From YouTube: CNCF Security TAG Regular Meeting 2021-09-22
A: So they just, like, you know, put dog box over see.

B: Alright, folks, we're going to give everyone a couple more minutes before we join, or before we get started. We have a packed schedule because I was not paying attention to how many people wanted to present. So I apologize; we have two presentations today. Brandon is going to be talking about SPIFFE Tornjak, and Aradhna and a few others are going to be talking about the white paper that they've been working on.

B: If I could have somebody go ahead and volunteer as a scribe, that would be fantastic. Just a reminder: the meeting is being recorded and live streamed now and posted to YouTube immediately. Your participation in these meetings is an agreement to abide by our CNCF Security code of conduct, which can be found within the repository.

B: Okay, I have posted the meeting notes in the chat. Please go ahead and add yourself. Like I said before, we won't be doing any updates or any triage today, and thank you, Pushkar, for scribing. Brandon, I'm going to go ahead and hand it over to you to get us started.
A: Awesome, thanks Emily. So today we're gonna start with talking about Tornjak, myself and my colleague Mariusz. I'm gonna give you a rancher, so one second while I share my screen.

A: Cool, do you see my slide?

A: All right, so hi everyone. So Mariusz and I today are gonna share with you a bit about management of workload identity. So this is a project that we started earlier this year. We recently successfully got through all the legal stuff and got it donated to CNCF under SPIFFE.

A: So for those curious, and for those wondering why Andres is talking about puppies just now: so the project name is Tornjak, and the name actually originates from a breed of sheep-herding dog. So because in cloud native we always say, you know, we treat workloads as cattle, not pets, so we're like, maybe it's appropriate if we name this project after a sheep-herding dog, because technically we are managing our cattle, yeah. So, introduction.

A: I think most of the folks kind of know me from the calls, Brandon. I'm here with my colleague Mariusz as well, Mariusz Sabath. We both work at IBM Research, and the picture I have over here is actually a picture of the building that we work at. So the interesting thing about this building is it's a very modern-looking office; however, this building was actually built in the 60s.

A: It's the IBM TJ Watson Research Center, and also, apparently, it houses a lot of dangerous chemicals that we work with side by side every day. Mariusz, give a quick introduction.

D: Sorry, I couldn't find the button. So yes, I'm a senior engineer, cloud engineer in Yorktown. I work together with Brandon, and our primary focus right now is identity in clouds. All right, that's it.

A: Awesome. So we're going to start with a bit of motivation, talk a little bit about workload identity, some of it.

A: I think many folks may be familiar with why we started the Tornjak project. We'll go through what the Tornjak project is, we'll go through a couple demos, and we will, at the end, talk a little bit about kind of the bigger problem that we are trying to solve and how Tornjak plays a part of that. And also this is kind of a sneak peek into what we're gonna be talking about at KubeCon.

A: So when we talk about identity, the first thing that usually comes to mind for most folks is user identity, right? You think about emails, passwords, the headaches like password policies, other things, you know, making sure there's no zombie accounts and all that. But equally important in the cloud native ecosystem is workloads, right? So every microservice, every pod has an identity, and today we are seeing that pods and workloads are kind of doing very similar things to users as well, right?

A: So in cloud native, as we mentioned before, workloads are treated as cattle, not pets. So gone are the days that it is practical to manually keep track of all the workloads in a spreadsheet and be able to manage the identities manually. Workloads are now, you know, plentiful; there's so many of them, they're ephemeral. They come and go not only within the infrastructure, but also in development. You know, microservices spin up and down very agilely, and they run in all different environments and come in all shapes and sizes.

A: So we start to see that properties of the workload start to resemble users, right? There's lots of them, they change a lot, we need some structure around them. And in fact, both user identities and workload identities are pretty much used for very similar use cases today, right: authenticating, accessing data and services. And one may even say in certain environments, workloads, from a security and compliance perspective, handle equally or more sensitive data than users.

A: So the big question that we are asking is, you know, there's so much tooling, there's like 101 different tools around management of our user identities. You know, why don't we kind of have the same treatment of workload identities, given that they're becoming equally important as well?

