From YouTube: Kubernetes SIG Security 20220922
A: Right, the clock says four after, so we'll call it officially started. Welcome to another Kubernetes SIG Security. I'm so happy to see everybody. I'm Tabitha Sable, I'm one of the co-chairs. You can address me as she or they, and I'm so happy to be here to help make space for everybody so that we can make Kubernetes security better together.
B: Ahead.

C: It's okay. Hi, I'm Ian Coldwater, I'm the other co-chair along with Tabitha, who just spoke. My pronouns are they/them, and I'm here to help create space for folks to hack the planet, make friends, and hack the planet with their friends. Yeah.
B: No worries. Yes, sorry, I'm just trying to squeeze in my pre-lunch box, so sorry for cutting you off. I am on my phone, but yes, hello, I'm Allah Dewberry, pronouns she/her. I am the lead for the self-assessments sub project. Happy to be here.
E: Hey folks, my name is Rey Lejano, my pronouns are he/him. I'm leading the third party security audit sub project. I'm also in various other places, like in SIG Docs and SIG Release as well.
C: Hi, I'm Kaylin. Pronouns... I work... Very small, but I'm excited, and yeah, I'm here.
G: I can go next. I'm Danny, pronouns she/her. I also work at Shopify with Kaylee and Jean Jeff. We had a conversation with Pushkar in the SIG Security tooling meeting, and we talked about potentially donating kubeaudit, which is a Shopify project, to the Kubernetes umbrella. So yeah, we're joining, crashing the meeting today to get to know more about it and potentially clarify some questions.
A: Well, hello. As we do, we'll go through and hear what has been going on in sub projects. Rey, what do you got for us?
E: Hey folks, so for the third party security audits, pretty much the final review is tomorrow, and it goes to publish early-ish October. There's also an effort from Pushkar, Kalin, Rory and myself to put out a blog post about the 2019 audits as well, like any changes, all the fixes from the 2019 audits, and what has not been fixed as well. So there is an effort for that to be published in the first week of October, very early October.
A: All right, I will report out for Savita. She says here in the notes: help needed, prioritize where to focus next.

If you have thoughts on good places to address as next steps for continuing to improve security content in the documentation, drop those thoughts into Slack or the meeting agenda, or you can create an issue in the security repo. At this point it's quite flexible, depending on whether you are more of a synchronous person or an asynchronous person, but get those thoughts in there, and then that will help everybody in the group to be able to talk about a broad breadth of ideas and figure out where to work on it next.

So if anybody has any questions about SIG Security docs and how that is going, happy to chat about that now.
F: Relatively quiet couple of weeks, just getting some really wonderful and useful feedback on this KEP. I'm trying to keep a list of all of the things people have asked. We are not promising everything will be done, but it's good to get feedback, and then we'll do whatever is reasonably possible. But with the feedback that we're getting, I don't think we'll be in a good position to do any of those in the upcoming version, 1.26, so we'll drop making any changes for the next version but start working in parallel on actually implementing some of them, so that by 1.27 we can actually start thinking about graduating from alpha to beta.
A: All right, per Pushkar's text chat, let's move on and hear from Allah, and then we'll circle back.
B: Great, yeah, hey folks. So let's see, on the self-assessment side, we have a Slack channel. Oh my God, so great, so that's super exciting. I need to do some preliminary posts there to put the groundwork for a quick history and then where we're at now. On the topic of Slack channels, now that I know the git process a little bit better...

You know, people who can... I need to, I should find a colleague, so that we can coordinate an initial meeting, start mapping things out and start prioritizing: okay, which workflows do we think would be the most beneficial to assess? So yeah, super exciting there, and oh, let's see, I can't see the...

In front of me, there was one. Oh yeah, right, so I also need to start coordinating in the happy Slack channel, just getting a group together for some retro conversations, or interviews rather, and just collecting that. So that's also on the docket, and I think I had one more bullet listed, but those are kind of the chunky bits. So yeah, just continuing to lay the foundation in terms of my knowledge of navigating resources in the community, and actually starting to make some...
A: I'll say that I appreciate the way that you have been sharing your progress in coming up to speed on all of these tools and processes that we have in Kubernetes, because it is a lot to learn. It's a lot to get used to, and there's documentation and such, but that isn't necessarily always sufficient, and so I think that showing an example of it is really helpful, like in a meta way, separate from the work that you're doing to help facilitate self-assessments. So thank you very much.
B: Thank you so much. Yeah, I can also probably write up a blog post on my experience. I don't know if that would be helpful for people. It's like, yeah, you can show up not knowing anything and it's good, you know, it's okay, you will learn. So that's an idea you can put on my backlog.
B: Yeah, okay, that's an idea. I'll settle over there and see what they say. Awesome.
A: One thing that I see here is there's a PR open, and I think that there's a question to drop in and have a look at that and, you know, say plus one if you think it should get a plus one, or if there's any kind of questions about it, it's a good time to ask. So calling that out, and other than that I think that's what we have for tooling. So does anybody have anything they'd like to bring up with respect to tooling?
G: Yeah, pretty much, we started thinking about donating this project to the open community, and we actually reached out to a CNCF ambassador, Archie, and we thought maybe CNCF, but maybe Kubernetes. We came to a meeting with Pushkar in this... it was a learning session where we presented a demo, and I think the video is up on YouTube too, and he mentioned that maybe it would be interesting for the Kubernetes community, it could live under Kubernetes. It even has the name kube on it. So pretty much...

