From YouTube: Secrets Store CSI Community Meeting - 2022-04-28
A: All right, and thank you, everyone, for joining. This is our CSI Secrets Store call. Today is April 28th, and just some housekeeping again: this call is under the CNCF code of conduct. If you're not familiar with the code of conduct rules and guidelines, please visit our repo; there's a code of conduct markdown that you can read and become familiar with. All right, so we've got a short agenda again. I know we're getting into these summer months and I'm assuming people are going to start taking a lot of time off.

A: So, let's start off. Thanks, Rey, for joining. Rey, I'm not sure if you've been on the calls. If you want to kind of introduce yourself to the community, then you can go ahead with your announcement.

B: Yeah, hey folks, my name is Rey Lejano. I work for SUSE by way of Rancher Labs. I am a security subproject lead, leading the third-party security audits; also one of the SIG Docs co-chairs, and I was the 1.23 release lead and I'll be the 1.25 emeritus advisor.

B: So sometime last year, for the third-party security audit, I forgot who, but someone asked for the Secrets Store CSI driver to be in scope of the third-party security audits, and so we did include it in the RFP.

B: I just want to announce to this group here that we did select the vendor, which is NCC Group, to conduct the third-party security audits, and the audit will actually start on May 9th into June, and the Secrets Store CSI driver is in scope. So I just placed a link in the agenda there to the RFP. And so the only ask, I guess, is if a subject matter expert is needed, I'm assuming the best place to go is the Slack channel when the audit is running.

A: Yep, yeah, that's probably the best place, and then, if need be, we can get the maintainers together as well and do that.

B: Okay, all right, yeah, that's it from announcements. You know what, the findings at the end of it... well, the findings will be published. I hope to do a KubeCon talk to present the findings as well.

C: Rey, I kind of have a question. So could you just give a brief overview of what generally happens, or what's going to happen afterwards, once the security audit is done? What typically happens, what are the action items that come out of it, or how does this work?

B: Yeah, so it starts off with the code review for the security audits. It goes through different phases: architecture review, threat modeling, and then they do testing, of course. What comes out of it is not only an executive summary, excuse me, but findings published as well.

B: If there are any vulnerabilities, they do go to the Security Response Committee first, depending on the vulnerability, but it usually tends to go to the SRC, the Security Response Committee, first before it is made public, and that will rely on the SRC for that process, that timeline, when making any vulnerabilities public. But we hope to have the maintainers in the loop in case there are some questions from the security consultants and analysts during the audits as well. I know KubeCon Valencia is right in the middle of this, and it is understood that some folks may not be available during that week, and I also know that some folks might take a little break before or after KubeCon Valencia.

B: So that's also noted, but we'll just try to get in contact as best as we can during the audit process.

C: Okay, cool. And then, let's say we have some bugs that we need to take care of; then do we go again and do one more round of audit, and just keep doing this, or how does the resolution work?

B: So the resolution... it's tightly scoped, in terms of the number of hours, to a timeline and to the scope of what's been audited. I can't guarantee that there's going to be another round. I don't know if that process is buffered into the timeline and the number of hours for the audit.

B: But I know that if it can be addressed, then we as a community can address that the bug has been fixed or the bug has been addressed. This happened in 2019, so I'm surfacing that link to the Kubernetes security repo, and you could find the 2019 findings and reports as well. It's in their own directory. You just follow the breadcrumbs back up a few directories, probably one before that, and then you find the 2019 audit.

B: Then the findings and the publications from that audit, and it'll be similar as well, but there will be a different scope. So you could take a look at the scope for the RFP for 2019 versus 2022. The one for 2022 is mostly the core components and CSI Secrets Store for 2022. Okay, cool.

A: Got it. Hey, just to piggyback off something you mentioned: so if you find something that is, you know, let's say malicious or something, is there an embargo period where the maintainers can go ahead and fix that before you release it to the public?

A: Perfect, yeah, we're looking forward to that. I know it's been a long time coming to get this done.

