From YouTube: Kubernetes SIG Security 20221103
A: All right, 8:05. Hi, everybody. I think we might have a little bit of a small group today, which is okay. We can all be cozy. My name is Ian Coldwater and I am the co-chair of Kubernetes SIG Security. Here my co-chair Tabby Sable is off taking care of for pepper right now, so I am facilitating today.

D: Sorry, IBM Research, working on security on Knative. Have a project there, Security Guard, and I'm here in the last couple of meetings to try and figure out over time how do we take some of the work that we were doing for Knative, even bring it to the greater community, to Kubernetes, how to protect microservices? Not only the services of community.

A: So hi, welcome everybody, I'm really happy to see you. Yeah, okay, so usually the way we do this is we start out with introductions, and then we hear report-backs from our subgroups. We've got four subgroups now, which are SIG Security Docs, SIG Security Tooling, the third-party audit subgroup and SIG Security Self-Assessments. So on the agenda, in some order, we are starting out with audit. Who is reporting back for, from, from Ray? Am I reporting back from Ray?

G: Mean, man, I have caught up on Slack with Chris as well, and yeah, I mean his summary sums it up, that we were waiting for SRC. The latest guideline, guidance, was later in the month.

A: SRC, for the new folks, is Security Response Committee. SIG Security are the people who do sort of the more external-facing community work. The Security Response Committee are the people who triage the bugs that are under embargo. There's some overlap, but we are not exactly the same body, so yeah. The third-party audit is currently pending.

A: The test has been done. The report has been drafted and it's waiting for final approval from the SRC before it gets released to the public. So that's what's going on with that one. How's SIG Security Docs going? It's currently absent any word.

F: I was gonna say, I think in terms of, there's obviously, and kiln's doing parking guide stuff, which is the docs stuff there. So it's not really exciting. We get some more touched on that and I'm not sure there's a lot else. We've got various plans for, like, things to get done, but I think I said, with everything you're gone, I'm feeling that's kind of mixed any progress on there. So it's more heading into the next bit that will be picking up some more, right, more activities there.

G: It was great, I have fun at KubeCon. We had a great session, I think all of you were there. We had a lot of good feedback after the session, but of course we haven't done anything for the last week or so. Next session is the ninth, so invite everybody, 8 A.M. Pacific, and would love to have more folks participate.

A: I should be asking for questions. Do people have questions about any of the things so far from any of the subgroup report-backs?

B: So if anyone wants to quickly recap those, but there are links in the notes. We are also doing another learning session on December 6th, which has been postponed, and there's a link to the GitHub for that.

B: So it's just a really nice tutorial with just, you know, just examples of what to do and stuff, and then there is a November 15th meeting that will be a working session for KEPs. 3203, man, that's what's going on in.

B: That is a good question. I will put that into Google and see what comes up. What does a KEP stand for again? Kubernetes. Thank.

A: For a Kubernetes Enhancement Proposal, and when there are new features coming into upstream Kubernetes, that is how new features happen. That's the process, is people put in a Kubernetes Enhancement Proposal with different kinds of background info: why this feature is requested, why it might be needed, possible alternatives, that kind of thing, and then people go over the KEPs as part of the release process, and then from there it can graduate from KEP to, you know, alpha, beta, etc. So that is what that is. I'm not actually sure off the top.

E: Yeah, been on the enhancement team for a couple releases, so KEP is the unit for the enhancement issues that points to the KEP, is kind of the unit where the release teams keep track of the features that go in and out of the release. So say, PR that goes into capyar is, I think, something Proposal Review, there's focus that reviews those features, and then the enhancement team work with the KEP authors, who are often also a code author.

D: One comment is at the same learning session is a book for Security Guard. That's not the session that.

A: All right, the PRs under review, if those are things that Tabby and I are supposed to deal with, we will deal with them. Thank you for bringing them to our attention. We need that every once in a while, and cool, does anybody have any question about KEPs, any of the tooling stuff? Any of that.

B: Yeah, so yeah, KubeCon was awesome. I sat down with Tabby to go over the history of git and version control, which was massively useful. So today, I am in the process of setting up a local branch on my laptop, so that I can create a new Slack channel.

B: Finally, for the vSphere CSI driver self-assessment, which is the next one in queue, and also I wrote up a doc that just outlines, like, the high-level process for, like, how you even do a self-assessment, which is what I presented on last week, so that, you know, I can have that documentation in place so that other people who are curious can just check it out and see what's going on.

B: In addition to the app creating the channel for the vSphere CSI driver self-assessment, and yeah, me learning git continues to be like a baby giraffe standing up, except not as cute, so I have time set aside with my roommate, who happens to be my husband, who's been a software developer for 20 years, to just help me run the right commands, because right now it's like, oh well, I installed Go on my laptop but I just, I.