A: So enter SPIFFE and SPIRE. This is kind of the basis of the Tornjak project; we're building on top of an identity framework. For those that may not be familiar, SPIFFE, the Secure Production Identity Framework For Everyone, is a specification of a secure workload identity framework for cloud native workloads, and SPIRE is an implementation of the specification.
A: So, you know, a couple folks on this call as well as others, we wrote a nice book called Solving the Bottom Turtle, the SPIFFE SPIRE book. So if you are interested in knowing more about that, I think I'll drop the link later in the chat or someone can drop it there.

A: So with that in mind, where does Tornjak come in? So today SPIRE has some challenges, kind of talking about the management problem that we mentioned earlier. So SPIRE is a very, very powerful tool; however, when it comes to administration today, most of it is done via CLI.

A: So one example of this, and we will kind of show a demo of this later, is that when you have a SPIRE deployment, when you have an agent, there's no way to kind of figure out whether that agent is running on a Kubernetes node, a Unix node, or it's running a Docker daemon. So some additional metadata today is kept separately.

A: So these are things like global visibility, being able to see, you know, what identities are being created, who owns them, how they are being used; auditability, of course; and policy management. And the reason why this is difficult in SPIRE is because SPIRE allows the ability to extend to many different infrastructure services, and that is part of, you know, the design, that you can use it with different upstream services.

A: You can use it with different databases, with different key managers, and the idea here is that the task of kind of aggregating, collecting all this information and putting it in a central area that is viewable is non-trivial. And so this is another aspect of Tornjak that we're trying to achieve here. And last but not least, you know, CISOs, auditors, non-SPIRE power users need to be able to query all the identity information for workloads, but they don't necessarily need to be SPIRE power users.

A: Right, I'm just gonna look through chat just to make sure I didn't miss anything. Cool. So Tornjak aims to provide a control plane for SPIRE: provide global visibility, auditability, policy configuration management for workload identities.

A: So that is one of the parts of auditability that we're trying to do. So more specifically, I think we're trying to be able to link the attestation information. So we're trying to figure out, you know, the logs from the agents, the logs from the SPIRE servers. What are people's models of using it?

A: I'm not sure whether there is also an aspect of evidence that you're asking about. So for things like TPM hardware attestation and things like that, there is going to be a separate set of logs, which will provide, like, you know, here are the signed attestations.

A: I think we are working with Keylime on this right now. There seem to be some details that have not been pinned down as to how the evidence would look like and how to validate it yet; binding the IDs once those things get developed and become more concrete.

E: So Brandon, this is right now. I'm trying to understand deployment. How will this be deployed on a container platform, and where?
A: Yes, yes. So I'm going to show a very simple deployment first and then, in my slides, I'll show a slightly more complex deployment, yeah. So when I get to this, I'll move back to the question.

A: Yeah, so we have kind of set up this Kubernetes quickstart. So for those that know SPIRE, this is kind of the SPIRE 101 tutorial on the google discusser, right? So a single, constant, single node, or Minikube. We deploy everything there, and the idea we want to show here is that Tornjak really, you know, if we take the quickstart, what we are doing is just, let's just change the image here, right? We're changing it to the Tornjak image.

A: So the way that we see these is, for, you know, people that want to try it out, they can just replace the SPIRE image with the Tornjak SPIRE image and it should work out of the box.

A: So we have one that's running here, and so if you look at, for example, yeah, so this is the one that we just created. If we go to Tornjak server info, we can kind of see the different information about the different plugins being used with this Tornjak server.

A: We can go to agents to kind of take a look at the different agents. We can also look at the entries, right? This is one that I just created, and what I was talking about, you know, adding metadata. For example, when you create entries today in SPIRE, what you have to do is you have to kind of create this command line that looks something like that, right? You're like, okay, create a new entry.

A: You have to specify the SPIFFE ID, the different selectors and so on. So we want to make it a little bit easier. So one of the things that we're doing is we have an entry creation form.

A: So what I can do is I have this agent here and I want to add some metadata to it. So, for example, I'm going to say this is a Kubernetes agent, because I know it's running on Minikube. I'm going to click save and add.

A: So now this agent is associated with Kubernetes, and then what I can do is, when I create an entry, I can then select, for example, this agent, and then I can just call it "new identity". And because I've told Tornjak that this runs Kubernetes, it's going to pre-populate with all the different selectors that I can kind of create it with, right?

