From YouTube: CNCF Security TAG Policy WG 2021-06-23
Description
Supply Chain - Dan Lorenc, Google
B: Yeah, I'm actually trying to see if I can update the meeting invite now. Oh, we can finally fix the.

B: Unfortunately not, yeah, it seems like it's still.

B: It's letting me only change my local version, so I don't know, I'm here to figure out how to change. So maybe once we get the Zoom account, then we can change the shared workflow.

B: Whatever email you're using for CNCF, no, actually, they recommend using the alias for the leads, right. So as long as we sign up for that, we should be fine.

B: Yeah, so maybe if you want to just read through the link, it has all of the details.

C: I'm great, doing great. I graduated from the LFX spring mentorship program, and this week I published my blog on that. So I'd definitely love to share that blog with the community here as well today, so that you all can give feedback on it and help me get better there.

B: The blog looked great, nice job on that. Thank you. So, are you going to publish it on the CNCF site as well, or will it be.

C: I asked, as you suggested, so he said that the form that CNCF sent, you have to share the link there, so I've already shared the blog link there.

B: Okay, do you want to drive, Robert, or should I share and pull up the agenda?
A: Yeah, so I see Dan has joined. Thank you, Dan. I thought we'd discuss some of the supply chain topics that have been going around and around the various circles, both CNCF and Kubernetes, Linux Foundation, and Dan had, I think, correct me if I mistake things, but you had authored a blog post from the Google team around the initiative you guys are engaged in, the Tekton CD project and Tekton Chains, but I thought.

F: Sure, yeah, where do you want to start? So I've been involved in that stuff. There's also SBOM here I see, which is kind of tangentially related, which we can talk about. I've also been involved in SBOM and supply chain metadata, which has kind of overlapping Venn diagrams.

F: Yeah, it's a good question, and policy is such a deep space and broad topic. Yeah. I think, you know, the SBOM stuff is kind of being mostly driven by, I guess I would say, the US government in the recent executive order around requiring people to supply SBOMs with artifacts that they deliver. Are people familiar with that at all?

F: Sure, yeah, we'll start there. Yes, yeah, so there's been a push from both NIST, which is the US government National Institute for Technology, and then the NTIA, National.

F: I don't know what it stands for, another group, to start talking about whether or not people shipping software should have to ship SBOMs, and then what fields should have to be in those software bills of materials in order to do useful things with them. So over the past couple of weeks there's been a huge public comment period and stuff like that, a bunch of different use cases around what people want to do with data from a software bill of materials, which makes it kind of hard to talk about abstractly.

F: So, at a high level, you can imagine an SBOM contains enough information for you to set up alerts on a CVE database like NVD or one of the other vendors. Then I think that it is good enough in a lot of cases. This can be done with kind of post-hoc binary analysis, scanning a container and looking for what you find, but that's kind of lossy in a lot of cases, like you're looking and hoping that the configuration is set up correctly and that people haven't rebuilt things themselves and not included all this configuration.

F: Yeah, it's tough, because to generate one with good information inside of it, it kind of has to be done by the build system. You can always scan stuff after the fact and get some information, but because it's done that way, it means you kind of just have to trust that it has the correct information.

F: If you could actually just crack something open and see what's inside of it correctly, then you wouldn't need this SBOM to begin with, because you'd just have all the information and you could crack it open and scan it and find all the correct stuff. So it's kind of a shift in thought process here which a lot of people, I think, are struggling to deal with: you've got this thing that you don't actually know if it's correct, but it might have more useful information in it than the thing that you can.

F: Yeah, yeah, again for what's inside the bill of materials, I think it's kind of tough because there's just no real understanding of what's supposed to go inside of them yet. I think, you know, the formats are all relatively simple: SPDX has kind of a more complicated tag-value thing, but there's also just JSON versions of all of these and easy ways to convert between them. So I think it would align pretty well with existing tools like OPA and stuff, or anything that can kind of parse JSON and write complex rules.

