►
From YouTube: CNCF Security TAG Meeting 2021-05-12
Description
CNCF Security TAG Meeting 2021-05-12
C
A
A
A
A
B
C
B
B
C
B
C
C
Nobody
got
all
the
flags
and
I
will
run
through
the
whole
thing
end
to
end
on
on
dave,
mckay's
raw
code
clustered
thing
tomorrow.
So
probably
a
bit
of
timing
in
the
speed
runs
trying
to
get
through
a
demo.
Everything
was
a
little
bit
compressed
in
terms
of
time,
so
I
will
do
it
at
a
more
verbose
attempt
tomorrow.
B
B
All
right,
I
guess
if
and
if
you,
if
you
want
also
all
your
mic,
isn't
working
just
feel
free
to
like
put
it
in
the
chat
to
just
have
a
child,
don't
say
hi
all
right.
So,
let's
get
started
with
the
agenda.
We
have
a
very
packed
agenda.
We
have
like
seven
items
or
something
so
we're
gonna
first
check
in
with
the
the
the
sick
working
groups
apac
getting
so
from
the
apex
side.
Do
we
have
any
updates
all
from
the
policy
book
group
and
I
win
this
counter
box.
B
D
Well
then,
just
a
quick
five
second
update
we,
we
did
have
a
call
this
morning.
8
a.m
is
our
usual
call
time.
We
did
discuss
the
the
difference
between
the
this
tag,
security
policy
team
and
then
there's
a
kubernetes
policy
work
group,
so
we're
sorting
out
all
that
governance
stuff.
So,
if
anybody's
interested
feel
free
to
review
the
google
doc
and
the
pr
is
listed
on
that
google
doc.
B
A
A
So
welcome
everybody
to
the
security
tag
during
kubecon,
it
was
announced
that
the
cigs
would
all
be
renamed
to
tags.
A
couple
of
quick
notes
about
that.
There
is
some
legacy
terminology
within
the
repository
that,
as
we
have
time
and
as
people
have
energy,
please
go
through
and
update
it,
but
a
couple
of
notes
about
those
changes
for
informal
and
internal
communications.
It
is
requested
that
we
can
refer
to
ourselves
as
stag,
but
for
public
awareness
and
events
such
as
public
content
on
the
repo
we
refer
to
ourselves
as
security
tag.
A
The
reason
for
this
is
so
that
we
do
not
confuse
our
audience
or
potential
members
and
the
public
with
storage
tag,
who
also
has
rights
to
the
same
acronym.
So
just
a
quick
update
about
that,
and
also
there
are
going
to
be
some
more
changes
that
are
coming
down
associated
with
the
administration
of
the
tag.
The
chairs
have
a
little
bit
more
work
picked
up
for
for
us,
but
that's
to
help
the
cncf
serve
us
better.
B
Cool
thanks,
emily
and
daniel.
Thank
you
for
signing
up
and
subscribe
and
helping
us
grab
today.
So
the
next
item
is
on
the
triage
team,
and
so
this
is.
This
is
something
that
emily
I
discussed
a
little
bit
before,
and
the
idea
is
to
get
kind
of
reorganize
how
we
are
doing
triage
of
the
issues
and
kind
of
talk
a
little
bit
more
about
how
we
can
continue
this.
So
so,
historically,
it's
been
kind
of
enemy.
Let
me
bring
up
the
triage
font.
This
is
a.
B
B
A
Yeah,
so
a
lot
of
what's
been
going
on
is
through
the
roadmap
planning
we
discovered,
as
chairs
and
as
tech
leads,
that
we
are
leaving
work
on
the
table.
We
are
not
finding
it,
and
a
lot
of
that
has
to
do
with
some
of
the
great
suggestions
that
are
coming
from
the
community
are
not
getting
the
level
of
visibility
that
we
would
like
them
to,
and
that's
because
the
tag
leadership
team
is
a
little
bit
short-staffed.
We
all
have
full-time
jobs.
A
A
So
what
we're
looking
for
is
to
expand
that
triage
capability
to
the
community
a
little
bit
more.
There
is
a
triage
channel
that
we
have
it's
like
tag
security
triage,
I
believe,
and
we're
looking
to
get
more
community
involvement
to
help
us
look
at
some
of
these
issues
that
we
have
coming
up,
determine
whether
or
not
they
should
go
on
the
agenda
for
community
discussion
to
see
if
they're
worth
pursuing
or
kind
of
ping.
The
chairs
and
the
tech
leads
that
hey
this
needs.
B
That
will
take
a
while
for
the
muscle
memory
to
go
away,
yeah
yeah,
so
I
I
think
that
we
will
apolofize
is
just
like
you
know,
going
through
the
issues
looking
at
things
and
using
using
judgment
to
kind
of
figure
out
whether
this
you
know
maybe
needs
a
bit
more
review.
