From YouTube: Kubernetes SIG Security 20221117
A
Thank you so much for coming to yet another Kubernetes SIG Security. I'm Tabitha Sable, I'm one of the co-chairs, and I'm just really glad that I am able to help to make this space come together, so that we can work to improve Kubernetes security together. You can refer to me as she or they; those are appropriate.
B
You, thank you. I literally just found out about it yesterday, and so I figured I'd join.
B
My name is Ori and I was CTO of MuleSoft till a year ago, and now I'm working more directly in the Kubernetes space on intent-based access control, so I figured this might be a relevant group and would love to see and feel how this group works, so I can help.
C
Okay, I can go next. I'm Wilma and I am representing Apple.
D
C
We have the internal department of Kubernetes within Apple and, yeah, so just trying to get to know this group. And I think there's one agenda on the item that we want to get, is to get a CVE, to know them before they are publicly available. So that's why I'm here, and we'll be joining regularly.
D
I can go next. Some security PM for tons of Kubernetes platform, something at VMware. I'm the new problems umbrella now that Pushkar left.
A
D
D
E
She/her, out of Boston. I'm the sub-project lead for self-assessments and, yeah, always a real highlight of my week to be here, or my every other week. Thanks.
G
Hi, this is Pushkar. I'm a project lead for security tooling. I love, love to hear and make dreams come true to make Kubernetes more secure, that are mine and others'. Welcome everyone who has joined newly, excited to have you, and one of my highlights of the week every time we have this meeting.
H
Him, from WithSecure. I do security consultancy, helping people fix their, or find, issues in the Kubernetes clusters, and I didn't know how to not have those issues.
I
Eric Smalling, hi, with Snyk. Sorry, I'll get over quick, divided with a Snyk, here to help where I can. I helped Pushkar a lot with the scanning of k/k and other things.
J
K
Yeah, hi, Benjamin here from Germany, and I also do, most of my time, Kubernetes security consultancy for larger institutions.
M
N
Back here, she/her. I'm the lead for the documentation subproject, here to meet my friends, share and learn.
C
A
K
K
F
Please. I noticed that Ray wasn't here, so, yeah. So the report, as Ian mentioned, who's on here too, who knows more about than I do, is finalized, and it's just arrangements are now being worked on for, like, communications around this release and exact timing. So I think that's where it is, but yeah, the actual content of the report is now, I believe, finalized.
A
I can totally, I can totally validate that from the SRC side of things, working with, working with NCC to make sure that we have a good, a good release when the, when the report is ready to go.
F
Out, and there's a CVE which came out, which was one of the things that was from the report. The two recent CVEs, I think it was last week, one of them was one of the report items, so we're looking for earlier release information.
L
Yeah, I just dropped a link into the chat for one of them there. It's not the highest impact of findings, but to give you a little sneak preview, there is a CVE there that does fix one of our findings. So if anyone wants to go and have a nosy, there is a link in the Zoom chat, not in Slack.
J
J
Other than I know all and I have been communicating on Slack, and with others of course, and Pushkar, from the KubeCon Detroit discussions. Definitely want to then circle back around and incorporate methodological learning so that we can inform the self-audit or self-assessment process.
E
Robert, I, is, I, I, actually I'll get to this one second. I was at the TAG Security meeting yesterday. Is, is attending that meeting a good place to, to just keep abreast of, of those things, or is there.
J
I'm, I, I think that is the meeting to go to. Unfortunately, it always seems to conflict with my calendar, so I'm never able to join as much as I'd like to, but I don't know if they have a breakout. They used to have a breakout called.
D
J
On the assessment pipeline, so I would also go back to Brandon and, and folks on an ash and see if that's still happening, but I mean, that is a good meeting to attend. Okay.
D
A
All right, then. We have in the notes here no big announcements to make from docs subproject. We'll pause here for a few seconds in case anyone has anything they'd like to bring up with regards to docs project.
I
I'll just raise my hand as the guilty. I had volunteered to help review the hardening document and I've been too busy to get to it, and I, I'm going to try now.
