From YouTube: CNCF Security TAG Policy WG - 2021 08 04
A: Okay, so I can review the project board if everyone would like to do that.

A: I didn't, I don't. I don't think there were other defined topics for the agenda today. I certainly didn't have any. Anyone else? I'll give opportunity for anyone else to make agenda suggestions. Is there any?

D: Yeah, I had a question. I've seen in the Slack for the policy work group a lot of comments about enablement for various engines to generate policy report. Do we have like one spot we can go and look at what all is out there?

D: No, I'm talking about what are all the various enforcement points that generate policy reports today, right. Do we have like an inventory of it that we can, and maybe point us to the details, right, because I see a lot of, I know a lot of work was done. Some people came and presented here, etc., and I also see some posts in the workgroup policy Slack channel.

A: Okay, I will, so, I think the short answer is there should be GitHub issues in the repo for each of these and obviously, if, if we're keeping those fresh there should be, the status should be captured there, but yeah, I can. I can verify the GitHub.

D: Yeah, we could just create like a table, like, for example, in our policy collection repo, right, that's what we have, right. We have a table where every time a new policy gets contributed, we add it.

A: And where, what's the best way to broadcast that out, is that, I mean, other than, we can? We can create the table and kind of post it to the Slack channel, but is there, if we wanted to put it somewhere that's more permanent and folks would find it more easily? What do you think, is there a, should we ask for it to like literally be in something we...

D: Can just have it in GitHub itself, right, where people are contributing. Let's see here, I have to find that link.

D: Great, yeah, because once we start putting together the table, then we'll have a view of, you know, what do we have today, right, and then, as we progress our white paper, you know, we're going to talk about some of the CNCF projects for various enforcement points, right, so then we can start seeing how we can make more progress in having all of them generate policy report, right, that's where we want to head, right, so.

A: Well, and also, I think what would be enormously helpful, and maybe this is something we can talk about on the panel, but visualizing and surfacing those policy reports in a meaningful way downstream to the, you know, to the DevOps team, to the compliance team, whoever, whoever is looking at this. I think, once people see the kind of the value, the benefit, then there will be more momentum around getting more and more of the projects to support it. Does that make sense?

D: Yeah, absolutely, and I think we have the beginnings of that in the Open Cluster Management project, where we now have, are using the policy report schema, actually the PolicyReport CR, for some of the insights and so on, right. And, and then we are working right now to integrate our policy violations into it. So then we can start visualizing that as well, so Gus from my team is on the call here.
A: So I think that, I think that should be kind of a focus area for the next month, while we're kind of polishing the white paper.

A: Link to, you know, projects, link to presentations about using the policy report in a meaningful way like that, will all be very helpful. Come, you know, late October, when everyone's really excited about, okay, great, I've just learned about this new thing: how can I operationalize it, actually use it day to day.

A: Seems like a good, seems like a good sprint from here to the end of October.

A: Maybe not in the next, you know, 30, 60 days, but in the scope of the next six months. Is there a policy definition effort that needs to be reviewed, or is that just now, just everybody can use their bespoke Rego, YAML, JSON, whatever, whatever they want to use, and then we just let that fit the purpose, the right tool for the job, so to speak.

F: Hey folks, it's Jim, I just joined in, apologies for running late. Yes, sir, Robert, one, one topic I did want to quickly bring up is the Linux Foundation fall mentorship program is getting started and, you know, in the past what we've had is, of course, folks like, you know, Martin J, and also, you know, now what we're doing on the Falco side as well as the, you know, Trivy adapter.

F: So that's something, you know, we could take on, and I think there was also a discussion, I mean we had on and off discussion on Gatekeeper, so wanted to know, and I don't know if Jaya and team have had some, you know, more recent interactions. I haven't had any recent interactions with the Gatekeeper team, but maybe good to revisit as well and see what their thoughts are on supporting the policy report.

D: Yeah, that's a good question, so, guys, have we done any recent work in the Gatekeeper community? I know we have a couple of folks involved, but I know we've been busy with other things too. So.

D: I think the way we are doing our integration, Jim, is, if you remember the Open Cluster Management architecture, we have a hub side and we have the managed cluster side, right. So the Gatekeeper will be running on the managed cluster side and then what we are doing from a policy report integration point of view is: we are trying to integrate on the hub side.

