From YouTube: Kubernetes SIG Security Tooling 20220705
Description
No description was provided for this meeting.
A: So welcome everyone. As usual, like we do most months of the year, today is a learning session for SIG Security Tooling. We have Xander and Ashna from Microsoft who are going to help us learn about a new tool they have been working on called Azure Eraser, and what we'll do is let them take over this meeting and share what they want to share. If you have any questions in between, feel free to jump in, ask them in the chat or just unmute yourself, since we have a smaller group. And then, if there is time at the end of the meeting, we'll keep some more time for questions, and after that we'll wish them good luck and ask how we can help make their tool better.
B: So yeah, first of all, I'm Xander. I'm an open source product manager with Microsoft and, like Pushkar mentioned, we're here to talk about Eraser today. And yeah, super appreciate SIG Security giving us the space to demo this. It's something that we're kind of excited to show off and especially get some feedback on; that's a huge piece of it. So the repo is at github.com/Azure/eraser, and first, I guess, what is it?
B: It's a utility that was developed to help Kubernetes admins clean up non-running images from nodes. So something that tends to happen when running clusters is that these images accumulate in the caches on nodes, and the why behind this was: a lot of workloads run on Kubernetes at Microsoft.
B: You know, various engineering teams across the org are using AKS or self-managed clusters for their workloads, and as part of the standard production process they get these security scans on their nodes. And engineering teams were just getting hammered with security vulnerabilities that were found in non-running images that were cached on the nodes. And talking to a group of teams, you find out that each team kind of has their own solution to solve this.
B: Some are running DaemonSets or CronJobs that they wrote, and it seemed like there was an opportunity here to develop an open source tool that the engineering teams at Microsoft could use, but that also the whole community could benefit from. You know, it seems like if it is an issue that Microsoft engineering teams are struggling with, it's very likely that others outside the company are dealing with similar problems.
A: Quick question before we switch. What I'm so curious about is the scanners that were detecting those images that were not garbage collected, because I know some host scanners don't understand whether a file belongs to an image or the host, and they would just assume it's part of the host and then show vulnerabilities for that. So were those host scanners or container image scanners that were running, or both?
C: … doesn't know what is a running image and what is a non-running image, so basically it scans everything. And the team that does the scans, their justification is: they can be running at any time, so they basically scan everything on the host.
D: Yes, can you see the screen okay? Yeah, so I'm going to demo, I guess, two of the use cases for Eraser. So for the first one I'll show the collect, scan... oh.
A: Sorry to interrupt, can you increase the font a bit more, because people might watch it on YouTube.
D: Okay, yeah, so the first one is just the collect, scan and erase pipeline. So it starts by: we have a basic kind cluster and we are loading a vulnerable Alpine image, so this image will be non-running in the cluster. I'll just skip a little bit of that, since it takes some time.
D: And then here we're installing Eraser now, so this will trigger the collection and scan process.
D: So after deploying Eraser, we can see we have the Eraser manager and the three collector pods, one for each of the nodes. So the collector pods are aggregating a list of all the non-running images, and once that completes, the scanner goes through that list of images and reports the ones that it found vulnerable.
D: So we see that it wasn't found on the worker node, and this is the shared ImageCollector, where the results are aggregated. So the spec is the list of all the non-running images, and in the status we can see the Alpine image. And this is the ImageList, which holds, I guess, the report of all the Eraser pods. So the Eraser pods were looking for the Alpine image, which is the image under the spec here, and we had one Eraser pod scheduled on each node.
D: And when we deploy our ImageList, the Eraser process will start. So in the demo I used a star to indicate a prune, but I could have also specifically said the Alpine image, or any other image that I wanted to remove.
D: Yeah, so those are the two ways to use Eraser. This demo was using Trivy to scan and report the vulnerable images, but that is also changeable. We could check for unsigned images or any other type of image in the future.
B: We have some folks at Microsoft starting to use it and try things out, and yeah, it's early days for usage so far, but I'm badgering anyone that is using it to try and collect feedback. Yeah.
A: So there was a lot of rich content in the demo. I'm almost thinking of going back and forth a bit, but let me see if I remember things, and if anyone else had similar questions, please jump in as well. Looks like there were two modes Eraser could run in, in the demo, if I'm not wrong: one was with more pods, one was with fewer pods of Eraser itself. Can you elaborate a bit more on that?