Maybe
it's
good
to
merge
and
things
like
that,
and
also
I
think
that
we
want
to
define
this
a
little
bit
more,
so
that
more
members
can
come
in
as
well.
A
So
a
lot
of
this
for
those
of
you
that
are
new
and
you're,
you
kind
of
want
to
stretch
in
your
professional
chats.
This
is
a
good
opportunity
to
like
stretch
into
a
little
bit
more
of
project
management
or
open
source
management,
because
this
is
really
the
bread
and
butter
of
successful
open
source
efforts
is.
How
do
we
manage
our
issues
and
how
do
we
put
work
on
the
docket
to
be
performed?
A
This
is
also
a
good
opportunity
for
you
to
have
better
visibility
across
all
the
streams
of
work
that
go
on
within
the
sig
and
understanding
kind
of
where
that
community
direction
is
so,
if
you're
looking
more
across
cloud
native
security
architectures
into
the
next
horizon
of
what
is
the
community
concerned
about?
This
is
a
good
opportunity
to
give
you
a
certain
level
of
visibility
that
you
would
not
otherwise.
B
Get
and
so
I
guess,
to
wrap
up
if
you're
interested,
we
will
put
the
link
to
the
the
channel
and
the
chat
and
please
join,
and
we
will
you
know,
start
getting
this
getting
this
moving
forward
excited
about
all
the
issues
that
we
have.
We
we
we
are
in
a
unique
situation.
We
have
that
we
have
a
lot
of
issues
compared
to
the
compared
to
some
other
groups.
A
B
C
A
So
quick
update
on
the
supply
chain
document
so
we're
waiting
on
final
concurrence
from
liz
rice,
who
is
one
of
our
top
liaisons,
so,
typically
with
papers,
we
get
our
talk
liaison
concurrence
before
we
contact
the
cncf
to
do
an
official
publication
on
it.
So
we
are,
I
believe,
all
of
the
comments
have
been
submitted
and
remediated
or
adjudicated
so
we're
just
waiting
on
final
confirmation,
and
then
we
will
fire
it
off
to
the
cncf.
A
So
there
are
some
references
within
that
a
lot
of
if
you're
familiar
with
the
dod
software
factory
and
some
of
that
work
that
was
presented
in
the
community
or
some
of
the
blogs
and
articles
that
already
exist.
A
lot
of
the
lessons
learned
in
a
lot
of
the
core
components
of
that
have
been
pulled
into
the
supply
chain
document
and
either
expanded
or
abstracted
for
industry
and
public
community,
as
well
as
government
and
academia.
So
there's
a
lot
of
crosstalk
between
them.
B
B
F
Yeah
yeah,
I'm
on
so
real
quick.
I
had
a
really
great
call
with
shulie
goodman
of
the
linux
foundation,
energy,
and
you
know
talking
about
how
you
know:
we've
used
identity
in
some
of
these
infrastructure
projects,
so
we
are
meeting
next
thursday
to
discuss.
You
know
how
to
secure
critical
infrastructure
as
it
starts
to
move
to
more
of
a
cloud
native
type
of
environment
right
all
these.
F
F
F
A
There's
a
lot
of
really
interesting,
pre-existing
knowledge
in
that
space,
as
well
just
in
general
about
scada
systems,
particularly
the
attacks
that
happened
in
the
early
2000s
and
that
are
regularly
ongoing.
So
if
anybody
is
interested
in
researching
or
learning
about
that
further,
let
me
know
I
have
access
to
a
bunch
of
links
and
articles
from
work
that
I've
done
for
a
talk.
I
have
coming
up.
D
So
with
the
kind
of
the
work
that
cole
and
I
have
been
doing
on
in
toto,
we
are
trying
to
get
things
signed
with
short-lived
keys
and
I
guess
I
was
just
kind
of
looking
for
an
appeal
to
anyone
who
may
have
experience
with
trusted
time,
stamping
and
rfc
3161
and
potentially
implementing
that.
As
far
as
I
know,
rfc
3161,
which
is
trusted
time
stamping
in
the
protocol.
But
it
doesn't
really
specify
any
standard
transports.
F
So
I
had
a
lot
of
context
too.
This
is
this
is
with
our
in
total
goaling
fork.
One
of
the
issues
that
we
have
is
with
those
short-lived
keys.
We
need
some
way
to
assert
that
that
we
sign
that
metadata
within
the
validity
time
of
those
keys.
So
I
think,
looking
at
rfc
3161
might
be
a
way
to
do
that.
So
looking
for
you
know
any
input
from
the
community
on
how
to
possibly
handle
some
of
those
those
things
you
know,
I
think
tough,
is
an
additional
way
forward
on
that
as
well.
F
Yeah
I
mean,
should
we
should
we
break
this
off?
