From YouTube: Kubernetes SIG Security 20221201
A
My name is Ian Coldwater. I am the co-chair of Kubernetes SIG Security, and I'm really happy to be here with all of you. Normally we don't start until something like four or five after, to give room to the stragglers who have back-to-back meetings, but today I am the straggler who has back-to-back meetings.
A
Would anybody be willing, and, and I say that being like, we actually need one to take notes today. Is that something that somebody can volunteer to do? It's a very important thing to make the meeting go. I'm happy to do it.
B
A
Thank you. Let me get the agenda up, because actually I don't know. Also, I agree, Caitlyn, your hair is okay. When your hair is fabulous. Okay. Did anybody paste the agenda doc in here?
A
Okay, first thing we do here is introduction. So sorry, I really just got out of this meeting and it's still happening and I'm still being messaged about it, so my apologies. My name is Ian. I am the co-chair of Kubernetes security here. Our other co-chair, Tabitha Sable, is not here today, but sends love to everybody. I'm here to improve Kubernetes security, hack the planet, make friends, hack the planet with my friends, and my pronouns are they/them. How about you?
B
Hello, everyone. I am Grace, pronouns she/her. Currently a student at Waterloo, also been on the release team for a little bit. If anyone can give me edit access to the document, I feel like that'd be convenient. Oh.
C
Myself, I cannot access document, which is not like normal, yeah.
A
Okay, let me try to figure out how to fix that while other people do introduction things.
E
F
Right, I'll go next. Hey everyone, my name is Rey. I work for SUSE by way of Rancher Labs. Also participate, or also participate in other things as well, like SIG Docs and SIG Release, and also a sub-project lead for State security for the third party security. App.
G
Hey folks, I'm Ola Dewberry, she. I love being here. This is always a highlight of my week, and I am the sub project lead for security self-assessments. Thanks.
H
I
Hi everyone, this is my second meeting of the, of this, of this team, but last one was awesome, so very excited to be here again. Orissa Reed, he/him, and I am now running a new open source project at a new startup called authorize, about intent-based access control, so very much in the security in dev space, and before that I was CTO at MuleSoft.
J
K
Hi, David us with IBM Research. I'm, I exported from the Knative community, from a friendly neighbor, Knative community of the CNCF, with the projects that we have done there for securing, behavior security monitoring and control.
K
We have a PR that we hope that people from the security work group would review, for a blog post that, that we aim to raise the, the concern of people about microservices being deployed on Kubernetes are in, in fact, are mostly vulnerable, and people are just ignoring that. They assume that if they don't have a CVE, then they are safe in a way.
K
K
So we have a session on the sixth of, of the month. Next week we have a session on, on Guard, and we have the PR, and you're all invited to the session, and you are all invited to read the blog post and, and comment and think what, what, what's your view about that is.
A
C
L
You know, I'm really, I do security stuff for this dog. Yeah, I try and help out where possible. Pronouns are he/him.
D
Okay, him. I do security consultancy stuff at Whitaker.
C
Oh, are we doing introductions? Yeah, my name is Chris Mark. I'm, I'm just here to listen a little bit about security, see what this exercise is about.
E
A
You, so hi to the new folks and to the people who have been here before. Generally, we start out with introductions and then we go to report-backs from the subgroups. So first thing we have is a report back from the audit subgroup. What's going on with third party security audit?
F
It bugs, so no change from the last meeting, which, where pennial communications, the findings will be published pending on a final review from the SRC, and we're also writing up some communications from the CNCF about the findings, and they'll be released when we have the green light to release the findings.
A
Awesome, okay. Anybody have any questions or thoughts about security audit stuff?
A
Really excited to see that when it gets to coming out. Next up on the list is SIG Security docs. What's going on at docs?
J
Hey everyone, there is a review request for the vulnerable microservices blog post, and I'll put the link there. So if you all have some free cycles, please feel free to, like, take a look at that. I think David, who's the author, the post, explained a bit about the stuff during this intro. David, do you have anything, do you want to add?
J
Yeah, I was just like, I was looking at my cat me audio thinking that, did I move myself when I talk, or like, everyone's like super silent. All right. So that's, oh.
