From YouTube: CNCF Security TAG Regular Meeting 2022-02-23
A: All right, I still can't get it. Okay, I'm sorry. We have to, um, re-post it again after, okay. Let me bring up the meeting notes in the chat.

A: Awesome. Everyone, if you can put your names and your affiliation in there, that would be great. We'll need one scribe today, so you can put your name down under scribes and help scribe. That would be awesome, just taking note of action items. And today we have the Cloud Custodian security review, so lots of exciting discussion.

C: No decisions have been made; no one has been assigned, I believe. That'll happen closer to, like, mid-March when we have the full sitting TOC.

A: Okay, so there's another round of rotations that happens.
A: All right, so I think let's get started. So, standard procedure: hello, everyone. Just a reminder that the meeting is being recorded and it's going to be posted to YouTube afterwards. Participation in meetings abides by the CNCF code of conduct, as well as the TAG code of conduct.

A: We will need at least one person to volunteer as scribe to make sure that we capture all the action items. So if someone can volunteer for that, that would be great. For existing members and working group representatives, make sure to include the organization or company, along with the working group involved, with the update as part of the attendance. Cool. So before we jump right into the Cloud Custodian security review, I'm going to just go through a couple of the usual.

A: TOC meeting updates. I think there was a TOC update last week. Was it last week or the week before? Any updates from there of interest?

A: Okay, awesome, cool. So next up we're just gonna go through some of the project groups if they have any updates. So for the audio working group, supply chain working group, serverless security, policy, security reviews, controls, cloud native security map of white paper: if you have any updates, can you just do a quick shout out?

B: From our serverless working group perspective, our white paper is ready. It's being technically edited. It'll be sent out by Andrew and Ashish to a limited audience for feedback first, and then we'll open it to the wider audience. They should be sending out the communication in a day or so.

A: All right, so just gonna go through the list to make sure we don't have any... let's see, any updates from people? Doesn't look like there are any updates. So I think let's just jump straight into the...
B: Quick, a quick question, though. We had that conversation with NIST, right, on SSDF.

B: I was just wondering what are the next steps there, in addition to the cloud native security white paper, what we need to add there. We need to work with the cloud controls, the controls working group, to map out SSDF and 800-53. Then just trying to figure that out.

A: Yeah, so, so I think, just to give some context, we met up with NIST to talk about, you know, the SSDF, the different documents that they are giving out with guidance to folks and how that will kind of map into some of the work that we're doing with the cloud native security white paper, as well as the controls, as was just said.

A: So I think there are a few things, right. I think, with the cloud native security white paper, people are going to be working on the additional content for now.

A: I think we still have to look at the template that NIST has provided us. So NIST has provided us with a controls mapping template to talk a little bit more about: okay, this is what the control is. How does it map onto this particular technology or process and, for example, what are some of the documents that are used to show this process? So I think right now, based on our discussion last time...

B: Sure, Brandon, let's have an offline discussion on how to make progress on that.
A: All right, if not, let's jump right ahead to the review. So who's going to be driving this? Is it going to be Robert, Josh, Kapil?

E: Well, I'm happy to share my screen and I think it's going to be from the hip. I didn't realize this was scheduled until this morning. So, and I know George and Kapil had requested doing some sort of prep session before this, but I think, just, you know, I'm happy to go through it ad hoc and then, if Kapil and George want to chime in or comment on their view of the process. Let's do it live, yeah, we'll make it up and...

E: Maybe it was even earlier than that, while the group, this group, was figuring out the assessment process and what was the scope and why should projects go through it, and so they kind of, I think, caught us during these various transitions and trying to define the process, and so it kind of went in fits and starts and we did an initial review.

E: We asked them for a self-assessment and, you know, over the next 12 months things kind of got restarted and then paused, then got restarted. So I think the lesson, you know, the top level lesson learned, is it's best to kind of define a very time-boxed scope for everyone, especially recognizing that people have lots of, you know, parallel projects, and, you know, day jobs and various other things that are going to draw people off of the project.

E: I guess my advice to leads on this is to really time-box it and say, like, we're going to start on this date, we're going to end on this date, and if, you know, those requirements aren't met, the people aren't available, then, you know, it gets pushed on the backlog until someone who's involved both from the project side and from the TAG side can commit to that.

