From YouTube: Kubernetes SIG Security 20220728
A: All right, we're gonna call it started. Hello everyone, and welcome to another Kubernetes SIG Security. As always, it is a delight to be here together so that we can, you know, talk about Kubernetes security, find the places where we can improve it together and help each other to keep doing that. I'm Tabitha, I'm one of the co-chairs and I'm really happy to help keep making this space for us. Anybody else can feel free to go around and say hello.

D: Hey folks, I'm Ola Dewberry, I'm super happy to be here. I'm the sub-project lead for self-assessments, taking over from Pushkar, and yeah, always happy to be here.

E: Hi everyone, I'm Savita. I am the project lead for the security documentation. I'm so, so happy to be back after, like, I think I missed three meetings and I was so sad, so I'm happy to be here and to see all the awesome faces. Sorry, my camera is off today, but I'm really happy to be here today.

F: Hello everyone, I'm Rahul Jado, just here to participate, interested in security stuff. Nice to be here. Thank you for having me here.

G: I'm Mohit, happy to be here. I do community stuff at WithSecure and I'm also happy to join in hacking the planet.

A: Actual office... that's exciting too, right. So we will now get into hearing what's going on with the various subgroups that are always doing cool stuff. I will present the update from Ray, who can't make it, for third party audit, which is that the audit is wrapping up, and so we will have more to say soon, but in the meantime progress continues.

E: Sure, so I just wanted to shout out the document that Rory has put together. It's a new page idea for API server bypass risks. So if you have time, please go take a look at it; I think it already has so much amazing content in it. Add your thoughts and comments, and we can discuss more in our SIG Security documentation meeting that will be coming up next week. And that's it.

H: We're going to convert it to a PR, I assume. We've got some good feedback; if everyone's getting more feedback, that'd be awesome, and then I'll convert to a PR and start going through the whole process of getting it into ship shape for docs.

A: Thanks Rory. Yeah, thank you so much Pushkar. What's the good news here from tooling? It looks pretty good, yes.

C: So our main focus for this version is KEP-3203, which is creating a CVE feed for all of us who love to see new Kubernetes CVEs, and which is automatically updated every time a new CVE comes up. So for that we have a couple of PRs that are waiting for a bucket creation from the Kubernetes test-infra team. Once that is created, we'll basically switch it to that bucket, and then we should be looking good to have that feed available for everyone to consume.

D: As many of you may know, we recently officially completed the KAPI self-assessment, which Pushkar and a fabulous band of people spent many months putting together. So while the report itself is published and complete, we are also going to do a retro series, so I will be interviewing and just going through either the identical or a very similar list of retro questions for the folks who participated, to make sure that we're gathering feedback and iterating where we need to. I have that assigned to me in GitHub, and it's really just a question of me finding time to get in touch with those folks, maybe build like a quick template for myself so it's repeatable and everything like that.

Also, on continuing to wrap up and glorify the KAPI self-assessment, Pushkar and I are working on a blog post that will be published, I think, with TAG Security. So once that is done, Pushkar has encouraged me to go to the TAG Security meetup and just socialize the blog post, get any feedback and stuff like that. And then, in terms of the next self-assessment that we want to do, the vSphere CSI driver: I met briefly with Shang. I happen to also work at VMware, and Shang also lives close to me geographically, so maybe we can do some of it together physically, which would be awesome.

So really, the next steps there are: I need to spin up an environment and kick around the vSphere CSI driver myself, and also work with Shang to just build a project plan. Pushkar has been amazing with walking me through what he's done, just the journey with the KAPI self-assessment. Actually, when we met earlier this week I took some notes and I was thinking I could just write that up and put it in the self-assessments repo, in terms of sort of "here's the outline of the activities that generally amount to a self-assessment", so that it is a repeatable recipe book. And really, for that matter, in terms of thinking ahead, I can definitely see just rigorous documentation of this process to make sure that it is repeatable and that I should never have to be involved in every single self-assessment. If SIGs or subprojects want to do one, here's the recipe book: go copy it, follow it, and here are the deliverables and markers that you need to meet for a self-assessment to have taken place. So really excited thinking about doing that, and I imagine that I'll be reaching out to this group, in particular Savita, for advice on how to document that in a super delightful and accessible way. But yeah.

So, you know, really just leaning into the learning too, on doing the best stuff that I can and balancing the amount that I want to give back to the community and everything like that. So yeah, really appreciate the encouragement. I wish I could be doing more, but yeah, time is our most scarce resource. So that's also been a learning curve and I just really appreciate the supportive environment here to partake in that. So yeah, thanks. That's everything for me.

A: I mean, I think that sounds fabulous. Further thoughts about self-assessments, progress of self-assessment and so on? Then I would just say the only thing that comes immediately to my mind, hearing what you're saying about time being the main constraint, echoing what folks are saying in the Zoom chat: absolutely, time is the main constraint for virtually everyone. And yeah, thank you so much for all the things that you're doing, and also do not be shy about involving other folks there. Like, you can do a lot; we can all do a lot; we can do a lot together.

