From YouTube: Kubernetes SIG Security Tooling 20210518
A: Okay, cool, I think we have about 15 people, it's 8:32, so I believe we are also already starting to record, so welcome, everyone. Today is Tuesday, May 18, it's around 8:30 a.m. Pacific right now. This is our first meeting for this new subgroup called SIG Security Tooling. We have a great attendance so far. For people who have just joined, there is a link to the meeting notes in the Zoom chat, as well as in the mailing list; feel free to add your names to the attendance or any discussion topics you have. And while people are doing that, since we don't have hundreds of people, we can do a quick round of introductions. I'll maybe start first, quickly, in 10 seconds: hi, I'm Pushkar. I work in a security role at VMware.
C: I work with SUSE, by way of Rancher Labs, so I work within the Kubernetes space on a daily basis. I also participate in other SIGs as well, like SIG Release, other parts of SIG Security like the external audits, and SIG Docs.

Hi everybody, I'm Andy Goldstein. Like Pushkar, I'm also at VMware, and I'm also in a security role, looking at things like image signing and vulnerability scanning in past lives.
D: Hey everyone, my name is Priyanka Saggu and I'm currently working at Red Hat on the OpenShift Dedicated team, basically supporting the managed services running on top of OpenShift Dedicated. I've been involved with the Kubernetes community for the last couple of months and I'm working on the Python client. Yeah, that's all, thank you.
E: Hey everybody, John Kinsella, chief architect at Accurics. Been in the scene for a while. I think a bunch of us know each other, so we'll get to details later. Happy to be here.
H: Hello everyone, I'm Naveed. I recently started in the Kubernetes community. I am working with Pushkar on Snyk scanning for vulnerabilities in Kubernetes. Before that I've been working with Red Hat on the connective project. That's it.
I: I'm Assad, I'm a software engineer at eBay. I don't do anything related to Kubernetes in my everyday work, but I have some background in security and I'm hoping to bring it into Kubernetes security. So yeah, happy to be here.
L: Got hopped over. Hi, I'm Patrick, I'm a Google employee. I work on GKE security and I was one of the authors for KEP-1933, which is doing some static analysis to make sure we don't accidentally log tokens in Kubernetes, so yeah.
A: I have tried to give access to everyone who requested, but if you need access to this invite on the calendar, the best way would be to subscribe to the Kubernetes security mailing list. And for the docs access, even if you are part of the kubernetes-dev Google group, you should still have access, but in case you don't and you have requested, hopefully you have access now. All right, with that, I am also excited to hear people coming with different sorts of backgrounds.

Some people very deep, knee deep, in Kubernetes, some very deep in security but new to Kubernetes, so that is wonderful, and as much as possible we'll try to cover different types of topics. Different ideas from all of you are welcome, even though I may have some ideas and Tabitha may have some ideas that we want to work on. So really, if you have something that you would like to discuss, we can go there.

If not, I can also quickly introduce what the group is and what we hope to achieve there, but yeah, the floor's open if someone has something that they want to share.

All right, I guess no. Okay, so hopefully this slide gives you some ideas, basically in terms of the membership structure, or the groups, how they are organized in Kubernetes. I just wanted to give a brief idea of where we sort of are. Let me see if I can present. Okay, all right, cool. Can everyone see my slide still?

Okay, cool. So in terms of our structure, we are under the Kubernetes project umbrella, and inside that we have different SIGs. One of them is SIG Security, focusing on security for Kubernetes, which is end user facing, as well as some of the interesting work that some of our subgroups are doing, like the one that's led by Savita working on the hardening guide and docs for security.

Another one is the third party audit that Rey is leading, which is taking care of this year's Kubernetes third party security audit. And this is a newish group in a way: Eric was leading it initially, and in the last couple of months we switched that over to me, and he was gracious enough to continue to contribute to this group.

So we keep meeting every month or so, and considering everyone has a lot of Zoom fatigue, we'll try to keep the frequency of the meetings low, and if needed we'll increase it if there are more topics. But for now we'll go half an hour every month, the third Tuesday of the month.

So now, as you know, we have our great chairs, Ian and Tabitha, who lead the SIG Security group, and I'll be trying to take care of this group as much as possible.

I introduced myself, so I'll leave that. Thank you to everyone who participated in the Doodle poll. One of the main insights I've had in the last couple of years, either speaking or talking at KubeCon, was that we really have a steep learning curve for Kubernetes security, especially for beginners or end users.

