From YouTube: Kubernetes SIG Auth 2020-07-22
Description
Kubernetes Auth Special-Interest-Group (SIG) Meeting 2020-07-22
Meeting Notes/Agenda: https://docs.google.com/document/d/1woLGRoONE3EBVx-wTb4pvp4CI7tmLZ6lS26VTbosLKM/preview
Find out more about SIG Auth here: https://github.com/kubernetes/community/tree/master/sig-auth
A: Awesome, all right, welcome everyone. So this is the SIG Auth meeting for July 22nd, 2020. We have a light agenda, so we might get some of our time back, so I'll go ahead and get started. So the first issue I had made a while ago, I think. Let's see, so I wrote down some thoughts. We had discussed this like a month and a half ago, something like that. It's been a while, and then I finally actually wrote down the thoughts in my head. Have folks had a chance to sort of read this, have some thoughts, ideas?
C: I think both the request and the recommendation have to remain, hence it's up to the signer to determine the duration.
D: I was gonna say I think it's fine for a client to suggest an expiration and leave it up to the signer to be the decider. More than that, I'm skeptical.
C: That's... I agree with that. Basically, if we only have the spec and the signer aspects, then you have to bake all policy that knows about particular requesters into the signer.
A: Jordan, do you feel comfortable in the fact that, if it is just in spec, you could still have like an admission webhook enforce a policy saying that I see a CSR coming from Mo, and Mo likes to do crazy things, so I'll make sure he can't have a really long cert, by forcibly...
F: It's not called out in the doc, but that was actually one... One interesting first upstream use case for this field might be to have the kubelet understand when it has rotation enabled and turn down its TTL.
B: For those cases, if it's handling its own request and decides to set its own TTL, I don't think there's an issue there. I think the concern was just if you had an admission webhook on it and you needed it to be able to get everything up, to be able to read the pod to serve your admission webhook.
A: Okay, is anyone like strongly against an addition to like spec that says, I don't know if it's duration or TTL or TTL hint, or something obviously describing the lifetime?

A: Yeah, okay, so follow the CSR, the standard PKI variation of the names.
C: I guess that CSR pins to, or X.509 pins to, a particular date, and for here we probably want it to be a duration, yeah. So.
E: All right, like when it's submitted, because that makes sense to the user. The user at a certain time said, give me a cert that's good for seven days. It wasn't, give me a futures contract for a cert that's good for seven days sometime next year.
A: Okay, a little sad that James is not here, but I think he's on PTO. I'd kind of like to hear his opinion, but I'll tag him on the PRs and stuff, so that way he can chime in too. Okay, all right, I think Tim and Jay, you guys have the next two items.
G: Here, I'll get my... let me see if I can.

G: There we go. I think I'm in shadow now. Hi, I'm Jay Beale, I'm one of the leads of the Security Audit Working Group, and I'm here to talk to you all about our request to turn into a SIG Security. So what you're... This is perfect. I can... I know I can share my screen, or if you want to keep that, if you want to keep the charter up, that'd be perfect. Which would you like?

G: Would you want me to share, or do you want to drive? I can just leave it up. No problem, that's awesome! Thank you, thanks a lot. This is nice, okay, well, cool! So, and I'm realizing I'm in shadow, so I'm gonna just adjust camera for a sec.
G: Isn't that great for the recording and everybody's time? Thanks. So I'm here to basically talk about... I think you are probably familiar with the third party, the Security Audit Working Group. We ran the first security audit of Kubernetes, and that included building up a threat model. A number of people in this call donated their time and helped with that threat model. We really, really appreciate it.

G: We found a lot out of doing the security audits, and we realized that there was more. There's certainly more for us to do and more to be done in turn, outside of just carrying in bugs and saying, hey, these are vulnerabilities that can go into the, you know, the PSC, you'll start managing, announcing and fixing.

G: So we've had wider conversations and had a good number of people join in, and a lot of that energy started when we gave a talk at KubeCon, and we just had a lot of security folks who were saying, like, how do I get involved? How do I get involved if I'm not looking to write code right now? So, as we talked, we have a pretty wide group, and there's...