N
No, no race at all, Eric. I was gonna just say that if folks had a busy week, a couple of weeks, so probably I'll just, like, catch up back next week.
I
Because I'll be at KCD, but and.
N
Then, after that, yes. Thank you, and don't feel bad at all. We all volunteer and we are all passionate about security. So it's, please don't feel sorry. I'll.
E
Side make progress. I, so we did the CAPI retro at KubeCon. I went to the CNCF TAG Security meeting yesterday to share the retro lessons learned, got some really good questions and engagement.
E
There are no specific action items really, just, I think that's going to be a meeting that I attend regularly to just keep the connective tissue going between the groups. And while I was there, speaking of connective tissue, I also mentioned my idea for a threat modeling workshop at the Contributor Summit in Amsterdam, and everyone was super pumped about that, and also I think I have a title for it. It's called "Assess Yourself", like, like the, yes, yeah, like, what was it, that TV show?
E
Oh my goodness, it's like "treat yourself", but it's like "assess yourself". So I'm excited about that.
E
I thought that was me, I don't know. We could, we can workshop the title together for something that is ridiculous and something that we all get excited about. But anyway, so I also continuing with my learning of, of all things Git and version control.
E
Thank you. Made a massive shout out to Tabby for educating me on the history and everything. I'm still having trouble. I forked the repo in the cloud, and now it's like, it's like step number two is like "create a GOPATH" and I'm just like, I don't know how to do that. So I posted in SIG ContribEx to get some help, and I have a couple volunteers.
E
So I'll be just scheduling some time tomorrow for just some one-on-one. Like, I need to create a Slack channel for the vSphere CSI driver, I need to merge my little, like, write-up documentation, and I also need help updating issue 957, which is the, the closeout tasks for the CAPI retro, and I also need help creating a meeting series. So yeah, I have a wish list for things that I need help with and for.
P
A
And Ian, we, we are the ones who go and make those, like, on the Google Calendar.
A
A
E
And I think that's part of what's slowing me down, is that I'm trying to aggregate my learning curves, I'm trying to aggregate my learning curve with actually doing things. So I think I need to separate those things and just use the GitHub automation to do the simple things, get comfortable with that, and then I can, I, I can, you know, get creative with Git. So yeah, I think I need to just, yeah, keep things simple for, for the current, but yeah.
E
My goal tomorrow is to just create the Slack channel for the vSphere CSI driver, so I can start coordinating that properly, and, and what was the other thing I said five seconds ago? Meeting.
E
Meeting series, and also, yeah, getting that issue updated. So yeah, I, I, that's my goal for tomorrow, and, but yeah, so, and, oh, and the other thing for the, the "Assess Yourself" session in Amsterdam. I was thinking I could, I actually have reasons to pop into the SIG ContribEx meeting, in the SIG Arch meeting, so I was thinking.
E
I could just socialize that idea with just other SIGs to, to, to see if there's a desire for that, and if people would get excited about it. So yeah, that's it for me.
A
Before we, yeah, before we move on from there, in light of what Rory was telling us earlier, free workshop idea for anyone who has the experience and desire: different types of Git workflows that can be useful for contributing to Kubernetes, because there's the, there's the complete and detailed end-to-end one where you have your fork.
A
E
I was thinking, as part of my learning experience, that I could do, like, a demo of, like, recording myself, where, like, I just want to change some YAML here, like, this is an example of a workflow where you don't need full Git. So yeah, just, like, documenting my learning process, kind of to get at what you were saying.
A
M
E
E
What I'm aware of is the material that we have for the CAPI self-assessment. I have been, I posted in the SIG Security channel in Kubernetes, and some folks replied with, with documentation and tutorials that would probably be useful, I was thinking, maybe as a pre-read to this session. So I guess the answer, so, but I'll pause there. I don't know, like, Tabby, Pushkar, are there other resources that we have in Kubernetes that are sort of tried and true things?
J
Going back to 2019 and maybe 20, and then repo from the first external audit, and then there was a financial, forgetting the SIG, but kind of a financial services oriented threat model. So I don't have the links and I'm dialed in, but I'm, there are some repo contents on exist, existing threat model documentation.
