From YouTube: CNCF Security TAG Regular Meeting 2021-09-01
A
C
A
So Jim, we have, I'm just looking at the agenda here.
E
Yes, Bill is in my team and he is joined to give us a short presentation on how we are using the policy reports here.
A
A
Jay, I'm sorry, Jim. I assume we want to give some bit of a white paper update after the presentation.
C
Yes, so let's, we can, we can add that to the agenda and also talk about it.
C
So Robert, one other thing, I guess, while we're waiting to, if I recall correctly, now we have the Zoom as well as the playlist info, right? So should we just go ahead and delete this invite and schedule a new one with the correct info?
A
C
Yeah, so the playlist, I think they set one up already, but there's no videos in it, of course, because we haven't added anything to the playlist. So I believe the way the process works is once you record a video, it gets uploaded into the CNCF channel and then you just add it to that playlist.
C
C
So yeah, I think what will be best, we can check with Kristoff and also send an email to Howard, if he's still checking this Gmail address, to delete his meeting invite. But you can also just email the group alias, request that everyone delete this invite, and then send out a new one with the correct Zoom.
C
Google Calendar and just add the group as the, as the attendee.
C
C
Nope, yeah, only for code reviews and stuff. Yes, let me know, I guess, you know, if you want me to do that, I can. Otherwise, if you want to send it out, let's get that set up.
A
Sure, sounds good. All right. Well, I think we have, we're actually a little bit past. Let's go ahead and turn things over to Will, and welcome, well, appreciate joining, and maybe, if you want to give a brief intro.
F
The policy, I work for Red Hat on the governance policy team under Advanced Cluster Management, same team as Jaya. Yeah, just work as a software developer. Gonna go through some integration that we did with, with policies and the, the reports here to, to consolidate violations and policies and make that more visible.
C
Yeah, maybe, while Will is rejoining, I think one thing to quickly mention is, so for Stephen and Anushka, they're wrapping up their mentorship projects, right? So both of them have already completed the projects, so we can also do some quick demos and overview, you know, on that.
D
F
F
F
Currently Red Hat Advanced Cluster Management has a, an insights client that will basically pick up violations in the cluster and send them to the policy report, and this allows you to use the policy report to see compliance trends through integration with metrics, and also integrate with the, the Red Hat observability pipeline, which allows you to, which consumes the policy report and allows you to send those violations out to incident management systems. And also just looking at the policy report can, can give you an overview of all of the violations in that cluster. So I'll go over to terminal now.
F
So I just want to note really quick, I don't believe that the, the insights client that we use to, to process these policy reports has been open sourced yet, so it's currently only when you're using Red Hat ACM, but I think we, we have an issue in place to, to get that out. So if I just go and show the insights client really quick.
E
F
I hide my toolbar here. There we go. Okay, so yeah, so we can see here that we have this insights client deployed on the cluster. I just want to focus on this really quick, because this is kind of where the behavior comes from. So the insights client will basically go through and, and process violations in the cluster and send them to that policy report CR.
F
F
Every minute. The default is, is half an hour, so in the future, when this gets open source and stuff, that the default polling interval would probably be set to half an hour, so it would only update policies every half an hour. But for the purpose of this demo, I've just set it to one minute, so we can see kind of the, the way it's working. So for this demo, I've logged into a cluster and I'm going to be deploying this policy from our policy collection repo with, with GitOps.
F
It's just a, it's a very basic policy. It just is just checking for this, this sample pod that I haven't created, so it's going to create a violation and then that violation is going to get put into the policy report through the insight client.
F
So if I go back to my terminal here, and I'm going to be using this command here to just, it's just a, using the deploy script in that policy collection repo, which sets up a subscription and uses GitOps to actually set that policy up on my cluster.
F
So if I go ahead and copy faces here, we can see it's going to create the subscription for the policy that I want. Click. Yes, so now we've got these, the subscription created, and if I go and check.
F
The policies in default, where I want to create the policy, we can see that we've got this policy pod that just got created. I guess somebody has also created this limit range policy on the cluster, but we're gonna be focusing on this pod one. So we can see that the policy controller for this cluster has already set this to non-compliant.
F
So if we view YAML for this, we can see that it's, it's non-compliant, because this, this sample pod has not been created yet. So now, if we want to check the policy report, that the policy report should have collected this non-compliant policy and we should be able to view the violation for it alongside any other violations in the cluster. So if I go and get the llc report CR, whoops.
F
And then there would be a policy report created for each, for each cluster that's managed by this, this hub cluster that I'm logged into. Currently, the only cluster that we have managed is, it's just managing itself, so we have this local cluster namespace, and we can see that it's created this policy report.
