►
From YouTube: CNCF Security TAG Policy WG - 2021 08 04
Description
CNCF Security TAG Policy WG - 2021 08 04
A
B
C
A
D
D
No
I'm
talking
about
what
are
all
the
various
enforcement
points
that
generate
policy
reports
today
right.
Do
we
have
like
an
inventory
of
it
that
we
can
and
maybe
point
us
to
the
details
right
because
I
see
a
lot
of
I
know.
A
lot
of
work
was
done.
Some
people
came
and
presented
here,
etc,
and
I
also
see
some
posts
in
the
workgroup
policy
slack
channel.
D
D
A
D
A
And
where,
what's
the
best
way
to
broadcast
that
out,
is
that
I
mean
other
than
we
can?
We
can
create
the
table
and
kind
of
post
it
to
the
slack
channel,
but
is
there
if
we
wanted
to
put
it
somewhere,
that's
more
permanent
and
folks
would
find
it
more
easily.
What
do
you
think
is
there
a
should
we
ask
for
it
to
like
literally
be
in
something
we.
D
E
D
D
A
A
Well,
and
also,
I
think
what
would
be
enormously
helpful,
and
maybe
this
is
something
we
can
talk
about
on
the
panel
but
visualizing
and
surfacing
those
policy
reports
in
a
meaningful
way
downstream
to
the
you
know,
to
the
devops
team
to
the
compliance
team,
whoever
whoever
is
looking
at
this,
I
think,
once
people
see
the
kind
of
the
value
the
benefit,
then
there
will
be
more
momentum
around
getting
more
and
more
of
the
projects
to
support
it.
Does
that
make
sense.
D
Yeah
absolutely-
and
I
think
we
have
the
beginnings
of
that
in
the
open
cluster
management
project
where
we
now
have
are
using
the
policy
report,
schema
actually
the
pulse
report
cr
for
some
of
the
insights
and
so
on.
Right
and
and
then
we
are
working
right
now
to
integrate
our
policy
violations
into
it.
So
then
we
can
start
visualizing
that
as
well,
so
gus
from
my
team
is
on
the
call
here.
B
D
A
A
Link
to
you
know,
projects
link
to
presentations
about
using
the
policy
report
in
a
meaningful
way
like
that,
will
all
be
very
helpful.
Come
you
know,
late
october,
when
everyone's
really
excited
about
okay,
great
I've
just
learned
about
this
new
thing:
how
can
I
operationalize
it
actually
use
it
day
to
day.
F
A
A
Maybe
not
in
the
next?
You
know
30
60
days,
but
in
the
scope
of
the
next
six
months.
Is
there
a
policy
definition
effort
that
needs
to
be
reviewed,
or
is
that
just
now
just
everybody
can
use
their
bespoke
rego
yaml,
jason,
whatever
whatever
they
want
to
use,
and
then
we
just
let
that
fit
the
purpose,
the
right
tool
for
the
job
so
to
speak.
B
A
F
Hey
folks,
it's
jim,
I
just
joined
in
apologies
for
running
late.
Yes,
sir
robert
one,
one
topic
I
did
want
to
quickly
bring
up
is
the
linux
foundation
fall.
Mentorship
program
is
getting
started
and
you
know
in
the
past.
What
we've
had
is,
of
course,
folks,
like
you
know,
martin
j
and
also
you
know
now
what
we're
doing
on
the
falco
side
as
well
as
the
you
know,
trivia
adapter.
F
F
So
that's
something
you
know
we
could
take
on
and
I
think
there
was
also
a
discussion
I
mean
we
had
on
and
off
discussion
on,
gatekeeper
so
wanted
to
know,
and
I
don't
know
if
jaya
and
team
have
had
some.
You
know
more
recent
interactions.
I
haven't
had
any
recent
interactions
with
the
gatekeeper
team,
but
maybe
good
to
revisit
as
well
and
see
what
their
thoughts
are
on
supporting
the
policy
report.
D
D
I
think
the
way
we
are
doing
our
integration
gym
is,
if
you
remember
the
open
cluster
management
architecture,
we
have
a
hub
site
and
we
have
the
manage
cluster
side
right.
So
the
gatekeeper
will
be
running
on
the
manage
cluster
side
and
then
what
we
are
doing
from
a
policy
report.
Integration
point
of
view
is:
we
are
trying
to
integrate
on
the
hub
side.
B
F
F
Okay,
because
if
you
want
to
initiate
that,
if
you
want
to
add
an
issue
to
our
github
and
also
perhaps
to
the
gatekeeper
github-
and
I
I
again-
I've
been
a
little
bit
out
of
touch
with
that
community.
I
don't
know
if
rita
is
still
the
right
person,
but
we
can
certainly
have
the
discussion.
I've
spoken
to
her
in
the
past
about
policy
report
and
she
had
some
concerns
at
that
time
on
scale
and
management.
B
F
A
Falco
next
generation,
but
yeah,
I
think
so
I
think
they
could
be
interested
in
that
I
have.
I
haven't
spoken
to
them
in
any
depth
since
the
presentation,
but
I
do
have
channels
that
I
can
reach
out
there.
I
I
will
I
I
have
reached
out
to
tim
and
ash
for
oppa,
so
I
will
refresh
that
they've
always
been
receptive.
I
just
think
they're
busy,
so
I'll
continue
to
ping
there
as
well.
G
G
G
F
The
idea
is
to
you
know,
and
a
few
of
the
folks
who
are
on
like
stephen
anushka
murtanje
they're,
all
you
know
either
currently
doing
these
mentorships
or
have
graduated
from
them.
The
idea
was
to
take
the
policy
report
and
you
know
kind
of
show
how
we
can
adapt
other
engines
other
tools
in
the
ecosystem
to
produce
the
policy
report.