A: So, if I can just say Kubernetes, the namespace is default, and then just fill in the information here, and the pod name is my-workload, for example, right? And then maybe for some reason I say I want to give this admin rights. So the idea is that, you know, this form is going to help pre-populate everything and also use the metadata that has been configured to be able to educate what the values need to be.
A: So the next kind of example on the show is something that's a little bit more involved. So what we have here is a three-cluster setup with a single SPIRE server, so a single trust domain. We have a single SPIRE server here in the management cluster.

A: We have an Amazon cluster, we have a Microsoft Azure cluster, and we have an IBM Cloud cluster as well running on OpenShift. And so let's take a look at this, so single SPIRE server, multiple clusters.

A: So this is the server. So you can see just right off the bat, keep refreshing it, right off the bat we can see that on top of the plugins that we initially had, now we have these like AWS IID node attestor plugin, and the Azure MSI plugin that allows us to attest the different nodes in the different clouds.

A: And so one thing right off the bat we can look at is something called cluster list, right? So this is something, you know, this is the added metadata that we talk about, for accounting, to be able to organize the nodes, right? Because if we just look at the different agents, there's no kind of segregation of, you know, which agents are in a single cluster, how they group, how are they different threat models, and so on.

A: So we've got the cluster list. We can see that we have kind of the four clusters. We have the Azure cluster, three different Kubernetes clusters, and we have this one, which is the AWS one. And then what we can do, for example, we named this tsi-test-o3, but maybe let's name it aws instead.

A: Right, edited it, okay, successfully. I did that, so now we have a cluster list as usual. We see it's now reading as aws, and this is, I think, the cool part of it. So if we go to the Tornjak dashboard over here, we can see from overview that, you know, here are the number of agents per cluster, the distribution of agents in the entire SPIRE server per cluster that was defined, and then we can kind of also look at the distribution of the different workload entries per agent.

A: So again, this is kind of, architecturally, multiple clusters, but we haven't populated it with that many workloads, so you can see like most of the clusters only have like two or three registered ones. So yeah, this is like an overview of what the clusters, the agents, and you can also see the entries.

A: If you look at the different entries, we can also tell just from looking at the entries here that, you know, this belongs to the Kubernetes cluster, does it have the administration flag and so on? And, you know, we can filter based on the different fields.

A: I just want information about all the SPIRE entries that are related to this particular agent based on the grouping. And I think one of the things that we are also thinking is that, you know, now we just say clusters, but we will also be able to add labels to certain agents. So you could think about that being a query language where we could say, okay, get me all the entries for the workloads that are running on agents that have TPM attestation, for example.

A: Yeah, so that's a good point, actually. So what we've all been kind of looking at on the screen here, it's just been a single trust domain, so single SPIRE server. We don't have the time to show the manager UI for this presentation, but I have a slide on that.

A: So the idea is that you could register the manager with multiple SPIRE servers, and then you will be able to manage different trust domains. That is some future work that we still have to do, to kind of make that interface a bit more, you know, user-friendly across trust domains.

A: Okay, so the last cool thing to show for now is, for example, you can also, you know, click on one of these things, look at the information, and the idea here is that you can click on cluster and see how the workload entries have been created.

A: So, coming back to kind of what Andres was saying previously, where, you know, we were just looking at one trust domain, and now what happens when we have multiple trust domains? How do I manage it? We don't have time to kind of show that aspect of it yet; we kind of want to build up a little bit more of it as well.
A: But the idea is that we have this component called the Tornjak manager, and what the architecture looks like is: each SPIRE server will run with a Tornjak server, so this will be a UI for every single SPIRE server. But at the same time we have the manager that will talk to the Tornjak server, and the idea here is that it's going to be able to aggregate all the information for the SPIRE servers in the manager. And what happens is then all these SPIRE servers also connect to, you know, a set of infrastructure services like policy, logging, the upstream CA, the key management and stuff like that. And the idea here is that the manager would be able to be given the authorization as well to pull all this logging information from all the infrastructure services and aggregate it in the manager, right?

D: So let's say we have a request to access, from one cloud, various resources that are residing in another cloud. We could potentially use some static credentials like passwords, tokens, API keys, but doing this securely across the cloud providers is hard. So we need identity that federates across different cloud providers.

