From YouTube: Kubernetes SIG Security Docs 20201203
B
A
C
D
Just to make life a little easier, would you like me to take notes?
A
A
Yes, I did. It's in the meeting chat.
A
Yes, I will. All right, hello, everyone. This is the first SIG Docs Security meeting. Welcome. Thank you for joining us.
A
This meeting abides by the Kubernetes code of conduct, which means be nice and awesome to each other and to yourself. So the first thing would be to go over the room to introduce each other. I know I am seeing familiar faces, but it'll be good, since it's the first meeting. I will start with myself. I am Savita. I have been contributing to Kubernetes for over two years. I've been a part of SIG Release, on the release team, for the past three releases.
A
I also do a little bit of country breaks work, mentoring and documentation work. All that combined experience and my passion for security brings me here. So I am leading the SIG Docs Security project. It's a project, and that's all for me. Hi.
D
I'll go next because I'm first on the attendance list. I'm Tabitha, I'm an associate member of the PSC. I give a lot of talks. I hang out on Twitter and Slack, and I'm here to support Savita and try to make it easier for all of y'all.
F
I guess I'm next on the attendee list. My name is Adam Kaplan, I'm a software engineer at Red Hat. I participate a little bit in SIG Docs, but I'm not a, I wouldn't call myself a significant contributor there. Most of my work around Kubernetes is with things that are on top of Kubernetes. I've worked with OpenShift builds and I am in the process of starting up a new upstream project called Shipwright that aims to make building container images on Kubernetes.
G
G
Well, I guess I'm up next on the list. My name is Rory McKeon, I'm a principal consultant with a company called NCC Group. I'm a pen tester, security consultant by trade. I've done some stuff around container security for a little while now. Probably most relevant to this group, I have helped drop the CIS benchmarks for Docker and Kubernetes, which kind of are us kind of in a similar area to some of this.
H
Good day, people. I'm Chase. For about the last seven years I was at the Wikimedia Foundation. We ran a number of Kubernetes clusters, and recently I moved to Mirantis. I'm passionate about docs, if that's really a thing. I've been to a number of Write the Docs conferences, and just in general, it's some kind of internal tick. I like neatness, and clean good docs is a big part of that and saying experience. So I saw this pop up and I was hoping to contribute.
B
Hello, my name is Ray. I work with Rancher Labs slash SUSE. I'm new to the organization, so most of my work with Kubernetes has been part of SIG Release. I've been part of the number, a number. I
B
Least, teams in the past and look and we'll continue to do so as well. I primarily joined SIG Security Docs because the last company I was working with, they helped write and make the CKS exam, and I was working on some of our private curriculum for that sequence for the CKS.
A
Thank you, Ray. We could definitely use your help with the CKS certification-related material, and I'm gonna add one more thing: Ray is gonna be the documentation lead for 1.21. Congratulations. Thank.
B
E
Yeah, I'm looking to get involved with Kubernetes security, so I thought helping out here, however I can, it's a great way to do that.
A
Thank you, I'm welcome. Next is Patrick.
I
Hello, I'm Pat. I'm mostly focusing on security tooling at the moment, but I think it's important to document how our tools work, and wanted to take the pulse on how that intersection is going to play out. So.
A
Definitely, thank you, Patrick. Next up is Joyce. Hi.
J
I've mostly been contributing to SIG Release and Working Group Naming so far. I have an interest in security, so I figured helping write the docs would be a good way to learn. That's pretty much it.
A
K
Okay, hello, I'm Tim Banister. I am a contributor, mainly contributing to SIG Docs. I've got an interest in keeping things secure. Some of the work that I do outside of Kubernetes is security work, and I'm interested in seeing two things really. One is that the security section in the website, in the, you know, security concept section of the website, gets better, and also that across all of the Kubernetes documentation there is something I don't want to happen, which is that people ask.
A
Thank you. Welcome to the meeting. So did I miss anyone? I hope not. Yeah, I haven't. Alright, next up, the description item. It's headed by Adam, so I will let him give a little bit of information on that and then we can discuss.
F
Sure. So, first, Savita, thank you for inviting me to this meeting. I wasn't aware of it until you pinged me on SIG Docs yesterday. I think this is definitely a right form to get started on this topic.