I
mean
I
would
like
to
kind
of
discuss
this
a
little
bit
further.
I
know
this
media's
kind
of
packed,
I
know
mikhail,
would
too
is
there?
Can
we
can
we
link
up
in
slack
and
maybe
find
a
time
next
week
to
go
into
a
little
bit
more
deeper
technical
discussion.
F
A
B
Yeah,
I
I
also
recommend
just
creating
an
issue
for
the
discussion,
just
in
case
folks,
that
know
on
the
call
wanna
also
jump
on
okay,
perfect.
Also,
I'm
not
sure
whether
this
is
relevant,
but
so
I
know
six
star
has
an
implementation
of
for
show
which
does
like
it's
not
really
time
stamping,
but
they
they
kind
of
mint,
shot,
dev
keys
for
developers
to
sign
artifacts,
and
things
like
that.
I
don't
think
it's
direct
information,
rfc
I'll,
put
the
link
in
the
chat.
D
E
E
B
Would
I
think
this
was,
I
think,
based
on
what
we
talked
about
in
the
talk
call,
they
will
kind
of
determine
what
the
ask
is
for
the
six,
and
so
he
I
think
that
we
can
probably
if
he
pings
he
like
one
of
the
the
chess,
I
think
maybe
you
can
have
a
discussion
of
what
is
required.
The
review
is
definitely
going
to
be
like
the
base
of
the
recommendations.
E
All
right,
sorry,
so
sorry,
apologies,
ricardo
is
new
to
the
talk
so
and
this
process
is
also
new.
So
who
is
a
good
guide
post
for
him
that
we
can
like
to
understand
what
the
current
process
is
and
and
the
if
he
has
questions
per
se,
we've
been
trying
to
do
our
own
research
to
help
them
in
that
process,
so
also
trying
to
understand
what
the
best
way
to
go
about
it
is.
A
So
I
want
to
disentangle
stuff
because
of
my
brain
they're,
a
little
mixed.
So
there's
two
things
going
on:
there's
the
pr
for
incubation,
which
requires
a
form
of
due
diligence
review,
and
then
there
is
an
existing
issue
within
the
tags
repo
to
perform
a
security
review
of
cloud
custodian,
that
security
review
started
pre
pandemic
and
has
been
on
hold,
while
we
close
out
the
build
packs
review,
but
traditionally
in
the
tag
processes
and
within
the
talk
processes.
A
E
Now
that
we've
got
this,
we
started
this
process
to
go
in
the
sandbox
and
we're
in
sandbox
and
we've
continued
to
try
to
engage.
I
think
part
of
the
delays
have
actually
been
on
the
project
side.
We
have
dedicated
folks
now
that
are
engaged
on
that
front
and
robert's
been
great
to
work
with
from
the
six
tag
side,
but
the
I
think
the
question
is
is
what
is
the
question?
The
question
is,
I
think,
we're
related
to
the
presentation
and
dewey.
A
But
it's
entirely
on
the
project.
Considering
that
we
haven't
completed
the
joint
review
for
cloud
custodian
and
you
do
have,
it
looks
like
some
joint
reviewers
on
the
issue.
If
you
want
to
do
a
refresher
on
what
cloud
custodian
is
because
it's
been
18
months
and
the
world
has
almost
fallen
apart.
In
that
time,
we
have
new
members.
That
would
certainly
be
appreciated.
E
And
maybe
I
need
to
re-review
the
current
incubation
spec
with
regards
to
dd
as
emily
suggested.
These
are
two
separate
things
with
regards
to
a
security,
sorry,
tag,
security
review
and
the
talk
td,
but
there's
a
lot
of
overlap
with
regards
to
the
talk
sponsored
doesn't
delegating
to
the
to
the
tag
with
regards
to
that
dd
work,
and
it's
a
little
bit
unclear
to
me
where.
D
A
So
I've
pinged
amy
to
provide
some
clarification
about
what
those
expectations
look
like.
With
regard
to
the
tag,
the
joint
review
and
the
due
diligence,
I
can
also
mention
about
some
general
confusion
with
the
talk
sponsor
about
that
process
as
well,
because
I
think,
I
think
we're
all
kind
of
like
I
don't
know,
and
I
can
post
back
to
the
channel.
I
think
I
might
not
be
on
the
channel
for
the
assessment,
but
I
can
post
back
to
the
channel
with
what
the
recommendations
come
out
with.
B
Yeah,
I
think
traditionally
for
the
the
due
diligence
side.
We
require
a
chair
signal,
so
that
is
something
that,
like
my
perspective
of
it
is
you
know,
treat
the
the
reviews
review
once
it's
done,
then
we
can
talk
about
due
diligence
and
then
due
diligence
is
just
going
to
draw
on
the
content
of
the
review
and
from
the
recommendation
of
the.