So
that's
we've
mostly
been
focused
on
the
produced
side
of
it,
but
happy
to
look
at
the
consumption
side,
and
it's
really
based
on
you
know.
I
guess
community
needs
adoption
things
like
that.
G
F
There
are
right
there
so
there's
a
project
called
policy
reporter,
which
is,
it
was
just
recently
donated
to
the
caverno
project
which
can
consume.
Any
policy
report
displays
that
in
cluster
also,
can
you
know
send
that
to
slack
or
pagerduty
or
other
things?
So
that's
probably
the
best
thing
to
look
at.
A
D
A
What
I
get
at
the
end
of
the
process
that
that
could
drive,
you
know
more
momentum
around
getting
more
and
more
of
these
projects
to
support
it
right,
because
it's
good
to
have
both
it's
kind
of
a
two-sided
marketplace,
but
at
the
end
of
the
day,
the
ones
who
are
actually
looking
at
the
reports
or
managing
devsecops
around
it
are
going
to
be
the
ones
kind
of
pulling
saying
hey.
I
need
more
and
more
of
these
projects
to
support
this,
because
I'm
trying
to
build
a
unified.
You
know
dashboard
report
compliance
report.
F
A
A
F
D
B
A
A
A
A
F
I
mean
certainly
there's
no
lack
of
projects
in
a
lot
of
different
areas
right
and
I
think
we
probably
need
to
figure
out.
Obviously,
based
on
you
know,
community
usage
active
support
things
like
that.
What
makes
sense
to
add
and
where
this
fits.
So
maybe
the
first
step
is
to
have
the
project
team,
invite
them
to
come
and
present,
and
you
know
show
us
what
it
does,
how
it
fits
and
then
we
can
discuss
if
it
makes
sense
to
either
adapt
or
have
a
native
policy
report
type
of
support.
A
Yeah,
no,
I
think
that
I
mean
in
general.
I
think
that
should
be
the
flow
like
you
know
someone.
If
someone
sees
an
interesting
tool,
we
should
probably
reach
out
and
I'm
happy
to
to
do
that,
reach
out
to
the
project
see
if
they
will
come,
give
a
presentation
and
then
based
on
that
you
know
pitch
pitch
them
on
the
benefits
of
the
policy
report,
but
hear
their
feedback
and
and
concerns
and
or
suggestions.
F
A
D
B
A
Yeah
again,
I
think
it's
going
to
be.
You
know
once
we
we
have
a
few
projects
doing
generating
it
would
be
nice
to
get
gatekeeper
and
falco
certainly
will
be,
will
be
huge,
but
then
I
think
it's
going
to
definitely
need
a
pull
from
the
consumption
side
so
that
people
can
see
the
use
cases
and
really
crystallize
like
what's
the
value.
E
No,
I
just
wanted
to
mention
that
I'm
I'm
in
romania
for
the
month
of
august.
So
I
see
all
these
invites
for
you
know,
writing
the
paper,
the
white
paper
and
it's
always
like
1am
for
me,
you
know
so
so
I
want
to
just
get
an
update
if
I
have
to
do
any
changes,
if
you
got
a
chance
to
look
over
what
I
wrote
and
if
there
is
any
feedback
on
on
updates.
A
E
E
E
E
A
G
A
Yeah,
well
I'm
trying
to
get
the
the
kubernetes
infrastructure
to
get
us
our
own
zoom,
so
I'll
try!
Yet
again.
This
will
be
the
fourth
try,
but
we
made
I
may
just
jim.
I
may
just
make
the
executive
decision
that
we're
just
going
to
use
this
new
tool
and
go
rogue
a
bit,
because
this
is
kind
of
getting
ridiculous
anyway,.
C
C
We
are
working
on
a
draft
pr
in
falco
psychic
and
we
are
able
to
create
a
policy
report
which
has
all
the
alerts
generated
with
a
specific
name
space
and
a
cluster-wide
report
which
has
all
the
events
without
a
namespace
or
for
information.
So
we
will
be
working
on.
Furthermore,
updates
which
I'll
just
tell
you
about
after
a
quick
demo.
C
C
C
C
Great
so
now
we're
working
on
being
able
to
create
n
plus
one
reports.
That's
in
namespace
specific
reports
and
one
clusterwide
report.
I
have
added
a
couple
of
customizable
options
in
the
configuration
like
a
one
bound,
which
would
give
some
sort
of
integer
value,
for
you
know
the
events
which
will
be
mapped
to
fail
and
won
in
the
policy
report
summary,
and
I
will
be
adding
a
few
more
by
the
next
demo
and
yes,
that's
all
for
now.
Thank
you
so
much.
B
D
H
So
jim,
I
also
wanted
to
discuss
the
issue
that
we
were
discussing
on
the
other
day
like
the
wrong
summary
numbers
in
the
policy
report
cube
venture
doctor.
So
I
guess
I
tried
to
run
cube
bench
parallelly,
like
the
rock
cube
bench
that
we
have
and
the
other
one
in
my
adapter
and
both
were
giving
only
the
difference
was
there
in
the
warning.
H
So
if
we
look
at
it,
as
I
mentioned
as
I
have
sent
the
screenshot
even
in
that
github
repository
issue,
what
happens
is
that
three
warnings
are
being
missed
and
when
I
checked
it
like,
whenever
it
is
running
inside
our
policy
report
like
inside
our
custom
resource
definition,
then
it's
not
showing
those
three
warnings.
Otherwise
it's
adding
those
three
warnings.
Additionally,
when
we
are
running
it
raw,
so
I
I
checked
it
in
the
job
dot
yml
and
I
haven't
seen
any
update
since
the
time
we
have
embedded
it.