►
From YouTube: Kubernetes WG IoT Edge 20190508
Description
May 8 2019 meeting of the Kubernetes IoT edge Working Group - formative discussion of edge security white paper
A
A
I
share
my
screen
and
we
can
kick
this
off
and
I'll
be
kind
of
like
the
screen
share
driver
here,
how's
that
sound
okay,
everybody
see
yes,
cool
and
let
me
also
remember
to
turn
off
my
notifications
too.
That
was
my
alarm
goes
off
to
clean
the
cat
box.
You
guys
don't
have
to
see
it
all
right,
great
cool,
so
let
me
get
this
video
out
the
way.
In
fact,
I
may
bury
it
up
there.
A
There
we
go
okay,
so
I
did
a
refresh
on
the
table
of
contents
and
we
got
some
really
good
sections
right
stuff
on
man
in
the
middle
and
and
all
that
where-
and
I
think
I
think
cindy's
comment
is
there's.
Definitely
something
to
be
said
about.
You
know
the
the
benefits
of
of
edge
competing
for
data
locality
and
privacy,
and
she
had
another
comment
too,
which
I
think
was.
A
A
As
I
was
writing
it
out,
I
really
ended
up
describing
more
like
how
condition
of
hardware
should
be
monitored
and
so
on,
rather
than
the
real
challenge
around
it
and-
and
he
pointed
out
the
last
paragraph
is
really
the
only
place
where
we
get
into
the
challenge.
I
think
I
just
need
to
rewrite
this
and
I'm
going
to
take
jono's
comment
and
and
then
turn
it
into
the
rework
of
the
content.
A
Great
okay,
so
I
think
that
that
handles
that
one
then
we
get
into
okay,
so
also
from
jono
here.
So
I
liked
his
idea.
It's
really
talking
about
the
different
ways
that
you
can
tamper.
I
I
think
I
think
I
even
said
here
yeah.
I
asked
him.
You
want
to
take
a
shot
at
directly,
adding
it
in
right,
because
he's
got
like
basically
comments
that
are
full
full
sections.
A
Okay,
this
is,
I
believe,
tied
to
nope,
not
authenticity
of
hardware
to
indication
of
compromise
is
that
right?
Yes,
under
indication
of
compromise,
he
said,
I
think
there
are
two
different
ideas
that
can
be
broken
out:
first,
intrusion,
detections
systems,
blah
blah
solutions
to
the
problem
of
forming
trust
with
a
device
in
operation.
Second,
is
that
identified
as
remediation
of
a
compromised
device?
So
since
this
is
under
indication
of
compromise,
I
I
actually
am
going
to
push
back.
A
I
think
on
him
a
little
with
the
same
kind
of
comment
that
he
had
above
talking
about
like
remediation
of
a
compromised
device
kind
of
gets
into
what
you
would
do
about
it.
But
I
do
think
that
there's
something
in
here
not
sure
what
to
do
yet
with
this
comment,
something
in
here
about
expanding
this
section
to
be
to
be
better
and
maybe
I'll
just
work
with
him
directly
on
that,
unless
anybody,
unless
anything,
jumps
out
to
anybody
right.
A
B
A
See
what
he
says
to
that
okay,
he
basically
hit
us
hard
in
these
first
sections.
Then
he
eases
up
all
right.
Let's
see,
says,
supply
chain
attack
the
targeting
manufacturer
of
a
device.
That
is
true.
I
actually,
I
actually
thought
when
I
put
this
in
that
under
authenticity
of
hardware.
It
really
is
it's
not
a
problem,
unique
to
the
edge
right.
The
same
thing
could
happen
in
the
cloud
they
gave
a
couple
of
links.
I
I
definitely
want
to
avoid
being
too
wikipedia
so
not
needing
to
link
to
everything.
A
What
do
you
guys?
I
actually
would
like
to
take
a
little
opinion
on
this
one.
What
do
you
guys
think
this
is
not
really
a
unique
challenge
of
the
edge
or
do
you
think
it
is,
and
you
think
this
this
has
enough
merit
to
stay
in
this
idea
that
somebody
could
basically
sell
you
hardware
with
the
back
door.
