is implementation status. That allows me, or allows the user of the system, to tell whether this...

B
Control is implemented completely or partially, right? So this means that the interpretation of NIST AC-3 from the point of view of the rules, the CIS benchmarks that are associated with that in the properties, completely covers the AC-3 control. So then I'll have a complete, and complete and pass, right, will give me a pass for this control.

B
However, if this control is partially implemented, meaning that the benchmarks that are associated with that do not fully cover all the items that the control requires, I will have here the implementation status as being partial, and then the result, instead of being a pass if everything passes, will be a partial pass, because it's not completely implemented. And one last item here: we discussed that under the observations, right; in the observation we also give this observation method, whether it's automated or not.

B
If we are dealing with a mix of automated test assessments as well as manual assessments, until we have the manual items as well in the system, that will also be a partial pass. So if I have all the results from my automated tests, right, everything that I get from the OpenSCAP that has a script, right, to check a rule, if everything passes but I do not have the results for the CIS benchmarks that are manual, it will be also a partial pass.

B
So all this, let's say, levels of granularity and levels of detail to inform the user on the actual posture of a control are supported in this rich schema that comes from OSCAL. So now, depending on the level of leverage, right, in this project, this working group, right, we can select the subset of that or, you know, go with the full-blown set of items.

B
So I know it's a mouthful and we have many items covered, but I would say in summary here that what we... and by the way, the pull request that I created for the sample, right, that I submitted, is for the complete one here on the right.

B
If we need, I can submit also the simpler one, but since this one includes the observations of the other one, I submitted only this one. So in conclusion, right, we are able to map the current, you know, XCCDF result. Part of XCCDF is very rich, right, so it has items related to remediation. It has items related to violations and so on; this wasn't the scope of this exercise.

B
So in this exercise we only focused on the results that are presented in XCCDF. By the way, OSCAL also supports the description of the remediations and threats and risks, and so on, and other aspects, other objects associated with the assessment results. Again, they are not subject of this presentation and the modeling that we have done between the XCCDF and OSCAL JSON here. But if we are interested, right, I can bring samples related to that as well. So we only looked at the results.

B
We've seen that the OSCAL observations object can encapsulate the aspects related to scope, right. What is my target subject that I've done the assessment on? One covers the evidence.

A
That's great, thank you Anca, and I think I see Jim has joined, which is great. Hey.

A
Excellent, thank you. Yeah, so Anca, just so you know, is at IBM Research and she's working actively with IBM Cloud, and so, since they are also looking at feeding, you know, information about results from these controls assessment, I kind of pulled her into this work group, right.

A
Yeah, and she's also dug deeply into OSCAL, and so I think this work she has done is a very good example, I think, of how we can bring OSCAL into the policy report standard, right, that we are trying to standardize.

C
Yeah, and that's a good question. I did see your pull request as well, and thank you for, you know, providing the detailed report there. I think the question we need to think through and, you know, discuss is: is the expectation that the policy report, like a policy report, would contain all of the OSCAL report details, or what is the mapping and how will the two live together, right?

C
So I'm not sure, like today in your system, when you're producing this OSCAL report, I'm sure there's other systems consuming that directly and that will continue. So what is the expectation from the policy report? So if we want to put some of this data in a Kubernetes CR, or maybe all of the data in the Kubernetes CR?

B
Yeah, this is a, you know, a very good question, and since OSCAL again has this many layers, and, you know, it's a full-blown framework, right.

B
We've done baby steps, so the way that we adopted OSCAL was in phases. So we have created our own schema validation, and initially we had more items being optional than in the validation that you have in the official OSCAL project. So that's how we adopted it. So one way of moving forward is having mandatory only those objects that are necessary, right, in the context of the working group, and then, as you move forward, additional ones can be enabled as mandatory and the schema validator updated. That's how we worked our way into the complexity of OSCAL.

C
Okay, so, but which would it be: that OSCAL, the OSCAL report and that schema, remains like a superset of what we want to put in the policy report, or do we want to see if all of this somehow fits, even if it's generic untyped data? Somehow we want the policy report to contain this information? I'm not, yeah, not too clear about how or what would be the goals over there.

A
Yeah, I think, Anca, didn't you say that if you want to kind of break up, you know, what OSCAL is providing into buckets, right, so there is the result, and then there is the remediation, and then you are talking about evidence, right.

B
So the, yeah, the result and the evidence reference, right. So if we go here into the observation, right, we have the evidence reference, right, and reference at the policy and the status, right.

