From YouTube: Kubernetes SIG Security 20210422
A: All right, it's three after the hour. Hello, everyone, we are now officially here and live for another Kubernetes SIG Security get-together. Looks like we have some things in and coming into the agenda, so let's just go right ahead in there. First thing that we have is Pushkar. Do you want to lead us through this?
B: Yes, I can start. So this was something we discussed a bit last time. Basically, the idea is, and this has been an open issue for almost a couple of years now, the idea here is: Kubernetes has a lot of dependencies and some of the dependencies occasionally have CVEs.
B: So today we don't have a way to announce when it is fixed. We don't have a clear, open way to share that we have detected it and how we are detecting it. So this whole process is trying to be worked out with, which could be tool agnostic, but right now we are going with stick, thanks to Eric helping out there, and the idea there is:
B: Those will then be categorized into five different categories, so there is a Slack discussion open since yesterday on that. I could go over the details, but in case we run out of time, we could also take a look; I'll put the Google Docs link later and people can take a look and share their feedback. And the idea, essentially in summary, is we'll have five categories. One of them is embargoed CVEs, so that will continue to follow the PSC flow in terms of managing the CVEs.
B: The other four, which are true positive and different flavors of false positive, those will be basically tackled via GitHub issues, and when those are fixed, if those are fixed, whether they get backported to n minus two. All of those details are in the Slack discussion and the Google Doc link there, so happy to get any feedback from the community there.
A: Yeah, two things that come immediately to mind here. Definitely the link to the Google Doc will be super helpful. Like, I am not currently logged into Slack, so I can't easily follow that link and get it pasted in there, but that Google Doc link would be great. And the other thing would be: I haven't seen and caught up with this discussion personally yet, but just wanted to make sure that other PSC folks are involved in that discussion from the beginning, in order.
B: Yeah, Tim was very helpful yesterday and gave a lot of good feedback. So some of the outcome of that discussion is now summarized in the Google Doc, and any other PSC members who need to comment and contribute, please add them to the discussion or share the link, or I can share it if you know anyone who would be interested, and then we can go from there.

A: Yeah, that's great. You know, once I am personally caught up I'll make sure to share that with the other folks in the PSC. Seems like it's good work. Thank you so much. All right, thank you. Any other thoughts on this, or does everybody just need a minute to see if they're gonna be able to go and view the doc?
D: I think I put the right doc in the notes. You can check that if you want.
A: Well, awesome. Thank you. Next thing that we have here is the audit subproject. Ray, do you want to take that?
E: Yeah, so we did some changes to the RFP, which we discussed in the last meeting and also in the previous meeting of the SIG Security external audit subproject, and that was to extend the RFP not to a set date, but until at least four proposals have been received. When we do have the fourth proposal received, then we'll set the RFP closing date to two weeks after the fourth proposal has been received, and also set the vendor selection as well to two weeks after the RFP has been closed.
E: We've also changed some of the wording around the audit timeline as well to be more flexible, and also have it be optional to send CVs and resumes as well, since we know that staffing at this time can be complicated, to be dedicated to a single project. So those changes have been merged this morning, as I see here, and yeah, that's pretty much it for me. So we're waiting for a few more proposals.
E: Yeah, so when we get the fourth RFP, I'm sorry, when we get the fourth proposal, then we'll set the actual closing date to two weeks after the fourth proposal has been received. Okay, and then, yeah, I will put a link to the RFP and to that PR with those changes in the notes. Awesome, thank you.
B: I actually have a question related to the next discussion also. So some of the Cluster API folks reached out to me recently, and they were saying, hey, this subproject in Kubernetes is becoming really big and we would love some initial feedback on security. So, is there any scope in terms of adding Cluster API as part of the third-party security audit, or would it be too much of a scope creep?
E: Right now, it'll be too much of a scope creep, and we've actually talked about possibly even reducing the scope of the RFP, actually, and possibly moving those other components to the next RFP. So.
A: Yeah, I guess kind of a follow-up question there, just to confirm what I think I remember from last time we discussed this: if there is a reduction of scope in the RFP, the general idea of that would be more frequent, smaller, possibly even overlapping RFPs for these smaller-scoped projects, to try to break up this, like, omnibus RFP that seems to be unwelcoming, for whatever reason, to vendor participation.
E: Yeah, I do agree, and I did not change the scope on the RFP yet. I just did the minor changes to those dates, just to see if that will increase the number of proposals that are submitted, and if we need to change, then we can, but yeah.
A: Awesome, yeah. Thank you, all of you, for continuing to work on that. Do you want to tell us a little bit about what's going on with docs?
F: Definitely. Hi everyone, hope all of you are doing good. The hardening guide issue is open in kubernetes/website. Thank you, Rory.
F: Last week we went through the guide and we were discussing the organization, the length of the topic, and we decided to have some in-depth details for certain topics, because I find it useful as a system administrator or cluster administrator at the end of the day, and we will also have a security checklist which will just bubble up all the good points and have links to our hardening guide later.
