From YouTube: Kubernetes SIG Security Tooling 20230215
A: So, I am the SIG Security Tooling subproject lead. Our goal in this subproject is: how can we secure Kubernetes by writing code, which is either in-tree or out-of-tree of Kubernetes?
A: One of our main goals this year has been working on a KEP that creates an auto-refreshing CVE feed, so you'll see us talking about it a lot in all the meetings. We also do two types of sessions: learning and working sessions. Today, if the speaker is able to join, we'll have a learning session. Otherwise, we'll have our working session, maybe a shorter meeting. Does anyone else want to introduce themselves?
B: Eric Smalling, senior developer advocate at Snyk. I help with some of the scanning tasks here on Kubernetes, supporting that, and yeah, that's me. I'm based in the central time zone, Texas, and I just got approved to go to Amsterdam for KubeCon, so yay.
C: So I can go next. I'm a night Audi, I'm working voiceover now, I'm in Switzerland. Maybe you can see a Zurich landscape. (Oh, that looks cool.) But yeah, no, that's it. I'm trying to push on this SIG Security tooling.
D: Hi, I'm Kalyn. I'm a senior infrastructure security engineer at Shopify, currently working exclusively on upstream Kubernetes, mostly with SIG CLI, and I have been working with SIG Security for almost a year now.
A: If you're listening in, that's also okay. If a new person joins and wants to just hang around, that's fine as well, but we'd love to hear from you if you want.
A: Okay, it looks like David is still not responding, so there is a chance he may not show up. How do we want to do this meeting? I was thinking to give some update on the KEP side, but if people have other agenda topics, we can discuss those first as well.
B: Sounds good to me. I will have to drop off at the bottom of the hour, but...
A: Yeah, that's fine, okay, cool. Well, I guess the good news is we got the KEP ready before the enhancement freeze, so that means it's actually now on us to implement the stuff we planned and committed to in the design. Code freeze is, I believe, the first or second week of March generally. It also extends one or two weeks every version, because people are behind schedule most times.
A: So we have about four to five weeks before we can implement things. Thanks to Mahi, we already have a bunch of things implemented, and now they just need to merge on time. I think the bigger one remaining is the RSS feed that we have to implement, but apart from that, I think we'll be in good shape.
A: Yeah, I'm thinking because of the website build having some lag. If you remember right, the website build runs twice every day, unless there is a pull request merge. So even if we make the change in the JSON in the bucket, for it to reflect on the page itself, it might take a few hours.
A: So yeah, it's possible we might be able to, like, force-build the website, because we also have a k/website update, so it might work out.
C: Yeah, I think it depends on the time, but yeah, this weekend. I have a few things like Saturday night, but Sunday and Monday are okay, yeah.
A: Fine, okay, let's try that and see what happens. Monday is also a public holiday for us, actually, so I might be able to spend more time than usual. So yeah, okay, let's do that. I'll start working in parallel on RSS, unless anybody wants to pick it up in the call or in our group; just assign yourself the issue if you want to work on it, but otherwise we will do it. That's it really on the KEP side. We had a message sent in this morning.
A: The feature blog typically gets published a few days or weeks after the release is GA, but for that to be published at that time, you need a placeholder PR pretty soon so that they know this feature blog is coming, and that placeholder PR really doesn't need to have anything.
A: You can just create a markdown file, write the title of your blog, keep everything blank, and just create that placeholder PR; that's good enough. And then, when you're closer to code freeze and then docs freeze, that's the time we can start writing the actual content of the blog. So if somebody wants to write it, it's good for the feature as well, because people would rather read the blog versus, like, the official docs, and it's a good point-in-time update of where things were and where things are.
A: So let me know; I'll help you out or show you how I did it last time, and we can go from there. It's also optional, so we don't have to do it, but it would be good to have.
A: Okay, cool, that's all I had from my side. I'll check one more time if... oh, David is here, looks like he just arrived. Let's see if he can... yes, hey David, can you hear us?
A: No worries, yeah, it's the new time for everyone, so I can imagine. All right, so we were just talking about some of the tooling stuff, and we have a little over 30 minutes for the learning session. Some people might drop off later in the call, but I'm very happy for you to take over and present whatever way you want to present about the tool.
A: No worries, no worries, so you don't have to do it today. But if you even have a document or a website or a code walkthrough, whatever information or resource you have already available, and if you feel comfortable sharing it, that's fine. There is no need for a presentation or slides. Also, if you feel like, oh, I would rather do it some other time, that's also fine.