C
A
Sounds
good:
let's
let
me
put
this
as
a
reply,
or
did
he
let's
see?
Can
I
yeah
I
can
reply.
We
have
agreed
to
tighten
up
this
section
to
be
a
to
be
more
more
specific,
around
iot
edge
scenarios
and
take
into
account
your
comment,
but
this
is
a
general
supply
chain
issue,
all
right,
how's
that
sound.
That's
that's
work
to
be
done,
but
we
can
do
that
work.
A
Wait
my
cat's
chiming
in
on
the
the
work
here
we'll
see
if
he
contributes
anything
good
all
right.
That
was
that
that
one
there
so
man
in
the
middle
got
added
and-
and
I
liked
it,
I
thought
it
was
good
to
start
having
some
links
in
here.
The
quality
link
seemed
to
be
good,
and
I
thought
the
content
was.
You
know,
succinct,
but
we
can
also
expand
on
it.
Now
that
it's
in
any
objection
to
to
having
men
in
the
middle
in
in
this
section
it
might.
A
A
Under
connected
actually
yeah
yeah,
actually
you
know
what
it
says:
it's
related
to
devices
at
the
edge
you're
right,
it's
under
the
connected
devices
and
how
to
trust
them
right,
yes,
cool!
Why
don't
we
just
tack
this
on
to
the
end
of
the
next
section?
That's
a
good
idea
depends
on
from
where
you
look
right.
D
What's
that
say
it
again
from
where
you
look
when
you,
when
you
take
a
look
from
the
edge
device
into
the
cloud,
I
would
say
it's
there,
like
trust
the
hardware
or,
if
you,
if
you,
if
your
man
in
the
middle
attack,
tries
to
attack
the
cloud
server,
it's
something
different
than
the
attacking
the
the
edge
hardware.
So
I.
A
Yeah,
do
you
think
if
we
added
it
under
the
trusting
connected
devices
at
the
end
here
and
then
change
as
well,
so
yeah
and
change
the
title,
maybe
a
little
bit
from
man
in
the
middle
and
so
we'll
call
it?
This
will
be
3.5
right
and
if
we
change
it
there
we
go
and
let's
so
let's
say:
do
we
you
want
to
call
it
like
device
man
in
the
middle.
A
Or
device
or
device
to
gateway
man
in
the
middle,
probably
yeah,
we
can
always
edit
it
again
later
yeah.
Therefore,
you
know
avoiding
kind
of
the
you
know
device
to
cloud
right:
okay,
cool!
Let's
do
I'll
do
a
refresh
real
quick
on
this
make
sure
it
picked
up
the
let's
try
to
resolve
issues
as
we
go.
Let's
see
that
worked,
and
that
worked
okay,
great
okay,
cool!
This
is
good.
This
is
good
progress,
okay,
so
we're
into
section
three.
Let
me
collapse
this
down.
How
do
I
collapse
it
down?
A
Apparently,
I
can't
okay
trusting
connected
devices.
So
what
did
we
have
any
comments
around
here?
We
did.
We
had.
Okay,
it
said
feel
like
two
different
points
deserve
to
be
addressed
separately,
or
at
least
sequentially
first
is
forming
an
identity,
and
then
second,
even
if
it
has
a
unique
identity,
challenge
that
if
it
can
be
trusted
fair
enough
fair
enough,
so
we
said
first
verifying
devices
detecting
corruption
yeah.
A
I
I
think
we
could
turn
it
into
two
different
sections
forming
a
divide:
yeah,
okay,
okay,
I'm
in
kind
of
an
agreement
with
him
here
it's
applying
an
identity
to
something
that
doesn't
have
possibly
even
any
unique
identity
right.
It's
like
a
really
inexpensive
temperature
sensor
or
something
that
that's
reporting
on
in
the
lorawan
or
whatever,
and
then
trusting
the
unique
identity.
A
Oh
yes,
it
actually
is.
Okay
templates,
given
is
great
yeah.
