►
From YouTube: Kubernetes SIG Security Community Gathering 20201005
Description
Kubernetes SIG Security Community Gathering 20201005
C
A
All
right,
hey,
so
thank
you
all
for
coming
to
kubernetes
six
security
community
gathering.
I
think
the
the
first
thing
that
we
all
do
is
go
around
the
room
and
give
everybody
a
chance
to
say
hello,
introduce
yourself
real
briefly
and
talk
about
you
know:
what
is
your
involvement
with
kubernetes?
What
would
you
like
to
see
from
this
sig?
A
So
I
will.
I
will
get
started
with
that:
hey
I'm
tabitha
sable
use
she
and
they
to
address
me.
My
involvement
with
kubernetes
security
is
that
I
have
had
a
good
time
with
giving
some
presentations
doing
some
community
outreach
talking
about
things
at
you
know,
conferences
on
twitter.
Things
like
that,
and
what
I
really
want
to
see
from
this
sig
is
to
provide
a
home
inside
kubernetes
for
the
community,
which
already
exists
to
achieve
its
goals.
D
A
E
E
I
just
want
to
be
a
part
of
this
sort
of
now
and
early,
but
realistically,
in
a
couple
months,
I'll
probably
hopefully
have
a
little
bit
more
time
to
dedicate
so
just
want
to
get
my
feet
in
and
you
know
be
a
part
of
it
as
early
as
I
can,
but
time
involvement
starting
around
the
new
year.
Probably
so,
just
meeting
all
of
you.
F
G
Sorry
I
was
on
mute,
I'm
I
actually
work
with
benjamin
hello,
benjamin
and
the
peter
benjamin
anyway.
I
this
caught
my
eye.
Just
in
the
last
day
I,
and
so
I'm
not
sure
exactly
what
I'll
you
know
be
able
to
contribute.
I
have
a
lot
of
background
in
security,
cryptography
network
security,
and
so
I'm
hoping
to
be
a
contributing
member
of
this
community
here.
H
I
Evening,
all
so,
I'm
rory
mckeon,
I'm
a
security
consultant
pen
tester.
I've
done
a
lot
of
work
in
containers
over
the
last
couple
of
years.
I
guess
for
this.
My
primary
focus
is:
there's
a
kind
of
suggested
sub
project
around
a
hardening
guide
and
that's
been
kind
of
like
where
I
was
expecting
to
kind
of
like
fully
put
most
of
my
effort
anyway.
B
F
K
Yeah,
my
name
is
matt,
he
him
and
I'm
coming
to
this.
I
guess
what
I'm
hoping
to
get
out
of
it
is
to
help
build
the
community.
You
know
help
provide,
you
know
general,
like
you
know,
support
and
organization,
as
it
makes
sense
and
just
bring.
I
have
a
lot
of
security
expertise
relatively
new
to
the
kubernetes
ecosystem,
but
I've
been
around
security
for
a
long
time,
so
hoping
to
provide
expertise,
as
I
can.
L
Hi
there
I'm
tim
bannister,
my
pronouns
are
part
of
speech.
That's
all
important
right
now,
I'm
an
infrastructure
consultant
in
the
united
kingdom
and
I
also
contribute
to
sig
docs
and
if,
if
you're,
looking
at
an
issue
against
the
website,
repo
saying
we
should
document
how
to
do
this
securely.
There's
like
a
reasonable
chance,
I
filed
it.
M
Hey
everybody,
I'm
duffy
cooley
of
him,
I'm
I
do
a
lot
of
public
speaking
and
actually
also
help
a
lot
of
people
out
kind
of
in
time,
within
the
kubernetes
slack
and
within
the
community
in
general.
Helping
people
understand
the
security
service
of
kubernetes
and
containers
and
all
those
things
I'll
probably
continue
to
do
that
stuff.
So
I'm
very
interested
in
helping
sort
of
an
advocacy
role,
making
sure
that
people
are
under
understand
what
we're
doing
here
and
that
kind
of
help
people
consume
it.
However,
that
works
out.
N
Hey
everyone
mike
foster.
He
him
I've
been
in
kubernetes
for
a
little
over
four
years
now,
recently
just
kind
of
making
more
of
a
jump
into
security,
basically
just
whole
life
cycle
security,
so
looking
to
be
more
involved
in
the
community.