E: I think the best thing to do is to do it another time, simply because it will take some time for me to find the material that I need to present and so on, and to think about the way I want to present this, yeah.
A: It's also my bad, I should have sent a reminder yesterday asking, hey, are you still on for this? So no worries; the next session would be on March 1, and the one after that would be, I believe, 16th March, or no, 15th March. So whichever works for you, let us know.
B: I was looking at the meeting notes and I see, I'm guessing, some of this is copied over from the notes from SIG Security, right? There's a couple: the Q1 says "started looking into a log4 exploit" (or "explicit", I think that's a typo), "once ready, how do we use it?" What are you looking for there? Because that's kind of what I do as a job, so I've got some of those exploits, so we could, if you need help with those.
B: So this is under, I guess this is you, David, the "showcasing using a known vulnerable service"? Is there any help you need on those? I'm happy to jump in.
E: What do we do with it? How do we present it, to whom do we present it, how do we talk about that? So that's something that we can also discuss. I'm looking for that point that I made for the meeting.
E: I started... in the past I had used one of the vulnerable applications out there, deployed it, and then placed Guard in front of it so that it can stop certain vulnerabilities that were there. The issue that Guard addresses is the web interaction. So whatever exploitable information you can send out as part of your interaction, Guard is expected to be able to identify that.
E: So we need an application that is vulnerable. We need to work against this application in a normal way, not trying to exploit it. Then we say: okay, now we switch the protection on, and now we can see that Guard is able to provide...
E: ...block whatever we tell Guard to do against this application. So what did you have in mind, and what are your thoughts, let's say that we create this?
B: To be completely transparent, I hadn't fully read all of your article yet, your blog, so I'm skimming it now. I think, let me reserve answering that until I read it. And what I was saying is, we've got examples of Log4Shell and other exploits that might be interesting to use here, and they're all open source, so I'd be happy to, you know, help in that area. But as far as popularizing it, I think there's definitely stuff...
B: ...we could do for the security village for TAG Security at KubeCon EU. We could show this off there, and I know, just personally, I would be happy to blog about this on my blogs too, because it fits into, you know, what we do at Snyk. So it would not be any hardware in there. So why don't we start a thread under SIG Security?
A: Yeah, and I think, like Tabby said in the past, right, the learning session would be, in my opinion, a good endpoint in terms of creating awareness within the community about the tool. Apart from that, I don't believe that at the community level, being vendor neutral, we would be able to do anything more, but you get people like Eric and others who work in a similar space, whom you wouldn't have met, maybe, outside of this community.
E: Okay, and one more point which I raised in SIG Security relates to the fact that one...
E: ...is that when we detect a compromised container or pod, we see it as a sidecar. Guard sits as a sidecar inside the pod, and when the Guard container detects that the pod is compromised, there seems to be no way in Kubernetes to make the pod restart.
E: We can make the container restart; we can make ourselves, that is, ourselves restart. We can restart ourselves, but that's not helpful, because if the pod is compromised, it's probably because the other containers in that pod are the ones which are compromised, and we want to restart them, because we want whatever process brought them to become compromised...
E: So our goal is to reach that point. We found a solution for that, and we have a solution for that using an external service. We communicate to that external service that we are compromised, and that service then sends a delete pod through the kube API. I'm not sure that's the right or the best thing to do here. I think it's a generic requirement for a security container, at least to be able to say: hey, my pod is bad.
E: Kill me, restart this pod now. With Deployment, there is no such way. With Deployment, the container policy is to always restart the container. It's not supported to have a Never policy that would result in the pod being restarted.
E: I know that people were asking about that, because I see communication about that since 2016, and more intensively since 2019, and there seems to be some resistance in the community to doing that. I haven't understood...
E: ...why, and I wanted to raise it and discuss it, and maybe, if people would agree that, yes, this is a principal requirement from a security perspective, then we can go on and make that statement, and then maybe convince the necessary teams to support this feature of being able to restart the pod.
B: That's an interesting discussion, because I would, I mean, again, I have not read your article, so I don't know much detail here, but I would think that one of the modes of operation would be to want to quarantine the pod so that we could go look at it: like sequester it off somewhere behind a strict network policy, so it can no longer talk to anything but alert security, so they could do some forensics on it while it's still alive. But I could see, you know, aside from that use case...
