From YouTube: Kubernetes SIG Security 20210715
Description
No description was provided for this meeting.
A
So welcome to Kubernetes Security. My name is Ian Coldwater. I am the co-chair of this SIG and, yeah, welcome. Ray is taking notes today. Usually the first thing we do is go around and get a note taker, so thank you for doing that.

B
Pretty good. So, from our last discussion, we are reviewing the four proposals, so that is underway. Also, we do have a vendor selection due out next Tuesday, so, daily, I'll reply back on our little subgroup. Hopefully we'll get what's going down by Sunday-ish; a few of the reviewers are out on holiday this week. I do have an open PR for an initial overview.

B
README guide for the external audit subproject itself, and I have that link in the agenda. That's just kind of to lay down the overall steps of the subproject, just as a guide as well for people coming into the subproject. Next bullet point: so I'm gonna see, Robert is on the call as well, that he did start the assessment for the Cluster API security assessments.

B
And that's it for the audit subgroup. Any comments or any questions?

B
There... the timeline is very loose, and that's meant to be on purpose, just because of the current situation the world is in, and also we know that lots of vendors are pretty busy as well. So that is also a discussion topic with the vendor. The timeline is loose; no hard-set timeline. Ideally we would probably have one, but it's hard to say currently, but there is no timeline. I'm hoping by end of 2021, but that's just me wishful thinking. So.

A
My bad. Is the Cluster API thing going to be public when it's done, or...?

C
Well, I'm hoping it's transparent and public the whole way through. I mean, in this first phase, kind of following the CNCF Security TAG process, this was meant to be kind of the project self-assessment: get, you know, surface the information, do some discovery, get things a little bit more tidy to be reviewed, and then in the TAG we do this thing called a joint review.

C
I think I'll probably tweak that, make some recommendations about getting a little bit more focused for Kubernetes, but that's where you could kind of get into the threat modeling, and maybe there would be some items that would pop up that would be subject to embargo or something like that. But we're not to that phase yet. Under this self-assessment phase, I would say that it is all publicly available stuff.

C
If anyone who wants to participate feels like they haven't covered something that would be subject to embargo, you can certainly ping me or Ray, and, you know, I'm not an expert on the whole embargo process, but I could certainly cordon off folks who are. But I don't think we're going to get to that level of detail in the self-assessment yet.

A
Fair enough. If people want to know about the embargo process and how that works, Tabitha, who is my co-chair, who is not here today because she is moving, is on the Security Response Committee, formerly known as the PSC, and could probably tell you about it in some amount of detail.

C
Excellent, and we should circle around. I think she's on, but we should circle around and get a kind of brief with her and just have that in some form of formality as we get closer to that, you know, threat modeling and detailed review part.

A
That makes sense. SIG Security and the... I keep wanting to call them the PSC, the artists formerly known as the PSC, worked together really closely. So I'm sure that would be a thing that could be arranged and that people would be excited about.

E
So I don't have much update, because, I am sorry, the meeting fell off my calendar and I'm so embarrassed. So we just did a quick asynchronous check-in. Grace is working on a blog for the kubectl kubeconfig remote execution PR that she wrote, and that is in progress.

E
I think she met with Tabby, and I checked in with Rory on the hardening guide, and this week I was gonna go and break it down into smaller chunks, or, like, add a little task list, so that it can be easily tackled. Right now it's, like, huge, and by breaking it down we might be able to get more volunteers.

E
Unfortunately, I couldn't get to it, because the weekend I spent on exception requests, code freeze, and everything that was associated with the 1.22 release, and I'm so sorry, but I will get to it soon. Cluster.

A
Don't even stress, like we all have lots going on. Yeah, okay, for the record, did it just fall off your calendar? Yes. Did you figure out why? I don't know, I had to go and re-add it. I can.

A
I can speak to this. It's because this meeting also just fell off everybody's calendars, and it's because, when Tabitha set up the meetings, for reasons I don't entirely understand but I'm guessing have to do with, like, maybe wanting to revisit the meeting time or something after a certain number of weeks, she had every meeting that she put on there repeat 13 times. This is week 14, so everything for subgroups just fell off the calendars.

A
So if you own a SIG Security associated calendar, you should probably go back and check the repeats, because probably that's what happened. And I think you can just edit it when you're signed in with perms and have it repeat every two weeks, instead of repeat every two weeks 13 times, and that will fix that.

E
Perfect, thank you. I was also going to look into the things that, in other SIGs, they have this reminder that gets sent to the channel, so I was proactively gonna look into that and do that so that I don't overly rely on the calendar.

A
I just want to say thanks for that. You're so welcome, and thank you all for being awesome and doing all the awesome work you do. Yeah, any other thoughts from docs on stuff?

A
Okay, if the answer to that is no, then I am just going to put "not present today" and figure that they're probably busy with release things and code freeze and everything else, and we will probably hear from them next time. Also the meeting fell off the calendar, so understandable. So, discussion.

