From YouTube: Protect:Container Security group discussion 2021-11-16
B
Yeah, I wanted to share that the work for adding the security tab to the agent-managed clusters has begun. The tab is now created and there's nothing in it yet, where Daniel's still wrapping up a few MRs for the operational vulnerabilities work, which is needed for this, but the tab is there and I think I turned on the feature behind the feature flag for cnp, everyone's favorite staging Protect project.
A
This first one we're not quite sure if we're gonna fund it yet, but we would like to put it through planning breakdown and refinement just to get an idea of the size of it. You may be aware that right now we don't have any engineers formally allocated to container network security. The category has been put in sort of a community contribution mode, where it's still around and we've expressed that we intend to invest in it in the future, but we don't have any immediate plans for that, so where the certificate method has been deprecated.

A
That means that that impacts some features that we have currently. So we went ahead and created this epic to outline the work that would be needed to address the policy editor UI piece of container network security and adding agent support for that. I'll just step through these requirements real briefly.

A
For the sake of anyone who may be watching, and there's a good recap for anyone here: so again, right now, if you come into Security and Compliance, and you go to the Policies page and you work on your network policies, right now it reads and writes directly to the Kubernetes cluster, and it does that with the service token that's used to set up the certificate-based connection for the Kubernetes cluster, so we don't have any way of doing this through the agent.

A
The idea is that instead, we'll be able to create and save network policies, which will generate an MR back into that linked security policy project, so we'll be storing these network policies as YAML inside of the security policy project, and then those policies will show up just like all the other policies do in that policy list. It will no longer pull the list of policies directly from Kubernetes.

A
One of the downsides of going this route is you don't necessarily know if your policies are in sync with what is in Kubernetes, so a good follow-on improvement to this would be to make that obvious in the UI. But for now that's out of scope for this particular epic. We would just simply show the list of policies in that security policy project, so you know we might add in the future, like a last synced date or a last updated date, just to know that those are actually being pushed into the Kubernetes cluster.

A
We would be adding a new setting to the config for the Kubernetes agent to turn network policy management on or off. If it was off, we would do nothing; if it's on, then what we actually would go and do is we would overwrite any existing network policies and push our policies in. So if somebody had created a network policy in there that was not found in our security policy project, we would delete that policy.

A
If we had a policy that did not exist in the Kubernetes cluster, then we would create it. If we had a different version of the same named policy, then we would overwrite it and replace it with ours, and the reason for that, if we security users want to actually enforce that, a big part of the value proposition is that, you know, by storing all of this in Git, you now have a commit history.

A
So a lot of back-end changes, at least a few front-end changes here to adjust the workflow so that it generates an MR instead of reading and writing directly to Kubernetes.
C
So, similar issue in the comments for cluster image scanning, and you know, I've been talking with material on that issue about the implementation plan and he did make a few suggestions.

C
We might be able to implement this without changing Rails at all, because the Kubernetes agent server has (I'm not totally sure how it works under the hood) but it has like a client library that can talk with Gitaly and it's able to download files directly from Gitaly.
D
Yeah, the logic that Sam was describing to basically do a diff of what's what, and synchronize to the single sort of source of truth, and given that we don't have rules mode for this. So we do, oh.
C
So one thing I just thought of is, of course we do, yeah.

C
So we could basically use GitOps and let people put the security policy YAML files inside GitOps projects and then just have GitOps create the network security policies.
A
So I think that's more or less what's being defined, the work that's been outlined in this related issue, which is to support Auto DevOps or GitOps with the GitLab Kubernetes agent.

A
This is really more on the Configure side to make that happen, and we want both. So this would be the experience for Free users, but for Ultimate tier users we want to provide that additional UI and that additional management, where we're separating out the security responsibilities from everyone else. So anyway, that's part of why we separated this out in the first place; we created a separate policy management experience to provide, just make it more usable and separate out that management for those Ultimate tier users, right.

A
Now we would want to modify the actual YAML schema itself a little bit, because right now you're writing just a raw network policy, and I'm assuming we would want to adjust that a little bit to think of it more in terms of like rules and actions like we've got for everything else, so I'm assuming the actual network policy YAML itself would be one part of the rule, and then you know we still would need like the type to be the name. So anyway, we might, I don't.
B
Yeah, and Sam, as you've seen, there's that to-and-from-YAML method that dictates whether it's parsable or not, and so that's going to have to be probably changed as well, but yeah, probably.

B
They're quite complicated. So yes.

B
Be nice to nuke them entirely and start things right; at the time there was a whole.

