From YouTube: Kubernetes SIG Security 20210812
A: All right, it's 11:04. Good morning, welcome to Kubernetes SIG Security. My name is Ian Coldwater. I am your co-chair for the day. Our other co-chair, Tabitha, is off at the chairs meeting because they conflict, which is unfortunate, but they do. So, yeah, good morning. I hope everybody's doing well today. Do we all know each other? Do we want to do intros? We have a little meeting today.
C: Yeah, hi, hi everybody. I am Anishka Mithal, I'm from India. I am very new to the community, five months old, and I'm an LFX summer mentee working with Jim Baguaria on Falco adapter as a contribution for Falcosidekick, and I'm really excited to be here and looking forward to learn. Thank you.

Yeah, you're welcome, Anishka, I'm so excited to see you. I've talked to you over text, on Twitter. It's really exciting. Thank you.
D: And I just want to say: hey, this is my first time attending SIG Security. I'm Jim Angel, I'm not quite new to the community but new to SIG Security. So it's great meeting y'all, or re-meeting y'all, and excited to help out.
E: Hi, can you hear me? Yeah, yeah. I'm Chris Mart, I'm interested in security in Kubernetes.
A: Friend, okay, usually we start our meetings with the report-backs from the subgroups, because our subgroups are awesome, and so I think we are starting out according to the agenda today with a report-back from the audit subgroup. How's it going over there in audit?
B: Hello, so it's going well. So this is, for those who are new, this is for the third-party external security audits. So the vendor selection is coming to a close; we'll reach out to the selected vendor. The vendor selection announcement is actually tentatively for tomorrow, so we'll start negotiations today and we'll report back on how that goes in a few weeks.
A: Thank you. Okay, docs, or SIG Security docs subgroup. Good morning.
G: Good morning, good afternoon, good evening. So a little bit of background about the blog post that Jim Angel, PJ and I are working on. So in a sense NSA and CISA, I guess that's the right way to call them out, published a new Kubernetes hardening guide, and we are working on providing a TL;DR of the document, create a blog post for it, and we could go from there, or we could create it as a blog series. We haven't decided the outcome, but the initial post is gonna be, like, just a nice shout-out and a TL;DR of what's there, and where people can link the page numbers and stuff like that. We met yesterday and we are targeting to publish early or mid-September as of now.
G: The next one is just a reminder on behalf of Rory. I don't know if I saw Rory here, but I'm just gonna go ahead and say this, and Rory, please correct me if I am wrong. So he has put together a nice brainstorming documentation for the admission controller model. We are time-boxing the feedback in comments so that this can be published in September sometime. Please go take a look at it.
G: If you have any comments or feedback, feel free to add there, and the deadline for the feedback is August 31st of this month, August 31st, sorry, what's happening to me. And there are a couple more things, and I'm gonna let Rey talk about it, and thanks Rey for bringing that up in the SIG Docs meeting.
B: Yeah, so I had an action item from last meeting, from this meeting, which was to bring this admission controller threat model topic up to SIG Docs. They brought it up in the August 3rd meeting, discussing where it should be, like where the blog post should be under the Kubernetes websites, and it was pretty much agreed upon that there should be a home for the admission controller threat model; it should be under the k8s website documentation, and also a blog to explain the...
B: All right, the next subtopic is mine, for under docs: there's a seccomp blog post that needs an accuracy sign-off from either SIG Security or SIG Node, and I put the link in the doc, in the agenda here.
A: Great, thank you. Tabby and I will take a look at that. Have you hollered at Node? Should we holler?
A: Okay, then, as an action item for me, I'm going to put here: Ian will take a look with Tabby and holler at Node, because that seems good.
A: Okay, next we've got tooling with Pushkar.
H: Okay, finally, okay, I was having some mic issues but looks like it's working now. Yes, so we have a couple of topics, very quickly. Last time I had an action item on creating an umbrella issue for all the stuff we've been working on, so people can take a look at everything in one place. So that's now created.
H: There are many linked issues, some done, some in progress, some that need help, that are part of that issue. The link is in the agenda; I'll also copy-paste it in the chat. My only request, or call for help, is: take a look at the issue and the linked issues.
H: If you see anything interesting that you want to work on, and even if you don't know where to start or you need more information, just add a plus one or say "I would be interested in working on this." I'm happy to code there, or happy to discuss more with you and figure out what needs to be done, and then we can create a more detailed issue that can be converted into a PR.
H: So that's the main call-out. We can also discuss it in the upcoming meeting on the 17th, next week, Tuesday, in the dedicated tooling meeting. The next one was just a heads-up for everyone who might be interested, and I think Vinayak is on the call.
