From YouTube: Kubernetes SIG Security Tooling 20221018
A
Please add your name by me. 10 minutes and since most of the output of today's meeting would be recorded and would be part of GitHub issues, I think it's okay to not take notes, but we will just get on with it, and whatever comes out of it in terms of GitHub issues are basically what we want.
B
Yeah, sure. So I think the conclusions were that we cannot add top-level fields without touching them with the underscore, and if we do so, if we decide to add, like, different fields that start with General code, there must be an object. So it's not like going to be just a string or something like that in the JSON, but it has to be an object that will contain, like, anything mostly. But if we want to follow the JSON Feed specification, it's a bit of an issue.
B
If you want to add, like, your custom fields on it. Otherwise it's, I don't know what you think of that specifically.
A
Yep, yeah, I think it's probably good to skip following this spec in the JSON Feed version 1.1 if we're going to add new fields, because then at least we are not promising what things that we can't keep, and if that means people wouldn't be able to use some existing tooling, I think that's okay.
A
I also don't know, honestly, like, what the benefit would be versus, like, what we have been doing here. My guess is it just looks better in terms of, like, a to-do list compared to something like this, and if I had to guess, if we change these to done whenever we are actually done, those would probably get checked out or crossed out so that we know, like, it's actually done. So we'll see how it goes as we make progress. If anybody is curious, it actually looks like this in a raw markdown.
A
So it's a markdown with this task list. X now, which is basically makes it look like that. It also doesn't like URLs or links, if you notice. So it's showing up like this, even if I just put https Google OSV, and pretty much same thing for this one, gauge contributors, which is a code line block. So last time, as a recap of what we discussed, we decided we can use Hugo's existing RSS feed support to enable some sort of an irises feed for our existing JSON files or dot MD files.
A
Yeah, and okay, this is probably, it's expanding, all right, so this is the table, right, and recently it will be also added some additional missing series. We'll have to see if that worked out. I haven't changed since last time. I added, we had a discussion with some of the sick talks books where Jordan actually shared that we are missing some series that were published but are not in this week, so we ended up adding those the fee. The job picked it up.
B
You just met. It was okay before you said that, oh.
A
So if no change happens, then we don't update the timestamps, either of them, and if a new CVE is added, we are at the timestamp there. Let's say the CPE description, title, URL, something changes. We will also operate the timestamp again, and if any new CVE is added or removed or updated, we will also upgrade the tanning timestamp. So that will cover metadata and include timestamp.
A
There is one more thing which was see if it is invalid, JSON feed. So we discussed this a bit. My did some analysis last time which is shared now. The idea was, let's pick some standard which was useful for us to get started with, and because we are in Alpha we have the benefit of changing some API specs if needed. So this is the JSON feed for it that we used. If you open this in a separate URL.
A
It actually looks like this, and we try to conform to this as much as possible, but what I missed at least was we couldn't find a validator before we publish this, and when people started looking at this, they shared, like, your feed is actually not conforming to the spec, which was like, wow, okay, we didn't know that. And then, with addition of new fields like the timestamp in the parent or any items, we thought, if we add new fields, there's the spec still work for us, and turns out it doesn't, so.
A
Okay, yeah, yeah, you're right, I think items would be fine. The parent one looks like would be a problem, and if we decide to add, I feel like even one field, whether it's in parent or item, might as well, like, stop saying, like, we confirmed with respect and just say this is for internal usage only. If you want to keep track of all the latest CVEs, use RSS feed. If you want to consume it for historical purposes, you suggest one.
A
So essentially the idea would be CVE feed is invalidation, feed would become the resolution, for it would be working as expected, and apart from that, what we will do is we will remove the spec name that's mentioned here and just call it something like internal Kubernetes, community, decent field, or something like that.
A
There is one interesting one which is loosely related to this, but will have benefit in terms of letting people know as soon as possible, which is tweet automation. So, let's say when a new CVE is announced.
A
What if we automatically add or post a tweet from the k8s contributors handle saying this tweet, this CVE has been announced, this is the GitHub issue if you want to know more, and that's it. So if people are trying to follow Twitter instead of website or blogs or whatever, they can take a look at this and they'll be aware of it. It also can be shared wider across, outside of the CNCF ecosystem, GitHub ecosystem, which would be nice.
A
There is some existing automation in place already, so k8s contributors handle actually accepts PRs with DOT tweet. You think I searched for it last time. Let's see if I can find it again.
