From YouTube: Kubernetes SIG Security 2020-12-14
A: While we are hanging out a bit, can anybody have the freedom to take notes? I would love it if somebody could volunteer to just type up as we go.

A: I flipped the order of discussion and subgroup reports, because Savita says that she's going to be a little late being able to get in, so I figured we could just change the order of that and then that would work well.

A: All right, it's four after; we'll call it started. I see the first thing that we have here on the list is Tim wanted to share some stuff with us about the CVE related to external IPs in load balancers, so we'll elide that for the moment and wait for him to come in. I guess I will mention a little bit about...
A: What's been going on with Pod Security Policies: at the last SIG Auth meeting we talked a little bit about that, because they've been in perma-beta forever and that has been very frustrating to people, and so Ian and I promised to produce a KEP that would end the years of bike-shedding around what was going to happen with PSPs.

So of course it's all the end-of-year events, and, you know, the KubeCon EU CFP deadline and things like that, but I'm hoping to keep getting our most core ideas settled between ourselves so that we have something that looks good enough to start to circulate around the rest of the community: share it with y'all, share it with SIG Auth, share it with the other folks that are interested in it. So right now not a lot to say, but it has not been forgotten about. It is moving along.

A: Exactly, exactly. You know, Ian and I promised personally to produce a KEP that would be for some good thing to replace them, in time to be able to have users migrate over and have a sensible path forward, and clearly we can't do that alone. That's going to have to take everybody, but hoping, like, if the PSPs are going to come together like a snowflake, hoping that we can provide that nugget of grit that all of the water freezes around. So, yeah.

The whole discussion around PSPs really got serious when the auto-deprecation of features that are in perma-beta KEP landed, because PSPs have been in beta, if I remember correctly, since 1.3, and so when the no-more-perma-beta KEP landed, everybody went...

But I think that four releases should be enough time that we can get something drafted, get something implemented, have people try it in alpha, and, you know, provide something good for people to use. What...

A: You know, around this SIG, SIG Auth, other SIGs that I have not yet imagined. So that's why I'm kind of giving some status update here of, you know... I ran my mouth off and promised a KEP, but I absolutely cannot do it alone.
F: Yeah, just to add that SIG Auth owns Pod Security Policy today, so I think the work will be owned by everyone, but SIG Auth should probably be at least an approval check mark on whatever replacement we come up with.

A: And if SIG Auth is only an approval check mark, then I think we failed at getting input from all of the people who have good input to provide. Yeah, like, I think SIG Auth is pretty crucial here.

So that's where that is. Tim, would you care to tell us about the difficulties of letting people choose their own IPs?
F: Yeah, and just a heads up, I have to drop after 20 minutes. So I think, more generally, if folks are interested, we could plan more formal post-incident reviews in security; so kind of something to think about in the future, if that seems useful for the more interesting or the larger, more critical vulnerabilities. But in terms of the recent one, you may have seen the announcement go out to kubernetes-security-announce around external IPs.

I wanted to bring this up because there's sort of two interesting things about this one. The first is, we decided there wasn't, or at least in the private vulnerability response process we couldn't come up with a reasonable...

F: Thanks, yeah, so the mitigations that we landed on are basically using admission to allow specific IPs controlled by the administrator, so saying that you can create an ExternalIP service, but only, you know, by the namespace with this specific IP, and we released a custom webhook that just adds this feature, but also encourage folks to use Gatekeeper, OPA, Kyverno, whatever your admission thing of choice is. But yeah, this was interesting because we don't have... it's not just a rollout of a security patch; there's more.

All right, well, something to think about, and maybe I can paste a link to the issue where we're discussing kind of what the follow-up actions are. And the other piece that I wanted to highlight on this specific incident was just some conversations that happened, at least that I saw on Twitter, as a follow-up around whether this is even a vulnerability in Kubernetes, and kind of questioning like, well, is this multi-tenant use case something we really support? And, you know, people saying that they knew about this issue for a while; how come it's only being raised now? And I guess what I'd like to say there is we did make the decision. We had some discussion about this, whether we considered this a vulnerability or not, and ultimately decided that this is something we want to protect against going forward. And so, does Kubernetes support multi-tenancy? Not out of the box today, but it is a use case that we want to enable, and there's good work happening in the working group, and kind of through SIG Auth and now SIG Security we're continually trying to improve on this front, and so our kind of threat model and the use cases we're supporting are evolving.
A: I see somebody has added to the list: are we happy with this meeting time? And that is a thing that I am happy to ask about, because, like, I know that we have a fair number of folks who work on Kubernetes security in, at least in, European time zones, where this is relatively inconvenient for folks, and so...

A: I thought maybe that was... we didn't actually have a Doodle poll yet. Okay, given the fact that tons of people are going to be on vacation and whatever over the next few weeks, for various reasons, what does everybody think about planning on us doing a Doodle poll like right after the first of the year?