B
Then we can have a separate... there is a separate sub-item here on the remediation. What are the issues associated with that, or the tickets or actions that are recommended and so on? Then there is another item related to risk.

B
And I think the reason for leveraging, right, those is if this result is sent to a system that deals with enforcement or, right, automatic remediation, or whether it's sent to a GRC system, sorry, where risk is needed in order to fit into the processes that they have there to associate risk with that. So I think, as Jim, you know, pointed out, I think it's...

B
You know, fair, very fair, that, depending on what is the goal, right, of this policy result and a framework that it is used within, right, more or less of those items will be leveraged.

A
Right, and it comes, obviously it originated in this, and there are other parties contributing to it, and it seems to me that the policy report is essentially representing that in the context of Kubernetes, right, for Kubernetes CRs or Kubernetes resources, right, controls to protect a Kubernetes environment. So then OSCAL obviously can apply to all layers of the stack, right, not just Kubernetes but also VMs, etc.

B
Yeah, that's the beauty of that: that, at the end of the day, we are able to put together a report where those different items can be aligned, because if I'm looking for AC-3, right, or the other one was AU-3, I picked up those on purpose, because these are controls that gather their aggregated result across the stack. So in order to meaningfully be able to aggregate that, we need those different layers in the stack to produce a result that, you know, we compare and are able to aggregate.

A
Yeah, and I think from my point of view, right, given, you know, the focus that I'm working on is security and governance, I think, as everybody knows, that needs to be applied across the stack, right, for all the controls, and you want to be able to represent the results in the context of a standard that the customer is interested in, you know, whether it's industry, 800-53 or PCI or HIPAA, whatever, right. So I think this kind of brings that to the table.

A
So I really like this approach of bringing the OSCAL concepts into the policy report definition so that we can start to have a more consistent way of dealing with all layers of the stack. You know what I mean, Jim?

C
Yeah, I think that makes sense, so I think the question then becomes: so are we expecting, so for the Kubernetes layers, when we are reporting, one option is, okay, we could say, well, let's just adopt the OSCAL definition and somehow see if we can take that definition and represent it as a Kubernetes CR, right. That would be one approach.

C
The other approach would be to say, okay, we still want to provide some generic top-level information, like we have in the policy report, which is something that we're inventing, but then somehow we can, you know, keep all of the OSCAL. I don't know which layer it would cleanly map to, like, so I see there's findings and there's a results group of findings and observations, so somewhere in there.

C
If we map one of those layers to a policy result, then we could put all of the other data in just like the generic kind of an object, right, which is untyped or unstructured in the policy report. But yeah, it is tempting to kind of at least take a deeper look. If this work has been done, if it's used and if it's comprehensive, can we represent this OSCAL report or the entire structure in Kubernetes, right, for the Kubernetes layers.

B
The first thought is: am I locking, you know, myself into a, you know, rigid schema or structure and so on, and I can share the experience that we had: items, as part of that, that through the experience, you know, in the field, we found out that, you know, things have to be handled in a different way or it makes sense, more efficient, and the OSCAL team was open and flexible to take these feedbacks and make changes in order to be more efficient.

B
So if we find out that the exercise that you mentioned, Jim, let's have a deeper look, and you see that some things are needed or missing or need to be done in a separate way, although the schema is pretty flexible and generic, the team is open to listen to those feedbacks. So this was a positive experience for us.

C
Are there examples of how these reports have been used, like whether it's for user interfaces, like reports, like, you know, more, I guess, user-consumable reports, right, that are produced? So that'll be interesting to see: are there actual real-world examples of this data being taken and translated into something consumable by administrators and people concerned with security of these systems? Because that would be a good data point to see that, yeah, then this makes sense that we also support it for Kubernetes.

A
Yeah, I think we are just starting to... Yu is on the call; he's in my team leading our GRC squad, and we are just starting to look at this, right, in terms of putting it into the product, so we haven't done that yet. But that said, Yu already has submitted an example of our config policy controller within RHACM, how it would use this standard to represent the results. So what I'm saying is that we have mapped our existing controls to this standard.

A
The existing policy report standard, right, and now that Anca has done the work of bringing OSCAL in, we have to kind of redo that mapping, I think, because I think some of the fields that you have filled out were not done as part of Yu's work. But that said, our control today already has standards, control categories and controls in it.

A
So we already have those pieces of information for our policies, so we should be able to fill those in based on the example that you have here, and I think I would like to proceed in this direction because, eventually, like I said, if you take the RHACM product today, it already has, look at our dashboard, it already summarizes the controls in the context of the standards, right.