B: But on the next steps in terms of the vSphere CSI driver, it's really just getting our people together, so getting Shang, who is the lead on that, in addition to a teammate that she nominated, and also Grace, who I had the pleasure of meeting last week, super excited to work with you, just getting us together, and then I also need one volunteer who's done a threat model before to help us. I was thinking of asking Nadir, who helped with the Kathy CSI driver, and yeah, and yeah.

B: So that's really it. Shang already has the architecture modeled out, and she already knows that she wants to focus on the vanilla Kubernetes workflow. So, like, we already, you know, have our documentation, know where we want to focus now. It's really a question of just building this role model. So that's super exciting, but that is it with self-assessments.

A: I suspect that if you wanted more than one person to help you build a threat model, you have some folks here who have experience with that who would love to help. So, like, don't feel like you need to think small, like you can get as many people to help you with. You need to just ask for what you need. You know, okay, cool.

A: Also, if it occurs to you, everybody who is new to stuff is self-conscious about being new to stuff, and it is maybe not their first thought to do this, but it is a real thing of value to be new enough to stuff that, to have, when those gaps in documentation happen, to be able to note them and point them out, because people who know how to do this stuff forget those pain points immediately. Just like lightning fast and, like, you know, for most people who are writing this stuff.

A: It's been so long since they didn't know how to make a GOPATH that they forget that you need to specify things like you need to make a GOPATH, and so, actually, if there are things that are confusing to you as a new person, it is genuinely a really helpful thing for you to, like, write out, like, wait a minute, what is this? I don't, that's not here. What do you mean? Because that's actually really valuable feedback for the folks who are writing those docs.

B: Awesome, yeah, I've been pretty good about documenting, like, what's hard, because it's like, yeah, like I'm not a developer, like I don't know, but it's like I know that I have skills to help in the community even though I'm not a developer, and git is how we work, so helping non-developers get up to speed on how git works and, like, all the dependencies, know, really, all of them that you need to have in place, like having Go installed on your laptop is useful. So.

A: That's super real, yeah, and, like, you know, that's a really useful thing for the other folks who are involved in making this kinds of documentation to know, so, like, you know, if, thank you for noting that down, like, I want to encourage you to do that because, like, it is an actual superpower to be really new, even though it might not feel like that in the moment. Some, yeah, anybody have any questions on self-assessment stuff? Besides me editorializing about the power of newbie gym.

E: I'm curious why the Go thing was necessary. Sorry, like, what Ella was doing that needs to go in the subproject.

B: In order to, so, to make a PR in Kubernetes with, like, a traditional git flow, you need to fork Kubernetes in GitHub and then copy that fork onto your local machine and then make a branch, and so Kubernetes is written in Go, so in order to run the right commands to do those things you need to have Go installed on your computer, or at least this is what I am assuming, so I installed Go on my computer.

A: And I put this in the chat, but my guess was historically the stuff that affects sigs.yaml requires compiling it, and in order to compile it, you have to know how to compile things and have the equipment to compile things, which, like, if you are somebody who develops all the time, does not seem like a big deal or really something you might need to think about much. But if you are somebody who does not have a lot of experience with that, is an extra layer of stuff. I have not put in a PR to SIG.

A: If we don't have other things about self-assessments, and I didn't mean to cut you off, Grace, are you good on that? One is discussion which doesn't have a name on it, which, because it's written in the first person with no name on it at all, frankly, I assume it's yours, but it helps if you put your name on.

B: Subproject is, like, to just, like, fill the repo, right, and, you know, really, like, almost, you know, just making Kubernetes like a self-securing community and project, because we have federated the knowledge of how to do a threat model, and so it would be really awesome if, yeah, we just filled the repo in every, like, you know, Cappy did a self-assessment, like, and having every part of the project do a self-assessment.

B: So as such I was thinking it would be really cool if we, if next KubeCon we did, and I was talking to Robert about this, like a dedicated two-hour session with, you know, it's basically like come with your architecture mapped out and an idea about the workflow that you want to prioritize doing a threat model for, using our session and our collective wisdom and experience, like Ian was saying, to help you build your threat model and then figuring out action items for improvement, and then, so, yeah.

B: That's basically it's like, let's just do a working session, get a bunch of work done together and by virtue of that, like, training a whole bunch of people, hopefully, for how to do a threat model. So it's like, you know, to me that seems like it would be such a huge benefit to the community. So before I go, and I guess I can just say, like, in terms of what I'm envisioning for help I would need for that.

B: Up for the self-assessment workshop, whatever, but definitely would want lots of threat model, modeling support, of, you know, depending on how many signups we get, and then also, and this is what Robert and I were talking about, just making sure, or just working with the CNCF, to build room and support for this type of activity, because it seems like there might not be muscle memory there, and yeah, okay, good, good fit for the contributors. So, right, that seems like, that seems logical, but yeah.