A
If anybody brought agenda items or things they're thinking about or want to discuss that aren't on the agenda yet, if so, I want to welcome and invite you to put stuff on the agenda, because that's how we do things here. There are a couple of things on there right now.

A
The first one is, if you haven't seen CVE-2021-25740, it is linked in the doc. It is a confused deputy attack. It is currently unpatched. I'm not sure when we are patching it or if we're patching it, but the security advisory came with a file that you can use for mitigation. It has to do with changing the way that you treat handling of Endpoints and EndpointSlices.

A
So if you have not seen that or spread it to your people, definitely spread that one around, because it is not a thing that can be quite as easily just version bumped. People are going to need to do stuff with it. So, you know, spread the love on that one, and I just wanted to call people's attention to it and say that, you know, make sure people have the file.

E
I have one update on that. So Rob Scott is working on a couple of mitigations. One of the PRs merged into 1.22, because we have made it a release blocker, and then we got it merged today, and I'll put the link over there. And the other one is waiting on our discussion, so I'm gonna put that one too. I don't know when that's gonna be done, but whenever it's ready, probably we'll try and get it done, I'll get it patched in at least 1.22, right.

E
Also a discussion that's going on in Slack, the SIG Release Slack. I will post that to you, so whoever is interested, please take a look at it. The overall thing was that probably this cannot be backported, but I don't know if that is even true now, so people are gonna look into it. I'm not gonna confirm on that, because there was someone who told me that it cannot be brought back. Rob or someone told me that, can we backport it, but I don't know if something has changed.

E
That was when I heard about it last.

A
Okay, I know they've been having some trouble over there with bumping Go versions, and I don't know if it has anything to do with that. Fair enough. Okay, thank you for the update on that, I really appreciate it. Okay, okay, so once that patch goes through... it hasn't gone through. Oh, it was merged. Okay, then make sure everybody is doing their version bumps if they can version bump, and if they can't version bump, make sure you're spreading the word about mitigations.

F
That was me. Hey, so yeah, this was just something that came up in the TAG Security discussion, which was there was an idea, or we had a presentation from Kyverno, and it was just discussion about, like, possible attacks generically on admission controllers. So saying, you know, if you deploy one of these to do your security checking, because you don't use PSPs anymore, what do you need to think about, like how could an attacker attack it?

F
And the idea would be that there's, like, a generic set of threats, so, like, Kyverno, OPA, jsPolicy, Kubewarden all face similar threats. So if we had, like, a generic threat model that said here are the things you need to think about, that would be kind of a useful thing for people who are implementing admission controllers to look at, and people who are deploying them.

G
My instinct would be to say Kubernetes issue, security issue.

A
This is my instinct on it, too. Is that if it were, you know, especially if, like, if we own Cluster API, you know, then, like, that I think actually then it's thoroughly in SIG Security, because my thought on it was similar to yours, which was, like, okay.

A
Well, if it is talking about admission controllers in relation to Kubernetes specifically, that feels different to me than if it was, you know, a Kyverno threat model or an OPA threat model, because it's just, like, things as related to Kubernetes. But also, if I'm thinking about it in relation to... wait a minute, though, we're threat modeling Cluster API? Then I think all bets are off, and it just belongs to us at that point. It's kind of how I feel about it, but I'm open to being wrong on that.

F
Yeah, I think I'll second that as well. So I guess at that point it probably falls into docs, I guess, because it's kind of a docs thing rather than a code thing, so something perhaps we could pick up. The idea, yeah, the idea was, like, just kind of high level: go through attacks on, like, the admission controllers themselves, but also look at possible policy bypasses. So everybody started to see some things with admission controllers, with things like case sensitivity on policies.

F
So, you know, if the policy engine is case sensitive and the target is not case sensitive, can I bypass by mucking about with case? Things like, you know, these are generic things that they all need to think about, but I think it'd be useful to have that high-level set. It doesn't have to be super long, and I can learn my lesson with the hardening guide: try not to make things super big, try and, like, let's have something targeted. This feels like it could be fairly targeted.

A
I love this idea. Yeah, it's a really good idea, and yeah, I do think that, you know, if docs is good with this, it feels very squarely under docs, and docs is doing amazing work and I'm super happy with that, if y'all are happy with it.

E
I think, to be perfect... I'm just thinking about one of the things, like if we're going to do multiple things in the future like this, like should that be... So in documentation, we have, like, three major areas, like tasks, concepts, and one other thing which I forgot, and tutorials: tasks, concepts, tutorials, and then blogs.

E
So this might fit under blogs or tutorial, maybe, depends on how we are going to arrange that, or should we have a separate section, like how CNCF does it? They have, like, white papers. I know this is not a white paper, but we can, if we are going to do multiple similar things in the future, like, do we need to have a separate section? I'm just throwing that idea out. It doesn't have to be decided right now.

A
Yeah, I mean, this is maybe a silly question, like... there's no such thing as a silly question. That's a lie. Nobody ever has silly questions here. Is there a definition of white paper that is official, that this wouldn't fall under? Because that actually sounds kind of white-papery to me.