I'm not sure how familiar you are with it, if we should maybe present what kubeaudit is. It's a CLI tool and also works as a package, and it can audit Kubernetes manifests for potential security configuration concerns in the manifest files. And yeah, so we're thinking, we have some questions about what would be the next steps in order to make this happen.
G: Yeah, for example, after we made the presentation, I think Kaylee brought this up on the kubernetes-security channel, and Tim, I believe, opened an issue saying that, for example, we're using unregistered annotations, because we have a feature where we can override errors with kubeaudit, and we use an annotation that is not official. So I was wondering if this would be a hard requirement in order to donate it.

If we have to address this first, or if there are any official steps that we would need to take in order to make this happen. Yeah, and if so, is that a requirement, or can we do it in parallel as the process takes place, because it might take long for the process to happen, right? We don't know the timeline. So that's one thing.

We would also like to know if external contributors... because somebody mentioned that we need to have external maintainers, if external committers are sufficient or if we do need to have external maintainers. And another question is, would we be able to keep the MIT license, or would it be an Apache one? So these are some of the questions we have. Actually, it's a very early stage and we're just wondering what we can do and if you can give us some pointers. Yeah, please comment.
A: So Pushkar, are you hearing us well, and is there anything else that you would like to go back to from tooling?
F: Yeah, can you hear me? Right, I can hear you all. All right, cool. Let's try this. I think the last thing I may have missed... like, you cannot see me.

So let me turn the video off. The last thing was, we have a PR open to make the co-ownership of SRC and SIG Security official for the issues-security section of the Kubernetes website. So it's a fairly simple PR: owners are SRC and SIG Security leads as approvers and reviewers. Take a look whenever you can, and if we want to change anything there we can make the changes. That was really the last update from tooling, and I think I completely missed the discussion with Danny and John Grave on the donation of their sub project, so... but I'm sure you all covered it.
E: I have one question for Pushkar on the PR to add those folks in the OWNERS_ALIASES file. I'm gonna just touch base with the GitHub admins to try to see if, when there's a change in the community Security Response team or in SIG Security leads, they would also warn or make a change in this OWNERS file. This is under k/website.
F: So perhaps the best way right now is to add it in the playbook, saying if you add or remove an SRC member, make sure to add here, you know, or remove here as well. But yeah, if there is an automation like you mentioned today, that would be great.
E: Quite... I was gonna say, I think that's true. We just went through this for the new release enhancements opt-in process to use certain groups under k/community, and I believe, but I'll confirm, or I could start that conversation with the GitHub admins. Thanks.
F: Yes, that would be helpful. And one more data point for the discussion is, I assume the same, exactly what Abby said, that if it's created in k/community the alias would work everywhere else. So my initial PR did not have an alias section, and then the GitHub bot that checks for ownership validation actually failed on me and said you don't have an alias, nor a user that has a GitHub handle, for security leads or community security response.
A: Yeah, let's put a hold on the PR, if there isn't one yet, waiting to confirm this, because it definitely seems like either a bug slash feature request for the tooling that failed on you on the check, or an update to some of our internal documentation somewhere to make sure that if we do have to duplicate this information, we remember to also clean it up.
D: Yeah, wait. Can you hear me? Yes, okay, yeah.
J: So I'm doing a thing inside VMware right now to suggest to users of various projects in the company how to migrate from PSP to PSA, including, if people have OPA configurations, what should they do, etc. So I'm doing this work internally for VMware.

It's just a proposal, typical corporate thing. I'm wondering if there's interest in the community to do like a general public video or something like that, explaining rules of thumb for this migration for the general public. I don't know if this topic has been addressed extensively and there's no need for extra stuff, or if yes, that would be helpful. So I'm trying to gauge if there's community interest in that.
A: I think it would be sweet. I feel like it has been addressed. There have been a couple of KubeCon talks on this subject, there have been a couple of blog posts, there's a little bit of information in the documentation about it. But also the "can I give a conference talk? Somebody else has already done it. Yes, but you haven't done it. Your story is unique and has value" advice, I think, applies to this question as well.

So I personally am not the entire community clamoring for this resource, but polishing up my crystal ball, I think if you did a video like that, people would really love it, and if you announced that you were starting to do a video like that, I bet people would be excited about participating in making it.
J: Okay, so I'm gonna finish the internal work that I'm doing right now, and once that's done, I'm gonna start like a script or something, and then I can share it publicly, and whoever wants to contribute is free to.
A: Okay, it is my official opinion that that is really sick and I'm looking forward to it. Here we are, we are at the end of the things that we have planned for ourselves, which means we have an opportunity to ask ourselves: is there anything else that we need to share with each other?
C: There was that new CVE that just dropped today about Argo CD. If people didn't hear that, Argo CD, all versions past 1.0.0, have a cross-site scripting bug in them, where a JavaScript link can be injected, and if a victim user clicks on the link, any script that that XSS bug can get to run can run with the permissions of the user who clicks, up to and including admin. It allows them to create any kind of Kubernetes resources or do anything that you can do with Argo CD.

So that does require some amount of interaction, but it is kind of a nasty bug if you can convince somebody to do it. So if you run Argo CD, I recommend patching it. They do have a patch that is available now, and they said there's basically no workaround besides upgrading and patching. So if you run Argo CD, I recommend a patch. That's my PSA.

It's kind of a fun bug. I feel like cross-site scripting bugs that actually do stuff are relatively rare, or just like, as a bug nerd, so yeah, bunch of stuff, look up the bug if you're into that kind of thing.