From YouTube: TAG Security Supply Chain WG 2022-01-20
B
All right, we can get started. Okay, so just as a reminder, this meeting falls under the CNCF, and so your participation should abide by the CNCF's code of conduct. This meeting is also recorded and will be uploaded to YouTube a little bit after this.
B
A couple of things before I hand it over to Hector, who has a demo or presentation for us today. So, a couple things quickly. Just as a reminder, here are the notes. This will probably be the last meeting at this time; we'll probably be looking to reschedule it based on a Doodle poll here. If anybody isn't aware of the Doodle poll, I'll leave it open, probably till the end of, you know, till this afternoon or till the end of today.
B
So we're looking to reschedule, because a lot of people can't make this time anymore. So yeah, get in the stuff now, and anybody who would like to participate, send that out to them, but we do plan to close it pretty soon, I figure by today. Today, a couple of quick updates: our technical writer did provide a lot of feedback on the supply chain white paper, or sorry, the reference architecture paper.
B
I should say the Secure Software Factory reference architecture paper, and so there are definitely... so anybody who wants to be part of the group, make sure you go through and start to address some of the comments. I addressed a couple of dozen of Celeste's, the technical writer's, comments, and so... what was I gonna say? Oh, so I went through a bunch of those; there's still a bunch more that still need to get addressed.
B
Some of them are just quick, like: oh, this seems like a grammatical error, or this seems a little unclear, I suggest this word as opposed to that word. Simple sort of stuff. Some of it's quite a bit larger sorts of things, like: this term doesn't make sense the way you're using it, and you use it throughout the paper, you know.
B
Maybe we should look at a different way to word something, a different way to phrase something. There's a couple of areas where there's some worry that we're getting a little too jargon-heavy, and are there things we can do to either make sure that we are very clear about the definitions of the jargon and whatnot, or whatever. So yeah.
B
So please take a look at the document, and let me go and I'll also put that in there as well. Go through any comments, put in stuff there. We want to get this done as soon as possible so that we can get this thing out to the broader community. I will also be drafting up a, I guess, a release for the... for us to actually release, sorry, drafting up...
B
I guess a release announcement, so that the community knows about these things. Anyway, so that's that reminder for anybody who's joining and hasn't put in the stuff for the Doodle poll: make sure that you put your... we are going to be changing the time of the meeting, because this time doesn't work for a lot of folks anymore. So we're going to be changing the time there.
B
That's about it as far as updates, and I'll hand it over to Hector, who wants to show some stuff off.
C
Yes, okay, so I'm gonna say a presentation. When I have a demo, I'm gonna try to be as quick as possible.
C
Let me know: can you see the slides? The first slide? Okay, so the idea is to show a demo about the SBOM admission controller on Kubernetes, so I have a prototype, which also uses some of the services that we have been building in VMware. So, about me: I'm tech lead at VMware, I'm working on supply chain security, focusing on three areas: signing, scanning and artifact storage.
C
So what I wanted to talk about is how this kind of content validation can be achieved. I hear from the community there are several problems and challenges, so I wanted to go into experimental mode and try to find options in order to offer a good experience and also, in this case, performance, and optimize what we can do with SBOMs when developing a Kubernetes admission controller.
C
I guess for the audience on this working group there is no need to explain what an SBOM file is or why we need them.
C
I'm pretty sure everyone knows that. So the idea is basically to try to enforce these minimum requirements that an SBOM has to have, and those can be extracted from what the NTIA published, right, like supplier, authors, components, dependencies, and all these lists where you can apply all these SBOM admission controllers or content verification. We have identified two places: one in the supply chain, where you really want to define a new step in your supply chain where things should be banned, or this kind of admission controller should work like a gate stopper.
C
You want to detect which kind of version and package you are running since when, and I don't know which license it is, whether I should stop certain parts because they are using a license that has changed; an example could be the change of license that Grafana happened to do. And yeah, other types of auditing purposes that you can do with an SBOM file. So I show this example of these McDonald's burgers I've served for 20 years, right, with this SBOM.
C
We know that this changes constantly, right, and we are trying to validate using the SBOM data: we are trying to get vulnerabilities, we are trying to identify deprecated libraries and unmaintained repositories, and probably blacklist suppliers. Right, then, one of the assumptions that I have been following on how the community works, and also internally at VMware, is that we are building all this kind of container images.
