From YouTube: Kubernetes SIG Security 20210729
A: All right, good morning, good afternoon, Kubernetes SIG Security. I am delighted to see that you are all here. Let's see what we have. I guess before we jump into what we have to do: do we have anybody who is new and wants to say hello?

B: I'll say hello. I'm Andy Tinkum. I live in Minneapolis. I work for CyberArk as a security architect on the Conjur team, and I'm here because I was in Ian's keynote last week at DevOpsDays MSP and want to get more involved.

Well, that's fabulous! Welcome, Andy! Oh yeah, that's awesome! Thank you. Also, your work is great.

C: Hi, my name is Ian. I am the co-chair of SIG Security along with Tabitha, who is currently a goose. I live in Minneapolis, Minnesota. Nice to meet y'all.

E: Hi, this is Pushkar. I am just happy to be here and not miss the meeting like last time, and I have a bunch of updates to discuss. I love working with everyone here. I am in the Bay Area and work at VMware.

F: All right, I'll go. My name is Rey Lejano. I live in Emeryville, which is in the Bay Area, home of Pixar. I work for SUSE. I dabble in security and also in the other SIGs as well, like SIG Release and SIG Docs.

G: I'll go next. Hi everyone, my name is Savitha. I'm here to learn and contribute in the best possible ways I can, and happy honking.

H: Hello, I'll go. So I'm Rory and I'm from Scotland, as you may be able to tell by the accent, and I'm also very happy to be here with all the geese.

J: I'll go. I'm Sam, I'm in New York. I work for Bloomberg on some Kubernetes platform stuff. I'm in, like, two, about to be three, meetings right now, so I'm mostly just listening in, but happy to see everyone.

L: I'll jump in here. Tom McCormick. This is probably my second or third meeting, just listening in, but I work over at Datadog on the security team, along with Tabitha on some teams, and I'm happy to be here.

M: I guess I could jump in. My name is Alex. I work in the security team with Zidora here in the Bay Area. I live in Pleasanton, and I guess I've been listening mostly to what's been going on, but I'm starting to free up my time and I'd like to figure out what I can do to contribute. I may be talking to Tabitha about some of that side of things.

A: Yeah, yeah, happy to talk with you, either on the Slack channel, so that we can all jump in, or, you know, send me a DM. Whatever works better for what you need. We have a lot of people and a lot of ideas, so there's always something that you can join in on or start.

A: All right, so thank you to everybody who has introduced yourself, and everybody else too. So, let's hear from audit. Rey, you're here; tell us the good news, Rey.

F: All right, so for the audit there's not much news, except for the vendor selection announcement date. We have extended it to August 10. That's because we are still currently reviewing proposals from vendors, so that's currently underway. So we'll have announcements on August 10th. Any questions or comments?

H: So the idea of this, for people who weren't at the last meeting, is just to have... like, there's a lot of projects looking at admission controllers for security, but they're all doing similar things, right, in similar ways, so it might be useful to have a kind of threat model document that just says: here are the kind of things that could go wrong, and here are approaches for how projects could address them, or might want to address them, and also here are things that people who are implementing this kind of control should watch for. So stuff like, you know, how you might bypass a policy, how things might go wrong in terms of attacking admission controllers, and kind of common defenses. The idea is to keep it generic, not looking at stuff specifically at all, but just to try and, I mean, this is talking... let's just gather ideas.

So if anyone's got ideas, there is a link in the notes for this that's an edit link, so anyone can just go in and add stuff, add comments, things you might think we want to cover, or ideas about how to structure it, and we'll leave that open for a little bit. And then what we'll try and do is kick off, I think, and try and create, like, a proper docs PR and find out where we're going to put it on the website.

E: Hey Rory, sorry, I missed the last meeting, but I caught up on the notes of this discussion. Is the plan still to create some sort of a blog instead of a self-assessment, like CNCF TAG Security would do?

H: Yeah, so I think the kind of decision came around that it probably fits better with this SIG or SIG Docs, because it is all Kubernetes stuff. Exactly where it's going to sit I'm not sure, because it feels like it's a bit... and I think maybe some of them have got more input on that and where we can put it. But I think the idea is, if we can kind of come up with how we want to structure it, that might inform where it fits best.

E: Got it, okay. I think Robert created a template for self-assessment, so I'll take a look at your doc and see if there is some opportunity to merge things.

F: So I could bring this up at the next SIG Docs meeting, just as an initial starting point, like where the best place is, if there is a place to put it in the documentation, or if it is best placed in a blog. So I could bring that up.