H: Probably here. You are here, right? Okay. I think Vinayak and, sorry if I'm mispronouncing the name, are going to do a small demo on some of the vulnerability database work they've been doing with Golang and its dependencies. So I'm excited to be there on Tuesday and listen to them speak more, and please, Vinayak, add anything that might be more helpful or specific than what I would, totally, so.
H: They have been working on a Go vulnerability detection tool that will be integrated eventually into Go, and so I was talking to them and I was like: do you have any large Go code base that you've tested this on? And they were like, not really. I was like, what's the... would you like to use Kubernetes as a guinea pig? Because we have initiatives where we've recently used Snyk to do this, "snake", sorry, to do this, and I was like, eventually when it goes into Go...
H: We could give them early feedback and, like, get pretty accurate, and I think Kubernetes is a great database, sorry, code base, to try it out on, and what's cool about it is that eventually it will be merged into, like, Go, so it could be completely open source too. So, yeah. Is this sort of related to deps.dev? Forgive me, maybe I missed it.
H: It is kind of related to that, and I think from my conversations you can plug in whatever vuln database you have through it. You can say, like, I don't like this one, I want to see what results I get with this vuln database, and so you can kind of plug and play and have multiple different results using it. It's kind of cool, so yeah, I'm excited about the demo too.
H: Nice, yeah, I think we have a good set of data from this Snyk scanning; it would be good to compare the results on both, and we might end up realizing it's a complementary kind of tools, both giving different results and equally useful ones, so definitely excited to learn more. Anyone who is also excited like me and wants to join: it will be in our usual SIG Security tooling meeting, 9, sorry, 8:30 a.m. Pacific and 9:00 p.m. IST.
H: We got another request last time from the vSphere CSI driver team, which is under SIG Storage or WG Data Protection, so they wanted to do a similar assessment to the one we've started for Cluster API, and that led to some discussion that maybe we need some kind of a wait list or an intake process for assessments.
H
So
we
started
creating
a
data
issue
template
in
community
and
that
actually
led
to
the
main
discussion
point
for
today,
which
we
can
talk
more
in
terms
of
where
should
all
of
our
deliverables
from
security
exist.
So
we
can
talk
more
when
we
go
there
very
quickly,
similar
to
the
tooling
vulnerability
management
stuff.
We
also
have
an
umbrella
issue
for
this
one
which
is
linked
in
the
agenda.
I'll,
add
a
link.
H: This is generally to give an idea about what the security assessments are being done for, what are the things that we need to do to make it a sustainable model, and what things we have already accomplished. So take a look there as well and, same as with tooling, if you are interested, let me know by plus-one-ing on the issue as a comment. I think that's it from my side, at least for security assessment. If anyone else wants to add, go for it.
B: Yeah, one thing I remember Robert brought up: so for the external security audits, we have a roadmap in flight where our goal for external audits starts to be more frequent but smaller audits in the future. So we have a roadmap for you that outlines what those components will be.
B: I know the CNCF Security TAG, they use a model where they have to do a self-assessment before they run their external security audits, and just, you know, putting out there that this might be going towards that kind of model as well. I don't know if you're gonna do this, but you want to bring this up since it's, you know, but let's see both from, on the table, how self-assessment might lead into being on the roadmap for future, like, external.
H: Yeah, I agree. The idea is to do this as a self-assessment first, get something going that will pick up the easy ones that can be fixed in terms of security and improve, and then in the next iteration of third-party audit, if you want to add Cluster API in scope, we could. So that's what at least the thinking has been, but open to ideas.
I: Yeah, I would say, I was going to say the same thing, really, that it should be combined or aligned with the roadmap document that you put together. I would just say it shouldn't be... I would not lock it down to only one path like we have it on the TAG side, because there may be cases where, for whatever reason, the self-assessment won't happen, but we still want to do the external audit, so I wouldn't want to say there's only...
A: When I said it, but I didn't mean it bad, if that makes sense, but just like, maybe they felt like they were better under the scope of TAG and not Kubernetes or something, you know, and, like, our security audit is what I mean, and I don't know, I feel like they don't necessarily need to be tightly coupled, but I think it's good for us to be thinking about it on sort of these multiple levels. Does that make sense?
A: Yeah, also, just, you know, I guess, with my pen test consultant brain on, you know, I want to look out for whoever is going to be doing the external security audits in terms of how far out that scope goes.
H: Right, yeah, I think that came... which led to the self-assessment, and then now, maybe, hopefully in future we could do a third party, but I think I agree, we'll try to keep pushing on the self-assessment. We do need help there. So if anyone is interested, we have some docs and some links; it's just been like everyone wants to do it, but it's just a matter of a limited number of hours in a day.
H: Yes, yeah, so let me give some context for folks who may not have followed the Slack thread, maybe five, six days ago. Basically, we started creating some GitHub issue templates for security assessments and then a label that could apply for any such request, and automatically any such request for an issue template goes to ContribEx, which is a good thing.