C
We are signing them, and we are generating SBOMs for them as well, and most of the time we are attaching those on the OCI registries, right. We are also attaching on the registry other kinds of artifacts, like Helm charts, image bundles, or scan reports or attestations.
C
So that is where, at least what I identify (I'm happy to hear other opinions here), the way is to store the SBOM files, or link them, either using an artifact spec or following the discovery as is done with cosign, so those files are being attached to the images, so you can easily identify them and analyze the content of this SBOM. Of course the formats are different.
C
There are multiple customers or users that prefer SPDX, others CycloneDX, as well as versions and formats. So there's quite a heterogeneous nature on what you can find in the OCI registry, right, if you are pushing all these from the different teams, and then you are trying to play with this data, search and offer some capabilities. As I say, the container registry just stores these artifacts, but they don't really need to know exactly what is inside, and they cannot provide you
C
this information today. So what we are looking at is to try to explore these search capabilities on what is being added to the OCI registry by the developers, and what we can do out of this information, right.
C
So one option, when you are thinking about admission controllers on Kubernetes, the straightforward approach could be to consume the registry, extract the SBOM from their linked image, validate their authenticity, and deserialize all this SBOM data and try to analyze it and enforce policies. The problem of these kinds of straightforward approaches is that, first of all, the SBOM files are really big.
C
They can contain multiple SBOM files on the stack, and also all this computation of the data, licenses.
C
Fetching them from OCI registries can create performance issues for the OCI registry if it's used for other purposes, and also when you are creating any type of resources; and unfortunately, we are talking about core Kubernetes types such as Pod, so everything that creates a container image will probably be verified in order to understand which is the SBOM, which are the ingredients of my container images, before deploying it. So yeah.
C
That's some of the same motivations that force us to evolve, and for that, in VMware we have developed a service which is called metadata store, or here I try to use some more generic terminology which might be common for everyone: an artifact store. And the idea is to try to keep synchronized all this kind of information that we are storing on the OCI registry, for which we need to have search capabilities on the content. Try to keep it in sync.
C
With this artifact store, we have been focused on SBOM, where we see that there is a lot of information and a lot of search capabilities that need to be exposed. So we have created this service, right. So the idea is, I don't know if anyone here has heard about Grafeas, but we have taken, as a first stone, what was in Grafeas and tried to evolve it into what we have today.
C
So that's some of the things that we have been working around. And yeah, our main intention, as it was at the beginning, was to find ways to extend the container registry API in order to offer certain capabilities, but there are some proposals and they are still under review.
C
So we believe that we have to provide a third-party service that could help us to get that information, and based on this data that we store in this artifact service, we will enforce policies and also try to offer some fallback mechanism, right. So in our case, this proposal of an admission controller for SBOM always starts in this artifact store, which is indexing
C
the data to give us all this information about the SBOMs that we have and whatever we have to deploy in our clusters, so we don't slow the API when creating pods or any kind of resource, right.
C
So the idea is to be able, by using this artifact store combined with the admission controller, to define policies such as: when this vulnerability appears in my infrastructure, or which components are using a specific license where I don't really want to have dependencies, usually in addition to new features that might come, such as SPDX support. We are focused on CycloneDX exports today, and well, designing GUIs, and then other ideas, right.
C
Regarding the admission controller, the demo I'm going to show doesn't focus on signing or authenticity of the SBOM files, but we really want to reuse some of the outputs that the cosign/Sigstore working group is trying to define in order to validate the authenticity of containers, by basically checking the signatures and policy definition.
C
So we really want to reuse that power, but today we are focusing on main simple policies, such as the component dependencies that you are using, the name and version, probably license as well. So that's what we have. All right, so I'm gonna try to show our demo.
C
Let me know if you can see my screen. Can you see the terminal? Yes, okay, thank you, awesome. Okay, let me... well, so what I wanna show. Well, I have a Harbor registry, right, then the flow that I wanna define is like: okay, I build a certain image, in this case I will try to use Keycloak, and let's say I push it to my registry, and I want to attach now an SBOM file, right.
C
So the idea is that I'm going to have to copy-paste certain scripts, and then I will explain. So first of all, I have my Keycloak image on the registry. I have a demo project in Harbor where I have this Keycloak image, and what I'm gonna do is to attach my SBOM files, right. So I'm going to attach it; hopefully that will work. Okay, so I have attached, let's say, uploaded this SBOM file, and if I check it out...
