From YouTube: Kubernetes SIG Security 20221006

A: All right, six minutes after, we're going to call it officially started. Thank you for coming to another Kubernetes SIG Security. I'm Tabitha Sable, I'm one of the co-chairs, my pronouns are she and they, and I am always really proud to help make this space where we can come together and make Kubernetes security better for everybody. And as we do, we'll popcorn around; people can introduce themselves a little.

B: I could go. My name is Rey Lejano. I'm the project lead for the third-party security audits, and I'm in other SIGs as well, so you might see me around the community. Professionally I work with SUSE; I was originally with Rancher Labs, which was acquired by SUSE. And yeah, I'm just always open to onboard new contributors, if you want to reach out, and if you want to even learn about the repo structure or anything like that, so feel free to reach out.

C: ...doing security stuff, and I'm always happy to help out. I'm doing various things with, like, docs and other bits and pieces, and helping out the third-party audit, so yeah. Oh, sometimes people want to talk community security or any security stuff really.

D: Hey folks, I'm Mala Duberry, project lead for self-assessments. Rory and Rey, I would love, and I'll get to this in the security self-assessments bit, but I do actually need some help with some git-related stuff, so I will take you up on that. Yeah, git is hard, and sometimes the documentation is... I, like, forget where it is, and then I spend a lot of time retracing my steps, and I'm just like, oh, I think I just need to sit with someone. So yeah.

A: I will extend my offer to help with that too, if I may, or if there's need for more hands.

E: Everyone, my name is Bill Bernson. This year I started with GKE security over at Google, the Kubernetes hardening team, and so I'm popping in to see what the open source Kubernetes security community is all about. Great to meet you here.

H: Okay, hi, David. I'm working in Knative, you know, Kubernetes serverless, on a security project.

H: We've started a security project to protect services, to monitor the behavior of services that are running under Knative and monitor the requests that are being sent by clients, building a model for each one. So we have criteria being created for each request and for each service that is running, and then we are able to detect as a result of that.

H: We're able to take either pods which are misbehaving and misused, or requests which have what seems to be an attempt to include an exploit. And this work is somewhere between Knative and Kubernetes.

H: It can cover many Kubernetes use cases already. We started with Knative because we thought it's very well defined; the problems and use cases are better defined in Knative, and because we are adding a lot of simplification and automation for the security tool, it suits the Knative narrative very well.

H: Now we are about to release the first release in Knative and starting to look at continuing the journey into Kubernetes and see how we can cover, first of all, web services in Kubernetes and maybe later additional types of services on Kubernetes. And that's the reason this is my first time here in SIG Security.

H: So that's the reason I joined. I don't know if this is the right forum for me to join, or if there is another; I saw SIG Security Tooling, I don't know if that's a better place to discuss this and so on.

A: This can definitely be a good place to discuss something like that. One of the things that I am most proud of about us is that we can be a good forum for starting a lot of things, including when those things eventually move to some other forum. You know, like, that's part of how we do. A lot of things to improve security in Kubernetes...

A: ...are, you know, SIG Release things, or SIG Auth things, or SIG Node things, or whatever, and that's okay, because we don't have to do everything, we don't have to be everywhere. We don't always have to be involved, but also we can come together and find good ways for things to be involved. So hi, welcome, welcome to have you. Do you want to put that down at the end of the agenda, where we put things for discussion, and maybe tell us more about it?

F: Okay, I can go next. Hello, I'm Mohit. I am working with Secure, doing, like, fantasy things and helping clients in a variety of ways, and I particularly specialize in Kubernetes, where I lead the community center with the girl. Yeah, that's me.

A: All right, so as we do, first we'll hear from our various fabulous subprojects and what has been going on there. And Rey, it looks like you are first on the list. So what's going on with third-party audit?