E
A
Think in the, I think in the, the CNCF financial users group, if I, if I remember correctly.
G
Yeah, so zung, that's one of the oldest resources I know for threat model, and obviously the, in older security audit had a section for threat modeling of Kubernetes. I'll share that link as well, and there is a good chance the newer one might have something listed, and yes.
B
Just out of curiosity, since I obviously have not read any of this since I just joined, but is there, when, when people are doing the self-assessment and based on a security model, is there something there to remind them to also make sure they have enough forensics tools, so that if they do have an issue, they have some way of recreating what happened? Because that's one of the things that I found in my experience that people tend to overlook, is you tend to do a lot of preventative stuff.
D
L
All right, cheers. Yeah, I've been thinking a bit recently about kind of post-compromise behavior as well. Tabby, I know you and I discussed this on a meeting a while back. Kind of, it might be quite a cool project to put together that is either forensics or, from my viewpoint, as an attacker, how can I hide and not get caught by forensics slash auditing?
L
You know, if I'm a, a cluster administrator, what can I do to make sure I've got someone out of my cluster without rebuilding the whole thing? I think this would be a super interesting blog post slash white paper to possibly put together. I know I have some very draft notes on this, but quite happy to propose this as a wider idea.
B
Yeah, I'd love to help with that. In our previous company, that, in my previous company, one of the biggest issues is, we didn't actually have compromises, but when we had vulnerabilities we had to report out, we couldn't actually tell our customers, like, where we would have been able to detect if there was an issue, and that made the incident a lot bigger than it actually needed to be. Wasn't a breach, but it was like, we couldn't tell you whether there was a breach, and that was almost as bad. So.
D
J
Oh, I was just gonna add, so I literally this morning was having a call with NIST folks, and they apparently have an effort spun up on cloud forensics. I, again, I'm down, then so. I'll post the link in the Google Doc.
I
J
I get back, but I don't think they have published SPs or IRs yet, but I think that is what they are working on, and I know that they're very open to, you know, reviewing and collaboration with the open source community. So I'll review those materials and report back here, but I'll post the link so others can review that initiative as well. It's not Kubernetes specific, but it's cloud specific, so, and then, yeah, and in general, just to be a little snarky and audacious.
G
Another resource, Yuri, sorry, we are sending too much information your way, maybe than you need. We have a cloud native security white paper where we had just a theoretical understanding and explanation of how to do incident response in cloud native environments in version one. In version two, some people who work with people who are victims of ransomware attacks actually ended up adding a section where they took that as a use case, like, if you have a ransomware incident in cloud native environments, how would that look like?
G
So they added that section in version two as well. So right now, we are actually collecting feedback for any content that we have in version two. I shared a link to that specific section in the Zoom chat. So if you take a look, read it, please let Savita know about it, because she is leading the movement free effort, so we might be able to improve on anything based on your experiences.
A
And I, I do feel like that'll be a really nice thing to explicitly encourage in the self-assessment process docs, of, you know, when you are considering the security life cycle of your application that you are self-assessing, consider also what your application, or what the code that you're doing the review of, can do to make life better for the folks who are responding to some security incident at some point in the future. You know, like, like put on your thinking cap and assume that all of the bad things have happened.
A
B
Yeah, totally, definitely. Just, just to echo that, I remember in several security incidents we had, it was about a day or so to close the vulnerability and two to three weeks to then deal with the aftermath of that, and just in terms of relieving pain. So having that information can, you know, will resonate with people.
G
L
G
All right, so two quick updates. We had two PRs, one from Diego, one from my, both are merged now, and the job is still green, so the code has been added or edited, but it still works, so, which is great. Thanks, both of you, for working on this and just being really good open source citizens of seeing something, doing something about it, and then working together to make it happen.
G
Second update is we had a meeting couple of days back on tooling, where, like today's meeting, we had some new contributors and new people who joined, so it was great fun chatting with them, introducing them about tooling, other subprojects, as well as our SIG. I'm glad to see some of you in this call as well today. Thanks for helping me out on making people welcome, and it's great to see some of you here today. So that's it from me.