J
J
To, oh, no worries at all. Like, we were wondering that if you have anything that you want to add. I know, like, you talked a bit about the vulnerable microservices during your intro, and there is going to be an upcoming demo at the tooling subgroup meeting next week.
K
Just that the PR itself and the post is, is fairly complete, but it does require review, security, from a security standpoint.
K
Specifically, we had a couple of reviews already there which were addressed, but there was a, a request that security work group would also review this to, to make sure that it is fine from security standpoint, so that, that's one, one item. PJ suggested that the, what we will do in the session on the sixth, on the tooling meeting, is that we will spend some time reading the, the post, and then we will, people would add comments.
K
So we would maybe use that time for, for reviews. I'm still not sure what he would want to do, if that, that's a good, good way to do that, but it, the only meaning is that we will not be, have time to actually look at the tool as far as design, architecture, implementation, what it actually does, is status bar right now we will.
K
It will help people understand the problem that it is trying to solve, and the approach and the use cases, because that, the post is, is concentrating about those and not about the actual tool.
K
So PJ is not here, so I'll, I, I just want to say, I don't know if on the sixth we're going to discuss the problem space, but it seems that this is what would be the, the main issue, to that understand the problem space and the approach to solving it, which for me is fine. I mean, if you can cover this and the reason understanding better concerning in the community or on that one, then later on.
K
K
K
K
J
Thank you, David, and we have our meeting today in a couple of hours, so we might have more for the next meeting.
I
A newbie question, trying to understand how, how docs are run. So this would be a blog post talking about a problem but also kind of pushing the use of a particular tool, or how do I think about this?
I
E
J
So it's the security docs, so product goal is still enhanced security documentation or around the entire Kubernetes. So like, one of the things that we do is also write blog posts, and we also, like, work on improving the existing content, adding tutorials and more stuff, and with respect to the third party tools and content.
J
I know there is, that there is a general, there was a discussion in SIG documentation before, and we tend to avoid adding third-party tools directly in the Kubernetes documentation, and I think blogs are a little different. We might be able to mention with the disclaimer telling that this is not the official recommendation from the Kubernetes folks. Then I'm going to defer a little bit to Rey. I know Rey's here, Rey's our documentation co-chair, so you might be able to add a little bit more on the third party content. Yeah.
F
So a few, I guess about a year or so ago we, but we had, we had an effort to remove any references to third-party tools. Of course, that can't be entirely be removed from Kubernetes documentation. There are things that you need to have a cluster running, so things like a CNI, so there are some references still to third-party tools, but they do have a warning, and any mention of a third party tool and the documentation.
F
There is a Hugo shortcode for a third party warning for it, and other than that, for, for blogs, we do like to make it vendor neutral, but if, you know, there are some situations where, where blog posts might mention that third party tool, and we would still have that third party, that warning, or with that Hugo shortcode. Any other questions on that? Because I hope that clarified it. It.
I
F
A
A
Okay, cool. All right, if everybody's good with docs for the moment, next up is SIG Security tooling, which is a different subgroup, and actually, I guess a thing that we could do today is explain what exactly the subgroups do, because this question reminded me that we're not actually in the habit of doing that, which is not a terrible idea. So somebody want to speak to tooling and what tooling does?
A
PJ, who is our subgroup lead for tooling, isn't here, so I think we could probably try to do that collectively. Rey, if you're trying to talk, you're muted.
F
Yeah, but so tooling, it's, it's a sub project that looks into security tools that can be used in, in different aspects in the build of Kubernetes. Like, they've looked into tools into, like, scanning during the Kubernetes build process, or other security tools as well, and folks who also presented their open source tools to the sub project. I think Caitlyn and mahe also have presented the tools that they've worked on, their security tools that they've worked on, to the sub projects as well.
F
Also, they've also had presentations from other open source projects, they're looking to donate into their, their security tool to Kubernetes as well. I believe one, one from Azure about, it was a tool that would prune images are not being used in your worker nodes. So that's to automate that, so that was presented as well.
A
Tooling has also historically had, maybe you said this already and I just missed it, worked on, like, internal security tooling for the Kubernetes project, so like, things like the CVE dashboard or things like that, that, like, make it easier for people who are doing, for example, the release process to be able to do things in a more secure way. Yeah.
