
A

Good, good. So let's go ahead and kick things off. I think the first thing we need to do is to pick a couple of scribes for the meeting.

A

Do we have any volunteers?

A

It's a pretty easy process: you just type a little bit about what you hear. Ideally, we like two people to do this so that there isn't any problem if one of our scribes wants to talk. I'll also post the link to the Google Doc here. Please go ahead and add your name to the Google Doc as well, just to let us know that you're here. I'll add my name right now.

A

Ash is here, that's great.

A

Super, okay, so Ash has volunteered to scribe. Can I get one more?

A

Somebody? Anybody? Oh, they watch me, awesome. Thank you, alright! So we'll go ahead and kick it off. As before, we will start with our introductions. We had some discussion on the list about whether or not we should move away from everybody doing intros, but since that hasn't been settled yet, we'll start. I'll go first and then I'll go by the order of the names in the Google Doc.

A

So once again, please do add yourself there so that I can get an update. This week has been pretty busy for in-toto and TUF, things like this. We've discussed moving up to graduation for TUF and moving up to incubation for in-toto, and had some conversations around that, and we've had some other good things happen with adoption that, unfortunately, I can't talk publicly about yet. So I think next here is Justin Cormack.

B

Yes, so I've been working on trying to put together a small group with Steve Lasker on reworking Notary. We've had some conversations over the months about reworking Notary to be a registry-native protocol. So, if anyone's interested in that, can they ping me?

B

This is basically so that the Notary metadata is stored in a container registry rather than as a separate store, which means it's possible to move it around from one place to another, which is a heavily requested thing from a lot of people around usability of containers in a lot of situations where we're using multiple registries. So, if you're interested in that at all, please come and talk to me or Steve Lasker, and we should be putting together some meetings starting soon, hopefully. Great.

A

I know I'm certainly interested, so I look forward to joining. Awesome. Okay, Ash, hi.

C

Nothing to report on security this week. Okay.

A

Thank you, Ash. So...

D

I've addressed some of the comments in the OPA assessment doc, I think, as per your recommendation, Justin. So if everything looks okay... Regarding the GitHub issues for the points in the recommendation, I kind of consolidated those into a single issue. If you think we need separate issues for each point, if it warrants that, we can do that too. Just let me know what you guys think about it. Okay.

A

I think a good way for us to perhaps go forward with this would be for you and I and Sarah to have a call, because I've been talking quite a bit with her about things, because she really was leading a lot of the in-toto assessment and we're trying to, you know, make that all be fairly uniform. So why don't we set up a time to do that? Yeah.

D

Sure, sounds good, yep. All right.

A

Thanks, Rowdy.

B

Is the plan to present that at one of these meetings once we finalize it?

A

So the plan is that at one of the TOC meetings, when SIG Security gives an update, they'll talk about what their findings were from the OPA assessment. Okay, the way this happens is somewhat TBD. I was under the impression that we would need to present that earlier, like a week or so ago, but later on it was discussed that we would probably do that at a later time. So yeah.

D

I was waiting on September 3rd for an OPA date, but it didn't happen, so I thought... yeah, yeah.

A

Sorry about that. I think I was reading too much into an email that was sent; there were two conflicting email chains. So anyway, let's move on. So, ready? Hey.

E

Hi everyone, I'm working on integrating with...

E

Advancements. So I'm working specifically on integrating both TUF and in-toto in a Go project, and I'm also interested in running the verification process in a container for reproducible verification. So.

A

Excellent, yeah, I think that'll be of interest to a lot of people here, and obviously don't hesitate to reach out to myself or others if you have any questions or stumbling blocks, things like that. Thanks. Lakshmi?

F

Yeah so I just saw comments on new member space, and that is know most that beer is normalized.

A

Okay, awesome, thanks. Christian, hi.

G

Hi there. Actually, I have nothing to report on the security side, but I did attend a webinar that brought up a pretty good point about default configurations, and I was wondering if we have a list of insecure default configurations for a lot of popular open source software. My take would be to put it into some of our learning docs to make sure that when we present to students, you know, it's something that we say, "Hey, this is not secure, let's make sure to customize it."

G

So I was wondering if we have anything like that in SIG Security.

