►
From YouTube: CNCF SIG Security 2021-03-24
Description
CNCF SIG Security 2021-03-24
C
B
D
A
So
go
ahead
and
fill
in
attendance.
I
think
that
this
meeting
today
should
be
a
pretty
short
one.
We
don't
have
anything
much
on
the
journey,
so
I
think
what
we're
going
to
do
is
we
are
going
to
just
do
check-ins.
I
think
I
see
a
couple
possibly
new
people
here,
so
we
can
do
some
introductions
and
then.
E
A
F
F
A
Thanks
matt
for
helping
this
work
so
yeah,
that's
I'm
gonna
start
off
with
kind
of
just
going
around
before
that.
Just
the
usual.
You
know
this
is
a
recorded
meeting.
It's
covered
by
cncf,
so
the
usual
cncf
conduct
guideline
supply
all
right.
So
just
going
around,
let's
see
no
updates
marlo!
You
have
a
question
about
smi.
E
Sorry
is
finding
my
mute
button
yeah,
so
summarily
I've
been
going
to
the
smith
community
meetings,
which
also
coincide
with
these
ones.
So
I'm
here
every
other
week
and
their
meetings
they
were
so
smi
is
service,
mesh
interface
and
the
reason
that
they're
interesting
is
that
everyone
is
running
their
own
service
meshes
and
istio
seems
to
be
riveted
in
various
places
and
if
you're
trying
to
run
a
particular
version
of
istio,
you
often
can't
because
it's
riveted
to
various
products,
and
so
I've
been
pushing
for
smi
in
kubeflow.
A
E
E
G
E
C
C
How
can
I
say,
more
low-level
role
into
the
assessments
and
my
idea
was
to
to
be
able
to
advertise
the
security
assessments
towards
more
junior
developers
and
people
who,
maybe
I'm
not
sure
if
there
are,
if
there
are
any
in
the
group
or
if
there
are
people
who
are
new
to
security
in
this
group.
I'm
not
sure-
and
that
was
my
one
of
my
assumptions-
that
I
don't
know
how
how
many,
how
experienced
and
who
joins,
who
joins
the
meetings.
C
But
my
idea
was
to
somehow
make
it
more
accessible
to
people
with
maybe
no
or
a
little
security
experience
and,
as
I
see
it
as
a
way
to
a
way
to
get
more
people
involved
in
the
security
assessments
and
of
course,
I
call
that
I
called
this
role,
something
like
a
trainee
or
I
know
if
you
should
call
it
the
intern
or
something.
But
the
idea
is
to
have
someone.
C
My
idea
was
to
have
someone
from
the
other
reviewers
who
is
willing
to
answer
your
questions.
If
you
have
more
questions,
because
when
you
don't
know
how
much
about
security
you
need
to
ask
somebody
who
is
more
knowledgeable,
and
I
I
expect
I
yeah,
I
expect
that
this
role
will
be
something
like
it's
an
optional
role
and
if
somebody
wants
to
volunteer
in
that
role,
you
should
find
the
sponsor.
C
You
should
find
a
mentor
who
is
willing
to
help
you
in
the
assessment,
and
if
there
is
somebody
who
is
taking
that
responsibility,
then
you
can
be
become
a
trainer
or
something.
And
after
you
have
successfully
finished
a
couple
of
those
or
I
don't
know
how
one
or
two
you
can.
Even
yeah
you
can
join
as
a
for
yeah.
It's
a
food
reviewer.
A
A
I
think
we
we
kind
of
talked
about
a
little
bit
about
this,
a
while
back,
like
you
said,
and
I
don't
think
we
we've
had
kind
of
we.
We
had
a
couple
people
just
like
what
we
did
last
time
was.
We
said:
okay,
here's
a
review
channel.
You
know
you,
can
you
can
stick
your
head
in?
You
can
like
listen
to
the
meetings
if
you're
not
participating,
but
at
least
you
know
see
how
it
goes.
C
C
A
C
Well,
yeah,
but
the
issue
is
closed
and
I
just
want
to
hear
others
opinion
before
from
proposing
that
I
mean
that
was
my
idea,
because
I
looked
back
into
the
discussion
when
on
the
meeting
when
it
was
closed
and
I
think
it
was
done
yeah.
I
know
one
of
the
six
chairs
had
mentioned
that,
probably
it's
better
to
it's
better
to
promote
joining
as
a
regular,
the
viewer
instead
of
joining
as
observer
or
trainee,
or
how.
However,
we
are
going
to
call
it.
