►
Description
Kubernetes Policy WG : CNCF Security SIG Policy Team Meeting 2020-08-05
C
D
A
B
A
D
A
Folks,
I
think
that'll
be
that'll,
be
a
pretty
good
proof
point
at
least
we'll
at
that
point
see
if
we
got
enough
for
traction-
or
I
did
have
one
other
agenda
topic,
not
so
concrete
as
a
discussion,
but
as
I'm
doing
a
lot
more
with
nist
853
policies.
I
wanted
to
talk
about
how
those
might
map
to
both
the
cr
and
then
more
generally,
kubernetes.
A
A
E
C
A
A
B
A
A
You
know
how
that
might
map,
or
not
to
to
some
to
a
framework
like
oscar,
where
you
you're,
trying
to
automate
the
category,
the
definition,
categorization
and
implementation
of
of
controls
and
policies
being
one
of
those
types
of
controls,
both
again
written
and
computer.
Executable
policy,
so
that's
that's
the
broad
strokes,
just
curious.
If
anybody
has
has
any
overlap
with
those
areas.
E
And
so
definitely
you
know
we
are
looking
at
in
that
context
right.
We
are
looking
at
it
and
there
is
also
an
effort.
That's
going
on,
I
can
see
christian
is
on
the
call
as
well.
Both
kristen
and
jacob
can
talk
a
little
bit
about
work
that
is
going
on
in
the
open
shift,
but
it
had
open
shift
product
area
related
to
bismuth
controls
and
in
the
context
of
the
compliance
code
project.
E
Okay,
so
in
the
open
cluster
management
community
project
we
have
a
repo
called
policy
collection
and
so
in
this
collection,
what
our
goal
here
is
to
come
up
with
a
set
of
x
policy
examples
for
open
customer
management
and
the
way
we
have
organized
the
report
structure
is
we
have
a
stable
folder
and
we
have
a
community
folder
this
table
folder.
Is
it
contains
policies
that
ship
as
part
of
the
open
as
part
of
our
product
offering,
which
is
red,
hat
advanced
cluster
management
for
kubernetes?
E
A
E
One
of
the
policies,
it's
in
yaml
format
and
then
it
kind
of
walks
through
how
it
is
organized.
We
are
also
working
with
various
contributors
outside
of
our
product
space,
so
those
policies
are
going
into
this
community
folder
and
we
welcome
contributions
from
everybody
right.
This
is
open
to
the
community
and
again
we
are
organizing
this
in
terms
of
the
new
statement
at
53,
and
you
can
see
here,
we
have
a
couple
of
policies
donated
by
ibm
research.
E
This
is
a
policy
that
is
oprah
related
policy
that
is
donated
by
one
of
the
red
hatters
who
is
working
in
the
consulting
explained
facing
role,
and
he
also
rotated
this
other
one
as
well,
and
then
we
are
also
working
with
systick
and
they
have
created
policies
for
their
falco
operator
and
the
systick
secure
right.
So
the
idea
here
is
that
they
will
put
in
here
the
actual
policy
file
and
then
obviously
the
policy
has
to
be
consumed
right.
E
So
so
that's
the
whole
idea
right
that
not
all
the
code
is
within
our
open
cluster
management
project,
but
the
policies
are
here
so
that
and
the
policies
can
be
also
written
in
other
languages
right.
So,
for
example,
if
you
have
written
a
policy
in
oppa,
that's
fine
too
right,
because
we
have
a
way
to
wrap
oppa
and
ship
it
from
rackham.
So
we
can
do
that
so
so.
A
They,
I
think,
the
the
part
that
I
mean
this
looks
great.
By
the
way
I
mean
this
definitely
fits
with.
What
I
was
thinking
is
necessary,
the
the
dots
I'm
trying
to
connect
is,
you
know
you
think,
going
through
these
fedramp
or
other
government
buyer
processes,
you
you
can
imagine
you
know
we,
we
think
in
terms
of
actually
running
cloud
infrastructure
and
doing
devops,
and
you
know
devsecops.
D
D
A
D
D
So
the
compliance
is
code,
repo,
which
plays
a
role
with
open
cluster
management
right.
The
the
rackham
offering
can
call
into
our
our
compliance
operator,
which
will
run
on
an
individual,
openshift
or
kubernetes
cluster
compliance's
code
is
intentionally
written
with
scap
because
it
is,
you
know,
nist
certified
right.