F
So if I go and dive into this more specifically, we can see that we've got this violation here from that, that, that policy that I just created. This, this sample pod that we're looking for in, in space default that I haven't created yet cannot be found. So we can also see just some other data about the policy, on the category that it's in, the, the policy name that actually triggered the violation there. We also have added this.
F
This total risk field, which is tied to the severity of the policy, and, and then just a timestamp and the, the, the source that the insights client created it from. And we can also see that that other, that other policy, the limit range policy that also was non-compliant that we saw earlier, is, is also here.
F
So this is kind of a summary of all of the, all of the violations for the cluster, and if we were to have this total risk set to higher, like if we had a, a severity of critical set on the policy, then it would be picked up by, if we had observability, ACM observability working on this cluster, it would get picked up and sent to any incident management that we had set in an alert rule for that cluster.
F
So, and then the other thing I wanted to note is that this will just keep getting updated. So if I were to remediate one of these violations, say by creating this pod in the cluster, it would be set to compliant and it would be removed from this policy report. So the policy report's a good way to see kind of an overview of kind of trends of policies that are compliant or non-compliant, and also, with some more setup, you can see the, the policies and incident management systems are the violations.
F
So this is the main thing that I kind of wanted to go over here, is just kind of the, the integration with the policy report CR and the way that we can pull violations from, from policies we've created into that.
E
Thank you, Will. Can I steal the screen from you to kind of convey the big picture here? I just wanted to show one architecture chart, so people on the call can often understand where this fits in. Let me see whether this, my sharing works. Let's see, I think I need to share.
E
Can you see my, what I'm sharing?
E
Yeah, I'll just quickly kind of put this, put what Bill showed in the context of this picture, so you kind of understand what he showed. What he really was showing was on the management hub, right? So in this architecture diagram, what you have is, we have the management hub, and then on the left-hand side we have all the managed clusters, right? And on the managed clusters, you have various policy enforcement points that are enforcing various policies that get deployed, right?
E
So the management hub is the one that is deploying the policies. So, and then on the right-hand side is the integration with enterprise id tools. So what Bill showed for you is the policy framework on the management hub is integrating with this policy report to generate a policy report instances for violations, right?
E
So that's what he really showed. So, and the way that works is we create a policy report CR for every managed cluster, so there'll be a single policy report instance created for every managed cluster, and within that instance, you will be seeing violations for insights, violations for what Bill was showing with the policy violations, etc., right? So, so that's what he showed, just to put this in context. So we are, we are doing the integration of the policy report in this work on the hub.
H
By the way, did you hear me? Yep, great, all right. I just have a couple of questions, I mean, and don't get me wrong. I, I am very thrilled ever since we, well, since we saw this for the first time. I'd love to have a unified way of reporting such policy failures. My.
H
Is scale, right? Have you, have you tried this at scale? You know, several, several clusters with a lot of policies there. I mean, that my fear is that that CRD is going to become very big, and historically etcd hasn't been great managing such, you know, big CRDs, right? Usually that was the same issue with the Endpoints resource that had to be moved towards the EndpointSlice, right? And we had a similar issue already with another of our operators. Right, so have.
E
E
Yeah, yeah, so that's a good question, Oz. So that is really why we are creating one policy report instance per managed cluster, instead of creating, because the only managed cluster, right, like I showed, you could have multiple enforcement points, right? So we really didn't want to create multiple of those, right? So, so, so, so really what you will see is you'll just see one per managed cluster. So obviously, you know, if you're managing thousand clusters, right, you're going to see thousand, right?
E
So the idea here is that, and we have talked about this, Jim and others, in the past, right?
E
The idea here is that, once you have this kind of information externalized on the hub, then you could integrate and pull this information, store it off somewhere else and then archive, right, or, or remove what is in that etcd, right? So, so I'm viewing this etcd store as more, think of it as a point-in-time store.
B
E
But in the long run, what really needs to happen is there needs to have an archival mechanism to kind of manage the life cycle of that, so it doesn't, doesn't become unmanageable, right?
B
Yeah, several points.
E
E
That's what we need to get to, right, because we want to be able to do analytics, and you know, all those good stuff, right, with the paul, with information we gather, right? So, so this is kind of, think of it as the first step, and where we are want to progress in the future is to look at alternate stores as well.
C
C
C
So, of course you don't want to have like a report per pod or, you know, violation per pod, because that just won't scale, especially when you have jobs and cron jobs and things like that, which could, you know, create a lot of ephemeral type of pods and, you know, kind of workload instances. So having some grouping is, is obviously recommended, and what we settled on with Kyverno is we do namespace level.
