From YouTube: Kubernetes SIG Security Audit 20210526
A: Putting the link to the agenda in the chat for everyone. Please sign in, any new people. If this is your first time, or if you haven't said hello...
C: Hello, yeah, my name is John Ziola. I have not contributed in this exact form before, the third-party security audit meetings. I have attended some Kubernetes security meetings in the past, but I'm new here.
A: Welcome. All right, all right, let's go through the agenda. I just want to talk about the RFP, the Cluster API, the security review for the Cluster API, and also something that came up in the chat on the last SIG Security call about the bill of materials.
A: If there is one, and there is an issue for one, so it is up and coming. So, like that, first off, the RFP. We haven't had any new proposals come in yet. We did have a change to the RFP, and this is about intellectual property rights. I have the pull request. Thank you, Robert, for making that pull request; that has been merged right now, or has been merged since, so please take a look at that. I have some IOUs. I do apologize.
A: My work week has been pretty crazy, so I was also supposed to make a pull request for the four additional questions that were made to the request for proposal, so I was going to make a draft of the RFP. So I do owe that, and we'll try to make that today.
A: So I'll post those questions. I did post it on the Slack channel and did get one reply. Thank you for that as well, Robert. So there are additional questions for the RFP. I'm gonna post those four in the agenda. I'm not gonna have to discuss it right now, but I'll just briefly go over this. I would like to get some comments on the pull requests.
A: That's what I would prefer. One is: do you have any developer documentation or design documentation, specifications that aren't available on the internet that you will be able to share? So from my perspective, since it's open source, everything, all the documentation we have, is available on GitHub. So that's more or less what I'm going to answer for one of the four requests as well. Second one: where are the most important publicly available pages detailing the design of the system and the data it receives?
A: Don't know how to answer this quite yet. I would definitely highlight the scope of the RFP, like the components we highlighted in the RFP, as being the most important pages of the documentation and on the GitHub repo. Third is: how long does the working group envision the engagement lasting?
A: What's the latest date you can receive the deliverables? So this one I want to bring up to the group. We talked about having it be a flexible timeline for the engagements, and is there a latest date we can receive the deliverable? I imagine that this will be negotiated once a company has been selected. Any thoughts?
D: That seems right. We can't really set a timeline until we have an understanding of who they are, what levers we have to negotiate pricing over velocity, or what other things come up. I think we punt.
E: No, I just think it came up on a couple of the calls with vendors, where they... if Bob is our best person and he's on some other big project, is there flexibility to wait, you know, a month for Bob to become available? That kind of thing.
E: In the scoring rubric, do we have, I forget, do we have something for just kind of like... probably not, because it was defined last time, but maybe that's just a weighting factor: company A can do it faster than company B, all things being equal.
D: That's not a bad thing to add. However, in my experience, all things are not equal. Is that ever true? True, that's true.
A: All right, last question: which attack vectors are of most concern to the working group?
A: I'm not reading Robert's response.
D: I mean, we did scope it to components, which components we thought should get the most attention or all of the attention. Attack vector, I'm actually not finding the question in Slack. Which attack vectors are most important to assess, I think, is difficult when you're talking about...
D: Software, not a service, and we're talking about what almost no one does: just literally download, clone Kubernetes, compile it and run it. That's not a thing that people do, the least that I know of. It's always consumed through a distribution, and we don't want to audit the distribution. So the attack vector is, I think, inherently ambiguous.
D: But this, I think, supply chain is out of scope because that's not a component. We didn't say we want to audit our GitHub information. We said we want to audit these components, so I would say any attack vector that exists against these components in any configuration would be fair game.
D: Of concern, I guess we could go a step farther. Is it further? We could go a step further and we could say that the ones that we would be most concerned about would be unauthenticated access to a cluster resulting in compromise of one of these components. Right, and then we could say crossing cluster boundaries for multi-cluster configurations would be second, and then crossing databases would be third. Like, we could say where the attack originates is of note and will impact the severity of the vulnerability.
D: I don't think it's crazy to say that if someone, if I'm running an app, not even a vulnerable app, just like an app on a Kubernetes cluster, and somehow interacting with that app can result in compromise of the kubelet, like that's a very big issue. What is maybe a smaller but still interesting issue would be: if I'm running in namespace A, can I attack a kubelet that is on a node that is only running namespace B? That would be an interesting finding also. I don't know, I don't, but this is...
D: This is really just a practical breakdown of how we would do a CVSS score, right? We would consider the access required, or the network traversal required, in order to perform the attack. When scoring, it's literally one of the things you pick.