B: Yeah, so there's kind of a couple of flows. There's the scanner flow which, when Eraser is run in that mode, at a set interval will scan all of the nodes in the cluster for non-running and vulnerable images, and in that case it will deploy a pod on each node in the cluster. And then there is, I guess, the ImageList or manual mode, excuse me, when you know what specific images you want to target for cleanup.
A: Okay, that makes sense. I was just told my audio wasn't great earlier. Is this better?
A: All right, cool, thank you Eric. So now back on the... so, as a security person, one of the things that stuck with me was: this tool is removing images. How do we prevent it from removing its own image?
A: Because if I have rules that say "remove vulnerable images", and then Eraser's own pod's image is vulnerable, does it also remove its own image, or do we kind of allowlist it?
C: … to remove, even if they have vulnerabilities, you can add to the exclusion list. And then we also have an exclusion list per node. So if you have specific nodes that you don't want to remove stuff from, because there's a special node or whatever, you can add a label to that node and then it will just always exclude that node.
A: Yeah, okay, that makes sense. I had another question on this, and tell me, Xander, Ashna, if you're doing good on time; if you have other things to share, I'll stop for questions and we can do them later as well. So, again as a security person, we are very wary of giving more permissions to more pods in a cluster, and this seems to do some highly privileged tasks like removing images from a host. So I was curious.
A: What sort of things does it have to mount from the host? What sort of Pod Security Standards can it run under, so that people are aware, like, okay, I'm giving this high privilege permission to this particular tool.
B: Sorry, my camera is being weird here. I believe we are mounting the containerd socket. Maybe, Sertaç, if you want to add any more detail there. I know that has been a point of feedback; there were concerns about mounting that socket, but I don't... I wonder, yeah, Sertaç, do you have any thoughts there? Yeah.
C: So today we mount the socket in, or whatever the equivalent is for Docker or CRI-O, because we talk to CRI.
A: I think so, okay, all right! Okay, that's good to know. All right, this is a great tool, by the way. I mean, I've seen this in my past life being a problem, and it's been very hard to explain to people looking at vulnerabilities from the host perspective why you don't need to care about these, because we are never going to run these images, and then they are like, if you're not running it...
B: Yeah, I think, you know, going forward for us, and maybe I'll mention this in the issue or what have you, but we're definitely interested in moving this from an Azure-owned project to more of a community-owned project. And so, if there's an opportunity to move it to the kubernetes-sigs org, I think that would be what we would ultimately love to do, because we definitely don't see it as an Azure-owned project.
A: Yep, plus one on that, and I'm really glad that you all didn't tightly couple it with Azure infrastructure and just made it so that it could work everywhere. So that's really nice. I think, Ray, you can also correct me: SIG Node would seem like the most appropriate SIG in terms of an owning SIG, apart from obviously SIG Security. So that might be a good starting point, because generally every subproject in Kubernetes would need to be owned or sponsored by a SIG, so having those discussions I think would be a good starting point.
B: Just had one question. So I saw that... do you have the option of not running a scanner, to just delete images that are not being used, or does it have to run, in this case, Trivy?
C: You can also replace the scanner with a different scanner. This is something that we're considering in the future. So instead of Trivy, if you have another scanner... it may be that vulnerable images could be another scenario. So it's pluggable, so anything could be a scanner as long as it outputs a certain custom object.
A: I'm also wondering about the compute cost benefits here, because I wonder whether having stuff that is not used and removing it leads to lower cost on the cloud or on your on-prem, as well as, being a bit of a person who enjoys sustainability and cares about the climate: if you are not storing things that you don't need, probably it helps conserve some electricity, and then you don't have to burn things that you don't need to burn.
A: There is a working group called CNCF Sustainability, if I got the name right, that's been created recently at the CNCF level, where they're trying to find ways to help projects show how they can be more sustainable towards the planet in general. So I can make introductions with some of them, if you'd like, and see if this is something they would be curious to learn more about or help you out on.
A: Right, sounds good. Any other questions from anyone? Yeah.
C: … looked into those also. That's definitely something we're considering, but we cannot scan it at this time, because I don't know if there are any open source scanners that can scan Windows nodes. But other than that, it would definitely work. We also actually have a PR out that adds Windows support, and at this time we cannot merge it, because we need to have a Windows node to actually push the image.
B: And I'll also keep an eye on the SIG Security Tooling Slack channel. If any questions come up there, I'll watch to make sure that we get to those.