A

I don't hear anybody else jumping in, so I'll say I'm not aware of it, but I think we should have it, and I think this would be a great thing to create an issue about and to start a discussion on. I think this is an excellent observation there.

H

Was.

A

Your conversation?

H

At one of the conferences I was at recently, about working with open source projects so that in their docs they provide a secure configuration point, or point out areas in their default configuration that are not necessarily known to be insecure, but where there is a more secure option, and why somebody would want to use it. So I don't know if that effort went anywhere, but that was one of the topics that we had. Yeah, and...

A

It's.

H

Like.

A

Emily? Moxie, Boxy, whatever your username is? Yes.

H

With me, all...

A

Right, sorry, just trying to put a name...

G

Yeah, actually, one of the points in that webinar too was that a lot of projects... one of the things that they identified were like AWS and Google. They had recommendations, but the tendency was that users would just blow through those and unfortunately go in with insecure configurations. It's pretty interesting; not a lot of content, but pretty interesting.

A

Great, yeah, I think that would be a good thing to discuss on an issue. Mark?

I

Hey guys, nothing new on this side. For those of you that are interested in the privacy side, I thought I would just mention there's a public comment period that just started for the NIST privacy document, if that's of interest, so hop in and offer your opinions. That's it for me.

A

Great, great, thanks. Carlos? Sure.

J

Well, pretty much, we continue working on this Docker technology and we need some help with Docker Content Trust and Notary. I don't know if the guys from Docker are on the forum. If you can...

B

Send me.

J

A couple of names? Yes, that's...

B

That's me: Justin Cormack. Okay.

J

I can do it in a couple of minutes, or send you an email with my questions and we can talk. Thank you. Yes.

A

Awesome, okay. Brandon, hey.

K

So mostly I've been working on the container encryption stuff. We've been working with Red Hat to integrate it with this tag, and we started, you know, trying to see whether all the registries are kind of up to date...

K

...with the OCI images and stuff like that. So this is going well, actually. So, Rod, don't mind if I send you a message after that; I'm kind of interested to see that stuff, and this is kind of semi-related to the discussions that I wanted to have on Monday as well. So yeah, that's it for me. Okay.

A

Great. Emily?

H

Hi, so some great news regarding Security Day. We have 66 registrations as of yesterday, 22 submitted CFPs and another 18 in progress. We also now have a total of 3 diamond sponsors and one gold sponsor. Sponsorship sales are going to close on September 20th, so let Kathy or Amy know if anybody else is interested in sponsoring, and you can drop that into the sig-security events channel. That's about it for updates. Wow.

A

And that was fantastic news. Terrific, okay. Christian Kemper, hey.

C

I'm Christian and I work for Google Cloud Security. Nothing new to report for this group for this week. Okay.

A

Thank you. Have enough?

L

Hey guys, I'm from free mile. There's nothing new to report on the security side. I've been working on Sal Khan Cuban. Ladies.

A

Okay, thanks. John?

M

Nothing to note at this time, all.

N

Right, JJ.

M

Hey, I think regarding the security event, Emily gave an update. We do have a regular sync with John and Liz, where we get the direction for some of the prioritization and work. I'll keep you posted on that. We have one that's coming up, so for the next meeting I think I'll basically be able to bring some information back, but it will also be good to get what the group wants as clarity from the TOC. That's about what I have.

M

I do have an agenda item to discuss. I hope we can get to it, but I added it and I ended up...

A

Okay, sounds good, yeah, we'll get to those later. Okay, Erica.

O

Hey there. I've been in the updates from the Kubernetes policy working group. We have a couple of items. You know, we've made progress on some formal verification for the policy configurations, starting with the RBAC access controls. We have a plan and we're starting with some of the modeling.

O

For that, the proposal you can see was merged into the SIG Security repo under policy, so check it out if you're interested in that. Some other related work: we're keeping tabs on OPA and its Gatekeeper project, which is moving, I think; they're making plans to get it towards a GA stamp.

O

They're investigating its possible use as a recommended replacement for pod security policies. And also, I guess, KubeCon North America in San Diego in November, the schedule was announced. We will have, I think in the contributor summit, we're looking to do a workshop with some of the verification work. Creating it... Zack Smith, awesome.

A

Okay, TK, I think you're the last one, is the name...

N

Down the...

P

Last one, but I don't have anything new to report, so thanks.

E

Oh.

