►
From YouTube: CNCF Security TAG Policy WG - 2021-07-07
Description
CNCF Security TAG Policy WG - 2021-07-07
A
A
A
A
D
E
A
A
A
E
D
E
D
E
I
can
ask
yeah
that
I
didn't
get
that
it
was
more.
You
know
typical,
you
know,
here's
the
here's,
the
directive.
Now
everyone
go,
find
their
own
path
to
it,
so
but
I'll
double
check,
I'll,
find
out,
okay
and
then
yeah.
If
there's
no,
if
there's
no
official
guidance
or
that
was
just
a
rumor,
I
mean
I
did
google
around-
that
there
were
some
blog
posts
about
it,
but
regardless,
if,
if
I
don't
get
clear
direct
in
then
I'll,
just
pull
the
trigger
on
zoom.
D
D
E
D
Right
yeah
and
you
can
check
with
kristoff
to
see
if
the
kubernetes
you
know,
sigs
and
working
groups
are
doing
anything
different,
but
again,
if
this
is
what
we're
seeing,
let's
get
that
set
up
and
I'm
sure
again,
if
they're
doing
a
full
account
migration,
then
they'll
figure
out
a
way
to
migrate.
Everyone
listed
here
but
yeah,
let's,
let's
find
out
and
let's
see
if
we
can
get
this
done.
E
D
I
think
there's
a
pending
pr
where
jaya
had
made
some
additional
changes,
so
that
could
be
also
that's
something
we
can
probably
review
and
try
and
accept
before,
like
the
white
paper,
subgroup
meets
again
and
I
think
we
should
figure
out
what
would
be
the
timeline
to
get
at
least
a
draft
of
the
pr
available
for
wider
review
right.
So
we
can
discuss
that
a
little
bit
more
tomorrow.
A
D
C
Right,
thank
you.
I
will
quickly
just
update
on
what's
been
happening
in
the
last
two
weeks
I
I
have
been
able
to
you
know
I
have
an
initial
working
model,
ready,
which
is
great,
because
now
we
just
need
to
alter
a
few
things
here
and
there
and
well
we'd,
have
the
falco
adapter.
If
it's
all
right,
I
would
just
I
like
to
share
the
working
demo
jim.
If
that's
okay,.
C
A
C
We
are
also
exploring
how
we
would
go
about
contributing
to
falco
sidekick
with
thomas
and
dan
on
the
community
and
yes,
otherwise,
that's
that's
really
all
that's
all
I'm
up
to
right
now
I
have
a
sort
of
working
web
server
that
takes
thomson's
fake
events
generator
and
tries
to
give
me
the
json,
but
that's
still
in
the
works.
So
that's
all.
Thank
you.
Everybody.
D
A
C
Thomas
has
asked
me
to
work
on
the
web
server,
so
he
can
see.
I
mean
earlier
seeing
the
demo
that
I
just
showed.
He
said
that
this
would
this.
This
could
be
a
contribution
to
falco
psychic
and
he
wanted
to
know
a
little
bit
more.
So
that's
why
I'm
working
on
the
web
server
right
now
using
his
fake
events
generator
and
once
he
has
a
better
look
at
that,
I
think
we
would
know
for
sure.
If
you
know
that's
the
direction
we
take,
you
got
it.
B
Yeah,
no,
I
just
had
one
doubt
like
in
this
project,
like
the
project,
looks
excellent.
The
demo
also
looked
like
it's
a
working
prototype
that
we
are
able
to
create
the
policy
report
from
falco.
If
I
heard
it
right
that
it
was
falco,
sidekick,
ui,
so
yeah
so
ui,
but
I
I
was
just
I
have
this
question
like.
If,
if
we
are
able
to
install
falco
sidekick
ui
using
hem
commands,
then
why
are
we
thinking
of
creating
another
server
like
why
why
we
are
doing
the
same
work
again?
B
Do
you
don't
you
think
that
would
be
a
same
work
like
like
jim?
Even
you
can
agree
with
me
on
this
type.
We
have
already
a
falco
sidekick
ui,
which
is
giving
us
the
outputs.
So
if
we
are
fetching
those
outputs,
maybe
we
can
use
that
and
produce
the
policy
reported
that
or
or
if
the
idea
is
that
we
have
to
contribute
to
falco
city,
then
we
might
need
a
web
service.
Otherwise
I
think
ui
is
also
pretty
much
doing
the
same
job.
So.
C
F
C
Want
to
do
is
make
policy
generator
as
an
output
for
falco
psychic.
That's
what
we
are
looking
into
so
that
the
way
falco
psychic
gives
outputs
to
other
places.
It
could
give
an
output
as
a
resource
for
a
policy
report.
So
I
think
that's
what
we're
trying
to
do.
We
like
what
we
have
right
now
is
taking
outputs
by
our
website
web
ui,
but
that's
just
another
dependency
that
we
are.
You
know
working
on,
so
I'm
not
sure
if
that
answers
the
question.
Okay,.
D
Yeah,
so
I
I,
if
I
understood
correctly,
what
we're
talking
about
the
web
ui
is
just
the
deployment
in
falco's
sidekick
right.
