From YouTube: Kubernetes SIG Security Tooling 20220215
Description: No description was provided for this meeting.
A: Okay, so it's two minutes past the hour. Let's get started with maybe a couple of introductions. I'll go first, and then whoever wants to continue the roll, keep rolling and introduce yourself. If you don't have a good mic or audio system, feel free to say hi on the Zoom chat; that's fine as well.

A: So I welcome everyone as usual. This meeting is going to follow the Kubernetes Code of Conduct, which basically means please be excellent to each other. I'm your SIG Security Tooling lead, and we are a group of people who work on improving Kubernetes security through projects that we drive, and we help other SIGs drive projects that are relevant to security.
C: You know, I'm Tommy, I'm a security engineer at Datadog. A couple of you know me; I have been kind of lurking around here for a while now, but yeah, just here to keep participating and get more contributions in.

D: Yeah, let me introduce myself now. Hi everyone, I'm Neha, I'm working at VMware in the Tanzu Service Mesh team. Apart from this, I spend time working on open source Kubernetes projects like SIG Security Tooling and also on SIG Network. So I am currently working on one of the stories, also in SIG Security Tooling, where we are trying to create the CVE list using some automation, so working on that, yeah. It's great and exciting.

E: Hey, hi everyone. This is Bapu, I'm joining from Malaysia, it's 12:30 early in the morning, and I'm working at Standard Chartered Bank as a container security reviewer and assessor, right. So this is...

E: ...joined here and trying to understand what is happening at this SIG, at this group, right, so trying to understand how more tools can be onboarded and...

E: ...are heading towards sunset, so I'm just trying to, that's all my agenda in joining this. I might initially be a listener for a couple of sessions; eventually I'll start contributing. Thank you so much for the opportunity.
A: Okay, no worries, so we'll get started. This is really like an open agenda meeting. I know we don't have this generally; we have an agenda with either a learning session or a working session where we go through a couple of issues, but sometimes these kinds of meetings are useful where people can bring their questions and we can talk about them, and hopefully that sometimes is more useful than going through a specific topic. So let's try this today.

A: Anything you have on your mind, just raise your hand so that we don't speak over each other, and then ask your question or share your thoughts, and we can discuss it for a bit and then move on to the next one. An alternative plan is also that you can add your points in the discussion section in the link I just shared, so that we don't miss out on anyone who might not have had a chance to speak, and we can continue discussing it there.
E: I'll take this opportunity to clear some doubts of ours. I have one question related to Pod Security Policy. Since Pod Security Policies are heading towards sunset, and we have been using them in our environment, I would like to understand which one is a good tool.

A: You will have the three Pod Security Standards built in to Kubernetes, and they will be checked against using the admission control framework.

A: If you want more control and more decoupling of policies from the Kubernetes cluster, and want to, let's say, apply the same policy across multiple clusters, then you could use some other policy mechanism tools like Kyverno, OPA, Gatekeeper and some others, where they will also do something similar, but they will exist not as part of Kubernetes but outside of Kubernetes. So they will essentially make a call there, and there is sometimes some caching involved, where they will allow you to decide whether a pod will be allowed in the cluster based on policies that you have defined.

E: Awesome, thank you so much for giving both options, which can help to solutionize having single tenancy and having centralized policy management, right, across multiple clusters, whether it is single or multi-tenant, yeah. Thank you. I think that sounds like a good direction for me; definitely I'll explore, and if I have further questions, maybe we can discuss in the next session.
A: Last week, last time when we met, one of our members, Chris, actually shared a work-in-progress tool that converts PSP YAML into Gatekeeper YAML or Kyverno YAML, so I'll just share that link on Zoom chat for you to take a look at that tool. Maybe that's something useful if you are really looking for some level of automation to convert whatever you had in your environment into something that exists outside of Kubernetes.

A: Also, if there are no questions, this is a totally optional meeting, so you can feel free to drop off and we can also meet next time. But if you have questions, I'll hang around for about half an hour or more.
C: Yeah, I think I had just a small question on the issues in our repo. We have one that's been sitting around for a little while that's regarding creating a list of alert-worthy events for Kubernetes, and it seems like this kind of came off the back of the NSA and CISA hardening guide. It's a little bare. I just want to know: is this something that we're still looking for, or is there any context?

