From YouTube: Kubernetes SIG Security 20220630
A
All right, hi everybody, hello, Kubernetes SIG Security. It is time for another one of our get-togethers. It is three after, so we're gonna officially call it started. It is, it is so good to see everybody. As we do, we'll go around briefly so that everybody can say hello. I like it. Actually, it doesn't say here, right here it says Kubernetes Security, but I'm Tabitha, I'm one of the co-chairs, and I'm happy to make this space together so that we can work on Kubernetes security.
B
B
C
Hey folks, it's Allah Dewberry, keeping my camera off while I eat some lunch. I love being here and, yeah, I'm the head of self-assessments, taking over from Pushkar, which is super exciting, and, yeah, glad to be here, as always.
D
B
Hi, I'm Kalyn. I'm relatively new, I'm an aspiring contributor from Shopify and a long time work employee, working on Kubernetes.
E
B
B
Happy to be here. Cool, I'm Mohit. I also do random Kubernetes free stuff. I'm mainly a pen destroyer with skill, where I leave the cube team.
D
D
B
B
I'm Eric. I've been here for a little while, help where I can, and I actually have to leave after 30 minutes. So, sorry.
A
All right, Ray, do you want to tell us what is going on with audit?
E
Yeah, so we have a third-party security audit that's currently in pro, in progress. It is wrapping up, and we've had several status meetings with the vendor, and the, the findings will be published sometime, but later this summer. Our goal is about a month or two, but probably gonna be earlier than, than a few months. So.
A
Awesome. Any, any further questions for Ray or anybody? All right. I will, I will report on Zavita's behalf about lots of things going on in SIG Security docs. There's a link here in the notes to a PR into k/website for a security checklist. This is a thing that Kubernetes cluster operators can go down, not to be sure that they have everything possible, but as a reassurance that they haven't missed anything that they really should have gotten. So there have been.
A
There have been several folks doing some good work on that, and having eyes on it before it merges is wonderful. So if that is interesting, please hit that link and give a look to it. Recently, recently merged page with multi-tenancy information, coming mostly out of the multi-tenancy working group and SIG Docs. I gave that a skim myself earlier today, and I was delighted to see it.
A
So if that is a thing that you have been wishing existed, now it exists, and if you have thoughts and feelings about multi-tenancy, now it's a little easier to make a PR to make improvements to that than the larger effort of making it from scratch. So now that that is there, that is a thing that everybody can contribute to. Last call out here: there is a Slack thread, which is linked in the meeting notes, about the initial data and group gathering for a confidential Kubernetes blog post, so hop in there.
A
If you are interested in the intersection of confidential computing, secure enclaves, trusted execution environments, whatever vendor implementation name strikes your fancy, but the idea that the cloud provider doesn't necessarily have as easy context, you know, access into the things that you are running on remote hosts. Oh, we have in the, in the notes: the CNCF TAG Security yesterday had a presentation from some confidential computing folks. So Robert, do you know how those videos go up? Like, I know our videos we have to post them manually because of difficulties with the automation.
A
Okay, yeah, fair, yeah, because that sounds, that sounds like it would be a pretty great thing for us to share with the folks that are in there, in case folks missed it. But I do know that they have a good note-taking culture over in TAG Security, so if you hit their notes now, that'll probably be something. Oh, well, it's already there: Ray has posted a link into the Zoom chat, so I will do my best to copy that in. Oh, oh yeah, somebody is on it.
A
Thank you very much. Any, any discussion about what's going on with docs right now?
C
No discussion, but I should definitely take an action to look at the checklist to see if there's any stuff that we can cross-pollinate between that and self-assessments, because that sounds super rad.
A
I like that, I like that. Tooling, then. Pushkar, how's, how's tooling? All right.
D
So quick, quick thing on the CNCF TAG Security recording and videos before I start on tooling: they actually do a live stream of the Zoom meeting, which saves some time in uploading the recordings. So that's something probably we can check with SIG ContribEx, where we don't have to upload it after the meeting is over. Unless we, we are not comfortable live streaming, which is understandable as well.
D
On tooling side, we have two updates. One is the KEP that we have tracked for version 1.25, which is creating a programmatically passable, pullable CVE list for all official Kubernetes CVEs. That is now, the PR for that is now merged. That means it's marked as implementable. Release team has looked at it and they have marked it as tracked, which means as long as you write the code and the talks for it, it will show up in version 1.25.
D
So thank you all, for everyone in the call and outside who worked on reviewing it, adding their thoughts. You all made the KEP better than it was before, so look forward to more contributions and more KEPs in future. And then second update is actually a heads-up for next week's learning session, which will be right after July 4th, for folks in the US will have holiday, on, at 8:30 a.m. Pacific on Tuesday. It's by Xander Griff Gravinsky.
D
If I think I pronounce that right, and they are going to talk about, as a new tool that Azure team is working on called Eraser, which is allowing you to kind of do a garbage collection like job for nodes and the images that are in different worker nodes of Kubernetes. So, interesting.
D
If you are, if you like that stuff or like to learn about new things, great, great opportunity to join, listen in, give your feedback, and maybe you will be able to use it someday in you, one of, one of your days when you're looking to clean up nodes and don't know what to do. So that's it from tooling. I'll pause for questions.
E
I had one. So for the, for the KEP for the official refreshing CVE feed: would we want to create a feature blog that will go out shortly after the release? Each release has a set of feature blogs; they're highlighted in the kubernetes.io blog site. So just wanted to bring that up.