I think that should be the goal of the group, really. And one piece of anecdotal feedback I received from one of our participants last year was, he mentioned that one of the challenges with security is finding the time to read and understand all of this, and Kubernetes is already quite large and elaborate, and truly understanding what is happening is another layer of effort. So any tools that will help save some time and make it secure are really useful. So that's why we are here.

I don't seem to know everything, so any ideas that you may have that can help here, or any level where we can collaborate with other subgroups, are also welcome.
B: I'll just throw something out there in the interest of hearing some thoughts and discussion.

I feel like there's two kinds of areas, or audiences, that we could be thinking about for tooling. There's the thought of end user facing tooling, and what things we could do to produce tools that make it easier for people to evaluate what they're doing or whatever. And then there's also the possibility of tools that help to make the process of making Kubernetes better, and in that latter area...

Both of those seem like there's plenty of room to make the world better by making some tooling, and so I guess I would just say, if you're excited about either one of those categories of things, go for it. My purpose here is to help to make a space in Kubernetes for y'all to be able to work on things that are enjoyable for you and that help to make the world better. So.
A: Yes, that's definitely helpful, Tabitha, and one of the good examples here is some of the stuff that Naveed and I have been working on, and Eric has also helped quite a bit there. So I'll give a brief idea about what that is, and we'll keep some time for Q&A as well in the rest of the meeting.

But basically, if you see, Kubernetes is a huge project, right, and as a result of that we have a lot of dependencies that we need to keep track of, and many times the dependencies have CVEs.

Now there are two different types of CVEs: some CVEs have vulnerable code that is actually used in Kubernetes. For some, the vulnerable code piece is actually not used in Kubernetes, but the dependency itself has the vulnerability.

Do we have in upstream some level of knowledge base where we can say, hey, yes, we are aware of the CVE because we also run scans, and because we ran a scan we did a triage, and as a result of that we consider this a false positive, or a true positive with no impact, or a true positive with impact?

So to kind of start with that process and see where we go, we thought, okay, let's pick one scanner, and because we have Eric here, he was able to conjure up a good service account for the Kubernetes project and get us up to speed.

So essentially, we ran a Snyk scan on the Kubernetes master branch, and what came out of that are some vulnerabilities and some licenses. So now the next step here is, once we get a scan running, we want to make it periodic, and then some of the work that you can all help out in is really making this automated, helping on doing some level of, one second, okay, yeah, helping doing some level of triaging, and some discussions that we could have in terms of what's the right next step.

If we have to apply to all of these things, so this HackMD link is one of the starting kind of rough drafts that we have.

What we will try to do is eventually move this to one of our community groups, under a separate folder, when we have a good level of understanding of what we are looking for. And until then I would say two things you all can help with: go to this doc that's linked in the HackMD, and we have a proposed triage process, which we briefly discussed with the Product Security Committee as well, and there are different categories of vulnerabilities, or classes, that we have identified.

So what we've done is we've defined the categories, and we think this should be the resolution, but we want feedback. So any feedback either of you can share, where it doesn't make sense or it makes sense, or there is a different category that we haven't considered, is very welcome. If you can share any feedback, I'll put the link on the Zoom chat as well, just to make it easy.

One second. All right, so take a look, and any questions on this we can talk about briefly, but otherwise ping me and Naveed. This is also a collaborative effort, kind of what Tabitha mentioned, where we have the k8s code organization subgroup under SIG Architecture, where people were trying to figure out a way to do this, and we said, hey, we can also help. We are a new group and we would love to do some work together. So now Naveed from that group and me from here are working on it.
E: I'd love to see people take a bit of a step back. Excuse me. I think going through scans is the right idea, but I'd love people to, as they're going through this over...

However long this goes on, to think about what does open source do for this community, as well as the rest of the world. And where I'm coming from, what I say is, frequently, if I'm looking for an example on either how to code something, or a few months ago I was looking for integration test ideas, like what should a document like that look like, I ended up looking at some of the Kubernetes stuff.

So frequently people are coming and looking at this stuff for examples and guidance, not just within CNCF. And I'll pair that thought together with two others on my mind recently: one is the rate of organizations out there that are using some level of automation in their build processes is horrifyingly low.