A: Guess there are a couple of, hey, I really like this idea, and I want to say that first, like I think this is a really good idea and I think people would be excited about it. There are a couple of different ways that this could be done, I think, and both of them are great and both of them are a little different. So it really just sort of depends on what you want. I think in general there is a large appetite, from what I have seen, for people to figure out how to threat model.

A: That's not necessarily a thing that's super intuitive for a lot of people, especially for people who don't come from security backgrounds, and if it was a generalized how-to-build-a-threat-model workshop, then I think that actually might be a good candidate for a, like, you know, whatever, is it 90 minutes these days, like whatever, you know, like they're calling a tutorial or a workshop or, like, that long KubeCon main track block this year, because it changes.

A: Sometimes that might be a good one for that, but that is a little bit of a different flavor and both of them seem good, honestly. Then the, like, what sounds like it might be a good fit for Contributor Summit is if this is a working session about self-assessment specifically for groups that might want to do self-assessment stuff, then, then, that, you know, generally speaking, longer blocks of working time for maintainers are good fits for Contributor Summit, so, like, both of those things are great.

A: Both of those things are overlapping, but not the same, so it really sort of depends on, like, what exactly you want out of that. If you want specific projects to end the session with threat models or the tools to have threat models or plans for their specific project, or if you want generalized modeling knowledge.

B: Like, yeah, general, like, so for, I guess, the, like, I could submit, like, a maintainer track for, like, here are the basics of doing a threat model. But then, during the Contributor Summit.

A: Or, I don't, like, I wouldn't recommend, if you were going to do a workshop, workshop, which would be huge, like, I mean, expect, like, multiple hundreds of people type huge, I would put it in the main track and I would get a whole lot of volunteers for it in a sort of similar way.

A: As that CTF that happened a few years ago, where, like, every security person decided to volunteer if they weren't directly involved in making it happen. Like, I think that that actually is a thing that could happen if you felt like you were prepared for it and wanted to put in the work for it, but I wouldn't do it as a maintainer track thing, because I think that's sort of the worst of all worlds.

A: You know, you're not doing the large, teaching large groups of people thing, and you're not doing direct maintainers getting maintainer work done, so, like, I figure, you know, both of those things could totally happen if you wanted to, and the preparation might actually overlap a lot, but it, I think, would be a different flavor of things. Okay.

B: So let me just make sure, so it's basically like, yeah, maintain, because the thing that I initially want to target is to have self-assessments filled with, like, yeah, like SIGs who have done self-assess, so, like, the maintainer track and contributor work. I think that's the initial priority that I'm envisioning, to secure the Kubernetes product itself, and then, like, maybe in Chicago or something, like, we could do, like, a jet, like, a maintainer track working session for learn how to build a threat model, or whatever it is you're suggesting. I'm.

B: Yes, yeah, thank.

A: You, yeah, no, that makes sense, and that way also you can kind of, you know, like Robert in the chat here is suggesting a kind of trial balloon. You know, just like, okay, like, do that. Do the lower-key one first before you're trying to prepare for a two-hour workshop, and then get some of those kinks out, and, like, I think that makes lots of sense, but yeah, I think for Contributor Summit, like, that would be amazing and, like, there's definitely space and time in that for something like that.

G: It seems like maybe the best algorithm here is: do some bit of an exploratory session for you, work the kinks out, and then maybe open up the kind of subproject.

G: You know, sign up here to go through a working session for the next KubeCon, after that.

B: Also need to do that, so when you say exploratory session, so I see someone, exploratory session at KubeCon EU.

A: I think I interpreted that and just changed it in the notes from having a Contributor Summit kind of working session, would I would describe that, everybody, contributors getting together working at KCEU, and if you wanted to expand that to a larger threat model workshop thing, maybe trying that at EU.

B: Yeah, that makes sense, so yeah, start with the Contributor Summit at KubeCon EU and then, which is, which, yes, definitely, like, nice, because I think, like, I wanna focus on, like, core Kubernetes first and then we can open it up to a main track sign-up tutorial, what have you. So, okay, and thank you, Ian, for putting in notes, it is hard taking notes and talking at the same.

B: Yeah, okay, cool! Well, that's really useful feedback, yeah, I think, like, yeah. My next steps from here are, first of all, to just get the vSphere CSI driver self-assessment done to build my muscle memory in this, so that then I can be of service and then start to, like, organize.

A: Feel like security, so that more people can see it. Yeah, I mean, that's a little bit, like, you know, up to everybody's individual discretion as members of subgroups, but if I, you know, I, the way that I've always sort of pictured it, and everybody gets to do whatever the heck they want, because I'm not actually the queen, is like, you know.

