From YouTube: Kubernetes SIG Security Docs 20220303
A:
Hi everyone, today is March 3rd. Welcome to the SIG Security Docs subproject meeting. We abide by the Kubernetes code of conduct, which means be nice to each other. This meeting will be recorded and available on YouTube, so please be mindful of anything that you say in this meeting.

A:
Thank you. Now that we have that out of our way, I am going to kick off with the agenda. I see someone new in our meeting, so I am going to paste the agenda again. If you can add your name to the agenda, Genome, I don't know if I'm pronouncing the name right; if not, I'm so sorry.

A:
What's your fault, thank you. Welcome to our subgroup meeting today. It's a project meeting today, so please, please feel free to add yourself to the agenda, and if you want to tell a line or two about you, that'll be nice.

B:
Okay, yeah, my name is Joseph, but you can call me Yejo, and yeah, I'm really into Kubernetes and security, and yeah. I always promised myself to join the meeting and there is always something, so... but finally, I managed to do it. So I'm happy to be here.

A:
Thank you for coming to our meeting, and it's so glad to have you here. Thank you. I hope, I think I got the name right this time. My name is Avita and I help run this project meeting in the subproject, here to learn. I really, I did a lot of security-related stuff during my graduate program and then I lost touch, and then I got into Kubernetes and I fell in love with it.

A:
So here I am, combining both my passions, mostly learning from others. Soon I hope I would be able to contribute something valuable back.

C:
I don't shoot for celsius, so I'm Rory. So I've been doing security stuff for a while and community stuff for a while, and I also like to try and help out with writing. Docs seems like a good thing, because you can never have too many good docs.

D:
All right, I'll go next. I'm Ray, one of the SIG Docs co-chairs currently. I've done some security work in the past for a private company, I'm just saying, anyway. So I'm here to help out, especially with anything that's docs related, if there's anything that needs to be reviewed or any questions about the website.

A:
Thank you. Thank you all. So now that we are done with the introductions, we will dive into the topic that we were discussing. Ray, do you want to repeat the question again?

C:
Sure. So what this is, the link in the agenda is just to a HackMD that I started, looking at areas in Kubernetes where, if you give people certain rights, it might not be super obvious that you're going to allow a privilege escalation, but it does. So some of the examples we've got: for example, if you give list rights to secrets, and you don't even have to give get, if you give list rights, it lets you get all the contents of the secrets.

C:
People might not realize that. Another one we came across recently is, if you give get or create on node proxy.

C:
It allows you to talk straight to the kubelet API, which bypasses audit logging and it bypasses admission control, which is one I've been looking at recently. So there's kind of like a set of these that I think are kind of known about in various parts of the community, but I felt it would be a nice idea to have a single page on the Kubernetes website somewhere, so people could see these, you know, if I'm thinking about RBAC and how to do least privilege.

D:
Yeah, and I'm trying to post in the chat just some options where this might go. One is under concepts and security, sorry, concepts/security could be a new page.

D:
That page list currently has the overview, cloud native security, pod security admission control, and controlling access to the Kubernetes API. So that's one option. Also the RBAC page as well in the reference guide. There might be other options as well. I just put that in the chat.

C:
Hard to actually go through. I was going to say that the only challenge of that page is a lot of detail, but if we've got something kind of short, I just was slightly worried people would get lost. You know, they'd be going through this and it takes a long time to read the whole thing.

D:
Yeah, I kind of like the concepts/security, like a new page in there. I know there is a blog post, but let me see here, about best practices to secure your Kubernetes deployment. That's from like 2016, but I know we've always talked about doing like a best practice guide of some sort, but I feel like the concepts/security page could lead into links to best practice, but to other pages that will lead into kind of like a best practice guide.

C:
I wonder, when you're saying that, whether what we should maybe do is just do a little bit of expansion on this and just have a kind of general section at the top saying best practice for RBAC. You know, generally it's least privilege, grouping by namespaces, have a bit of content there, and then underneath that, here's the thing you should worry about. So those two things are almost kind of like, because then that would feel more like a kind of concepts thing.

D:
Yeah, I agree, and we've had best practice, a configuration best practice, under concepts, so it would kind of fit, and that's just for example.