G: A letter attached that kind of just talks about some of the different people outside of the folks that have been on the Security Audit Working Group to start, who've, you know, signed the letter and are part of this effort. So I'm just going to kind of tell you a little bit. You know, I know you can all read, but I'm going to tell you a little bit about...

G: What's in this charter, and then let us discuss. So, we've talked... we have actually four members of the Product Security Committee who have helped build this charter, and so we've had a lot of talks about what we can do, what we can take on to do either for or with the PSC. And so part of the early conversation was the public bugs, the ones that aren't embargoed? We can help with that. We can talk.

G: We can help set how the private fix and release processes are set up, how the vulnerabilities are rated; not run the bug bounty, but help define its scope, what goes in scope and out of scope; working on, basically, you know, how vulnerabilities are announced; and then what's the criteria and the process for supporting Kubernetes sub-projects? The examples we cited here were dashboard and the ingress, the nginx ingress, and the kops installer.

G: The next part of this is actually kind of one of the biggest, and the thing that I'd like to really share is the idea. The idea of our proposal for SIG Security is very focused on cross-cutting; we're not focused on code ownership. So: security community management, outreach.

G: The idea is, we've talked to, you know, some of the folks who we talked to... sorry, apparently I'm nervous. So one of the things we want to do is help handle the questions that come in from inexperienced users. You know, whether that's directing to the SIG or to the SIGs, or serving as a kind of, you know, cache for the... okay.

G: Before you go in and ask those questions of the SIG that's had to answer them 15 times, you know, we can give you an answer, and eventually that means that'll probably lead to us helping out on documentation, whether that's the actual Kubernetes documentation or security related docs, which I'll come to next.

G: So the biggest thing, I think in a lot of ways the biggest thing in this section, and one of the biggest things on this page, is to provide an entry point for new contributors who are interested in security. And the way we see it, like, part of what we found as we've done...

G: The security audits is that that kind of activity brings a lot of interest from traditional infosec people, and so our hope is that we can basically give them a place to talk, a place to ask questions, to get routed to SIGs, or to help with the things that aren't specifically writing code or writing docs. So I think that's honestly one of the biggest parts of this, is that outreach work and community management.

G: Let's see, the next couple. So, horizontal security documentation. This is something that I'm really proud of, that I'm really excited about, and that is, there are two things in here that are really important.

G: One is the threat model; it's basically keeping that threat modeling process going. And the other is basically security benchmarks, or hardening guide, and two of the people in our group are Liz Rice and Rory McCune, who run the CIS Kubernetes benchmark for CIS, and they're really excited about coming and basically building a hardening guide, a benchmark, here in the Kubernetes project in the open, instead of on CIS's...

G: You know, web portal, with only the people who came to contribute to CIS. They're really excited about doing that through GitHub and doing that in the Kubernetes project, and thus giving the Kubernetes project a lot more ability to influence the CIS guide, because if there is an official Kubernetes guide, then the CIS guide will definitely be... wow, to reuse the word, influenced. So we've also... there were some...

G: There are a couple folks who were working on the security docs subproject under SIG Docs. It was starting to sputter out a little bit, and they were really excited actually about making this a sub project of SIG Security, because in their mind, it's a heck of a lot easier to find security people who can write than to find documentation...

G: People who have security as a subject matter expertise. And so that's the other big part of that horizontal security documentation, and then the last part is the security audit that we've been doing already, and basically we're saying we'd like to have that become part of a wider mission for a SIG Security. So we've defined below a few sub-projects to start. One's, of course...

G: The ongoing third-party security audit. Another is security documents and documentation, and that "documents" is meant to mean things like hardening guides and such that aren't part of the how-to-use and, you know, "here's how pod security policies work" (that's the documentation about security policies), but rather that kind of hardening guide. And the other subproject for us was focused on community, such as discussion groups, making sure that we're providing more focus, and also just more contributors to help, because Kubernetes is certainly growing, and it's just...

G: I swear, in a lot of ways it's only in the last, you know, couple years really started to attract the attention of the infosec community at large. They're still learning and they're still trying to figure out how they can help; they're also trying to figure out how they can wrap their brain around it, and I think we're gonna...

G: I think the Kubernetes project is gonna see a ton of them coming, as, you know, a lot of the good talks happen at the mainstream security conferences. So that's the... I think that's the best way for me to run down what our charter is.