B: All right, thank you very much. First off, big thanks to Pushkar, Cailyn and Rory for publishing; there's a new blog out on kubernetes.io, and it's about the current status of issues from the 2019 third-party security audit. From the 2019 third-party security audit, there were 37 issues that were filed.

B: Most have been resolved. Five require a KEP, and five or six still need a fix. So you can read more about that, and more details on that, at the link I added to the agenda. So once again, big thanks to Pushkar, Cailyn and Rory.

A: Oh, all right, we have one here in text. Robert says: out of the box, default Kubernetes API server, does it definitely always use TLS 1.3 only, or does it allow 1.1 or 1.2 out of the box?

J: If it allows 1.1, you might as well just, you know, use plain text. It's pretty weak at 1.2; we could argue, but 1.1...

C: I put a quick thing in chat. Just looking at the API server flags, it looks like there is the option to specify anything from TLS 1.0 and up, so it's distribution- and/or cluster-specific. What the default is is not specified, so that implies there is no default. What happens if you don't specify, I don't know, but definitely you have the option of specifying the minimum TLS version, but...

J: That was like, I mean, and then we got another process issue of: was that a finding in 2019 or not? So I appreciate all that, and I can fork it off into a separate issue, but the gist of it is: if out of the box you don't configure anything and it's accepting 1.1, you know, then I would say that in itself is a finding, if you will, given the massive amounts of insecurities in 1.1.

C: If it's not already there, yeah, I would definitely mention that. Yeah, I've probably seen the benchmark.

C: Yes, one of those challenges is, like, saying the default. I didn't get... I guess we could argue now that, like, a future version might drop that and take the older versions off and just say there's no reasonable way you should be using 1.0 or 1.1, and therefore in current, which is 1.26, you say those are no longer valid options. But that's going to be a change that we need to go through. One of the other six, I don't know which one this is.

A: ...where there is a lot of working with other folks to make sure that such a change can be made in a way that's safe, in a way that's good for the user community, and so on, but hopefully, kind of crossing my fingers, without a lot of implementation difficulty.

A: You know, like, I'm hoping that this is, you know, a lot of KEP and a lot of talking to folks and so on, but, like, maybe four lines of code change in exactly the right places, and I love those KEPs. So yeah, think about it; like, we can totally help somebody turn this into a KEP if the investigation reveals that the current behavior is what we kind of think it is.

A: Awesome, awesome. Anybody else on audit status update related topics?

A: Rory says in chat about the possibility of that flag getting added to the Kubernetes CIS benchmark.

G: So we are going to be discussing where we want to focus for the next, at least for the upcoming, quarter for the documentation. So Cailyn has taken point on the Kubernetes hardening guide, which we started a while ago. It got bigger; she has taken all the inputs and efforts of what Rory did and she has put it in a PR already, and we are also looking for new contributors.

G: If someone wants to, like, come in and take a portion of it, because it's a lot, and I really want to open it up for contributors if they want to collaborate, that's a great opportunity. We will be discussing more about that in today's meeting, and there are a few other things. Some of the blog efforts, like confidential Kubernetes, are going on, so that is going to be discussed in...

G: We talked about tutorials last time, especially for RBAC, which we wanted to add for a really, really, really long time, so we want to tackle that one in this quarter, if possible. And there is one ambitious thing that I have: when I was proposing some ideas for the documentation subproject, I wanted to go and see all the examples that involved security and update them, or, like, add more examples to it.

G: So I have added it as a list, and now it's super ambitious, but I just wanted to have it in the list, so just, you know, see how people feel about it. If they all want to tackle that this time, we can do it, or we can punt it to the next time. So these are the ideas that I have. If you have any ideas, please add them to the SIG Security documentation subproject agenda today, which will be meeting in approximately one and a half hours.

G: That's all from me. Does anyone have any questions?

G: So there was a Slack thread about the blog post. At least I can dig in and put it in here, so, like, if folks want to revive that, or, like, it's a pending topic and people have expressed interest; like, some folks have reached out to me. So that's why I wanted to bring it up, so, like, if there is enough interest, then we can just, you know, restart it again.