E: But that's just my own personal suggestion. So, just talking about Cloud Custodian itself, it's essentially a configuration, policy and runtime check tool. It allows the operator of, you know, whatever cloud infrastructure in Amazon or Azure or Google Cloud, or even, you know, a particular component like Kubernetes, to define a series of checks on the various configurations that are required to meet what you could call a policy check. I think for those of us who work in the policy domain, policy means many different things.
E: So, as we looked at this, it was interesting from an assessment perspective. How do you assess something that is essentially 100 percent a snapshot, point in time, versus, like, a running service that's a daemon and, you know, stateful and kind of running all the time? This is really... it's a utility, it's a tool that you run on the command line, or the equivalent of that in the cloud infrastructure, and so, where's the boundary for this, right? So, you know, one argument, number one, could be...

E: The boundary is really the DevOps user's machine, and that's it, right. If their machine is secure, then they're running this command like any other command, or if it's running as a function on the cloud infrastructure, then it's really just, you know, have you followed best practices for running those functions and setting the right IAM policies?

E: I think we expanded the scope a bit more to include the supply chain, if you will. You know, how is the project set up in GitHub? Are they checking dependencies? Are they checking vulnerabilities? And then we heavily relied on the CII best practices. You know: are they following those, have they provided the information for that? And that's largely how we evaluated their security posture, and I'll just kind of...

E: You guys can review all this on the repo and then maybe George and Kapil can jump in with a little bit more flavor and nuance in the description, but I'll just highlight, you know, target users. Obviously, you've got the operators who are, you know, trying to assess their overall infrastructure and service, kind of at that enterprise level, and give it, like, a holistic view of, you know, am I configured securely and, over time, am I drifting from a secure baseline?

E: I think you could, you know, integrate this with third party tools and kind of make it part of your holistic security program, and then, you know, if you're trying to build a platform, you know, I think, across many CNCF projects or across Kubernetes and various CNCF projects, this could be a very, you know, foundational security component, where you've got a comprehensive view across clouds, across projects, of, you know, how is my baseline configuration defined and then how am I evaluating that?

E: You know, periodically and transactionally for a particular security query, and then again that drift? How do I monitor drift over time? Here's... I think this is a summary. I can't recall if this was our summary or provided by the project, but I think you should definitely review all the kind of features that it enables and all of the infrastructure APIs that it calls.
E: How do I query the jobs and the pods and the resources and the data stores that are being deployed? And this is kind of where the rubber hits the road for me, using a tool like this to gather all that data. And they've got, you know, it's a very robust, very proven project that's been used at very large enterprises, so all the accoutrements of, you know, caching and performance and reliability.

E: It all seems to be there. I've, you know, I've used it myself, I've deployed it in AWS, so I had some familiarity with some of those operational requirements, but it is very user-friendly if you've never used it before. You can get up to speed in a few hours and then, if you need to deploy it at scale in a large enterprise across clouds...

E: I think foundational to our review was that they had done a very comprehensive threat model. It was a little, you know, by the time we, as I mentioned, got through the starts and pauses, it was a little dated, but it was absolutely usable as provided and was really the basis for most of our discussions.

E: This was a little grid that I put together. I think it's modeled after a NIST IR, you know, 11, I think, but it's kind of a framework that NIST had put out for mapping on one axis, you know, kind of the MITRE-like attack steps and then on the y-axis kind of the capabilities that you would put in your security program.

E: I'll note that red here, so we identified this as a risk, not so much that the code for Cloud Custodian or the project is a risk, it has a risk that needs to be remediated, but more as the user of Cloud Custodian.

E: Where do I want to put my focus on, you know, using it in a production environment, right? So, and I'll drill down into some of these areas below, but, you know, just to kind of highlight. For example, you know, you're kind of taking this on as an open source component. So, you know, you're responsible for, you know, reviewing changes and updates as they come through, otherwise you're...

E: You know, as the operator you're kind of inheriting that risk yourself. So you need to make sure that you understand the dependencies they pull and are monitoring those vulnerabilities and so on and so forth. So they, as a project, have taken, you know, a lot of steps around the integrity of their packaging on GitHub and the security checks and following, again, the CII best practices. So we felt that that was essentially something that you could put some trust in.
E: I want to see that as a vector to both discovery and understanding all the resources and all the configurations. Even if I can't modify anything, it gives me a very good view. I mean, the exact same view the enterprise operator wants, the attacker wants, right? So I can start planning further attacks as an insider, even more so, right, because now I can really drill down and start to look at how I can obfuscate or hide things. You know, then I'd say from the administrator...