Learn
from
you
guys,
work
with
documentation,
work
with
community
involvement,
different
cncf
objectives
and
certifications
as
well.
P
Q
Hey
my
name
is
abaya
and
my
pronouns
are
he
and
her?
I
mean
he
and
him
so.
I
just
joined
the
amazon
eks
team
a
couple
of
months
ago
and
I'm
just
a
starting
engineer
like
at
the
bottom
of
the
ladder.
So
security
has
always
been
one
of
my
passions,
so
I
did
the
ceh
certified
ethical
hacker
certification,
as
well
as
a
couple
of
internships
in
the
security
field.
Q
R
Hello,
I'm
ann
bertuccio.
I
use
she
and
her
and
I'm
a
manager
of
the
security
program
within
google's
open
source
office.
So
I
kind
of
come
in
and
out
upstream
bounce
around
do
various
things
with
the
upstream
security
community.
I
would
really
like
to
see
the
work
and
ideas
that
have
happened
in
this
group,
and
that
will
happen
in
this
group.
Reach
places
outside
of
security.
So
I
think
the
kubernetes
community
is
enormous.
There's
brilliant
people
here
and
I
want
to
make
sure
that
work
reaches
far
and
wide.
C
Hi
I'm
aaron.
Last
year
I
helped
lead
the
period
audit
that
kind
of
started
the
conversation
around
should
security
exist.
So
I
guess
my
initial
hopes
for
this
are
around
merging
the
greater
security
community
that
I
owe
a
lot
to
with
the
kubernetes
community,
which
is
newer
to
me.
I've
only
been
around
for
a
couple
of
years.
S
T
U
Hi
tim
alplayer:
he
him
I've
been
involved
in
kubernetes
security
for
about
five
years
and
I'm
also
a
co-chair
on
sig
auth,
so
I
hope
to
kind
of
bring
some
of
the
bridge
some
of
the
gap
between
sig
off
and
security,
and
I
also
participate
in
the
product
security
committee.
So
I'm
really
excited
about
getting
more
involvement
with
that
process.
I
think
I'll
talk
about
that.
A
little
more
later
and
yeah
pretty
excited
what
this
community
can
offer.
V
Hey,
my
name
is
so
I
have
been
involved
with
security
during
it's
been
over
five
six
years
and
then
I
took
a
detour
in
my
career.
Then
now
I
do
kubernetes.
I've
been
involved
the
community
for
over
a
couple
I
should
take
around
couple
of
years,
and
my
primary
focus
is
to
contribute
to
dogs,
community
environment
and
learn
and
see
how
I
can
contribute
back
to
sex
security.
W
Hello,
I'm
theo
comas.
He
him
I've
been
involved
with
coordinator
securities
for
about
three
four
years
in
my
job
of
I'm
leaving
the
security
team
in
a
software
company
using
kubernetes
in
a
fintech
product,
and
I
would
like
to
get
involved
more
with
the
sick
in
terms
of
outreach,
advocacy
and
whatever
I
can
help
to
provide
an
additional
perspective
to
the
problems
that
the
sick
is
trying
to
solve.
AB
Uttar
utkars,
yes,
hello.
I
am
at
karsh
a
20
year
undergraduate
student
and
I'm
a
debian
core
developer
and
I
help
maintain.
I
mean
I'm
help
trans
issues
and
fix
cves
for
communities
downstream.
That
is
in
debian
and
I'm
here
to
hang
around
know
more
about
upstream
therapy
and
maybe
help
bridge
the
upstream
and
downstream
maintenance.
A
AD
AE
A
D
Sure,
hello,
everybody
welcome
to
the
six
security
community
kickoff
meeting
sig
security
is
a
brand
new
sig
and
because
it
is
a
brand
new
sig,
we
are
wanting
to
get
lots
of
input
from
the
community
about
what
they
want
it
to
be
and
what
and
how
people
want
to
be
involved.
So
thank
all
of
you
for
coming
and
for
getting
to
share
and
do
cool
stuff
with
us.
D
At
this
point,
the
founding
chairs
of
stick
security
have
decided
that
they
want
to
open
it
up
to
be
more
of
a
community
effort
and
have
given
the
chairship
to
us
and
so
tabby-
and
I
are
the
chairs,
basically
as
community
builders,
to
help
build
community
around
this
and
to
make
it
into
the
more
open
community
effort
that
I
think
we
want
it
to
be
so
yep.