C
C
If you have a, you know, 100 namespaces, you'll have a 101 reports in that instance, but no more than that, right? So there's some bound, which scales appropriately with your cluster, but doesn't, it, it's not tied to something like, you know, some ephemeral type object like just pods coming and going very quickly.
C
Yeah, and I think Anushka and Steven also did the same as they were looking at, you know, the Falco adapter, and also for Trivy we're looking at doing this per namespace. So that way, the other benefit is you can now at least give read-only access to the workload owners, which, if you make this a cluster-wide resource, workload owners don't see the violations.
E
So, Jim, with that, on, on a given managed cluster on which Kyverno is running, I would at most see as many policy report instances as the number of namespaces and maybe one cluster, okay.
C
Correct, so it would always be n plus one, right, so namespaces plus one, yeah. The other thing, you know, we can do is based on, you know, we've talked about adding this in Kyverno as an option, is that if you only want, you know, violations, if you don't, if you want to filter out some type of things to make those things confirm, because that would reduce all of the sort of positives.
C
E
Hey Bill, on that question, even we are only generating false report CRs for violations, right?
F
Yeah, yeah, we're not, it's, we're, we're only doing it for violations. Compliance policies are not going to go into that because it would be, I think, a little bit hard to agree.
C
D
F
D
Thank you. Hi everyone, I'm Anushka Mitchell. I am an LFX summer mentee. I have worked with Jim on Falco adapter, so my project is now nearing its completion, and I see nearing because it's still under review, the PR. Jim has been this excellent mentor throughout, given me all the support, resources, guidance, and I've got this immense help from the community, from Gus, from Thomas, from Dan, just to name a few, of course, and well, here I am, really happy to be demoing.
D
The final, hopefully final, working prototype, work model of the Falco adapter. So I, I'll just go ahead and show the adapter first, and then maybe I could explain a few points or elaborate on a few configuration options. Great, I'll share my screen.
D
No, there was no audio. I was just going to speak while it was dangling. So here I wanted to point out a couple of things: one, that I'm running this on my local system, and that soon, when it's, were merged with Falcosidekick version 2.05, it'll be, you know, you could just run it, configured it while installing Falco.
D
D
I have kept this configuration pruned by priority, and that is basically helping me eliminate events after a certain time period on the basis of priority, so events with low priority will be eliminated before events with a higher priority, and the maximum number of events in this case is three and in and can be configured by the user. So I'll just go ahead and play the rest of me.
D
I have tried to display the priority, severity high, low in this, and, of course, there is another configuration called failed threshold that is basically allowing the user to, you know, give a given integer value to what priority of events, my bad, or what events with priority above a certain threshold would be mapped to fail and below that threshold would be mapped to a warning. So in my case, we can see that I have given the value 2, and I'll play that again.
D
D
D
Yes, you can see the events have been pruned and you, you find only high priority, high severity events in your report.
B
D
D
D
So another thing to mention would be a, a unique ID added after every report's name. That was just to prevent any.
D
E
Very cool work, Anushka. I had a question: are you using the category field to categorize the, this violation when you, when you create this CR? Meaning, what I'm, what I'm getting to is, like when Bill was showing, right, he kind of showed that one violation fit into the configuration management, another violation filled into some data security, or, you know, things like that, right? So is that something you're doing as part of this Falco work, was my question.
D
E
Yeah, let me ask, Gus is here on the call. I think he, he will understand what I'm asking, because since he has been working with you as well. You know what I'm asking, I'm trying to.
I
Right, so yeah, the, the data coming from Falco, you know, is, is pretty limited in, in your ability to probably categorize it in the way you want to. I think Sidekick allows you to add in some additional fields, but, but I'm, I'm not sure if there's an easy way to categorize the different alerts that, that your.
I
E
Yeah, that's what I was thinking, or maybe even something based on history. 853 would be fine, so this way, you know, at least, right, we gather up. I think, I think that comment kind of applies in general to any policy reports or integrations we are doing, right? So this way we can start mapping the, the information to the control areas.
B
D
C
D
C
B
G
Hi everyone, so I'm Steven. I'm actually working on Trivy adapter, yeah, so actually how to put the results into the policy reports. So I actually have a demo to, you know, to show the community, and also, I don't know if I can show my code by the repo anyways. So let me share my screen.
G
C
Yes, now we can. Oh, now we can't. Oh, disappeared.