E: It explains that... the use case that we see: we assume that you have a vulnerable container and service that we are protecting, and we assume there is an exploit that is running against this and activating that vulnerability, and that you are in production.
E: You are trying to keep your service alive by differentiating between those pods which are compromised and the other pods which are not compromised, and restarting only those which are compromised. So we are able to identify them, but we are not able to restart them. Again, we are able to restart them, but we do that by going outside of the pod, asking someone else to restart our pod for us.
E: And I'm always trying to derive the conclusions: what are the security aspects that need to be improved in Kubernetes, rather than only how we solve it in this specific tool? If...
E: ...container to be able to tell the RS to stop this pod and create a new one instead of it.
A: Right, so there are two entities that will create the pod. One would be local, which would be the kubelet, and the other one would obviously be the API server, which will manage creation of the pod on either the same node or another, right, and folks can correct me in the call. So if you have to delete the pod you are already part of, you would have to connect to those interfaces and tell them: this is my pod ID and I want you to delete it.
A: That would mean you need permissions to be able to interact with them from your sidecar, but that seems to be the only way you would be able to do that.
E: So two things here. One is that that's one direction, but I don't want to get permissions to delete any pod in my namespace, and if I provide this container with the ability to go to the kube API and say delete pod, then it can delete any pod, and that's too many permissions for that specific requirement, that specific use case. So, and...
E: If we had, for example, an instruction on the pod spec saying, when this container dies, stop the container, then we don't need any more communication between the container and the kubelet, because the kubelet now knows how to act, and it knows that it shouldn't be restarting that container; it should be deleting that pod instead, yeah.
A: All right, yeah, I see it, I understand the use case now. My suggestion would be talking to the SIG Node folks and then working with them to talk with the container runtime folks, to see where things would go and if they would have the appetite to consider this as a feature. That seems like the best step, because this could be used for non-security use cases as well, so it doesn't...
B: I'm just spitballing, but it feels like there should be a way to, like, change the selector or change the labels on the pod to mark it for death, and basically that would cause the kubelet or the scheduler to spin up a new one, because you no longer have N number of pods scaled, and then something else would then kill the one you're in. But that again, yeah, you're talking about an external entity, another controller or something, or something in the scheduler that understands that. So...
B: I do have to drop off too, though, so we should... yeah, I definitely want to continue this discussion. This is probably quite interesting.
A: Yeah, let us know, David, how it goes when you talk to SIG Node and CRI, and if people are interested, you can pull them in as well in those conversations. Okay, all...
E: No, I just... could you write to me in a message who I should speak to more specifically? I'm not familiar with the community.
A: If you remember, we have a SIG Security channel; similar to that, there is a sig-node (n, o, d, e) channel, okay. So the node people are the ones who are mainly responsible for what happens once your pod is scheduled and the container runtime needs to interact with the kubelet.
A: That would be the container runtime team, container runtime projects like containerd, CRI-O and others. But those people also interact a lot with SIG Node, because they both have to work together. So it might be a good starting place within the community, and then you can work with the container runtime folks.
A: It will continue to interact with CRI to make sure that the containers are actually running. Whenever a container dies, the kubelet and CRI interact with each other and let each other know that, oh, this container is dead, and then the kubelet will say: oh, but I cannot let it die, can you create a new one for me? So...
A: Thank you, okay, cool, yeah, so keep that conversation going with them. Things might work out, things may not, but at least it's worth trying. Okay, thank you, all right, cool, so we're set for March 1st. Generally, I'll just share: people sometimes give slide presentations. You don't have to; some people have also just shown their website and showed, like, hey, this is how things are, these are some diagrams that explain it.
A: The most important part is the last piece, like the takeaway for the audience, which is: what do you want the community to help you on for this tool? If it's like, I need more contributors, then you can ask, and then you can share a how-to-get-started-as-a-contributor document, and then people who might be watching this will say, okay, let me get started on this following this talk. If you just want to raise awareness, then doing the learning session in itself is raising awareness.
A: If you want to hear from other people who are in the same problem space and then get their feedback, in that case, if somebody is listening, having a way for them to reach out to you later as part of your presentation would also be a good idea, so think about it that way. I think that's the main piece for me; the other things are more like trying to understand your tool, asking some questions, and letting people know what you're working on.
A: All right, cool, okay, so that's it from me. See you in a couple of weeks, thanks.