From YouTube: Kubernetes SIG Security 20220310
A
All right, it is three after, and hello everyone and welcome to another Kubernetes SIG Security. I'm still continually amused by the fact that the Zoom automatic transcripts have learned how to transcribe the word Kubernetes.

A
So I'm just going to say that a couple more times: Kubernetes, Kubernetes. I'm like, it says... actually, it says "Kubernetes security." There. I'm Tabitha Sable, I'm one of the co-chairs, and I'm happy to help make this space for us to make Kubernetes better together. Anybody else who wants to say hello, introduce yourself briefly.
C
Maybe I'll go next. Hi, this is Pushkar. I work at VMware on the subproject for tooling, and I'm here to make my dreams for a secured Kubernetes come true, as well as other people's and other SIGs' dreams come true.
D
Hey folks, I'm Allah, I also work at VMware, and yeah, I'm here because I'm just interested in security and Kubernetes, and yeah, really here to just listen and learn and make some new friends.
F
Hello, thanks, James actually, and yeah, I'm working as an R&D engineer on Kubernetes security, but just got myself on the PR merged into the Kubernetes websites.
K
Hello, I am Frederick. I also volunteer in the CNCF TAG Security, and I'm looking to help across both here and there.
A
Right, it is so wonderful to see you all again, new faces, familiar faces. I'm so glad that everybody has come. As we do, let's hear from the various subgroups. Looks like Rey is not able to make it, but has let us know some of what's going on with the audit subproject, so I'll read that out for him. Apparently they are working on a blog post for the contributor site, kubernetes.dev.
A
That is about the audit. We announced the vendor selection some time ago, a few weeks ago, I'm terrible at the passage of time, but the PR is there if you want to know the date when it actually happened. But helping to publicize that the audit is getting started, and they will be doing the audit against 1.24, which will have just come out by the time that starts.
A
Docs, do we have... oh, we've got Savita. Docs, Savita, talk: how's docs?
L
Hi everyone, I'm sorry, I missed the intros. I was just trying to finish my lunch in two minutes and I couldn't.
L
It's important to eat. I'm good! Thank you! Thank you so much, Tabby. So I'm Savita, I'm gonna do my intro first. I help lead the SIG Security documentation project. I am here for the Kubernetes SIG Security committee folks to learn and share knowledge about security.
L
So on that note, we have been working on creating a Kubernetes security checklist, and it's been progressing. I see some outlines. In the last meeting we did have good discussion on... so there was a question of linking the third-party tools, so we had a discussion, and then Rory was kind enough to share the CNCF security tooling. They maintain a page where they update the security tools. So we are going to take advantage of that and link it in the community security checklist.
L
So that's that, and other than that, business as usual. So there is nothing significantly new.
H
One thing, if people want to look at it, is we've started, and this is very rough at the moment, trying to have a page on Kubernetes RBAC security best practice. So there's a HackMD, which I will link in chat, in case people have any ideas about things they want to see in an RBAC best practices doc. At the moment we're just trying to lay out the ones that are potentially dangerous.
A
I'll post that link into the... oh, there we go, nice, the link is in the notes now. So if anybody wants to check that out, here it is.
C
Pushkar, what's up with tooling? Yes, so we keep getting great feedback from the community on the KEP for the auto-refreshing list of CVEs. Mr. Bobby Tales actually gave one minor change or suggestion which really simplified the flow. So now we have made updates to the KEP. I don't see any other blocking comments from anyone else as well. So maybe I'm thinking we can... if anyone can review it, just for the sake of completeness, and anything that you find out that might be missing after that.
A
I'm so glad to hear that. So last call on KEP 3203 before it's merged, because it sounds like it has come pretty close to finding consensus, or it probably has found consensus.
C
Yes, so one quick update there as well: we have a draft PR, after months and months of work from so many people in the community, which has a list of threats.
C
Some work is still needed on the PR for Cluster API, but if you have any suggestions and want to review it early, I've linked it in the meeting notes. I'll also share it on the Zoom chat. So anything you can do in terms of taking a look, giving feedback, asking questions, all of it is welcome.
A
This is cool. Is the easiest way to view it rendered to look at it inside your fork on GitHub?
