From YouTube: Kubernetes SIG Security Assessments 20230214
A: So hello, everyone, welcome to the second meeting of the SIG Security self-assessment subproject. My name is Allah, I am the subproject lead and, let's see, I am happy to take notes, given that this is our sort of second well-attended meeting, but yeah, definitely happy to rotate that. Oh, and I see Grace is joining us, which is excellent. Let me share the notes document in chat. Hey.

A: Oh, thank you, Tabby. That would be fantastic. There's the link again. All right, so yeah, I just introduced myself. Why don't we, in the way that SIG Security does, which I love, do introductions? So who would like to follow me in introducing themselves?

D: Grace said hi, so hi Grace, and then I'll go. Robert Ficcaglia, I'm the co-chair of WG Policy and participate as much as I can in all things security when I have even any leftover time from CNCF TAG stuff, but that's getting harder and harder.

A: Cool, well, I think that is everything for introductions. So thank you, folks. Yeah, so I guess, moving on to the first discussion topic, folks are welcome to drop other stuff in there, but really our kind of main point of... oh actually, sorry, before I jump into that, just for the recording: what does self-assessments do? So like Cailyn said, we are all about threat modeling, so you can think of us as the budding threat modeling service for the Kubernetes community.

A: So with that I will now dive into the first discussion topic, and if anyone else wants to add any other discussion topics, please, please do so. This is an open meeting, but yeah. So my discussion topic is to just recap where we're at with the vSphere CSI driver, since that is kind of our current scope right now as a little subproject. So basically, once Pushkar finished the CAPI pilot,

A: he set up an intake mechanism in the SIG Security GitHub board, in our git repo, to intake requests for other self-assessments, and Xing Yang, who owns the vSphere CSI driver project, who happens to work at VMware, which is where I happen to work, requested one. So they are next up.

A: You know, everyone is welcome and encouraged to request self-assessments, but Xing was the first to do so, so one thing at a time. So just a quick recap of where we're at with that. So the first meeting to begin that self-assessment is on the 27th, so not next Monday but the week after, and the plan for that meeting is a couple of things.

A: So the first thing is just getting our sort of collaboration model organized, so depending on who comes to that meeting, and I can also put a link to that meeting information in the agenda for anyone who stumbles upon this later, you know, really figuring out,

A: okay, given the skill sets of the people who are present, you know, and just the general scope of what the self-assessment entails, which is, you know, basically drawing a data flow diagram, which includes not just the data flows but things like annotating ports,

A: what type of encryption is used in communication between what two ports, and then actually doing the threat model of, you know, how could a malicious actor leverage this reality to get access to things that they shouldn't and do naughty things. Sort of what makes sense in terms of how we should go about even doing that work. Tabby was very helpful last week in suggesting that there will probably be opportunities for us to do some work

A: asynchronously and save, you know, other types of work for actual synchronous meetings, so that we can just have a nice balance of meetings, not meeting too much, not meeting too little. But it really depends on the group, the skill set, and who's able to participate and what their bandwidth is and what their skill sets are. So I think it'll be really important to start the, you know, the process just understanding

A: what's a successful collaboration model. If time allows in that meeting, we can actually get into drawing the data flow diagram. So the documentation that Xing has shared with us has a really nice architecture diagram, so to a certain extent I imagine it's just, you know, sort of redrawing that, but then adding sort of data flows in terms of targeted workflows that we want to go after. I see Robert, you have raised your hand.

D: Yes, I just want to comment, when we did the CAPI one I think the interactive sessions were helpful early in that process, right? And I can't remember, all, if you were on those as well, but it was definitely helpful for everyone to get context and then really talk through, even though there were diagrams provided, just really talk through and get questions answered in real time.

D: Obviously, if folks are, you know, all over the globe participating, logistics might be challenging, but even for the other self-assessments, having that kind of initial kickoff session really, really helps at that stage, and then a lot of asynchronous work was possible.

A: Awesome, yeah, and Robert, I strategically added you to be part of the Doodle poll, because your participation in that, I can see from watching the recordings, was really excellent, and I definitely want to make sure we have folks who are experienced with not just threat modeling itself but also just the mechanics of kind of how you manage and, you know, what type of work can be assigned to async versus synchronous and stuff.

A: So really, really appreciate your guidance there for sure, but to your point, I think doing a lot of context, basically making the deep investment in context sharing early, definitely makes a lot of sense, because then that can drive more asynchronous work following. So yeah.

