From YouTube: Kubernetes SIG Security Docs 20211007
A: Hi everyone, today is October 7th. You know, the SIG Security documentation subproject meeting, welcome! Welcome all. We abide by the Kubernetes code of conduct, which means please be nice to one another in this meeting. This meeting will be recorded and available on YouTube, so just be mindful of whatever you say in this meeting.

A: Moving on to new contributors. I know I've seen Robert, and I'm not sure if I've seen Sam. So if you want to say a couple of sentences about yourself.

B: Sure, so I've been working a little bit on the pod security policy replacement and trying to get more involved, so just checking in on meetings as I find time. So nice to see you all.

A: Nice to see you, Sam, welcome to the meeting and the community. We are excited to collaborate and learn from you and happy to help in any way we can.

C: Oh yeah, hi everyone. So, as people might know if you've been on the Slack, we've been working on this admission controller threat model for a little while. We started off with a brainstorming document and now we've kind of started expanding that out, and what I've done is I've put a link to the current document in there at the moment. In terms of what we've done, essentially it's kind of structured.

C: I just tried structuring it a little based on the tradis report that got done for multi-tenancy with Salesforce, and really the idea was listing out potential threats for admission controllers and mitigations. And what I was thinking is that what might work with this is that not everyone's going to want to read this, but this would be kind of a good basis for a blog.

C: So if we want to say, you know, if you are developing or using admission controllers for Kubernetes security, here are some best practices, here are the things you should be thinking about, and then we can refer people from that blog to the threat model document. So, you know, if they want to dive more into it, like "why are you saying that this is a good thing to do?", we can then say, because you should go and read the threat model.

C: The other thing I did was, I was conscious, obviously we had Jim Bugwadia from Kyverno who's provided some great feedback, but I wanted to make sure that the other major admission controller projects were aware of it, so I reached out to them on Slack for OPA, Kubewarden and jsPolicy, and they've all got that. So hopefully we might see some contributions from them as well.

A: It sounds like a great plan. I looked at the threat model. Sorry, I didn't get time to dig much deeper into it, but it looks really comprehensive already, and it's amazing that you've covered so many examples, and I really love the attack tree, by the way.

A: And I also like the approach. We can put it now that security has its own repository, so we can always make a folder under documentation for threat models, or it can also be a folder under the main folder under the security project itself, and then we can start already adding more and more of whatever we find. That way it's in git and it's nice. If someone wants to convert it into a website, it's good, but it's lengthy documentation.

A: So I agree with you that we can always create a very condensed post that highlights the things, and if you want more things in detail, just go here, and make a link to the project, whatever folder we are putting it in. That'll be nice. I'm not super against having a long, lengthier doc like a blog post or anything, it's just...

A: I have a very short attention span, so I cannot read a lot in one go. I tend to lose interest when I have to come back and read again, and come back and read again. So I like the idea of a blog post and then making a...

C: Yeah, that's kind of what I was thinking. I was thinking most people really want the mitigations, like they want to know "what should I do?" So if I'm a user, if I'm developing, if I'm implementing, what are the things they should have in mind when they're thinking about the security of that? It's that kind of approach I thought, but it's nice to have the basis for that. So it's like, no, we're not just making these up.

A: Yep, and maybe we will definitely highlight this during the SIG Security talk, so that we would also spread awareness a little bit more, so that folks know. So I want to ask: do you have any reservation in sharing it during KubeCon, or...

C: I think that'd be great, yeah, the more people we can get. I mean, in my head I was thinking that we get past KubeCon and then we kind of say: okay, we've given people enough time to contribute, at least maybe a week or two after KubeCon, and then after that we can do the blog post. That might be kind of good timing.

A: Perfect, that sounds good to me. Does anyone have any thoughts on this one?

D: Yeah, this is Robert. So Rory, I thought the tool that you turned us on to, wasn't that expressible as YAML?

D: I just didn't go far enough. So could we get this in? I mean, whether it's this repo or the docs repo, can we get this into git?

C: Yeah, we can just commit the file I've put in the document. At the moment Deciduous doesn't have any feature for saving or sharing a link. So you just literally have to copy the YAML into it; it's a one-page web app, which is why I just shoved it there. But absolutely, I think when we put it in a git repo, we would separate that out as a file and say here is the YAML file, and I'm hopeful at some point...

C: It could well... The way Deciduous works is it generates the labels in the graphic from your YAML. I didn't want to make them too long, because it would just make the graphic look totally impossible to read. If I had a paragraph or two in each of those boxes, the whole thing would just, you know. So that's why I've gone for titles and linking, but what I did was I gave everything an ID in the graphic, and then I've got those IDs with hyperlinks.

C: Yeah, I mean, I think, definitely follow on from this, yeah. I mean, you're right, because this is good for humans, but it's no good for "I want to check my cluster that has an admission controller rolled out to see if it's doing the right things." Exactly, yeah, absolutely, and some of them will be easier to turn into policy than others. Some of them are kind of tricky.