C
Here it is, okay. I have attached this SBOM, right. The content of this SBOM file... I'll probably switch terminal. Let me know if I need to make it bigger or smaller; please interrupt me, don't worry. So the content of these SBOM files is the CycloneDX generated with Grype, right. So let's say that the developer common flow that we are identifying and seeing is: you build your image,
C
then you push your image, sign it, and then generate the SBOM file, and with the SBOM file, once you generated it for the image that you have built, you attach it to the registry, right. So in this case, as you can see on my Harbor registry, I have the SBOM file, which is exactly the CycloneDX output generated from Grype, right. So once I have attached this, I will do the same for another.
C
I'm sorry, all right. So then I have the other SBOM file. Again it is the same, well, this is the same CycloneDX for the 116, but sorry, it means, well, one of the Log4j versions that was including one of the critical CVEs. I will show you later what this is. What is one of the services that we have? Well, I have a cluster as well, as you expect for a Kubernetes admission controller, so I have several pods.
C
So I have my Harbor registry deployed there. I have one of the services that I run in, which I call the metadata store Harbor webhook, which is keeping in sync what I have on Harbor with my artifact storage, right. So every time I push an artifact and I detect that it is an SBOM file, and it's probably the one that I want at this point, CycloneDX, I store it on my artifact store. So that's keeping in sync
C
the data that I am pushing, or developers are pushing, to the registry with what I have in my artifact store. Okay, sorry for switching! Then the other part of the demo is based on the admission controller, which was the main purpose of it. This admission controller, which is over here, is one verifier controller; it is, let's say, a draft of policy creation based on SPDX templates and CycloneDX.
C
I have started to identify different potential policy rules that you could create. I mainly focus so far on components, metadata and probably dependencies itself, but yeah, there are certain things that will probably be missing, and it's again a work in progress. The same applies for SPDX, right, like here again.
C
I focus on packages and dependencies for this first part, but there is a huge bunch of things, and I'm happy to work with someone else from the community, if they are working on raising that, to learn more about what else you think is super critical. So yeah. This is a policy definition, right. So here I have several objects, mainly pods, which I will enforce policy on top of, and then I have an object which I call cluster SBOM policy, right.
C
So this object will be, let's say, the schema of the whole admission controller, to understand which policies we need to enforce and for which kind of images or projects we're really wanting certain information, right. So the idea is to focus on different types of SBOM files. In this case, as I say, we are today supporting only CycloneDX; that's why all the examples are CycloneDX, but then the idea is to filter out anything, including SPDX as well.
C
So what I want to try is: I have one example with an older version of Keycloak which has the vulnerability, so my attempt will be to create this pod and get a denial, right. So I'm gonna try to... well, I have to show the cluster SBOM policy in the cluster, so you see it as well.
C
Where is this? No, wait. This? Let me space it, so the content is basically the same way. So in theory, because I'm trying to create a pod with my image, which belongs to this image pattern, I should be able to raise the policy and evaluate whether the SBOM of this image has this version.
C
This type of policy enforcement is strict, which means that whatever I'm defining here is whatever I want to deny, right. So in this case, if I try to create the demo for the first pod, Keycloak... I'm sorry.
C
Oh wait, maybe I... this is the demo gods, so they will... Okay, it says using baseline, sorry about that. Oh, this is library, okay, so because the rule is defined for the library, for the demo, then I was able to create a pod. But if I change that, if I edit the policy, or I simply go here and I change it, yeah, this is changed; the one in the cluster is not. If I do...
C
Let me validate, so the pod I'm gonna try is registry... No, this is the one. All right, so this will complain. Let's see if I try.
C
Yeah, so I have the invalid package used, right, and then, if I'm not mistaken, here I have the newer version for the nginx, right. So this is a kind of admission control. Again, if I check the logs (and I can show probably code as well, if you want), I will check the logs of the webhook and try to explain a bit more.
C
Oh, sorry about the noise. nginx, oops! No, next. So I get the image, I kind of found the image in the metadata store. As I said, what I'm doing in this admission controller is talking first to the metadata store. So if I go to the code, I can be more specific, and so we have here a verifier, right. The verify code talks to the metadata store.
C
So that's mainly what this admission controller does, and I think, within the same team, we have developed a CLI to talk to the artifact store, and so, if we really want to do additional complex queries, such as, I don't know, checking which images in my artifact store have a certain library, like a Log4j API, in this query I could identify pretty quickly which are the affected software or container images.