A: Awesome, cool, all right. Well, let's see, that is really the big update on the vSphere CSI driver assessment. I will continue. I've watched two of the four CAPI videos so far, and I've done a ton of reading in terms of different, you know, threat modeling approaches, so I think I have a pretty good handle on how to run the session. I think, you know, following Pushkar's style of just keeping it really simple. I mean, it really is just:

A: how does this thing work when you engage this workflow? And just drawing it out is pretty straightforward, so I'm feeling pretty confident there. But yeah, who else has a topic they would like to discuss?

C: I do. Please, by all means. Yeah, I was just gonna volunteer to get some basic docs up on SIG Security for self-assessment. Like, looking at the TAG Security docs, I think it'd be really valuable to have something a little bit similar, mostly selfishly, because I've been out telling people about this initiative, and currently the only visible documentation under SIG Security are the CAPI results, which is like helpful, but not as easy for people who are like,

C: oh, like, I wanna figure out what it would mean for me to do this. So if that's something the team is interested in, I would be up for getting a draft up for something a little bit similar to this.

C: Like, someone hears, like I mentioned it in my talk at Cloud Native SecurityCon, but I couldn't link to anything except for the CAPI docs, which is still great, but it's nice to have like the, okay, you want to do this next? Here are your steps, I think.

A: Oh, awesome, and you know, Cailyn, I started a, and I think there's a PR out for it, like a really kind of basic version of this. It's not as... it was basically my notes from chatting with Pushkar about, like, okay, how do I do this? And it was like, you know, step one, gather your people. So I think this is much better laid out, so I can totally send you like a link to kind of what I wrote up if you want to use any of it at all.

C: I think we started it together and it needs just a little bit of, sure, and then it'll be g2g.

A: Gorgeous, darling, gorgeous. Okay, yeah, let me go find that, and yeah, we will work on it together. Oh yeah, that's right, before Thanksgiving I was just totally, yeah, I was struggling with using it. So yeah, I'll dig that out and yeah, we can work on it together.

B: Is this PR number 70 in k/sig-security? Perhaps that's...

B: Might be smart to put a label in k/sig-security for the subproject that is dealing with a certain PR or a certain issue, and then we could apply those labels to those PRs or issues, and so then, ultimately, you could have a link at the top of the meeting notes doc that said all of our PRs and issues in k/sig-security. You'll have a little easier time with that than, like, I don't know, tooling, which may have issues all over different repos, you know, because they may have a, you know...

A: Yeah, I can totally figure that out. Yeah, I love aggregation things like that. Click a button, give me a list.

A: Oh, Grace, great question. I'll just read it out since I know you're listening in: "I'm curious, how do we use this meeting versus the vSphere ones?"

A: So Tabby and I were chatting about that last week, and that's a really good question. So I think the answer is that, basically depending on how many requests we get, but depending on how much stuff is going on in the subproject, that will dictate how we use this time. So, you know, maybe to start we will keep

A: you know, sharing that, inviting other people to make requests to have self-assessments done. I'm thinking it could evolve into something more like the way that the SIG Security meeting is run, so with a list of the subprojects, and in this case the subprojects of, you know, the self-assessment of self-assessments would be the self-assessments that are going on. So I could also see it as kind of a, you know, a mini recap slash, like, oh, come, you know, here's a readout of the activities that are going on.

A: If anyone has questions, or, you know, even if someone wants to show up at a meeting and say, hey, how do I get involved in some of the ongoing things that are going on? I could see it evolving like that. So I guess, to answer your question, it will evolve, but I imagine for kind of the short term we'll probably end up keeping it focused on the vSphere CSI driver, just because there will probably be a lot of overlap between who attends those meetings and who attends these meetings.

A: Awesome. Any other questions or comments, or just anything at all that anyone wants to share?

A: Let's see, oh, you know what I think we need is a Zoom invite for the meeting on Monday the 27th. I think I put in a placeholder from Doodle, but let me get you those details. Oh yes, okay, yeah, so I think, Tabby, I selected to you, yeah. It's 2/27 from 2:30 to 3:30 p.m. Eastern time, yeah, and...

B: That's, that's a, that's...

A: One-time meeting, correct. Awesome, wait.

D: Yeah, and so technically it doesn't have to be coupled with the self-assessment, but we found that during the fuzzing effort with CAPI it was also highly valuable, and so last time that was just a reach-out to Chris Aniszczyk.

