From YouTube: Security Policy Working Group Meeting 2017-10-18
A: If you want to take notes, just directly in that policy meeting notes document. Cool, so two bits on the agenda today. First, we want to talk about Istio 0.3. The focus document is out. I want to kind of spin through that, especially the P0s, and if there's time the P1s as well, and kind of just make sure that we all agree, you know, that the priorities are right, and for the P0s...

A: Talk about how we're going to track those going forward. There was some, I guess, some of it. Some of the teams are using ZenHub. I didn't see any of the 0.3 items from security showing up in ZenHub. So we can talk about that as well, but yeah. If you want to pull up the 0.3 focus document, I can share that.
A: So the first P0, incremental mTLS adoption, is basically, you know, both incremental in the sense of moving services kind of one-by-one into TLS, but also, I think, incremental in being able to do this without causing any traffic to be dropped. So when you want to enable mutual TLS on a service, be able to do it in a way that is incremental and doesn't cause things to break.
A: Just, do people understand what it is? Do people think that it's not really a P0? Like, I kind of just been through the list and make sure that everybody knows what they are and that we sort of, as a group, a working group, kind of agree that these really are the priority items for 0.3. Okay, okay, so next one is enabling auth while still allowing health checks.
A: There's this issue with Kubernetes, especially, where the kubelet is responsible for hitting an endpoint on a service and checking whether it is healthy, and when we turn on TLS that breaks. So we need to find a solution that doesn't break this. And the last P1 is Istio components using secure connections. This one is going to be... it's like listed under security, but it's gonna be, I think, a joint effort with other working groups for the individual components, so like Envoy, Mixer will be, I think, with...
A: That's not gonna, like, bring your cluster to a halt or cause your service to start failing. So traffic shifting is sort of the design, I think, that we have for allowing that to happen, but the use case, if you like, is: okay, I've got Istio running in my cluster, now I want to turn on mTLS, but I want to do it, you know, on a live production cluster with services actually being run and not have people start getting dropped connections and the services failing to work. Yeah.
C: We might divide into two different phases. So first of all, we might have some, a little bit. Don't have, I will get that quickly, but I give solution without, don't have a dog. I don't want to make sure a week for the cattle devastated, so the first one we downtime. We can support that. Is that acceptable for of this? I think this is up for us to be fun, and I mean ideally I...
A: Just to be clear to everyone: P0 means that it is a feature that, you know, we would consider blocking the release for, so that's the kind of question that we should be asking. Whether this is a P0 or P1 is like, would we block the release if that feature wasn't working right?
C: I mean, I'm also trying to clarify this incremental. This one can be interpreted in a different way. You didn't really, like, SLA for the downtime. Even if we do the phase zero, downtime is one minute, yep, probably good enough or not, I don't know. So that's something we should clarify and also make sure we are able to deliver it, since if we call it as P0, yeah.
C: Know the comments to any of those items. I just want to make sure we have the right audience, because, like, the last item is working by engineer who is not in this meeting? Okay, so I just wonder if we should, that she took. Do you guys think there's a need to have a, like, some, like, most of the meeting Tara, we have all security, lady, the working group to attend and make sure, I mean, we have the right audience. Yeah, I need.
A: So I would be in favor of having the entire security SIG meeting on a regular basis, in addition to the working groups that have their focused topics, because, like, some of these things don't fit, like you say, they don't really fit into either the policy working group or the identity working group, like this thing about secure connections. So I think that, you know, we do want to have security SIG having some meetings, in addition to the working, being the individual focus groups, having their meetings.
A: Okay, cool, so let's talk about the P1s. So SNI is the service name indication, or server name indication. So this is primarily about properly supporting ingress of secure connections: when a client wants to make a TLS connection, that is, the client is outside the mesh and wants to make a TLS connection in the mesh.
C: That were initiating the deafness, I think that's probably applied to both of them. So the first, I think my understanding for the first one is that we should install kisser at every level to terminate incoming traffic instead of lagging application. Terminally same community incoming traffic, same thing for this phone out of bound, so traffic from application to my will be not encrypted, and what we advocate is a traveling to increment traffic. Okay.
A: Just drop that one entirely, and then we have Istio-native RBAC, which I believe we've discussed in this working group as well, right? And, yes, the authorization with Open Policy Agent. There are design docs for both of those out now, if people are wondering the next level of detail of what that actually involves. And then I don't think it's necessarily worth us getting into the P2s and P3s for this meeting, other than to just ask, you know: is there...?
A: So today in Kubernetes, when the services come up and the Envoys want to do mTLS, they get their key and certificate via Kubernetes secrets. So Istio Auth, you know, creates the secrets and puts them into Kubernetes, and then those are mounted by Kubernetes into the, or clothes. So in non-Kubernetes, the idea is that we'll have a node agent that will be running on the node that hosts the workload, and the idea here is to stop using Kubernetes secrets, even for Kubernetes as well, and sort of switch to this node agent style architecture.
