Kubernetes Policy WG : CNCF Security SIG Policy Team Meeting 2020-08-05
A: So, you know, I will definitely put the bug in his ear about, you know, how we could integrate with the CR. Yeah, so I think, you know, if we can get, we get OPA, we get Custodian with Kyverno, and then I think there were a couple others in the.
A: Folks, I think that'll be, that'll be a pretty good proof point. At least we'll at that point see if we got enough for traction, or... I did have one other agenda topic, not so concrete as a discussion, but as I'm doing a lot more with NIST 800-53 policies, I wanted to talk about how those might map to both the CR and then, more generally, Kubernetes.
A: And maybe not meriting a full agenda item, but any update from Howard on his slides he's trying to put together?
A: I wish I could have dedicated more time. It's been, it's been crazy.
B: So, looks like a small meeting today. Maybe everyone's busy, or it is August, so can't necessarily count on too many Europeans showing up. Let's see, do we have any open pull requests that we need to address, or any other kind of administrative business?
A: You know, how that might map, or not, to some, to a framework like OSCAL, where you're trying to automate the category, the definition, categorization and implementation of controls, and policies being one of those types of controls, both, again, written and computer-executable policy. So that's the broad strokes, just curious if anybody has any overlap with those areas.
E: Yeah, this is JR, so maybe I can chime in a little bit here, and then I see Jacob is on the call here. So on the advanced cluster management side, on the Red Hat offering, product offering, as well as the Open Cluster Management community project, we are building out a library of policies and we are organizing them based on the NIST 800-53 standard.

E: And so definitely, you know, we are looking at it in that context, right. We are looking at it, and there is also an effort that's going on. I can see Christian is on the call as well. Both Christian and Jacob can talk a little bit about work that is going on in the OpenShift, the OpenShift product area, related to NIST controls and in the context of the compliance-as-code project.
A: And is there anything? That's, so is all of that on the repo and published, or is that...
E: So can I share for one second? Sure, absolutely. And I'll show you what we have. So let me...

E: Okay, so in the Open Cluster Management community project we have a repo called policy-collection, and so in this collection, what our goal here is, is to come up with a set of policy examples for Open Cluster Management. And the way we have organized the repo structure is we have a stable folder and we have a community folder. The stable folder contains policies that ship as part of our product offering, which is Red Hat Advanced Cluster Management for Kubernetes.
E: So here also, again, we are organizing the policies in terms of the various NIST 800-53 controls, version 4, and so the policies are outlined here, right. So if you click one of the policies, it's in YAML format and then it kind of walks through how it is organized. We are also working with various contributors outside of our product space, so those policies are going into this community folder, and we welcome contributions from everybody, right. This is open to the community, and again we are organizing this in terms of NIST 800-53, and you can see here we have a couple of policies donated by IBM Research.

E: This is an OPA-related policy that is donated by one of the Red Hatters who is working in a consulting, client-facing role, and he also donated this other one as well. And then we are also working with Sysdig, and they have created policies for their Falco operator and Sysdig Secure, right. So the idea here is that they will put in here the actual policy file, and then obviously the policy has to be consumed, right.

E: So you need a policy consumer, and that would be whatever is running on the actual cluster. And in this case, for the Falco one, they point to the Falco project and you can figure out how to deploy the Falco operator, for example, right.

E: So that's the whole idea, right, that not all the code is within our Open Cluster Management project, but the policies are here. And the policies can also be written in other languages, right. So, for example, if you have written a policy in OPA, that's fine too, right, because we have a way to wrap OPA and ship it from RHACM. So we can do that.
A: I think the part that, I mean, this looks great, by the way. I mean, this definitely fits with what I was thinking is necessary. The dots I'm trying to connect is, you know, you think going through these FedRAMP or other government buyer processes, you can imagine, you know, we think in terms of actually running cloud infrastructure and doing DevOps and, you know, DevSecOps.
D: So the compliance-as-code repo, which plays a role with Open Cluster Management, right. The RHACM offering can call into our compliance operator, which will run on an individual OpenShift or Kubernetes cluster. Compliance-as-code is intentionally written with SCAP because it is, you know, NIST certified, right. It's a NIST standard, Security Content Automation Protocol. It's a pain in the butt.

D: But I think it will be really interesting, and Jacob, you might want to chime in here, because you're probably more familiar with exactly how that's done in compliance-as-code. I think it'd be really interesting to also look at OSCAL and see, you know, is there alignment? Do we want to? You know, where do we go from here?