That's
how
we
got
here.
D
D
Sig
security
is
responsible
for
what
the
current
status
of
those
things
are
and
because
the
charter
is
a
document
that
is
open
to
being
revised
as
people
decide
what
they
want
this
thing
to
be,
then
we
want
to
talk
about
the
areas
of
interest
that
people
have
expressed
and
discuss
how
people
want
to
be
involved
and
what
we
want
that
to
look
like
so
from
here.
I'm
going
to
hand
it
back
to
cabbie
to
talk
about
the
current
status
of
things,
all
right.
A
So
we
have
a.
We
have
the
charter
which
talks
about
scope
and
areas
of
responsibility
around
vulnerability
management
process
like
collaborating
with
the
psc,
collaborating
with
you
know,
with
the
community
around
there,
with
dealing
with
documentation
horizontally
horizontally,
cross-cutting
documentation
for
security
related
documentation
that
deals
with
you
know
areas
across
cigs
dealing
with
the
ongoing
responsibilities
for
the
security
audit
it'll
be
it'll,
be
good
to
have
a
regular
security
audit.
A
In
you
know,
regular
third-party
security,
audit
of
kubernetes
and
so
having
a
home
for
that
in
a
cig
is,
is
part
of
what's
in
these
areas
of
responsibilities
and
doing
more
community
outreach
and
making
sure
that,
within
the
upstream
kubernetes
community
that
there
is
like
within
the
project
that
there's
a
place
for
the
wonderful
existing
kubernetes
security
community
to
have
a
home.
That's
officially
within
the
project,
a
lot
of
what's
in
the
a
lot
of
the
community
spaces
right
now
are
outside
of
kubernetes
as
a
project,
and
so
you
know
part
of
this.
A
D
The
areas
of
interest,
as
far
as
I
can
tell-
and
people
can
feel
free
to
jump
in
after
this.
If
I
have
missed
anything
that
people
have
expressed
interest
in
sick
security,
doing
or
doing
themselves
are
improvements
to
tooling
improvements
to
box,
which
may
be
the
purview
of
formerly
known
as
sig
security
docs,
which
I
believe
is
has
a
home
in
us
now
in
advocacy
and
community
building,
which
can
look
like
outreach
to
the
external
security
community
tabby.
You
might
want
to
meet
that
really
loud
mechanical
keyboard.
D
Please,
and
thank
you.
I
love
you,
though,
the
external
community
that
around
security
internally
within
kubernetes
to
different
stage,
as
well
as
the
psc
flow
bridges
between
those
and
as
ann
said,
reaching
far
and
wide
I'm
talking
about
kubernetes
security
hardening
to
everybody.
Next
up
was
actually
the
hardening
guide,
which
I
think
rory
expressed
interest
in,
and
I
think
there
was
general
expressed
interest.
D
Also,
building
bridges
between
upstream
and
downstream
security,
hardening
and
maintenance
people
also
expressed
interest
in
learning
and
in
sort
of
general
hackery
things
whatever
that
might
look
like,
and
that
I'm
up
for
interesting
ideas
for
and
yep
and
that
and
exists
and
in
being
involved
in
existing
sub
projects
such
as
the
security
audit.
Is
there
anything
that
I'm
missing
people
can
feel
free
to
holler?
I
will
stop
talking
for
a
minute
and
if
we
know
that
those
are
the
case,
how
do
people?
D
L
E
C
E
Yes,
I
can
get
anybody
who
wants
to
to
talk
to
the
right
folks.
I
can
get
you
in
touch
with
them.
If
that's
something
you
want
or
if
you
want
to
talk
about
like
outreach
to
the
community
to
get
ready
for
to
prepare
for
it.
I
know
it's
not
officially
announced
and
I'm
going
to
defer
to
the
to
those
official
folks
when
they
do
that.
But
if
you
want,
I
can
put
you
in
touch
with
folks.
D
Okay,
so
I
think
there
was
going
to
be
a
part
in
here
where
people
talked
about
the
existing
things
that
were
happening
and
about
their
part
in
it,
which
I
think
got
skipped
over
where
I
think
people
were
going
to
talk
from
and
about
the
psc
and
from
and
about
the
security
audit.