Well,
maybe
we
move
that
out
into
a
next
paper
or
it
can
be
reframed,
I
think
so,
then
bernhard
did
you
want
to
talk
a
little
bit
more
on
your
comment
here.
You
said
you
know,
in
your
opinion,
one
potential
solutions,
data
verification
mentioned
partly
move
it
to
3-2
and
partly
extend
care
to
add
any
more.
C
A
Okay,
so
what
if,
let's
see
I'm
thinking,
how
do
we
wanna?
How
do
we
wanna
add
some
action
to
this
if
it's
under
three
two
protecting
data
in
commands,
which
also
has
some
comments,
so
he
said
looking
at
three
one,
three
two,
I
would
suggest
only
dealing
with
the
challenge
of
device
identity
for
three
one
use
three,
two
to
talk
about.
Second
order
challenges:
identity
of
a
device
cannot
be
trusted.
Data
comes
from
the
device
cannot
be
trusted.
A
Taking
this
into
account
with
the
comments
directly
above,
we
will
add
more
of
three
one
more
of
the
three
one
content,
two
three
two
and
perhaps
expand
on
three
one
to
be
more
accurate
and
it's
all
right.
Okay,
so
like
some
a
little
bit
of
a
little
bit
of
rework
there,
this
one
had
a
lot
around
it
in
commentary.
So
mertz
do
you
want
to
describe
here.
D
D
It's
actually
quite
easy
to
attack
these
and
as
soon
as
you
are
in
an
environment,
for
example,
in
urban
environment
and
your
edge
device
sits
in
a
I
don't
know,
maybe
a
bike
or
something
like
that.
You
can
just
walk
up
there
and
attack
it
with
whatever
you
want
and
nobody's
gonna.
Stop
you
from
that.
D
Just
because
your
environment
is
so
open,
I
would
say
so.
That's
definitely
one
of
the
challenges.
I
think
I
see
on
the
edge
that
you
can't
really
control
anything
around
it
and
because
of
that,
of
course
you
can
just
start
attacking
the
communication
channel
like
zigbee
or
bluetooth,
with
whatever
you
want,
because
nobody's
gonna.
Stop
you
from
that.
A
Yeah
and
in
a
way
that
makes
sense,
then
that
it
really
should
go
under
the
network
challenges
right
because
it's
related
to
wireless,
because
you
could
do
the
same
thing
to
wi-fi
if
you
had
a
strong
enough
set
of
equipment
right,
gotcha,
gotcha,
okay!
Well,
it
looks
like
you
had
some
good
agreement
on
that
too,
and
so
I'm
going
to
put
here
well,
why
don't
we?
Why
don't
we
go
ahead
and
move
it
right
now?
Is
that
a
good
solution
to
put
it
down
under
the
network.
B
A
F
A
A
So
that
means
that
we
are
down
to
device
management
becomes
the
new
3-3
and
the
man
in
the
middle
becomes
the
new
3-4
which
I'll
adjust
the
table
of
contents
again
middle,
so
device
management
didn't
seem
to
have
any
any
comments,
it's
good,
and
then
this
is
the
new
that
we
had
already
gone
in
and
edited
so
any
further
comments
on
section
three,
as
I
yet
again
refresh
the
table
the
contents,
I
think
that
section
got
shrunk,
but
we
were
planning
to
expand
it
as
well.
So.
A
Cool
okay,
nothing,
there
all
right!
I'd,
say
that
operating
system
was
an
area
where
I
I
felt
like
I
needed
the
most
contributions
and
help
or
one
of
the
sections
anyway.
So
let's
see
what
happened
here,
I
put
in
biosecure
boot
running
processes
binary
there
we
go
okay,
so
well,
you
made
a
very
significant
contribution.
There
delete
the
o
great
got
that
so,
let's
see
so
this
seems
very
similar
to
three
one
might
be
a
way
to
fold
these
two
together
in
that
we're
talking
about
identities.
A
Okay,
so
what
did
I
put
here?