C
The other thing I try to do, now that we have online VS Code and GitHub: I just switch my pull request URL to github.dev, and then it renders the Markdown automatically. So that might be another way to look at it.
A
Awesome. I've put the link to it, at least until you delete that fork, so that way, at least when I'm reviewing these kinds of PRs, I love to have the PR open but then also the rendered version, because generally I found it a little easier to read. So there is that. Just scrolling through it, it is obvious that y'all have put a lot of thought and love into it, and that's really cool.
A
Such a good example. I love that, I super love that. Any thoughts or discussion about the security self-assessment there?
A
All right, so as a C program or as a Go program, we have reached the end of the main function. This is our space that we carve out in time for our discussions of Kubernetes security. So does anyone have anything that they would like to bring to the group that has not already been put on the agenda?
D
I have a quick question about becoming a sub-project lead for the security self-assessments. Chatting... I read the thread that Pushkar was kind enough to post in Slack, and my only concern is that since I'm not a developer, I'm probably not the best suited to do PR review, but in terms of getting resources, getting eyes, you know, doing the work to get things organized, that's definitely where I excel.
D
So I just wanted to make sure that being a sub-project lead wouldn't hamper anything because I'm not a developer. So I was just curious on what the thinking is on that.
B
For what it's worth, I'm not a developer either, and I'm a co-chair here, so for me personally that does not feel like a deal breaker. If you were in a position of doing code reviews or very specific things, then maybe, but for the purposes of being a lead on something that, you know, in part just involves herding cats rather than reviewing code, if you're good at peopling, not being a developer, for me personally, is not an issue.
B
I can't speak for everybody, but... Great, yeah, I can herd some cats.
A
Those roles are pretty clearly defined in the global Kubernetes contributor guide, and it's about things like that. It's about, you know, within a directory, to be able to /approve, you need to be able to take technical responsibility for the content of everything that is inside that directory, and so on. And within a context like this,
A
it generally is about accepting the responsibility for helping to make the space, helping to provide organizing scaffolding so that people can come together and do cool things together. And so, specifically about the question about being a developer, I would not discriminate against someone for being a developer in that particular role. Nor do I think that it really is necessarily relevant.
A
You know, we all come together with what we have and combine it to solve the issues that are presented to us, and so, therefore, if something could benefit from having someone to take responsibility for making a space for it, then those are the skills that are needed to do that. Right.
A
We're avenging heart and cats, so, you know, thank you for sharing. I see somebody has written about kernel vulnerabilities under discussion here. I'm always down to talk about kernel vulnerabilities. What's on your mind?
H
Dirty Pipe, lots of fun and very, very easy to exploit. Yeah, that one's fun. If people haven't seen it, it's a kernel vulnerability that lets you overwrite files you should only have read access to. I messed up when I tried to exploit it by trying to get a file I couldn't read. The key is, when you're playing with the exploit, you have to read the file but not write to it. Just like you write to it in containers, the really easy part is you can overwrite files from the underlying image.
H
So if someone else runs a container based on your image, you can overwrite the image, which is not nice. Other people have found ways of complete container breakout. Those are not yet completely public, but I strongly believe they exist, because people I know who definitely know these things have done it. So yeah, if you aren't patching that one already, that one's super fun, because there are no mitigations. As far as I'm aware, no seccomp, no AppArmor, no SELinux will save you here.
A
If yes, then I wonder if one could mitigate that by blocking access to that syscall, though of course I have no idea offhand how widespread the use of that syscall in your applications is, and when you have a patch for a thing, it is always the preferred response to apply it. But I don't know, I like to hack things and I've got a math degree, so when there's a question of "there's no other way," that always just starts the gears turning and makes me wonder whether there is another, perhaps inferior, way.
K
It's also used in networking as well. You'll often see TCP sockets spliced in order to try to reduce the total cost of certain types of functions on the data plane.
K
Possibly. We'd have to look at each CNI to see whether they actually make use of splice or not, or rather the SDNs that sit on top of them, and so a lot of them don't use it, but it does have some common usage there.
C
Neat. These are the places where some level of even primitive machine learning helps, where if you know what syscalls you typically use and then you suddenly start seeing splice, which you haven't used, it's very easy to figure out, like, okay, this really feels fishy, and then you can pick it up. But yeah, I don't know if there are any open source tools that can do that today.