G
So basically, this is the README for the project, and so I want to show a video, a quick video on the demo, because I don't want to take time. So basically I'll be, I'll be, so I'll be, I'll be summarizing everything from the beginning. So yeah, I have clustered already running, which is my cluster. So first off, I'm going to install Trivy adapter. So yes, it's! So yes, how to install Trivy adapter, I'm going to go back to my terminal, so I how many projects.
G
Okay, so now our Trivy adapter is already installed, so we need to, you know, go back and actually create always record our policy report into our, to our cluster. So that's the next thing we are doing, I'm putting our policies brought into our cluster.
G
Okay, so that's created, so next we, we actually have to, what's it called, create our Trivy, our Trivy, what is it called, our Trivy config map into our cluster also.
G
G
And by the way, Trivy adapter is an adapter from Trivy from Aqua Security.
G
G
Okay, so yeah, our, our pod is already, the container is already creating, so we just need to hold on for a while. Also, like I said, Trivy is actually an image vulnerability scanner from Aqua Security, so I actually worked alongside with gmat and some from and Daniel, he's in the community as well. He works for Aqua Security, so yeah, so I worked alongside with him to get this project on. So yes, we have our, our zip kit is ready to plug.
G
So the next thing is for us to scan our pod with our Trivy adapter. So that's the next step. So first we want to give our Trivy data is actually installed in our system. So we just put Trivy adapter series, yeah, so yeah, we have the command in our system. Already we have Trivy adapter scan policy reports, so yeah.
G
So copy the enable report, and so we scan. So this is going to take, it's going to take a while, because it's going to be scanning your image, probably like in the next two minutes. Sorry, one minute should be done.
G
I didn't, I didn't cut the video, by the way, so that's a good afternoon, but this is the normal user walkthrough of how you're gonna scan your pod with, with Trivy adapter.
G
This is the normal user walkthrough, so you're just going to wait, and also there's a roadmap on this project. I'm actually working on the namespace parts, where you just have to put the name of your namespace in.
C
If you can hear us, seems like your video and audio have paused. Most likely, you can't hear us either.
C
So okay, yeah, we'll see if he can rejoin, and so yeah. I think the next part of his demo, and he's posted a video already on the channel.
C
All right, so I think we can move forward. Robert, was anything else on the agenda?
C
C
Okay, yeah, let me just share, you know, some of the work that quite a few of us on this call have been doing. And, you know, the idea was, we started this a while ago, I don't remember when exactly, but at least a few months ago, and the goal was to come up with a, you know, a paper on Kubernetes policy management. And now we feel that this is at a point where it's ready for, you know, reviews, so we're going to start sharing this.
C
I guess in increasingly wider communities, and get some review and feedback. We'll collect these reviews directly on the document itself, and then at some point we'll transfer this paper to GitHub, right? So I'm going to share the link in chat, and, you know, just looking at the sections, and we won't have, obviously we're not going to, this is not intended to be a review, but the, the main sections here are going through the, you know, an introduction, the policy architecture.
C
C
Policy architecture, so talking about administration points, enforcement points, decision points and information, like API server, things like that, the different life cycle phases for policy, you know, management, security assurance and then compliance.
C
So it's, we, you know, as much as possible we tried to sort of stay and mirror the structure of the cloud native security white paper. So that's one of the important references, and, you know, I, I think again, the idea is to get more feedback to see if this helps clarify what Kubernetes policy management is all about, why it's needed and how to, you know, go about enabling some of the key constructs in there.
C
A
Yeah, I mean, I think we're happy to share with anyone in this call who's interested. I don't think we'd want to broadcast it to like the larger CNCF for Kubernetes groups just yet, until we get, you know, those of us here on this column as policy SMEs, if you will, and then a few others outside of the community, just to get, you know, make sure we don't have our, our blinders on and we see outside of the bubble.
C
A
Then yeah, then I think we can blast it to the broader Kubernetes and CNCF security community, and, you know, from there it can go wherever it wants, but.
B
C
All right, so yeah, we'll start with, you know, the work group channel and see if you get any feedback and things there. So we can, and we can share it with, you know, other folks, and then perhaps next week or so we'll start sharing with securities tax security and others.
E
So Jim, we are going to make this document comment only and then start having people listen to it, right? Okay.
C
Yes, so it's already set to public comments now, and, you know, we, I guess all of the authors have edit access, but otherwise for public links, you can share the link and it's comment only.
G
Okay, so everybody, I'm actually back. My, I, Zoom just stopped all of a sudden. So I don't know if I can share my screen.
C
Yep, so before we switch to that, Stephen, so any other thoughts, comments on the policy white paper or otherwise?