C: Yeah, I don't know. It's a really good idea, though. I think it's one where, if we get this done, then the blog, and then you're dead right, next steps would be to try and turn this into something. But yeah, I haven't done enough looking at that space yet to see what the options are and how applicable they would be, but I think that's a great next step.

A: And also it sounds like a project that we could bring up with security tooling. I'm not sure if it'll actually fit there, but I know Pushkar has been working on other tooling around the vulnerability database and stuff like that, so it might be a good thing to bring it up there. I'm going to retroactively fill the document, like the meeting notes here, because I was listening to the chat and then I lost track of typing at the same time.

A: So I will fill this later, and then I can also sync with Pushkar and bring it up and see if he would be interested, or if it's something that's doable. We can...

D: Also collaborate, we might be able to do so. I'm also working with Pushkar on the CAPI audit, self-audit, but maybe even something we can bring up in the context of the external audit. If we can create some reusable artifacts around the threat model and the threat paths, something to think about.

A: All right, that sounds like a really nice idea and an interesting one too, and we might be able to even contribute back to the main Deciduous app if it's open source. I think it's open source.

A: That'd be awesome. Thank you, Robert, for that ask and coming up, and thank you Rory and everyone here for coming up with the idea. Sounds like a cool new project that we could kick off. Does anyone have anything more to add to the topic?

E: I'm going to reach out internally to my colleagues for Kubewarden and I'll send this link to them for comments.

A: Okay, so moving on to the next topic, with Robert.

D: Yes, so for the Policy Working Group, we have been working on a white paper, and we have a Google Doc that we're closing out all comments on this week, and we're going to publish it out for KubeCon, but we don't really have it... We have a repo, but it's the working group wg-policy-prototypes, and it's really just meant as kind of a staging area.

D: We don't really have a landing place for the white paper that we can PR to. So I was looking for a home. It's a Kubernetes policy white paper, so... Some folks were suggesting we put it in the CNCF TAG, but it's very Kubernetes specific, and the working group itself is, you know, sponsored under SIG Auth and SIG Security, I think. So it felt more natural to be maybe in the docs repo, the security repo.

A: Okay, I'm going to go. I was just waiting in case someone wanted to go; I didn't want to place every conversation here. I think it's a great place to put them, under the kubernetes/security repo. If you want, we could always create a folder in the root directory called white papers. My question is: are we going to look forward to having more community-specific white papers?

A: If so, it makes sense to create a folder and put it in there. If not, it can always live under one of the subprojects, or it could just be a one-off. We can definitely create a folder. I love to keep it organized. So if folks don't have any opinions on it, I'll just say we can always create a directory there and then just start adding stuff in that directory.

A: Yeah, so that looks like a good place for me too, so I don't have anything to add. I don't even have an objection. It's a perfect place to put the documentation, the white paper, there. Great.

C: Yeah, I guess you're right, because it's the same thing with the admission controller threat model: we kind of need a directory to put documents in. I don't know, I wouldn't want to get hundreds of directories. Do you want one for threat models and one for policies at the moment, maybe, because we can always reorganize it later if we get loads of them?

C: Okay right, so that's going to... Yes, we'll have more, I suppose, yeah. Maybe we need to think about that as more stuff goes in; we'll have a better idea of structure, like what else is going in there, and then we'll see: if it's super busy, we want to be more hierarchical; if there's not that many things, we could even go with a top-level directory.

A: That works too, yeah. It's like a bucket that can catch anything, basically whatever we want to put in that fits the category, we can just put in there, and, like Rory said, we can always reorganize when we get super busy. I'm assuming that it will get a little busy once it gets traction.

A: I know Ray has a lot of audits going on. I mean, for every year there's going to be one new audit coming up and going, so that's going to go under the audit folder that we have. And so I'm open to anything. I mean, we can even start it right in SIG Security and ask what others think, co-chairs and other subproject owners.

A: I know three of us are here, and then I want to ask her as well if she has any ideas, and others in general. So we can definitely do that if you want to go with that.

D: Yeah, and then that can kind of draw all the comments on what we want to call the folder. Just real quick, I know CNCF has all sorts of linting and all sorts of GitHub Actions turned on. Does anyone know, are there similar enforcement requirements on the security repo?

D: So the CNCF TAG repo has a markdown linter and a couple of others. I can't remember, but the markdown linter is the one that I battle with the most.

A: I'm not, I haven't seen anything set up, but I'm not aware. I need to go and check before I tell you for sure. To my knowledge, I don't think we have set up additional plugins, but unless and until it comes as a part of the template, or the project template already, I don't think we did anything extra. Okay.

A: All right, does anyone have anything else to add regarding the home for the paper? And I know Robert's going to follow up with the PR, and once he has the PR link, please feel free to post it in security, Robert, and we can just go and add all of our comments there.

A: All right, we are at the end of the agenda. All right, does anyone have anything else to add?

A: Those who will be at KubeCon, I'll be excited to see you all. Come say hi wherever you see me, just stop me, say hi. And until we meet again, stay safe, take care, and if you are traveling, safe journey. Those who will be in person, I'll see you there. Those who will be virtual...

A: You can still say hi to me. Until we meet again, bye from me.