F: If you knew what you were looking for, that's kind of the bigger thing. I don't think people know what type of policy they would want to apply to the contents of an SBOM today. The other, bigger thing would just be: is there one? And maybe it wasn't produced by someone that I trust, and that comes down to how SBOMs get cryptographically signed, and things like that. So I think the existing policy tools would be okay for that, at least for, you know, SBOMs as currently described.

F: There are tons of open questions around where they get stored, how they get copied around with containers, and everything like that. That's also still in flight. I'd actually be kind of curious to flip this around a little bit: are there policy questions, you know, that people are asking that we can't answer today?
A: I mean, I think a lot of, you captured some of the discussions that are happening around use case and, you know, how they're going to use it, how they're going to consume it, and right now the only questions that I am hearing are in these kind of government or government-related projects where it's, you know, does it exist or not, and then, you know, maybe they'll get pedantic down to the level of, you know, how is the trust chain built and, you know, how can we check?

A: You know, it's like any certificate, right, like who issued the, who signed it, who issued the cert to sign it, who's, who manages those keys? How are those keys managed, and, you know, that kind of level of questioning. So I can imagine policies derived from those high-level, simple questions around, you know, existence of this, of the metadata that we expect for the signatures there. It has, you know, all of these components; maybe there's a whitelist/blacklist approach to that policy, so.

F: Yeah, I think it would kind of, that comes down again. The only thing I can really think of that would be useful and practical is denying if there's a vulnerability known in something, which requires joining the SBOM data against something else. So it's a little bit tricky, like you wouldn't include vulnerability data in an SBOM, because it's dynamic, right, a vulnerability might not exist today, but it might exist tomorrow where the software hasn't changed.

F: So instead you kind of need to grab the identifiers out of the SBOM, which is a challenge, and then query against some database and do policy that way. It's also a hard policy decision to make timing-wise, because again the same question: when you deployed something it might have met policy, but now, tomorrow, the pod is still running but it doesn't meet policy, and there's a tough question about what to even do.

A: Well, that's, that is, I mean, that kind of human-level decision on human policy, right, you know, you may, if you're, you know, a government agency, you may have a policy that says, and this is very common, you know, all vulnerabilities have to be remediated based on a particular categorization by, say, 90 days, right, yeah, and if you don't, you have to turn it off, right. So.

F: So yeah, no, that's completely fair too. Yeah, probably not, yeah. You wouldn't want to do it the minute it's found, probably; maybe you would, maybe not, depending on, I guess, your use case. I think something like that, an SLO, is much more common. We do stuff like that too internally at Google. We call it build horizon or something like that.

A: You know, once, if this does pick up steam and people do start experimenting with finding cases, I think that, you know, I think there's enough downstream tooling. So there's projects like Cloud Custodian and others that, you know, can, you take either an agent or, you know, a lambda running background cron task approach and just continually, you know, check things are there. You know, check the manifest, see if there's packages that, you know, have been flagged from some other database, so there's kind of operators that can run to combine data sources.

A: I guess that's probably the main idea around second-order use cases. I think right now, maybe the next 12 months, it's just someone on the government side asked for this to sign the contract, so it better be there, and that gets us for the next 12 months. But after that I could see the downstream tooling doing a little bit more nuanced checking and enforcement and remediation.
G: This is Jaya, I just wanted to chime in with my thoughts on this, right. I think the way I think about this is we need to apply the policy-based governance through the entire life cycle, right: development, deployment and runtime, and the more we can shift left and discover things early on, the better, right. So the question is, so from my perspective, when I talk about policies, what I'm talking about is to ensure that, during the development phase, you know, we are scanning for vulnerabilities.

G: If there are artifacts, we are signing, the signing policies are in place, and, you know, those kinds of things, right, so ensuring that that is there in the pipelines. How do we? I know we have technologies, Sigstore and others, to sign, you know, things like that, right, but the question is how do you ensure that those things are in place? They are operating as expected, they're configured properly. I think that's where I feel policies come into play, right.