E: The policy... maybe "attack" is the wrong term, but there are a lot of mistakes you could make, right, just user error, if you will, in defining the configurations and kind of getting a false sense of security. If you think something is secure and you think you mapped the policy correctly, you think you set all the YAML properties correctly, but in fact you didn't, and then so you're kind of, like, letting it run and getting good results, but you're checking the wrong things.

E: That type of thing we talked about, something, you know, so as something that is going to be used in a real world environment.

E: If I can compromise the environment, like, you know, either it was user error on the DevOps side and I misconfigured, I didn't follow the best practices, or there was some exploitable vulnerability in Cloud Custodian itself, you know, it really allows a lot of opportunity for attackers to take advantage of that. So I can, you know, for example, I could do a denial of service and I could, you know, write policies or modify policies so that it constrains resources or wholesale deletes resources.

E: I could, you know, do privilege escalation. I could change, you know, various settings on these to open up more access than should be there. So, you know, it's a double-edged sword. There's a lot that you're doing to secure your infrastructure and surface configuration issues in your infrastructure, but if that can somehow be exploited, then, you know, all of those things, you know, become weapons, if you will. So you can review those.

E: Yeah, I think, yeah, we talked about some of these examples.

E: How do you know that Custodian itself as a Lambda is... We did say that the project might provide a little bit more out of the box bootstrapping information about kind of best practice policy, IAM policy on AWS or the equivalent on Azure and other clouds. At the time, and, you know, this was a few months ago now, there wasn't really prescriptive policy guidance there, and I think the project felt that it wasn't necessarily a best practice for them to define "here's how you should configure your cloud", and I totally appreciate that. I think, as an operator, though, just the reality is, I want to start with something and kind of modify it.

E: It's just, you know, cognitively easier to start with a template that I can tweak than to kind of look at a blank sheet of paper and scratch my head. So, you know, my suggestion still to the project, if this hasn't been done, would be to bolster some of those, you know, IAM policy examples, and, you know, in reviewing how people are using it in the real world, here's how those tend to look, and give someone a starting point.
E: Yeah, I think, yeah, I mean, I think this would... I would highlight this again. You know, to get use out of Custodian as an operator, you really have to give it read access to everything, and then, you know, if you want to use it for remediation or kind of drift prevention, you really have to start giving it write access, and at that point, you know, every permission you give it to make it useful to you becomes a permission that an attacker might exploit.

E: We, yeah, we put some best practices. I will note that, you know, there's been a lot of work in other areas, not Custodian specific, about, you know, encrypting, signing policies, you know, Sigstore, and things like that, so that might be something that's now a little bit more mature than when we first started looking at this, and the project might avail themselves of that.

E: Again, I think at the project level, I don't... you know, George and Kapil can chime in if I've got that wrong. I don't think that they were doing kind of branch protection, multiple PR reviews or things like that. I think that would be useful just to have a little bit more confidence in the security code review process, and then, yeah, I guess, you know, one possible issue is: if Cloud Custodian is configured to be too aggressive, it could just be continually querying things.

E: Maybe that's an opportunity for a denial of service attack. Kind of mapped it out here in a very simple kind of... we weren't using one of those tools like Mermaid. I think other folks on this call have probably come up with better tools to do the attack mapping, but this was just a quick visual of all the possible nodes.

E: We talked about the CII badge attestations. I knew we had connected Kapil and team with the CNCF effort to increase fuzzing. It might not apply to a Python project. I think that fuzzing effort is really focused more on the kind of Golang, maybe C code.

E: I don't know if that discussion never went anywhere, but if they have Python fuzzing capabilities, or if the project itself can invest a little bit in that, it's probably a good thing, just to make... because that policy, those policy rules, may open you up to some of those types of errors.

E: So I know there was some chatter on Slack or other about, so there are vulnerabilities in maybe some of the third-party components and Python libraries, and so, you know, the question is: that's not really a vulnerability in Custodian per se, but, you know, I think the operators should be aware that they need to scan. Obviously this was just a snapshot from September, so all of this is probably outdated already.

E: The pen test idea doesn't really apply to something like a command line utility. It's not even, in a Lambda mode, it's just running a scheduled task, essentially, so it's not waiting there listening for requests or anything like that, so, you know, pentest really wouldn't apply. I'd say: code review. You know, if someone wanted to do a more detailed security code audit, I'm sure the project would welcome that, and then, of course, if you wanted to do more hands-on testing of, you know, how you construct security policies, what the results are.
E: Are there any kind of false positives or false negatives? I think that would just generally fall in the kind of QA testing for the project and I'm sure that they would welcome that as well. Yeah, you have a set of... I won't read through all these, but for those who are interested, I mean, you know, these are definitely wishlists, I'd say. You know, my pet suggestion, and again, you know, maybe Kapil and George have any updates, just, you know, from a CNCF selfish perspective.