A
The board then we'll create a PR which was like this and which is essentially a new file with the text, and when this is merged by normal GTM approved, it will be posted on that handle. So that's basically what we could also do, where, instead, we could either create an issue and let the bot create a PR, or we could auto create a PR with the same kind of logic of new file every time and then let people approve, merge, maybe one or two days later, and that way it will also show up on Twitter.
A
So what is left after this, I think sorting that table from most recent CVE to least recent CVE. This was also discussed, so this might be another simpler thing to fix. So if you remember, we discussed we'll add a timestamp here for each item. So if we use that timestamp here as well. Today, if you notice, the table is actually sorting based on CVE ID.
A
So if yes, at least it looks like that, let me know, it's either CVE ID or kitan URL. So, based on that it's sorting today. If we make the table sort based on that new timestamp field, then essentially it would be sorted by most recently updated, and then that will take care of this.
A
Let's see what else. So support similar fields for all CNC products are promised to discuss it last time with the CNCF TAG Security, but I forgot it's actually email meeting, not Us times or friendly, so it was too early for me. So I'm gonna talk to them next time when I meet, probably after, if you come or during KubeCon, I get hold of some people and that might inspire, hopefully, some CNCF projects, honestly, if they are using something like GitHub security advisor.
A
Most of the things they are doing is already automatically done through GitHub security advisor. But if they are not, like us, then we could do something like what we have done. So that would cover many, many things. What it doesn't cover is some of the higher commitment issues, or which I'm actually not sure how long it will take. So this one was Google OSV support and adding new fields like vulnerable version, affected version.
A
So if you see the last comment: vulnerable version, fixed versions, vulnerable configurations, action required, all of these, this actually doesn't exist as raw data in the GitHub issues, apart from, like, sentences written in the description. So it's hard to parse, hard to automate, and it might be a lot of, like, archeology, essentially looking at older issues, upgrading the descriptions, maybe creating some sort of a draft CSV file which has all of these information, then maintaining it.
A
So it will not be like a one-time thing, but also maybe add some maintenance overhead for us, but might be worth doing if people are interested. Another thing is, if we do that, it actually helps with Google OSV support, so I think they have respect as well, and if we, let's see if they have an example.
A
So, if I zoom this, you'll see, like, similar things. They have the references to the GitHub issue, which is great, that we also have. When was this fixed? When was this introduced? What package is it? When was it modified? All of these things. So we don't have some of these fields, and so many of them are actually required. So unless we come up with a way to maintain that information, raw data, it will be hard to actually do these things.
A
So that's why I'm thinking we might want to skip it or, like, tag this as help required when we convert all of these into issues, and if people are really interested, seeing that there is benefit, then it's, and if they express interest to implement it, then by all means, less sure.
A
So that's a summary of what we are thinking of doing, what seems reasonable to do in the time we have, what is going to take longer time and when we will need help. Any questions so far? I know Neha, you joined just now, maybe, so, okay.
A
I think recording will really help because, yeah, you have a lot of context before we merge the alphabets version, so.
A
For it to catch up on what we're thinking next, so that's what I'm thinking. So my next goal, if you want to help me that would also be welcome, is to convert anything that's not a GitHub issue in this task list into a GitHub issue and explain all of the things that we just described and also help write up some of it.
A
If you want, and once those GitHub issues are in place, we replace that text with that GitHub issue here and then pick the ones that are reasonable to implement early and have maybe some of it, if not all of it, that are simpler to implement, take less time, but have good amount of impact, in the B as a Beta release for this CVE feed, since 126 is very close to publishing and code series, I think, is already done.
A
We will try and do this for 127 Kubernetes released and then see how we get about feedback. Do we get for the beta version and then go from there when, when we have to create so lots of information, I'll ask for questions.
B
Not really a question, but I posted a message about the invite JSON feed on the issue, explaining a little bit about what we talked, like, last time in today, and the author was just entered a lot, like, what we could actually use to enter a custom tune and anything but is like whatever, like, we can use RSS or atonement, something, if you're interested. Oh.
A
Yeah, I see it now, yeah. Let's take a look if it's worth, if it's possible to add it, whatever we want, without taking the performance, then great, we tried, yeah. So let's see, but it looks like they are pretty receptive and interested in feedback on this, because you commented three minutes.
A
Missing a lot of context about, like, what we are discussing at all? If you're new, happy to, like, give you some historical context as well: why are we doing this, what is this about, etc.
D
Okay, I'm not sure that's the right moment to ask that. I want to ask about an issue that I want to, that I've opened to update, add new sections to the documentation which describe a tool which I hope to later on add to tooling.