Cool, awesome.

G: Thank you. I appreciate that. I haven't been able to go to the docs meeting at all. Next Wednesday is the release, and after that I'll have a lot of free time. I think I'll have a lot of free time, but till then my hands are tied. I'm so sorry, and thank you, Rey. I should have followed up on that, and thank you for volunteering to bring it up. I'll try and make it to the meeting, probably next week. The next one is the APAC one, right?

F: No, the next one is just a regular meeting, so I'll put the details in the agenda.

A: As far as where the doc goes, I really love the idea of kind of letting it evolve in a free-form way and then, once it starts to be clear what kind of form the information wants to take, just putting it in the place that seems most natural. And if we think we get that wrong, or if we think we want to cross-link it somewhere else, we can change those things. Those are just a PR and a Slack conversation away.

E: We had a great session, thanks to Stephen Augustus, last week, where he went through all the details about images in Kubernetes, how SIG Release has been handling bumping of images, and, especially the important part, where we can help them in terms of security, in terms of improving quality of life for release team members, and making it as automated as possible but keeping some things manual, which will allow human eyes to actually look at things before things are merged. So that recording had quite a few attendees.

E: Next one: I'll just quickly cover the last update for the PR that's linked here. We got some feedback from you and Ian, Tabitha, about making the vulnerability triage private. So I worked with some folks, the Google Group admins for kubernetes.io, and got some feedback from Stephen, and now the idea is that triage has become private, so the co-chairs, me, and PSC, or SRC now, and some members who work on the security stuff in SIG Release, all of them are linked into a Google Group that can do the triage privately. And the Snyk scanning that we were doing is also not showing any vulnerabilities anymore in the output. So it will only fail and alert this group, and by failure it would mean an actual failure, or that there are vulnerabilities that need to be taken care of.

So that's where we are, and the PR is updated with these new details. I just need some feedback from both of you, if needed, and others as well, and if it looks good then an LGTM would be really appreciated.

A: Thank you for the work on that. It's a hard challenge to get the right people tied into a process like this, where it is kind of a sensitive process, and I appreciate the work that you've done in trying to find a solution to that. Yeah, let's make sure to have a look at that PR.

I'll say, I think it sounds brilliant, because it's pretty lightweight. It's a thing that you can just do, that doesn't require, you know, a lot of planning or a lot of training or a new tool or anything, but helps to keep all of those moving parts, you know, accessible and visible to the people who are working on it, because, yeah, like you're saying, it crosses over work that we would do; it crosses over into the SRC's interest.

A: Awesome. Who would like to tell us about what's going on with self-assessments?

E: Yes, so Robert, you can tag-team with me and add anything I miss. The assessment, thanks to Robert's work, is underway. We are getting some feedback from the maintainers and from some members in this group as well. I went to the Cluster API meeting last week and shared with them what we are doing, what the intent and scope are, and things like that, so they've started trickling in with their comments. Any more people who are interested in assessing Cluster API from a security point of view are welcome to go to the doc and share your feedback, suggestions, or things you would want to work on. And one interesting thing that came out of this is that people are taking notice, it seems like, and another SIG, I think SIG Storage or Working Group Data Protection, actually reached out, saying hey...

N: I think, you know, primarily based on engagement level, but also, I just, you know... sorry, I had to jump off for a quick call and just jumped back on, so Rey may have gone over the external discussion, but Rey, you had a roadmap of kind of the subprojects that aren't, you know, aren't going to be reviewed in the external audit. So I would nominate those, if they're on the roadmap and they're not going to be in scope for the external audit.

F: Yeah, I agree, and to bring back some background info on that, because I didn't address it on this call: we do have a roadmap for the external audit, because not all parts of Kubernetes can be audited every single time, so we do plan, in the future, to make audits a little more focused on those other areas of Kubernetes. So we do have an open PR for that. This is certainly something that we can utilize for the self-assessments as well.

A: Yeah, a label sounds handy. As far as advice on that, maybe you don't even need to start creating a bunch of issues, but with the vSphere CSI folks, if they want to do it, then, you know, ask around, see whether there is currently bandwidth to start that up in parallel with the one that's currently going, and if there isn't, you know, work with them to make an issue for theirs. And then, you know, depending on how that goes, maybe reach out to some of the other groups that are on the upcoming roadmap and take their temperature, and if they want to join that line, then cool, and, you know, help them make that issue. But otherwise, you know, no need to give yourself and them the work of pushing them into the line.