It
happens
to
be
called
web
ui,
but
because
it
has
a
ui
component.
But
it's
also
doing
all
of
the
translation
work
like
when
you're,
when
it
sends
messages
to
slack
or
anything
like
that
right.
B
B
The
alerts
are
visible
using
their
web
ui,
but
what
we
are,
but
I
guess
I
saw
the
code
that
she
gave
in
the
community
channel
and
in
that
code
I
was
seeing
that
she
is
using
http.get
to
fetch
those
alerts
from
falco
sidekick
ui,
which
is
deployed
on
port
2302
and
it's
available
on
route
events.
So
she
was
fetching
she
is
getting
the
outputs,
the
alerts,
the
events
from
there
and
then
I
guess
she
was
in
that
course.
She
was
mapping
those
with
our
policy
report
and
generating
the
policy
report.
B
So
that
was
the
working
cycle
that
I
could
see
in
that
code.
So
it
was
something
like
that
like
for
us,
when
we,
when
we
built
the
cube
bench
adapter,
what
we
did
was
we
were
using
nested
job
to
get
our
output,
so
the
falco
sidekick
ui
is
doing
the
same
job
with
its
events
route.
So,
if
we
go
to
our
even
like,
like
in
chrome,
we
open
localhost,
two
three
zero,
two
route
events,
so
that
will
give
pure
json
output
of
our
alerts,
all
the
outputs,
the
rules,
the
priority.
B
Everything
and
the
same
thing
is
being
fetched
in
the
program.
I
guess
she
was
is
doing.
Http
dot
get
to
do
headlines,
so
so
yeah.
So
that's
what
I
understood.
So
if
we
are
getting
it
that
those
outputs
already
in
real
time,
then
creating
another
web
service
may
require
deployment
of
that
web
service
inside
the
cluster.
So
that
will
be.
You
know
another
same
kind
of
job
that
you
are
all
at
that
falco
side.
B
A
B
D
Okay,
yeah:
let's
we
can
discuss
more
offline
and
kind
of
figure
out
where
the
best
place
to
plug
it
in
is
but
yeah
I
mean
we
want
to
simplify
it.
We
if
we
can
eliminate
the
dependency
to
the
ui
component.
That
seems
like
the
right
approach
and
then
we
like
we
had
talked
about
underscore.
Maybe
we
have
to
start
with?
How
will
the
user
configure
this
in
falco
sidekick
right?
So,
let's
define
that
and
then
once
we
have
the
user
experience
defined,
we
can
figure
out
the
rest
of
the
details.
D
Okay,
that
sounds
good.
I
bet
I
think,
let's.
I
think
it
will
be
good
to
get
that
decision
made
quickly,
whether
we're
contributing
to
falco
sidekick
or
we
need
to
do
something
separately.
So
if
we
can
get
that
decided
on
this
week
or
so
then
at
least
we
know
which
direction
we
will
proceed
to
complete
the
implementation.
D
You're
welcome
man
all
right,
so
I
think
that's
most
of
what
we
had
you
know
with
that.
Stephen
has
also
been
in
discussions
with
the
with
the
with
the
trivia,
as
well
as
the
starboard
team,
in
terms
of
how
exactly
the
adapter
can
potentially
plug
in.
So
we
should.
You
know
we're
also
trying
to
finalize
where
that
fits
and
we'll
send
out
some
more
updates
on
slack
for
that.
D
E
Yeah
under
kind
of
the
open
mic
topics-
and
this
may
not
be
interesting
to
the
whole
group,
so
we
can
always
break
it
off
as
a
separate
discussion,
but
you
know
anka,
I
I
have
been
talking
more
and
more
folks.
You
know
now
that
oscar
1.0
is
out
it'd,
be
interesting
to
stand
up
kind
of
you
know
best
practice.
E
You
know
version
of
kubernetes
clusters
producing
the
cr,
producing
the
policy
output,
kind
of
ingesting
that
with
auscal
producing
oscar
output
based
on
that.
So
definitely
not
something
at
the
policy
level
per
se,
but
more
of
the
instantiation
of
all
the
stuff
we've
been
talking
about
and
actually
the
cr
using
it.
E
E
E
F
Yeah,
it
would
be
parallel.
We
we
have
an
implementation
of
of
the
oscar
framework
as
open
source.
It's
called
trestle
compliance
and
it's
what
we
had
used
across
ibm
and
research
party
integrations
to
develop
those
reports
and,
and
particularly
the
translations
between
you
know,
current
reports
due
to
oscar
so
that
we
align
with
the
framework.
So
I
think
we
can.
We
can
see
that,
as
you
know,
starting
point
so
people
that
start
using
oscar,
you
know
have
some
some
starting
point
with
utilities.
E
I
definitely
and-
and
I've
looked
at
trestle
and
I
think
that'll
be
a
part
of
the
solution.
Absolutely
I
think
the
goal
here
is
to
get
to
the
finish
point
where
you
know
a
non
kubernetes
operator
can
see
a
kubernetes
stack
cluster
and
then
see
all
the
you
know.
We
can
even
use
that
exactly
and
maybe
modify.