G: From my perspective, at least, and one of my colleagues in IBM Research is working on policies for the secure supply chain. Sripad, he's not able to join today, but I was just actually pinging him in the background to tell him, you know, that this topic's being discussed today; he's going to listen to the recording, but so those are really my thoughts, right. So how do we get those kinds of policies in the pipeline?

F: Yeah, it's. There are a couple of different points of view too that I've seen people take around the policy. Like, is policy artifact-centric? Is it operation-centric, around locking down who can make changes and when and what should go in those changes, or is it around, you know, only certain artifacts are allowed? And, you know, they kind of have different implications too.

F: On the rest of things, I think Kubernetes has a pretty good handle on the policy around who can make changes and what type of changes can be made, using existing things like RBAC and most other policy engines, but it's kind of the more artifact-centric ones, where you have a 26-character-long container name and then a giant hash at the end, where you start to lose fidelity around where that came from, and to try to get back to the sources and change management history on all the things that went into the binary.

G: Yeah, yeah, I think part of the thing is to kind of design it so that that kind of configuration is exposed, right. Then you can start building policies to manage that, right.

E: Make decisions based on it. So this is Anka, so Jaya, I'm working closely with Sripad to actually bring the shift left into the, you know, the CI/CD policies, integration into the IBM Cloud Security and Compliance platform. So I know exactly what, you know, what is done there and how, you know, the evidence is signed and so on, but I'm just not sure how much of that can be discussed here, because we are not.

E: Some of this is in the open space. Some is not, so if you are aware of what is in the open space and you can tell me, I can provide details, but otherwise I think I would like to first take it back to the team to see, you know, where we are.

G: Yeah, that will be, that'll be nice, right, to come back to this forum, and whatever can be shared, the share will be.

E: Yeah, we have a full solution that takes, you know, different types of pipelines, right, so whether it is a pipeline to deploy OpenShift, or it's a pipeline to deploy an application on OpenShift, or whether it's a pipeline to deploy infrastructure as code. It's a very different set of checks, of policies, and the way that we collect the data.

E: So we have a solution that does that for the three different types. We sign artifacts and are using OSCAL to align everything on the same standard from a posture point of view, and we push it to the security center, and there we are able, through the CD IDs of the resource instances that the CD deploys, to correlate the shift-left posture with the shift-right, with the runtime posture of the same resource instances, right. So that's the, the solution is there.

E: I try to understand how much that would be relevant in the context of what we are doing with Kubernetes, right, because this is already deployed. Is this discussion, and I'm sorry I joined a bit late, then, is this discussion looking for, you know, a partnership with the supply chain, or is it something that we want to bring into the working group? What is the overall goal?
A: Oh, I think the goal was simply just exploratory, in that Dan and the folks at Google, you know, seem to be leading, at least the leading voice in the community around how they're tackling supply chain security.

A: I was actually hoping, Dan, if you wanted to say a few words about the Tekton project or Chains specifically and how you think, you know, whether all of that fits in or if it's orthogonal, or because we are kind of trying to map out the holistic view of cloud native policy and all the different parts. So I thought Tekton definitely has a place there.

F: Yeah, so the way I've been looking at it is, in, you know, in Tekton Chains, and kind of what that blog post led to and how we got here before we got sidetracked with SBOMs a little bit, is Tekton Chains basically to be able to capture, you know, as much useful, verifiable, correct metadata about what happened during a build process.

F: You know, this is all running within a Kubernetes cluster, but so when you kick off a build, you know, it's a series of containers that run in order. I mean, we want to know exactly what happened there, so which container digests were pulled, which entry points were running in those containers, that kind of thing, and then do that in a way that's secure.

F: So if this compromised build step happens, it can't tamper with this data that we've observed from somewhere else, in a separate trust boundary, and then getting that data somewhere, cryptographically signing it, putting it somewhere tamper-proof, and then making it useful later to policy engines. So I kind of draw our line right at where, you know, this group starts. I want to get all the useful data in a secure, verifiable manner to whatever policy engines people want, if that makes sense.