A
G
So, thank you to Allah, Savita and Tabby for representing the whole SIG on behalf of all of us in KubeCon. The talk that they gave is up. I really enjoyed it. Thanks to Ray for moderating the session as well. If you are new to the SIG, these are the sessions that are exactly meant for anyone who is new and trying to figure out what's going on, so if you weren't at KubeCon, haven't been able to catch up, now the recording is up.
G
G
A
Next thing that we have here is Benjamin: you have got a cool idea and you want to share it with the rest of the folks here.
K
Yeah, exactly. So my main problem this and the last KubeCon was that I couldn't attend, but I wanted to play the CTF, and so I came up with the idea to, like, organize, let's say, real CTF, make it some more, yeah, make it more.
K
That's also folks who cannot visit the conference itself can play the CTF, and yeah, I had quite some ideas how you could potentially organize this one. So it's, yeah, so I, I'm also in, like, let's say a semi-professional CTF player, and some, our CTF team organizes the CTF for the Hack.lu conference. Maybe you know, maybe you know the conference, it's in Luxembourg. And yeah, and what we had over the last two years is, we had, like, these sponsored challenges.
K
Well, actually, companies could reach out to us and could hand us over their challenge, and then we playtested these, these challenges. The companies then receive feedback from, from us, and yeah, then they worked in the feedback, feedback, and afterwards, if we, if we talked about if the challenges itself are fine and, and fun enough to, to publish them in the CTF, and then we published them. And maybe that's also a good idea for the KubeCon or CNCF conference, where you, like, go.
K
You know, where you talk to the companies who attend there and maybe ask them if they wanted to submit the challenge. Yeah, it's, I think it's good for the visibility of the companies who submit the challenge, and it's also nice for the folks who cannot attend the conference that they can at least interact a bit with maybe their tooling or something like this. So yeah, that was the, that was the main idea behind it, and I just want to know what you, what you think about it.
K
Yeah, I think the, the biggest challenge you have if you, like, organize a CTF at that size, because KubeCon is not, in, not a short conference, they are attending many people.
K
It's, you kind of have to get the scaling right. So because it's like a public CTF, you would also probably, or you would also probably announce it on, like, the CTFtime, and so the CTFtime is the platform where, like, every CTFs are normally announced and handled. Maybe.
L
K
Probably have, have around, I would guess, around five to ten thousand people playing at this large conference. So if I compare to what we had at our Hack.lu, they were around 1 200 teams, I'm, competing, so, and I think the KubeCon or the CNCF conferences, yeah, still a bit larger. So, so.
H
K
But I think it's, but I think that is because at the CTF at DEF CON was, like, a real Kubernetes CTF. So when I know from the main folks that are also involved in the CTF scene from that, they are.
K
Let's say not that, yeah, not, not that interested in Kubernetes itself. But I think if, if, but I think if we do it for, like, the, for, like, different CNCF tools, or maybe, like, different CNCF projects, yeah, I think that could be a really cool idea, that you, like, represent different projects with different challenges. Yeah, yeah, I.
O
H
O
Because I think even that they are a bit struggling with the size sometimes, it's providing all the clusters to everybody. So maybe we can have some feedback with, like, have some experience from the, the multiple experiences. So maybe this will be interesting, because they, I think they only focus on Kubernetes stuff, like, the CNCF scale, but it might be interesting to talk to them.
K
Yeah, okay, so I think it may be a good idea to reach out to those folks and talk to them and maybe also announce them the idea, and maybe we could, like, organize it together.
P
Highlight that, and I'm not mistaken, the CTF KubeCon Detroit was for only people who were attending SecurityCon, and I was hoping to be able to play the CTF, but I wasn't attending the co-located event, so I wasn't able to do it, which is something sad. And with this year, SecurityCon separating from KubeCon, this, this might be something that we can offer anyways.
A
Yeah, this is a, this is a large community tradition that you are, that you are stepping into here and wanting to contribute to, and I think that that's wonderful. Like, I know that Rawkode has had some independent Kubernetes security games that he has published with the Klustered series on his podcast, question mark, and, you know, I, like, I personally have done a couple of, of Kubernetes-related CTFs, like, at various conferences. You'll, you will definitely find a lot of support, both in Kubernetes security and also over in CNCF TAG.
