From YouTube: Kubernetes SIG Security Third-Party Audit 20210414
A: Anyway, so I guess we could start, just as a word to everyone. This is a Kubernetes meeting, so we do fall under the CNCF code of conduct, so just to summarize: be nice to each other. This meeting is recorded and it is uploaded to YouTube as well, so just be aware of any confidentiality. All right.

A: So the big bullet topic since the last meeting was that we have a new RFP submission, and I am in the middle of reviewing it as well, and I wanted to talk about how the 2019 RFPs were scored, and is there guidance on how they were scored against each other?

B/C: I had some kind of a summary of that. Yes, it was scored, and you know some of the criteria which overlap with the RFP, of course, well, mostly overlap with the RFP. So I was trying to reverse engineer, but if you've got the source, it'd be great if we can talk through how that scoring was done.

C: I can. I don't really have anything to show, but what I kind of did, the criteria that I distilled from the link I found in GitHub was this. The criteria that was scored: relevant understanding and experience in code audit, threat modeling and related work; relevant understanding of Kubernetes, other orchestration systems, containers, Linux, hardening and related work; strength of the vendor's proposal; examples of previous work product; personnel fit and talent.

C/B: Depending on how we proceed, the Kubernetes white papers are a way for someone to demonstrate that they have competency and that they learned something and that they've illuminated the space in some way. I would be willing to add it to the statement of work if they wanted to. Does that make any sense? Yep, yep.

C/B: I would feel that way, yeah. So what I found is the RFP decision markdown in the security audit 2019 folder; it's a little scrubbed. Obviously we didn't want to put any vendor names.

B: I may have access to the original sheet that it was based off of, to answer any questions. However, speaking on a recorded public channel, I would want to be really careful not to release any sensitive information that a vendor chose to provide in their proposal. That makes any sense, yeah. Okay, is it possible maybe to put it in the Slack channel?

C: So I would imagine that's going to be just: what was the general quality of the RFP response, and if it looks professional and thorough, etc. I think below each of those criteria you could, and I mentioned the Slack, I'm a pivot table addict, so kind of the multi-dimensional analysis under each of those criteria.

C: You could conceivably map those to some of the proposal requests, so obviously there's all the components we asked for, the kube-apiserver, scheduler, etcd, et cetera, and then kind of the more skill-based dimension of, you know, source code analysis, the networking, theoretical and practical understanding, cryptography, et cetera, and then you know we explicitly...

C: The analysis should map to some enumeration of vulnerabilities or at least classes of vulnerability, and then I think we asked explicitly for proof of concept exploits, so kind of that multi-dimensional hypercube is kind of how I would think of it, as like scoring all of those and the intersection of all those things. But again, that's probably share.

B: More about the process, I found the spreadsheet. Oh okay, great. What we did is each member of the working group, and remember at this point it was a working group, it was 100% private, it was run differently.

B: So there was just the four of us and we each scored each proposal across the matrices that you listed: fit, relevant understanding, threat model, how well we think they'd do on the report, how well we think they'd do on the white paper, how we think they'd do on building out a reference cluster, how good we think their plan to approach the problem was, and a couple other indexes, and then we averaged the scores to come up with one score for each.

C/B: It turns out that the price is mostly a function of rate over time, so you go back, so we broke it down to like an hourly rate and days, and then we were able to go back and negotiate with the vendors to arrive at a final dollar amount that was more suitable to what we had available, by saying like, okay, what could you do if you were to spend one less week on this, because that would bring your rate down? Or can you continue to do a shout-out rate?

B/C/B: And, you know, a possible outcome, there could be someone saying, you know, we don't feel like we'd be doing good work if we stopped at that level of depth, so we're unwilling to work for less time in this area. You know, it gets much more organic towards the end when you're trying to control for price, as you are making trade-offs, but right now I'd say we are at: assess the proposal at face value, like how good is it in general, and then what about price, second.

C/B: And no, are you ever like? Yes, I have an amount floating around in my brain, but all budgets are flexible with appropriate justification.

C/A: All right, so I guess let's just move on. I think we could continue the discussion on the Slack channel. If you want to proceed with a similar, I guess, strategy on scoring: do we start scoring when we get four proposals, like we mentioned before, and do a similar process as was done in 2019?

A/B: And I will anonymize the working sheet that we had. I'll remove all denotations and scrub comments, make a copy to remove history, maybe export to CSV to make damn sure, and then share it with the people who are in the private Slack channel, yeah. Thank you.

C: Well, just to touch on the methodology, though, because you brought up a very small point of: is it absolute scoring or is it relative? Because, in other words, if it's an absolute attribute-based score, we could in theory score the two that we have. But if it's more qualitative, and, you know, A relative to B relative to C scoring, then you kind of want the whole set of candidates before you start scoring.

B/A/C: Okay, great, so that's my opinion. No, I mean, you know, I could argue both ways, but that said, I think, to your point: if we were going to go down the purely quantitative, objective route, we would have to invest a lot more upfront effort to define what that rubric is and define the scales and the measures, and, you know, then, of course, how do you calibrate that? So yeah, that sounds like a long-term goal for a future iteration.

B/A: Okay, any other questions or comments?

A: All right, I just had two more bullets on this. I brought up reducing the scope of the RFP and prioritizing at the 6:30 meeting last week, and I don't know who else was on the call, but it seemed, I guess, kind of positive feedback. Also brought up the lack of a more flexible schedule. I...

D/A: That was, I don't know, we currently have the RFPs at 12 weeks. We don't have, you know, a concrete guideline, just 12 weeks. I feel like that's pretty lax right now, but we could make it more relaxed, but I do recommend having some kind of boundaries, like otherwise the process might just take a year or so, or over a year, and just having some kind of loose boundaries on it, if you do want to reword a more flexible schedule on it. I know I have several...

A: Several people have added their suggestions and opinions on reducing the scope and a more flexible schedule, but any other inputs?

E: I remember the discussion, when it was like, as some vendors were concerned about those timelines, it was like, from what Tabitha says and other comments were like, we can be more flexible and we shall give them more assurance that, although we put there, I think it's 12 weeks, something like that. Yes, it doesn't mean that they need to block specifically all the time sequentially, and that they can organize their time and how it fits them. Is that right?

E/B: You know, I think, what if we remove the dates entirely? Okay, we just say like we're accepting proposals until we get four, and we expect that to take about 12 weeks, scheduled sometime before October. Like, who knows, you know, like, let's let them pick the 12 weeks. Maybe, I don't know if it's important that they're contiguous or not.

B: I think it probably is. It's a lot of work while they're running the audit. Let me be clear: it was my full-time job. Thanks, Google.

A: I don't know, we could probably say 15 weeks and I'll try to phrase it. I do owe a pull request against the RFP; I've been busy last week with the release. So I will make a change, I will make a pull request, either tonight or tomorrow, and send it out to the Slack channel for comments and suggestions on changing it to, well...

A: You know, there's no timeline on the RFP until we get four, and try to make that wording around 15 weeks and be negotiated, I guess, or something like that, just to convey that it's flexible. Yeah, I'd love to review.

A: All right, well, that's all I had on the agenda. Any other comments, any other topics people want to bring up?

D/A: Yeah, and if you were in the first part of the discussion, we had a pretty good discussion about scoring and I took good notes on it, but yeah, the YouTube video will have a lot more info on it.

B/A: Welcome. Once I make the pull request, I'll add the link to the Slack channel, and just make your comments and suggestions there. Great, cool, all right. Let's give everyone back 10 minutes.