From YouTube: Defend: Container Security Weekly Group Discussion
Description
Weekly meeting for the Defend:Container Security group
A: Welcome to Defend's weekly Container Security group call. Hope everyone's had a chance to look at the agenda. I am not going to talk through the whole thing. Sam, I'll let you kick it off, because it looks like the first items, which fall under Planning breakdown, are yours, unless anyone has previous discussions or demos they want to bring up.
B: All right, thanks, buns Lee. My apologies for adding these at the last minute. I did try to go over both of these with Alan sometime earlier, in an earlier time zone. I think we're in a good place for both of these, but I just wanted to formally cover both of these items in our planning breakdown and make sure that we're good to go.
E: Historically, there were multiple such products with kind of similar abilities and capabilities, and I'm talking about AppArmor but also SELinux, and I think SELinux is a bit more mature technology, as far as I know, in the Linux ecosystem. So I was curious why we're doing this with AppArmor and what the situation is in comparison between those two.
C: And what happened is that, from the course I took and I think some research that Alan also did, AppArmor seems to have a more friendly policy description, and seccomp is a little bit well known but a little bit hard to write the policies for and a little bit more verbose. That's what I got, yeah.
E: But is it critical for us to have these writing capabilities if it's abstracted anyway by the pod security policies? I don't know what the abstraction is; it's just from my understanding of the Linux ecosystem that what provides protection by encapsulation of the applications is SELinux; it's the more major one in these settings, as it's usually referred to.
E: Yeah, I'm just thinking, I guess pod security policy, which is the Kubernetes feature already, has support, I think, for the different technologies that exist on Linux. For the reasons, I don't really know them right now, but I'm pretty sure.
D: No, that's not the point of this meeting. We would be discussing something that we should have done before the meeting, so I want to have the discussion, get to the bottom of it, make sure we're making the right selection, but let's be optimistic and assume that this is still the option, and make sure that we have everything to work on it, if we, after this, confirm that yes, this is actually the direction we want to go, or still the direction we want to go. Yeah.
B: Absolutely, and here, you know, I wrote this as product requirements. So even though I'm naming the technology that we're installing here, we can swap that out to align with the engineering proposals. I don't think these product requirements are likely to change based off of the technology that we pick, so as long as the technology meets those requirements, I think we should be able to go ahead and proceed with this issue.
B: Okay, yeah, that sounds good. Okay, so we covered points A and B. For point C, I just wanted to have a discussion with the group about high availability for ingress and ModSecurity, and what we want to do moving forward there: do we want to provide high availability? Do we want to replace ingress-nginx and integrate it with Cilium?
F: When I first looked at this, it looked like we were just swapping one set of problems for a similar set of problems. Then, as we continued to talk about it asynchronously through the issue, Arthur's research and such, and then Sam, you and I reconfirming what the requirements are and what we actually need for this, and going back and forth, I think it's definitely worth considering. It seems like this way of doing WAF might be much better, not only from a high availability perspective, but from other perspectives as well.
F: So I'm not convinced it's the way to go, but I'm convinced it's the next thing we should surely research, and make sure it's technically feasible to meet all the requirements, and if so, then I'm convinced it's the way to go. So I kind of came full circle on this through the great discussions we've had asynchronously. So I guess next is, Arthur,
F: If you can do another pass through the requirements that are in the comments in the issue, just to make sure that what you were thinking, where you're thinking with Cilium and ModSecurity, will meet all those requirements. Just do it, yeah. If you do a second pass through that and just reconfirm that set.
B: In my mind, the big question is: do we go with Arthur's option number two, or do we not do that at all and keep what we have and invest in doing high availability for ingress? And that's the debate that's happening in my mind: do we keep ingress, or do we remove ingress and go with Arthur's number two? So that's my perspective; open to hearing any other ideas.
E: It's a pretty straightforward solution, but yeah, the downside is more stuff to deploy for users, and another minor downside is that a little bit more maintenance for the proxy will be on us, which is not a bad thing. But if we want to be fair and estimate the cost of what it will take us to constantly maintain it, over time the cost of the proxy might be similar to what we would have to do for option three, but the cost will be paid straight away rather than spread across time.
E: Yes and no, kind of; it depends how we implement option three, but I think in any case the bottleneck will be Envoy. But the way Cilium deploys it, I think it's a high availability option already. So yeah, essentially the way level 7 and all the traffic works is that Cilium is an eBPF program which runs independently in the kernel, so it's a really reliable piece of software. It sees the level 2 traffic, essentially TCP datagrams, and once it realizes that it's level 7, like it sees HTTP headers,
E: it sends it to the Envoy proxy, and Envoy does the parsing, and it allows us to apply level 7 rules. Level 7 policies work this way, so it's very highly dependent on the Envoy that is bundled into Cilium. But my understanding is the way the Envoy is deployed is considered high availability. It will be deployed to each node on the cluster, and even there, there are some additional options we have for high availability.