H: It turns out, because what they shared is we're probably putting a lot of content in the community repo, whereas the main intent of the repo, from discussing with Nikhita, was: it is mostly for metadata about SIGs so that they can be linked to the other repos and projects that they are responsible for. So the suggestion was: could we have a separate repo for this SIG, which would allow you to put all the content there?
H: It could either live in the kubernetes org or the kubernetes-sigs org, and it seems like, for me at least, the kubernetes-sigs org makes more sense, and then some discussion with Rey led to us thinking of a directory structure where each subgroup or project has one directory in that repo, and an OWNERS file for each of them is already there. So then, that way, it will be easier to sort of manage it in parallel, and the assessments can be there as well, but want to get everyone's thoughts on that, especially Ian.
A: Yeah, I have stuff to say about that. One, apologies for being at DEF CON and missing that Slack thread. I was sort of preoccupied at the time, yeah.
A: So this is on me, like, this problem is entirely of my doing, and I want to own that and apologize to y'all for that one. When we started the SIG Security directory structure there just weren't subgroups yet, and so we didn't have a need for that, and so we looked at that particular thing and we're like, this might become a problem down the line, and we were like, well, right now we don't really have any of that, and so it would be kind of weird to, like, create this directory structure for our not-subgroups, and so we just didn't do it, and now it is down the line and it is a problem. So my bad for seeing that and not addressing it in advance, and I am totally happy to make this directory structure happen, because that is obviously a thing that needs to be done, and we knew that that would be a thing later and didn't do it back then.
H: Oh, okay, I guess we can move to the logistics. So a few things that I found which might be helpful for when we do this: the charter apparently needs an update explaining what is the process to create a new repo and who approves it. Then we need a written approval from the chairs to create that repo. It can be a mailing list email or meeting minutes, which might be what Rey is taking already. And the other thing is...
H: I have a PR with LGTM and some pending comments from Liggitt for tooling, and docs and audit is already there; Tabby already approved, I mean said LGTM there, so we're good. I'll make sure I apply Jordan's comments there. One comment might be something I need your help on: he suggested that we should have a different set of approvers and reviewers in the OWNERS file, instead of it just being me as approver and reviewer.
A: Sounds good to me, yeah, LGTM, I'm on all of that, and yeah, all of this is completely correct and a thing that we as chairs knew about, but just like we're just not quite there yet and so did not set up the structure for that. So we are now there; apologies for being a little late to that party. I'm glad that everybody has it together who isn't us, and we will, yeah, we will get on that, yeah, because yeah.
A: All of that is completely correct. Like, we are putting too much in k/community right now. Like, we do need that kind of structure; it isn't made for that. We just didn't have the subgroups yet, and so didn't make the structure in the absence of subgroups, because actually, just according to the way that the GitHub repo, like, organization structure works, you just kind of can't do that yet. So thank you for helping us get on it, and we will get on that.
H: ...looked at it and they've kind of expressed interest in doing it, and there I published, like, early PRs for, like, hey, this is how the change would look in containerd and CRI-O, and yeah, they were on board and the Node team is also on board. I went to their SIG meeting a while back and they've actually assigned one person to look at it, and we kind of discussed it and they actually LGTM'd it a while back, and so since then I've forgotten everything about it.
H: So I need to go read it again, because I was busy with other work, but yeah, I'd love to see this land. I'm super passionate about getting this landed and making it slightly easier to run your containers, yeah. That's really...
B: All right, just on a note, since this is targeted for 1.23, I'll reach out to you. I also work on the release. Awesome. Thank you.
A: That is, I think, the last thing that is listed on the agenda. Did anybody show up after the last time I said this who has a thing that they want to discuss or bring up today? It could be whatever you want it to be, because SIG Security is the community, and the community is who shows up, and what we talk about is what the community wants to talk about.
J: I had a question. Oh, sorry, go, sorry. I had a question.
J: I was recently working with Datadog and Kubernetes and seeing the two options for using it being to mount the Docker Unix socket or enable hostPath, and I was wondering how do we think about things like that, which seem to require things which are just inherently not secure? Yeah, just wondering what the community thinks about those issues where you kind of need it to a degree, but it's like the devil you bring in, and then, yeah, don't love it. Just trying to get suggestions or thoughts.
H: About the same topic, so I was actually going to suggest that, like, so internally, for one of, a lot of these things that mount the Docker socket are, like, metrics things, right? So a lot of the times they only do, like, reads; they never, like, update anything or create containers. That would be, like, really bad if they were, like, using that to create, like, containers. So, like, what internally I have a design for...