C
What I'll do is, you know, we'll share on the Slack, and then we'll, from there on, like, we'll, again, the idea is in about three more weeks at the most, or perhaps two weeks, we want to, you know, start formalizing for publication, because the idea would be to have this ready before KubeCon US. And then we'll post this Sunday, we'll also do a blog post on the CNCF or Kubernetes blog and advertise this.
E
C
All right, so yeah, if there's nothing else, Stephen, we can switch back, and if you want to just, I think what would be interesting, Steven, is to see the policy report, yeah.
G
So, there's just an explanation, you know, to, you know, to view it in chasing a younger format, so yeah, so here's our vulnerabilities in our pod. Now our container image, so yeah, we have the times we have. We have the, actually, the user called the resource kind, the namespace, which is scanning from, the name of the pod. We have the API version.
G
We have the voice code, you have the ID of, of the, of the, of the voice record of the vulnerability IDs. We have the seconds, we have the source, which is coming from Trivy. We have the installation, sorry, the fixed version and everything, yeah, and we have the summary as well, so yeah.
G
So that's just a quick summary of the Trivy adapter, so yeah. And the roadmap on this project, basically just to, to get the namespace scan, which is just to scan all your pods in the namespace, and also scan it in a periodic format, which is going to be, sorry, every 24 hours or every, every five minutes that already up of your current job, so yeah, so that'll be the next step on this project. It's not yet done, but for now I think it is.
G
It is okay, and, you know, this is just, it's well packaged and you can, you can use it. So yeah, that's just a quick demo of the Trivy adapter, and the repo is actually on the, on the working group repo. So you can just go and check it out if you want to see it. Thank you, thank you to the community also for helping out on this project. So is there any question or suggestions?
G
C
Yep, it doesn't look like there's any questions or comments, but yeah, I think, yeah. So the PR is still pending right now, but, you know, like we'll get that merged into the workgroup policy report, and so both of these, so Anushka's project is actually in the Falcosidekick repository. But we'll add a, you know, reference, just a page so that, on the usage etc., and the workgroup policy repo, and Stephen's project will actually reside in here, because it's more of an adapter approach versus something native in Trivy itself.
C
B
Hi everyone, so I've been selected as a LFX mentee for this fall term, so I'll be working on building an adapter for KubeArmor. So Jim, just a question for you, so we won't be discussing the, like the mentorship things in the comm, in this call, right?
C
Yeah, so we'll set up some separate calls for the project itself, and of course everyone is welcome to join and give feedback and things like that. But yeah, and you can provide status and, you know, demos and things like that within, in this call. Got.
B
Yeah, I have actually been in touch with Raul when I had some problems when installing KubeArmor, but then again we came to a conclusion that the problem was not with KubeArmor. It was some issues with Kubernetes, so we are still trying to fix that.
B
I
We, just a quick comment. We saw three really good demos today. I know we have some samples in the policy report repository.
I
It might be really cool and helpful if, if these demos had, you know, a sample of their policy report. You know, that way we can, you know, try to be more consistent and, and you'll have some, some good samples to, to kind of compare what your work to.
E
E
Yeah, that's a great solution, guys, and along those lines, I think, Robert, I think we talked about it in one of the calls, to kind of have a spot in our GitHub where we can go and look at what all is out there, right? Because I'm hearing all these things, but for me, it'll be nice to have a summary in one page, so I can go and see, okay, these are all the various enforcement points for which we have the policy reports. They are today, right?
E
C
Yeah, which is that spot, right? So there, I think, underneath there you'll see all of the work that we're discussing.
E
C
C
Yeah, and then certainly we should start advertising this a little bit more. The one other pending item, which we did not, you know, I guess we weren't able to do it in time for the, for this fall mentorship, but we talked about revisiting and discussing with the Gatekeeper project also. So I don't know if anybody has a time to do that, or if I can reach out to Rita and team also and see what their thoughts are and how we can either build an adapter or contribute something to Gatekeeper for this.
E
We have a couple of folks from my team who are active, they're not actually on this call. Tom.
C
Just yet also posted something in chat, looks like he can't be an audio, but he's okay.
B
C
Yeah, so Tom, if you're, you know, we can just reach out on Slack, we, and we can maybe connect with folks in the Gatekeeper community. This would be awesome to see, you know, the policy report also supported there, so we can discuss. I think they had the same concern that Oz raised previously on, on the scaling and how that would work.
C
B
E
I think Tom just started, started, so he's just starting, so I think, I think he can definitely, you know, come back here once he's up to speed and everything, yeah.