A: It does, yeah. Does there need to be, so we, in this group we've defined a custom resource for policy output. Does it need to be, kind of, to prime the pump, does there need to be some sort of definition of that, of what you guys are producing, that we can consume into a policy engine, or is that going to be bespoke for each type of policy engine, you think?

F: I think a lot of that can be artifact-centric. I think just like signatures and, you know, metadata around artifacts today, it's pretty artifact-centric. Like, if you're talking about JARs and, you know, the Java world, there's well-known places inside of the JAR, you know, to put this type of metadata. Containers were kind of lacking that today, but there is some movement happening in the OCI, which is the group that kind of oversees the Open Containers Initiative and the specifications there.

F: So there could be ways to start attaching all this data to a container in a useful way, so it can be consumed by a policy engine. I would hope that it's not bespoke per policy engine. I would hope that it's standardized for each type of artifact you want to apply policy on. They're just not quite there yet. Does that make any sense?

F: Yeah, and, yeah, it doesn't necessarily need to be completely self-describing. We just need a way to go from, like, hey, here's a container I have, what is all the information about it? It could be in it. It could be next to it, as long as there's a well-known way to discover it. There's a lot of weird cases where, you know, if you want to sign a container, you can't modify the container to stick the signature inside, because then the digest changes.

F: You know, invalidating signatures and all sorts of weird stuff like that. So it's, yeah, other, you know, JARs work around that just by signing some inner contents of the JAR, but that doesn't really work in the container world. So, right, it's, yeah. There has to be a well-known, useful mechanism to provide that data to the policy engine.

F: Yeah, it's, I've done almost no work there. I have almost no understanding other than it's a thing. I, you know, I've just, from reading Twitter and Hacker News comments, it appears that, you know, a lot of the CPU issues we've had over the last year on side-channel attacks kind of weaken a lot of the promises that enclaves can make, but I'm really not an expert. That's just my, if you ask me about it on the street, that's my current take, based on what I've happened to scroll through.

A: Yeah, I don't want to hijack the topic. I was, I think there is, there's no perfect solution. There's obviously, there's timing attacks and various things with the CPU and cache levels that are going to undermine, you know, pretty much anything. Yeah, it's kind of that more, that, you know, layers upon layers of weaker security. Does that add up to good security? I don't know. Provably, no, but, you know, practically, maybe.

F: I guess, I mean, the most useful thing to me, for me, would just be to start hearing feedback on the type of policies, you know, as concrete as you can get, and I know it's tough, because it's this chicken-and-egg thing where nobody has the data they want to apply policy on, so they're not thinking too much about what they want to do.

G: So I'm going to just volunteer, and here, so Anka, could you please sync up with Sripad and see, you know, what we can come here and talk about, right, based on our experience? Yeah, yeah, sure, awesome. Thank you.
A: Well, I think we have a few logistical, and we're, wait. Let's say we are putting together this white paper. You're certainly welcome to join, but I definitely understand if you've got a busy schedule; feel free to drop off.

A: Okay, then Zoom accounts is obviously a good logistic thing to fix, so we can get these recordings.

A: What I had found previously about getting all this, and it seemed to be ambiguous, at least to me, but maybe there's some new clarity in the link you posted, so I'll take a look. I'll try one more time. If I fail, I'll fall on my sword and maybe ask for your help, yeah.

B: Just reach out quick and let's, yeah, we can get this sorted out. Okay, other things on the white paper. Yeah, one of the things we've been discussing is, I think there's a general consensus that we need to carve out some time and maybe schedule some additional sessions to get going. I know Jaya has done some submissions on GitHub, and then a few comments and other things pending, but maybe just to kick things off.