D: We've been doing compliance as code for a long time at Red Hat because of our, you know, strong public sector customer base, but there may be an opportunity to kind of get to the same place.
F: Yeah, I was hoping... the repo is very new. I know that OSCAL was, in the compliance-as-code team, or the project, it was sort of a contentious topic at some point, but apparently there's been some development, and I'm sort of removed from the details of the compliance-as-code repo. We can ask, but I don't know the details offhand.
D: Yeah, let's do that, and Jacob, we might... I can also ask John Osborne a little bit; he's working with DoD on some related things.
A: Cool, but yeah, I mean, this is, it looks like they've got some approximation of what I was thinking in terms of, you know, being able to do, you know, bottom-up or top-down, to, you know, from an organization trying to engage and produce the SSP.
A: I think I can provide some concrete fire kicking.
E: No, I'm here, okay, yeah. I think those are all good points. I think what I was trying to say is that I understand what Robert is asking, and one of the things we are attempting to do, if you go and look in the YAML file, that's what I was trying to highlight, is put some annotations into the file that correspond to, you know, what standard it is, what are the control families and the controls themselves, right?

E: So the idea there then is we can then use a map, the technical controls or the technical policies, right, or the policies for the technical controls, to the higher-level policies, right, which is what you see in standards like FISMA, etc. Right, so I think that's at least the goal, right, to kind of bridge that.
A: Yeah, absolutely, no, I mean, it makes perfect sense, and especially in the context of larger orgs, who, you know, it's like they've achieved or have already met a mandate to achieve an ATO, and so they're kind of going through that more mechanical exercise of: we know what our processes and policies are at a written level. Right now we're mapping that to the NIST 800-53 control families, and then what does that mean for Kubernetes or any container environment, right, and then kind of doing that analysis, gap analysis, and then just mapping exercise.
E: So we have these three annotations that kind of say where it fits in, and you can actually add multiple annotations here, so you can say NIST 800-53, but you can also say PCI.

E: So, for example, if you're in the financial sector and you care about both, right, you can put a comma and add that as well. So then what happens is, when the policy violation gets reported back to the hub, on the hub you will actually see these organized in terms of the standards, right.
A: Yeah, and I think, you know, the other challenge is, you know, even, amazingly, for an initiative like FedRAMP, which was designed to run cloud, it was still, I think, the operating concept was around static resources, static assets. And so, you know, the reality, of course, is that this is all ephemeral in the container and certainly the Kubernetes world. So, you know, having an SSP that talks about, you know, a particular policy around a particular set of IP addresses or assets or even interfaces, you know, quickly becomes pointless if you then have, you know, a community set of clusters where you're constantly changing, you know, not only the IP addresses, of course, but the workloads and the microservices and whatnot. So being able to move that... I see the value not just in the box-checking, I've got to produce this documentation for the federal government, review it every year, but the real operational need to keep bi-directional sync of what I'm saying.

A: Right, right, you've got to marshal all that change operationally, but then you've got to communicate that change, and that the change is under control, to that human who ultimately has to sign on the line that says yes, this is in compliance or not. Yep.
E: I don't know, I don't think so. I think it's, I don't think... I thought OSCAL is at a higher level. At least that's...
E: Yeah, before we run out of time, I think, I don't see Jim on the call today, but I was just curious, Erica, whether you had a view of the policy report CR, where that stood, and how can we get to a point where we can get that kind of standardized?
B: Yeah, Jim said he couldn't make it today. In the Slack he says the plan for the week is to transfer all the pending comments from the Google Docs to GitHub, that they have also added a report generator in the multi-tenancy benchmarks project, and they're working in Kyverno for adding support.

B: Does that address your needs? Are there other things we need to do to get it moving forward, besides addressing what were comments in the doc within the repo?
E: Yeah, the only other thing is, I know you and Jim took it to SIG Arch, right. So what happened? Do we have to do anything more there, or is it just now we are going to just move forward in the context of the GitHub repo itself, right, where we take additional comments and we are...
B: Yeah, yeah. What we understood is they're pretty... if the, you know, like the repo we have works well, and we can, you know, and projects are able to use that, they prefer just keeping it within that repo.

B: The, you know, official API getting, like, compiled into client-go has a series of kind of recommendations, or not recommendations but requirements, and work that you have to kind of meet. I can share if you like, and so they're much more hesitant to do that if possible. For instance, we would probably have to refactor it to be in the more common spec-and-status format, which we didn't use.
E: Okay, that sounds good, because I know one of my colleagues, Randy George, had some comments, so I'll ask him to work in the context of the GitHub repo. Then that sounds good.
B: Sure, yeah. Then the only other thing I had was just: Howard and I recorded a deep dive for KubeCon EU. I don't know when that is, but look out for that. Hopefully we didn't misrepresent this project, these projects, too well. Good job.

B: I think we represented it as a plea for volunteers.

B: Yeah, it really, it's cool, because since Howard has been away so long and he's coming back and looking at all this, and, like, that crazy amount of things going on, so many projects in the policy space sprung up, and so it's quite, from that outside perspective, you see more that there has been a spurt of movement in the space.
B: Going once, twice, all right, looks like we can end early. Thank you, everyone. We'll see you in two weeks, or on Slack and through GitHub.