C: I can do that, like two more advantageous benefits of doing it. First of all, the kind of way of loading certificate doesn't really support key rotation. Every time we needed, okay, the key, we have to kill em or energy started. This is, I may not ideal fund them. G, say cameras on that, and another benefit is node agent based, the key sort of provisioning will be the providers Java C purity as a competitiveness, secret kill. A series is not designed for kiss hurt.
A: Okay, so I'm interested in kind of figuring out who's actually working on these things. So some of them are gonna be in this working group and some of them are gonna be either in the larger security SIG or the other security working group, which is on identity. So it might be worth us just kind of going through and kind of deciding as a working group which of these we think are in our wheelhouse as a working group.
A: In terms of, like, who's working on them and what's the status of it, and things like that. So, like, one of my goals in this cycle is to increase community involvement, and I think that, like, having some visibility into kind of where things are and where people can help out is a good way to do that.
A: So what I would like is for us to have a way that we're actually tracking all of these items, having at least one person who's the kind of point of contact for them. So if people in the community want to get involved, they know who to talk to, and that we kind of are regularly meeting and getting status updates and asking the question of, like: where do we need help on these items?
C: Right, that's a very, very good question. I think it's learned, and these and our are working on some governance model, and I'm not sure if they publish anything yet. I will, I'm talking to them and bring this up and then get it back to you, and not okay. At every grade that I think, I mean, if we're talking about community involvement, we definitely the line. You guys have, like, some access to do that, to do the actual work, yeah.
A: Right, so, like, I mean, I sort of am not, I've only just started using ZenHub, so I'm not necessarily wed to that as, like, the thing that we should be using to track this. But if we kind of, has this, do in general, have decided that that's the way that we want to track this stuff, then we need to get these security priorities into ZenHub and tracking them. So, like, none of the P0s from security currently are in ZenHub, at least that I could find.
C: In terms of artistry focus, we started a new focus, end user authentication, and write seem very demanding. I mean, requirements from our customers. They wanna see us make some progress to support end user authentication, and probably, I mean, after we have the first workgroup on the user authentication, we will see if we should add anything to GGO on stream focus as P1 or P2, just make sure they have a complete picture.
A: Do you guys want to keep using the Istio security Google Group as the way that we're communicating over email, or do we want to create a separate list that's just for this working group? Like, I don't necessarily want to, like, kind of fragment the discussion too much. The security list doesn't get that much traffic today, so maybe we just continue using it, but, you know, kind of flag the messages as the policy working group. Does that work for people? What do people think?
C: I just wanna keep some Paula, I think it's exciting for me to set up some meeting, so we can talk to queuing area security folks in terms of design and plan, how we can convert these to RBAC. I did talk to Google internal kinetic regime. I think they are definitely supporting this direction, so, and leaving noise back, I...
C: Probably instead of some meetings, and I also invite my spy or any of you who is interested, we can contribute ideas to make this happen, and I, again, just to highlight the reason we think this is the right direction: because, based on current design, they are very similar, and there's definitely some discrepancy about these crumbs. It doesn't seem big enough to justify we go suck it away, and that might cause confusion to our customers, and we do not want, as you get a customer, another, yet another system. Another thing I want to bring up is, I...
G: That you have, the RBAC is effectively, instead of, it's a configuration that has a set of implicit operators, and when you introduce RBAC-like conditions, and intertwined with sort of this config-driven policy that has implicit operators, and then you have something with very explicit operators, it's really easy to collide, or have a collision between the very explicit statement and the implicit logic, without it being super obvious to the user.
C: And it also just reminds me one more thing to talk about, I think. Currently, we are only focusing on master the level access control, and we in turn recorded across screen. We are not really talking about resource and have access control for you still. We like 24th attitude yet another ones writing system, like, oh, but actually Kubernetes RBAC, they do support resources, our access control, or Kubernetes resource. So I think that we're talking about also come up.
B: Not Istio, so when we also for Istio RBAC, when we used to, the past, we are identify a matter of basically problem, I think I missile, and the person is talking about the custom resource. It's like a using box toy example. It's like a the third book, a show for, or something this. This is consider the custom yourself, I think.
A: And so, to the extent that the location of those resources are kind of directly encoded in the URLs, then you can authorize people access to specific ones, but if they're not encoded directly in the URL, or use some other kind of scheme, it gets quite difficult. So that's what I mean by saying there's limited support for doing that now.
C: On Kubernetes, I need some work on the other, like installing Erica, I think there's no roadblock on that side for traffic. For the thing with traffic shifting, we need to work further with our design, I, to fight some better integrated Pilot. I think, should we do a design review for those proposals, not just the security button, in how easy on, because that we also mostly the floor.
E: I mean, I think we should do it. I think you should do a design review, because I was expecting you to say you'd be a setting on a per service version, and I call immediately picture, if we make it a setting per service, how will extend that to do, you know, without any downtime for the service, and it may be possible? But that's what I'm suggesting, you know, design review to discuss that.
C: Yes, okay, I will set up some time, some meeting next week. We can fly the thing, isn't backing thought for the service version, all for deployment in our end, and there's some objection from Pilot, and so we want to kind of smooth it out. First, yeah, I would also suggest that you work with spike in a sort of, yes.