B: We need a few more working sessions, so there is a project board which lists out all of the, at least the major, areas we had identified, and, you know, for most of them folks have, you know, volunteered for different sections, but then the next thing to do is, I created this Doodle to just see what meeting times we can schedule. I'm thinking starting next week, and it will be good to make sure that if we sign up for, you know, authoring, we have at least a couple of hours per week.

B: I would say for the next three to four weeks, and beyond that, once we get through the basic content, it'll just be editing and reviewing and things like that, but the next few weeks would be critical if you want to kind of kick this off. So for folks, you know, who wanted to kind of work on authoring some of these sections, just make sure that we have the right time commitments and can put in that. There will be other, you know, like I know, Anka.

B: We have talked about the OSCAL mapping and things like that. I'm thinking that would come a little bit later. Once we hash out the, you know, the main structure of the paper and those types of things, we'll file more tasks for, and other things for, after we get the basic content in.

E: I have the content, Jim. It is just a question of finding time to go through the process. Maybe I'll work, it's very busy, you know, June, and, you know, before leaving for vacations, to wrap up things. Sure, I'll try to work with Jaya. Maybe I will get.

B: Yeah, and then, you know, the, just, I guess, the details of the process we can keep lightweight. So even if you have your stuff in a Google Doc or things, it's, you know, pretty straightforward to convert it to Markdown when we want to. Basically we can just copy-paste it and format it, right, but anyways. I think, as the next steps, I know Robert, Jaya, Raj, I don't think, is on the call today, but he had, you know, expressed interest in this, and Aradhna had also expressed interest in.

B: You know, authoring some of the sections, so if you could all just select some available times for the next few weeks and we'll pick at least one hour. So what I'm thinking is we will meet like an hour a week in addition to any working time we need independently, and that way we can sync up and make some quicker progress on this.

B: So KubeCon is in October, so, yeah, we have some room till then. It would be good to get the paper published, yeah, earlier, and if we can time it with that, I think that will work out great. So we have the paper out. We can even do a blog post and things around the paper, and then, of course, that could be one of the ways of, for content, or the topic, or the discussion at KubeCon itself, yeah.
A: Yeah, I, you know, I don't want to give us too much hope to hang ourselves by, but I think realistically, if you back it up from October, and, you know, having a polished document that's been reviewed and is presentable, and writing up kind of the panel discussion about that, and, you know, getting, you know, talking to Amy, folks, CNCF, and just going back and back and back and back, you, like, we're definitely not too far ahead of the curve.

G: So Jim, Wednesdays 2pm Pacific time work great for me. I don't know about the others.

B: Yes, I, you know, maybe, and we could do this now, or if folks want to just go to the link, I can share that, and at least then just indicate your preferred time on this and just select a couple of options that are available, and then we'll see what works for everyone.

B: Yeah, and the idea is, this is more to pick the day and time within the week, and, right, we'll do it recurring for at least three or four weeks just to get things started, exactly, yeah. So just pick whatever time, and I offered a few options within a day. If you want to add more options, let me know; we'll see what we can make work, but I think, yeah, there's some afternoon time, and Friday was the only open morning I have left.

E: And do you have the link for the Doodle in the docs?

B: It's in the chat and in the docs. Okay, and I think Anka, for the OSCAL section, like you said, you can probably coordinate with Jaya; that may work best. You don't have to be in every session unless you want to, right. So it's up to you based on your schedule. If you want to work on other sections, of course feel free to, and we can then, then, yeah, you might need more time commitment.

B: Okay, yeah, then, like, again for any of these, just, you know, make sure in GitHub, then you can also kind of add yourself to the issue, so we'll track everything through GitHub.

B: So I think here, yeah, for this, use cases right now.

E: Will fit in there, and then it wasn't, and use cases, exactly. Yes.

B: So, you know, as long as one of the folks working on that section is in the meetings in the next few weeks, we can start making progress. I.

C: Jim, sorry to interrupt, a few suggestions. I can also try to volunteer in the policy report and working group white paper meetings. So if you suggest, I can try to work with you whenever you suggest.