D
Yes, so that's a good question. I actually got two pings: one was for feature blog, one was for, do you want to add a placeholder PR in k/website for docs on this particular KEP? So I, I was going to check on later, like, are those the same thing or different things? And if yes, then seems like there is another Excel sheet that we can add ourselves for future blog, and for the other one, it's just a PR.
E
They are different. The placeholder PR, if there's any documentation that's gonna be part of kubernetes.io is needed, we do need to open up a placeholder PR to the dev-1.25 branch, and I could help out with this as well. And the other one, for the future blog, is a separate. It's, that's just for the, just, just for a feature blog that would be highlighted after the release.
E
It could be, it could be. I believe it has to be a SIG lead. That's the way the permissions work on the spreadsheet.
E
D
All right, sounds great. Thanks for that insight of doing the, doing this for the first time. I think these kind of things really help.
A
Hola, lots of new things going on in self-assessments. Please tell us, please tell us, what's going on.
C
Yeah, happy to. Yeah, so we're, I'm still in the process of getting the, the space set up for the sub project itself. I did go ahead and request a new Slack channel that we can use as a node and then have Slack channels, kind of, as it were, underneath it for each self-assessment that happens. So that is off and away. Hopefully, hopefully we'll have that set up before too long.
C
I also just sent, on the CAPI self-assessment side, a quick follow-up to Killian. The next action there was just to have him review the, the report that the vendor gave us before we publish it, and this is just, again, picking up the excellent work that Pushkar has done to,
C
You know, drive the CAPI self-assessment, which is the first one ever. And, you know, I think all of the, all of the issues and action items have been created appropriately as well for that. So yeah, really just making sure to pick up, pick up where things are leaving off and drive that forward. So next up, I, I need to get in touch with the vSphere CSI driver team, and Pushkar,
C
I know you gave me the name of the person to get into touch with, but if you could give that to me again, that would be great, because I've forgotten. Yeah, to just drive next steps. They had expressed interest, so yeah, figuring out, you know, what their bandwidth is and then how we can drive that forward.
C
Also, I spent some time with Pushkar yesterday, and I want to spend some time reading up the full CAPI report in depth to understand just templating opportunities, so that we can just create sort of something repeatable for folks, to set expectations about what the self-assessment covers, at least right now. And then, of course, once we have an artifact, it means that we can iterate on it, which is super rad.
C
I also want to just map out a little bit more specifically, based on the criteria that y'all suggested, in terms of what a socialization plan is for self-assessments, to just target different SIGs. The, the criteria we covered last week was SIGs with lots of sub-projects, so figuring out kind of who those are, you know, do I go alphabetically or whatever, so I can just start hopping into meetings and just saying: hi, here's the self-assessments, here's our resources. This is what we are.
C
This is what we do, get in touch with me here if you're interested, and such. And then I have a meeting with you, Tabby, today to chat about logistics and meetings and, you know, getting a Google Docs page just like this one here that I'm looking at for this meeting, and to really start driving and creating that space for the community, so that we can just keep iterating on this and keep driving it forward. And I think that is everything for me and self-assessments.
A
Cool. All right, if there's, if there's no more thoughts on self-assessments, we have a couple of things that are in the notes here to bring up to the attention of the group. One is a Slack message that we got a little bit earlier with this PR from SIG Node about changing the behavior of exec probes, and so they are of the belief that making this change won't have untoward security implications, but that is a matter of creativity, and so therefore they have, they have reached out.
A
A
Something that was coming to my mind as I was looking at the outline in the meeting notes doc: a lot of SIGs periodically shovel their old notes into a Markdown file that they put into a git repo in order to keep their Google Doc with their notes, you know, easier to load, smaller, shorter. We haven't had the scaling problem with that that some folks have had, because we top post instead of bottom post, so you don't have to scroll past everything before you see what's going on.
A
But that said, it seems, off the cuff, like a reasonable idea. Does anybody have any feelings either for or against doing that?
D
We hit this, we as in CNCF TAG Security hit the same issue yesterday, and what we ended up doing was, we get a Google Drive folder for our TAG and we just put all the 2021 or before meeting minutes in a separate file in that directory, Google Docs, yeah, and then just 2022 meeting minutes show up in the current one. I don't know if we, as I say, get Google, Google Drive folder from CNCF or Kubernetes.
A
Is in progress for that. There's a, there's a fairly lengthy prog, program to adopt kubernetes.io domain hosted Google tools for a lot of things.
A
Google Drive being one of them, the, the SIG mailing lists and such being, being another one. And so that seems like a, that seems like a reasonable course of action here: since we don't seem to be having any immediate, like, scalability problems with the Google Doc or anything, since the ability to have a Google Drive for the SIG is coming eventually, maybe just put it into Google Docs per year or whatever in that Google Drive folder, whenever the time comes that it exists.
A
All right, this is, this is, this is our time. And on one hand, there is a lot going on in the world that makes it easy not to have Kubernetes security at top of mind all the time, but, on the other hand, sometimes thinking about Kubernetes security can be a nice way to take a break from other things. So, anything on anybody's mind at the moment, anybody? Anything anybody wants to bring up?
A
And then, that being the case, you know, like a C program, you hit the end of main and you return success. So thank you all so much for coming, and I'll remind everyone that the Slack channel is open 24/7, and so thoughts and feelings that come up in the meantime, talk to him, talk to us there, and otherwise see you all soon. Happy.