C
But
my
point
is
because
we
don't
know
how
experienced
developers
are
here
on
this
channel.
There
could
be
really
on
on
each
of
the
reviews
there
could
be.
There
could
be
developers
who
are
experienced
and
don't
I
mean,
are
not
know
what
they're
doing,
but
also
you
don't
you.
You
can
end
up
in
the
situation
when
you
have
a
couple
of
trainees,
let's
say
or
a
couple
of
people
who
don't
who
are
not
actually
knowledgeable
enough,
and
that
will
be
a
way
this
little
role.
B
I
think
as
a
review,
where
we're
essentially
passively
ingesting
materials
and
then
kind
of
engaging
in
a
conversation
about
the
design.
I
don't
think
it.
I
don't
think
the
skill
bar
is
as
high
versus
when
you're
engaging
in
an
assessment,
you're
you're
kind
of
naturally
you
know
just
human
nature,
putting
yourself
in
a
more
defensive
position
as
the
as
the
project.
So
you
kind
of
want
folks
who
can
go
to
tech
with
the
developers
on
particular
issues,
whether
they're,
you
know
friendly
suggestions
or
actual
criticisms.
C
C
B
A
So
so,
to
also
kind
of
add,
after
that,
I
think,
a
while
ago
we
were
talking
about
yeah.
We
had
this
issue
here.
We
had
a
bunch
of
different
issues.
We
had
a
bunch
of
different
things
that
required
people,
and
then
we
had
a
bunch
of
new
people
that
came
in
and
then
we
couldn't
really
like
there
wasn't.
There
isn't
a
good
way
for
people
to
match
like
a
lot
of
people.
Comments
like
what
is
that
to
work
on
what
should
we
do?
A
A
C
I
Yeah,
it's
leading
thanks,
yeah
no
worries
so
yeah.
Actually,
I'm
a
new
contributor,
I
just
you
know,
checked
out.
I
guess
one
of
the
messages
on
linkedin
and
I'm
a
bit
involved
with
the
kubernetes
community.
You
know
making
full
requests,
participating,
release,
triages
and
stuff
and
yeah.
I
hopped
on
to
the
seek
security,
and
you
know
I'm
finding
my
way
through
the
good
first
issues.
I
guess
that
was
just
a
topic
that
was
being
discussed
by
martin.
I
F
Sure
yeah
no
problem
so
yeah,
I
added
the
blog
post
to
the
chat
there.
We
just
released
it
today
just
a
few
hours
ago.
This
is
the
blog
post,
announcing
the
cloud
native
security
day
right
for
for
the
cubecon
eu
2021.
That's
gonna
happen
on
may
4th
this
year
and
we
announced
about
that
we're
going
to
have
a
ctf
and
also
that
we're
going
to
have
a
live
stream
during
the
ctf,
where
we're
going
to
invite
some
guest
interviewers
right.
F
So,
for
example,
here
some
names
that
are
already
confirmed
are
liz
rice,
brad,
gizman,
tabitha,
sabo
and
rory
mccooney
and
david
mckay.
So
those
are
people
that
are
knowledgeable
about
kubernetes
cloud
native
and
security
and
we're
going
to
invite
them
to
talk
about
the
challenges
during
the
ctf
and
how
they
would
go
about
solving
them
and
ask
about
any
tools
or
anything
that
they
would
use
to
to
solve
those
challenges
without
giving
too
much
away.
F
So
we
already
have
that
book
during
the
during
the
event
on
on
the
twitch
stream
on
the
cloud
native
foundation
stream
on
twitch,
and
we
have
two
separate
time
slots,
so
we're
gonna
do
that
and
yeah
at
the
end.
I
just
mentioned
about
the
the
the
prize
that
we
we
got
from
devsecond
right
about
the
security
team
and
everything
that
that
brandon
has
a
picture
there
holding
the
the
prize.
Do
you
have
the
trophy
there
brandon
yeah.
F
F
A
J
So
we
have
a
theme
where
the
we're
modeling
it
on
what's
happened,
of
course
in
in
the
major
kind
of
internet
melting
security
problems,
we've
seen
in
the
last
four
or
so
months,
but
we're
still
in
the
weeds
of
defining
these
scenarios.
So
if
anybody
has
something
that
they
think
would
be
a
great
learning
outcome
for
attendees
or
that
they
think
is
a
particularly
difficult
thing
to
do,
because
really
the
scope
here
is
all
the
way
from
beginners.