D: So, okay, yeah.

B: So right now, I think Gatekeeper is exposing, you know, the equivalent data through, through events, and, you know, those events would certainly, I think they, you know, expire after some amount of time.

F: Okay, because if you want to initiate that, if you want to add an issue to our GitHub and also perhaps to the Gatekeeper GitHub, and I, I again, I've been a little bit out of touch with that community. I don't know if Rita is still the right person, but we can certainly have the discussion. I've spoken to her in the past about policy report and she had some concerns at that time on scale and management.

B: Yes, yeah, and I certainly understand that concern. I think, had to have that concern too, but yeah. We can certainly open up the issues and get, get a discussion going.

A: Falco next generation, but yeah, I think so. I think they could be interested in that. I have, I haven't spoken to them in any depth since the presentation, but I do have channels that I can reach out there. I, I will, I, I have reached out to Tim and Ash for OPA, so I will refresh that. They've always been receptive. I just think they're busy, so I'll continue to ping there as well.
G: Generally, yeah: that's what we, for various finding reporting things in various systems, we generally want to support both posting them, creating them, as well as consuming them as an artifact of filtering to those resources which have extant reports against them.

A: That be, would you guys be, with the project, be interested in Linux Foundation project?

G: I was just thinking, George Castro, about this. I wasn't, I'm not fully aware what the details are for the, with.

F: The idea is to, you know, and a few of the folks who are on, like Stephen, Anushka, Murtanje, they're all, you know, either currently doing these mentorships or have graduated from them. The idea was to take the policy report and, you know, kind of show how we can adapt other engines, other tools in the ecosystem to produce the policy report. So that's, we've mostly been focused on the produce side of it, but happy to look at the consumption side, and it's really based on, you know, I guess community needs, adoption, things like that.

G: Yeah, I think Robert had mentioned previously that he had been looking at potentially adding student support for it, but so we had trailed off. Are there any extant open source consumers of the reports?

F: There are, right there, so there's a project called Policy Reporter, which is, it was just recently donated to the Kyverno project, which can consume any policy report, displays that in cluster, also can, you know, send that to Slack or PagerDuty or other things. So that's probably the best thing to look at.

A: Yeah, so on the, I mean, Jim, I, I think you hadn't joined, but just a few minutes back we were talking about if we can demo the value from the consumer side and surfacing and visualizing, maybe, the policy reports, so like show.

A: What I get at the end of the process, that, that could drive, you know, more momentum around getting more and more of these projects to support it, right, because it's good to have both, it's kind of a two-sided marketplace, but at the end of the day, the ones who are actually looking at the reports or managing DevSecOps around it are going to be the ones kind of pulling, saying hey, I need more and more of these projects to support this, because I'm trying to build a unified, you know, dashboard report, compliance report.

F: Frank's the, you know, lead on the Policy Reporter.

A: Yeah, okay, so I have a couple of action items for me. Sounds like, Jim, so you'll, Jim, you'll kind of shepherd the Linux Foundation discussion for, is that.

F: Yeah, absolutely, so let's decide on, you know: coupe Kubernetes, Gatekeeper, open couple. If you want to get back to us on the, you know, Cloud Custodian side and see what makes sense, and we can, and I'll, I'll then file the Linux Foundation requests based on that.

D: So Gus and I were talking earlier today in a different context about KubiScan. Have you guys looked into that?

D: Does, do you want to give like a quick executive summary of what it does, since you have played with it?

B: Yeah, so KubiScan is focused on what they call risky roles, so it, it highlights any roles you've defined as, is either, you know, not a concern or, or, you know, kind of a warning or critical, based on, you know, some, some definitions on, on certain types of roles being, being risky by, like, you know, access to secrets and, you know, things like that, that could, could be, you know, higher risk than, than a lot of other things.

B: They, you know, it's, it's just a standalone tool and you run it and it generates, you know, a report on your console. So there's no Kubernetes feedback. It's all just, you know, a visual feedback that a user can see, and, you know, I think.

A: I know, is it, what's that, Fairwinds, don't they have something similar? I can, I can, I know they have several tools.