A
So tooling, says from Slack, I'll read this one out unless somebody else feels like it, because, because PJ isn't here: borrowing one task, we have a fleshed out task list for the things to do, and Kubernetes 1.27 and issues. One, and I can't talk and check that link at the same time. So if that link isn't right, somebody fix it please. If that link is right, great. And then there's also a learning session on Security Guard next Tuesday.
A
A
A
There is also a security tooling channel that is specific to that subgroup, and okay. Anybody have any thoughts, questions, other stuff about tooling that isn't listed on the agenda right now?
J
And just to add one more thing, that if you are interested in presenting some of the security tools that you're working on, so the tooling subproject has two meetings, one working, it alternates between a working session and a tooling presentation. So I can create an issue and then go from there, and I, I don't know where to create the issue actually, but I think the way to present your tool is to create an issue and go from there. But I can cross check that and get back. Sorry about that.
A
I believe that there's a form, and that got published in a previous agenda update, if I'm remembering this correctly. So action item for somebody who is faster than I am, or me when I am not trying to facilitate, to try to find that link and, and bump it, because I think that got posted a meeting or three ago.
J
A
A
Okay, I'm also happy to look for that when I'm not actively talking. All right. Anybody have any thoughts, questions about tooling things? Also, the presentations are great. They're, like, really good learning spaces, and it's, I think, one of the really kind of wonderful things that security tooling does, is have these sessions where people get to share and learn. So if you haven't gone to one of those, totally recommended, really good.
A
G
Great question. So security self-assessments: we are the subgroup that provides security self-assessment or threat modeling services to anyone who requests them through our issue tracker, which I just posted a link to, in fact, sorry, in chat. So that is our, oh wait. It looks like my notes just went away.
J
B
B
G
You for putting it in the right spot. Yeah. So that's what, that's what we're about, is, yeah, offering that service to the community.
G
It's a good point of history that Pushkar, or PJ, who runs tooling, is the person who did the first ever self-assessment for CAPI, with, of course, the CAPI group. They requested it, and that's what sort of birthed this group, and I was lucky enough, and one of the first two meetings I attended here.
G
Pushkar asked, hey, like, it would be great if someone else could run it, and I put my hand up. So that was a really great opportunity. I've already learned a ton already. So first point of business. This is that I am slowly making progress in terms of really getting the sub project stood up.
G
The great thing about this community is that it welcomes and celebrates beginners. I am not a developer and I am definitely still a beginner with Git, but Kailyn, huge shout out, helped me make a PR for the basic docs that I wrote up after discussing with Pushkar, like, what, you know, just how do you get the people together, like, what's the process that you followed for the CAPI self-assessment. So that PR is out there. I handled the CLA issue.
G
There's another issue on the PR that I, I need help, there's something about, like, a user ID not being on the commit that I need to resolve, but PJ and I are working on doing that through Slack asynchronously.
G
G
So the, the owner of the project, who happens to work at VMware where I work, Shang, and then one of her colleagues, in addition to Grace, who also put her hand up to volunteer so that we can do that. And so that's the progress there. And then another thing I wanted to update on is the threat modeling workshop idea that I had for Amsterdam and, and really just in perpetuity.
G
So I did some research during Thanksgiving on different types of threat models, and the one that stuck out to me as what I think would be, what I, what I think, and I need people's feedback who have, you know, like, actually done this before, would be the most effective, is doing an RRA, or a rapid risk assessment.
G
Mozilla has some really good documentation about the process that they have. I also read some documentation from Autodesk about their CTM, like, continuous threat modeling practice, which is really, you know, do an RRA and then just continuously keeping that threat model up to date as there are major architectural changes or just any material changes in the system.
G
So I think, so, yeah, I'm really just at this point signing up for a couple of different SIG meetings to just socialize the idea of a rapid risk assessment or a threat modeling workshop at Amsterdam, to see who would be interested in, in doing it in the community, and the other thing that I'm thinking about is, so, yeah.
G
G
I also think it might be prudent to, in Amsterdam, limit the first session to, like, two or three or maybe four SIGs or sub projects, like, whoever wants to participate, just to have it be more of, like, a pilot situation so that we can learn, and then in Chicago we can go big, to sort of, like, yeah, just, just create really kind of a safe learning space.