It's
a
nist
standard
security,
content,
automation
protocol,
it's
a
pain
in
the
butt.
D
But
I
think
I
think
it
will
be
really
interesting
and
and
jakob
you
might
want
to
chime
in
here,
because
you're
probably
more
familiar
with
exactly
how
that's
how
that's
done
in
compliance's
code.
I
I
think
it'd
be
really
interesting
to
also
look
at
ozcal
and
and
see.
You
know
you
know,
what
do
we
you
know?
Is
there
alignment
do
we
want
to?
You
know
you
know
where
do
we
go
from
here?
E
D
D
F
Yeah
I
was
hoping
the
repo
is
very
new.
I
know
that
oscar
was
in
the
in
the
compliances
code
team
or
the
project
was.
It
was
sort
of
contentious
topic
at
some
point,
but
apparently
there's
been
some
development
and
I'm
sort
of
removed
from
these
details
of
the
compliances
code,
repo
we
can
ask,
but
I
don't
know
the
details
of
hand.
F
D
D
A
A
D
E
No,
I'm
here,
okay,
yeah.
I
think
that
those
are
all
good
points.
I
think
what
I
was
trying
to
say
is
that
I
understand
what
robert
is
asking
and
one
of
the
things
we
are
attempting
to
do.
If
you
go
and
look
in
the
ml
file,
that's
what
I
was
trying
to
highlight
is
put
some
annotations
into
the
file
that
corresponds
to
you
know
what
standard
it
is.
What
are
the
control
families
and
the
control
themselves
right?
E
So
the
idea
there
then
is.
We
can
then
use
a
map,
the
technical
controls
or
the
technical
policies
right
or
the
policies
for
the
technical
controls
to
the
higher
level
policies
right,
which
is
what
you
see
in
in
standards
like
fisma,
etc.
Right,
so
I
think
that's
at
least
the
goal
right
to
kind
of
bridge
that.
A
Yeah,
absolutely
no,
I
mean
it
makes
perfect
sense
and
especially
in
the
context
of
larger
orgs,
who
you
know,
it's
like
they've
they've
achieved
or
have
already
met
a
mandate
to
achieve
an
ato
and
so
they're
yeah
they're
kind
of
going
through
that
more
mechanical
exercise
of
we
know
what
our
processes
and
policies
are
at
a
written
level.
Right
now,
we're
mapping
that
to
the
nist
853
control
families
and
then
what
does
that
mean
for
kubernetes
or
any
container
environment
right
and
then
kind
of
doing
that
analysis,
gap,
analysis
and
then
just
mapping
exercise.
E
A
Yeah
and-
and
I
think
you
know
the
other-
the
other
challenge
is,
you
know
even
amazingly,
for
an
initiative
like
fedramp,
which
was
designed
to
run
cloud.
It
was
still,
I
think,
the
the
operating
concept
was
around
static
resources,
static
assets,
and
so
you
know.
The
reality,
of
course,
is
that
this
is
all
ephemeral
in
the
container
and
certainly
the
kubernetes
world.
So
you
know
having
a
having
an
ssp
that
talks
about.
You
know
a
particular
policy
around
a
particular
set
of
ip
addresses
or
assets
or
even
interfaces.
A
You
know
quickly
becomes
pointless.
If
you
then
have
a
you
know,
a
community
set
of
clusters
where
you're
constantly
changing
you
know
not
only
the
ip
addresses,
of
course,
but
the
workloads
and
the
microservices
and
whatnot
so
being
able
to
move
that.
I
see
the
value
not
just
in
the
box.
Checking
I've
got
to
produce
this
documentation
for
the
federal
government
review
it
every
year,
but
the
real
operational
need
to
keep
bi-directional
sync
of
what
I'm
saying.
A
D
E
A
B
E
B
B
The
you
know,
official
api
getting
like
compiled
into
client,
go
as
a
series
of
kind
of
recommendation
or
not
recommendations,
but
requirements
and
work
that
you
have
to
kind
of
meet.
I
can
share
if
you
like,
and
so
they're
much
more
hesitant
to
do
that
if
possible,
for
instance,
we
would
probably
have
to
refactor
it
to
be
in
the
more
common
spec
and
status
since
they
kind
of
format
which
we
didn't
use.