F
So the background, at least to the best of my knowledge, is that Kubernetes has a secret type for SSH authentication secrets. That secret type, and my understanding comes from being an end user, is that, like the Docker config JSON secret type or other secret types, all you get out of Kubernetes is that it enforces that you have a certain key in your secret. It doesn't do any other verification on top of it, and with SSH auth secrets.
F
The implication is that those private keys are also used for SSH actions inside of a container. When you're doing SSH inside of the container, whatever you're connecting to, usually you want to have a set of known hosts that are associated with it. This is something that, you know, for a lot of folks.
F
They may not, who are not as security conscious, they'll usually see a warning if they're connecting to a host for the first time and then kind of blow past it. But when you are really concerned about security, or if you are running Kubernetes clusters that have, say, FIPS mode enabled, which is what I found out yesterday, you need to have a known host file alongside your SSH keys.
F
If you want to actually connect to another server, and this was actually the result of this, that not having known hosts led to a CVE that was reported against OpenShift. So OpenShift lets you clone source code via SSH, either directly via the SSH URI or using the Git protocol which, under the hood, it does.
F
K
I'm just going to speak, Adam. You've got a couple of plums here. One is that this is a stable API, so you can't change it, not easily, but what you can do is add a great big caution shortcode, and I can add some details. Let me find the link to the caution shortcode. It's probably just.
K
K
We don't know that they're using OpenSSH; they might be using any other client. So we don't know what format known hosts are in. We also don't know what format the private key is in, because there is no specified format for it. Is it an RSA 2048-bit private key? How's that represented? We don't know.
K
So we don't know what the binary format is of the key. We don't know what particular key algorithm is in use. There's a lot we don't know. I don't think SIG Docs can help with a lot of these problems.
F
F
Thank you, Tim. That was also like a concern of mine, that there's, I don't think there's any way that we could enforce someone including, say, known hosts in the secret. Even, I could see in adding a warning on, say, creation or update of this secret type, I could see that also being problematic. So certainly in docs, you're having a sort of a call-out to say, hey, you should also add the known hosts to whatever application you are using, might be the only thing.
F
K
A
I feel like we could start with adding a warning like Tim said, and I'm not sure, is there any way to give feedback to the API Machinery or like let them know that, okay, we came across this concern, is it like if they can validate, or it falls under our, say, Tabitha, you can help me. So, does it fall under our SIG to validate that this is a concern, or do we have to take it to other SIGs?
D
And ultimately, when we put the PR in, it'll go through whatever the normal PR approval process is, and so I would say, for something like this, where we think that it is not likely to be controversial.
D
I
D
Go ahead and just do what clearly seems to be right, and let folks argue with us if they feel that they need to. But on the other hand, if we did want to start putting more controversial opinions into docs, then I think that it would be a good practice for the person who is writing that to go to the meetings of SIGs that have a stake in it.
K
This is like a first case, and this is why we're going to talk about it a bit more, because there's a general pattern that there will be security-related PRs coming into SIG Docs, and what SIG Docs does when a PR comes in that some other SIG has a better view of the accuracy is SIG Docs does the approve, which is essentially, does the description of the PR make sense, but we want the other SIG.
D
And then somebody here in this group would LGTM it, like perhaps Savita or perhaps me.
A
Yeah, that makes sense. That's what I wanted to get a hang of, like, because it's new and there'll be so many questions that's gonna come up in the similar fashion, and yeah. That's about it. Does anyone have anything?
D
I think I might like to ask a clarifying sort of question around that. You know, because I like this idea that Tim has brought up of, you know, being able to, you know, for something that affects security and, say, is node related, you know, to tag it for, let's get an LGTM from SIG Node and SIG Security. You know, when we get those queries, of course, the question is: how do we want to do that?
D
And, you know, that's a thing that we don't have defined yet. I might start with a suggestion that, for things that are, you know, not controversial and clearly just a good idea, that, you know, any of the folks with titles in the SIG should feel free to LGTM them, and for things that may be more controversial.
D
Putting an element on the agenda of this meeting could be a good way to deal with them, but it's only an initial suggestion, and so I wanted to throw it out there so that, you know, you, Savita, and everybody else in the room could tear it apart and make it better.
A
I wouldn't, I like that idea, and we can also, so whenever we tag a SIG on the PR, does it notify anyone, or it's just that it goes into their qr. 4 is wrangling. I don't know if any other thing has similar kind, like in docs this, so they will just go and see, oh, this PR is tagged with our SIG, so we need to go and take a look at it, or you, we explicitly ask someone for reviews, like thinking them, SIG Node reviews, so how?