K
Yeah, okay, that would be great. Then I think I will definitely try to organize it then this year, and I will reach out to the guys from Control, ControlPlane, and also ask in the CNCF channel if there are some either companies or individuals who wants to, like, contribute a community challenge. And yeah, then I think let's create an, yeah, let's create an open CTF this time for everyone at the conference. I think would be great.
K
K
You can contact me either via Slack or, yeah, I think Slack is fine. You could also contact me in my email, I guess.
K
Twitter is also fine. If you contact me via Twitter or via Slack, yeah, that, that should be fine. So my Slack is right here, or just my name.
H
K
So it's a video, you think it would be helpful to create an, yeah, I think it would be, yeah, I think it would be helpful to, to create an issue for the, for it, just that you have, like, an overview over what's, what is then to do, and yeah, I think that's a good.
K
That's a good idea to do it, because I, I also think, if I, or on my, my thoughts were about it that we maybe also need, like, a little committee or something like this, because if you have, if you get submitted challenges, you have to playtest them, and you also, maybe you need to, like, organize a bit what challenge is, let's say, yeah, at which stage and.
C
K
Yeah, exactly, exactly, and that it's also fun to play, and not maybe too guessy and all of those stuff. I mean, we, we, we fully went, went through it in our CTFs, so I think I know a bit where the pain points are, and yeah, I would love to, yeah, I would like to organize it then this year for the KubeCon EU.
A
F
Yeah, this was just in case anyone hadn't seen the new enhancement tracker. There used to be a Google Sheet that you could look out for all the enhancements for a given version, and there's now a nice shiny tracker on GitHub. Just in case, because I, this totally slipped my mind until today, which is the new release's coming out on 6th of December, which is really not long from now. So, if you're interested in what's coming with 126, that's probably the best place to go and read.
F
That's why I always do, just go and read through the list and see, like, what's coming. And I know, I think we mentioned the last meeting about thinking about what changes coming each version for security. That's typically the best way of doing it, is read through that lot, and, and there's things pop up which are kind of fun to read through, so just.
A
M
We're done, they did, a very quick, maybe beginner question, because I did my first goal and for the, for the group. So do we have an issue list for older version of Kubernetes, like 125, 124? Where, where do I find these older issues?
F
That's the new features that are coming out. There is, I don't know how easy it would be to find it. Generally, it's with the release information. There should be a, a link that says KEPs, and KEP is a list of new features, or features are changing, like graduating or becoming new, but it was kind of hard to track. I used to have to track, find the spreadsheets link for previous versions.
P
P
Yeah, I, I can send you all the spreadsheets for 1.24 and 1.25, and they kind of follow the same bitly patterns that can help you trace back, but they're all in a big clunky sheets.
M
Thanks gray, is it, but is it on, is it documented in GitHub or somewhere in, in CNCF?
P
M
P
Yeah, so it should be in SIG Release, and then, if you go to the specific release, it should be there.
A
They're good changelog files, which unfortunately I can't tell you just off the top of my head where to find them in Git, but for each one of the releases, there's, there's the changelog that I think is more or less a list of the KEPs and the, the informational write-ups that were provided by the folks coordinating those KEPs, and those go way, way, way back. I, I know that I have used those when I've been doing historical research about when certain features were added to Kubernetes or, or whatever.
A
M
So one of the things that I learned is that certain cloud vendors, for example GCP, they release their Google Kubernetes Engine six to nine months after, after CNCF. So, so, so that is another thing that we need to, to basically try to understand, you know, the, the original they of CNCF and then versus the cloud vendors they as well. So I don't know if anyone here having some kind of experience, but, you know, I like to try to coordinate the two and then understand what had been done in each area.
F
So it's really interesting. I, one, I've, and I've been loved to know, federal school resources, I'm not aware of a resource like maps, like, you know, which features are in which cloud. It's really useful if there was one. But yeah, it's a good point. The rfw schedules are not, like, synchronized once you get out with Newton source project, I don't think.