G
So to speak. So that's kind of my, those are my ideas there in terms of, like, looking ahead to how we can, and, and really, like, my central idea is spreading the knowledge of how to do a good threat model in the Kubernetes community, so that we can start to really just federate that security knowledge and, you know, basically helping people understand, like, hey.
G
If you're, you know, an expert on a certain part of Kubernetes, because you're part of a certain, you know, SIG, like, you know, CAPI or, you know, cluster API or, you know, SIG API Machinery or whatever, it's like, you can, if you get the right people together with the information that you have about your system, like, you can do a threat, you can do a threat model, and it shouldn't be this, like, gated, oh, you need, you know.
G
You know, 10 years of security expertise to do a good threat model, and just really helping people understand what they can do with what they know. So that's kind of the higher level idea, but yeah, I would, I would love feedback on my approach. First of all, like, you know, is doing a rapid risk assessment a good place to start? Is, you know, limiting the amount of participants in, in Amsterdam, you know, sort of a prudent approach?
G
Is it too conservative, and, you know, and stuff like that, so would really love that, that feedback.
J
J
I was gonna say that I don't have any technical points to add on to whatever that was, like, what I'll described very well, so I don't, I don't have any technical expertise to add on that. But then I want to, like, learn and I want to, like, know how it's done, chill, like, I'll be, I'm up for it, and it's, it's a great initiative.
F
Yeah, I think this is a great opportunity for everyone, for, for SIGs, first sub projects, you know, different various, like, smaller projects within Kubernetes as well: new contributors, veteran, better folks who run a sub-project. This is a great option for everyone.
A
Yeah, I really like this idea, and I really like the idea of, like, going to different SIG meetings and, like, increasing that kind of cross-collaboration too. Like, I think that's awesome, and like, I can tell you for an absolute fact that, like, you're gonna have lots of people in the community who are not necessarily here in the room right now who are going to be excited to help with this and whatever workshop form you've got, you.
G
Know, so yeah, and I, I know, Ian, you and Tabby have volunteered as coaches for this, and I'm thinking, like, you know, one, one threat modeling coach per, you know, participant increment, whether it's a, you know, a SIG itself or a sub project within a SIG or whatever, because, yeah, I think it's, it's good to have it, at least for the pilot, be a high-touch experience, and then we can always pare it back.
G
You know, when we, when we want to go bigger at Chicago, but yeah, to me, it's, it's really about quality, you know, and making sure people have a really positive learning experience and that they have an artifact that they really understand. They understand how to keep it up to date, and yeah.
A
G
Speaking of humans, I, another thing that I forgot to jot down here is that one thing I'm trying to, I'm thinking really hard about, is, you know, we want people to have a good experience. We don't want people to feel like they need to be an expert or anything like that, and a lot of that, I think, at a practical level comes down to keeping the prep time.
G
You know, it's like, you need to come prepared to the session with, you know, a data flow diagram, and, you know, you need, you know, two people who are really knowledgeable about the system that you're threat modeling, but the two documents that I read, which is the Mozilla RRA document and then the, and.
D
G
Have a couple of longer ones, just for my own edification and depths of knowledge dollars that I want to read, but the Autodesk continuous threat modeling process, which is, it's, it's sort of like the RRA doc that I read, but with a little bit more detail, total, I'm, I'm, actually I'm a fairly slow reader.
G
G
A lot of people are going to be flying to Amsterdam, like, what can you do in a plane ride to, to show up, and I feel like asking for just one hour of people's time for, like, here, read these two documents so you understand sort of how this is going to work and what the outcomes are, and then, yeah, and then it's, you know, come, come with the data flow diagram of the system that, that you need to threat, that you want a threat model.
A
Yeah, so I hear this and I don't think it's a bad idea, because those are really important kinds of things to be able to have lined.
E
A
If you're going to be able to do those kinds of threat models. I haven't read either of those documents and would frankly be thrilled if you felt like linking them in the agenda so that the rest of us could read them. But in my experience threat modeling, like, on the job across companies, like, knowing how to do a good data flow diagram is, in and of itself, probably a good subject for a workshop. It's not common knowledge.