A: Got it, got it, yeah. Thank you for that. We will pass over tooling for the time, but we will pause if anybody has anything they would like to share about what's going on in tooling.

H: There is no discussion, but the need for runtime security, for any kind of monitoring and detection of what goes on with your pods, with your services, once you're running: this area is simply ignored, so I do suggest that this will be...

H: And I can also contribute in this area, a scenario which I'm familiar with fairly well, so I can initiate something if that's suitable, and...

A: Okay, yeah, that's how we do around here. If you've got thoughts there, I think that you will get plenty of support from the rest of the folks in the community to, you know, bring that together in a way that is good and appropriate.

A: You know, there is a small difficulty there related to the fact that, like, I assume you're talking about things like syscall monitoring of, you know, running applications, that sort of thing. And, you know, so there is, you know, there is...

A: ...a really good way to do that. Like, it may be that, you know, the best place is in the Kubernetes documentation. It may be a good thing to do on a Kubernetes blog post. It may be a thing to have a small stub about somewhere in Kubernetes, you know, saying that this is an important consideration that a lot of users have, and that it is not a built-in Kubernetes feature.

A: Yeah, exactly, like, the way is to propose something, you know, look at the way things have been done, propose something, and then share it around, and, you know, we will build consensus around the best way to do it. So, like, yeah, starting with something that's like a writing sort of project, starting, like, a Google Doc or a HackMD, something like that, and sharing it around in Slack or in this meeting is a really good way to get started.

J: Life, you know, it gets in the way of things you want to do. Every Wednesday, every other Wednesday, we meet at 8 AM Pacific, so apologies to those in probably Australia and Asia Pacific, but the next one will be next Wednesday, the 12th. We are currently working on expanding the tooling, identifying tooling, identifying the concepts behind how we can map policy, which I think in the Kubernetes world we would think of as, you know, configuration checks, and, you know, making sure things are right.

J: Resources are deployed in the right way and configured correctly, versus a human policy in the compliance world of, like, thou shalt not do X or Y, or thou shalt have these things. So trying to put some guidance around how to map policies, configurations, controls, and what all the... you know, try to get a definition of all these things. As the old software joke goes, one of the hardest things in software is defining things, or naming things. Then we're also working more broadly, especially with the folks from Red Hat, IBM, Google.

J: So thanks for being on the calls on policy governance. So now you have, you know, whether they're configuration policies or, you know, traceable human policies, to specific controls which map to your, you know, Kyverno or OPA thing. How do you manage all these hundreds or thousands of different checks in a real-world cluster, or cluster of clusters? So that's, you know, wrangling with that complexity is also one of our top priorities.

J: Our code deliverable today: we've put out a Policy Report CRD, so that serves as a common definition of what policy or config check engines can output, so that other tooling can ingest those, and we've seen a number of adapters and native integrations with that CRD. So that allows you to build a UI or a dashboard and ingest across multiple different tools.

J: Are we in compliance or are we not, and what is our security posture? And then, in the process of wrangling with all these complex issues, we've identified, as yet somewhat amorphous but gaining granularity and definition, some sort of CR for creating a profile.

J: So this is: how do you tailor the checks that you need to do or want to do for a particular compliance framework, for a particular set of configuration policies, at different baselines? So a subset of the controls, different value selections that might be more or less restrictive, because in the real world you often have to look at a system from several different perspectives. You might want to know, you know, your data protection versus your access control under different frameworks. You might want to look at what the impact is at different profile...

J: ...baseline settings, so high, moderate, low. So being able to codify that and do, essentially, you know, compliance as code or policy as code. That capability doesn't yet exist, so we're trying to put the foundations in place at the spec level, and, you know, essentially at the CRD level, of what that might look like. So anyway, sorry for rambling on a bit, but that's what we're working on. So if anybody's interested in any or all of those topics, please, please join us. We're happy to have everyone's participation.