D: So the next slide, please, thank you. To run the same architecture on different clouds, we could use the OpenShift platform, that is cloud provider agnostic, but this solves only one of the problems. Most leading clouds have already built in their own identity solutions, but federating the workload identities between clouds is still facing some challenges. So mainly the schemas of the identity and their interpretations are not consistent across the providers.

D: So to summarize, the universal workload identity runs on everything that supports OpenShift or Kubernetes, and it can manage various identity mechanisms like IAM, Keycloak, and through open standards like OpenID.

D: We have several use cases that demonstrate how, for example, one can use OIDC to access Amazon S3 bucket storage from another cluster, or how we can retrieve secrets from Vault using OIDC.

D: We are going to be demonstrating more of these aspects during the KubeCon session on October 14th in LA. So we plan to show the details on the deployment techniques that we use for setting up the multi-cluster, as well as the multi-cloud trust.
A: All right, thanks, Mariusz. Yeah, so, as Mariusz mentioned, you know, we have a lot of cool demos that we're planning to show at KubeCon, but for now, now that Tornjak is part of CNCF and SPIFFE...

A: ...one of the things that we try to do is really expand this. We hope that, you know, this project is going to be useful to everyone. We've gotten some interest from folks that are thinking about using it to be able to help with governance. We hope to be able to get one more maintainer from another organization, since it's mainly IBM now.

A: So upcoming features in the roadmap that we have is registration OPA policy integration. This was some work that we did to upstream to SPIRE to be able to define OPA policies on, you know, what kind of identities can be created, and in general, for the entire SPIRE API.

A: Also log integration, what we talked about, being able to click on a particular workload entry and to be able to see, okay, when was this workload identity provisioned, and so on. And we have an open issue that is for feedback.

A: So, you know, if you find something that you would want to see in Tornjak, or you don't like, you know, if you don't like how the logo looks, for example, just put in a comment there. If not, yeah, I think that's all we have for today, and, you know, we look forward to seeing folks at KubeCon. Thank you as well.

B: Awesome, fantastic presentation, both of you. This is very exciting. There were a few comments in the chat: logo's cute, love the logo, UI/UX is awesome. John pointed out time to leave should probably...

A: Yeah, so one of the things that we recently upstreamed is the SPIRE upstream, and I know, Ash, I was consulting you about this. So it was, the SPIRE server has a bunch of APIs, right, whether it's I want to create a new workload entry on a registered agent and so on, and there was an ask, I think this originally came from Uber, that, you know, we want to be able to manage this in a way to have finer-grained authorization control.

A: So we created a PR to enable installation of the OPA policy to be able to say, you know, which identities can create workloads, which identities can do what with those workload entries, and so on.

F: Who has access to this API? So it starts role-basing who those admins are, and like what can they write to, all trust domains? Can they write to a single trust domain, which was the thing at the time. So yeah, super cool to see the pull request, Brandon. This is awesome.

B: This has been fabulous, all right. Next up: policy management white paper draft presentation.
E: Yeah, I'd like to introduce our team: Jim Bugwadia, Jaya Ramanathan, Robert, and myself. We've been working in the policy management working group on a white paper. We just wanted to bring it here to you all, so you can opine on it and provide any feedback. We actually did a presentation on this at CSA Summit last week, and we also have a panel discussion during Cloud Native KubeCon later this year, like I can't say the whole thing. So over to Jim. Jim, you're sharing your screen?

H: Yeah, I can just walk through the outline. So thanks, Aradhna, thanks everyone for having us. Yeah, so like Aradhna was mentioning, the idea here was to have a paper just kind of describing Kubernetes policy management, because as much as we talk about policy management, one of the things we found in the working group is there's still, you know, the adoption for policies still is not that great, and there's always questions about, okay...

H: Well, Kubernetes provides things like network policies; a lot of times when we talk about policies, folks immediately think about network policies in Kubernetes, but there's a lot more to it than that, right? So the idea here was to elaborate on that and be heavily influenced by and leverage, you know, some of the work that this team has done in the cloud native security white paper, including some of the best practices for creating such white papers, because obviously it takes quite a lot of time, effort and alignment.