C
I could also get the content of the resources per CVE, and with the same kind of CLI I have built, you can fetch which images are facing a certain CVE, just by talking to the artifact store, right. So in this case you could identify and define policies for that.
C
We believe that by relying on the third service, which is the artifact store that I am mentioning here, and which is running on the cluster as well, you could eventually improve the performance. Obviously, I'm not really caring about HA, high availability. The metadata might not be on this registry, sorry, in this cluster; there might be another.
C
So then you don't have to run in the same cluster where you are enforcing the policies. And I think that's it from my side.
D
Hey, so awesome presentation, awesome focus on area. I mean, the whole SBOM to be a better data source to help evaluate whether a piece of content matches requirements is awesome. I think my questions are on the where and the when parts of the flow, and I'm curious what you think around, like you mentioned, the admission controller to the cluster is similar to scan results, like we...
D
We typically try to do scans up front, and the admission controller makes sure that the scans are current before blocking, so there's no performance... like, when you want to deploy a node, deploy a workload, you really don't want to wait for a long scan to happen and get the results. You kind of want that quick checksum that says: yep, this thing was scanned, it's within a policy, and away it goes.
C
Yeah, so I mean obviously you can set this step before, right, in the supply chain. When you are building the image you can probably define which dependencies you don't really want to get on production, or get on the production registry. So you can either consume the registries where most of the developers are pushing their development versions or images, or either you can have a supply chain.
C
I think the scanning is happening in an earlier stage, either by source scanning and container image scanning, and validations can be done in the steps of supply chains. In VMware we are considering that, and for that we are also adding signing policy enforcement in the same way that this SBOM policy enforcement can be done, right.
D
Awesome. I guess the other one was the conversations around the registry APIs and so forth. I know you were opening some PRs around the extensions APIs and search APIs; we're going through the same thing with Azure, and the SBOMs that we do for Office and Windows products and so forth. So one of the things that we've been thinking about is that the size of the SBOMs are huge, and do we copy those to multiple different systems for different use cases?
C
Definitely, yeah, so we have considered that. Obviously the ideal scenario will be like: we have API extensions and we can create all these queries or index this data within what the registries provide, right. Like, the problem we are facing as well is that we are creating an additional system where it can be attacked, so you are creating yet another place where hackers could attack you, but unfortunately there are no options today, or API...
C
Extensions will be something that we really like to see happening, because we will try to use it in a more formal way to make queries to the data that we are adding to the registries, right. And this is an example of SBOM, but I can also identify some other things that we are storing today on the registry, where we really want to have additional flexibility to what the OCI is providing today.
D
I'll free up for other folks, but we should definitely talk more about the extension. Like, there is no blocker that you can't write your own extension. Lots of people have extensions to the registry API today; we're working on formalizing a place to do it, but there's no blocker for what you need to do today. So we'd love to follow up more. It's awesome.
B
Any other questions? Yeah, I had one, but I think that was mostly what Steve had already mentioned there, which is, I guess, more like around performance impacts and anything, because when you're querying a database versus just sort of pulling in an attestation or something like that that says: hey, I previously had done a scan and this is what I found, and I'm going to say that attestation, let's say, is valid for a week, versus going for the database.
B
But I think there's good comments on that already, yeah.
C
I mean, again, you really need to have a source of truth where you have to expose search and information to customers; that's what we are seeing, right. They really want to have search engines and then extract all this information on a daily basis, whatever it is on your clusters: staging, development and production. So you can have... this is a fair solution as well, an alternative, yeah.
B
Sure, thanks, yeah. Once again, thank you, and I just want to make sure: any other questions, comments? There's definitely things I would love to discuss, but I think most of those are probably in the weeds, not necessarily for this meeting, but yeah, I think that's really good. I know Steven mentioned he would love to get some better understanding of what sorts of things you think are valuable coming out of the SBOM.
B
This is probably something for us to think about at, let's say, build time and those sorts of things, because I think one of the things that has also been brought up, and is kind of a key concern to this group, is: hey, not just that we're deploying something into production, but does it make sense that, when we sort of develop something, let's say we're generating an SBOM during a build?
B
During build time we need to go and say: actually, we're gonna fail the build, because we looked at your SBOM and you're using a highly compromised, very old version of a thing. And I think that's kind of a key concern for us.
A
This will expire in one week, and those can be small, and then your admission controller can just look at those little small things and say: hey, yes, I see the scan looked at the SBOM for me, came back and gave the thumbs up. And that way it's a separation of those policies, moving it out of the admission controller to the scanning system, and the admission controller is just looking at that thumbs up or thumbs down from the scanner.