A: Kind of thing, I don't know if that's applicable to the Kubernetes RBAC model, because Kubernetes RBAC, I don't think, has a deny, and I don't think it yet has all sorts of complicated trust permission, trust models, but cool. Take a look.

F: I mean, certainly there's no lack of projects in a lot of different areas, right, and I think we probably need to figure out, obviously, based on, you know, community usage, active support, things like that, what makes sense to add and where this fits. So maybe the first step is to have the project team, invite them to come and present, and, you know, show us what it does, how it fits, and then we can discuss if it makes sense to either adapt or have a native policy report type of support.
A: Yeah, no, I think that, I mean, in general, I think that should be the flow, like, you know, someone, if someone sees an interesting tool, we should probably reach out, and I'm happy to, to do that, reach out to the project, see if they will come, give a presentation and then, based on that, you know, pitch, pitch them on the benefits of the policy report, but hear their feedback and, and concerns and/or suggestions.

F: And there's always this Google Summer of Code, there's, of course, contributors in the community, right, so folks want to, and of course the project teams themselves can contribute.

A: Yeah, again, I think it's going to be, you know, once we, we have a few projects doing, generating it, would be nice to get Gatekeeper and Falco, certainly will be, will be huge, but then I think it's going to definitely need a pull from the consumption side so that people can see the use cases and really crystallize, like, what's the value.

E: No, I just wanted to mention that I'm, I'm in Romania for the month of August. So I see all these invites for, you know, writing the paper, the white paper, and it's always like 1am for me, you know, so, so I want to just get an update if I have to do any changes, if you got a chance to look over what I wrote and if there is any feedback on, on updates.

E: Seven plus, plus two, I think now it's 6:30.

A: Okay, so yeah, so I think you and I can, I mean, anyone is welcome to join, but I can, I'm typically up early Pacific time, so I think we could probably find a working session.

C: Okay, hi everyone, can I just take a minute and, you know, show, showcase a few updates on the Falco adapter?

A: All right, how do I stop, sure?

A: It's not super new, but okay. Well.

G: Actually, on that topic, it would, it be useful to actually update the, the working group README with regards to the meeting link to actually note the password?

G: It is not, this working group meetings, at least I didn't see it when I, I, I guessed using the TAG Security one, when it happened to work. Otherwise I would have been locked out as well.

A: Yeah, well, I'm trying to get the, the Kubernetes infrastructure to get us our own Zoom, so I'll try yet again. This will be the fourth try, but we made, I may just, Jim, I may just make the executive decision that we're just going to use this new tool and go rogue a bit, because this is kind of getting ridiculous anyway.

C: All right, thank you, everybody, so I, Jim and I, we've been working on Falco adapter and integrating that to Falcosidekick as another output called policy report output. I have been in touch with Gus and Thomas, and we have been working on this. Right now we are able to create. We are.

C: We are working on a draft PR in Falcosidekick and we are able to create a policy report which has all the alerts generated with a specific namespace, and a cluster-wide report which has all the events without a namespace or, for information. So we will be working on, furthermore, updates which I'll just tell you about after a quick demo.

C: So right, that's policy report enabled, and it's creating a dummy policy report and dummy cluster policy report. I just went ahead and got a few events from Thomas's fake generator.

C: Great, so now we're working on being able to create n plus one reports. That's n namespace-specific reports and one cluster-wide report. I have added a couple of customizable options in the configuration, like a one bound, which would give some sort of integer value, for, you know, the events which will be mapped to fail and warn in the policy report summary, and I will be adding a few more by the next demo, and yes, that's all for now. Thank you so much.

H: So Jim, I also wanted to discuss the issue that we were discussing on the other day, like the wrong summary numbers in the policy report kube-bench adapter. So I guess I tried to run kube-bench in parallel, like the raw kube-bench that we have and the other one in my adapter, and both were giving, only the difference was there in the warning.

H: So if we look at it, as I mentioned, as I have sent the screenshot even in that GitHub repository issue, what happens is that three warnings are being missed, and when I checked it, like, whenever it is running inside our policy report, like inside our custom resource definition, then it's not showing those three warnings. Otherwise it's adding those three warnings additionally when we are running it raw, so I, I checked it in the job.yml and I haven't seen any update since the time we have embedded it.

A: Okay, anything else?