J
We
look,
I
guess
the
second
part
of
the
marketing
blurb
is
everybody
is
welcome
from
beginner
to
hardened
veteran
and
really
we
want
a
learning
path,
taking
people
from
relatively
easy
stuff
at
the
beginning,
that's
maybe
self-evident
through
to
something
at
the
end,
that
is
a
piece,
the
resistance
kind
of
territory
so
welcome
any
contribution.
If
anybody
has
something
in
particular
that
they
think
would
be
useful
and
yeah,
please
do
please
do
join
the
day
as
well.
If
you
want
to
play
on
on
the
4th
of
may,
thank
you.
B
B
So
I
guess
the
question
is:
they've
done
a
ton
of
work,
putting
together
the
the
their
document
under
that
initial
framework.
Are
we
now
under
the
new
framework
where
what
kind
of
a
reset
do
we
need
to
do?
And
then
you
know
we
we
would
need
a
couple
more
reviewers,
because
all
the
folks
who
were
available
last
year
are,
you
know,
may
or
may
not
be
available.
So
we
need
some
additional
reviewers
to
sign
on.
B
Well
right
now,
as
far
as
I
know,
it's
just
me
because
they
they
just
re-engaged
last
week
or
well
a
couple
weeks
ago,
liz
on
the
custodian
side
started
reviewing
the
google
doc
from
2020.
So
in
the
last
couple
weeks,
they've
finished
reviewing
that
google
doc,
but
all
of
the
commitments
we
had
on
the
ticket
go
back
to
you
know
july
of
last
year.
So
I'm
presuming
I
you
know
nobody
is
currently
actively
signed
on
as
a
reviewer.
A
Yeah,
I
think,
can
you
clean
paste
the
link
to
the
the
ticket
again
in
the
chat,
so
that
folks,
in
this
call,
can
take
a
look
at
that,
but
yeah?
I
think
this
may
be
also
a
good
opportunity
to
kind
of
you
know
for
those
that
are
new
and
want
to
check
it
out.
Usually
we
have
maybe
three
to
four
reviewers,
but
you
know,
depending
on
the
amount
of
interest
that
we
get
you
know,
maybe
we
can.
B
Well,
this
should
be
a
good
one
for
for
those
who
are
interested
to
start,
because
kapil
and
team
have
done
a
really
thorough
job
on
their
kind
of
self-assessment,
google
doc.
So
it's
got
a
lot
of
detail
in
there.
It's
been
been
thoroughly
reviewed
by
other
folks
initially,
so
I
think
justin
was
on
a
couple
of
calls
with
capilla
myself
early
on.
So
it's
it's
a
fairly
mature
document.
At
this
point.
A
Right,
I'm
gonna
also
mock
that
the
one
the
the
issue
is,
you
know,
needs
help,
and
then
we
can
so
one
thing
that
I
think
would
be
something
that
you
could
do
is
try
and
send
the
security
mailing
this
an
email.
We
got
quite
a
lot
of
response
from
that,
where
we
did
it
for
the
white
paper
and
the
security
map,
so
that
could
be
a
place
to
to
try
and
reach
out.
B
A
A
Okay,
yep!
If
it's
too,
if
you
find
there's
too
much
work,
I
think
it's
because
this
is
kind
of
like
the
transition
process
like
this
was
defined
before.
I
think
it
would
be
fine
to
use
the
old
template
as
well,
but
if
you
can
use
a
new
one
that
would
be.
That
would
be
better.
But
if
it's
too
much
effort,
then
don't
worry
about
it.
B
Okay,
I
think
that's
probably
just
a
function
of
how
many
volunteers
we
get
and
if
we
can
break
it
up
into
small
enough
parts,
it
should
hopefully
won't
be
too
much.
There's
def
again,
I
think
all
the
source
material
that
we
need
is
there
for
sure,
like
I
said,
they've
done
a
good
job
on
the
custodian
side,
giving
us
lots
of
good
data.
So
now
it's
just
massaging
it
into
this
new
format.
K
K
Metrics,
because,
what's
in
the
pack
what's
happening,
is
that
many
of
the
metrics
are
using
are
not
really
usable
like
saying
here
are
all
the
vulnerabilities
of
kubernetes
since
the
start
of
time
versus
here's?
How
many
we've
discovered
in
a
given
period
of
time?
Here's
how
many
we
fixed
in
a
given
period
of
time
and
the
general
state
of
health
would
be
useful,
but
even
that
still
misses
the
mark.
K
So
I
put
a
link
to
the
mailing
thread
or
to
the
mailing
list
thread
or
specifically
to
the
message
that
they
called
it
out
from
from
liz
rice,
but
there's
a
whole
thread
there
that
that's
been
going
on
for
a
while.