Digital
signatures,
edge,
compute
nodes,
even
sensors,
effective
way
to
verify
the
identity,
but
they
require
a
private
key
yeah.
It's
something
a
little
more,
I'm
going
to
write
that
up.
There
is
something
a
bit
different
here
that
I
think
I
did
not
explain
quite
well
yet
I'll
take
another
shot
to
differentiate
from
oh.
Is
it
three
one?
Okay
cool?
Then,
here,
let's
see,
this
point
is
somewhat
addressed
in
two
three
physical
access
as
a
general
challenge,
yeah
might
say
so.
A
Here's
what
I
was
trying
to
get
to-
and
maybe
you
guys
have
some
idea-
how
to
do
this
better.
What
I
was
trying
to
get
at
is:
oh,
there
are
companies
making
devices
or
iot
systems,
and
you
know
all
these
different
things
where
they're
using
you
know
fixed
private
keys
as
the
solution
for
verifying
the
identity
of
the
edge
node,
but
because
those
keys
are
used,
you
know
in
not
necessarily
coming
out
of
you
know,
trusted
memory,
location
and
whatnot.
A
In
some
cases,
they're
just
right
on
disk
or
in
the
flash
memory
you
can,
you
can
get
into
the
device
and
get
the
key,
and
this
this
is
really.
The
problem
I
was
trying
to
to
address
here
is
like
you
know
you,
don't
it's
not
so
easy
to
get
into
the
the
nodes
in
a
cloud
or
data
center
environment,
and
so
it's
a
little
bit
more.
A
You
know
acceptable
to
have
a
fixed.
You
know
key,
you
know
into
the
the
os
there,
but
with
the
edge
nodes,
it's
it's.
You
got
to
think
twice
about
doing
that,
and
I
guess
that
didn't
really
come
through
here
that
that's
really
the
problem.
It's
it's
a
little
different
than
having
the
identity
get
masked
or
spoofed.
It's
more
that
the
identity.
A
A
Yeah,
that's
exactly
the
thing
is,
if
you
do
it
right,
you
know
that
you
have
this
combined
identity
right
in
which
the
separating
one
unit
from
the
other
allows.
You
know
that
can
be
detected,
but
if
not,
then
what
you
end
up
with
is
you
know
kind
of
a
false
sense
of
trust
that
that
I
wanted
to
to
have
come
through.
A
A
Cool
great,
I
think
I
think
we
should
discuss
that
a
bit
here
if
you
want
to
take
a
whack
at
adding
some
of
that
in
that
would
be
cool
and-
and
if
not,
you
can
just
put
more
in
comments
if
you'd
like
cool
okay-
let's
see
here
so
we
got
some
stuff
added
in.
Let's
see
these
consistency,
black
box,
okay-
and
I
think
I
approved
all
of
the
the
edits
here-
cool,
so
some
good
good
stuff
in
there.
A
A
C
A
Okay,
cool,
I
think,
that's
good.
I
think
I
think
I'd
like
to
merge
that
up
as
this
is
it's
worth
mentioning
where
you
describe
getting
that
that
initial
setup
verified
right.
How
about
under
logging?
Was
this
your
your
commentary
as
well,
here
too,
with
the
the
bullet
points,
because
this
was
not
a?
I
think
this
was
not
a
section
that
I
put
in
right.
You
added
all
of
logging
here.
C
Yes,
that's
true
because
what
I
at
least
from
a
cloud
perspective,
my
understanding
from
security,
is
that
you
always
end
up
in
some
sort
of
also
logging
issues,
because
one
is
first
of
all,
you
have
to
be
notified
that
something
is
going
on.
So
I
explicitly
wanted
to
have
a
dedicated
locking
session.
But
if
it's
not,
let's
say
within
the
scope
of
the
paper,
then
just
remove
it.
A
A
A
It
is
the
beginning
of
your
ability
to
identify
if
things
are
occurring
out
of
sequence
out
of
authorization
and
if
the
logs
are
as
editable
as
you
know
the
stolen
data,
then
you
might
even
never
know
that
someone
was
in
there
right.
Yeah!