I think it's what, 40 percent, somewhere around there. So tie that together with developers usually having no idea what they're looking at when they're looking at the output of a security tool, whether that's internal to Kubernetes or outside, whichever of those groups of users we're talking about. So what I'd love is, as a group, as we think through some of these things and work on some of these things that we're trying to figure out, how can we make that better for the overall community, all those aspects. So, right?
A: Yeah, so to summarize, what you're saying is: is there a way we can sort of use the power of our example to show how we can really do automation which has a higher signal to noise ratio than what is typically done, so that people are more motivated to use some more level of automated security tooling in their build pipelines?
E: Yeah, yeah, motivation is an interesting way to put it. What apparently the stats are showing is that people just don't know how to get started. They don't know how to use these tools. I mean, right, I did a blog post sometime last year: if you look at the CI/CD diagrams which come out of the major cloud providers, they look so nice and light and simple, and you go, wait, where does security fit in this diagram? They're not showing it at all, right?
A: Ideas: I think one of the things I have noticed in the past is sometimes after a recording is done, we sometimes forget about it and then sort of lose the idea somewhere. So for our SIGs, for anyone who has an idea, either now or later, is a good first step to create an issue in the community repo and label it as SIG Security, or would you suggest something else?
B: Yeah, I think if we want to make a really robust, like, parking lot, the way that seems to be done most successfully is to go and make a repo that is used for that purpose. But that's not a thing that we have right now, so I would say go ahead and make an issue on k/community, label it SIG Security, and then, you know, at some point, if we build something that is more robust than that, we can port it over.
A: Right, okay, cool. So yeah, if any of you are either thinking of ideas, or want to take some time before we meet next time and come up with an idea, don't wait for next month's meeting; feel free to tag an issue, and if you're not sure whether you're doing the right thing in terms of creating the issue, just tag me on my GitHub handle. I'll put it later on Slack; tag me and we'll figure out whether this is the right way to do it.
M: Could I ask a scoping question? Go for it. So going back to the KubeCon attendee example, the anecdote.

Obviously there are a lot of things outside of the Kubernetes code base that will also lead that user to end up with an insecure deployment that they are bringing themselves. So, you know, insecure defaults in a Helm chart, copy and pasting from Stack Overflow, all that good stuff. Is this also somewhere where we are kind of leading through those examples of CI/CD and embedding security into pipelines and kind of showing people?
A: Right. Tabitha, feel free to add to what I say, but basically my perspective here is, I think, anytime there is a project, or more than one project, that's not Kubernetes but still impacts Kubernetes in some way for an end user, that's an opportunity for collaboration where we can say, hey...

We have something related to Helm charts that can help Kubernetes security overall. Then we can bring those people together, discuss what can be done, and then it can be basically a division of responsibility sort of effort, where we say, okay, what does the Helm chart project need to do?

Is this something that they are happy for us to own and then make it eventually something that is secure for Kubernetes as well as Helm? And then, if there is some level of documentation or hardening guidance we want to give, that's an opportunity for collaboration with our subgroup SIG Security Docs, where we can work with Savita and team and say, hey, okay, I know you're working on this hardening guide, we have this small thing that might be relevant, what's the best place to kind of put this together?
B: Yeah, I would say plus one to that. The only real hard rule that I would say is, you know, it's not our place to try to assert some authority over what somebody else is doing, but also it seems absolutely relevant for us to share the concerns that we have and work together to feel out how much of this is something that Kubernetes should be doing.

How much of this is something that we can take to some other project and have a discussion with them about it. So, like, yeah, I would say until we are consistently running out of time, let's start with letting the scope be whatever we might think that we could want it to be, and just, you know, be good community members about it.
A: Yeah, I agree. So I want to do a quick time check: we have one minute more. Maybe one parting thought I would say is, we are all new to this, so don't be afraid to start somewhere.

We will figure it out together. If you get intimidated by Kubernetes GitHub issues and PRs and where to even start, feel free to start a discussion in the security tooling channel on Slack. If you have questions or ideas and don't know whether that's a good one, ask a question there; I'll try to respond as soon as possible, and then there are another hundred plus people who will also be happy to chime in, I'm sure. So don't be afraid to throw out ideas.

Ask questions, because there are no stupid questions, all questions are good questions, and then we can go from there. So see you on Slack until we meet next time, next month, third week, third Tuesday of June, same time. All right, okay, see you all, everyone. Thanks, everyone, thanks.