From YouTube: CNCF Security TAG Policy WG - 2021-07-07
D
Robert, just checking the agenda, didn't seem like we had any specific entries or items for today. Anything, any other topics you wanted to cover or.
E
No, I, I didn't have a chance to organize any presenters for this week. I'll try to, try to look ahead a couple of weeks and see if we can get someone for them, if not the next session, session after. I hope everyone had heads down with the cfpb's anyway.
E
So I think, if, yeah, if everyone's here, Jim, do we, if we don't have anything formal on the agenda, do we just want to review? Are there any PRs or issues on the CRD that we need to approve or review or.
D
Yes, so we can kind of do a quick update on the CRD projects from manuscript. I don't think Steven's able to make this meeting, but if he joins he can do a quick update as well, and then, you know, yeah, the few other things we had, carryovers, were.
D
Yeah, I haven't heard of that. I, I would just maybe get the Zoom setup done for now and then, if everyone's migrating over in bulk, then I guess they'll just migrate over all groups.
E
I can ask, yeah, that, I didn't get that. It was more, you know, typical, you know, here's the, here's the directive, now everyone go find their own path to it. So, but I'll double check, I'll find out, okay. And then, yeah, if there's no, if there's no official guidance, or that was just a rumor, I mean, I did Google around, that there were some blog posts about it, but regardless, if, if I don't get clear direction, then I'll just pull the trigger on Zoom.
D
Yeah, let's go ahead and get that done, because I think, again, we need to update the meeting invites, we need to get these videos done, and it's just, you know, would be good from a housekeeping point of view to have that done.
D
Right, yeah, and you can check with Kristoff to see if the Kubernetes, you know, SIGs and working groups are doing anything different, but again, if this is what we're seeing, let's get that set up, and I'm sure, again, if they're doing a full account migration, then they'll figure out a way to migrate everyone listed here. But yeah, let's, let's find out and let's see if we can get this done.
D
Let me know if you need anything on those two things, because I think, again, once we do that we can update the meeting invites and see if we can get access to these videos, which has been lacking.
E
Yeah, and just, I think Brandon did pull the last two presentation videos. Okay, great. Those are on, if you Google, and YouTube, for the TAG, of course, then you'll see the policy work group videos there for last couple.
D
Okay, sounds good. All right, so those are those two issues on the white paper.
D
I think there's a pending PR where Jaya had made some additional changes, so that could be also, that's something we can probably review and try and accept before, like, the white paper subgroup meets again, and I think we should figure out what would be the timeline to get at least a draft of the PR available for wider review, right? So we can discuss that a little bit more tomorrow.
D
All right, yes, I think we're good on this.
C
Right, thank you. I will quickly just update on what's been happening in the last two weeks. I, I have been able to, you know, I have an initial working model ready, which is great, because now we just need to alter a few things here and there and, well, we'd have the Falco adapter. If it's all right, I would just, I like to share the working demo, Jim, if that's okay.
C
We are also exploring how we would go about contributing to Falco Sidekick with Thomas and Dan on the community, and yes, otherwise, that's, that's really all, that's all I'm up to right now. I have a sort of working web server that takes Thomas's fake events generator and tries to give me the JSON, but that's still in the works. So that's all. Thank you, everybody.
D
Yeah, so just to, on the overall direction, I know we've kind of discussed various approaches and there was some, at one point.
C
Thomas has asked me to work on the web server, so he can see. I mean, earlier, seeing the demo that I just showed, he said that this would, this, this could be a contribution to Falco Sidekick and he wanted to know a little bit more. So that's why I'm working on the web server right now using his fake events generator, and once he has a better look at that, I think we would know for sure if, you know, that's the direction we take. You got it.
B
Yeah, no, I just had one doubt, like, in this project, like, the project looks excellent. The demo also looked like it's a working prototype, that we are able to create the policy report from Falco. If I heard it right, that it was Falco Sidekick UI, so yeah, so UI, but I, I was just, I have this question, like, if, if we are able to install Falco Sidekick UI using Helm commands, then why are we thinking of creating another server, like, why, why we are doing the same work again?
B
Do you, don't you think that would be a same work, like, like, Jim, even you can agree with me on this type. We have already a Falco Sidekick UI, which is giving us the outputs. So if we are fetching those outputs, maybe we can use that and produce the policy reported that, or, or if the idea is that we have to contribute to Falco Sidekick, then we might need a web service. Otherwise I think UI is also pretty much doing the same job. So.
C
So I mean, my understanding of this would be, of course, Jim, please add to it, that, you know, web, you, taking outputs from web UI is just making, giving a little more.
C
Want to do is make policy generator as an output for Falco Sidekick. That's what we are looking into, so that the way Falco Sidekick gives outputs to other places, it could give an output as a resource for a policy report. So I think that's what we're trying to do. We, like, what we have right now is taking outputs by our website, web UI, but that's just another dependency that we are, you know, working on. So I'm not sure if that answers the question. Okay.
D
Yeah, so I, I, if I understood correctly, what we're talking about, the web UI, is just the deployment in Falco's Sidekick, right? It happens to be called web UI, but because it has a UI component. But it's also doing all of the translation work, like when you're, when it sends messages to Slack or anything like that, right?