C
I agree with that, with the scannings; it totally makes a lot of sense. But, for instance, you have a thousand containers on your production cluster and you really want to know if all of them are using the Log4j dependency 1.20, I don't remember the version of the second, right. How do you get that, right? Like, then this kind of detail might tell you: yeah, there are no vulnerabilities during the last day or two, but then what do you do?
C
I'll trigger a thousand scannings of all the images that I have running in production, or I try to follow a database where I might have this information replicated there somehow, right. I agree, yeah, it's different options, different solutions, yeah.
A
Yeah, and when I say scanning, I'm thinking you're scanning the SBOM itself, and that SBOM may have been imported into a database somewhere, but in some way, somehow, doing that kind of logic.
A
I mean, I can comment on this a little bit, so I work at Anchore and we have Syft and Grype with the open source. But then we have an enterprise product, and the way that works is: obviously you scan a container to build an SBOM, or you can import an SBOM, and then basically you set a policy, and any time, like, a vulnerability feed changes, it functionally will say rescan; it's just running queries in a database, and then obviously you can have your vulnerability...
B
Yeah, that's a good point there, and I know that's actually one of the other things that, when we also kind of go back to the SBOM thing, I know it's something that a few of us have brought up in a couple of the other sort of meetings in the various supply chain
B
groups, is also sort of an understanding of how the SBOMs are being built, so that we also have a better understanding of what we are actually looking at, because, like, I think, as folks sort of mentioned,
B
Syft and Grype are great, as you know, but they're obviously using a bit of a heuristic sort of model trying to figure out what's sort of in there; there's some other models that are sort of taking from the builds directly. At some point it probably makes sense to sort of combine the two to do that.
B
Some of that as well, and I think my point just being that, yeah, there's still a lot of work that we kind of need to figure out, especially from the client end. I think one of the things that we're trying to also figure out is, like, working at an enormous enterprise that uses multiple different tools for different languages, and we have lots of different... we might be focused around particular operating systems, particular package managers.
B
If we still have a lot of stuff all over the place, it can often get complicated, and we're often not sure what we're actually looking at, like: are we looking at an SBOM based on, yes, this came from the compiler, or not the compiler, but the build tool, let's say Maven, and Maven is telling us: hey,
B
I pulled in these libraries because this is literally what was in your manifest file, and this is what I've recorded, and, as long as I trust the build tool, yada yada; and then here's some additional metadata from something like a Syft saying: hey, here's the packages that were on the operating system, based on what we determined. But combining all those sorts of things together is, I think, going to be an interesting challenge, because we might want to better understand, like: oh, okay,
B
this is something that is doing this sort of heuristic, so we're going to provide this level of confidence; these are the additional things we might want to poke around with there, or additional scans or whatever, yeah. Sorry, but my point is just, like, yeah, it seems like a very interesting challenge.
A
Yeah, I do have a question, actually, about how you reconcile what happens if your admissions controller rejects an image. As you know, it's got the Log4j vulnerability, say; the Log4j just came out, and now: oh wait, I can't get my core login service to deploy now, because my admissions controller is saying it's insecure. Now none of my clients can log into the service. So it makes me question whether an admissions controller on production is really the right place in the workflow to really action that.
C
Exactly, yeah, that's a valid concern, and it can also happen for signatures, signing the images, right. If your policy enforcement detects a container image that's not signed, it's not good. What happened, right? From our side, we have thought about that. We are not going one direction or another, but obviously that also happens when you have Kubernetes running clusters in production and then you have an out-of-memory error.
C
Critical pods will never go away unless something is really going wrong, right. So the idea is probably to define this kind of criticality of things that you are running, that you don't really want to start to evict, following the same logic as...
C
Yeah, yeah, evicting pods, production clusters, yeah, well.
A
Not even necessarily saying evict the pod, it's more, you know, it's Kubernetes.
B
Yeah, my two cents has always been: don't break production. So, right, like, even if there is a vulnerability, there might be a: hey, yeah, I am totally cool with you flooding the logs with "here's a bunch of vulnerable pods" and whatnot, but don't take down what's already there. And I think, with a lot of these things, failing new deploys might be potentially useful, depending on how you might want to do certain things, where it's like: hey, look, here's something that is a new version of the software, we want to deploy it.