That
would
be
good
to
get
some
people
to
weigh
in
on
other
than
that.
Just
wanted
to
raise
that.
A
L
Yeah
I
mean
I,
I
think
this
is
a
general
thing
about
vulnerability
management
across
the
board.
Right
I
mean
I
hold
my
hands
up
here.
I
work
for
snake
and
that
that
vulnerability
data
is
coming
from
us.
I've
seen
that
thread.
I
don't
really
want
to
wade
into
it,
because
it's
like
full
of
controversy
and
but
but
also
you
know,
some
of
the
some
of
that
stuff
is
presentational
to
do
with
how
the
linux
foundation
is
consuming.
The
data
coming
back
from
snake,
so
yeah.
L
Yeah
I
mean,
if
you're,
if
you're,
if
you're
consuming
sneak,
you
know
it
through
the
sneak
ui,
you
get
a
whole
bunch
more
remediation
stuff
in
there
right
and,
and
you
get
a
lot
more
detail
on
the
on
the
prioritization
stuff.
I
have
to
say
I
haven't
looked
too
much
about
the
what
the
how
the
linux
foundation
stuff
is
is
presenting
it
other
than
following
that
that
thread.
I
know
there
are
also
discussions
going
on
between
the
linux
foundation
and
us
about
how
they
could
better
present
that
data.
L
K
Yeah
exactly
so,
if
yeah,
if
you
have
any
resources
or
anything
like
that,
you
can
point
towards
this
to
say:
hey
here's,
some
recommendations
on
ways.
You
can
get
more
meaningful
input
because,
at
the
end
of
the
day,
metrics
are
about
changing
behaviors
and
they
can
change
them
positively
and
negatively.
K
Then
this
this
tells
a
story
and
there's
multiple
interpretations
of
it,
but
it's
more
detailed
than
you
know
we're
flying
blind
and
versus
the
current
set
of
metrics,
which
it's
hard
to
tell
how
how
used
how
useful
they
are.
So
anyways
yeah
just
wanted
to
make
sure
that
this
is
something
that
we
can
get
some
people
to.
Possibly,
if
it's
something
you're
all
interested
in
that
we
can
it's
an
area
that
I
think
we
can.
A
H
H
H
J
Team
I
mean
if
people
want
to
have
a
conversation,
I'm
happy
to
jump
in.
I
I
think
it's
vulnerability.
Management
and
assessment
is
not
a
dark
art,
but
it's
certainly
it's
a
difficult
job
because
it
requires
so
much
knowledge
of
what
those
security
things
are
and
yeah.
I
I
have
to
jump
in
and
kind
of
provide
a
perspective.
L
K
M
L
H
H
M
Or
agenda
items-
and
this
is
biome-
I
did
have
a
a
question,
so
I
was
trying
to
finish
up
going
through
the
native
security
map,
vanilla
document-
and
I
noticed
I
mean
it's-
it's
trivial
I
think,
but
I
I'm
gonna
just
bring
it
up
to
see
what
other
individuals
thoughts
are.
So
as
as
I
was
going
through,
the
document,
I
noticed
there's
a
slight
flow
break
on
the
topics.
So
as
an
example,
I
noticed
how
we
have
static
code,
analysis
and
das
somewhere
very
further
down
in
the
list.
M
I
think
it's
part
of
I
think
it
was
part
of
distribution,
even
I'm
just
general
recall,
but
it
was
after
you
know,
building
an
image
and
I
was
just
wondering:
should
we
have
it
more
tailored
towards
what
our
normal
pipeline
would
be
so
when,
when,
as
you're
reading
this
they
understand
at
what
junction
they
should
introduce
a
static
code,
analysis
and
data
versus
you
know,
you
now
have
an
image.
You
now
have
a
manifest.
You
know
all
the
different
stages
and
just
to
make
it
a
little
bit
better.
H
H
I
can
put
his
name
here:
he's
gathering
the
feedback.
So
if
you
provide
the
feedback,
then
I
think
in
the
next
version
we
can
take
that
up,
okay
and
update
the
paper,
because
there's
more
work
to
be
done.
Obviously
that
was
done
in
a
very
short
timeline
and
we
just
published
the
paper,
because
we
wanted
to
announce
that
at
the
cubecon
and
have
something
out
there,
but
of
course
there's
cloud
native
security.
You
can
write
books
on
it
right,
so
there's
a
lot
of
a
lot
of
scope
for
improvement
there.