G: We've talked to a few people here already, but our focus on coming here today is to basically do, hopefully, a little bit better than just posting on your mailing list, and come out and, you know, talk to the group. So you've got a couple people here besides me who, you know, worked on this charter. One's Micah, and Tim's been here as well.

G: I think the other thing I want to highlight is people have asked, well, wait, if there's another SIG, is that another meeting that people at SIG Auth have to go to? And we wanted to be really clear that... no, you don't have to come to our meetings, we're not giving you another meeting. Our job will be to come to you.

G: Our job will be to come to you. If somebody starts a conversation about making a different default in code, then it's time for us to go and talk to SIG Auth about, you know, the arguments pro and against, if there are, you know... just like I've heard on this call about, you know, conversations over API and so on. We'll be having to go and walk around to the other SIGs, and that's just the way we see it.

G: I think I didn't cover this out of scope section. I think it's actually really important. So, first and foremost, we don't expect to own any of the Kubernetes project... sorry, any of the code that goes into a running cluster.

G: If we have code, it may be for helping manage the vulnerability announcement and management process, it might be, but it's not going to be code that goes in a cluster. Sorry, it's not going to be code that's required in order to run a cluster. Another example would be that if we were to, say, create a benchmarking tool that checked against the Kubernetes hardening guide: you know, these are the things you've got, these are the things that you don't have.

G: That would be code we might own. There are... I think that Tim and Mike can talk to you about some of the other examples if you ask us, and try to look at anything else on the out of scope; that's really useful too. It's really useful to share.
A: I'm really happy to stop monologuing. So I see that, like, out of scope is like cloud provider specific or distribution specific hardening guides. I guess, like, as an individual, you know, it was like, if I was new to Kubernetes and I wanted to make sure my Kubernetes was hardened, okay, like, I could certainly follow a guide and try to, like, very carefully make sure, you know... Let's pretend I don't want to buy something, I just want to run. You know, right.

A: How would I know that I was successful in my hardening, right? Like, part of the reason people lean on this bit right here is it's someone else's problem, and like they pay them to assure you that the hardening has been done. So, like, I understand that you guys don't want to own code. Would you... is like, I don't know, a test harness code? Does that count as code? Could you have like a "run this little suite against your cluster and it will echo back" if you want?
G: I think that's exactly the kind of code we would want to own. I think that getting the benchmarks that have happened outside with CIS or with other groups to, you know, actually have something in the Kubernetes project... I think that it's very, very naturally going to be that there's been an open source...

G: You know, this open source code to check against a doc. And, you know, I think an easy way to say it, an easy way to think about it, is, you know, Liz Rice is both a maintainer on the CIS benchmark and a, you know, author-maintainer on kube-bench, the tool for checking... you know, one of the open source tools for checking against that benchmark. Not to sign her up for more work, but I think that the folks that are writing the hardening guide are going to be especially interested in there being a tool. I know that I'll be very interested. I wrote the C... I wrote CIS's original Linux and Unix auditing tools that audited each of the Unices. This was a long time ago.

G: Obviously, since there were other Unices, but, you know, a lot of the previous BSDs and AIX, and each of the Linux distributions. I'll also say that the cloud provider specific or distribution specific hardening guides, I think that's a place where... I want to say that I think that's a soft one.

G: You know, if it turns out... I'm trying to think of, like, if I think about distribution specific, when I look at installers or open source distributions, is that those that are the most popular will end up almost certainly either ending up in scope or, you know, in demand to be in scope for hardening guides and for checking tools.

G: There's a certain extent to which I can speak for a group and a certain extent to which, you know, you have to realize you're getting into my personal opinion. So I wanna now say that we're headed a bit into my personal opinion, and I may be pretty outspoken at times, but I don't want to make any promises for anyone in that way. So I would say so: you've got...

G: If you had cloud provider... wait, can we nail this down to thinking about either cloud providers or, I think about OpenShift as kind of a product, as it were?