All right, we'll get into the discussion points that folks have dropped into the notes. Pushkar, office hours: I have heard the office hours were awesome, though I have not managed to see them myself yet.
C: Carlos is a great host, and there were a couple of other folks as well. We got to talk about how a new contributor can join in SIG Security, share our experiences about how we started and what we are planning to do next, what we have done in the last few months or so. So the first 30 minutes or so covers most of our SIG Security stuff, and the rest of them are general questions from people.

A: Shall I link that office hours instance into the YouTube playlist for the SIG Security resources the next time I cycle back onto YouTube maintenance? Yeah. All right then, security checklist. I know I'm kind of skimming it over here on the other monitor myself, and I see "checklists: a good security posture requires constant attention and improvement." Oh my gosh, I love to see it. Please tell us how this is going and what we can do.

F: Yes, thanks Tabitha. So it's actually going pretty well. We already had like 12 LGTMs from SIG Security folks. So for the team it was correct, but it was enough, and it put like an LGTM from... from his name, so it will actually help to get more LGTMs from the security folks. So if you can do it, even if you are not docs members, it would be really helpful, and yeah, I think that's it. Then we will need someone to approve it and it will be finally merged.

Yeah, I think it's nice, and I think as soon as it will be merged, some people will be like... I know some people want to make new additions and comments, but wait until it's merged, because you don't want to redo all the process. So, but yeah. It was great, like we had a lot of feedback in the PR. That's good.

A: Well then, let's get to one of the things that I am really personally excited about here, which is the SecurityContextDeny admission controller.

F: Yes, so this is a really old thing. I think it was created back when the security context field was added to the container spec, and I came across that thing while digging for a new blog post about the Pod Security Policy removal, like historical context. So yeah, what do you think about that? It's really, really strange. It's a really, really specific admission control that actually prevents you from creating your workloads with some fields of the security context set. So I don't think it's really useful, and I don't know if you have any idea whether it could be used today and if it's actually used.

A: I've had this Post-it note for over a year waiting for the right time to say "do we need this thing?", and so then you bring it up. But I will admit that despite my long-standing animosity for this admission controller, I have not really learned everything about it that I should. So like, for example, does it have exemptions, or is it like cluster-wide, no pod can have a security context?

F: So I think I just read it. So for the context, you might read the thread in the SIG Security channel. We came across an interesting fact that the Pod Security Policy didn't filter the ephemeral containers in pods, and so I decided to dig into that stuff and just noticed that this one does not filter on ephemeral containers as well. But I think you have, Tabitha, for the question: it's not configurable at all. It's like in...

A: the beginning? Good luck even using a modern network overlay that you deploy via DaemonSet if you also want to use this admission controller.

F: Yeah, I don't think it's useful, because in the beginning it was like security context was for privileged, runAsUser, capabilities and the SELinux thing, and it just tried to prevent the use of the new things, which were SELinux and runAsUser, I think. So nowadays I think it's completely obsolete.

A: I mean, this smells to me like an opportunity for somebody who wants to work with SIG Auth and commit one of those PRs that has minus a whole lot of lines in it, and those PRs feel really, really good. And I think this also smells like a good opportunity for writing a KEP and turning the crank on the KEP process. Like, this feature might be old enough that it predates KEPs, so if it had a KEP for creating it, you know, then the process would be to work with the owner of that KEP in order to roll over its status from GA to deprecated, but I think it might predate the existence of KEPs.

B: I also think it predates KEPs. Does a governance procedure exist for this already? Like, would the thing to do be to write a KEP to deprecate the thing that predates KEPs? Is there precedent for this? I don't actually know. I guess my question, and maybe you just answered it and I haven't had enough coffee yet, which is entirely possible, is: is there precedent for things that are outside of that process, for figuring out how to deal with those? Has some other SIG done this already?

A: You know, just off the cuff, when these sorts of things are done, it's usually like you mark it deprecated in release Foo and then have the API server log a message during startup that says such-and-such feature is deprecated, and then, after a while, you alter the default from being on to being off, which I don't think is a thing that we need to worry about here, and then eventually you yank it. Yes, I think the KEP process would really function mostly as a form of skywriting here, like if this...

B: Enough, yeah. I'm all for it, I'm not arguing in any way. I was just sort of pondering. Oh, I mean not enough coffee, yeah.

A: This is a space for pondering. Is anyone else excited about SecurityContextDeny in any positive or negative way?
C: I think red lines in a PR are great. Let's go: less code is more secure code. So if we are not really using anything and people are aware that we are going to deprecate it and remove it, and if a KEP is a good approach to do it, I think we should try that. If you want to be optimistic and think that probably SIG Auth might be on board with removing it just with an issue discussion instead of a KEP, in my opinion I would suggest starting with an issue first, trying to get some eyes on it. If people are like "no, we need a bigger discussion", then that can obviously lead to a KEP. So that could be another way which saves time, but then, sorry, we won't have the ability to broadcast it as wide as we can if it was a KEP, so people might get surprised in case some ops, in some obscure way, somebody is using it.

