From YouTube: Kubernetes SIG Security Docs 20220106
A: Hi everyone, today is January 6, 2022. Welcome to the Kubernetes Security Documentation project meeting. We abide by the Kubernetes code of conduct, which means please be nice to one another, and this meeting will be recorded and available on YouTube. So please be mindful of whatever you say in this meeting. Moving on to the agenda, let me share the agenda link. I saw someone join, so I think it's Eric, I'm hoping I'm pronouncing the name right, so please feel free to add yourself to it.

A: If you don't have access, please let me know. And how do you all want me to do this? Do you all want me to share the screen or just talk through stuff?

A: Okay, my Zoom is now saying open. Give me a few minutes. I think things changed in Zoom after the update, it wants me to watch me. Do.

A: Perfect, so I think, so it's newer, I'm just gonna go around the room and introduce so that we all get to know each other. My name is Savitha. I've been contributing to Kubernetes upstream for a while.

A: I was a part of SIG Release and then a part of SIG Docs, and now my primary focus is on SIG Security. This is some place, this... This is a place where I want to be, because I couldn't get to do this during my day job, and security is my passion. So why not, and this place is amazing, the entire thing is made up of such amazing people, who were, who are so nice that they would help you grow.

A: So if you are here to learn, this is a great place. If you are here, if you are ready to share your knowledge, again it's a great place. So that's all about me and the thought about what we do here. So I'm gonna move on to the next person. Who wants to go next?

B: I can go real quick. So my name is Eric Dicardi. You know, I've been a big fan of the Kubernetes community and just, you know, got very busy, bombarded last year, so hoping this year, with the new year, I can, you know, be much more involved with some of these SIG groups, and yeah, just excited to learn and also, you know, be able to contribute as much as I can.

D: All right, I could go next. My name is Rey Lejano, involved with Kubernetes for quite some time, and I was the last, the release lead for 1.23. Also involved with the various, a few other SIGs as well.

C: So yeah, oh, I'm Rory, so I've been doing security for a while now and I do some other stuff in the community, like help maintain the CIS benchmarks for Docker and Kubernetes, submitting some stuff around there. And I guess my background is security. I've been doing security for a while now, so kind of hoping to do more with work. I haven't, do a little bit, a bit, I'll continue doing more with the Kubernetes security and docs as well.

E: Hi guys, my name is Sharya, I'm a new grad from UC San Diego, very recent new grad, the past summer. I interned at Twilio and got introduced to the Kubernetes space, and I went to KubeCon this past year and met Savitha there. So that's kind of how I got intrigued and involved, and all right.

E: This is like my first meeting, but I really wanted to like see what this was about, and I definitely wanted to start contributing or just seeing what I could do in the open source world, and yeah. I don't really have too much background in security since I'm a new grad, but I did very recently take a course on cryptography and theory. So that's about as much as I know about the space, but I'm really excited to learn more and maybe research or do things like that.

A: Thank you and welcome, welcome friend Eric, and welcome back Rory. I'm so happy to see you all here, and I'm here to learn as well, Freya. So it's like the famous Harry Potter dialogue, like where help is, say Oscar... I forgot, I recently, I still have watched that movie, and there is a Dumbledore dialogue that help is available to anyone who asked for it. Something like that. So it's the same here also. All right, I'm gonna move on before I can keep talking for 30 minutes, but I'm not gonna.

A: Do that. I'm gonna move on to the discussion. Do you all have anything to talk about before I dive into these things?

A: All right, so the first up is something that I want to work on this year. This has been in the backlog for a really long time, and we don't have a checklist for deploying a cluster. There are a lot available on the internet, but we don't have any kind of recommended checklist.

A: If you have any thoughts, please feel free to jot them down in that issue, and also, like, I am looking for volunteers who want to help. You can partner up. It's not like you have to do it all by yourself. So multiple people can take things, and I will fill in more details, but I just wanted to ask, just bring this up and then open it up for everyone.

A: So we wanted to be as generic as possible, but if it cannot be generic, then we can start with bare metal and then deep dive into, like, a generic. I know we cannot cover everything and we cannot go vendor specific. So we will just try to say things like "hey, check".

A: For example, it's just whatever is in the top of my mind, I'm just going to say, like, hey, check if except second is actually enabled by default, but see if the policies are set and it's not in a warning mode, or things like that. And I bet Rory and Rey might have, like, more things on their mind which is related to actually what could go on the checklist. But I just wanted to bring this up and I hope that gives some kind of idea, Eric.

A: If not, I am ready to brainstorm and add more details to the issue.

C: I think that what we typically end up, what probably a good place to start is generic kubeadm, that's like the most vanilla Kubernetes there is, and then what we could do is maybe say, you know, if there's major distributions, add something at the end. But if we stick to, like, Kubernetes, that's nice and non-vendor specific, and it's also the foundation of a lot of other distributions.