E
My experience from contributing stuff codes to Kubernetes three years ago is you tag them and then you Slack them and then you tweet at them and then you go to their house.
D
To take that to the opposite extreme, I think if all the tooling is set up and working correctly, just dropping the SIG label on is sufficient, because I believe that once we have the PR landed with all of the, like, owners aliases and things like that, then adding that tag will automatically send GitHub notifications to the folks who are configured for that, and so in a first approximation.
D
That would be the SIG co-chairs and you, Savita, and then in practice, people also tend to tag people in by name, and also in principle, we have a regular review of issues and.
I
A
D
A
K
A
Thank you, Tim. I think Tabitha's adding things to it, so I'm gonna let her take care of that. I will go over at the end of the meeting, after the meeting, and see if anything needs to be added, and I will send it on. So moving on. Does anyone have any discussion topic?
A
I'm sorry about that, yeah. If not, so there were two cup that I'm going to talk about, couple of the interest that came up when we wanted to, when we were talking about starting the project. One was that having CKS or certification-related materials with great models, and he has some more, he has some background to it, and the other topic was a hardening guide. It was brought up by Michael Foster, I think, and it's not the meeting, I can ping them on Slack.
A
So that was another topic that folks were really interested in. If there is any other topic that you would like to see, or you think it's very high priority, please feel free to add to the agenda and we can start tackling them one by one in our next meeting.
A
A
No, there is, I don't think there is a similar material to CKA. The question around, so there were some questions around CKS that I saw in the prep channel, that they have access to different websites other than Kubernetes and Kubernetes website. They were asking if they can navigate to xcd or stuff like that. So that is one question or concern that I saw around CKS.
A
B
I used to periodically take the CK exam once, at least once a year just to make sure, and I would make sure if the documentation was still there, and that was my last company. So I think it's, you know, it's still okay, but I don't know if anyone else is doing that, taking exam every year and making sure that the documentation is still there.
A
Okay, so is there anything that you think that we need to add to make it easy for the folks who take CKS, like, are we lacking in something or do we need to focus on something?
K
Go ahead, Tim. Thanks, so I did the CKS last night, waiting on my result. I don't think I can go past first time, to be honest, but what I found was missing, or what I found was a shortcoming, was API documentation.
K
Okay, because, unlike the CKA, where you're using like the vanilla stuff, the CKS is all about niche features, let's say pod security policy. Like there's a bunch of stuff on the syllabus, and depending on the candidate's approach they might want to go and look at the API docs. Now there's been a Google Season of Docs project where Philippe Martin has been working on a new API docs.
K
How does this tie into the CKS? Well, the drive for more accessible docs and being able to find, for example, all the API types related to security concepts is stronger. People don't just want these for exams. Obviously they want them for their daily lives as well, but there's a thing that security can mention as an obstacle to candidates and to people's general adoption of good working information security practices.
A
And in addition to the API documentation, would you, would it have better, like, would it have been helpful if we had some examples or something of that sort? I know api qr api js comes with some kind of example of how to use. I think it is, it does. So is it like, did you find any of that missing, or we can add more to improve it?
K
K
A
Okay, all right, thank you, Tim. And apart from all these things, I was also thinking of something. Lately I've been following some of the posts in articles, and there were a lot of talk about not running container as root, so I just want to make sure that all our examples in the community's website is running secure, just update the examples, and it could be like a tiny project or it could be an ongoing thing. So that is one thing that I wanted to add.
B
So I've mixed feelings about that one. We have basic examples of a basic pod, right, and I know I'm not gonna go detail the cts, but let's say, for example, you know, if there's any benchmarks, or it's just benchmarks or any tool that would scan your manifest to make sure it's secure, it might require additional things like resource requests and limits. With adding resource requests and limits and adding not to run as privilege.
B
Just to the example of a basic pod manifests, I feel like that might be a little complex for someone learning Kubernetes, and at first, I agree with you that, you know, if you want to have that, we should have secure examples in the Kubernetes documentation, but I think we should think about at what level of documentation that should start out there.
A
A
I know it's gonna be a bit of hunt, but I just wanted to throw out that idea and see what other folks think, and I also wanna say that we are over by three minutes. So if you have anything, please feel free to add to the agenda. We meet in another two weeks. We meet bi-weekly, and I am hoping to see all of you in the next morning. Thanks for joining today, and you all have a good rest of the day.