N: Yeah, just one more addition to the self-assessment. I think, undergoing one in CNCF right now, we're at that point where the meat of it is kind of really defining the threat model, and so, you know, I'll try to create some documentation derived from the previous external Kubernetes threat model, but obviously something that has to be a little bit more tailored to subprojects. But I'd like to see that, you know, as a reusable artifact that we can, as a community, as this group, kind of rarefy down to, you know: what is the process, what is the technique, what is the format we want for that threat modeling, so that we can kind of have a consistent view across subprojects and ideally aggregate, roll up, into the larger Kubernetes threat model. But so maybe you and I can sync up offline, or we should schedule something.

A: I really love that. I frequently send people the self-assessment that was done by SPIFFE/SPIRE under CNCF TAG Security when I'm starting to talk to people about this kind of introspection of a project, whether it's in Kubernetes or not, just because I feel like it's very readable, it's very thoughtful, it's very well done. And so, like, in general, if we can produce just like a rough draft outline, that is not necessarily "these are the only things we care about and this is what you have to do", but even just as an example, like "these are the things you probably need to have", then I think that can also help to make it easier for people, because I feel like we have one or two good references for threat modeling, but they're all hundreds of pages, and it kind of makes it seem hard.

You can get very specific into certain methodologies and whatever, and have it be kind of hard, but you can also get a lot of mileage out of just looking at the thing with a certain kind of frame of mind and having some loose guidance on where to get started. And so I think that something like that could help to make it more approachable for most of the folks that are going to be asking for help with this, who know about the existence of threat modeling, like, as a concept, but have never done it, have never seen it, and, you know, could use a ladder to get from "I think this is cool" to "I did something basic". There's a ton of value, and I don't think it's that difficult of a learning curve, but the supports for beginners learning threat modeling, either they're not there or I haven't seen them. So if you've got a favorite "getting started on lightweight threat modeling for beginners" kind of reference, throw it into the Slack, put it in the meeting notes. But I think that, yeah, if we can provide something that helps people to get pointed in the right direction, that'll be really helpful.

E: Yeah, I really like this. Luckily, we have a starting point on this with a template that's inspired by the Cluster API doc that Robert created. So the idea was to use that template for future projects, but we don't have all the good information that you just mentioned in it, so I'll work on adding those things, and if anyone is interested I'll link the template as well. And I see Rory has added a couple of good links that can be part of the template as well.

A: Awesome. Does anybody else have anything they'd like to add on self-assessments?

A: All right, well then, let's talk about something that I think will be really, really helpful to the community, which is getting information about fixed CVEs into a place that is easy to consume. I saw we had Tim earlier, but it looks like Tim has had to go. Yeah, let's hear about this. I know this is a topic that we have discussed in SRC and, you know, don't have a great answer to right now either, so...

E: Yeah, so this is the other one. Tim Bannister actually suggested this, and he couldn't join the meeting, but we had a chat on the channel and he shared some of his ideas, so I'll try to represent what he suggested the best way I can, and then I'd love to hear from everyone what they think.

Can we have a way to filter or search all the GitHub issues we have on kubernetes/kubernetes, and then look for CVE IDs in either the description or the summary of the issue, and if the issue is closed, then you collect all of those issues together and create a JSON document of the issues and the links and the status, and then that whole JSON document is put onto the Kubernetes website using Hugo, and then that list becomes sort of an authoritative source of, hey, these are the CVEs that were fixed in this version, and if you want to know more, this is the link to the issue. So that was his idea, and I'm glad there have been discussions in the past. This also ties in with some of the work tooling is doing, so I'm definitely interested in exploring this, at least, and if people have thoughts or want to help, I'm happy to hear that.

H: I think it's really interesting, and I started looking through it just going from the kubernetes-security-announce group, so you can look through there, but yeah, even just doing it manually, it became quite tricky to do things like work out what versions are affected, because every time it was a different format. And I was thinking, yeah, I could do this manually, but that's not a scalable process, nor a repeatable one. Yeah.

A: Yeah, I'll make sure to get these pointers circulated to the rest of the SRC, because, yeah, that is a question that we have been talking about, as in, how can we do a good job of this? And thank you all for getting in and scratching your heads together about it, because I think that we can come up with something that is, like, a good enough first effort, and see how it goes from there.

A: I think that carries it. Thank you all so much for coming. If you do that thing like I do, where you hang up the phone and then you think of something, the Slack channel is open 24/7, so stop on by there. And otherwise I'll say thank you all so much for coming! It's great to share ideas together, and we'll see you all in a...