E: It would be great if there was more mature Kubernetes resource support or other CNCF projects, and maybe there are now, but at the time I think that was still in its infancy. And yeah, I just would, you know, welcome the project to try to find fuzzing resources and apply that. It might lead to some interesting exploitable issues that wouldn't probably come out of kind of top-down testing.

E: If there are, you know, CNCF or Linux Foundation or other internships available, funding available or something like that, again, providing a little bit more of that best practice policy and more documentation for new users is always helpful. Yeah, and I don't know what the funding opportunities are, but if CNCF wants to get in the business of doing a more formal code audit, hands-on assessment, I think that would be highly recommended, and again just my personal bias in a Kubernetes environment.

E: Obviously all of them are special to their particular cloud or project, like kube-bench, so not very general purpose, and the ability to aggregate across your entire infrastructure and even across multiple clouds, I think, is very powerful. So that's, I think, very much... there's a use case and a very solid place for Custodian, even compared to those other tools.

E: So that's... anything else that you would add, Matthew? I think Matthew's on, or maybe not. Matthew, are you on? I should call... you should have a list of people who contributed. I apologize, maybe I'll PR something, but we had a number of volunteers who helped. Matthew helped me, really took most of the lead in setting up the meetings and coordinating. George and Kapil, of course, were critical to this effort.

E: I know I'm forgetting a ton of other people just because the process was over several months and several months ago, but I will try to PR here and put an explicit list of things. Oh.

E: If I didn't mention you, I apologize and I'll PR to this review list.
A: Awesome. Anything from Kapil and/or Josh?

D: Yeah, I think the one thing I am fairly thankful for coming out of the review process was discovering Semgrep, which is awesome as a tool and we've now incorporated into our pipeline. There's a good amount of commentary here about IAM policies, and I realize that using...

D: Words can sometimes be misinterpreted, so I just wanted to clarify on... so Custodian supports users bringing whatever cloud credentials they want. The policies themselves can be mapped out to a very fine-grained setup, and that's what we document to enable that. The challenge has actually been the organizational side, on the user side, where they can't keep up with the rate of their policy change to be reflected in their...

D: IAM, and so they end up using whatever makes sense for their use cases, and so, yeah, that tends to detract from what is a default policy. Well, if you're just doing reporting, you just do read only and you call it a day, but if you want to go fine-grained, it is possible and it is documented, as far as what the permissions are for each capability that's used in a policy.

D: Yeah, we do have branch protection. I don't know, there's a... I don't know that I have a whole lot to add, but I'll definitely take any questions. If there aren't any, George, I'll pass the mic.

B: Yeah, I was gonna mention on the Kubernetes support, we're kind of committed to doing that this year. It's just, it was a matter of resourcing, and hoping to have something by KubeCon, knock on wood.

D: Sure. Kubernetes support, we're probably just gonna do like... we have basic Kubernetes support as far as the resources. We want to add an operator. We'll probably use the Python framework that came out of Zalando as an implementation detail that will allow for some degree of enforcement on policies. We will look at the CRD for policy violation reporting that we've seen come out of the Kubernetes policy group, as well as a reporting output format.

D: Yeah, that's probably all there is on that topic, and I think it's generally worth noting, people, yeah, like some people use Custodian primarily for checks. A lot of people use it as sort of real-time remediation, just because they want to... they don't want the big wall of red, they want to pay it down, so to speak, and then we're also looking at some work, as far as roadmap stuff, on shift-left and sort of integrating in policy enforcement earlier in the pipeline towards infrastructure assets as code before they're deployed.

D: It would just be an admission controller in that context. Okay, sorry. What was the other? You mentioned image controller or something else.
D: Our cardinal rule for policies is, we have many different execution modes, but we want the policy to look the same, so...

D: Do a lot of work to normalize the data feeds per se, like AWS Config versus a CloudWatch event rule. We normalize how Config speaks, bespoke format, or Security Hub's bespoke format. In this case, that part's relatively straightforward just because of the orthogonality, or isomorphism, with regards to Kubernetes definitions.

D: So we have a security team and a public mailing, a public email for that. We haven't had any CVEs filed against the project itself. Okay, the vulnerabilities against our dependency graph: we have a few things in play. We're currently using Dependabot, as far as that, just for the dependency graph security updates, and then we regularly do full read days as far as our dependency graph. That has gotten more interesting due to the size of the Azure dependency graph on their SDK.