A: Thoughts, further comments or questions about what's going on with the Policy Working Group?

J: Interesting. Tommy, your question about alert-worthy events in Kubernetes, could that be relevant? First look, it sure sounds like it could be, so I'll take a look at that issue. This...

K: ...was, I think, mostly targeting the last topic about runtime monitoring, yeah, but I mean, if it's relevant there too, it's relevant there.

B: All right, I'll add that to the meeting notes. Thank you, Tommy. All right, any other questions for Robert on the Policy Working Group?

D: Yeah, hey folks, yeah, so on the security self-assessments front, the project that we're trying to get off the ground is the vSphere CSI driver. I've started engaging with the project lead, Shang, to get a co-lead aligned, because per Pushkar's suggestion it's good for us to have a co-lead for each of us, so working on getting someone else, coincidentally from VMware, to be her pair. And my plan is to also use our KubeCon talk...

D: ...where we talk about self-assessments to say, hey, you know, if you're interested in being part of this and learning with us and bringing, you know, your skill set to the table, yeah, come, come be involved. And then, yeah, per my request earlier...

D: I have a couple of things that I need some help with, just in terms of, like, managing the project. I need to get a new Slack channel created for the vSphere CSI driver assessment, and then I also wrote up a doc, after having a conversation with Pushkar, for just, like: what's the process for the self-assessment, what was the workflow that he followed? And I'd like to get that merged in; I'd like to create a docs folder to just put that documentation into. So yeah.

D: If someone... I don't know, Rey, if you could hang around for five minutes and just remind me where all that stuff is and how I access it, that would be great. And then also thinking about the CAPI retro, which needs to be done, and I know Nadir...

D: I just need a list of names of folks to ping to do the retro, to just, like, interview them basically and collect their feedback. So I guess I can probably just reach out to Pushkar for a reminder of who was involved in that, but also probably look at the authorship for the assessment itself and infer from that. But yeah, if anyone is aware of who was involved, other than Pushkar and Nadir, let me know and I can add them to my list.

B: Yeah, I believe we can also check the meeting notes for the CAPI retro meetings, I'm sorry, for the CAPI self-assessment meetings, to see if anyone who attended a meeting might like to be invited to the retro. I mean, it's good to make the invitation wide.

J: I was on those initial calls. Rey, I believe we had recordings; I didn't record them, and I don't think they were on the Kubernetes Slack. I want to say Pushkar set up some recordings, but maybe it was Nadir.

A: Yeah, I believe that those meetings, I want to say working group meetings, but working group is a Kubernetes governance jargon term, but I believe that those project meetings ended up on the SIG Security YouTube channel, the way that all of the rest of our public meetings do, and if not, the recordings should still be available, so we should be able to get them up if they aren't. So yeah.

A: If you want to see those, I would say definitely look for CAPI in that playlist, and it should be easy to find. If it's not easy to find, ping me and I'll be happy to do some digging for you. Awesome.

B: All right, are there any questions about the security self-assessments or for Mala?

B: I'm making a note that I definitely do agree that we should take the lessons learned from the external audits and from the past self-assessment to make that rubric.

A: All right, sorry about that. Right, all right, here we are. We are now into the ad hoc topics. Like, reminder: this is a space that we make for ourselves in order to do Kubernetes security work together, and one of the ways that we do that is by discussing the topics that are on people's minds. So the first one that I see here is yours, my...

I: I was added by, right, so the thing is, like, the small message I left on the SIG Security channel about the KEP to remove the security context admission. So we had a discussion about that. I wrote an issue on k/k; there is the link in the channel, so the link for the issue is right here, and yeah, I guess, what are the next steps for this thing?

A: In this case, my recommendation for next steps would be to talk with SIG Auth folks about this, because it's code in areas of the code base that they have responsibility for, and I think that you will probably find broad and open acceptance for removing this.