G: Can we make our question more specific to one of those, just to make it a little bit easier to reason?
C: Can I jump in, Jay? Yeah, so I think this isn't a question that's specific to security, unique to security. I'm sure this comes up in a lot of other contexts: around storage, around SIG Cloud Provider, around installers. And so I think that I would want to just look towards, like, talk to SIG Docs, talk to SIG Cloud Provider, and figure out what the norms around this are for existing documentation and just try and be consistent with that.

C: You know, if that means each cloud provider gets their own documentation page that they can kind of have some ownership of, or if we have some master list where we link out to cloud provider specific hardening guides, yeah. Okay, the other question I had around the horizontal security documentation.

C: It was hard for me to tell sort of how deep that was intended to be. Like, is that down to sort of the operating system level, like, if you're running this operating system, you really need to set this control and, like, turn off this thing and turn on this networking thing and turn off that firewall thing? Like, are you envisioning something all the way down to the OS level?
G: Yeah, I mean, I want to say I don't imagine that. However, if I think about, you know... I'm just trying to come up with a good example. But, you know, if you get into admission control, and there are, you know, in their settings you're suggesting, you'll start to get into the... you may end up outside of Kubernetes. An example... I'm trying to think of a decent example, kind of like the, here's...
B: One, let's say: control seccomp, or you want to control which user you run as, and that's an important thing for containing your container.
G: I have to... this is my opinion, and please, Tim or Michael, please contradict me at will. Like, you've just named a couple really clear ones that I think make it into any hardening guide, right? So it's hard to talk about... I mean, in my mind it's hard to talk about hardening Kubernetes without ending up in kind of the full gamut of, you know, the pod security policy, of the, you know, other admission control in general, and so, yeah.

G: If there is an OS setting or a container runtime setting that has to be set in order to permit admission control and some, you know, somewhat granular admission control recommendations, then yeah, I think we have to comment on it. You have to write a how-to on it.
C: I think there's sort of three different types of settings that could kind of come into play there. One is what David just mentioned, is like there's a feature that Kubernetes can take advantage of if it's enabled in the kernel, so we might say, like, you know, you need to choose, you can choose between SELinux or AppArmor. You know, if you have user namespaces enabled, then we don't do anything with it, unfortunately, but maybe someday. So there's those kind of like features we can take advantage of.

C: Yeah, yeah, sysctl on the ethernet adapter to kind of block that attack vector. It's pretty specific to the Kubernetes networking setup, so that I could also see in the hardening guide. And then you get into the, like, general Linux hardening of, like, you know, how to manage your SSH credentials, and that's the sort of thing that I would say is probably more out of scope.
G: Answer that part of your question, Jordan, but yeah. If we're talking about, you know, how do you manage your SSH credentials? What do you do with hosts.allow for things that are, you know, compiled against libwrap and so on? I think that stays...

G: I think that stays out of scope, and because I think, honestly, just from a workload perspective, because you're just doing a complete hardening guide for a limited distribution, it's a reasonable effort, and then you get into differences between distros.
C: Also, as a more meta comment, this is a proposal around starting up a kind of new sub community to talk about these sorts of questions and to figure these things out, and so I imagine, like, that'll be part of SIG Security... sorry, the security doc subproject is defining what's in scope for the docs. So we're sort of laying out kind of the broad scope here, but then I would expect a lot more discussion to happen after. Yeah.

C: I think the thing I'm trying to figure out is, like, if this is a SIG that is primarily oriented around, like, discussion and best practices and communication and, like, documenting hardening guides and coming up with maybe tests to verify you follow the hardening guide, but it doesn't actually own the code that a lot of those things depend on...

C: I'm just trying to imagine how those discussions... like, if a discussion happens and consensus emerges, but then, like, at what point are the various teams, SIG Node or SIG Auth or API Machinery or whatever, like... If consensus emerges before the SIGs are involved, then do you have to rehash those conversations? And if you get the SIGs involved as part of building that consensus, it sounds like just another, like, multi-SIG meeting time.

C: Not to discourage the goal. Like, I think the things that are called out here are things that have either been neglected or haven't been coordinated well. I'm just trying to think practically, like, what would this look like? Would it look like, here's a list of topics we want to tackle and we'll set up a particular meeting where we're going to talk through this and make sure the right people are there as part of that? What I want to avoid is, like, SIG Security becoming, like, someone assumes...
G: Right, I would say so... Tim, I hope you'll help me out here if I flounder in this question, but in my mind, until the relevant SIGs that own the code are involved in the conversation, the conversation isn't finished, right? It's kind of the... some part of this is: listen, every bit of, like, we've looked at two hardening guides, we've written the Kubernetes official... You know, we think we should bring you the official Kubernetes hardening guide that says you should do X.

