From YouTube: Kubernetes SIG Security 20210520
B: Hi, I guess I'm one of the new faces. Matthias. I know some of the other faces. I work for Salesforce in the Platform Security team, and we've recently been doing some Kubernetes assessment that I thought might be interesting to share.

C: Yeah, hi everyone. A long time with Kubernetes and containers in general. I think back to Solaris Zones technically, and all the way through the Cloud Foundry ecosystem and all that. Kind of a long-time lurker on these SIGs and, you know, working with Kubernetes heavily, but now in a position where, kind of seeing the tooling SIG and, you know, being really impressed with the security day at the last KubeCon, I thought I'd get more involved and come to these meetings and see what's going on.
A: It's wonderful to have you. We are delighted to work with and be friends with our colleagues over in the CNCF Technical Advisory Group Security, and so, you know, definitely talk to them too if you're interested in that. We do Kubernetes and they do everything else, and we work together when our interests align. Sounds good. Hey everyone.

A: Anybody who's here who wants to do a real quick introduction, just for the benefit of new people?
D: Hi, my name is Ian. I am the co-chair of SIG Security along with Tabby. I have crazy-looking swollen wisdom teeth right now, so I am not on camera, but hello, everybody. I'm super excited to have you here. I work at Twilio as a systems security architect and, I don't know, do horrible goose things.

A: I'm Tabitha, I'm the other co-chair of the SIG. I work at Datadog, where my title is systems security engineer, and that means that I do a lot of the same things there that I do here in Kubernetes, which is hack things, make friends, and convince people to be friends with each other and hack things together. So I'm super delighted to be here and to help make a space for people to improve things inside Kubernetes ecosystem security.
E: All right, so I'll go. My name is Ray, I'm an engineer with SUSE by way of Rancher Labs. I work on the Rancher Labs various projects. I helped run the external audit subgroup along with many other folks who are here also, yeah, and that's it.

G: Eric Smalling, senior dev advocate at Snyk for the last eight months or so. Before that, consulted with VMware and Docker and others for a while. Been a Docker user since, like, 0.7.

H: I'll go next. This is Pushkar. I work at VMware, focusing on Kubernetes security. Before that, worked in a very large end user, securing the Kubernetes environments there. Currently just became subgroup lead for the SIG Security tooling subgroup and excited about where we're going next with that group.

A: I absolutely love that.
E: Yeah, I actually have several bullets. One is the RFP status. I put the link to the RFP on the SIG Security meeting agenda. It's still ongoing. Just to keep everyone up to date, we changed the deadline to be a rolling deadline until four proposals have been submitted. So additional questions have been sent, and I will make a PR to update the RFP for any comments and questions on these additional four questions to be updated in the RFP.

E: I also wanted to bring up a few other topics. I have these in the notes, so I already have these pre-populated in the agenda.

E: One is having an audit roadmap, because not all Kubernetes components are in scope of the audits, and I want to suggest having a roadmap to plan out which components have been part of the past audits, which components are planned for future audits, and of course there are going to be core components that should always have some kind of cadence to be audited as well.

E: I put a link to a draft Google Sheet, but this was just a thought exercise that we did in the last external audit meeting: just bring your favorite Kubernetes components and let's see if it makes sense. I mean, if any suggestion works, then this could be discussed in the future, whether it could be included or not.

E: I can make a case for having CoreDNS as part of the audit. It's not. etcd is part of the audit, though it is an external project, but it is part of the audit in the context of Kubernetes usage of it, and I can make a similar case for CoreDNS, since it's also recommended as of Kubernetes 1.12. So, any thoughts? I kind of steamrolled right through those two bullets, but let me pause for questions.
A: I'll say I love the idea of having a roadmap, and collecting items for it from the assembled group seems like a great way to do it. Yeah.

E: Thank you. So I would like to make a pull request to kubernetes/community, sig-security, to have a table or a roadmap of what has been audited, what is in scope for the 2021 audits, and what might be part of future audits, which gives us community visibility and allows other people to make pull requests to make suggestions for any other components.