A

Well, thank you. That explains why no one was answering; I said, okay, thanks. Has anybody been missed? Anybody whose name isn't on here that I accidentally skipped? But most of you gave an update. Okay, so now that we've completed the initial check-ins, we are supposed to have check-ins from partner SIGs and working groups. So, does anyone from Kubernetes SIG Auth want to say anything?

N

Okay,.

O

I...

N

Can...

O

Only report on some of the discussion where they're talking about the pod security policies.

B

Can you post a link to that in the meeting notes, like, because I couldn't actually find it; I tried to find entries. I mean, you can also add...

O

Links to the meeting notes and related issues. I'll go find them. Thanks.

A

Okay, right, the policy working group. So I guess, Erica, would you like to talk about that, or I think...

O

It's basically the same as what my personal update was; that was kind of...

A

How about this Kubernetes security audit working group? I'm not personally familiar with that myself, I don't believe.

A

Okay,.

B

Hearing that, we had one of the people in here a few weeks ago, I bet. Nothing. Oh yeah, okay.

A

How about the NIST big data working group?

I

Yeah, so we are working on the overview document for that. We have a tech writer who got assigned for that. It's probably not going to be of too much interest to this group at this point, but it'll just make it easier to read the eight volumes of that when it finally gets out of NIST review later this year.

A

Okay, that'll be good bedtime reading, I'm sure. Awesome. Okay, how about the announcement, the PSA for meeting facilitator? JJ, I think you're going to lead this off.

M

Yeah, so, first of all, thank you to the few people that raised their hand to be the meeting facilitator. It's tremendously useful, both for the person facilitating and for the team, to get a broader understanding. So the main idea is to become a full-on distributed system, so that anybody should have the context to run the meeting at any time eventually, but I think we do need some form of guidance in that aspect. So there will be a few people running this.

M

The other agenda item that I've had, should I go with that as well? Justin, yeah.

B

Yeah, so there are three facilitators, Brandon, me and Jerry, who have volunteered so far. If anyone else...

Q

Somehow I'm the first one doing it.

B

If anyone wants to become one, there's a list of criteria to check off, and I think it's a really straightforward set of things: that you've participated in processes, a great achievement, what's going on. Yeah.

P

Yeah.

B

Yeah, JJ, do you want to go through your agenda item?

M

Sure. So one of the things that distills to the initial comment that Cappos was making as well, in terms of scrapping the little intro. So one of the things that I noticed in our group is that there are people with varying expertise in different areas of security.

M

So I was thinking, as a team, if we had a page where we could basically list our name, the subject matter expertise that each one of us has, and our willingness to be approached for that area of expertise, whether it's questions, comments, or injecting them into a review process. If that can be specified, then it helps all of us tremendously in terms of just being efficient at getting stuff done. So that was a thought I just wanted to bounce.

M

That idea. What this allows us to do is also skip intros, because at any given time people will know who people are, and then we don't have to keep doing the intro every single time we meet.

M

So that was an idea that I just wanted to bring up with this team to see (a) what we think about it, and (b) if there is someone who's passionate, because it's not going to happen by itself, if there is someone who's passionate about driving that effort to completion. I...

B

I definitely think knowing what people have expertise in is really useful, if you want to find someone to help you with something, or to be able to ask, you know, if people need to understand an issue or something like that. I think it's definitely helpful to have a go-to, kind of...

B

Because often it's difficult, especially now that there are quite a few people, and if people are not around constantly, they won't necessarily remember who it was at the meeting who was interested in X that they're also interested in.

K

So I'm just wondering, because I was thinking that if someone would be interested in, or wants expertise in, something, should we say that they should create an issue, and then we can have a discussion on that, so, you know, multiple people can chime in?

A

That way... I also, because it seems like the sig-security Slack channel might be this. Sure, here, I...

D

I think it's good to have the list that you're suggesting, JJ, that's useful, but I think this stand-up, this mode, not just the introduction, is more about what people are doing, and I think that's right as well. So having both could be useful, but replacing the stand-up with the list, that would not be directly helpful. That's what I think, I mean.

B

Maybe we just need to streamline the stand-up so that people put their names down on the list if they've got something to say, rather, so it's just quicker and more efficient.