B
G
They
are
looking
for
a
wider
feedback
from
the
security
team
and
the
security
tag.
I
should
say
so.
If
you
could,
please
go
through
the
table
of
contents
and
if
you
think
there
is
something
we
need
to
add,
or
that
is
missing
that
will
help
build
end-to-end
policy
management.
White
paper
that'll
be
great.
You
can
just
comment
in
the
paper
itself
and
then
we
can
discuss
it
in
our
working
group
session
next
time
and
appropriately.
Add
it
into
the
sections,
as
well
as
the
subsections.
G
Right
now,
it's
just
table
of
contents
right,
if
you
think
from
a
policy
perspective
and
security,
I
mean.
Obviously,
this
group
is
all
about
security
and
there
are
security
policies
as
well
as
security
controls
in
the
policies
that
we
need
to
address
as
well.
We
tried
to
incorporate
that
as
detective
controls,
as
well
as
enforcement
controls,
but
if
there
is
anything
missing,
we
want
to
get
a
wider
set
of
eyes
on
it
and
get
your
feedback
as
well.
G
G
C
C
A
A
A
A
B
C
So
can
I
make
a
call
back
real,
quick,
sorry
to
be
the
guy
at
the
end,
with
the
cloud
custodian
thing,
I
think
I've
put
a
few
things
together
for
myself,
so
I
just
want
to
reflect
it
back
with
which
is
when
we
spoke
with
ricardo
yesterday
he
seemed
unclear
that
we
had
dueling
documents.
We
have
the
kind
of
historic
cloud
custodian
assessment
from
the
tag
and
then
there's
the
incubation
documentation,
and
I
don't
think
that
he
was
kind
of
understanding
the
distinction
there,
either
that
we've
defined
here.
C
But
if
I
understand
correctly,
the
incubation
process
needs
a
toc
sign
off
and
there's
discretion
there
for
them
to
like
whether
or
not
to
request
some
level
formal
assessment
or
whatever
and
separately,
the
kind
of
long
drag
for
the
cloud
custodian
review
that
could
that
may
or
may
not
happen.
Is
that
correct,
depending
on
sort
of
what
the
purview
is
of
the
toc
person
to
sign
off
so.
E
Thank
you
for
bringing
that
up.
I
have
a
lot
of
confusion
here
as
well
at
least
regards
to
the
talking
commission
requests.
I
try
to
normalize
to
what
was
already
there
for
the
sorry,
the
most
recent
request.
What
was
already
there
as
far
as
incubating
as
far
as
the
talk,
my
understanding
is
for
a
security-related
project
that
it
is
necessary
and
I'm
just
stating
this
for
feedback
as
well,
because
I
also
want
to
get
clarity
on
this
also
unclear,
based
on
what
historical
versus
current.
A
Yep,
so
a
couple
of
things
we're
going
to
assist
ricardo,
we're
being
tagged.
Security
in
some
capacity
is
going
to
reach
out
and
ensure
that
they
have
the
right
partnership
to
move
forward.
As
far
as
that
presentation
goes,
let's
go
ahead
and
get
that
on
the
books.
That
way
it
can
be
done,
and
you
can
have
that
part
of
the
incubation
requirements
checked
off
and
then
the
next
question
is
really
around
that
due
diligence
document.
A
E
Itself,
there's
not
a
whole
lot.
That's
changed
in
the
last
18
months
as
far
as
focus
area
coverage,
etc.
So
I
understand
it's
definitely
useful
to
re-present
it
for
our
current
audience
but
content-wise.
I
don't
know
that,
there's
a
whole
lot,
that's
changed,
or
even
and
user
production.
Usage-Wise
though
there's
all
I
mean
it's
grown,
but
like
from
a
baseline
of
incubation
or
research
from
a
tech
security
perspective,
the
family.
D
C
B
B
A
So
I
have
another
request
for
everyone.
If
you
could
take
some
time
and
look
through
the
repo
find
anything
that's
outstanding,
such
as
the
sig
to
tag
and
open
a
pr
on
it.
That
would
be
lovely
as
well
as
review
some
of
the
ongoing
issues
that
we
have.
There
was
a
lot
of
interest
in
completing
some
of
them.
We
want
to
be
able
to
queue
up
next
big
projects
moving
forward
and
there's
a
lot
of
open
prs
and
the
tech
leads,
and
the
co-chairs
are
not
the
only
ones
that
enjoy
reviewing
them.
A
I'm
sure
you
all
would
love
to
review
them
and
provide
your
two
cents.
You
are
part
of
this
community.
We
want
to
hear
your
voices
and
we
want
to
know
what
it
is
that
you
all
want
and
where
you
want
to
move
to,
and
one
of
the
best
ways
to
do.
That
is
to
be
able
to
contribute
through
comments
on
prs,
as
well
as
generating
prs
yourselves.