B
The alerts are visible using their web UI, but what we are, but I guess I saw the code that she gave in the community channel, and in that code I was seeing that she is using http.get to fetch those alerts from Falco Sidekick UI, which is deployed on port 2302 and it's available on route events. So she was fetching, she is getting the outputs, the alerts, the events from there, and then I guess she was, in that course, she was mapping those with our policy report and generating the policy report.
B
So that was the working cycle that I could see in that code. So it was something like that, like, for us, when we, when we built the kube-bench adapter, what we did was we were using nested job to get our output, so the Falco Sidekick UI is doing the same job with its events route. So, if we go to our, even, like, like in Chrome, we open localhost, two three zero two, route events, so that will give pure JSON output of our alerts, all the outputs, the rules, the priority.
B
Everything, and the same thing is being fetched in the program. I guess she was, is doing http.get to do headlines, so, so yeah. So that's what I understood. So if we are getting it, that, those outputs already in real time, then creating another web service may require deployment of that web service inside the cluster. So that will be, you know, another same kind of job that you are all at that Falco side.
D
Okay, yeah, let's, we can discuss more offline and kind of figure out where the best place to plug it in is, but yeah, I mean, we want to simplify it. We, if we can eliminate the dependency to the UI component, that seems like the right approach, and then we, like we had talked about, underscore, maybe we have to start with: how will the user configure this in Falco Sidekick, right? So, let's define that and then once we have the user experience defined, we can figure out the rest of the details.
D
Okay, that sounds good. I bet, I think, let's, I think it will be good to get that decision made quickly, whether we're contributing to Falco Sidekick or we need to do something separately. So if we can get that decided on this week or so, then at least we know which direction we will proceed to complete the implementation.
D
You're welcome, man. All right, so I think that's most of what we had, you know, with that. Stephen has also been in discussions with the, with the, with the Trivy, as well as the Starboard team, in terms of how exactly the adapter can potentially plug in. So we should, you know, we're also trying to finalize where that fits and we'll send out some more updates on Slack for that.
D
So those are the, you know, sort of ongoing items. I don't know if there's any other things we should plan or want to do either today or for the next session, but we can open it up to everyone.
E
Yeah, under kind of the open mic topics, and this may not be interesting to the whole group, so we can always break it off as a separate discussion, but, you know, Anka, I, I have been talking more and more folks. You know, now that OSCAL 1.0 is out, it'd be interesting to stand up kind of, you know, best practice.
E
You know, version of Kubernetes clusters producing the CR, producing the policy output, kind of ingesting that with OSCAL, producing OSCAL output based on that. So definitely not something at the policy level per se, but more of the instantiation of all the stuff we've been talking about and actually the CR, using it.
F
Yeah, it would be parallel. We, we have an implementation of, of the OSCAL framework as open source. It's called Trestle compliance and it's what we had used across IBM and research party integrations to develop those reports and, and particularly the translations between, you know, current reports due to OSCAL so that we align with the framework. So I think we can, we can see that as, you know, starting point, so people that start using OSCAL, you know, have some, some starting point with utilities.
E
I definitely, and, and I've looked at Trestle and I think that'll be a part of the solution, absolutely. I think the goal here is to get to the finish point where, you know, a non-Kubernetes operator can see a Kubernetes stack, cluster, and then see all the, you know. We can even use that exactly and maybe modify.
F
I have today in, in the white paper those two use cases that we have discussed: the use case of the namespace administrator and the interest on having more of an operational view of the, of the policies, and then the second one is, you know, from a compliance officer point of view, and more of a compliance view of the, of the results, and that's where, you know, Trestle comes into the picture, taking the first one and, you know, helping to translate it and have it in the, in the OSCAL format.
F
I hope you finished that part and, and, and push it. I mean, Jim, thank you so much, you, you helped me with the, the, the apps and, you know, everything is now linked, works with it and so on. I, I need now to exercise the, the, you know, the push and the commit.
F
I'm not sure if you, you, we take it from there or I need to create a PR from, from my environment. I, I'll ping you when I, when I get there, for now.
E
Okay, great. Yeah, so I think the idea is I'm working with a couple of the cloud folks who, you know, might be willing to set up kind of a cyber range where we, you know, kind of host them.
F
The ring, yeah. You can invite to this discussion also GovReady, Greg, Craig, what is his last name? So he, he works on, on the UI version of, of the OSCAL implementation.
F
So we, we work together so that between the, the Trestle on Git and the UI with the, with the database, we, we provide a complete experience, right, depending on the level of. So he would be a good, a good participant in this, in this discussion.
E
Yeah, I think you have my email, so if you want to just, later on, when you have a chance to look up his contact, if you just want to loop us all on the thread.
F
Yeah, yeah, we have, unfortunately, I'm, I'll be out the next two weeks, but I can, I can put you in touch with, with Greg and Chris. We have regular meetings on, on this topic, so we can, you can start, you know, discussing with them. So your email, I think I have it from this, this.
F
That, that Jimmy is editing, okay.
D
Okay, that sounds good. Yeah, speaking of demos, one thing I just remembered is we had also talked about inviting Frank, who has authored the Policy Reporter, too, to do a demo, so I'll reach out to him and see, you know, when we can get that scheduled as well.
D
Okay, if not, I guess we can give back 30 minutes to everyone, so have a good week and we'll reach out in Slack if anything else comes up.