So
I'm
actually
going
to
go
back
in
the
agenda
to
that,
because
that
was
going
to
happen.
If
people
want
to
do
that.
U
U
U
So
that
includes
kind
of
things
like
defining
the
scope
of
the
bug,
bounty,
defining
timelines
for
vulnerability
response.
So,
for
instance,
how
much
time
we
give
the
distributors
list
that
gets
sort
of
a
pre-notification
of
embargoed
issues.
How
far
in
advance.
We
give
those
notifications
how
we
might
handle
critical
versus
low
severity
issues
differently.
U
All
these
sorts
of
questions
that
have
sort
of
been
decided
by
the
psc
by
default
in
the
past
and
we'd
really
like
to
to
get
more
involvement
from
people
who
are
actually
affected
by
the
decisions
we
make
around
these
yeah.
Are
there
any
questions
about
that?
Do
the
other
psc
members
have
anything
to.
AE
Add
all
right,
I
have
one
thing
to
add
another
interest
that
psc
has
is
finding
a
community
of
people
who
are
willing
to
help
us
handle
some
of
the
lower
severity.
One
did
you
mention
that?
Maybe
you
did
anyway,
that's
something
that's
interesting
and
interesting
to
the
psc,
too,
is
just
to
provide
a
larger
community
of
people
who
can
help
with
ones
that
that
don't
need
to
be
handled
necessarily
in
private.
A
C
C
C
So
we
want
to
open
it
up
to
the
rfp
publicly
and
just
invite
any
any
vendor
to
write
a
proposal
to
be
the
next
auditor
for
communities,
and
once
we
kick
that
off
very
soon,
then
it
will
go
through
the
same
process
again
the
guiding
them
through
all
the
different
aspects
of
of
the
code
base
and
introducing
them
to
the
right
people
I'm
looking
for.
I
think
we
could.
We
can
use
more
help
this
time.
That's
one
of
the
reasons
that
kind
of
called
the
question.
C
L
A
D
Yes,
what
I
am
doing
right
this
second,
I'm
putting
this
in
the
notes
and
everybody
can
look
at
it-
is
making
a
spreadsheet.
That,
basically,
is
like
please.
I
know
everybody
wrote
their
name
on
this
document,
but
if
you
want
to
add
yourself
and
your
contact
info
and
like
what
you
want
to
be
involved
to
this
spreadsheet
doesn't
have
to
be
right.
D
D
It
is,
and
let
me
know
if
that
doesn't
work
so
while
while
we're
all
talking,
feel
free
to
add
yourself
to
that,
because
that
might
help
automate
this
a
little
bit.
If
we
were
in
a
physical
room,
I
would
probably
do
breakout
rooms
at
this
point
to
be
like
okay,
you
know
of
these
areas
of
interest.
What
do
people
want
to
be
involved
in
but
because
I
think,
there's
some
overlap
and
because
I
think
we
have
23
minutes,
I'm
not
entirely
sure
how
to
virtually
do
that.
D
So,
generally
speaking,
again,
areas
of
interest
are
improvements
to
documentation
and
tooling
community
building
and
advocacy,
both
externally
and
internally,
bridge
building
with
other
sigs
and
the
psc
bridge,
building
between
upstream
and
downstream
and
security,
audit
and
general
learning
and
goodness.
So
I
think
peter.
Are
you
online.
D
F
We
identified
there's
a
need
from
the
in
the
community
that
security
docs
obviously
have
room
for
improvement,
and
so
the
the
the
that
kind
of
that
stick
was
born
out
of
out
of
that
discovery
and
out
of
that
need
about
a
year
ago.
I'd
say-
and
I
was
the
co-lead
of
that
sick
with
my
friend
seth
mccombs
and.
A
F
Yeah
so
as
in
the
forming
early
forming
stages
of
this
security,
seth
and
my
software
were
approached
by
you-
know
the
the
former
chairs,
who
have
handed
off
a
char
share
ship
to
to
you,
tabitha
and
ian,
and
they
gauged
our
interest.
If
we
wanted
to
join
security
as
part
of
kind
of
like
us,
a
sub,
you
know
sub
project.
F
C
D
D
D
A
Yeah
technically
subgroups
have
a
lot
of
flexibility
to
define
their
own
working
conditions.
