From YouTube: Kubernetes SIG Security Tooling 20220719
A: So welcome, this is our security tooling working session. Today the main idea is to discuss the KEP, and we'll basically try to divide the KEP into different tasks that all of us can figure out how to implement, and then, by the time the version 1.25 code freeze happens, which is about two weeks from now, the idea would be to have all the code merged so that we will have it ready by the release of 1.25.

A: All right, so for folks who are slightly new to the KEP, basically the idea is: we have a bunch of GitHub issues that SRC creates whenever a new CVE is announced. The idea is, can I, as an end user or somebody who cares about Kubernetes, find a way to programmatically fetch those issues and any details related to them through something as simple as a curl call through a REST API?

A: So with that out of the way, this is what I see the flow to be like, the bare-bones, very minimal thing that we need to do to have this working. So first is we have the GitHub issues and a feed label through which we can filter the issues we need.

A: There are GitHub APIs that we can use to query those issues. I know Neha has a sample code there that she has tried.

A: So, after that, a JSON blob would be created using the results from the query. After that, we can do these two things also as part of a prow job, so the idea would be the prow job will run, let's say, every one hour, and the first step would be: query the GitHub issues, create the JSON blob. Once that is done, what we would do is we would have stored a checksum in our Google Cloud bucket of the JSON blob that existed earlier. So the first time,

A: if there is no checksum, we push it anyway, but the next time we would create a checksum, which doesn't have to be cryptographically secure or anything like that, but any hash function like SHA-256 would give us a fixed-length string essentially that we can check against whenever this JSON blob gets created.

A: So once that is there, we have the data that we need in a GCS bucket. Now the idea is to bring that data into k8s.io, where, okay, no worries Eric, thanks for stopping by, and when the website is basically built, which is at least twice every day, but it can be more based on, like, if a PR is merged or not. So whenever that happens, we will pull the...

A: We will write code in the k8s website pages in such a way that during build time it will pull that data from the GCS bucket, and once it's pulled, it will be visible on a URL, something like k8s.io/security/issues/official-cve.json, something like that, and then we can also use the same blob to generate an HTML table which would show up as a list of CVEs that we know have been officially announced.

A: So that's the whole flow. I think we have bits and pieces of everything, but we need to bring everything together, essentially in the next couple of weeks, so any thoughts so far?
B: Yeah, I think on the last part, like, I have a few queries there on the website part, because if we see, like, Tim was also having a few queries. I mean, I'm not sure if he was thinking on the prow job side, but I think I saw you generated one PR on generate-content.sh, where you create some folder in static/security, and then you call the, I mean, it will be a GCS bucket call and it will write the JSON file in that directory.
A: So it's been a while since I looked at that PR, but my understanding, or if my memory is right, what it was trying to do is: every time the website is built, it also would run the shell script, yeah, that is pulling things from the GCS bucket, and then generate the JSON blob, which would be like a static thing or whatever, if we decide to, and then we can use that JSON blob further to make that HTML table. So the idea would be, like, either we trigger the website build or, like Tim was saying in our chat yesterday,

A: offline, was: let's keep that for now and assume that whenever the website builds, whether it's the regularly scheduled one or when a PR is merged, let it pull from the GCS bucket. At that time there will be maybe a bit more lag than we would have liked, but it will still have the latest data whenever the build happens.

A: Yeah, what he was thinking is, like, it seems to him, looks like an optional thing, but it is worth doing just to make the refresh quicker.
B: Okay, okay, okay, that is an optional thing, but yeah, but for now, if we go with, like, whatever the twice-a-day process, that also gives us, I mean, that will pull the data from the GCS bucket, right, and it will write to the static/security, right. Yeah, that's okay, and then the k8s website will display the table from the, some docs reference, yeah, where I have written that code. Also the user code.

B: Yeah, I'll just, one minute, can you, one minute? Oh gee, can you stop sharing, Pushkar?

B: Yeah, maybe it's not allowing me. Okay, it's disabled! Try now, yeah. Now it is fine, okay. So if you look in my VS Code, so already we have a few that's mixed, right, in that file, so I just created one new cron job, so I just provided, so names and all we can change anytime. Yes, cluster, probable, service account name. I gave this because the GCS bucket will use this service account. Okay, right, then image: I found Python 3.7 is available, okay, and in the command we'll just execute our shell script or Python.

B: So I am, I use a shell script; from the shell script you can just call Python, that is also fine, or otherwise you can go with Python as well directly. So, and in my Python code, I already, shell script, I already have that. So if you see this code, Python script, so I need one change here: this token thing, the, which token are we going to use here? Right now I'm using mine, but we need this token.

B: Yes, because if that is done, maybe we can just push this code and see if this works at least and gives us the JSON blob, right. So one thing, I need this token and it gives us this official CVE feed, and now the next thing would be to write code to create the GCS bucket, compare the checksum, generate new JSON if it is updated, that's it, then we can just use this in the prow job which I am sharing now here.

B: Yeah, I mean in the shell script you can call that Python. So I think we are going to use the Google bucket, like GCS commands, right, so we'll need this environment variable. What is the bucket name? Which is k8s CVE feed, I think I got it from the task which you created, right, and CVE project, and I'm not sure where this will be used, but yeah, let's see, but I have written this environment variable.