B
So can I ask another kind of newbie question, since we have a moment?
B
Come to, I'm part of the OpenAPI TSC, so I know kind of the, the zen of how those meetings work, but I don't know how, how these meetings work, so I'll kind of be out there. One of the things I really like about that TSC is that we get to talk a little bit about sort of abstract directions and see whether it kind of resonates with people, and that, that gives everyone some idea of whether, you know, to invest time in it or so on.
B
So the, I mentioned a little bit of, of intent-based work that, that I've been thinking about, and, and just wanted to spend maybe 60 seconds and seeing whether this, this is interesting to people, that the thinking is that, you know, I remember back when Kubernetes came out in 2014 and I was, like, super excited in something that was kind of intentious. You basically told it what you wanted things to be.
B
And, of course, it's been, you know, eight years since then, but it's occurred to us recently that you can do the same thing for security, where, instead of, like, we're all trying to do, getting people to necessarily be security experts and doing self-assessment and so on, which they should still do, is there some other way that we can interact with people who are not security experts through Kubernetes mechanisms to get more security into the cluster?
B
And the thinking is that if we know the intent of what their applications were supposed to do, we could automatically create all sorts of security mechanisms around those things without having them explicitly go and, and, and sort of proactively do those, those security mechanisms. And that's kind of the thinking behind intent-based access control: that if you knew what the thing was intending to do, then you could kind of lock down access to just those things that were intended and stop all of the unintentional stuff.
B
J
Where it intersects with controls, this is def, this is definitely what we are wrestling and wrangling with in the policy work group, and from that perspective, I'll just point you into two resources: one is OSCAL, which is a NIST open source framework for defining control catalogs and control implementation, and then a corollary publication is NIST IR 8011, which is more about expressing security capabilities. And then I, I will post the link on the Google.
J
Doc. I gave a talk kind of merging the two, of, if the components, so Kubernetes could be considered a component in that model, express their security capabilities, and the control framework knows how to digest those security capabilities, I can kind of figure out the, the matching. And then I demoed using OPA, Open Policy Agent, Rego logic in a kind of a prototype.
J
B
I love that approach. Just, just to weigh in for a second, because what intent-based tries to do is, is actually say: okay, here's what's intended to be, here's what the controls that are, that can possibly be enforced are. Let me just make the two, let me, let me get them in sync, rather than introducing the new control. So I, I love the fact that there would be some way to discover those controls.
A
It was reminding me a little bit of, like, the pledge system in OpenBSD, which is a simplified sort of application self-sandboxing kind of thing. Rather than having a lot of tools for building a very fine-grained policy, like the way that.
A
Seccomp works, instead, like, the developers looked at their code base and they came up with a few buckets of common types of operations, and, you know, you lose something in flexibility there, but you gain something in, the application developer can look at, like, eight buckets and say: oh yeah, this program is trying to do terminal.
A
I/O, just let me say that I want to do terminal I/O. And, you know, the extent to which something like that, where you, where you simplify the kinds of intent you can express in order to make it simpler, like, less of a, less of a bump to actually expressing that intent. You know, how well those succeed depends in part on how well the buckets are bucketed compared to the actual needs of the actual users, but it's at least an interesting step to see, you know, what does it look like when you give ultimate flexibility?
A
B
So, I mean, we, we wanted to kind of push it all the way towards the devs to simply say, literally just tell us, like, declare us, but declare in a manifest, like, what it is that you're trying to call. You know, I'm trying to call this particular resource and, and so on, or I'm trying to make this database call or whatever. Just literally write that in a manifest, and then, given that, because they don't know anything else, configure all those controls that we were talking about a moment ago to make that happen and, and stop anything else from being able to happen, because, as we know, what, what the hackers will do is they'll go in there and then they'll pivot and they'll.
B
G
B
O
A
A
That means that we have set out to, we have, we have done what we have set out to do. As always, it is great to see everyone. Look forward to seeing folks in another Kubernetes security meeting, and until then, Slack is open 24/7. Have a great one.