So
you
know
some
subgroups
will
have
their
own
separate
meetings
that
have
their
own
separate
schedule
and
take
care
of
their.
You
know
take
care
of
their
things
that
way
and
then
just
come
and
report
progress
back
at
generalized
sig
meetings.
A
You
know
others
may
be
able
to
work
completely
independently
and
asynchronously.
You
know
by
doing
git
commits
or
whatever
so
so.
Subgroups
can
really
do
whichever
one
of
those
two
things
is
most
effective
for
them.
So
for,
like
the
security
audit,
you
know
it
seems
that
having
a
subgroup
that
meets
regularly
and
basically
acts
like
a
tiny
sig
would
be
the
way
to
go,
but
for
other
subgroups,
like
the
you
know,
inclusion
of
the
former
sig
security
docs
as
a
subgroup.
A
You
know
it
consists
mostly
of
a
place
to
put
the
list
of
people
who
can
approve
prs
to
different
parts
of
different
get
repos,
and
you
know
the
the
actual
operation
of
that
subgroup
can
take
place
totally
without
meetings.
So
I
think
that,
somewhere
on
that
gamut,
whatever
works
best
for
the
people
in
a
different
subgroup,
is
going
to
be
just
fine.
A
So
we
can
go
from
the
interest
that
is
being
expressed
here
that
people
are
putting
into
the
into
the
spreadsheet,
and
I
would
expect
to
distill
a
list
of
of
potential
subgroups
out
of
there
based
on
talking
to
the
people
that
have
those
those
interests
and
you
know
which
ones
have
somebody
who
wants
to
sign
up
to
be
a
tech
lead
and
make
that
sub
group
happen.
And
then
you
know
for
those
people
happy
to
provide.
You
know
resources
to
make
that
happen.
Ian
more
to
say
on
that.
D
That
was
a
thing
that
we
had
to
do
so,
since
we
are
all
new
and
learning
together,
just
gonna
own
that
so
it
seems
like
breakouts
are
not
going
to
be
a
thing.
We're
going
to
do.
However,
things
that
I
would
like
to
know
include,
because
I
would
like
for
people
to
be
able
to
and
next
time
we
know
that
that's
a
thing
that
we
have
to
set
so
next
time.
D
That
is
going
to
be
a
thing
that
we
set
and
we
hope
that
you
come
back
but
like
how
do
people
want
this
group
to
meet
as
a
larger
thing?
Do
people
want
this
group
to
meet
at
all?
Do
people
want
this
group
to
have
meetings
that
are
bi-weekly
or
weekly?
Do
people
want
this
thing
to
have
office
hours,
or
do
they
want
it
to
be
like
a
discord
server
like
what
are
people
looking
for
and
that's
the
thing.
D
I
would
also
like
to
know
that,
because
that
would
be
useful
to
know
in
terms
of
figuring
out
how
we
are
going
to
scope
this
thing,
because
these
areas
of
interest,
ultimately
what
the
idea
is
that
they
become,
is
that
they,
our
charter,
reflects
what
community
interest
and
involvement
is
going
to
be,
and
the
membership
in
also
reflects
what
community
and
interest
and
involvement
is
going
to
be
and
that's
up
to
everybody
it
isn't
up
to
us.
I
think
that
it's
it's
up
to
all
of
you.
So
what
are
people
interested
in?
V
V
A
L
One
thing
I
would
I
got
reminded
of
by
a
sig
doc's
chair
is
that
you
can
have
tech
leads,
but
you
can
also
have,
I
think,
they're
called
admin
leads
like
you
can
appoint
people
who
are
like
these
people
are
going
to
help
with
the
the
chopping
water
and
carrying
wood
sort
of
tasks,
and
if
we
want
to
do
that
and
if
anyone's
got
the
cycles
or
the
inclination
to
do
that,
it
could
be
really
useful.
With
a
group
of
this
size.
L
D
I'm
going
to
throw
the
question
also
back
to
what
do
literally
logistically.
What
do
people
want
this
group
to
look
like
because
it
as
as
said
co-jared,
it's
actually
really
important
to
know
if
people
don't
want
to
have
meetings
at
all
so
that
we
stop
bothering
you
about
going
so
if
people
would
like
to
just
you
know
you
can
throw
into
the
chat
if
you
don't
want
to
speak
up
like
that's
okay,
but
I
would
really
really
like
to
know
what
kind
of
interest
and
or
bandwidth
people
have
in
like
what
they
want.