H: You know, it kind of hits at least what we've identified as the target audience and some of the key problems and things we're trying to articulate. One challenge that we had, which we'd love to get feedback on as well, is really scoping this, or keeping the scope of this focused on Kubernetes, right? Because it's very tempting to talk about a lot of different things, and policies can be applied everywhere and anywhere, and perhaps should be, but here we specifically want to focus on Kubernetes and Kubernetes policy management.

H: So that's what we were constantly, and a lot of comments and feedback we initially got were trying to make it clear about what's covered, what's not covered, and keeping to that scope. So anyways, just walking through the outline and sections.

H: So I think the target audience that we decided on is primarily practitioners who are using Kubernetes, and for them to understand what Kubernetes policies are all about, where they would apply, how they would be used, and then, of course, all of the other stakeholders, whether it's, you know, various DevSecOps team members or security teams. Even, you know, we have some sort of discussion on how Kubernetes policies can map from the operational layer more to compliance layers, and things like that, right?

H: So the paper kind of starts with more of an architecture view of where in Kubernetes policies would apply and would be enforced, where decisions would be made, and we use the XACML reference architecture to start with, but then adapted it slightly to Kubernetes and extended it in at least one place in terms of what policy management involves.

H: We then also adopted the same lifecycle phases as in the cloud native security white paper, talked about how Kubernetes policies would apply to that, and then in the final section, and we had a tough time with organizing this, but the idea was to show how Kubernetes policies map from that operational layer into other security domains and aspects, right? So I guess for lack of a better term we kind of call those security mappings, and in there covered security assurance and compliance.

H: And again, these sections are very much from the cloud native security white paper. We leveraged, you know, things we felt which were applicable to Kubernetes policies. So we didn't want this to get, obviously, the paper, you know, we wanted to keep it in that 10 to 20 sort of pages at the most, and we're right about that mark. So we wanted to keep this as concise and brief as possible, but really deliver value to the community and to this audience.

H: So I won't go through this in a lot of detail, but, you know, certainly the idea over here was to just introduce the paper, and where, as you can see here, one of the things we were also trying to do, like I mentioned, was really leverage prior work, but then define what we want to focus on.

H: Obviously, all four layers are very applicable, but here we're more concerned with clusters and containers, and the line between code and container kind of gets a little bit fuzzy. So that was also difficult to call out. But, you know, we've sort of, you know, treated container more from the runtime perspective here, and, you know, but we talk about how manifests for Kubernetes, and especially also images, need to be secured across the different deployment phases. Aradhna or anyone else, anything else to add to this, or any specific areas?
E: We did have a specific area for security operations and policy management for security as well. We had some discussions upfront whether we should include that or not, because it's Kubernetes specific, but security is like horizontal or vertical across all the segments. So we did include that, I mean, obviously we can put...

E: We're trying to keep this carved down and see where we can add value, so any feedback you have on the security sections will be helpful as well, and any follow-up items that we can add to this paper as phase two. Any ideas you have from that perspective will be helpful as well, and how do we evolve this or mature this further?

C: Yeah, said that there's a lot of content that absolutely could be its own white paper, and we kept, you know, even this morning, as we were reviewing it, saying...

B: With my cloud native security white paper and the supply chain security paper, one of the things that I would actually like to see from this group, in order to help facilitate public comment and review on it, is kind of a better definition of what that scope is and what you're expecting from a public comment. That way we can send out a call for action to our mailing list, put it on our Twitter account, and kind of drive more attention to this.

H: Okay, yeah. We can certainly help outline that just briefly, right. So Robert and myself would be the right points of contact for any questions, like if anything comes up for the paper and if there needs to be any one-on-one. The policy working group Slack is also, of course, for more general questions.

H: Any topics, I, you know, the scope, there is some attempt to clarify that, but I think it's a good idea to reiterate that in an email. Or if you're looking for additional reviewers, the sections where I think, again, we had perhaps the most discussion, or even some still pending open ideas, areas are like around, beyond the architecture...

H: ...mapping, like the security mapping section and then even the lifecycle phases, right. So those would be good to focus in on, see what needs to be in this white paper, what could be, and if there's things that could be extracted out. But Emily, I'll follow up with, you know, maybe on Slack with just these details as well, so that would be great to get more specific help on these.

B: Pushkar brought up a good point as well, that we can cross-post this with the Kubernetes SIG Security space and also get more attention that way. So we can also partner with them to make sure that they send it out to their mailing list, or we can possibly cross-post.