That's
exactly
the
point
great
I'm
just
going
to
put
a
note
here
that
we
can
work
on,
I'm
going
to
say:
let's
expand
this
section
with
great
content
and
and
spend
some
more
text
describing
the
difficulties
of
protecting
blogs
and
audit
well
I'll,
just
say
vlogs.
A
B
H
A
A
A
There
we
go
information
at
the
edge
cool
great,
that's
some
good
stuff,
a
lot
of
value
there
cool,
let's
see,
and
yes,
I
would
love
to
let's
see
logging
categories,
specifically
multiple
workloads
addressing
various
security
challenges.
Yes,
I
think
you
know
hopefully
this.
If
this
paper
has
the
right
impact,
it
will
actually
trigger
a
lot
of
deeper
discussion.
I
think
it's
already
starting
to
trigger
some
good
stuff.
Well,
anything
else
in
this
section
or
are
we
do
we
have
the
right
actions
for
the
go
forward?
A
No,
for
me,
it's
fine!
Okay,
all
right,
excellent,
okay,
another
one
that
I
was
kind
of
scared
to
put
out
there,
because
I
I
feel
like
there's,
you
know
10
times
more
information
you
know
should
be
put
in
here
than
what's
in
here,
but
let's
see
how
it's
going
so
network
concerns
open
ports,
no
surprise
that
one
slid
by
great
okay,
fixed
vpns.
What
do
we
got?
A
Okay,
so
jonah
said
made
a
comment
earlier
yeah
encryption
in
the
network
section:
okay,
any
solutions
are
well
known,
accepted,
solving
issue,
preventing
full
abilities
of
data
in
transit
table
stakes
for
deploying
to
do
real
challenges.
Actually,
around
identity
or
potential
that
are
going
to
be
stolen
via
physical
access
right
and
that's
covered
earlier.
Well,
let's
see!
A
A
C
Yeah,
normally
from
a
cloud-ish
perspective,
you
always
have
some
sort
of
fixed
vpns,
but
the
ips
change
dynamically.
At
that
sense-
and
you
normally,
let's
say:
change
urp
within
a
dedicated
range
to
ensure,
let's
say
a
minimum
thing
of
security,
so
well
from
my
perspective,
I'm
quite
neutral
to
fixed
vpns,
section,
okay,
okay,.
H
B
A
All
right
network
access
is
data.
Access
so
said,
feel
free
to
just
screen.
I
take
is
that
access
credent,
essentially
different
implementation
with
pure
identities,
and
I
suggest
we
incorporate
all
the
different
solutions
around
identity
in
a
single
section.
Okay,
that's
a
pretty
that's
a
pretty
big
change
and
then
bernhard.
You
said:
let's
move
into
section
six
x.
Could
you
tell
me
what
you
were
thinking
with
that
and
I
think,
oh,
that
was
regarding
this
one
edgemaker
services.
C
Yeah,
but
it's
just
a
question
of
favor,
because
normally
yeah,
if
you
want,
we
can
keep
it
in
five
if
you,
if
you
want
from
the
other
perspective,
since
normally
you
have
a
lot
of
of
micro
services
and
streams
and
so
on,
it
probably
makes
sense
to
put
it
to
the
micro
service
section,
which
reflected
that
point.
Some
higher
applications
that
are
running
on
the
edge
node,
just
a
basic
idea.
A
A
A
A
A
A
You
know
where
it's
it's
a
very
it's
a
privatized
channel
or
it's
a
it's
a
you
know,
a
data
pathway
that
doesn't
necessarily
allow
any
kind
of
port
scanning
and
stuff
that
you
typically
do.
If
you
get
onto
a
network
and
see
what's
there
as
a
you
know
as
an
intruder,
but
so
I've
really
tossed
out
a
lot
here,
and
I
I
kind
of
get
it
that
that
jono
was
saying,
I'm
not
sure,
really
that
you
know
this
is.
A
C
At
some
sort
it
it
makes
sense
because,
for
example,
what
I
usually
do
is
when
I
verify,
for
example,
streaming
systems
and
in
that
sense
iot
is
a
streaming
system.