E
Oh, I don't have any inputs on that one, and I thought in my head... I thought that, I don't know, I'm just gonna take that back. I will see you, no.

E
I wasn't sure, like, in my head I was thinking that probably it's somewhere where people come together and publish it. In my head I was thinking, like, and this is similar: people will come together, collaborate, and we will publish it on the Kubernetes website. So it's the same, so I shouldn't have used that. I'm sorry, thanks for bringing that up. I'm like, oh, you're completely fine.

A
Though, I mean, we can do absolutely whatever we want, right? Like, we made up those three categories, and really you made up these three categories, I don't want to take credit for that, and we could always add new ones or change them or whatever. Like, nothing has to stay that way just because we made up rules for ourselves once, you know.

E
Sounds good to me, and I can also take it back to the documentation meeting next time if we can make it. It always conflicts.

E
The meetings that I have right now, but I will make it a point that I go to the meeting so that I can bring this up and ask them, like, how willing they will be if we want to put it under some section, or just get their idea on this, like what is the right place. They manage the organization of the website, not us, so I just want to get their opinion on it, like, what do they think.

A
Totally, that makes sense. Just going back a little bit to the things falling off the calendar: I think the reason why they were set that way was so that if meeting times didn't work well for groups, they could revisit it and be like, is this a meeting time

A
that's good for us, or should we change it? So also, back on the note of, like, we can change whatever we want to, because it's up to us really: if that time is not feeling awesome for everybody, that is also a thing that you should feel empowered to change, if you want to, you know.

B
I just want to continue on with that. If you bring up this admission controller model to SIG Docs, absolutely they could have guidance on where the proper place on the website would be, but they would definitely assume that people from SIG Security or security docs would be the ones writing it. Just, you know.

E
Yeah, I think so too, so I will definitely bring this up, and I don't think that should stop us from working on this. So I think we can get this started whenever everyone, mainly Rory, is ready, and once we... if we want to collaborate, we could just ask for people. I think he already opened an issue in the TAG Security. Do we want to keep it there, or do we want to move it over?

F
I think, yeah, I think if we move it over, and then, yeah, I'm absolutely hoping... I've got a couple of ideas, but I'm fully expecting there are many more ideas, and I'm very, very, very hoping that we can get as many people in this as possible, because I think this is something which will impact clusters for quite a long time. And it's quite early days right now, like, not everyone's gone there.

F
So there's a good opportunity to try and, like, you know, give some good guidance now which will help people as they go and start really scaling up their, like, you know, admission controllers for security stuff. So yeah, but yeah, we can get something like a brainstorming doc or maybe something started and then go from there.

A
This feels very SIG-flavored, so we should holler at the people who don't show up to meetings as often. Is there... this is maybe slightly out of scope for the... no, we're in discussion, this is not out of scope for the report back. Is there... do you need help that we can help provide at SIG Docs, because I know y'all are doing a ton of work right now? Like, can I help try to convince people to get involved, or is there some other kind of, like, help?

E
I am hoping by the next month, the first... so the release ends on August 4th. So I would be dedicating all my time to SIG Security after that. I'm taking a step back from other environments, because I want to focus on this one. So after that I will definitely have a boatload of time. Until then, if you're already... we want to get going, we could always, like, I could come back and ask for help.

A
It's also the week before DEF CON, which is, like, the worst week to convince security people externally to do anything. So it might also be that, just in relation to the flow of the rest of the world, the time to get really going on stuff might just be after DEF CON, and up to you, because that does not affect things internally necessarily as much, but also might a little bit, but externally for sure. It's like everybody this week is kind of buried.

F
Yeah, I think this one's one that, you know, we can start off and, I think, have quite an open... you know, here's some ideas, but we would love to see more ideas, and it doesn't have to be super rushed. And then it sounds to me like we probably want to run that process after, like, into the middle of August or something, and then by that time people have had a bit of time, you know, after the release and after DEF CON, and then we can say, okay, now we've got a good set of ideas.

E
Sounds good, and I wanted to know one more thing: if we are going to open a GitHub issue, and if you want to have it as, like, a discussion, we could also do a GitHub discussion, and I need to check if the k/website has it open. But we do it for SIG Release and it's working really great, especially for major themes, and there was another discussion.

A
One... okay, the next one on the agenda is, in case folks aren't already aware, there is a new Cloud Native Security Con that will be held on October 12th. CFPs close July 25th. I think this is probably co-located with KubeCon, yeah. Yes.

A
So if people are excited about those, check them out by the KubeCon site. I think they have links to CFPs on.

A
There... do people have other things they want to bring up or talk about?

A
Cool, all right. Well, I really appreciate all of you for coming, and I really appreciate all of your work and your time, and I hope that y'all have a lovely summer day if you're in the northern hemisphere, or winter day if you're in the southern hemisphere, and I will see y'all in about two weeks.