B: Sure, yeah, no, you're absolutely welcome too. I think initially we want to just get a lot of the content written up by a few folks, but then, and it will take some time commitment, you know, in terms of these various subject matters, but then we will have other sessions for review and for other things, and we'll have to keep widening the circle, right. So, but feel free to sign up, you know, for areas where you feel you kind of want to contribute.

B: Yeah, like just the stuff we just discussed with SBOM and other things that could be new. There's always, you know, new things to bring in.

B: Okay, so then we can, you know, switch to just some quick project updates on ongoing activities.
D: So I am working on a project with Jim that involves building a Falco adapter that will take outputs from Falco and generate or update a policy report. So to give a quick update on what all happened in the last two weeks, ever since the last meeting: we decided to work with Falcosidekick to get outputs. We finalized the mapping document.

D: After talking to a couple of other members from the community, Carson, Thomas and Frank, we have started working on a design document that would give us a concrete way to move on from here on. Then we have understood and implemented how, you know, Falcosidekick outputs can be taken in code, and we have got that via the Falcosidekick web UI. By enabling events, we have, in the code, unmarshaled the JSON output and got it into Go variables to manipulate them. And yes, finally, I have.

D: And from here we just wanted to see how events would look. This is a JSON format, and yes, that's it, for how our code looks.

D: Right, so this is just to see how my outputs come out, coding-wise. I did try mapping these outputs with the CRD, and I wasn't able to test it because I was not able to get Falco running on my system, but.

B: Thanks, yeah, that's great progress. Okay, yeah! I don't think Stephen is on the call today, but just a quick recap on some of the work we've been doing there. So the main task was to investigate Trivy, Clair and some other scanners, which, you know, is completed.

B: We are moving forward with Trivy, so there's some early prototyping and work going on there, and also looking at how, you know, the Starboard project team is using Trivy for internal scans. So one thing Stephen found out is, right now it's really one image at a time, so you kind of have to request an image to be scanned, and then Trivy, of course, can scan that image, show the vulnerabilities and produce that into an output.

B: So the challenge, or at least something that we need to design and figure out now, is how do we, you know, if we want to scan the entire cluster periodically, what's the best way to do that, right? And it doesn't seem like there's any good implementation out there or, you know, some way of solving this. So we're trying to see: is that something that we need another utility to periodically scan the cluster, collect the list of images and then supply that to Trivy somehow, perhaps through a ConfigMap, which would then trigger off.

B: You know, a background scan on each one of those images, but that could be a fairly intensive task for large clusters, so we need to collect a little bit more data and thoughts on that to see what's the best way to address it. But anyways, that's where we are, and then the next step, of course, once we figure out that part of the design, the next step would be to come up with the mapping from the Trivy output into the policy report, which seems, you know, fairly straightforward and possible to do.

B: But so right now we're just more focused on that initial part of gathering the data and the set of images.