I
usually
open
a
telnet
session
and
grab
the
data
and
see
if
the
data
is
coming
in
or
submit
to
be
a
telnet
steering
command.
So
it's
on
at
that
point.
It
makes
sense,
because
I
need
access
to
the
network
and
yeah.
A
C
D
C
A
Great
and
then
we'll
just
we'll
just
check
in
with
you
or
you
can
feel
free
to
reply.
Hey,
I
don't
know
what
to
do
forget
about
it,
and
then
we
can
see
what
to
do
next.
Yeah
sure.
Okay,
thanks,
let's
see
I
identity
for
verification
or
control
plane.
So,
okay,
so
this
important
consideration,
arguably
one
of
the
easier
ones.
Oh
yeah,
totally
it's.
On
the
other
hand,
the
control
plane
lives
on
the
edge
as
well.
Then
it's
susceptible
same
problems.
Right,
that's
actually
a
good
idea.
A
Great,
let's
see
if
he
replies
there
all
right
so
then
this
is
the
comments
that
came
with
us
for
denial
of
things.
So
I
think
that
so
we've
already
got
some
good
material
here
and
we
can
review
and
I'd
see
that
doing
a
time
check.
We're
gonna
get
down
just
to
the
the
wire
here
on
finishing
this
out
this
out
as
a
working
session.
Let's
see
we
had
is
this
more
of
the
green
that
we
just
need
to
change
the
the
color?
A
G
A
A
C
Yes,
what
I
had
in
mind
when
I
read
this
this
during
guaranteed
remote
shutdown,
so
there
are
now
potentially
two,
let's
say:
schools
of
vlogging.
The
first
one
has
this
plastic
approach
where
you
have
a
dedicated
log
file
and
the
other
one
which
is
arising
through
the
area
of
big
data,
was
that
okay,
we
use
the
log
file,
basically
as
a
kafka
or
mqtt
stream.
So
I
think
in
the
sense
of
iot
it
should
be
more
or
less
a
data
stream
and
not
a
file
in
that
sense.
But
please
correct
me:
if
I'm
wrong.
A
A
A
I
think
I
think
this
is
something
we
are
going
to
have
to
contend
with
and
and
therefore
you
know
perhaps
wanting
to
clear
these
out,
so
they
can't
be
accessed
with
you
can
if
you
know
you
detect
intrusion
or
you
want
to
decommission
a
piece
of
edge
hardware,
so
I
think
in
the
case
that
you've
described
where
they're
being
untransmitted
for
centralized
logging
then
yeah.
Definitely
we
don't
have
that
issue
right.
A
A
So
probably
a
bit
more
commentary
or
content
would
probably
not
only
answer
the
question
but
help
anyone
else
who's.
Reading
I
think
and
yeah
okay,
great
all
right,
matching
microsoft
edge
hardware
that
seemed
to
work
out
okay
and
then
this
one
was
I'm
going
to
mark
this
as
resolve
because
we
moved
it
to
6x
great
okay.
We
have
a
very
full
seven
minutes
left.
A
A
A
Okay,
cool
I'd,
say
we've,
you
know,
we've
said
for
a
couple
working
sessions
now
that
working
group
meetings
now
that
we
we'd
like
to
wrap
it
up
by
the
next
one.
But
I
think
in
this
case
not
only
have
we
been
faster
than
most
of
these,
both
of
these
working
group
white
papers,
but
also
we
have
kind
of
you
know
a
a
hard
deadline
that
you
know
it's
arbitrary,
but
I
think
it
makes
a
lot
of
sense.
A
A
F
G
F
Also
one
of
the
things
I
think
that
the
next
meeting
will
will
overlap
with
the
with
the
kubecon
eu.
So
I
I
don't
know
how
much
people
will
actually
attend.
So
maybe
that's
something
I
I
can
you
know
start
the
discussion
on
the
slack
and
see
if
you
should
reschedule
something
around
it,
but
okay,
but
for
the
topic.
Yes,
absolutely.