A
Yes, the learning session, right, even, yes, yes, yeah, so I saw that. Thanks for thinking of us and presenting it. I think we are all set for November 15, yeah, if I remember correctly. Yes, the main things just to share while people are online and watching the recording.
A
Only thing we would like to share is focus on why you are sharing this with the community. So typically, people want to get feedback about the tool, what they are doing right, what they are doing, what they can do better.
D
Okay, what I think that the path that I'm trying to follow is to raise them the issue that I'm trying to solve with this tool first and discuss this issue, and let's see if we can reach an agreement that this is an issue that's worth solving. And then, when we get to that point where there is some understanding in the community that this is something that is missing in the community, then we can talk about the specific solutions that we have created in Knative and see how?
D
If we now imagine a situation that we create a solution for generic Kubernetes or vanilla Kubernetes, right? How would that work out? And then, at the end of the day, you know, it's not, we don't have to take what's already in Knative. We can either contribute, people can contribute to this tool that is already there and we can move it to Kubernetes, or we can create a new one.
D
I think the problem I'm facing right now is that I don't see that the community is very much focused on the problem that I'm trying to raise, and I hope that, with the session that we will have next month, it will be, it will improve.
A
I think raising awareness of something you think maybe is a blank spot in the community, or something not talked often, is a great thing to share. I think there is definitely value in it, and looks like you're also thinking of potential solution that you're working on that might help with that problem, which are even better. One thing, like with all open source communities and SIGs, is like the agenda is largely driven by the people who will come on into the meetings, join and work on GitHub issues and PRs and do the work.
A
So, if you think something is important, we'll help you figure out, like, how we can make this as a part of the community, what you are trying to put the focus on. So we've done, you know, savitize all the calls she can also share. We have done this in some ways, like creating a blog post about something that needs a spotlight. Sometimes we have updated talks pages or added talks pages, like my hair has added for a long time, working with so many others on security checklist, so similarly, like.
A
If, once we, I think the learning session would be great time to discuss it in sync in meeting: what the problem is, where we are and what we can know about it. And then maybe the outcome of it would be, hey, let's write something about this so everyone is aware, or let's see if he can improve something that's already there in the community or in the talk speech or in existing tooling that Kubernetes is using.
A
So that's how I'm thinking of approaching it. Does that resonate with you, David? Just certainly, okay, perfect, all right, cool. So one last call for adding your name to the meeting minutes. I'll share the link ad for today's, but okay if you don't have access to laptop or anything and listening on phone. So next steps for us is converting these tasks into issues.
A
If you do end up converting any of the text tasks into issues, please tag me, like just add me in that issue, so I'm aware, like, you're working on it, and then I can replace the text with that issue. If you don't create it, no worries, I'll create it some point of time in future. Not sure, like, with KubeCon coming up, when that would happen, hopefully around, before, soon after, and then I'll share it, obviously, with and tooling Slack channels, saying, like, this is what we are doing.
A
This is the priority or the sequence in which we will implement. Some of these things can be done in parallel as well, so once those issues are in place, all of you are welcome to implement them with PRs. I would actually really appreciate if people can do that, because they are small things, but still the work needs to be done and it will have benefit, because this is coming directly from community feedback, not something coming out of one or two community members' brains.
A
But multiple people have shared this, so that would be good. What else? So yeah, that's pretty much the next step, and as 127 starts ramping up once 126 is done. We don't have to wait for PRs to get merged before, like, 126 code freeze or whatever. But let's remember that we don't have any immediate pressure for 126. We will milestone it for 127 Kubernetes release and then with whatever we can get in that release.
A
We'll try our best to do the reasonable ones that we discussed today and then take more feedback from others as we prepare for GA in the future and.
A
Also, like I said earlier in the meeting, if you have heard something else that's not here already, just like Carol has added, please add a comment. There is a good chance, we still have time, that we'll be able to incorporate it in the upcoming latex and upcoming changes that we make.
A
So that's it from my side. Anything else from anyone?
A
Okay, all right, yeah, we'll miss anyone who can't make it, but let me Zoom meetings and Slacks are always open. We definitely share photos on Twitter, Slack and other places. Yeah. If you like to see us, hope to see you, either online or in person, in our SIG Security session as well, which will focus on SIG Security's self-assessments subproject.
A
So take a look at that, watch it, share it with others if you think they'll benefit from it, and yeah, hope you all have a good KubeCon, in person, online, or even a good week without KubeCon next week, and see you next time.