A
I think, by making sure that when third parties contribute to our Open Cluster Management policy collection repo, right, where they start contributing policies and so on, if they also return results for this standard, I think this will make sure that they are also including the control categories and controls and standards in terms of the results, so that when we roll it up in our UI we can have everything contributing to that overall picture, right, because that's really what customers are looking for, right. When they operate a cloud they're saying, you know, I have to operate it to a standard, and when I'm using governance, I want to know what am I actually governing?

A
What are the gaps, right? And so for that view we do need this information. Otherwise it's going to be just islands, right; we'll just know policies, but we wouldn't know, you know, where do those fit, right.

B
And right, I think this is, that's an important path that is needed and where this can help to, right, standardize and organize across the stack. Another direction that I have seen the compliance, right, institutions going towards is automatic generation of the documentation. So we are talking about those...

B
You know, hundreds of pages of the reports for the audit, and our initial thought, and they started producing a particular, call fire, which is the first one that we've seen interested in OSCAL templates for those documentation that can then be automatically filled out from the assessment results in OSCAL. So that's another direction. We are not yet there, but for us that's the ultimate goal, right, to help the automatic generation of the audits. Yep, yep.

C
So I think the other question that comes to mind is, and I don't have an opinion on this, just kind of wondering out loud, as you know, so part of the driver or the motivation for the policy report was to have something that the cluster admin could see, and that we have all of these different, you know, the growing set of policy tools for Kubernetes, right, whether it's image governance or runtime policies or configuration scanning, things like that. So the question is, like, this report, it...

B
So that's one aspect of your question. The other one, I think it depends, and we've got exactly into the core of this concern, right. If we are looking at the Compliance Operator, I think we have about 600 rules, right, so is it the expectation there that an admin will be able to go through those 600 in one document? And of course, that's not, you know, feasible.

B
So we are looking at organizing those OSCAL files and objects in a way that it is easily handled by the person that is looking to make changes to the profile or the policies and so on, and this is done by structuring all these, you know, results and the policies in GitHub in a way that is easy to navigate. The other approach that we have is via the UI, where I think it's very similar to what Jaya has today in RHACM, where we are able to search, or we are able to display, right, through navigation.

B
What are the policies, and then display the content that is relevant just for that particular. So you see here an observation is kind of self-contained. It has the evidence, the scope and the properties, so those would be the two means by which that can be done. If I can make the comparison, the first one is more like the Linux approach, the second one is more like the Windows approach, so, depending on, you know, the type of users that we are dealing with.

A
Yeah, I have to drop, but I think this is... I know, Jim, I'm sure you have to think through this, and I'm hoping... I know Robert couldn't join, so I'm hoping that he will listen to this recording, and I think we should come back and regroup, right.

C
Yeah, let's have another discussion on it, and maybe, you know, like, I'll do some more research and read up on this too. This is super interesting, and I mean, I agree, it makes complete sense. I'm just, you know, we need to kind of make sure that some of the initial intent of the policy report are still met, right, like in terms of having something simple for the user to see and understand.

B
Yeah, I think one interesting aspect for us would be: are the users interested in configuring those policies at the CIS benchmark level? Is this... or are they rather interested in having blueprints, the same way that the CIS benchmarks create those, or the OpenSCAP, actually, those profiles?

B
So I'm taking my 400 NIST rules and I'm taking my 300, you know, CIS benchmarks, and I know that they are targeted to HIPAA or to NIST or to the right level, and I try... or do I really have to go and edit within each rule of those, you know, four hundred? If you have any usability at this point, I would be very interested, because that would drive the user experience in a different way.

C
All right, yeah, makes sense. I think that's something we need to think through, and I don't know, like again, will the mapping be done externally? Will it be done on a per-rule basis, and, you know, who represents that, right? But at a high level, what we, at least with the policy results, the policy report, like, just if you do run a CIS benchmark, the idea would be to at least be able to see some summary status and understand...

C
You know, kind of be able to represent that in Kubernetes as a native object of what the benchmark results were. Now, details we have to decide: are those separate CRs? Are they part of the same report, or, you know, those managed in external tools, right, and all of those are possible options, but the more flexible we can make this, I think the wider adoption and usage we'll see.

C
So is there, like, in this, are there provisions for even providing things like summary counts, etc.? Because that was one of the things we wanted to do in the report is have some ability to say how many total passed, failed, or is that just something, I mean, obviously you can process that by scanning through the data, but is that also available?

