From YouTube: Kubernetes SIG Security Audit 20210707
A: So, let's start. Welcome to the Kubernetes security external audits, the project meeting. We do abide to the CNCF code of conduct, so that boils down to just, bleep, just to be kind to everyone. All right, I'll paste the link to the agenda on the chat. Do it one more time.

A: All right, so I'm sure some people will join in trickling, but let's start anyway. The RFP has closed as of yesterday. The question period has closed yesterday as well. We did get one updated proposal. Let's hope you receive that. The next step is to review the proposals, to score them and to rank them. I did create a new private Google group, and I did ask for another private Slack channel, but that was actually denied. So they did mention that they, they like to... They do not like to prevent, I'm sorry, to create many private Slack channels, and especially for groups of eight or less, to use just a user group DM anyway. So we'll, we'll stick with that, and I think for next year we'll go into a little bit more, have a little more process. See everyone, see, people are joining in. So just wait for Aaron to have his audio.

A: All right, I was just saying I posted a link to the agenda, and the RFP closed yesterday. No, same thing with the question period, it was closed yesterday too. We have an updated proposal.

A: Next step is to review these proposals and to score them and rank them. I created a private Google group. So far I've only added Aaron as the, since being emeritus.

A: The additional private Slack channel was denied. That request was denied because Kubernetes doesn't like to create lots of private Slack channels, and we already have one. So we already, we were kind of, we already have that exception already, and they do not like to create private Slack channels for groups of eight or less as well.

A: So they just suggested to use a group DM. So for the phase that we are going to go into next, which is we're doing the proposals, we'll use a private, the new private Google group, and we'll also do a private group DM as well. I did bring about how do we go into a more, I guess, private?

A: So far, okay. And part of that, part of the s-, part of the assessment group. If you look into, I created a 2021 external audit tracking issue, it's the first link. So that is so. What I propose, as more of a process, is to have a tracking issue just for the audits as well.

A: If you look into that, so I've taken some aspects of the release team and also the CNCF security TAG group as well, is that I made a comment where it says here: I agreed to abide by the guidelines set forth in the security release process and specifically the embargo on CVE comms, and no conflicts, and have no conflict of interest.

A: I do ask that the people who are going to review the proposals to add in the comments similar to that, just to kind of have agreements that you've read the security release process, and you understand the CVE comms embargo, and you have no conflict of interest. So, any questions about that? It's pretty straightforward. Okay, the second PR, or like I have, is a PR, student overview, just to have an initial README for the subproject.

A: Just to, like, guide of what this subproject does, to have some kind of process involved as well, like agreeing to the same security release process and CVE comms, etc.

A: I know it might take a while to read that, but all right. And next step is reviewing the proposals and what that entails, like, should we do more, like, I know next week we're not scheduled to have a Zoom call. Should we do a private Zoom meeting for those who are reviewing proposals to, let's see where we're at? I have, working on the updated spreadsheet for that as well. Like, should we have a meeting next week, since we are scheduled to select the vendor by July 20? So, let's kind of...

A: Yeah, I probably need your help to setting up the spreadsheet as well, just to get your thoughts on it. I'm gonna, I'm gonna go through the Slack channel, cause I know we had some inputs of that and what should be added to the, to these scoring as well.

A: All right, so if not, I think I'll still have a private Zoom meeting for those who are reviewing proposals next week. Look out for pings from me, that's Slack, for that. It might be a Teams call, since my company uses Teams. I don't know what's more, what's better, Zoom or Teams or Google Meet, but it'll be one of those three as...

C: Someone who runs Linux, Google Meet is best.

A: If you have any, reach, feel free to reach out to me on Slack, input on my arlhano, email me at, within the chat, for everyone to reach out to me. If you have any questions, if you have experience doing, reviewing proposals for security audits, want to be part of the review process, so reach out to me in those, those two avenues as well.

B: Yeah, I think that's it. I mean, I think it's, we need to spend a little bit of time. I've read through probably half of the proposals, but go back to a little bit closer, and then I haven't seen that last update, and then hopefully people can come prepared to that, that next meeting, whatever it is.

A: Yeah, I'm in the same boat. I need to review the updated proposal, finish the scoring sheet as well on the pivot table.

A: I agree, so, and we could carry on at a private side channel as well, for anything you want to discuss.

D: Oh yeah, yeah, I wouldn't be just muted, face.

A: Hi, all right, one more update. We will have an update at KubeCon NA, and as well hoping to also present how the community could also be part of framing the scope of future RFPs with the audit roadmap. That PR is in draft. I haven't finalized it yet, but we have several months before, you know, that needs to be merged.

D: To clarify, right, is that, are you planning some sort of presentation at KubeCon?

A: It's just part of the 630 presentation, so I don't think the findings will be, you know, will be ready by then. It's just going to be similar to the KubeCon EU, like, where we're at, that regular RFPs is, is underway, what the scope is. That's pretty much it. It, it won't be, I won't say too much. It's going to be four people, so we'll be in within 35 minutes.

A: It's going to be a very short presentation from this subproject, so just going to be reviewing scope, explaining how the community could also participate in framing the, the scope of future scopes, and, yeah, give a status of where we're at, which is just gonna be in progress.

B: Do we want to spend any time talking about the, the fuzzing project that Chris mentions, or, yeah?

A: That is a great, good point, yeah. So the CNCF is, I guess they have a contract to do the fuzzing audits and improvements, including Kubernetes as well. This is out of scope of the current security audits, and this is for all CNCF projects.

A: I should get in touch with Chris on what the frequency of this is. This is a one-off, but this is a regular task they plan to do, and how that will affect future audits, because, yeah, and who the, I know the current vendor is, but, you know, the future vendors as well.

B: I guess the, the one thought is probably a little too, time, it's not right, but I was wondering if this could compare with what the reviewers were doing, to be able to, you know, do a sort of hybrid fuzz plus. I've done tests like that in the past where, like, I would do a pen test and someone else do code review, or vice versa, and I'd love really sort of focusing in on certain areas. But I'm not sure, it's probably too easy to do that for this one, but maybe in the future.

A: That's it for me. I'm gonna reach out to several of you guys on Slack, and if you have any questions, like I said, just feel free to reach me, reach out to me on Slack or email.