From YouTube: Kubernetes SIG Security Third-Party Audit 20210331
A: But a little bit late, and I wanted to actually bring up your question, because I came into this group after most of the RFP was already written. Actually, so I have those as, so we'll ask, we'll clarify.

B: Fantastic, yeah, I wasn't part of the effort last year either. So I'm not sure if this was reused or if it's de novo.

A: So, by the time it came up in 2021, yeah, by the time it came back in 2021, it was already mostly done. We just had to do the dates, and we added one topic. It was the Secrets Store CSI driver, and that.

A: The, I guess.

B: Got it. And do you know, was there any review of things like the OWASP ASVS structure? There's another one I think called SWAT, or an alignment to things like MITRE ATT&CK or things like that, or is it just kind of first principles from a pure Kubernetes perspective?

B: All right, and then, and now I think I'll recall John's note from last time: this is being recorded, correct, in public? Yes, yes.

A: So yeah, we'll.

A: Names, background: so we'll keep names out, just to remind everyone. This Zoom is automatically recorded. I don't have any control; I don't think anyone here has control of the recording, and it is uploaded to YouTube. So we want to be cautious of names involved, so you want to keep names, specific names and specific items, to the Slack channels. What I'm going to put in the chat is just the link to the agenda.

A: I also want to note that, since this is a Kubernetes meeting, we do adhere to the Kubernetes code of conduct, which just boils down to everyone, just be nice to each other. Aaron Small, who has led the effort from the start, is joining a little bit late, but on the agenda.

A: Bit, just wanted to point out that we do, for those of you. I don't know if anyone's new here. If anyone is new here, do you want to introduce yourself?

C: We talked about the security audits in the past. I just wanted to get a sense of what is happening and if that's on the agenda or not.

A: Yeah, so I'll state the current state. So the original RFP, we didn't get a lot of traction in terms of proposals. We have one proposal that came in, so we extended the RFP closing date to April 9th. I've also reached out to a number of vendors as well, and.

A: In the agenda from March 2nd, so listed, I reached out to all of those except for, actually, except for two, and I know others have also reached out to other vendors as well. So I'm just waiting for proposals to come back, then we'll discuss on the Slack.

A: So that was my big topic, or my big agenda item was just that we're approaching the close of the RFP on April 9 and I did reach out to a number of vendors, so we're waiting.

A: Proposals, and what I did want to do when Aaron joined, since most of the proposal, most of the RFP, was actually written in 2020, but then the push or the effort of the external security audit in 2020 was delayed, due to all the events in 2020, to 2021. So by the time this group kind of was formed in 2021, most of the RFP was already written. So there's a few items I wanted to.

A: Yeah, so I wanted to point out that I did reach out to those other security vendors. They were listed, yeah, for March 2nd. So I haven't heard anything back; I know other people have reached out as well to other contacts within the same vendors.

E: Okay, that's good! I see, I see these messages now. To be blunt, I'm super confused. Last time we did this, we got a ton of interest. We got a lot of proposals.

D: So yeah, it sounded, Aaron, like, but I don't think you ran this, the security call, last week. We were thinking, a baby, I know, congratulations, but we were wondering if there was some sort of bad taste left in people's mouths after last time. So I think some of the thought was to reach out to a few people. I think Robert was going to do that, or as we're sitting at for next week, and I think the idea was just to reach out to people and go, okay, hey, was this.

E: I got one piece of feedback last year from an individual who was associated with a proposal that we did not accept, that they felt there were not enough specifics in the request for proposal and they felt like they were not set up for success.

E: But we then subsequently took that feedback and refined the request. But that was not particularly harsh feedback. It was pretty gentle. So I don't. I'm still a little bit confused myself. That was, again, back channel, person to person, after the fact, not through the company or anything.

E: So I can check with some people that I know in the community and see what's going on.

E: Yeah, yeah, honestly, I think that it's just more important that we get a good review from a good team than it is that we move quickly here. If we don't have multiple proposals, I'm not confident that we'll pick the best option. I feel like we should slow down now.

E: This is really kind of poorly timed, because one of the reasons I needed to sync up today is that I need to give an update at KubeCon on how this particular subproject is going, and I think this is roughly what I'll say, which is: we're not getting navigation from the community, we're looking for more, and we're postponing dates until we can get N proposals.

A: I think if you bring this up at KubeCon, I think that will definitely gain a little. Hopefully.

E: Yeah, I mean, last time we did a KubeCon chatter, like last KubeCon, we did this. I don't know, COVID just warped my sense of time entirely, so I don't even know what's going on. The last time we talked about this, to keep going, Trail of Bits, who also did the work before, had like two talks. They were packed. Our talk was packed. There was a ton of interest, so this, like, crickets thing has really got me confused.