I: Yeah, if I can add a comment there. I think, regarding the audit, maybe one of the reasons why we didn't get a lot of RFPs, from my perspective at least, is because maybe we need to publicize it better and market it better, in a way that, for example, companies outside of the US and even security companies weren't aware of these RFPs. Like, inside my organization I was the only one, and I asked them if they wanted to participate with their own consulting team, but they were not interested, right? So I invited a Brazilian consulting company as well, and they were not aware, so they're trying to submit to this RFP. But I think that trying to make it more international, with more worldwide publications, I think that would be a good idea.
B: I actually could jump in really fast, because the one thing that I wanted to share is that we recently performed an assessment of Kubernetes with regard to multi-tenancy, which I thought might be exactly relevant for audit planning or assessment planning. Does it make sense to jump in there? Okay. So basically, the assessment idea was to look at Kubernetes multi-tenancy from the perspective of a compromised worker node.

B: So imagine you do multi-tenancy with dedicated worker nodes per tenant, and a tenant is able to break out of a container, so they have control of the whole node. So we wanted to look at what the attack surface towards the control plane and the overall environment would be. So we did some internal assessment there. We had Atredis Partners doing an assessment of the control plane components, and we're planning to share the overall report and progress and how much time we spent and everything. We're planning to share that publicly for everybody.

B: What I can already tell is there are no big findings. I don't think there are any relevant findings so far. If there were anything, we would of course reach out beforehand to coordinate disclosure, but yeah, even before we disclose, I thought it might be nice to share that.

A: However much y'all are comfortable with sharing would be wonderful, even if that goes as far as a big report like what came out of the community-commissioned one that we did last time.

B: Exactly, something like that.

A: Yeah, talk to us. Sounds like it might be a nice thing to have a blog post on the Kubernetes blog about. I assume y'all would want to host the findings yourself rather than giving them...
E: All right, what about the Cluster API? So the Cluster API folks asked to be part of the audit, but we thought that the scope of the audits for 2021, the RFP, was a little bit too much. So several folks on this SIG who are also members of the CNCF Security TAG, so feel free to jump in as well: this is Pushkar, John, and Robert. They brought up, and they've made, a request for a high-level security assessment from the CNCF Security TAG.

E: Just to summarize, they declined to do an assessment, but what we propose is: how about if Kubernetes SIG Security could do a high-level security assessment using the CNCF Security TAG's process as a template? And we have members who are part of this SIG who have been part of the previous CNCF Security TAG assessments as well. So they know the process well; they could help guide and lead an effort to do a high-level security assessment.

H: Yeah, I definitely agree with what you said, Ray, and I think Robert might have more context, a decent one at least, than me. What I would say, just to concur with Ray: if anyone is interested, we will probably do this community-driven versus making it part of the audit, just to make sure the scoping is appropriate for this year.

H: The only open question, I think, right now, if I remember correctly, is where the final artifact of the assessment will be. So that's really what we have to figure out: whether it would be in the Kubernetes community repo or whether it would be in the CNCF Security TAG repo.

J: Yeah, I would say that, since the plan is to take the TAG process and essentially fork it or clone it into this SIG Security as a template, then I think the output, since it's going to be driven by this community group, should reside in the Kubernetes repo. But Ian and Magno, you guys are also on the TAG, so feel free to jump in if I get that wrong.
A: ...kind of feels like setting yourself up to be a punching bag. And so I really love the stair-step kind of maturity model that encourages a guided self-assessment as a first step. And then you learn about yourself, learn about your code base, make all of the improvements that you see there, and then, by the time that you say we're ready to go and, you know, pay for a commercial assessment, you have a better idea what you're going to get. You know, you're not paying somebody to produce a bunch of low-hanging fruit, hopefully, and the experience that you've had of going through that self-assessment will help you to understand the results better that you do get back from the people that you're essentially paying to add their own cleverness to yours. So I super love that, and, you know, as a very large CNCF project that has meaningfully large sub-projects within...

H: Yeah, I was vigorously nodding my head when you were sharing the details. I agree. And I think one of the good things is, we are able to set a precedent here as a project SIG trying to take care of security of the sub-projects in that project. So now, as more projects graduate and become bigger, which hopefully is all of them, then we'll have a way to say: hey, we did this, maybe we didn't do it perfectly, but this is what we did.

J: ...on how they can help with the security reviews, security audits, what have you. So that it's essentially, I think, tabletop to your point: we're not using the external audit just to find the low-hanging fruit. As the community, we inculcated the skills internally and with the cloud providers to catch that low-hanging fruit, and then we're using the external folks, who are, you know, paid and focused and doing research, so that they're pushing the envelope, right?