A
A lot of people don't know how to do it at all, and the, I say this with, you know, no shade whatsoever, because, like, you know, like, everybody's, everybody's on their own learning pathway, but like, if you set that up as a prep expectation, I would prepare yourself for a widely varying quality, content, format for data flow diagrams, because a lot of people just don't know how to do that.
A
I don't think it's a bad thing to ask for, just be prepared for it as a, as a teacher or a facilitator, because I think you're gonna probably maybe spend more time dealing with wrangling the existing diagram than you might think.
G
Okay, that is super helpful, because, yeah, maybe another idea I was toying with, and I'm so sorry to whoever, to Grace, who's taking notes, I meant to, I should have put these in the, in the bullets, but so that is, yeah, so I think the 45 minutes to an hour of reading at slow pace is fine.
G
I was also thinking about, like, do we take another one hour session, or do we make the session two hours, optional first hour for, you know, if you don't have, you know, bring your data flow diagram for some workshopping, break, and then second hour for assess yourself, basically, or, or do we do, you know, like, one hour session in the morning or something, you know, or, like, you know, sending out examples.
G
But again, it's like, you can show up at KubeCon with, you know, maybe not great to mediocre data flow diagram. I'm just, I'm trying to, like, pare down the prep, knowing that people are busy with their jobs and kids and family, and it's like, you can just show up to KubeCon and know that you're gonna get the help that you need to do a good rapid risk assessment.
D
G
A
Wonder if, I mean, in, I really appreciate that you're thinking about this, and frankly, I really appreciate that you're thinking about this in public, because, you know, like, this is, as I said, it isn't common knowledge. You know, like, this is not necessarily something that everybody is born knowing how to do, and it's not really even something that, like, security engineers necessarily know how to do, like, if you haven't been exposed to it.
A
This is going to be new stuff for people. I wonder if, if it might make sense, and this is totally me popcorning, not me telling you what to do with SIG chair, like, if my hair wasn't so messy I would take off my hat and say that I'm taking my hat off, like, I wonder if it might make sense, because actually I, in and of itself, I think how to make a data flow diagram would be a good workshop topic. You know, like that.
A
Don't know how to do that, and I actually think there would be demand for that, and I wonder if, I mean, this is a contributor summit thing, right, like, this is something that people are signing up for. I wonder if it might make sense to just, you know, if we're unconferencing, have two blocks actually, of like, one block of, like, okay, here's how you do this.
A
A
If you don't know how to make a data flow diagram, come to this session before lunch, you know, you can work on your data flow diagram after lunch if you want to, and you haven't come with one. Here's what, here's a, you know, kind of like, bespoke, you know, helping you through this assessment process that you can sign up for with a mentor, and that might just be a different thing than, like, a kind of larger, kind of more workshoppy format of, like, here's what you want to do with a data flow diagram.
A
Here's the kind of thing that you want to look for, like, here's what a trust boundary might be, here's how you would data, here's how you would diagram that. Those might be two different things, and I think both of those things would be valuable. Just thinking, I.
G
Think, yeah, I think treating them as, like, essentially separate things is, like, the rapid risk assessment versus, not versus, but the energy diagram, and then, but like, suggesting the linkage of, like, if, if you want to do the rapid risk assessment and you're not super confident in your abilities or knowledge of doing a data flow diagram, come to this session and we will help you with that. PS.
A
Would edit that, because, with so much love to all of the white guys in tech that I know, there are plenty of people who are very confident in their abilities and might still need some extra help. And so, you know, like, I would maybe, I would probably split this out if it were me planning it, and it isn't me planning it, and so I'm not, again, not telling you what to do, just, just sort of brainstorming, like, I would maybe split this out into, like, we're.
A
Gonna have one sort of more kind of lecture style, whatever, workshop of, like, where there isn't going to be one-to-one people sitting down with you, like, here's what a data flow diagram entails, here's how you make one, and then I would link that in the second one, you know, have that one be first, like I said, maybe before lunch, have it go over lunch, and then be like, okay, you know, like, come with a data flow diagram. If you don't know how to make a data flow, you know, like, like, for help with the.
A
If you don't have any data flow diagram or you want, you know, extra help on the finer points of this, come to this thing, and, you know, otherwise come with this, but I would, I would still assume, frankly, that it's going to be somewhat varying in quality and format, because, as I said, this isn't actually really super common knowledge. Like, a lot of people just don't, that it's not, unless you've been exposed to it already, it's not something that everybody knows how to do, and so that's not, that's not undoable.