G: Well, gosh. You know that one of the very next questions that anybody would have is, well, why isn't this the default? And, you know, of course, part of what we're going to do is say: dude, changing defaults is a lot harder than you think. But another part is it's time for us to come to each of the relevant SIGs and say this is what's getting talked about, this is what's happening, the hardening guides.

G: You know, what's the first... what do you see? Is the... you know, what's going to break when we try to do that, when people try to set that setting? You know, we've seen... we can think of this, but you're right, as you say, you're writing the code and planning the code, and then second, hey...

G: Can this become a default? And basically, for lack of a better verb, lobby the SIGs that own the code for, you know, moving defaults. But until the SIGs that own the code are involved in the conversation, it's not over. But, man, I think we can save you a lot of effort. I think we can save you a lot of, you know, like, imagine that conversation's finished; what's come out of that conversation is: you can't do that, it will break X?

G: Once that's been done, we can handle that question, like we can handle that debate six months later, when new people join and say, but why aren't you doing X? It's: no to X, SIG Auth has told us this, because... And that's part of the other... I think that's part of where I'm going.
C: Two things I'd like to add to that. One, Jay mentioned this earlier, but we really see it as part of the responsibility of SIG Security to reach out to the other SIGs, and so to show up at SIG Node and say, like, hey, we're working on this hardening guide. Here's some of the things that we've thought of. Like, is there stuff we're missing? Are there issues with this? And get input from the other SIG communities.

C: And then the other piece of it is just kind of from a pragmatic standpoint. These discussions are already happening, and they're happening outside of the Kubernetes community.

C: Today, they're happening in... well, outside of the, you know, SIG community; Kubernetes is a broader community, but, like, this is already happening through the CIS project and in kind of like hallway tracks and other discussions. There isn't a clear gathering point for these within the Kubernetes community, and so the idea is to kind of, like, bring that into the sort of official Kubernetes community structure and then also encourage that outreach to the other SIGs through that process.

C: One thought I just had that might be... it doesn't need to go in the charter or anything, but just a way of thinking about it: if there's a change that someone wants to propose, like actually going through the KEP process, at least in the, like, "this is what I want to do and why". Like, there's a lot of stuff in that template; like, don't worry about the rest of the template, but this is what I want to do and why, and identifying the SIG or SIGs that would be involved in that.

C: That would probably be a good thing to get used to doing, especially for something like SIG Security, which is almost exclusively in that sort of communication and coordination role. And what that lets us do is avoid sort of lengthy discussions and debates and consensus building before the actual stakeholders are really involved. So it identifies, like, what do you want to do? Why do you want to do it?
G: I think it's really great. It also means that, you know, that caching function too. It also means that when the third KEP comes in on very much the same thing, because I swear, as you get more infosec people coming into the project, you're going to get a bunch of repeat, and you can say, you know, let's reference this one.
C: Yeah, so my feedback on this is that I think these areas are underserved today and I'm happy to see someone paying attention to them. I know how much overhead there is in sort of a SIG structure, and so one of the questions that I asked the folks proposing this was, are you concerned about that overhead? As long as the people who would be bearing the brunt of that overhead feel like it's worth it...

C: I don't particularly object, but I just wanted to call that out as a consideration. And then the other thing that I think there will be some confusion over is just the name. I think people will associate SIG Security with, like, this SIG has the final say on everything security related, like they can, you know, dictate whatever. And I see that it's baked into the charter, like it's clear, but people won't read the charter; they'll hear, oh, SIG Security, SIG Security said this isn't okay, therefore, so...
G: Yeah, so I will promise you both that I will write something, that I will submit a pull request on our README, should we be accepted, that specifically says that we're not the decision-making body and talks about the SIGs and governance structure. Because we may often be, for security, the first place people go when they have something to say, and that means we're gonna be...