B
This is not quite correct, but DockerSlim, which I maintain, is the least well-marketed product in all of cloud native. It does a thing where you can set up your from-scratch image with whatever applications you have, and it will run those applications, it will run a trace on them to see what syscalls and what capabilities and whatnot it actually uses, and then it will just drop all the rest of them as it creates the image.
B
And so I wonder if one way to address some of this stuff, it's sort of the opposite of, I think, the question of looking at the things you use and being like, wait, this is anomalous. But if you're only building upon the things that you use, and nothing else actually works out of the box, I wonder if that might help with something like this.
C
Yeah, that's a good idea. I also now remembered, after what you just mentioned, there is some seccomp-related work going on where you can audit the syscalls coming in, in maybe the future. There is a seccomp operator, a seccomp profile operator, which does something similar, so that...
A
I found the link to the talk from KubeCon EU Virtual 2021, which is about seccomp. Is this about the seccomp profile operator? Yeah.
B
The audit thing is slightly separate, though, I think, because we just got a proposed talk about that. There was one about the seccomp profile operator, and then there's a new audit function, and there was at least one proposed talk this time around about that, which might...
B
That Adolfo was mentioning is coming up, but that is actually not identical, I think.
A
We've got something in chat here. Tommy is talking about a Datadog blog post about this, where folks were doing fun things, writing exploits for that. Do you know anything more? Tell me about what the status of that work is.
M
Yeah, I know that, I think in the next couple weeks, there should be some sort of PoC for container escapes, or something like that. I don't know exactly where we are in the process there, but I think that the blog post mentions that, to keep an eye out. So there should be something hopefully soon, but if you want something, the insight, I believe it's... I'll find the CVE, but yeah.
M
It actually is in my search history, CVE-2019-5736. I believe that's a similar kind of vector, with runc, right?
A
Yeah, yeah, that was the really famous runc overwrite, where you wait for somebody to exec into your pod after you've run the exploit, and then you break out by overriding the host's runc. Yes, that one was so much fun too. It's kind of bringing it back.
A
All right, further thoughts about new kernel vulnerabilities?
E
I think one of the things that stood out from my perspective is how unusual it is, but a number of the mainstream distros weren't patched when they released it. So I think that probably caused a fair bit of panic.
A
I can verify that I was party to a fair bit of panic related to that, and I assume that many other people in similar positions were, like, oh, everybody's talking about this, but are we able to patch it yet? Oh, no, because, you know, Red Hat doesn't have a patch yet, Canonical doesn't have a patch
A
yet. You know, if you were building your own upstream kernel, then you were good, but it took a little while. I think that the various big distros seem to have done a good job of hurrying that patch through. So I was not on a kernel package team at a big distro, but I imagine that they were somewhat surprised by it as well. So hugops to everybody involved in getting patches for this kernel vulnerability rolled out.
C
Yeah, let me do my best and then you can add in. So as usual, maintainers get a separate track to give talks and explain more about what security does, so we're gonna do the same in EU this time around. Tabby, Savita, Rey and me would be speaking this time, and one of our main subprojects that we'll be highlighting is docs.
C
So I don't know if [inaudible] is still around, but I'm really excited to share in that and explain what awesome work the docs team has been doing, and then hopefully we get to see some new friends in the EU conference rooms and chats and live streams, and then maybe they join us next time when we meet.
A
I'm super looking forward to that. The one at KubeCon NA last time in LA, there was a really good energy in that room. I was super happy to be able to sit in the front while you all shared what's been going on, and I'm really looking forward to being able to be on stage this time.
A
Yeah, oh yes, I would be totally honored if you could host us again. That would be spectacular. Porco says in the chat, "I can host your talk again."
A
So yeah, we're looking forward to sharing some of that. I think that it's really good to share that, because of the way we do things together, it's not quite as easy to say, well, how many git commits are there? Clearly something is happening here. And so having a chance to talk to people about it, I think, is really good, and it's just great to see people.
A
All right, if that is what we've got, then I think that we're done. Last call if anybody would like to bring something up, otherwise we will say goodbye for now.
A
That's it then. Thank you all so much for coming. It is always fabulous to talk about Kubernetes security together and do the things that we can to make it better. Cheers, see you.