A
G
Know, okay, that is super helpful. I think in, in addition to, yeah. So it's like the lecture style, like, here is how, here, here's an example of a good data flow diagram, here's how you build it, here's how you get to this level of, like you said, trust boundaries and, like, what are the protocols used in the ports, and, you know, all that kind of detail, and then, yeah, having the RRA, expecting that we're gonna have varying levels, because I guess it's like.
G
Even then, even if you come to that session with, like, a mediocre or not great data flow diagram, the exercise of trying to threat model with sort of incomplete information is still a valuable learning experience, I guess, for, for someone like that, because it gets, it's, it's really like getting people to think about, wow, like, the level of detail that you need to know about your system to be able to threat model it.
G
Okay, so that's, yeah, it's, but that's like a good, realistic expectation to have, and yeah, I think also with, like, in advertising the threat modeling session, it's also like having some really good examples of data flow diagrams as well, for like, here, is like, doing, trying to alleviate as much risk of not great data flow diagrams by way of example and expectation setting. I think that's another way we can mitigate that, but like, like you said, still being prepared for the eventuality that it's probably not.
A
Not even a value judgment, like, they're not going to be uniform, and so, you know, like, having to navigate that is going to take a little bit of time for all of the people facilitating this, and that's just an important thing to kind of build into your expectation setting for yourself and also for others.
A
Grace had her hand up and I just want to acknowledge that, although you don't have your hand up anymore. I don't know if that was, like, an accidental press. But I do want to give you space to talk if you want to, Grace.
B
A
If somebody knows of, like, really good succinct talk about that, please link it. I would absolutely love to see that, and I would love to pass it around at work, because when I've looked historically for those I haven't necessarily found one. But I would absolutely love to find one. So if anyone has find one, like, I'd love to get the kind of resources and.
G
You know, but Grace, that's such a, that's a good idea, because even though having one during the contributor summit is really good, which, by the way, like, I have consumed excellent data flow diagrams in my day, but I have not actually built them myself, so gonna need someone else to help me give that talk, but also, like, I'm thinking, like, in terms of doing, like, the really rigorous socialization and getting, you know, like, two to four sign ups for our initial threat.
G
Modeling session, is like, I'm willing to put in time to, like, before, like, yeah, you know, Amsterdam, is, like, you know, building, like, a little email list for, like, hey folks, you know, we're a month out, reminder: here's what a good data flow diagram looks like, if you want some help getting, you know, your diagram to look like this, we have that, you know, like, doing a lot of the socialization, and just, here are the examples.
G
Here are the resources. We do have a live resource session, as it were, at KubeCon, but just, yeah, trying to socialize in the community as much as possible to increase the likelihood that people come prepared. Again, it's, oh sorry, go.
G
I
That point, just taking a slightly different direction at this, I've seen a lot of difficulties that our secops people or various companies had, and even getting people to buy into having threat modeling, to do it, to just, like, is it valuable? Are you just going to sit there and criticize me? Like, there's all these negatives associated with that, and I'm wondering whether we need to just make sure that they are motivated to come by saying, here's some good stuff that you'll be able to take away from this thing, and I, I.
I
One example of this thing is that it's not just about everybody rushes, okay, you've, you've found something in your threat model, I'm going to go and rush in and try to prioritize fixing it and so on, but another one might be, and I know I'm the, kind of said it on the last call, but what would you do if, if this threat were to materialize? Do you have the, you know, forensic in place? Do you have the visibility in place? Do you have the alerting in place?
I
G
I
To help them pitch it inside of their own organizations, like, what's good about doing these things. Totally, totally. You know, to Ian's point, I think not only do people not necessarily know how to do good diagrams, they don't even know how to pitch this thing. They don't know why they should be doing it. So I think the bar is pretty low.
A
G
E
G
But yeah, Rory, like you were saying, like, this is not a shaming exercise. This is a learning exercise. This is a collaboration exercise. You know, this is a how-do-we-share-knowledge-and-lift-each-other-up exercise, and yes, like, we will be making Kubernetes more secure as we do it, but yeah, I'm just looking, yeah.