D: You know, said, hey, I hear you guys have money for fuzzing. And I don't know if we want to make that a little bit more formal and, like, you know, just see if we can, I guess, decide if we want to couple these things together or if that's just adding too much load to the project. But if we do, and again, I thought it was highly valuable.

D: I think the team thought it was highly valuable, but you should definitely talk to the CAPI folks, and I believe it found some bugs. So anyway, if we want to formalize that a bit, maybe we just need to reach out to Chris again or tell them, hey, we'd like to just kind of get to this rubber stamp for anybody who participates in a self-assessment. Not sure how much budget there is.

B: I will put my, I'll take off my SIG chair hat, put on my SRC hat, and support this idea very, very highly.

B: Obviously, I don't have my fingers in the wallet, but my impression is that there is quite a bit of budget there available, in part because a little bit of budget goes a long way with that fuzzing, and the folks from Ada Logics have been a real big help with Kubernetes generally, but fuzzing projects really flounder unless they have a lot of give and take with the developers. And so I love

B: this idea of making folks who are going through a security self-assessment aware that you can pretty much just get fuzzing help by asking for it, because, like, you're getting them at a time in their life where they are very likely to be interested in that, whereas, like, drive-by fuzzing, you know, coming up to somebody's house and being like, hey, do you want some fuzzing? It's far less likely to generate the kind of engagement that you need to really get a lot of mileage out of fuzzing.

A: And I think when we did the CAPI retro, that actually, I think that also came up, in terms of, because we had done the self-assessment, because we had done the threat model and we knew, like... in other words, we could scope a fuzzing exercise really, really well, and so it was really like, I think that was another thing, is like a self-assessment is also a great way to have a really clean scope of what to fuzz, right?

A: Exactly. So I think it's like, on the one hand, the give and take with the developers, but then also using the self-assessment as a way to have a really clear and focused fuzzing exercise. I think that could be great, and Robert, I mean, yeah, I think we can always make "go and see if there is budget for a, you know, a fuzz test" part of the checklist for a self-assessment. Like, we don't do...

A: Exactly. And so when you say look at the results, you mean the self-assessment group, like the people who are doing, well, or...

D: We usually look, for sure, for those who are going to participate in particular, but the developer specifically, because I think for Ada Logics to be really helpful they have to get into a tight loop with the developers. Here's what we're finding, you know, are we doing the wrong fuzzing or is this real initiative? And that can't really struggle, like, in my recollection from CAPI is that they were on top of it and, like, would provide, like, same-day feedback.

A: Okay, so step one is, is there budget? Step two, what is the timing with, you know, in this case, Xing and her capacity, and if we spent time doing it, when is a good time for her, and, you know, can Ada Logics get... yeah. So, but yeah, I think it's really, yeah, part of the checklist for any self-assessment can be, you know, is there desire to do, you know, fuzzing as part of this? Like, we can always ask that.

D: And maybe it's a good idea, and maybe we should invite, I'm sure I have those email threads, we can invite Ada Logics to maybe either present here or, if they want to talk to a bigger group, maybe at the SIG call, and just kind of walk us through what their best practices are and their experience of CAPI and maybe how their thinking has evolved.

A: Awesome, because we could even just, like in this meeting, have them do like a quick presentation, it's recorded, and then just post it in other Slack channels, for like, hey, you know, we're, you know, SIG Security self-assessments, just a reminder to the community that this is a service, that fuzzing is a service that's available, and, you know, we can also weave it in as part of doing a threat modeling exercise as well. I think that is great. So yeah, just keeping everyone up to speed on, like, what security services exist in the Kubernetes community, I think, is always a good thing for us to do.

A: Oh, and they had a talk at KubeCon, maybe we can just repurpose that. Awesome, so...

C: Many of you have talks at KubeCon in this room. Congratulations, Grace, I saw yours. I saw, Tabby, you're on there. Also, Tabby, someone came up to me at my talk and told me you sent them. I was like, I feel like that is better publicity than doing the talk at all, is to be like, Tabitha Sable is sending people to listen to me talk. I am obviously a very big expert.

A: Awesome, awesome, all right, well, keeping an eye on time. Does anyone have any last questions or comments before we wrap up for this week?

A: Because it's, yeah, sig-security/sig-security-assessments, and there's an OWNERS file in that. I can send you a link to it, and it does list me plus SIG Security leads. I'll...