A: Yes, I think the direction you're going is right. That is exactly the intent, so some context behind that, which I should add in the issue as well. When we were writing the blog, one of the things, one of the pieces of feedback that was discussed was: we don't have any guidance at the community level on what we should audit. We have guidance that we should audit, but we don't have guidance on what we should audit, so having something like this would be helpful, but going one step further...

A: It was also like, okay, we are auditing, let's say, cluster admin access, so anything cluster admin does, we will audit. The next part of that was: what, in that audit log where cluster admin is doing something, will be alert-worthy?

A: So if cluster admin is just creating pods or creating new namespaces, maybe that's fine, but let's say cluster admin is going to loop through all the Kubernetes secrets, one after another, for all the namespaces. Maybe the cluster admin really doesn't need to do that. So that means something else is going on, where either maybe cluster admin is a malicious insider trying to get all the secrets from all the applications, or cluster admin has been spoofed and some attacker is trying to do it with the cluster admin credentials.

A: So that was the thing. Those were the kinds of events we wanted to share as part of some docs. We can find a place for it, where okay, fine, we know what to audit, but what to alert on is something we want to add. So if we can come up with those kinds of events, where, assuming we are auditing this, if this happens, this would be alert-worthy. So that's the list of things that we need to come up with, basically.
C: Gotcha, yeah, and I think this could also use pieces of the admission controller threat model, yeah. You know, things like, I think a new admission controller being registered is probably alert-worthy, so yeah, I'm just trying to get the scope. So it's more like, given that these audit logs are being collected...

A: Yeah, I think your instinct is definitely right and the direction is right. Maybe a good starting point would be to come up with a one-line or two-line event description for each of the ones that you have and just add it as a comment in the GitHub issue, and then all of us can continue from there and add our own, and once we have a good enough list, maybe a dozen or ten, then we can pull in the SIG Docs people and say, hey, we think we have good enough content.
D: Hi Pushkar, I want to discuss a few issues on that CVE task. Yes, yeah. So actually I have, I mean, I've created a shell script to create that JSON blob, but I used some jq tool in that, and then I thought that if we get some issues in that, like if the image does not have that tool, or I was wondering, I mean, yeah, I thought about this, and then what I thought is, actually we have some more logic to add.

A: But yeah, the only reason I'm thinking Go might be good is that the PR creator tool that we are going to use, and write our logic on top of, is also, if I'm not wrong, in Golang.

D: Okay, okay, okay, okay, let me then, I mean, write this function in Go, like, maybe, okay, we'll do that. But apart from that, I was checking that autobumper tool also. Yeah, did you get any time, did you look at that? I mean, I have a few doubts there, but still I will explore.
A: If you see the link, it's like two or three files of Golang to create that PR. There is not a lot of README or documentation. So that's a good opportunity for us to add it, just because we're using it. What might be helpful, yeah, I'm thinking, is maybe coming up with, and we can make this part of the KEP also, coming up with all the requirements that we have for the tool that we are going to create.

A: If it's going to be a lot of work, instead of doing everything in one issue, so, for example, maybe we'll say one requirement is: I'm going to pull the JSON blob using a GitHub query; then the second would be: I will compare it with the existing JSON blob; and the third will be: if the JSON blob is different...

A: I will call the PR creator tool to create a PR on k/website, and in that we will have to also add the labels and other things to skip review, etc.

A: So maybe those things, if we come up with them, and maybe write them as an issue, or you can use an existing issue, we'll have good clarity into what we need to do, and then it might be easier to actually implement it. What do you think?
D: Yeah, yeah, this is a good idea, because only then will it be clear, because, as I was, I mean, actually trying to complete this first part, but then I thought that the autobumper tool we also need to explore, and so maybe I'll create a few issues in that and...

D: Okay, okay, and do you know one thing, like, where do you see how autobumper uses PR creator? Did you see that at any time or not?

A: Everyone else, if you want to just follow us, feel free to be in the call, but if you're feeling bored or would rather do something else, it's fine if you want to drop off. So I'll share my screen; let me know if you see the...