B
That would be as part of the properties, so it's not singled out as such, and the reason for that is that this is part of a larger hierarchical structure. So you have those individual observations, then you group them and aggregate at the controls level. Then you group them at a regulation level. Then you group them at the profiles that, you know, may include multiple.

C
Okay, and then, so, like, just going back to the hierarchy, you know, so there is the result group, the findings, the observation, so how? Where does it? So, if I'm running like a CIS benchmark, and you had some example of this, is the CIS benchmark mapped to the, like? So let's say I'm running CIS benchmarks for Kubernetes?

B
Correct, so we pick a regulation, right. So in your case, in our case, we had NIST; you say, well, I'm looking for CIS benchmarks. This means that my finding here, my control, right, it is the CIS benchmark itself.

B
So then that's what I'm declaring there, and that's my 12 o'clock, and the rule, the observations that are associated with them, would be mapped one by one. So if you are looking here at this item, so let's say that I'm looking for a CIS benchmark, I'm not looking for AC-3.

B
This means that that will be mapped one to one to an observation, right, because, although I have seen in OpenSCAP that it can be sometimes that the CIS benchmark is implemented by two rules, right, so this is the finding, right. It is the regulation level, and then what I have on the left, these observations, right, are the individual results. So what the finding allows you to do is that the level of mapping to say, well, what are my...

B
My individual results out of which I create, in this case, the CIS benchmark. But I will say, 99% of the cases I will have here a CIS benchmark and I have one-to-one, one observation associated with that. You change the finding to NIST, right, I have these, you know, four properties, four rules for CIS benchmark that are associated with that, so you can use it across any type of regulation or benchmark that you need.

B
The object above those observations and findings, which is called assessment result. So as part of the assessment result, peers to result group would be the SSP; it would be the inventory on top of which I apply my objectives. So let's say it gives you flexibility, as an auditor, to fine-tune your audit, right. So if I'm doing OpenSCAP and I'm doing all the Compliance Operator, and I put it in this format, right, it is all or nothing. What the other levels, peers to result...

B
Group, allow me to do is to say I'm looking only at this set of inventory, I'm looking only at these particular clusters, or these particular VMs, and my SSP will give only those items. So then, when I go here into observations, I will not have 100% of my inventory; I will have a subset of that. Another... sorry.

C
Okay, no, I'm just, yeah, I see, so. This seems like this report, then, is generated based on what you're trying to, what information you're trying to gather, right. So if I say, okay, I want to look at maybe some subset of my clusters or maybe some subset of nodes in a cluster, then the report will, the result group will be for that particular.

B
No, I try to find, because I think what I try to say is that the more layers you add to this onion, the more functionality you get out of the OSCAL framework. So right now we looked only at the core results, right; you add to that the SSP, you get flexibility on handling the scope.

B
Assessment methods, and it allows you to describe, let's say that I have 10 tools to do assessments, right. I have Compliance Operator, I have cavionics, I have Prisma. I have, right, different tools, so it can be that an auditor says, you know what, I want that tool, the results from that tool, so it allows you to describe what are the methods. So again, OSCAL is very rich, right.

B
Another aspect, it's called, a peer to result group is called objectives, so the objectives is derived from the object of profile, so where you say, I'm not interested in full NIST 800-53, I'm interested only in the access control part, or I'm an auditor that is only familiar with the network aspect, so I want only the boundaries-related controls, right. So the more levels you add here, right, the richer starts to be the way that you can tune.

C
Okay, all right, yeah. This will be interesting to think through and discuss and see how we want to, like, because if we have certain policy frameworks running in a Kubernetes cluster, how should they store their information, and then seems like maybe we do need a little bit of something which can allow queries to pull this together and pass back a particular report in Kubernetes, right, or if you...

B
Yeah, the reason why I didn't add all these other layers is because they are dependencies, as you say, right, so this means now I need a discovery system that provides inventory in the OSCAL SSP format, so I'm able now to build this into this report. So I removed on purpose everything so that the people are not... that we need all these other tools.

B
But now, if we have that discovery and we are able to produce OSCAL in other aspects of Kubernetes, like inventory as code in the OSCAL SSP format, then we are able to put those together and leverage them here as an item.

C
All right, yeah, let's... I'll do some research, and thank you for this again, and I know we're coming up on the hour and we both have other meetings coming up. So we'll maybe continue the conversation offline and we can meet again next time.

B
Yeah, so I'm really looking forward for the people, hello, good evening, good afternoon, who is listening to that, and please join next time to provide the feedback on this proposal of policy result standardization. Yeah, looking forward.