C: Thanks, Jim. I just wanted to give a quick suggestion to Anushka, because I implemented a project like that, only the kube-bench adapter. So, first of all, congratulations, that was really nice JSON output, because you have got the variable, so you have almost everything in your hands now, or the mapping part is relatively easier once you decide the talk. So I'm sending you that part of the code where I figured it out, and hopefully it can help you to get some reference or inspiration from there. So great work till now here.
D
G
So
jim
I
was
what
I
was
thinking
was
that
some
of
these
scans
right
are
are
another
thing
that
we
could
incorporate
in
the
devsecops
pipeline,
right
and,
and
the
policies
that
we
are
creating
here
could
be
applicable
in
that.
B
Right
so
certainly
the
you
know,
the
intent
would
be
that
the
images
are
scanned
prior
to
admission
controls
prior
to
them
running
in
the
cluster
and
there's
some
way
of
verifying
that
perhaps
added
mission
controls.
B
But
then
the
remaining
problem
that
we
had
discussed
once-
and
I
think
dan
also
kind
of
hinted
on
that-
is
what
happens
if
there's
a
vulnerability
found.
You
know
after
the
workload
is
running
right.
So
how
do
you
detect
that
so
either
that
has
to
be
sort
of
a
periodic
scan
driven
from
the
cluster
or
it's
a
push
from
some
external
system
into
something
in
the
cluster
to
say:
hey,
there's,
some
new
updates.
B
B
A
F
A
A
How
can
you
operationalize
responding
to
it
if
you
do
find
issues
so
if
you're
getting
alerts
every
hour
is
just
going
to
be
overload,
so
my
guess
is
that
a
reasonable
something
that
would
pass
muster
in
most
enterprises
would
be
kind
of
a
daily
scan,
and
you
know
that's
probably
the
the
fastest
anyone
can
respond
anyway.
G
Right,
yeah
daily
scan
is
good,
so
what
I
was
thinking
was
as
part
of
this
work
right
in
addition
to
producing
policy
report
for
the
results.
Can
we
also
start
working
on
policies
for
these
tools
right.
C
G
Yes,
yes
right,
so
because
really
what
you
want
is
for
a
for
a
specific
security
control.
You
want
to
make
sure
that
the
players
are
properly
and
then
the
results
are
getting
returned
right.
So,
if
you
consider
all
three
aspects
right,
you
want
to
apply
the
policy-based
governance
concept,
all
three
right
so
so,
and
I
think
that
that
will
kind
of
also
answer
kind
of
the
question
that
dan
was
talking
about,
which
is
what
are
the
kinds
of
policies
we
should
be
putting
in
place
right.
B
B
A
A
G
B
A
A
F
A
Essentially,
where
the
psps
went
right,
they
basically
said
we're
going
to
recommend
this
kind
of
baseline
for
for
most
people
and
if
you
want
to
customize
it
from
there
feel
free.
So
I
think
you
we
could
put
guard
rails
around.
You
know,
here's
here's,
you
know
high
low.
Maybe
we
have
a
moderate
baseline.
A
B
There, yeah, that's a good set of ideas, and, you know, some work which would be fairly interesting, right, because then you could, for each of these, like, four or five tools we've identified, which map to different areas of policy enforcement.

We could have some standard profiles, things like that, right, to say, okay, this is what you would typically want to drive to as a baseline or whatever other levels there are.
A
Right, I mean, I think it's important practically. I mean, like, we've republished baselines everywhere we look at it. Some people might even turn it on, but you gotta have some operational capacity to deal with the downstream side of it, right. You know, again, like, you know, if you're doing work in government, you find a vulnerability, you can't just sit on it indefinitely. You have a contractual and federal requirement that you have to solve that within 30, 60, 90 days, or else you get.

You know, you get a finding and then that gets, you know, elevated to a CAP and eventually, you know, you lose your contract. So similar things probably don't happen in the very, you know, private sector commercial world, but, you know, the end result is eventually you get ransomware and then everybody starts looking through the forensics of whose fault it is. So.
B
Right, yeah, good topics. Let's, you know, I don't know what would be a good next step on it, but certainly we're thinking about, as we're, you know, getting to these set of outputs, maybe perhaps that's a next level of activity stream or things we start. So let us know if there's folks on your team or others who want to, you know, look at that in more detail.
G
Yeah, Gus from my team here to drop, but he definitely, he's involved in the Falco community, so he's definitely looking at policies for Falco. So I think that'll be at least one set of security controls, right. So.
B
Okay
sounds
good
all
right
so
and
then
the
last
topic
we
had
on
the
agenda
was
just
a
quick.
You
know
discussion
on
kubecon
us
like
we
talked
about
when
we
were
discussing
the
white
paper,
that's
in
october
and
it's
gonna
be
a
hybrid
conference
which
I
don't
know
exactly
how
that
works.
B
But
I
think
there's
a
you
know
in
person
as
well
as
virtual
events,
but
anyways
we
have
the
you
know,
opportunity
to
propose
either
a
presentation
or
a
panel
session
and
just
some
collecting
some
quick
feedback
from
robert
and
others
seems
like
the
preference
of,
and
I
agree
would
be
to
do
a
panel
session.
So
we
can
propose
something
for
that.
B
So
you
know
on
slack
I'll
float
some
ideas
and
if
we
do
you
know,
perhaps
of
the
panel
session
could
be
right
around
what
we're
the
work
we're
doing
with
the
white
paper,
so
that
would
fit
in
nicely-
and
you
know
I
think
panel
sessions
are
restricted
to
four
four
people,
so
we
would
have
to
have.
One
of
us
would
moderate
and
then
we'd
have
three
others,
or
we
would
just
rotate
somehow
and
figure
out
how
to
you
know,
go
over
some
of
the
topics.
A
Happy to volunteer. I guess we don't know if we'll get accepted until.
B
Not exactly sure on the dates, but the only day that I recall is July 6th, is we have to publish or submit the session before then, right. So I can start a draft and we'll come up with some, you know, things to discuss, and I'll base it on the white paper outline exactly, and let's get that submitted and then we can decide. I think we have some flexibility to change a few details, but they want to know, like, who's going to be on the session.