G
This is about, like, knocking down the first domino, and, like, honestly, like, I feel like my, the biggest goal here for me is that people have fun, because if people have fun doing this, then they're gonna learn something and they're gonna be like, this is actually pretty great and useful. You know, it's, so it's like, as much as it sounds silly, but it's like, I think just getting people to have fun and to learn stuff is, like, that's, that's the bar that I'm kind of setting for myself, just.
I
To make sure I, I didn't misunderstand something: I, it's not so much that I'm worried that people will be shamed at the workshop. I'm worried that, that when they pitch it back to the organizations, hey, we need to do more threat modeling, they'll be met with a negative response, and so how do we help them promote threat modeling in their organizations? I think in all the companies that I've been at it hasn't been done nearly enough, and, and I just, we have to sell it more, just understand how to do it well. Gotcha.
A
Ella, let's be in touch a little more offline, or maybe a lot more actually, for, like, Coke, yeah.
A
Feel free to blow up my Slack anytime, because I'm sure we'll have lots to talk about and to work on, and I'm not saying that to cut us off in the meeting, but also because we are not actually meeting all day long. So let's, let's have some quality time around that, and yeah, we'll make it, we'll make it work. We've got some time too.
A
I want to also just say that, because we do have a discussion section that we haven't actually gotten to, and we have eight meetings left in this meeting. Eight minutes left in this meeting block time, so yeah, I'm going to move this forward as facilitator so that everybody gets their space. So Kalyn, you are first on the discussion with news for the new year, yeah.
H
It's not, it's not a huge amount, but Shopify, I don't know if any of you know Katrina over at SIG CLI. She works at Shopify and she heads up a program called Kubernetes Foundation that is all about building the relationship between Kubernetes and Shopify, and I have been accepted into an open source
H
sabbatical, open source experience program, so I'll be working with her full-time on Kubernetes for four to eight months, and she is a CLI person, so I'm gonna do a lot of SIG CLI work just to be able to suck as much knowledge from her while I'm there. But another big goal of it for her is to build the relationship with other SIGs, and obviously, Security is who I would be able to represent most easily. So I was just, off the top of my head,
H
I was thinking doing a self-assessment of maybe Kustomize would be a great, like, starter point, but just for people to think about if there are other ways that we can build the relationship between the two SIGs. That would be something that I would, I will have a lot of time to do.
H
40 hours a week for at least four months, so that's an exciting thing. And separately, but since I'm talking and going really fast, I also was thinking, after hearing about the docs, I forget what the title is called, new contributor, some welcome committee, there's a title for that position. I didn't know if that was valuable for people on this team, but I was thinking, if we thought it was valuable, I know we don't have as much defined, like, new issues to pick up, but running, like, what I was thinking would be
H
a good start would be myself and anyone else who's interested running, like, a 10 to 15 minute meeting before these meetings to just welcome new people, talk a little bit about what the meeting's like, how we're going to introduce each other, just to feel welcome, and, and make sure people don't think that you have to have done literally anything to come to these meetings and be welcomed in the community.
A
I think that idea is lovely. I think there's probably a few different ways that one could go about doing that. Like, it could be office hours, it could be a pre-meeting, it could be, I think there's probably different ways that we could do that. We could build in a little, like, early meeting agenda bit for breaking that down for people, but yeah, like, I love it. I love the idea of, like, making those extra steps to welcome you folks and, like, yeah.
A
C
H
Yeah, Shopify is trying to, like, build the upstream, so internal, there's opportunities for internal placements on this team to do four to eight months of exclusively upstream Kubernetes work.
A
I am taking notes and facilitating at the same time, which is always just the worst idea, and I'm sorry, everybody. Do folks have other thoughts, questions, things on ways that, and I would especially actually love to hear from the newer folks who are here, like, ways that SIG Security could optimally welcome new contributors and encourage them and tell them what's going on?
B
I actually like the fact that we, like, introduce yourself at the beginning of the meeting. So maybe we can do what Kayla suggested, but as part of the meeting as we've been doing, but maybe a little bit more intentional about it, because I feel like asking new folks to come in at, like, you know, 10-15 minutes early can be confusing, yeah.