D: But generally speaking, we are pretty minimal with regards to non-cloud-provider dependencies that are necessary for any given provider.

D: So, I think PyYAML had a default serialization attack possibility, and therefore everyone was flagging that version of the library, even though it wasn't something that Custodian itself was per se vulnerable to. So, knock on wood, nothing yet, but as far as managing the process itself on a disclosure, I think we would follow up with CVE on receiving database and a coordinated release. And, interestingly enough, we have had a lot of reach out.

D: I mean, there are thousands of companies running Custodian at scale. Like, we've had reach outs from the cloud providers with regards to particular feature upgrades that they knew were going to affect things, so we would potentially look to reverse that channel to go to them as far as getting users to upgrade. One of the common challenges of open source: how to get everyone to upgrade. So, speaking...

A: Awesome. By the way, since we're talking about this, I guess a couple weeks ago we were talking about this exact issue and one of our community members did write up a little bit on that. So I'm gonna paste the issue in and, like, if you wanna take a look at it.

A: Maybe if you wanna add some comments as well, or just, like, and see what's helpful. And the link to the HackMD document is here. I'll get them to put it in the PR, but so now it's a HackMD document.

D: Yeah, definitely interested in doing, like, you know... We have, like, PyPI itself, Google sponsorship infrastructure, to directly expose CVEs to their API. We've also been looking at cosign as potentially a signing mechanism on some of our distributed images, or two things that we looked at. Additionally, I have looked at SBOM formats. It's still a little bit unclear to me what the end user utilization of those are.
A: All right, if not, thank you very much. The review was very extensive. I think, you know, both the Cloud Custodian team as well as the reviewers did a good job. That was, like, really, I think, beyond what was us just going deep into, you know, the different cases and the different scenarios, really considering the exposure and the risk of using Cloud Custodian.

A: So I know there were some things that may need to be edited in the document. So let's, Kapil, George, Robert, you know, let's create a PR if necessary, so we can get that, and we'll be bringing some of the recommendations to CNCF, to the TOC, during the TOC liaison meeting. And I think one request is, usually what we do is, for the review recommendations, for the security recommendations that have some kind of actionable response...

A: Usually we create an issue in the repo just to track it, just to make sure, you know, it doesn't go away, or when we do another review a year down the road we want to see, you know, what's the status of this, in case, you know, this comes up again in, you know, graduation or something.

A: I think when I also can't edit it well, like, let me take a look at that again.

C: If there are resource specific issues, it is highly recommended that you create a GitHub issue on the project, link that way when you go to request those resources from the CNCF, they can show that there's a line between the issue and the corresponding security review, so they understand a little bit more of the background of where those requests are coming from.

D: But I think there was, yeah, there's two calls. I thought I saw it. I then you probably should reread the doc, whereas the definition of some default guidance around the role, I think, which I think we can cover in documentation, and then their request, the admission around fuzzing, or taking advantage of fuzzing resources. We did actually engage with the team that I think CNCF has engaged around fuzzing and we did get a PR up.

A: Yeah, so, yeah, let's try and get the issues up, like was said, you know, the reference to when we bring this to the TOC and the CNCF for resources, as well as, you know, some things that, you know, further down the road when Cloud Custodian goes for graduation, the TOC is going to come to us and be...

A: I usually, I think so far with some of the projects, the TOC, and this is like very clear-cut, the TOC has sometimes asked the TAG to do an initial assessment first as well.

B: Sorry, I couldn't find the put-the-hand-up button. It was my understanding from just reading it recently that the audit was a requirement for graduation.

C: So the audit is, it's about whether or not it's independent from the CNCF and the project or a company goes in and pays for it. So that's really kind of the question there. So having the issue, no matter what, is important, because we've made the recommendation, like the Security TAG has made the recommendation, that a formal audit be conducted. Here's the issue reflecting that; somebody help us, give us resources to do that.

A: Awesome, so if there's no more questions, then thank you again, Josh, Kapil, Robert, Emily and the rest of the team that was involved in the review. This was awesome, and so it's a document that I'm gonna take a closer look at as well. If not, we'll end early. Just a quick heads up: next week is gonna be our check-in meetings, or nowadays I think we're officially calling them triage meetings, which seem to be very productive.

A: So if you're interested in, you know, knowing a bit more about how things get done, or getting a bit more involved with issue resolution or work streams in the TAG, drop by. If not, take a week off. Cool, thanks everyone.