H: Right, yes, Robert, I think there were plans to do that. Would you want to do that post, or do you prefer if someone from, or I guess, if it's cross-posted...
H: Yeah, one other thing is, you know, in the paper we called out, like, we're not specifically talking about tools or even policy languages, anything like that. We just wanted to focus this on concepts, because it's again very tempting to kind of dive in and say, well, here's how, you know, this particular solution addresses this or solves these problems, but we tried to keep away from that.

F: I'd imagine it'd get tricky not to start talking about things like TLA+ and SMT solvers. I asked you this before, when you presented Kyverno, and I know the policy group two years back discussed, well, what's the state of the art around formal verification methods, but does the paper include anything around, like, checking a policy model against what's actually been enforced?

C: Have an archived effort on the policy prototypes repo where we had linked that discussion from a couple years ago. So it's on, and I think generally have it on our GitHub roadmap card. So it's definitely an area that I'm interested in. I know we even had a Slack conversation with a PhD just recently.

C: So if there's broader interest in doing that, I think definitely, let's bring that up on the policy working group Slack channel. But no, in the context of this Kubernetes policy paper, it was really focusing on what exists today, specifically in open source, and then, you know, since that doesn't really exist yet. But I'd love to refresh it in a year and have something to show around that area.

F: Yeah, it'd be awesome. You know, in conversations with end users, I often hear the ask for an alternative to AWS's Zelkova and their provable security services, and there's really no open source framework around it. But there's a big field of practitioners wanting to take some of that and translate it across heterogeneous systems.

H: You know, either Robert or I will post on the Slack channel with more information and would love to get, you know, quick reviews, feedback and just thoughts on how this fits.
B: That sounds fantastic. So we have had two really awesome presentations today. We have about seven minutes left. I want to open it back up to any questions about either presentation, and any questions in general about Security TAG. Brandon, I know I cut you off earlier, if you wanted to add on anything.

B: Okay, so to recap, Tornjak is looking for a maintainer, also looking for lots of help, so folks that are interested, please, please, please go check out the repo, hit up the points of contact in the meeting notes, and get involved there. Also, please review the paper that was linked for the policy management for Kubernetes.

B: I know that this group produces a lot of papers, generally speaking, but without those papers we can't actually start moving down reference architectures, and we're not inspiring other folks to create tooling and solve those gaps within the ecosystem, so just wanted to bring that up. Please, please, please review. Does anybody have any pressing announcements before I let everyone go?

G: So I wrote up something really similar to that for secure by default. I'll share the link again. What I'm looking for from everyone, before we can share it outside of the group as well, is: let me know if this is completely off track, or this doesn't make sense, or this is already too broad or very deep in terms of the level we are trying to reach. I received some comments from Rob, and then happy to get more comments.

G: Only thing is, this is on HackMD instead of a GitHub PR, so you need to log in to HackMD to add comments. If it helps to have it on GitHub, I'm happy to create a PR; just need help from the co-chairs and tech leads to find the right place for it.

B: We can certainly help you out with that, and in the interim the HackMD file should be good, and then once that's gone through that round of revisions, we can help with the PR. So yet another call to action for review. Pushkar, I will send you a template to fill out and we'll also send that out to the mailing lists.

E: So I just wanted to share something. I just came from an hour of discussion with different financial services entities, Mastercard, Visa, Vex, and several others, on contactless digital payment platforms and security threats there, and how these are all microservices and their backend, to your container platforms, and how to build security, and what are the challenges there. I think there's a lot that we can do from a CNCF perspective, because I was asked that question: are you doing any work in terms of contactless...

E: ...you know, digital payment platforms? And so I was gonna take it up with the financial services working group and see if we can produce some guidance around this for the industry to use. I just wanted to share it here and see if anyone has any interest in working on this.

C: Thank you, yeah. Likewise, right now I can connect you to some resources. We built some of these Mastercard protocols back in the early 2000s, so happy to connect you and/or chime in.

E: Also, industry standards, right, industry standards are evolving in this space, regulatory compliance etc., and also the whole supply chain security came up in the conversation. So I shared the work that we are doing as part of our supply chain security working group and the reference architecture, so they were quite curious about that work. I just wanted to share that as well.