A
Yeah, I'm, I'm sort of inclined to agree, of like, I think that there might be ways to, like, build that into the meeting and the Slack channel and, like, the ways that we do things that won't require going to pre-meetings. Like, as somebody who's in back-to-backs always, like, I don't want to miss that every time and I don't want other people to have to miss that every time. But, like, the idea of, and I really appreciated the series, like, when you were like, wait, what does this group actually do?
A
I was like, I hadn't really thought about, like, the fact that we don't, we introduce ourselves, but we don't introduce our subgroups. Like, fair enough. You know, and how, how can we build things like that in, or, like, you know, make sure that we're emphasizing, you know, ways that people can get involved, or things like that? Like, like, thank you for bringing that up. Like, yeah, I love this.
I
Yeah, I, it's, so I'm on the, on the technical steering committee for OpenAPI and I know how those meetings work, and I have to say, sometimes it's a little bit of an echo chamber in there, where it's the same people every time and you get to know each other and you kind of forget when there's somebody new. I would almost say maybe for new people have more time at the beginning of the introductions, and for the existing people, you know, just link to something so that, you know, we
D
I
have to have the same, like, if you're on this meeting every time, you'll end up introducing yourself every time at length, and so I think if we focus on kind of more of the introductions and the new people, and then focus our own time, the people who keep coming here, and more explaining, like, this is how things work, that might be a good balance.
J
How about we add the lead links to the co-chairs and it's a project leads in the template, click the header, and then once a quarter all of us can go and follow, the rest of the meetings follow what Yuri said, because I really like it.
A
Had, I was just, I cannot figure out how to make that thing into another bullet point, and so I'm going to give up on it. But if anyone knows how to format that and do a bullet point, I'm gonna stop.
A
I will, I will say that the reason why everyone's around it and introduces themselves every time is done on purpose here, historically, as an effort toward inclusivity, that even if it is the same group of 10 people every time, we always do it, because if there's one new person every time, it sucks for the new person forever to be like, who are you, and then not introduce themselves, like,
A
that's not a welcoming experience for people, and so we do it every time, sort of habitually, and, and to create that as a thing that we do so that everybody who is new doesn't have to have that experience and, like, knows who everybody is, and it's not weird for the new person to have to, like, be put on the spot to introduce themselves.
I
I, I hear you. I think, I think the only thing is, and again, just from fresh experience, if everybody's introducing really short, you tend to want to introduce really short, and then, but you don't know anything about this person, so you actually want a longer explanation. So if there were some way to just kind of encourage people to talk a little bit more when they're new, and we can keep, you know, the existing people's introductions short, that might, that might balance everything.
A
That makes sense. I'm totally open to ideas and for what works best for people. Like, I'm one person, my name's on the lease, but, like, really, SIG Security is all of us and what we make together, and so, like, yeah, like, thank you for, for putting in that idea of, like, I think on that one.
K
One input from, as I, I was rather new in, rather new in these meetings, and I can give you my own experience. I feel that introductions were very natural. Everything was very nicely done. I, I don't think that there is a problem in the way it is done right now, but I did find it hard,
K
you know, to, to create my mental map of who's doing what and who's involved in what and who's, that, that's kind of hard. Even if someone tells it, tells what he does in the beginning of the meeting, it's very hard to remember all, all the new faces and everyone, what he's doing, so.
K
It would be great if we would have, like, something, for example, in the document, table of people that are, are you being participating in the meeting, and, and, and a line or two about what they do, or, or what the, whether they're involved in this group or this subgroup, or, and so any such summary, or at least a link to such summary, would be helpful to someone who is new, because then it would help to create that map of who, who's doing what.
A
And also feel free to add to that. Like, you know, I am not, I am not the king of the agenda. Everybody gets to write stuff in it, so if other people have ideas, totally feel free to throw them in there. Also, the Slack channel is always open, 24 hours a day, seven days a week, so, you know, people have thoughts and things to discuss, Slack is also a great place to do it.
A
I want to be respectful of our time, and I realize other people have meetings that they need to go to. So this has been an awesome meeting. Thank you all so much for coming and, you know, and for the discussion and thoughts and ideas that you brought here. Super excited to have all of you here, super excited to be here with you, and let's continue this on Slack, because, because I think this is great and I think y'all are great. Thank you. Thank you. Thank.