A: I dropped a message in the Slack channel and I got, like, some feedback from the issue, but didn't join the meeting yet, so maybe that's a good idea.

A: I don't know what they're... I mean, yeah, of course it's okay. Like, we are SIG Security; there's very little speaking officially on behalf of SIG Security, but it is very easy for anyone who is a contributor to say: this is a thing that I believe would be good for us, these are the reasons why I believe it would be good, how does it seem to you all, would you like to work together on it?

A: Like, that's definitely a thing that we can do. I don't know whether the fact that KubeCon is coming up so soon has affected the SIG Auth meeting schedule or not, but post in Slack, or DM me, like, I'll come with you. I always feel like the buddy system is a great way. I mean, go by yourself if you want; you do not have to bring a buddy, but, like, I always encourage bringing a buddy.

I: Okay, thanks, yeah, why not. Yeah, I don't even know the dates or anything, but I can check and try to talk about that; I didn't really look carefully, yeah.

A: So yeah, I think that's the way it goes: you know, find out about appetite from SIG Auth for doing this thing, because, you know, the fact that we think it's a good idea is a sign that it might be a good idea, but, you know, SIG Auth are the ones that have the most context around it and so on, and so perhaps there are horrific complications that none of us has...

A: ...none of us has anticipated, or maybe it's already on their roadmap and they are looking for somebody to help implement it, or who knows what. And so, yeah, go and talk to them, and then we will see it progress into a KEP, and then we will see all that code disappear, and deleting code is one of the best things that we can do for the health of our code base.

I: Yes, I think I had a plus one on the... and I think, on the description on the slide here, Jordan as well.

A: In that case, you may be able to just go ahead and, like, write a KEP for it, but I do think it would be friendly to put it on the SIG Auth meeting agenda just to ensure it has some wider awareness before writing a KEP for it. You know, there's nothing stopping anyone in the world from writing a drive-by KEP, but the most successful KEPs, people see coming before they land in the k/enhancements PRs.

A: The last thing we have on here is Knative's Security Guard. One thing that I will ask about, David, is I think that something bad happened to the link, because it 404s. We don't need to put that in the notes, though. But yeah, do you...

A: Do you want to tell us a little about this? Based on what I was hearing before, it might be a really good topic for a learning session in the tooling subproject learning sessions initiative, where folks come and share, you know, share information about different sorts of tools.

H: Yeah, we can do that. I don't know how to schedule such a session, but if you tell me...

A: Yeah, you can signal your desire to do that. There is an issue template for it on k/sig-security, and I will place that right in there. So yeah, if you would like to come and give, you know, an informal kind of introductory presentation about what is going on with Security Guard and what you're excited about with it, and, you know, the places where you think it would be interesting to the broader Kubernetes community, I think that could be really good.

H: Yeah, they are... our insecurity was missing, so a bit of background. I'm with IBM Research, been working on this specific project for a while, and we start in these projects from the very basic assumption that, no matter what you do, the images you deploy at the end of the day include vulnerabilities.

H: Maybe there are no known vulnerabilities, but there are vulnerabilities, and there will be zero-days as you move on, and maybe some of them will be hacked and some of them will be exploited. But that's the basic assumption: the basic assumption that it doesn't matter whether it's your misconfigured application, or you use a vulnerable library, or you didn't use any vulnerable library but that was a year ago and now it's vulnerable. It doesn't really matter.

H: It doesn't really matter whether it's malicious code or not. You made a mistake, or someone did something maliciously; doesn't matter. The assumption that we start with is that services you deployed on Kubernetes are vulnerable. And you said something before that is interesting for this next step. The next step is that this means that Kubernetes needs to address this.

H: It's not a problem of Falco, Sysdig, or the kernel. It is the problem for Kubernetes, and Kubernetes does a lot of very nice things in monitoring and controlling all aspects of your deployments, but security, but the runtime security, that's one part where we have controls. We know how to, you know, network policies, and to do isolation...