J: ...you know, pen test or security audit effort, but build on top of this assessment as a base platform, and then build a skills framework that folks can then use for their internal teams. We can grow that around the community, but it becomes about skills acquisition and skill sharing.
I: It's just a pilot program that we're just starting where, instead of having... it's different from what we call security champions in the DevSecOps world, right. The approach is more like a consultant or kind of a guide with some security experience to help those projects that are just starting their journey into the CNCF, just checking if they're following the best practices, if they're looking to do any kind of security audits, and how we can help them, right?

J: Yeah, I think the only... I mean, not really a difference. These are all very complementary efforts. I think the only addition to that is that, you know, rather than being project-focused, I think being cross-cutting and skills-oriented was something that Craig had expressed was probably a priority at the cloud provider level again.

A: Plus one. Any last things about this before we move on to docs?
A: So, docs. I'll report on behalf of docs. Docs has been rolling along, and actually I'm really happy with the work that they have been doing to pull in new people and find them things to do. So they are switching the cadence of their meeting to monthly, because they do a lot of their communication asynchronously on the Slack channel, and I've been talking to Savitha and she is starting to prepare a list of good first security documentation places to begin contributing in the kubernetes/website issues list. So I dropped a link in the notes here to the search for things that are tagged sig/security in kubernetes/website issues, and yeah, they're doing that, and if you think it sounds cool, hop into the Slack channel and say hello.

H: Yes, I'm so excited. We just had our first meeting on Tuesday. So many people joined. I was so happy and proud about it. Many of the people who joined were beginners and also new to the overall SIG Security, so now we have newer members who will probably work on multiple sub-projects.

H: We also have our first project, in a way, for the subgroup, where we're trying to manage the vulnerabilities in Kubernetes dependencies a bit better. I've added a link to the notes, and it is in no way close to completion. So there is a lot of scope to discuss and contribute.

H: If you are interested, maybe the best thing for now would be to tag me on the Slack channel, and Navid if you want, and then we can find a way for all of you to contribute. We'll also, as part of the initiation of the group, create a PR related to this project so that it goes in the community repo, and then, as a result of that, we'll be able to track the progress of it there and everything will be in one place.

H: Those are, I think, the first two main updates. One other update I'll very briefly touch on. I don't think Raga is here, but she actually... Oh okay, so she shared one suggestion. She is actually the author of a cheat sheet series in OWASP related to Kubernetes security, and she brought it up here, and as part of tooling, what she shared is: maybe there is an opportunity to automate the checks that are mentioned in the cheat sheet series as part of some tool, or as part of some sort of plug-in model where you can bring your own tool, but as long as you satisfy this plug-in API, then you'll be able to run it on any conformant Kubernetes.

H: So that's a very new idea: lots of scope for initial suggestions, design reviews, etc., and working on it. So, same as the other one, tag Raga, tag me on the channel if you are interested, and then we can see where it goes. That's it from me. Any questions, anything I can help with?
A: Thank you. It looks like we have three KEPs as things to bring up to the attention of the group. Vinayak, do you want to talk about the kubeadm non-root control plane and then ambient capabilities?

K: Yeah, thank you for having me. So some good news to share was that we merged the kubeadm non-root KEP, and we have a CL, a PR, out which is like a proof of concept and gives you an insight into how the overall change is going to be structured. It's not something that we intend to merge, but it's working: all the static pods come up as non-root, so we're following all the security recommendations.

K: Which I think is cool, and why I wanted to bring this up was also because this was the first step, I believe, which was part of the security liaison process, and I just wanted to give feedback that that process was awesome and was super useful. I think Pushkar was the liaison on the KEP, and having him review it kind of gave a world of confidence to the SIG Cluster Lifecycle team that, hey, someone from SIG Security is reviewing this KEP, which is kind of related to security. So it worked out really well. Yeah, just wanted to share that feedback on that KEP. For the other KEP, I started out writing the initial design of what I believe would be a good way to go forward with ambient capabilities.

K: Looking at all the issues that were open before, it seems like it was tried once and then it didn't work out, because we enabled it the way the current API does it, by which I mean, you know, we still use the security context and then capabilities add and drop, and we kind of just added it there, and suddenly all users had these ambient capabilities, and non-root users were able to do way more than they were supposed to do. And I read somewhere in an issue, and it really resonated with me, that the way capabilities are designed today, they're a way to limit what root can do rather than grant what a non-root user can do, right?