B: I mean, my concern is just, you know, ModSecurity supports a pretty deep set of rules, including things like session tracking and volumetric-based blocking to protect against DoS attacks, and I'm just a little bit worried that if we go trying to implement the filter ourselves, it's going to be hard for us to capture everything, or I'm worried that we're not going to have this thing robust, you know, at feature parity with ModSecurity as of today. So that's why I'm leaning towards option number 2, because, you know?
E: ...a little ModSecurity, to essentially try to hook into Envoy and make Envoy talk to libmodsecurity somehow, and the second option is to drop ModSecurity completely and let Cilium do everything, because it already does partially some stuff. I wanted to, like, just make a small comment about what Sam just said. Yeah, go for it. I think there is a perception that ModSecurity does it all, and in fact it does provide a lot of capabilities, but the thing is, it's not all.
E: So while it feels like ModSecurity does the world, if you narrow it by what's actually used by the OWASP Core Rule Set and then what is actually supported by the nginx module, it's not that much, and that's why I'm still thinking that option three is still viable. Like, we don't need a really wide range of capabilities on the Cilium level to match what we have right now with nginx and the Core Rule Set. Yeah, that's another point I wanted to make.
D: Yeah, I did a bit of research on that, Arthur. I only found some old threads where they were concerned about performance, but it does look like ModSecurity wants to load the whole body in memory. That seems to still be the case. So whenever there's a POST, if you want to protect against that, you've got to be able to load that in memory, and that could be, yeah, that could be a limiting factor. But yeah.
B: So there's really two decisions to make, you're right. One is two versus three, and then the other question is: do we do either two or three at all, or do we just stick with what we have? So we've talked a lot about the pros and cons of options two versus three. Maybe we can spend a few minutes talking about the pros or cons of replacing ModSecurity, and not just ModSecurity but replacing ingress, because I'm not sure yet, you know, on that decision.
E: It's hard to tell; my estimation is obviously for dedicated work, but it's obviously possible to parallelize stuff. It depends, like, what kind of work I will be parallelizing. If it's, let's say, something I'm working on right now, policy UI, which is a completely new piece of dashboard with a completely new piece of functionality, it will probably be a bit harder to jam between these kinds of tasks, but obviously I'm not going to drop out completely and do that stuff. And again,
E: this is option three; we're not really doing anything on our side, and it will be bottlenecked by the merge request process on the side of Cilium, so while we wait on that, I've obviously had time. I'm not here to get back to the discussion of which of the three options is viable. Is it viable to support? Do not use level 7, I would say.
E: So from my understanding, it's highly popular among enterprises because of the support, and I think performance might be slightly better there. So this one we definitely have to keep an eye on. And then there is Traefik, which is a Go-based ingress and super popular in the Kubernetes community, and it's even installed by default in some of the Kubernetes distributions. So if you want to get back up there, we need to also support it.
E: So that's another option, and that might become important for us, and we would need to support it as well. And the other option I highlighted is Istio. We don't support service mesh right now, but technology is moving really fast up there, and there are things like Linkerd and a lot of companies that are heavily invested in microservices; basically there is a parallel service mesh, and again, ingress up there is completely different.
E: So this is not really important, but it might become quite important in upcoming years, so you have to qualify it. It's still possible to go and introduce a similar offering, evolve from what they are and provide right now for different ingress implementations, but it's an independent piece of work for each of them, and it's a bit hard to estimate right now how much time we need out there.
E: Nginx open source ingress, which essentially takes the nginx open-source version and packs it into an ingress. It's maintained by Kubernetes developers, like, it's a team inside the Kubernetes team, and they provide this kind of reference ingress implementation, and some people just contributed bugs about the ingress open source nginx version. But again, I mentioned that it's a bit confusing. But there is another nginx-based ingress, which is called NGINX Plus ingress, I think, and that one is maintained by the nginx developers themselves, right.
F: The other thing I wanted to say is that, you know, one GitLab day is like five days at an average company, so it seems like 12.10, when we finished towards the end of 12.10 and the beginning of 13.0, is like years ago, but it's pretty cool that 13.0 includes the SIEM logging from WAF and CNS, which I know is in the release post they put together, Sam. So that's, that's.