H: Do isolation, a lot of isolation we do with Kubernetes, but we never get to that point where we monitor and control in real time the actual application runtime. So when you have the assumption that all your pods are potentially vulnerable, and many of them will at some point be vulnerable to the point where you need to now...

H: ...you know, block someone from using that vulnerability that you are already aware of, but you don't have the tools to block it. Or you get to that point where there is an exploit that is working against your service, but you are in production; you can't just shut the service down.

H: So what do you do? You have to have the tools and the means to block the requests which are trying to exploit you, to block the requests which are potentially using the vulnerability that you may have, as well as try to block requests which are zero-day, and there are technologies that are there that can help you do that.

H: You just need to decide it's important enough for now for Kubernetes to add that to the Kubernetes main agenda, and that hasn't been done so far. And as I said before, it's not even in the documentation that this problem exists.

H: So I want to start by adding that to the documentation, the fact that this problem exists, and trying to spell it out in a way that people would understand. I know, when we're trying to talk to people in Kubernetes, I know that when I say runtime security, they do not understand what I'm talking about. They say, well, runtime, everything is runtime.

H: Network policies, I think, happen in runtime, so they do not make the distinction of what are we talking about. So I started calling that security behavior monitoring and control, because that explains what it is, instead of trying to name it by the way cyber people call it. And I'm not trying to build something into Falco; what I'm trying to do is to get to that point where we have open source inside Kubernetes one day.

H: Maybe it would take two years from now, I don't know. I started in Knative for that purpose: we are going to have runtime security as an integral part of what Kubernetes offers to any Kubernetes downstream.

A: I think it's super cool. Thoughts, questions, things that people want to dig in on this with David about?

B: Yeah, so I totally agree with you. We actually open-sourced a project that does runtime security and runtime monitoring as well. I'll also have to demo it to tooling as well. Yeah, so I 100% agree with you, and it'll be nice to share ideas as well, show you and demo our projects to the community as well.

D: Yeah, this is really cool. I'm working on stuff in this space, like, pertaining to Kubernetes runtime security, and I guess, so my one question is, just at a high level, does this tool... I'm just kind of looking at the documentation and thinking out loud. Does it allow a user to block an attempt to exploit a vulnerability or a misconfiguration embedded in a container? That's, like, the high level of what it does.

H: So it does two main things. The one thing is it monitors all the requests coming in.

H: It includes also the ability to learn from those requests a set of micro-rules, what is being used against the service, so you actually create a model for each service, how it's supposed to work over time, and you can lock that once you decide you want to lock that, and you can review those rules and decide whether those rules are okay, and then...

H: ...in any way you want. So that gives you the first ability, when something is really off from a security perspective, that it has some security notion to it.

H: Second is, when you have an exploit, you can have very specific rules that you define that would block that exploit. And of course we can always grow the criteria that you can define, and what are we protecting and what tools we give the user; that's exactly...

H: ...what's going to be, you know, an endless road of improvement that can be made there. The second part of this project is the part which is more, in some way, aligned with Sysdig and Falco; in that respect, it is trying to see whether the pod itself behaves as it should. And the trivial thing that we are doing today is, for example, looking at the response time.

H: Looking at the responses that are provided by this pod, looking at the network, because the pod network is shared, so we can see the network, who is it communicating with, and if suddenly these pods start communicating with someone they shouldn't be communicating with, that's something that you wouldn't want happening. So what do we do? Whether you send an alert, do you shut down the service? Not the service, but do you restart the pod? So I...

A: I think, unfortunately, I currently have to let us know that we have hit the end of our time. I recommend that folks continue this on Slack. It is super cool to see a lot of energy around this, and also, yeah, David, I totally recommend for you to put in one of those issues for a learning session on this, and this is really cool. Thank you all so much for coming, for sharing, for working together to make Kubernetes more secure.