E: Points, all right. I think, to Craig's chat question: the privileged or root container, is that in scope? I guess, isn't that enforced?
D: That's literally the expected and defined behavior for those properties in the PodSpec.
B: Yeah, there are some components whose containers are built in not great ways already, and you know, unless... yeah, I guess, since we're scoping to some set of components, we're only going to take a look at those. Like, if I were doing the assessment, the first thing I would do is look at how all of the components are built upstream. I mean, I think that's in scope.
B: The infrastructure itself, like, say, how CoreOS is built, or sorry, CoreDNS or something else, is built that way.
A: All right, next topic to put down is the roadmap. So, for those who are new here, we talked about having a roadmap first for future security audits. There are many different components of Kubernetes, like CoreDNS, and to me CoreDNS is a crucial part of Kubernetes, but it's out of the scope of the current RFP.
A: So we need, I would... so we propose to have a roadmap, to have like a timeline of what is in scope for future security audits, and this is something that the community can comment on and make pull requests to, or request to have additional components in future audits. Of course, we need to have the core components be on some kind of cadence to be audited as well. But so we have the Google Sheet here, but we'll make it into pull requests.
A: That's another one of my to-dos here. Any questions about that? We brought this up to the SIG Security meeting; seemed like the people at SIG Security liked it as well. So definitely make a pull request, and I'll probably have it in draft mode, but it'll be free for comments.
A: All right, moving on: Cluster API. So we brought up the topic of having like a security review, an internal Kubernetes security review, for Cluster API, using the templates that the CNCF Security TAG has used or is using for their security reviews.
A: Robert contributes to those calls also. He also has run several security reviews for the Security TAG, and we do have an action item that's been taken, and it's been just creating a Slack channel for this specific security review. Don't know if this is going to be a continued subject on this call. So should we have it on this call? Should we have it on the Kubernetes main meeting for the Cluster API security review, since it's kind of out of scope of the external review?
A: Well, that's a good point, because I know this, and when I was part of the CNCF security before it was Security TAG, they would have to do their own assessments, or go through the CNCF security assessment, before getting the external security audits. This might be a roadmap item, like components have to go through an internal...
A: I'm talking about the future here: internal Kubernetes security reviews before going into an external audit.
A: Apparently, don't see Pushkar on the call, but, and I think Pushkar was kind of taking that action item, next steps for the security review for Cluster API. He also did mention setting up a call between folks in the CNCF Security TAG and Kubernetes security to go over kind of like the templates of their reviews.
E: So, yes, probably not this call, but I think if... I think, Craig, you want to be involved in that, I think we... and Craig, remind me: are you kind of the Cluster API designated person, or has anybody stepped up?
E: Perfect. So my only point was we want to make sure that we have the Cluster API representation. So if it's literally just that PJ needs to schedule a call, Ray, that's... I'm ready, you know, I'll try to slot it in around his availability and then, Craig, with yours as well. The templates are there; they're in the TAG Security.
E: Here's the main starting point. So again, just to give the background.
E: These are not security audits by any stretch, right? They're basically just hygiene checking, documentation review, and when I've... and Ray, to your point, when I've led these, Falco and Custodian, and I was part of the OPA, on the OPA side, we went...
A: All right, any other comments or questions on the Cluster API reassessment from Kubernetes security?
A: All right, there was a chat message on the SIG Security call asking about a bill of materials for Kubernetes, and then I saw on SIG Release that there's actually an issue about this as well, to provide a bill of materials.
A: So it's still a to-do, but it's definitely on the minds of SIG Release to create this bill of materials, and I posted the link there to the issue, which pretty much highlights what needs to get done for this bill of materials.
A: Asking about SPDX: the BOMs will be published in SPDX. That is a question in the chat, and so, if we go over the... can't share my screen on this Zoom, but reviewing the umbrella issue of bill of materials, there are the high-level points: make krel, which is the tool used to build Kubernetes (it's called krel, short for Kubernetes release), aware of binary artifacts expected from the release process. There are several other sub-tasks involved in those as well.
E: Just that I have a new vendor that I had stumbled upon. They intimated that they might put something in. Since this is a public forum, I'll keep the names out of it, but... and then some of the previous ones that I spoke to said that they were going to respond by June 1st.
A: All right, going once. Any other topics or...
A: Questions? Okay, all right, I'll give you back four minutes. Thank you, everyone, and yeah, I'll add into the agenda notes as well any additional links.