C: So if you cover kubeadm, you essentially, inevitably cover, you know, what will be used by other places. So it's probably a good place to start.

C: We did the CIS benchmark because the problem was, if we didn't do that, it was like, which of the 140 distributions do we pick, right? And kubeadm is like, it's nice and not tight? It's like, because it's part of the Kubernetes project it just makes it a bit simpler. We've got to get that to that whole debate of, like, who wins. It's like? No, no! Let's stick to this, definitely.

C: Yeah, I'm in the benchmark. I think the good thing about doing something like this is we can, so people haven't come across a CIS benchmark, it's very like, "this parameter should be set to that". That kind of level, which is, it's cool, but it means you can't cover slightly more higher-level things, because the CIS benchmarks don't work that way. So I think something like this could be great, because it would be, it's part of the Kubernetes project directly, but also we can do things in a slightly less check.

C: It doesn't have to be so quite super scripted, a little benchmark. Yeah, the benchmark's useful, it just has its... You know, also the benchmark's 250 pages long. We probably don't want to do that again.

A: Yeah, we could just add that also, like at the end, like if you want to go in that, or like, if you want to try this out, hey, run this, or like a note or a warning; it's not a warning per se. It's like a note or additional information that if you want to go further deep down, or like, yeah.

D: Yeah, I totally agree. We should have, you know, we could list something like that, but we should add in the warning label. It's not warning, like what's labeled for third-party contents, and add in additional options, because since we don't want to pick the winner, the best, you know, seem like it's like the one tool to use, so we should have options or...

C: Would predict that once we've got this, you'll get tools vendors writing to it. As soon as there is a check, as soon as there is any form of standard that people can check things against, people will ask for it, and tools vendors will then say, right, we'll get our tool to check for it. That's the way it tends to work, so yeah. We should, we...

A: And do we have some kind of limitations, right, like if it's a blog? That is a different thing, but if it's going to be coming from the Kubernetes project as a recommendation, we really want to stay away from third party, right, like even the warning. Does that work, like if we had a warning? Is that okay, or do we really want to keep it, like, vendor neutral?

D: Ideally, we would keep it vendor neutral. The things that we have applied the third-party content label, or things already in the documentation. So I, if we can keep it vendor neutral, let's try. But if we do want to offer tools, we can, and then, but I would advise in giving more than one option, or several options, or as many options as we can, and still apply that third-party content label.

A: Sounds good, so I'm gonna just add all these things, like keep it vendor neutral and stuff like that, to the issue so that people are aware. I'll fill in these things in the issue, I'll explain it, and I'm gonna mark it as help wanted. So if anyone from this call wants to pick it up, please feel free to assign it to yourself, and you can partner up again, and if you need help I'll be happy to also work with you on this one.

A: That's what I want. That's all I wanna say about that one. Does anyone have anything else to add to it?

C: One thing that might be useful in terms of thinking about the tools thing is, I know the cloud native security TAG, TAG Security, are doing things like, they're gonna have, they've got lists of tools, so we might be able to say, you know, you could go and look at the CNCF's list of tools in this area. That gets us away from having to put anything like lists or maintain anything within this. We just say: hey, the CNCF maintain this list, you go talk to, you know, go look at their list.

A: All right, so I will, I just started attending the meetings yesterday, so I was really overwhelmed seeing, like, how many things they had, but I think it's gonna take a while for me to get going, what's going on there, but thank you, Rory, for bringing that up. All right. So does anyone have anything else to add on this topic?

A: So all I ask is that if you sign up, and if you want to do all the research, and if you sign up, I just want folks to follow through with it. I don't have a time, I'm not going to put a time limit on it. I think our project will also agree, because it can be a research thing, and not everyone comes with the security knowledge, just a passion that drives folks.

A: So if you don't have any, that's totally fine; if you have a little bit, cool; and if you're an expert, great, you can share all the things. So to answer your question, Freya, as long as you are, if you want to take this up, as long as you're willing to put the efforts in and do the research, I don't think anything like you should know everything, or you should... As long as you have, like, a little bit basic knowledge, like very basic knowledge about computer security. That's enough.

A: So 100% agree with that, like even coming up with a basic, a Google Doc with like 10 items in it, and then share it with the sharedness Slack channel or in the broader security community, people will start pitching in and giving more ideas, like: what, can we have this one? Can we, while, when we add this one, can we add, like, more, elaborate on this, and stuff like that? So it's all like... So in this thing we do everything by collaboration, most of the SIGs that we do.

A: I mean all the Kubernetes community's about collaboration, and here we want to make sure that we provide the help that folks need.

F: I know I've been looking for something to contribute to, just to get my, get, you know, used to the process and everything. So this might be one I'd look at, but I need to look at it first.

A: It's awesome. Hi Alex, I don't know if you might... hi, so yeah. You could pair up also, if you want that. That is also welcome. All right, if you have any questions, feel free to ask in the Slack channel or on the issue. If someone ado will be there to answer.