H: ...is that maybe there's, like, a read-only version where you say, like, hey, you can mount this, but it's, like, the read-only socket. So you can't really modify anything in the container, but you can, like, get all, list all the containers, list all the images and stuff, and so it takes away the ability for them to create privileged pods, or pods in general. So, like, we internally, I had, like, that idea and I was going to bring it in, like, the next SIG by writing it in the doc.
H: But it's good that we're getting to discuss it here.
A: In fact, read-only is not a security boundary for the Docker socket, for a couple of reasons. This was actually how we escaped a container on a mainframe: they did this as a security effort and it is not actually a secure thing to do. There are two reasons why this is the case. One is that making the socket read-only does not...
A: If you make a folder read-only in Linux, it will make all of the files read-only, but if there's a socket in that folder, it won't make it read-only, because sockets are designed for two-way communication, and so you can still do that. And also because Docker has the Engine API, where you can execute commands via communicating with the Docker socket. This was actually just literally just how we... I literally just did a DEF CON talk about this specifically.
A: So if you mix... so I'm like, oh, oh, I can speak to this one. If you make the socket read-only, you can still make curl calls via HTTP to the Engine API to execute commands, and so it doesn't actually make it... you can still...
H: Think I misspoke. How the design works is that we have this other, like, proxy thing that runs, right. It basically takes all the HTTP requests that you send to it and it rejects anything that's a POST, anything other than a GET, and that thing also mounts... and the read-only socket that I was talking about was, like, it's still read-write, but it's like you mount the socket to that thing.
H: Instead of directly talking to Docker, so it, like, kind of sits in the middle; it proxies all the connections, so you connect to it and it'll in turn connect to, like, the Docker socket, but it will reject anything that's, like, a POST or any other method, and you mount the socket to that thing is how our design works. It's... so I misspoke that it's not the Docker socket that we're mounting as read-only; we have this, like, other thing that runs...
H: Well, it's not, it's just... We just run it as a service, as, like, a systemd service, and what it does is, like, you connect to that thing's socket, and we call it docker-readonly.sock, right, that's the name of the Unix domain socket, and so these metrics agents, if you will, connect to its socket, and if they try to make a POST request or anything, which is, like, how you create the container, right, usually it's a POST request...
H: It just drops it. It says, like, this method is not allowed, and so you can do a bunch of GETs on the APIs and stuff, because any GET is, like, a pass-through. The only thing...
K: I guess I'd say, because the only thing I'd say, like, from an architectural standpoint is, you might want to look at, like, whitelisting paths. You definitely want... instead of blacklisting things, you know, just because sometimes there can be weird edge cases or other fun stuff. So in general, but yeah, in theory having another service that you talk to, that then filters what it will accept and then talks on to Docker, I think, could work. But just like, that's...
H: Like an admission controller that does not let you... that looks for the volumes and host volumes, you're...
A: All right, I'll quit talking about the talk I just did, but yeah. This is a very interesting-sounding project, because it is a thing that I have been looking at a bunch. This...
H: The question, Rachel, is what is the risk of doing this to the environment overall, and if we can limit the number of users who have access to privileged pods and containers to a few, versus all developers having access to all the privileged DaemonSets, like the Datadog one that you mentioned, it will reduce the chances of things getting worse, because few people will have access, and at the same time we should also continue to de-escalate privileges as much as possible with all of these ideas.
A: Dropping ambient capabilities helps a lot, going back a little bit to ambient capabilities. It, yeah, and there are ways that, if you're mounting the Docker socket, you can mitigate stuff on the back end to make things a hell of a lot harder to do, like if you do use user namespace remapping, that will make people's lives harder, at least if they're me.
A: Yeah, also my co-chair works at Datadog and, had she been around this week, might also have some more specific things to speak to about that, but yeah. I don't know that there's, like, complete consensus, so much as, like, all of these stacks have layers and you have to secure the different layers.
H: Auditing might also help, like, if we know what the users are doing that are mounting sockets. At least we will know if something different is happening than usual, so Kubernetes API logs, Docker logs if the socket mounted is Docker, and then it will be easier to at least figure out after the fact, if something has happened, to know what happened.
A: Do people have other things that they're thinking on or want to bring up for the moment? Or also, we always want to encourage everybody to bring stuff up on the security channel on Kubernetes Slack, because that's a good place to talk about stuff for people who can't make it to meetings, and also for people who can.
A: Everybody got super quiet. I am going to take that as a sign that people don't have other things to bring up, unless they holler at me, like, right now. So I'm going to give us our 18 minutes back and say that I'm super excited that all of y'all are here. Thank you so much for coming. Welcome to the newer folks and welcome to the older ones too, and yeah.
A: Thank you all so much for coming today. Take a look at the issues on the agenda and discuss things in Slack and whatnot. I'm super happy to see you and I'll see you again in two weeks.