B
Oh wait! That's using a vulnerable version of Log4j that we had just discovered. And obviously there could be trade-offs there as well, which is like: yeah, but we might still let it through, because this still gets us closer to fixing the problem, because we need to get... it's a stop-gap or something like that.
B
But then, in addition to that, actually one of the questions, I know it's one of the things that, as the admission control stuff becomes more mature, one of the big ones is: how do we deal with situations like, let's say, as Steve has sort of mentioned, maybe one day we really want to make sure that everything is sort of in a source of truth like the OCI registry itself.
B
But what happens if, for example, we're trying to deploy, we're querying Grafeas, and Grafeas is unavailable, right? What's the failure mode? Are we failing closed? Are we failing open? I know, depending on how you set up a lot of the stuff there, it's already right now a little complicated, like you need to have your admission controller... If you want to fail closed, you need to have your admission...
C
I think there are many examples of that with Gatekeeper already, and one of their suggestions from Gatekeeper is to delete the admission controller definition from... Is this the rescue mode they call it? It is basically to remove the configurations from Kubernetes, right, but yeah, it's obviously a potential issue. Yeah, you can counter.
A
Yeah, I'll just kind of comment on my own comment that I threw in the chat, but if you're separating the admission control from the scanning process itself, and you're relying on an expiration of, like, you know, one week from the scan, and you rescan something that fails to scan the next time that had previously been accepted, you can probably treat that as an outage and say, hey, here's something that we thought was good and it's no longer good. This is a problem, and then you can go through your recovery process.
A
Do we want to sign it anyway and say it's okay for now? Do you need to fix this in a hurry before it becomes an actual production outage? But that's, if you separate that logic, you get a little bit more flexibility there.
A
So it's kind of like, basically, you know: we've got this time-boxed window of one week, or the time to the next scan, and you can say that this is an impending production outage. We know that by the time that we try to deploy this next, we won't be able to. So it's a good way of putting it.
B
Exactly, yeah, I think it all depends on, right, different folks' comfort with that, you know, and I should say, different organizations' comfort with that sort of thing. I know, you know, sometimes at banks, you need to light a fire under folks, otherwise they just don't get it done, and if you tell folks, hey look, this is going to be a production outage.
B
Great conversation. Any other sort of final questions, thoughts, anything else? Otherwise we can talk about some of the next couple of weeks.
B
All right, cool. So once again, thanks Hector for the great demo, I'm sure we'll kind of continue some of the chat in Slack and offline.
B
So just as a reminder once again, for anybody who joined late or whatever, here is the Doodle poll one last time, put in your last. You know, if you know anybody who wants to contribute who hasn't, just because they can't make this meeting, we are going to probably be changing the meeting to another time shortly, just wanted to kind of get that out there. We also, once again, I know the secure software factory reference architecture, which, you know, folks have been wondering, hey.
B
Is that thing going out? You know, because of, you know, post-KubeCon stuff, and then there was the holidays and everything else, stuff sort of went on the back burner a little bit. But, you know, we have a technical writer who's been giving a lot of great feedback, Celeste, but Celeste is actually going to be, I believe, announced that they're gonna be leaving the CNCF soon.
B
I think at the end of this month, so we're trying to get all that sort of stuff addressed sooner. You know, pretty soon we're also going to be putting out, probably in the next, hopefully once some of these really big comments are addressed, we're going to be putting this out for community review and community feedback quickly.
B
So once again, please, you know, especially for those who have already contributed stuff to the doc, if you could sort of look over, see if there's any comments on anything that you had sort of contributed, and kind of provide some additional feedback and whatnot, would be useful there. Let's see, what else.
B
That, and so figure the next couple of weeks this should hopefully go out. We'll get some additional feedback, definitely probably for the next.
B
A few weeks, anticipate it's mostly going to be feedback on the document, but if folks have interesting demos to give over the next few weeks, I think we're interested in that, and if folks also have thoughts on, hey, once this document goes out, what maybe are some next steps that folks would be interested in working on, whether that is... I know a few folks that talked about stuff like code that is related to some of this. I know we have at Citi.
B
We have some code that we've written up, and based on the fact that it's not purely CNCF related, it's probably going to be, we're looking at donating that to the OpenSSF, but we're looking at sort of working with folks in this group and in other groups to kind of, you know, continue to address some of these challenges.
B
So if anybody has any thoughts or whatever, feel free to sort of add them to the agenda, talk about them in Slack and whatnot.
B
Cool, well, so everybody have a good week and we'll continue the conversation in Slack.