C:
Yeah, that sounds like a good idea. So maybe what I'll do is I'll take a stab at putting like a kind of general RBAC, here's, you know, the kind of concepts of least privilege and separate by namespace and use role bindings and all that kind of fun stuff. And then, after that, we can talk about privilege escalation.

A:
That sounds good to me, and we do have the security checklist being worked on by the pawn, and no one has volunteered for authorization and authentication. I think some other stuff that you would be doing, Rory, can easily...

A:
Copied, yeah. So I'm gonna just cross-link it, you don't have to copy it over. Like we could ask for a contributor, if they want to get the hang of how to start doing mini docs PRs. So we could, once this one merges, and once we have this, just ask someone to, you know, link it or even like add a link, so that would be awesome. And I am not, so I wasn't aware of the best practices.

A:
So in my mind, I always thought that we will have a security checklist. So if those are two different things, then we can chat about the best practices and we can reboot the blog post once again when this security checklist gets published, and we can time it and then talk about it a little more. I was, and he was thinking about a blog post then, whenever this one's ready. So that would be a nice time, like if we could target by...

A:
I am targeting KubeCon EU. I'm not sure if that is aggressive or if that is slow. I don't know, it would be nice to have it around that time. So that's what I have told people who have volunteered, but I also don't know how much commitment they have, so I'm just gonna not be too aggressive on that. It would be nice if it's done. If it's not done, then we will have it for keep connect, but we will eventually have it on our website.

A:
It's just a plan. Yeah.

A:
It's like in a month, or let me, it's not in a month, but to be like wrap things around in the months to have all your stuff ready, bag not packed. But for me it's visa, I mean I need to get...

C:
You're right, it's getting quite close, and yeah, so we'll see. I mean for this page, I think I should be able to do, like I'll put some content up at the top, a kind of generic Kubernetes RBAC best practice. I'll get that done probably over the next week, I would have said. So we should be able to look at where we can put this one after that, I guess.

A:
Yeah, that'd be nice too, and it might even, like we always talked about having an extensive RBAC guide, which we never had. So all these topics we have can just get stitched together. Like I feel like under concepts, a security section would be really nice, because if we start adding stuff, we can just really add there and cross-link it, but I also don't know about the organization, so I'm just going to leave it to Ray, who knows better about the website organization than me.

A:
That was just my suggestion. Like...

D:
Sounds good to me, yep, sounds good. Also, I do want to correct, I didn't... I actually meant the security checklist instead of the best practice guide in my head. It's kind of like, it's almost, it's like...

A:
That makes sense. Okay, so yeah, that's in progress, so we have some sections added and folks have signed up for it, and I created a HackMD. Once it's ready I'll just share it widely.

A:
Now there are like people just putting in their one-liners. I'll check in with them if they're ready to share. I just don't want to prematurely share when they are not ready, and I'll just check in once before I share that, so we can have that reviewed. Some of the things link to, for now, whatever I have seen, some other things link to third-party tools, which we might want to avoid, so we can come up with a more, for example, container image scanning and container scanning.

A:
Then all the things, the links, are related to third-party tools. We could just see how we can avoid linking it there. Otherwise we might have to turn this security checklist into a blog post, where we can specify some third-party tools, because it's a mere suggestion at that point, I think, and add a disclaimer telling that it's not officially coming from the Kubernetes project itself. It's just like a suggestion that you can use similar tools, yeah.

C:
One thing we could do is the CNCF have a cloud native security map as part of TAG Security, and that has two lists. So what we could do is we could point people at the cloud native security map section for scanning and just say, you know, that then moves it away and says, right, the CNCF have done that already, we don't need to repeat. There are various tools represented in there.

A:
I think that would be nice. I don't know if the website folks have any issues linking to a CNCF page or the tool list. We can check in if they already have an idea on that, or like, is it okay to link out to a CNCF page?

D:
I think it's okay to link out to a CNCF page versus listing out third-party tools. I think that's even...

A:
All right, in that case, I gave all of you 12 minutes of time back. Thank you for joining today. I will look forward to seeing you all in the next security meeting or in the next docs meeting.