A: I might open one here, if you can all see it. So this, we discussed this in a SIG Security meeting, and the issue is that if the namespace's name matches the TLDs, I think there's going to be a DNS routing issue. Like the way that Kubernetes, if there is a service in Kubernetes, and how it's going to be different, is that I think it's the cluster dot, like it's just gonna, like, go down the... it's!

A: I remembered it, but I don't remember it right away, but there is no hierarchy that's going to go down, and if you have a DNS like, if you have a namespace that actually matches, like, an external google.com or something like that, there is going to be an issue when it's trying to resolve the service. Did I get that right, Rory and Rey or others in the call?

C: Yeah, basically the Kubernetes service discovery uses DNS. If you create a namespace called com and then create a service in it called google, that means that Kubernetes will create a DNS entry for google.com, and then, if any service inside the cluster tries to get to google.com, it won't go to the outside world. It will use the inside service.

C: So essentially it means if you had, like, a cluster with two groups of people, and they didn't trust each other, and one group of people created this namespace, and then they created a malicious service in it, they could essentially hijack traffic, or hijack DNS lookups that were intended to go outside. So yeah, it could be... It's not like every cluster has to worry about it, but if you've got, like, a multi-tenant cluster, then this could be quite nasty.

A: So, thank you for that explanation, Rory, and I'm gonna link to the discussion that we had in the security for additional context as well. So what we want help with is that in the service page, concepts page, please add a warning that if you use, like, just like Rory explained, like if you use, like, the namespace name is, like, from com, org, whatever, and then you use a, well, another... your service name matches with something that's already available out there.

A: There could be a potential issue, the DNS. That's the warning that we would like to add, and I'm not sure about the recommendations yet, like what kind of recommendations are we able to provide, but I wanted to capture it there, and we can always start a discussion on that if we wanna add recommendations other than trying to tell them to avoid using this. But I don't know if there is any specific recommendations that we can say to folks.

A: So this is one of the issues that, if you want to start out, if you are new, it's, like, super easy. Just adding something small and simple, go do that.

A: I will link the concepts, I'll link the page where we can add this warning. Just go there, and, like, if you are looking to contribute, just go there and add a warning telling that please avoid using public TLDs, and if you wish to expand, just add, like, a blurb, whatever we spoke right now, in there, just to give folks a little bit of context, and we can always go from there.

A: So this is one of the issues that we would, I need some help with, and if you are willing to take it out, please assign it to yourself.

A: That's what I wanted to bring up here. Does anyone have any questions on there?

A: Yeah, this was actually discussed in the main SIG Security meeting. I think it's been, like, a month ago, I don't know. So this was one of the follow-up action items, that okay, for now I'll put a warning so that folks are already aware and they're not just like, it's not captured anywhere or something like that. I think six kidding might, or other SIGs might work on some kind of solution to whitelist.

E: Are there any, like, accesses that we need specifically to be able to assign issues to ourselves? I'm not able to, like, have the "assign yourself" button.

A: Alex, are you able to open the links? It opens.

A: If not, you're flipping me, and now we can figure it out offline as well. And I have two minutes and I'm just gonna rush through this. This is a shout out for Rory. He put together a threat, admission control threat model, a threat model for admission control. So please, there is a threat model actually for the, it's in the SIG Security repo, and there's a blog that goes along with it. So there are two PRs, and if you're interested in it, please feel free to take a look at it.

A: If you have any, if you, you can feel free to review it, add comments, and I'll let Rory add more things. I mean, Rory, do you want to go and say something about it?

C: Yeah, very quickly, yeah. So it's just something we did last year, and good, can I get it to the finish line? It's just a threat model looking at admission controllers, which are heavily used in Kubernetes for security, and some of the risks in those and how people can mitigate it. So hopefully it's... and I'm merely learning exactly how the GitHub, like creating issues, merging issues thing works. I will get there and it'll look good eventually, but yeah, so hopefully, yeah, if anyone's getting any feedback on those, that's always useful.

A: Thank you, Rory. So if you're interested, even reading about what it is, feel free to... the PDF and the diagram and everything is already, like, up to date and it's clear, so if you're interested, trying to learn, it's a good place to start as well.

A: If anything comes out, please feel free to start a thread in the Slack channel. We meet once a month, so you don't have to wait until the next meeting to ask, or like ask for help, or if you have any ideas to share, don't wait until the next meeting. We have a Slack channel, go hop on there, start a discussion, and we can collaborate asynchronously.

A: I just want to call that out, and if you need help with anything else, please feel free to reach out to me, or again, make a post in the Slack channel. One of us would be able to help, or at least redirect you to the correct SIG or person. So...

A: That's all I have, so until we meet again, take care, stay safe, and wish you all a happy new year once again. All right, everyone, see ya.