A: If there is SIG, like, like, subgroup-specific business, like, wait, should we cancel this meeting because so-and-so is out sick, or, like, that kind of thing, like, you know, like, specific work that the subgroup is doing that isn't necessarily applicable for everybody, like, to me, that makes sense in the subgroup channel. But if it is like, hey, are other people outside of the subgroup channel, who don't necessarily look at this, interested in this thing?

A: All right, so that is the last thing on our agenda, but that does not necessarily mean that we can't talk about anything else, if anybody brought anything else that they have questions about, concerns about, thoughts on, would like to talk about in this space. So leaving the floor open for anybody who decides that they want to talk about anything, and if nobody is feeling like doing that, that's also okay and we can leave for this session and come back for the next one.

A: Slack is open 24/7, always, and if people have things they want to talk about, you don't only have to talk about things every other week in this meeting, yeah. What are y'all thinking?

F: Yeah, is, is, is literally, like, about a couple hours. Hacking box is a European security conference, which generally has quite cool stuff going on.

G: Just a quick, I gave a talk to NIST. If anyone is interested in public sector stuff, we were talking about OSCAL, and I demoed how to use OPA and Rego for rules to generate OSCAL code. So if anyone's interested, they're going to post the recording. I don't have the link, but if anybody's interested I can send you my slides.

G: I'll also post the workshop URL so that way, when they post everything, it should show up. Pop that on the news.

F: Standards are also not generally maintained, like the STIG for Kubernetes is not, I mean, it's not updated frequently, neither is the NSA, against higher level. So it's less of a problem, but last time I looked at the STIG it was, and it doesn't, unfortunately, on the STIG for Kubernetes, it doesn't say, as far as I know, what version of Kubernetes it applies to, so you can't even tell, looking at the STIG, which it applies to. At least a CIS Benchmark, whilst it's not always updated, at least does say.

I: The reason I'm asking is because I'm trying to set up an internal pipeline process kind of a thing so that we can, like, preemptively answer these questions whenever, like, new Kubernetes version comes out and we're going to put it in our product and we're going to need to tell our customers, did anything change? Is it still compliant with the same things or not, etc. So I'm trying to put up, to set up a process for that, and I was wondering if, from a community perspective, we have anything, or if it's basically, yeah, every vendor.

G: Kind of every vendor do your own thing. That was, it, someone overlaps, by coincidence, with the talk I gave yesterday. So the idea of OSCAL is that it's a standard compliance control framework. They basically have a bunch of schemas, again, it's not baseline or hardening configuration focused, but that it would be one of the 800-53 controls. But what we're trying to do, and I think, you know, all of this also relates to the self-assessment, is.

G: Know, we'd like to help the communities and CNCF projects more broadly generate OSCAL for each of their components, and you could use that, because what the OSCAL requires is that you declare what security capabilities your component supports and/or needs, and then that, as code, you know, JSON, YAML, they also support XML but not as code, could be in the project's or subproject's repo. And then, when that gets, you know, changed.

F: Idea, so someone would need to write the checks, so you need to go their back, I kind of personally do it, like I go through the KEPs every release and see which of these major security things, but that's just one person having a glance through. That's not a formal process, and then I kind of, breaking CIS Benchmark change when I think about it, but it would need, I think you really need to do it properly.

F: You need to have that as a base for, like, raw Kubernetes and then each distro vendor would need to say which of these applies, because if you're managed Kubernetes, right, they're relevant, you say, well, that's not me, so you need to then, like, create a profile. It's theoretically possible. Well, I don't, I'm not aware! Anyway, we really feel someone is doing it, I'm not aware that they are.

G: I'm trying to look to see if they have the stuff from my talk. Yeah, they don't, but I put in the Google Doc the mini workshop, they're supposed to link the video, and I will, what's the best way to put my slides up? I guess I can just share my slides from Google Drive and I can put a link. Yeah. Give me five minutes after this call. I'll create a share link for my slides and I'll link those into this meeting's Google notes.

F: It was super fun, yeah. It was fun for the project to have, like, a thing that said, these are the new features in this release. If you are a distribution vendor, here's the things you should consider, that would be really nice. Well, it's just a question of, like, having some cool format, and that's, I guess, where OSCAL is going to come in, like how would you describe that in a way that can be consumed by everybody, yeah.

G: It could be, I mean, I know for threats you have things like STIX, TAXII, so you can imagine, you know, maybe OSCAL could fit that, but again, OSCAL, it's already big, so I wonder if it's a little too unreality, but maybe they have an extension, extensibility option. So it could be something that we kind of bolt on and OSCAL can link to.

G: But yeah.

A: Robert, if you didn't put those acronyms anywhere into the notes, I would like to encourage you to do so, because I'm going to screw them up somewhere, yeah, awesome. Anybody have any other things they want to say? Do we all have our couple of weeks and get to see each other on the Slacks and whatnot? What are y'all thinking?