B: Okay, let's see why it is needed, and this k8s-ci-robot I have used; I'm not sure if this token will be used in that GitHub API which I'm talking about, or this will be used because earlier we used to use that PR-created stuff, now, if you remember, so for that I was needing this token. But is this the same token which we will use for the GitHub APIs also? Are you aware about that?

B: Yes, I think we just need to test this out. Maybe, like, I mean, what do you think, should we, like, is there any process to test this locally?
A: And we can also ask in maybe SIG Testing. We want to make sure we have this running successfully; is pj-on-kind the best option, or if they have other suggestions, or if they are like, just merge it and then see what happens, then we can also do that, but like having a draft PR might be a good idea.
B: Okay, yeah, because I, okay, so if you see, I can use this argument in my Python code, and let's see if this works, because this, we have to do the testing, because if this works, then we can update the code for Google Cloud. I think for the Google GCS bucket there is a Python client. I think it should be so.
A: Yeah, so I'll also, so since my day is starting, I'll also see if I can find a way to create a bucket. If I do end up creating one, I will share it with the group, so you can start testing with that, and if I don't end up finding one, I'll let you know either way.

A: On the website side, any changes we need to make, maybe I can try to get those fairly ready also, or just like you have the prow job, so that we are, we will at least be in good shape. Once the bucket is created, we will know what to do.
B: Yeah, actually, if we, if you see the PR of the GCS bucket, that usual thing which I did, so we'll have to close this and create a new one.

B: So this is the YAML, layout shortcodes, okay, where I, one minute, so, where I already have the table, so the change would be, one change would be needed here, which is, I'll show you one thing, so if you see, like, it is doing a GET call to this JSON, the GitHub where I have the file, right. So this will be now, as we are telling, like, the build will pull from the GCS bucket and it will write to that static folder now.

B: So this will not be needed now, because this will be, so this will be removed, and I think we have to confirm with Tim, I think, from the static folder. I think we don't need this URL anymore, right, or how to read from static here, that I'm not sure, or it is automatically handled, that I'm not sure.
A: From JS, yeah, so I can try that also using your code.

A: The generate.sh file, I see Mahi has added a comment on the chat: maybe to test you can try a MinIO standalone server for the bucket test. You can run this thing locally and it's S3 compatible.

A: Sorry, yes, no worries. Try, try your best to be saying whatever you want to say, we'll try to listen.

A: You use that, okay, no worries, sounds good. Okay, so let's do it this way then: for now the bucket part, sorry, not the bucket part, the prow job part, you can do that part, yeah, and I'll try to do the website side.

A: Things after that, and in addition to that, for today at least I'll try to find a way to create a fake bucket that we can use for testing. Assuming both of those things work, then you can test the prow job with the, or at least the Python script with the bucket, and if your Python script is working by, let's say, the same time tomorrow, then we can say: hey, we are ready.
B: Okay, okay, yeah, and one thing I wanted to ask is: do you have anything on the dashboarding name and all? We are going to change it afterwards.
A: Yes, we can discuss names now. I think the best time to discuss is in a Zoom meeting, in terms of names, so that's a good idea. So the official name of the KEP is "auto-refreshing CVE feed" or something like that, right. Let me check, I have written it, but I forget the name sometimes, so. Okay.

A: Opening the page now: "auto-refreshing official CVE feed", so with that in mind, yeah, anything we can use that represents, I think, the KEP name would probably be good. Another thing I'm thinking, for the cron regex, should we run it more frequently?
B: Oh, the six is fine, is fine. This repo is like test-infra, because we are creating it, it will use the reference. Yes, this thing I'll figure out, if any change is required here or something, let's see, yes.
A: All right, and "auto-refreshing official CVE feed". Maybe, I don't know whether it would make sense, what do you think, if we add the KEP issue number in the description? Would that help? Yeah.
A: Right, okay, so that sounds good. I think I am at least clear on what to do next. Anything else we missed?

A: Yeah, yeah, sounds good. Any questions from anyone else? You had something, Neha.
A: It's also a simple script, so yeah, it is a good, I mean, like the Python script you're writing, so it shouldn't matter much. Even if somebody doesn't know Python, they can probably pick it up. In terms of, I'm thinking in terms of, like, future maintenance, for when somebody else comes in and wants to help out.

A: Okay, okay, sounds good. Anything else from anyone, anything we might have assumed, you know, and we shouldn't? We can also explain that part.

A: All right, if not, thanks a lot for joining and thanks a lot for all the work so far on the KEP. We will meet, so one update on the next time we meet.

A: We had a learning session planned, but the people who want to present it can't make it to the next session, which was, I think, on August the 2nd, so with the code freeze also sort of close to August 2nd, which is August 3rd, is code freeze, I am debating, based on how much progress we make.

A: We could have another working session, maybe the same time next week, so we get like one more week to discuss if we need to, and then we can skip the August 2nd one and the learning session would then be on August 16th. So that is my tentative thinking. Would this time, say next week, work for you, Neha? If you have to join again and discuss the progress.

A: Cool, okay, so thanks a lot, see you again either in the regularly scheduled security meeting or this meeting next time.