A: Thanks, Rey, for that. Let's get back to Jindal, okay. Nothing else other than something I want to just chat about that I've seen be really successful on some of the projects that I actually participate in as well, and so what I want to talk about is the creation of a contribution ladder. I've seen this be successful on another project; here is our OSM project, I'll go ahead and bring that up. What that is, this basically lays out the whole guideline approach.

A: If you want to be a contributor and then ultimately a maintainer on the project. And I think a lot of people are trying to figure out, okay: where can they plug in? What is a contributor? Do I have to know... you know, do you have to be a developer, et cetera? And this really kind of outlines that there are a lot of different ways that you can become a contributor.

A: You can be a docs contributor, et cetera, but what this does is it gives a nice guided path if you ultimately want to be a maintainer and do some of the dev work as well. And I think this is something that would be good for this project to get more of the community involved, because I think, again, when things aren't clear, some people kind of stand away from it, or they don't want to make mistakes, etc. And then also part of this is ultimately getting to, like, the maintainer level, and there are also some mentorship opportunities with some of our core maintainers today: if you have a vision of ever becoming a maintainer, you actually team up with some of the current maintainers and go through some mentorship and work with them. So it's actually a really good program that we've seen in some other projects, and I want to look to bring that to this project as well.

A: Any questions? We've got a small crew here. Any questions about this? Do you feel...

C: So I'm just curious how this is different from the, I think, some sort of contribution ladder we already have in k/k, like the upstream Kubernetes. Is it any different?

A: Pretty similar, but this is very specific to this project. Like, right now we don't have... if I'm in the repo here, we have... let's see, where is that? Actually, it's not even on the landing page here.

C: I mean, I have seen, and I've actually talked with Anish about this multiple times, and we always refer to the general contribution ladder that we have for Kubernetes.

A: Yeah, we've been working with our marketing, so that would be Karen, and yeah, that exists kind of in other projects, and yeah, we're kind of tied to this. But I think we could have a variation that is very specific to this project and just make it more accessible.

A: You know, some people may not be thinking of the linkage going back up to the Kubernetes project as well. So that's something we can discuss, you know, if we just need to have a file here that redirects to that contribution ladder, and then maybe, if we feel like there's anything specific that's maybe more clickable for ours, then we could do so, right.

C: Yeah, I think I have also seen a PR from Karen related to this.

D: On this specific repo? Oh yes, interesting.

A: Yeah, I wasn't aware if she did do that, but yeah, we can chat about that. I can, yeah.

A: Yeah, but yeah, I do know that again, a lot of projects like ours are actually putting it in the actual repo, just so it's, you know, a line-of-sight type of thing, right. And then yeah, I think, yeah, we could pretty much kind of just scope some stuff.

A: Okay, nothing left on the agenda. We were talking PRs, so we do still have this lingering PR about dain, I believe. I don't know, like, have you looked into this anymore, or is it still...

C: Some comments on it, so yeah, we'll work on it. But yeah, I mean, the last we discussed on this, we were trying to segregate the two parts of it. First is just to have the sync option, a sync or option in there, and then we discussed templating and stuff. So we decided templating should be, like, let's do it as a separate PR.

C: Yeah, but last I saw, folks have reviewed and there are review comments on it. I'm not sure if he has fixed it yet, but I'll give it a look.

A: Okay, yeah, lots of activity happening here. Okay, let's see, nothing else on the agenda.

C: Yeah, I mean, I have not seen, like, a pressing issue that we need to fix, but I think one of the activities that we are going to do is just to sort of do an issue triage and see what we need to get in for the next set of releases. So hopefully, once the other maintainers are back, we'll just do that exercise for the next release, yep.

A: Okay, all right! Well, that's it for today, another kind of quick, short meeting. Our next call will be in a couple of weeks. So that's going to be... I'm going to check my calendar; that's going to be May 9th! No, I'm sorry, May 12th, a couple of weeks. So hope to see everyone back then, and thanks, everyone, for joining. I'll go ahead and have this recording up soon, hopefully by the end of the day or tomorrow, and we'll see everybody back in a couple of weeks.