K: And so what I'm kind of proposing is a way to run things as non-root. So one of the things that we ran into, because I've been on this mission at Google to run everything as non-root as much as possible, and some of the things that I ran into even with kube-apiserver, I think we ran into this when we wanted to bring it to kube-up to run that as non-root, was: oh, to run something as non-root with a given capability, you need to control the build of that image, right, because you need to apply the file capability, and so that's not always possible, because a lot of users use third-party images. And so the other workaround that I found for doing that was: you can take the image, copy the binary out of the image, apply the capability, and then put it back in the image, right?

K: But then you maintain another copy of the image, because you're probably going to push that image to your private repo, and so you're not reusing images. Hopefully I'm not going too fast, but all of this is written down in the KEP. So the point...
A: ...becomes, if you love weird little technical bits, some of my teammates did a talk at KubeCon about that biting them, with their images being built with a Docker daemon using user namespaces, because the way that the file capabilities are stored on disk is different if you were in a user namespace versus not, and so that also can become a mess for people, which one way to resolve would be this ambient capability.

K: Yeah, great point. So the long story short is that it's super early, but there is an approach that I think can work, in the way that it'll still support existing workloads, but it'll also allow us to do ambient capabilities without any disruptions.

K: ...come in as a co-author and kind of add the missing bits and pieces. And also, I know we'll miss the 1.22 deadline for KEPs, and that's fine, because I think there'll be a lot more discussion here, because this is a pretty significant KEP, I think, in the way that if we do it wrong, then we are again kind of in the state that capabilities are in today, which is, you know, people don't really understand that adding a capability to a non-root thing does nothing, right, because it's immediately dropped, so you kind of have to build it into the file, and I've had to explain that to many people. So maybe there's some documentation improvement that we also do as part of this. But yeah, looking forward to hearing from the community on the approach. And another thing was that we probably have to update containerd.

K: And so I don't know how we can coordinate and communicate that across containerd, and if somebody from containerd is already here, that'd be awesome, if they can also share their opinions on the KEP.
A: Have you spoken with the API Machinery folks about the ways that you're imagining altering the pod spec? And I'm not totally sure who the best person in Kubernetes is to talk to about the fact that this will also require help from CRI, but just throwing ideas out, I would ask around SIG Node and see who they think are the right people to talk to.

K: Yeah, totally. I've been in this Kubernetes community for a while, but I do not know how it's structured, so I didn't even know there was an API Machinery thing. I was just going to kind of open a CL and then see which SIG it gets added to, but yeah, great ideas. Again, I'll follow up with other SIGs who are more focused on that part. Yeah, thank you so much.

A: You could also start a thread on Slack about this for the benefit of folks who can't make it here, and yeah, collect up ideas for all the people that you need to talk to, because this is brilliant and it touches so many different people's lives. And so yeah, the earlier that you can get everyone involved, the smoother it'll be and the better the outcome. This is fabulous. Thank you so much.

K: Yeah, sounds good, thanks a lot. It'll be super useful if you can introduce me to the right folks, so that everybody knows about it and all the SIGs can kind of collaborate on getting this done. Yeah, that's pretty much it. Sorry for taking so long.

A: Anyway, I think it's a great topic. I would love to encourage anybody else to add their thoughts here.
A: And I guess I'll call out the last thing, which I dropped onto the agenda here, which is a KEP for adding a way to alter the default in Kubernetes to enable the RuntimeDefault seccomp profile. Like, right now, Kubernetes talks to your runtime and explicitly disables any sort of seccomp profile unless you opt into it, and that has been required because of our really strict backwards compatibility promises.

A: But not everybody needs those strict backwards compatibility promises. In fact, most folks can and should just run all of their workloads under at least the Docker default, because the Docker default is itself very gentle about only blocking the most egregiously bad things. Massive shout-out to Jess Frazelle and the other folks who put a lot of work into making that block list be very finely tuned to block as much as it could without hurting anybody, but that great work right now mostly goes to waste in Kubernetes.

A: You know, maybe if we're not willing to apply a mutating admission controller that stamps it onto everything, or even if you just don't want to live the complicated life of having mutating admission controllers that alter defaults, then with this, if this KEP lands, you can opt your cluster into having it there. So if that is a thing that is interesting to you in your life or in your desire to improve the world, go and help them out with that, because it's brilliant.