C
C
A
A
A
D
I
am
seeing
both
people
saying
two
weeks
out
loud
and
people
writing
monthly
in
the
chat,
although
I
have
definitely
not
heard
from
everybody
and
would
love
to
hear
from
more
people
so
that
we
have
more
of
a
representative
idea
of
what
it
is
that
people
are
thinking
and
again
like
this,
doesn't
have
to
be
a
huge
deal.
You
can
totally
just
like
type
a
number
into
the
chat.
If
you
want
to
what
I
would
like.
D
But
I
think
that
will
give
us
a
couple
of
weeks
to
like
get
those
sub
projects
and
they're
who
wants
to
be
involved
in
them
kind
of
together
and
if
they
aren't
totally
together,
then
we
don't
have
to
wait
a
month
in
order
for
those
breakout
rooms
to
happen.
Does
that
work
for
people
that
gives
up?
That
gives
folks
a
little
bit
of
time
to
like
talk
to
their
friends
and
convince
them
to
come
to
the
next
meeting
to
go
to
the
breakout
room.
Also.
C
B
B
D
U
I
just
wanted
to
share
a
couple
things
that
I
feel
like
have
worked
well
from
sigoth
with
respect
to
community
meetings.
One
is
that
we
never
where
we
try
not
to
make
final
decisions
in
the
meeting.
We
recognize
that
people
have
conflicts
and
sometimes
the
time
zone
doesn't
work
for
folks
and,
and
so
not
everyone
can
always
be
at
the
meeting.
So
when
a
decision
is
made,
we
always
follow
up
with.
U
An
email
to
the
mailing
list
asking
for
more
feedback,
or
sometimes
just
right
on
the
pr.
If
that's
what
we're
discussing
so,
I
feel
like
that's,
worked
well
also
just
having
the
meeting
time
as
something
that
when
issues
do
come
up,
for
instance,
if
there's
a
pr
that
is
getting
a
lot
of
discussion
on
it.
Sometimes
it
can
be
really
helpful
to
just
have
a
place
to
go.
U
Have
that
higher
bandwidth
communication,
and
so
if
someone
is
seeing
some
issue
that
they
want
to
discuss
or
maybe
something
that
you
just
want
to
get
more
feedback
on,
they
can
bring.
They
can
just
add
that
to
the
agenda
for
sigoth,
and
then
we
will
address
that
in
the
bi-weekly
meeting
and
as
and
the
chairs,
some
sometimes
do
a
little
curation
of
that.
G
D
D
Okay,
I
would
like
to
propose,
because
I
want
to
be
respectful
of
everybody's
time
that-
and
we
have
three
minutes
left-
I
believe,
on
the
calendar
that
we
meet
here
again
in
two
weeks
that
the
folks
who
expressed
areas
of
interest-
and
if
this
isn't
currently
reflected
in
the
agenda
doc,
I
am
happy
to
help
reflect
it.
I
that
those
folks
who
have
expressed
similar
interests
talk
to
one
another,
if
possible,
to
one
another.
D
I
will
harass
you
in
exactly
two
weeks
same
place
and
time
to
go
into
a
breakout
room
and
talk
amongst
yourselves
and
then
I
think
we
can
kind
of
figure
out
how
to
divide
up
work
from
there
if
that
works.
For
folks,
I
really
want
to
express
a
lot
of
appreciation
for
all
of
you
and
the
fact
that
you
took
time
out
of
your
day
to
come
here
honestly.
Thank
you
so
much
yeah.
Thank
you.
This
you
all
are
awesome.
D
A
Yeah,
if,
if
security
becomes
the
greatest
thing,
that
will
be
because
it's
a
space
for
all
of
these
people
to
express
their
awesomeness.
So
thank
you
all
for
for
your
faith,
to
invest
an
hour
in
coming
and
and
talking
to
us,
go
and
make
group
dms
on
kubernetes
slack
or
whatever
is
the
easiest
way
for
you
all
to
get
in
touch
with
each
other,
and
we
will
have
some
more
procedural
help
in
place
like
in
terms
of
breakout
rooms
and
things
like
that
for
everybody
to
get
together
in
a
fortnight.