B: Yeah, I think both of those things are good points. I think I like the idea of skywriting, just because I'm remembering when we deprecated v1beta1, there was not a ton of public discussion about it for a while, and there were more people who were hard-coding v1beta1 into their systems than I think a lot of core maintainers had entirely expected. So, just remembering that, and maybe this is so obscure and ancient that nobody is using it, but I bet that there's some person out there for which this is an incredibly critical part of their workflow, who has a thing to say about this, and I feel like there is an argument for the skywriting for that reason, like for that poor unfortunate end user: let them say their thing.

A: So does that mean the recommended next step is somebody goes and has a chat with SIG Auth about this, either in Slack or at their meeting, and just takes SIG Auth's temperature: "hey, how would you all feel about getting rid of this, and how do you feel about folks from SIG Security throwing in to help that happen?"

B: I think that's a good idea, and I think whoever does this could mention, like, "hey, we're thinking about doing a KEP for this for the purposes of letting people who might have this as some critical part of their workflow say their piece", because if they're like, I don't know, "oh, we have a really big problem with this", then I guess the KEP itself is a moot point. But I feel like this is something that... you know.

F: No, no, I will actually be happy to do that. So I might start with a standard issue for all the SIG people to dive into the stuff, and then we can see. But I will be happy to do that, if you want. If someone else wants to do that, it's okay as well, but it will be a nice opportunity for me. I think that sounds good.

A: I would love to see it, and no one can speak on behalf of all SIG Security, but as an individual I will say I would love to help you and encourage you to do that, and I am sure that, as a group, SIG Security would also be delighted to help and encourage you completely.

F: Yeah, yeah, so thanks, thanks everybody, yeah! Why not do this? I just discovered it and I want to remove it.

A: Great, that is a delight. Admission controller webhook auth.

G: A thing that I spotted and I thought was interesting. Essentially, when using webhook admission controls within a cluster, you have your mutating or validating webhook configuration resource to set it up. However, that doesn't actually set up the authentication for it, or, you know, authentication is optional, but that looks to be a configuration in the API server, not the actual resource itself, which gets quite interesting. If you're in a self-provided cluster, that's fine, because you just add that configuration to the API server and you auth to OPA or whatever with mTLS or authorization headers or whatever you want to use. However, with cloud provided clusters that becomes kind of tricky, because you don't really have control of the API server, and so if you do have a webhook controller in there, it's kind of no auth and be happy about it.

A: I'll ask the immediate follow-up question that comes to my mind, based on the previous discussion, which is: how old is admission controller webhook auth, and was it a feature that was added to support use cases that have now been replaced with more fine-grained features like OIDC auth, which specifically, I know, is very, very, very widely used?

G: Honestly, don't know. I never actually dug into it too much. It was something I briefly saw and then ended up going to stateside conferences and stuff, so I was like, well, I'll look at that when I get back, and I just got back, or at least I'm still out technically, but playing back over the weekend. Yeah, and it's weird, right, because if you are putting credentials in there, all of a sudden that mutating configuration or validating configuration suddenly has authentication secrets. So do you then have it tie into like standard Kubernetes... yeah.

H: Sounds like a fun one. If not for anything else, it would be a great one to have, like, either a docs page or something that says "hey, if you're doing this, you should be aware that this is maybe a risk." We could even add it in, because we've got that page about admission controller risks; it'll be a good one. If that's a thing, we could add it in there so it's documented, so people at least have got their knowledge, or we can dig into it in the same way.

G: I spent like a day searching, and the best I got in this case was an OPA deployment configuring OPA to have authentication for all, like, PUT requests to it, you know, for uploading the policies, and then just allowing anonymous auth for validation checks. And that was basically from OPA docs, and I was like, oh great.

A: And like, I have a weird vague memory of the API server, when it is a client for things like the webhooks, sending along mTLS creds, like the same mTLS creds that it uses when it reaches out to other parts of the control plane, which seems both good and bad and perhaps accidental, and unfortunately this is just a vague memory. So like, I'm really sorry to, like Gandalf sitting in the Mines of Moria, say "I have no memory of this place" at all.

G: So, well, as in it tries mTLS, it fails because, you know, actually it doesn't have the Kubernetes-based CA set up, and I was like, oh okay, so good.

A: Well, and like, yeah, because if you are an mTLS client, yeah, you can be a TLS client and just send a client cert along with every TLS negotiation that you ever try, and servers that don't care just don't care; they're just like "okay, cool, whatever, like you showed me a piece of paper, I'm not paying any attention." And so that is a thing that I wonder: does it do that, and if it does do that, does it do that on purpose? You're even just like an openssl s_server thing that you then cram a webhook into in order to look at what the requests look like. That's the thing, is that, yeah, like now I'm starting to imagine having some robust auth on an API server admission controller webhook based on going back to the API server and saying "hey, should I allow you to do that?", which would be nice from a centralized management perspective, if nothing else.

G: Sure, I'll come back with some fun things. I don't know when, but that sounds...

A: All right, we'll call it then, saying goodbye to everybody. I'll just make a personal note, which is that I was in kind of a bad mood leading up to this meeting, not for reasons related to Kubernetes, and now I'm in a really good mood, and I thank you all for that. See you next time, and remember that the Slack channel is open 24/7.