M

Yeah, okay. So yeah, I mean, I think both would be, obviously, I think, useful. But any volunteers for getting the initial list on our site? Which basically means work involved, and sometimes pinging people, getting a page in place where people can come and add stuff.

A

I have kind of a question about this. I'm imagining stepping in, so, sort of, what would this look like? Like, how do people talk about what it is they've done without just, I mean, like linking to their LinkedIn or their Wikipedia page or whatever it is?

M

Good question. So another thing that came up when we were discussing this is, should we be prescriptive about the category of things that we would want people to say, like "I'm an expert at this", or should we let it be free-flowing in terms of "describe your traits", in which case you can put in your page, LinkedIn page, LinkedIn post. But the more specific it is, the easier it is for us to tap into somebody for help; the more generic it is, the more descriptive it is...

M

It's just not going to be effective to say, for example, "security audit", and I want to get guidelines for an audit. Then Cappos, I keep picking on you, versus going and looking at a Wikipedia and a LinkedIn to figure out that Cappos may be able to help me with the security audit question.

M

So, good question. I mean, I don't know, I just want to hear people's thoughts. Yes.

A

So you triggered something that I've been thinking about, which is: we have this landscape and we have these notions of projects, and so, you know, maybe one way to do this would be to have people signal if they're interested in things related to either projects or gaps in the landscape where we hope to one day have a project, because then it pretty naturally falls along the guidelines of the group here, which is all, at least allegedly...

A

You know, cloud native interested.

M

Not like... oh yeah, I'll shut my mouth now and wait to listen to others in terms of what they feel. I agree. I mean, I agree with that suggestion. I think that makes more sense. That's a bit more prescriptive and more meaningful and very... Oh.

B

Yeah, maybe it needs to be in the sort of size of a sub-project. Let me say, for example, Brandon's working on encrypted container images, which is useful in the short term while he's working on it, you know, over the year or so, while he's waiting or whatever, and other people might be interested. That's not a project per se, but it's an area of focus within a project or projects.

B

It is kind of cross-cutting. Or supply chain security is a cross-cutting thing that, you might say, you understand separately from a project. Yeah.

D

So what if, like, JJ, you may already have this, you define like these 10 things that you need expertise in, and you can subscribe to those categories. That'll be much simpler; you can just say, "I care about audits" or, I don't know, security something, whatever, 10 categories, and people can then say, "Okay, my expertise is audits, B, C, D," whatever it is. It could be helpful if you define the high-level categories for the expertise you are interested in.

D

Yeah.

M

I mean, I'd be happy to, since you raised it, since you sort of... you and I can work on it. I can sort of ping you to create that category with you, and cold night with the chef, or...

D

Sure, yeah, okay.

M

Yep, I think I can follow. Cappos, if you're the one taking the lead, I'll definitely be available to help. But if you want me to, just let me know. Sure.

A

Yeah, go ahead, it's your idea. I'd rather see your vision and help to make it a reality. In Poznan, all...

M

Right, so let's follow through on this on Slack and issues, then I'll spin off an issue.

A

Awesome, okay. So do we have any other items here on the agenda? I don't spot anything. Is there anything that we missed or anything someone wants to discuss? I...

E

I have a question related to how SIG Security works with other CNCF SIGs. So there's a new SIG forming, CNCF SIG Delivery, and we're very early in the process of defining everything that this is working on. But essentially it's working on the lifecycle of a native application, everything from definition to deployment and rollout automation, platform, and I'm wondering what the relationship of SIG Security is with other CNCF SIGs with respect to how they either recommend security measures or anything related to how they operate together, how they work. I...

B

I think we don't really know, yes, is the kind of straightforward answer, because we were the first SIG and we haven't interacted with SIG Storage. So I think we need to work this out still.

E

Specifically, I'm asking because there are a bunch of areas that are interconnected: there's the security story for the artifacts project, there's a security story for CNAB, most of them aren't in the same space, and I'm really looking forward to not duplicating efforts in all of these projects.

B

We can definitely do reviews of those projects, because that's something that we are doing, so if you want, if we want to prioritize having a security review of those things. But for the bits where they're being designed, I don't know if we want to have... I mean, obviously I'm interested, and other people are interested in the work that's going on. But I don't know if it makes sense for SIG Security to have an official role working on that, or whether just the people, some of the people involved... One tool is...