Nodding, I see some thumbs up, like, let's do that. Okay, if we come up with something that works for North America and Europe, I think that'll mean that it ends up being a little bit early for North America, and that's the way it is if you want to try and deal across time zones.

All right, yeah, we'll plan on doing that, then we'll send something out after we get around to the first of the year. Related to that...
H: I know KEP 1933 is trying to graduate from alpha to beta. That's the static analysis to fight against accidental credential logging. There's a PR up for that. I think Michael's in the chat here or is in the meeting, but yeah. That's like the only thing that's on my radar, and as for involving security, I know we're kind of in the process of transferring that ownership, so I don't know how much that counts.

A: I mean, it sounds like maybe we should plan to cancel for the 28th, then; just one less thing for people to worry about in all of the scheduled disruption around the end of the year.

A: Weigh in. Okay, if anybody has anything else to add, or shall we ask what's been going on with subgroups?
I: So, go ahead. Sorry, I know we moved on, but what are the specific steps to come up with potential solutions for the next version of PSP? I didn't get that from watching.

A: The action plan, in a very, very high-level overview: it's get a KEP merged, get PRs that implement whatever is in the KEP. But "get a KEP merged" is itself a pretty big process when you're talking about doing a redesign that touches so many different people's lives, and so the way that I have imagined it is that those of us who jumped in front of the bus can come up with just something, because it's easier to criticize something that exists than it is to start from scratch.

And so, you know, we have offered to produce something that has enough detail in it that folks can criticize, and then share that around: share that around here, share that around in SIG Auth, share that around privately with people that have opinions but don't attend those SIGs. Keep working on that in, like, a Google Doc or something that's public until the design is fairly well settled and seems likely to solve most of the use cases that people have, and then port it from there into a KEP.

So that's the way that I've imagined getting something that is both important and fraught in: essentially by talking to a lot of people, starting with a small group of people and increasing the size of that circle until eventually everybody has had a chance to make sure that their needs are represented.

It will be deprecated at... again, right now it'll be marked deprecated in 1.21, okay, with the current plan to remove it in...

A: 1.25, thank you. So my hope is that we can all work together to have a KEP merged at least by the time 1.21 comes out.

There's a whole document about that, and my understanding of that document is, ultimately, in this case no, but as a project, if we wanted to remove a feature that has been considered to be important, it would be...
A: Should we go to the subgroups? Savita, are you here?

J: She noted that she's going to call in right now.

A: Oh, okay, all right. I don't think anybody is here to talk about third-party audit, but if you are...

I: Yeah, we had a catch-up, a few of us, and then we're preparing the proposal for the new year's vendors, and what it is, similar to the previous years, and what are the requirements and the specific things that a vendor needs to be aware of when doing the audit.

And we are tweaking the document, and it will be soon available for the public to see, and we will... as there's not enough time now until the end of the year, it will be at the beginning of January when it will be available. And yeah, not much else; just preparing the document to be able to send to the vendors.

I: Yeah, so yeah, once we come up with the final document there will be a review, and we're just waiting for the different tenders, and we'll move forward from that.
B: We're ready to talk tooling. So, yeah, I commented in the document already; haven't had much really to go with there. I did post in that channel asking people for their opinions on where to go with the subgroup, and I haven't heard anything yet, but I think I'll expand that to the security channel.

Just, you know, because if you're not in the tooling channel you're not going to see that there was a comment in there that Patrick had put in. I did look at that pull request; everything looks good. It's new to me, though. So Patrick had posted about... you have a pull request on KEP 1933. So if anyone else is interested in looking at some of the static analysis tool stuff that he's done, jump into the SIG Security tooling channel and look at that PR.

H: And just on that record, if anybody wants more context, feel free to ping me directly, or we can have that conversation in tooling or this wider group. It is a convoluted problem, so I'm happy to offer any clarity wherever possible.

B: Yeah, I had actually put a thread up there if you want to take a look at my question. I had not seen... I'm a Go novice, so the use of datapolicy tags that you're doing, that's pretty cool. I'd like to know more about it, or if there's any good documentation about how it works.
A: Anybody... a moment, if anybody has anything else that they want to share while we're all here.

J: Yeah, I'll give one little update. We discussed last time maybe a social kind of meetup, break things together; that's not dead in the water, it's just I've been kind of busy. I got some great feedback from folks about things that exist already, and I think what I've been working on is to build some tooling so it's easy to create a little lab environment that everyone can use and play with at an event like that.

But it's probably something that's going to happen over the holidays, so it's just sort of on the back burner now.

J: Yeah, I want it to be easy to make. You know, if a new CVE comes out, we want to play with it; I want it to be easy to dump in a little lab and maybe play with the next time. So, yeah, that's the idea. Probably, if anyone's interested in contributing, it seems like something capture-the-flag-y, you know, from novice things to hard things, that everyone can play with, seems like the most fun and cool. So, yeah, that'll be the idea, I think.