G: That means that we're gonna have an education mission, and part of that, like, we're going to have an education mission to tell them, well, hey, this is what the KEP is. This is what the KEP process is. Here's how you can create a KEP. Here, so you can look at the ones that already exist, so you're not necessarily suggesting something that's already been done without reading everything that's gone into why that's not happening.

G: I'm trying to remember what the... that was kind of a two-part. So, the overhead of managing a SIG. So I can speak for the people who are involved in this, especially for the leads on the Security Audit Working Group.

G: The cool thing has been that there's been enough energy that's come out of the community so far that we're not short on people who want to help and who are willing to help shoulder that overhead side. There's one thing I didn't speak about in here; it's not really all that written into our charter, but it's implied, and that was in... Can we scroll up just slightly?

G: That's in that security community management and that security outreach. And while it's called outreach, we also know that part of what we'll be seeing is some of the incoming conversations with people who aren't looking to immediately contribute to the project, but want to get conversation started about...

G: You know, whether it's been the most recent vulnerability in Kubernetes or some other security matter. And, you know, at one point we had in our charter, like, okay, we'll take... we just cleared it out of the bullets to make the charter shorter, but, you know, we'll take incoming questions from press and public about Kubernetes security, and, you know, obviously a lot of those go to the PSC. But, you know, one of the people who's on the charter...

G: One of who signed our letter and worked on the charter here is Ian, who was really clear with us and said: listen, if you think you can walk away from having to be an incoming... you know, an incoming channel for press or public questions...

G: Yeah, you're probably wrong. And part of what they said was, you know, right now, on security, the reporters basically either call the people on the PSC who were part of announcing a vulnerability, or they call the three or four people they know. And so Ian is part of our group, and Ian's handling, I would say, a ton of the incoming public and press inquiries. So maybe this will help spread that effort around.
B: Well, I'll say I was glad to see that the charter was very clear that ownership for the code stayed with the SIGs, that they'd be contacted about the security documentation, that you would find them. That's all good. I had one minor comment about the out of scope section. I would really like to see, for each of the things that are out of scope, who actually owns them.

B: Sure, you did it for some of them, but not for all, and if we don't have owners for the things that are out of scope, I would worry about scope creep. I think we can fix...
G: That... I think one thing I'm noting is there's not... perhaps when we copied this from Google Drive to GitHub, to Markdown, we didn't end up indenting some of these bullets that were indented in Google Drive. So, like, the embargoed vulnerability management, bug bounty submission triage, non-public vulnerability collection, disclosure: those are all meant to be indented under the bullet above, private vulnerability response, that ends with a colon.

G: So it's meant to be a list, and I'm just going to call that our typo in not indenting it. And then I think the only other things that don't have something listed, we better fix that. So "any projects outside of the Kubernetes project", maybe we're referring that to CNCF security, or "cloud provider specific or distributor specific hardening guides".

G: Put something snarky, but I think we're just stuck with... that's our way of trying to say that we're not king-making.

G: I think it's our fault, and I'll... it's probably my fault, because I was the one who copied the Google Drive. Thanks, David, I'll fix it. My bad.
A: Since we only have a few minutes left, is there, from any of the state moves or really anyone on the call, are there any concerns with this moving forward? I think we've talked about it in past some.
C: Both documenting it and acting on it, so making sure that not only is it documented that, like, if decisions need to be made, it needs to go through this process, like you need to propose a specific thing and get the right groups involved, but then actually sticking to that and saying, like, if someone wants to make a proposal, that's great, like we can help you find the right people to get involved and start working through that. So, yeah, and it sounds like the people leading this are committed to doing that.

C: No, I don't... I mean, I don't think that belongs in the charter. The charter is clear about, like, this is what this group does, and this is what the group doesn't do. I think going through the proposal, motivation, and relevant SIG bits of the KEP template would be a great way to, like, execute that, redirecting a specific proposal to the right groups, but that doesn't belong in the charter. That's an implementation detail.
G: I think we can create some documentation that even takes an example. I'm not promising to do that right now, but I think that we can absolutely create some documentation that creates an example, because that's going to save us a lot of effort and also, I hope, continue to build the trust that it sounds like you're expressing for our work, Jordan.
A: Back. All right! Well, thank you for attending, everyone, and we'll see you in two.