E

I just wanted to... I don't...

B

know. JJ, what do you think?

M

Sorry, can you... can you keep their a lot, click below? That's good. I...

B

I was just saying that we haven't officially had any working relationships with other CNCF SIGs because they're all quite new compared to us. So we could obviously do audits of projects that, say, SIGs are interested in having audits of, because that's something that we definitely do, but I'm not sure if we...

L

Have...

B

Any way, a kind of way of having any other kind of working relationship, other than people in this group who are very interested to work with them. I don't know if there's any official way we should work together. Okay, why, together, so...

M

When we started this group, one of the ideas that we had floating around was people from our group representing in their meetings, and then kind of... somebody like... there was the cross-pollination happening from their meeting to catch up on ours. It's not a scalable model, and I think it's just going to rely a lot more on people than on process.

M

So the short answer is, it's a good idea. I don't have a good way to make that happen. I could...

M

In the TOC meeting, we could try and bring that up, in terms of if they have any suggestions on collaboration between different SIGs. Yeah, it's good. If that doesn't happen, I see your point; if that doesn't happen, we get more isolated.

M

I would encourage you to raise this as an issue on the email list for the CNCF; it's pretty valuable, and I think Liz at least might have some inputs and suggestions on this.

M

I'll...

B

Chime...

M

In. I'll definitely chime in based off of our understanding on that. Great, it'd be good for you to bring this up to the broader CNCF.

P

Speaking of these different categories and such, I brought up an issue a while back and never heard much of a comment on that. It has to do with edge security, whether we should be concerned from the CNCF perspective.

P

Well, whether edge security should be part of our scope, and, if so, how do we deal with it? I think I referred to a Linux Foundation group that addresses edge security at that time, and I was wondering whether collectively we feel like we should be liaising with those folks. My understanding, from the last time that I met with them at a conference, is that they haven't done very much, but they are concerned about edge security. They would be very receptive, I suppose. In that perspective, does anyone have any comments?

B

It just released the white paper, which was posted on our Slack about ten minutes before this meeting.

B

So I had a counselor come. You know, I'm interested in security because we embarrass issues of it.

B

It's a kind of niche thing, just, I guess, a lot of people are not interested in it.

P

Yeah, I just joined this Slack group, so I probably missed out on that comment or anything, but I personally feel that there's more and more interest in edge processing from many different technology perspectives. So that's kind of coming to the ecosystem; regardless of where we decide, it will exist.

P

The question is whether we do have the capability, as well as the interest, to, you know, include that as part of our, at least, concern, or something that we should be looking for, because it's very difficult, I think it's getting very difficult, to put a demarcation line prominent enough to make it, you know, completely segregated from each other, the cloud versus the edge, especially from a security perspective.

A

Well, maybe what we can do... It feels like this is an issue that there should be a subgroup for, that's interested in and focused on it.

A

You know, I am a person who is interested in this, but I can imagine that others on the call may or may not be, so maybe what we can do is move that to a side discussion and arrange other meetings for it and have more follow-up there. Is there any other...

B

There are also potentially some edge projects that we might be interested in, and see if... I guess I'm certainly aware of something down the road, potentially.

A

Yeah, that would be great. Us definitely moving further into that purview, I think, would make sense. I don't know that, you know, maybe I'm being premature with it, but it feels like right now we shouldn't dive too far into that rabbit hole on the call. Are there other agenda items that people want to discuss in this meeting?

K

This one that I wrote down, it's kind of... I think it's more clarification for myself. I wasn't sure, I may have missed a meeting, on what was happening with the current security assessment, with Keycloak, Falco, but they'll be kind of just pushing Keycloak back, and then everything Falco connects well.

B

I think we're waiting for guidance from the TOC, which JJ hopes they can give us next week. Okay.

K

On...

B

How they want us to prioritize things.

K

Okay, all right, this one's good. Yeah, I think I missed that discussion. Yeah.

H

Cool.

A

All right, anything else for this meeting?

B

Don't forget, submit your talks before Friday! First, yes.

M

And promote it; the more we get, the better it is. Thank you so much, all.

A

Right, sounds good. Everybody, enjoy your 20 minutes of time back. Thanks, everybody.
From YouTube: CNCF SIG-Security Meeting - 2019-09-11

Description

Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io

Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.