B: Oh, the last slide was just mentioning that we'd like to move it to being a community-owned project, which... okay, yeah, you know, I'd rather talk than do the slides, sure. Okay, that works.
A: Okay, sounds good. I was curious about... so we are facing right now an error where we switched our Kubernetes registry URL from something else to something else, and basically that's causing some issues where our pod YAML now needs to change and point to the new image URL. In this case, I am curious, like, when the registry itself changes and maybe your pods haven't been up to date, or you remove an image from a registry and it's still available locally, and you are really happy, like, oh, at least I have that local copy, because I accidentally removed it from the registry, and now Eraser is going to quickly come in and remove that, and then you will be like...
A: Oh damn, I didn't think about that. So have you considered those kinds of scenarios, where you maybe check if the image exists in the registry, to sort of make it a safe delete, because you can always pull it from the registry? And if it's not in the registry, or the registry URL doesn't exist, you can perhaps do something like "do you really want to delete it?" and then let the person decide.
B: I think today the main way to address that is with the exclusion list, which I guess will be available in the next version that launches. But we don't have, as far as I know, any phoning home or checking back to the registry, and I think there could be some interesting use cases there. I'd wonder about the network overhead of checking the registry for each individual image, especially in a larger cluster, yeah, but it's potentially an avenue to explore.
A: Yeah, that makes sense. I'm just throwing out ideas, because I might end up facing that sometime in the future. Last thing, which I think is the most important for all of us: how can we help you make the tool better, not just in this meeting but afterwards as well? And also, we don't have to wait until it's part of the kubernetes-sigs org. Is there anything you're looking for in terms of good first issues or help wanted issues, or things where you're looking for design feedback or reviews?
B: A few areas. I think the first and biggest one, probably, and easiest maybe, is: if this is a problem that you maybe face, just trying it out and providing feedback is a huge help to help us move forward. So that's one avenue. The other is that, yeah, we absolutely welcome contributions, and we do have a pretty tailored backlog of issues, and we do try to label good first issue and help wanted, things like that.
B: So that's there for sure. And then lastly, I think, yeah, if there's any help that the group can provide on helping us move forward to getting it to kubernetes-sigs, that's appreciated too.
B: You can certainly open an issue; that's totally fine. We do have issue templates there, so yeah. Otherwise, certainly feel free to ping me on Kubernetes Slack; I'm happy to take DMs about it. But yeah, issues are good too, because then it gives us a running track, or GitHub Discussions too is a good avenue.
A: Okay, sounds good. Another thing I would suggest from a community engagement perspective, if you haven't done it already: a project doesn't have to be part of the kubernetes-sigs or kubernetes org for it to have a Slack channel on Kubernetes Slack.
A: So if Eraser doesn't have one, it might be worth doing that even before we consider moving it to CNCF, and that might just get the people who work on Kubernetes anyway to find out about this.
B: Yeah, that would be fantastic. We're just kicking off our bi-weekly community meeting and stuff now, we've got a mailing list going, and so a Slack channel on the community Slack would be an excellent next step.
B: Awesome, appreciated. Yeah, on the README for the project, folks can find links to the mailing list and the bi-weekly community meeting info.
B: Selfish thing, but my users might want it, yeah.
C: A quick question to Pushkar: you mentioned the next step could be talking to SIG Node. Would we present in SIG Node also, or do you know what the total...
A: So my suggestion, or thinking, is: in the next regularly scheduled, larger SIG Security meeting, let's bring this up together, and we will share it with the chairs and say: hey, we learned about this tool; they really want to bring it to the Kubernetes community; we think SIG Node is the right one; what do you think? And if they say yes, that's great, or if they say yes, we want to actually own it instead of SIG Node, then we know an answer either way.
A: If they say SIG Node, then what we could do is go to their meetings. I don't know if I would be able to join, but go to their meetings. We'll try to get a recording of this up on YouTube by then, and you can share like: hey, we did this, we think SIG Node seems to be the right one, would you be open to being the owning SIG for this project if we all contribute it back? And based on those conversations, you can take the next steps.
A: All right, thank you everyone for adding your names as well on the attendee list. I'll try to get this recording through Tabby as soon as I can. But thanks for taking the time to share this wonderful tool all of you have been working on. I'm sure not only the folks in the call, but those who will watch the recording, will enjoy it, and my very best wishes for the success and popularity of this tool, and I hope it really solves some important problems like we just discussed.