From YouTube: SIG Docs Security Meeting 20200109
Description
For more info see https://git.k8s.io/community/sig-docs
B
C
C
A
C
A
A
D
E
A
Awesome, thank you, Jim. All right, if there are no more introductions, we can proceed, so.
A
Didn't everyone see my screen? Yep, perfect. All right, so yeah, this is a reboot of SIG Docs Security, and there were a few tasks, I guess. So yeah, the previous SIG Docs Security was trying to accomplish some goals, and obviously there are some tasks left undone. So I know you were catching up on that Allah towards the end of 2018, catching up on what was left, so did you want to fill us in on that and perhaps maybe set some, like, expectations or goals of what we'd like to accomplish moving forward? Yeah.
C
Definitely. So I went back through all of the notes that had been typed up for prior meetings and I did, you know, put them in this new notes document, and it looks like there was a lot of movement around some way to disclose Kubernetes CVEs. I think I really like the line here in one of the notes, I think from, it was from the May meeting last year.
C
There were a few things in that list there that were in an Airtable that the previous leads AK had set up, and I'd like to move off of that, and I don't really know if we need another tracking method other than just this Google Doc. But we need to, you know, and I can do this for at least for the first couple, circle back and see what we're doing in terms of contact with SIG Auth and documenting the CVE process.
C
I know there's been, one of the things that's going to be difficult, it's been, there's a lot of movement on the security side of things on the docs site outside of Docs Security, so I'm sure that some of these things here are out of date. I know the, like, the four C's is up and running, and I believe that was kind of supposed to be a living document. So I'm sure we can take a look at that, and since Kubernetes moved so fast, I'm sure there's some changes.
C
We need to make there, and there is a big document that was linked in there that I believe is owned by Steve Perry, that has a lot of security links for the docs and stuff like that. So can check with him and see what he was working on there, but I think the biggest one so far was just the how we report CVEs and where people can go for that information.
C
No, not really. You know, it's just, the big one is the how do we get, how do we get not just CVEs but vulnerability info to people, and what does that look like on the actual website for docs? I mean, we have a security section now that's getting a lot better. Do we have a disclosure section of the website? Is that something we want to move forward with and look into?
C
You know, how do we, as much as we can, one-stop shop this for people that want to know how to secure a cluster, at least in the first-party sense? I know in the broader docs scope we're having discussions around what third-party content looks like on the website. So, especially when it comes to security, that might be a line we need to tread carefully. As much as Marquis and I would love to expose all the fun things that Cystic does for security, we probably shouldn't do that in the first-party Kubernetes docs justice, all right.
A
Coherence of security content and security material on the website and the docs, and I did bring up, you know, I mentioned SIG Docs Security, that, you know, probably that's the best place to try to tackle something like that, an initiative like that, and there was a lot of enthusiasm in the room for that initiative.
A
C
C
D
C
But, like, Docs Security isn't going to be its own SIG, and I don't know if the end goal for this is it folds into Auth from a security standpoint or Docs for, you know, the documentation standpoint, but it seems like, over the last eight months to a year, security's been the big name of the game in Kubernetes, so I don't think there's a, I don't think this is a forever project.
C
C
Yeah, I think so. Yeah, you know, there's a section in these, the old notes, where I am assuming Zach or whomever, somebody typed, you know, though, we exist for organizing and indexing the Kubernetes security docs, providing insight for security recommendations in Kubernetes, and advocating for security to cluster owner and operators, and, you know, all of that in a docs context.
C
C
E
Is that the whole idea is that security docs are all over the website and there's no central way to find all of them, and, as we saw CVEs pop up, and, you know, how to, you know, escape out of a container and all the stuff and fun that happened last year, the conversation became more around, how do we make sure that folks know where to go when they want to get security
E
information, and I became the sole purpose of the group, and then the idea was that, hopefully, this group isn't live long enough where it needs to be a working group. Hopefully this is, you know, processes, procedures, moving some docs around, you know, cleaning up the current state of the world, and then, you know, either merging back into Docs or potentially handing off some of their responsibilities, some of the other SIGs.
C
There's a lot in there to unpack, and I tried to, I reorganized it, see, scroll forward chronologically, and it looks like, you know, you can see early on a lot of what they wanted to get done started getting done. You know, you see the early talk around the four C's, RBAC examples, things like that, kind of aggregating all the security docs, which has started. That's a longer process and a broader docs thing too.
C
C
E
E
So yeah, this is a beautiful example of the state of the world, where we are today and how fragmented we are, and the idea that someone would have to know how to navigate docs, know the, you know, proper locations to find these and dig these of the fact these are all in little nooks and crannies. Really, that's what we're looking to help out with, and Steve did an awesome job putting this doc together.
A
A
Some of the things that are relatively insecure aren't even clearly called out. So even when we do have some security docs on there, it's not clear or explicit that maybe you want to be careful with this, and if you want to, you know, implement it in a more secure way, here's a link to me or, yeah, here's a link to maybe how to do it more securely or something like that. Yeah, so that was, that I came up in that session with Valerie who.
D
C
C
Doc, I think we can suggest things, and I can see that there's a couple things that were suggested to add, so I don't know if he wants to keep ownership of this or I can take it, since I have the meeting notes as well. I don't know how involved in this he wants to be, so somebody can reach out to him. I can.
E
E
C
C
D
Okay, don't have to. What I will do is I'll take an action on it for myself. I want to go over both of these documents and kind of just see what the state of the world is, and then reach back out to Peter and Jim, and then I'll reach right Judaizing in the Slack channel, just to sort of get an idea of what maybe can be done between now and the next meeting. Oh, Jim, do we, do you want us to leave.
C
E
D
B
C
Then, for me, I'll see if I can certainly go back with where we were on the contacts for SIG Auth and Release, and if we had somebody, if they still, or somebodies, they still want to be involved in that. I know, I'll also hit up Steve and see what he wants to do with this doc as well, and then Markie, I'm sure, I mean, you just loop Peter and I in on going through the current document. It's not like you and I won't see each other every week.