A: Yeah, I think Rajas is also somebody who's been playing around with this, yeah. Okay, and probably...
A: So it looks like this is another package that the bumper is using. Maybe it's the same one, maybe not. Let's see. Oh okay, it's giving a 404: test-infra, experiment, image-bumper. Let's see if we can go from here: experiment, image-bumper. And is it over? Are we back to where we were? No, this is different.

A: Yeah, yeah, yeah, so, I mean, in a way, if you think about it, we can do everything in Unix for now, except the part that will be different is we'll have to compile the PR creator tool and then call it using the command line to do what we want. So if it doesn't have a command line interface, then we won't be able to use it as is. So that's maybe another good question to ask Rajas.

A: Oh yeah, it's probably in one of the issues I created, right.
D: Yeah, yeah, scroll. If we go to that, so okay, if we come to line number 655, container image, yes, so this will, I mean, what we will use here, this command, and this is bumping the Prow images, and I mean, this is the autobumper image, or this is bumping the, I mean, what I'm thinking is, this will put on a container, right. This is a container and it will run our script, whatever it is. This is what I'm thinking, but I mean in that argument.

A: Yes, my understanding of the ProwJob definition or spec was that this is the image that...

A: Yeah, I think this token might be reusable. So that's another good point. My guess would be this SSH key and/or token might be open for everything under kubernetes, and if it's not, we'll just ask the SIG K8s Infra team to create a new kind of account or something like that for us.

D: Actually, the first task would be to write that script in Golang. That would be done, and then in parallel we can, I will work with Rajas and try to create some sample, I mean, that job also, let's see.
E: Okay, sounds good. Just...

E: Just to add to your conversation, right, discussion: whatever you discussed about this is the image, this is the command, these are the arguments, right, so yeah. Your understanding is absolutely correct and that's how it works. When you spin up a container as part of either, you can use CronJob, Job, ReplicaSet, StatefulSet, DaemonSet, Deployment, right, so ReplicationController, right, so yeah, that's how it works. So that's the command, which you say, the binary, right, that is going to run; it's similar to when you run any application on the CLI, right.
E: Okay, if no one has a question, then I have one more question before we wrap up. Yeah, go for it. Okay, yeah, so my question is related to, have you heard about this Kubescape tool?

E: Yeah, it's something similar to a security check tool, right. For example, Checkov is one of the security check tools which does look at the security configuration implemented for containers, right, or Kubernetes resources, so...

E: ...which is available in the market. I mean, it's an open source tool, and the good thing about this tool is it does support two frameworks. One is NSA/CISA, the National Security Agency and then the Cybersecurity and Infrastructure Security Agency, as well as it supports MITRE ATT&CK, right. So I was looking at these two and I'm exploring this.

E: I'm still in the exploring phase for this tool, so just to start off, checking with you guys, since you guys are more in sync, right, and maybe you discuss with many stakeholders, so trying to understand from your end how it is getting on. Looking at its GitHub, it's more popular, but again, right, how promising, how to consider this tool, similar to Checkov. Also, if you have any experience, or if you came across this one from someone, or this was in your previous discussion.
E: Sure, definitely, I mean, yeah, even though you recommend it, still we go and check, right. We also have some limitations where we cannot go and use any tool in our organization right from someone's recommendation.

E: It definitely goes through multiple checks and we do our own analysis, right, assessment, and based on that we take a decision. So right, I mean, I don't expect anything, and definitely we are an open forum where there is nothing towards the bias thing, right. It completely depends on, if it meets your requirement, it's up to you whether you have to proceed or not, right. Yeah, yeah, I mean, I totally understand that code of conduct, right, and I don't have any second thought on that.

E: So thanks, thanks for highlighting that, so that I will ensure. Rather, maybe my question will be the other way: rather than asking for some recommendation or something, maybe: have you experienced it, and do you have any thoughts to share on that, rather than asking directly.
A: Not sig-security; there is another one called kubernetes-security, where folks from vendors and security tools also are there, and it's more like an open forum discussion where we're not discussing SIG Security work, but it's more about any topic on Kubernetes security. So you can ask that question on this channel. I just shared a link, and people might be able to give you more feedback, more alternatives to what you're looking for, and probably somebody from the Kubescape team might be able to join and talk to you more about it.