H: One very quick thing I would do a double call-out on is: Jess Frazelle, four or five years ago, actually started working on this to make it a default in Docker, and she literally tried it for thousands and thousands of images on Docker Hub to make sure it works. So it took so much effort, and I've never heard of so much testing done for something that improved security so much. So really, kudos to her work, and I hope this lands in Kubernetes.

A: Plus a hundred on that, especially on praising the breadth of testing that went into this. So yeah, like a Go program, we've fallen off the end of the main function, but the whole purpose of this meeting is to give us a chance to share what we have floating around in our heads that's interesting to the group. So one last call for anything that anybody wants to bring up.
L: I had one thing, just as a quick question. It was more of a question. At the moment, do we have any links from the Kubernetes security groups down to the underlying CRIs and runc? So a lot of people noticed there's a new CVE in runc that came out this week, and it looked like from the advisory that it's easier to exploit in Kubernetes, but because the runc people are writing a runc advisory, their perspective is runc, right? So my one thought is that Kubernetes users, a lot of people who use containers, I don't even think know what runc is, let alone realize that a CVE in runc actually impacts every pod, or almost every cluster. And so what I was wondering is if there's any way that we could hook into or communicate with or be on board with those groups, so that when that happens, we can say, hey.

A: All right, I'm putting on my PSC hat for a moment. We have those relationships; they're not as robust as what we could really benefit from. I like the idea of saying, you know, before disclosure: hey, can we work together a little bit more on this after disclosure?

L: I've spoken to the reporter as well. I think he may have shared something with the runc security community team, but he's also, I believe, planning to blog this, so there should be some more information coming. But I was just thinking that for future ones, you know, if people have been given something, if they would then share that up the way, it would allow people in, like, the PSC and Kubernetes to go: hey, this either does or doesn't impact us.
M: Well, I can add a little more context on this one. So the Kubernetes PSC is actually on the distributors' embargoed notification list for runc, so we did actually get a pre-embargo notification on this one, which we forwarded on to our distributors.

M: This came up in the recent PSC meeting, of kind of, how do we want to handle stuff like this in the future, and the decision we came to there, which is certainly open for more discussion, is that Kubernetes has a lot of dependencies, and we don't want it to be the role of the PSC to put out an announcement for every vulnerability in every Kubernetes dependency.

D: This might be a thing I might bring up at the next OpenSSF thing, because I think one of the things that the OpenSSF ostensibly does is to try to figure out coordinated disclosure things across the Linux Foundation, and so that might be a useful thing to bring up in that forum and see if it helps.

H: Yeah, one thing I would clarify: the dependencies, the way we are classifying them in that project, is anything that is imported as a Go module, rather than a runtime dependency where you're trying to connect to runc via kubelet or CRI plugins, etc. But I think it's maybe one wrinkle that we have to also consider, as maybe a non-goal or something to consider as future scope.
I: Okay, yeah, if there's some time for an announcement, just to let everyone know that after KubeCon there is a Brazilian team working on KCD Brazil, the Kubernetes Community Days, which should happen on August 13th.

I: It's going to be everything online, and we're going to have some English talks as well, not just Portuguese, but they also invited me to lead a co-located event called Kubernetes Security Day, and so I accepted that. But I'm also looking for help there, and so any volunteers, and anyone that has experience doing that. We have a Slack channel on the CNCF Slack. I can add you there so that we can coordinate.

I: So it will be something similar to the Cloud Native Security Day, but of course more focused on Kubernetes, and we plan to have talks and workshops and a CTF as well.

A: Well, that's awesome. I'll just say, since KubeCon my Twitter notifications have been half in Portuguese, and it's super cool, so I'm so glad to hear that that energy is going into making an awesome thing happen.

I: Awesome, yeah. I think we can also thank you, because your talk with Alan, I think that was really nice at KubeCon. And a lot of the Brazilian community really enjoyed that, and we've been following Alan and learning from her as well, and so yeah.

I: So yeah, if anyone wants to help, just feel free to reach out to me on either the Kubernetes Slack or the CNCF Slack, and I'll add you to the proper channels, and yeah, we'll go from there.

A: That's it then. Thank you all so much for coming. I'm always glad to talk about Kubernetes security with all of you, and we'll see you in a fortnight.