There's some rules for diversity and participation and things like that for panel sessions, because they don't want, like, four people from one company, for example, or, right, things like that, right, or they don't want, like, all-male panels or stuff like that. We'll have to just abide by, which is great, and then we can, you know, figure out the content details.
A
Well, I certainly would welcome anyone who's participating on this, who feels they have a perspective to add, to join the panel. And then I think, you know, if we have to find diversity of vendors or open source projects, we can certainly raise the flag and CNCF TAG and SIG Security Kubernetes to invite others who, because, you know, especially if they directly match the outline of the white paper.

So if anyone wants to submit nominations or nominate themselves, feel free to. Where's the best place to drop that, Jim, you think? In the Google Drive or the.
A
Anything else? Just one call to action or invite to action: I'll post the Slack channel. I did create a breakout channel in the CNCF Slack on public sector topics, because we were just having a lot on the CNCF TAG around those of us who are deeply involved in public sector, and I would invite those who are international. I mean, EU and Asia Pacific have similar government requirements and policies and whatnot, but so it would be more expansive than just policy.

But if those of us who have a public sector view of things want to trade notes, and, you know, related to that, you know, anka might be of interest to you. You know, as I'm trying to reach out to obviously the FedRAMP folks who I work with closely on a lot of projects, but even now there's an effort to do StateRAMP and austral.

I was just having an email thread with them today, so StateRAMP is like the 50 states adopting FedRAMP, and, you know, tweaking it slightly to make it more fun. But, you know, asking them what their plans for OSCAL are and hoping that we can get CNCF and Kubernetes involved in their working group. So anyone who's interested, I'll post the. I don't have it at my fingertips, but I'll post the Slack channel on.
E
Are you talking to Dave in OSCAL?

A
Maybe I'm missing it. Maybe I haven't seen that.
E
Yeah, do you have my email address, Robert, to keep me in the loop?

Yeah, yeah, we work closely with dance. I would be interested if the SSP, the system security plan, makes it to the level that you just mentioned.
A
I sure hope so. That was my question to them. They had their introductory webinar, and that was the first question I asked. They conspicuously did not answer it. They did send out a follow-up email to everyone and said it's on there, and then they reached out to me directly and said that they are. They have a working group, so all good signs, but definitely it's, you know, it's a work in progress, it seems.

No, I mean, Chris had a good. Well, I guess, from the Linux Foundation perspective, Chris had a good response to the executive order. There are a couple of blog posts. I mean, you know, compliance and security, they're orthogonal, but, you know, obviously highly coupled.
G
One last thing, couple of things: one is, I'm definitely interested in that panel that you mentioned, and second is, so Jim and I are going to be talking tomorrow in the Open Cluster Management upstream community about our white paper and also the overall policy work group, just to socialize there.

So I look forward to working with you on getting ready for that one. Yeah. Thanks.