B
I do remember that MR, remember that, and it was Ash, will remember.
A
All right, I will move that to refinement; we'll put a sizing on that. Like I said, I do not yet know if we are going to do that work or not. I'm discussing that with my product leadership right now to figure out where that falls in terms of priority, because obviously, if we do this, something else is going to be delayed, but we'll work that out. For now we'll just move that to refinement and get a good sizing on it before we start work.
B
Yeah, and Sam, congratulations, it looks like you've kicked off quite the thread on this deprecation issue, talking about all this. I'm trying to catch up on it and it's a thread for miles.
A
So we do rely on an upstream dependency of ours, which is a Configure team feature that's been deprecated, but just like, if GitLab the product were to use an upstream dependency that became deprecated, it doesn't automatically make GitLab the product deprecated. We're kind of still in that same situation, where we're using a deprecated upstream dependency.

A
Yeah, one more item here for planning breakdown, thanks for adding this Alexander. In fact, we should probably review everything in that parent epic as well to see if there's anything else that needs to be covered for planning breakdown.
A
Yep, yeah, so this modifies the workflow to create a two-step process when you're creating a new policy. This will not apply for editing a policy; editing a policy will follow the same workflows as today, but when creating a new policy, you'll come to a page with these new cards, and of course we don't have scan result policies quite yet, so for the first generation it'll just be these two, but you'll have these cards to pick from.

A
You pick your policy and then you're taken to step two, which is the page that we're familiar with here. So you will have this new, like, breadcrumb thing up top and a new "back to step one" button at the bottom.
B
And hitting the browser's back button should also take you to step one as well, right?
A
I would expect that behavior; we could clarify that. That might be a question to clarify with Camellia.

A
I don't have a hard product requirement there, because it also is kind of like a wizard, but we're not really presenting it in a modal box, so it does kind of imply that you're going to a new page, so it could kind of go either way. You know, because I see modals where you're not being taken to a new page, so going back would just take you back, but yeah, I could see it go either way. That might be a good question for Camellia.
B
Should the URLs be able to be saved, like if someone's making many scan execution policies or wants to share that with someone else who wants to make a scan execution policy? Should the URLs be different between step one and step two?

A
Great question, Alexander.

C
You could use a fragment and then you wouldn't have to change the back end, but the URLs could still be different.
B
These are all great suggestions. That's all some questions; also, you mentioned something about editing a policy, and that made me think: is there a design for when you edit? I'm assuming when you edit a policy the breadcrumb header goes away completely, like you should be able to switch types when you're editing an already existing policy.
A
Yeah, that's a great question. I wrote up the requirements saying that the experience won't change at all, so we'd still have that same, like, select dropdown to switch the policy type, but that might be something to clarify as well with Camellia. So maybe this one's not quite ready for refinement. It sounds like we're getting a good list of design questions for Camellia here.
B
Yeah, definitely, I will re-watch this video to remember overall.
A
Sounds good, thank you, or we could just direct Camellia here too. Overall, we've got a pretty good list in this parent epic too. So I wanted to just run through these briefly, and this is great because we've got Alexander and Thiago and Brian, we've got all of you on the phone or on the Zoom call here; it'd be great to identify which of these are back-end, because I think most of these are front-end, but there might be a couple back-end in here that got lumped in.

A
So this is the one we just discussed, this one, yeah, go ahead.
C
Yeah, I think Dominic was having trouble refining that one and I think he asked Alan a question or something, never heard back, so probably ought to follow up on that one.
A
Yeah, usually we don't have bugs inside of feature epics anyway, so that one is a little bit out of place there. I'm just looking to see if any of these others need planning breakdown discussions. Harsh crime, scheduling, syntax: you're already working on this one, I think, Alexander, same review, yeah.
B
Sorry, I'm sorry, I didn't assign that one to myself.
A
Split approval mode and YAML previewer, okay, so yeah. This is one of those design things, splitting it up for the mocks, because we've changed the mocks a lot since we initially implemented this.
C
I would need Alexander to confirm, but I think that all the components already exist, so it would probably be pretty easy to implement because.
A
And I thought there was one in here about just cleaning up the overall UX. Maybe you split that out into these ones. Yeah, it looks like you split those out under those empty issues, great, yeah. I think we're close to having this. I mean this is sort of a muddy epic, because it's, you know, it's got a whole bunch of different things just thrown together here as follow-on issues.
A
Yeah, either way, I would say whatever is best for you honestly, so I want to leave it or close it out, that's fine. Cool! I think that's everything for today. Sorry about my audio issues.