E: What's it called, the updates track at KubeCon; we'll keep evangelizing, we'll figure out, we'll use our back channels to figure out what's going on, and we wait. Am I wrong? Is anyone else? Does anyone disagree with me?

B: Oh, sorry, I'll go ahead. Do we have an archive from the last set of proposals? I know it's a total, you know, different year, different scope, perhaps, but I was just curious to see if there was like a huge gap between what we're asking for this time and what was proposed last time.

E: This is a little bigger. A lot of this is archived on git. Unfortunately, the proposals themselves are considered confidential, so those are not publicly accessible.

E: Yeah, let's propose this: maybe we should redraft the RFC, RFP, stating that we're on an indeterminate timeline right now, that we're waiting for, let's pick a number, how do you guys feel about four proposals, at least four proposals to be locked before we set the timeline, and explain that there's more flexibility in the schedule, so that people feel more free to submit a proposal if they can't fund it immediately.

A: All right, I like that. I can make the initial pull request and people could comment. Yeah.

E: I mean, it's, I'm having a ton of fun, but it's very discombobulating. Okay, I think we have a plan. There is one curveball, and that's I'm going to record this video, and Ian and Tabitha are probably going to play it in their, like, SIG update, security update thread. I don't need visibility, really.

E: So I would definitely, I'd love to open it up for someone to do it instead. If not, happy to do it, I don't mind being the face. It's just, I want to create opportunities for other people who want to talk about the work that we do.

A: And this is for the KubeCon updates, the final, or like the quick update?

E: Yeah, you know, at KubeCon there's a pretty low-attendance track. It's like, hey, here's what's happening in SIG Auth, hey, here's what's happening in sega pepper. Generally, here's what's going on in security. It tends to be filled with the Kubernetes people, you know, like the people who actually care. Not that, you're not going to catch a ton of, like, vendors or distributors.

A: Okay, if anyone else is, one dude, I could do it by tomorrow. Then it's over too.

E: I do not have, so I do not have a problem doing it. If I'm adding burden, like, I'm happy, I carved out the afternoon, I've got time to record it, and if you do want to take over we'd have to sync with Ian and Tabitha today to make sure they're okay with it. I just, so, like, there's hiccups, but if you want this, I'm supportive.

A: I don't think I want it, but if you could handle it, because I just have a lot of work stuff going on currently as well, and I'm also part of other Kubernetes things like the release coming out next week. So, no.

A: Yeah, I'll take it. All right, there's one more thing I want to clarify on the RFP: since most of the RFP was created in 2020, and I know I came about this, and you know when most of the RFP was actually created, but there was a Slack message just asking for clarification on two of the bullet points from the RFP. One was "evaluate the component privilege" and one was "trust relationships and architecture evaluation".

B: And essentially, after reading the one proposal we had, I hadn't seen them explicitly address those sections, but I'm wondering if it was just more implied in other sections, and was hoping for some clarity about what we were looking for in those two headings.

E: Last time we did, we built a threat model, and we followed Mozilla's, like, Rapid Risk Assessment strategy for those, I think. That's where those come from, the idea being we want to, like, if we say that, I'm for mined, if we say that, like, the network plug-in, when you're like Calico or whatever, has a set of privileges that it has when it's being used, then what other components in the system depend on it, so like, to make their determinations?

E: Does that make any sense? It's like, this is just: draw trust boundaries and privilege levels for various components in the system. Okay, if that's unclear, then let's refine it in the RFP.

E: Cool, yeah, I mean, that's actually a horrible example, so let's pick a better one. Okay, I'm gonna try and start coming back to these meetings. I'm adding Wednesday as a work day, at least half of it. So I'm gonna start coming back to these. I don't know if we're going to have tons to do until we're getting proposals, but I miss, I miss working on this project. So here I come. Thank you. Is there anything that's happened?

E: That makes a ton of sense. Okay, feel free to ping offline. Otherwise I think we're kind of winding down. Oh, hey, one more: does anyone, we have a couple new faces, anyone want to take over as chair?

E: So if you want to submit a pull request to the YAMLs to be like, you're the chair now, okay, I think, like, me and Tabitha and Ian probably would need to sign off, okay, but I have no problem. Admittedly, I am looking to shed as many responsibilities as possible, just generically, what with the new human, yeah, but I'll still keep turning up and helping and sharing my experience, like, I did do this once before, and I think that's the biggest value I can bring.