F: So that was one of the discussions that we had, and we also had some time to go through the issues and PRs in the kubernetes/website repo to see if we can pick any of them, or if there are any volunteers who want to work on the issues and PRs, please feel free to assign it to yourself and leave your comments and feedback. You can do that by going to kubernetes/website, filter the issues and PRs using the label sig security, and voilà.
G: I'll add one little bit on docs, if that's okay. In the hardening guide, what we've got at the moment is like a sample section filled in, just to get kind of feedback on: is this the right level? Does this kind of, you know, quantity of content, the approach being taken, work, or do people have feedback? So if anyone's got some time, it's a really quick section to read, and any feedback on "yes, this is a good approach" or "no, maybe you can consider doing it differently" would be very welcome.
A: About website issues and PRs, one thing I'd just note: if you scroll to the top of the notes there are links that should be pre-populated to the GitHub searches for things labeled sig security in the various repos. So I hope that that is helpful for anybody that wants to have a look at them. Are there any particular issues or PRs, Zavita, that you all identified as being especially interesting, that you would like to bring to the attention of this group?
F: We just briefly went through them. We didn't dig deeper into them. There was only one PR open by Tim, which was a really big one, so that's what was about secrets, and probably that's it. I didn't notice anything. I will take a look next time around, and if there are any issues I will bring them up here.
A: Of course. If we don't have anything else on docs, then let's talk a little bit about this Cluster API.
B: ...bring up at this point, okay, yeah. So we basically discussed three possible alternatives to get Cluster API reviewed in some way, because the main intent is, let's make sure we give good feedback as a community from a security perspective, so Cluster API can take care of some things earlier rather than later. So, three options we've considered so far, which are mentioned in the issue I linked: the first is the Kubernetes security audit, which seems like, at least at this time, doesn't seem a good option.
B: The second one: I discussed with the CNCF Security co-chair Emily about whether we have any scope in assessing, as part of their usual security assessment workflow, a subproject of a graduated project such as Kubernetes. So what she shared with me is: we haven't actually done this before, where we are reviewing the subproject of a graduated project, but we expect this to fully happen as more projects are graduated and then some more subprojects spin up out of it.
B: So she is open to discussing this with our TOC liaisons as well, to figure out what would be a process we could tackle for such scenarios, and I also shared that this might be a good opportunity for both our SIGs, which share the name, to collaborate together in some way and work and help the Cluster API folks. So that's the second option, and the third one seems like there is some funding available from CNCF to request a separate security assessment, which was a suggestion coming from Cluster API folks.
B: So I don't know more details about that, but that seems like the three options we have. The first one being not the right one right now, seems like, from the third-party security audit of Kubernetes, but would love to hear thoughts from everyone on the CNCF and Kubernetes collaborating to do something, or the funded option that Cluster API folks came up with.
E: And I also believe that's the CNCF process as well, for projects that they would go under security assessment by CNCF's security, and then it goes to third-party security audits.
H: I can speak to that process a bit. I've led a couple of those, Falco and Cloud Custodian, and I participated in the OPA review, so that process has been undergoing a bit of an evolutionary process since it first started back in 2019.
H: I think in 2019 the vision was closer to what I think here we're all talking about as a security assessment, security review, security audit. The current iteration of this, as of the last couple of months, is more like a, I guess I would call it a review, more like a security documentation review, and the process is basically the project provides kind of a self-attestation.
H: Here's what we're doing, here's why we think we're secure, and then the CNCF security folks will volunteer to review that, add comments and questions, clarifying questions, and then essentially just capture that in a markdown document.
H: So I think the scope I would certainly be interested in for the Cluster API would be more of a tactical combination of code testing, you know, fuzzing, you know, review in a real-world cluster, that kind of thing, and that's currently not what the CNCF review process, assessment process, is scoping. Does that make sense?
A: I was just gonna say that, like, I was tangentially involved in a couple of those, and yeah, it seems like the self-assessment worksheet process was really valuable to those projects that were going through it, and, you know, therefore, if the folks who were working on Cluster API wanted to go through it, I would expect that they would find similar value from asking themselves those questions, either by getting peace of mind that, you know, some...
B: So it sounds like what, Robert, you're saying is it will be definitely beneficial for them to go through the CNCF security assessment process for their security, whether it's a self-assessment or whether it's something else that's under discussion right now. And then so that part, I think, takes care, assuming this project is eligible, because generally the scoping has been for sandbox projects or projects that have not been graduated, and this being sort of like a completely different bucket.
A: Right, I mean, like, to the point of the concern about whether it's appropriate within CNCF's security policies to be asking for this service from them for part of a graduated project, you know, I think that this group could certainly help with that sort of effort too. Like, if Cluster API wanted to go through the self-attestation checklist that CNCF SIG Security has been requiring for sandbox to incubation graduation, you know, certainly there's nothing stopping them. It's just a checklist.
A: That's in a git repo. They can go and grab it themselves, but also this group has a lot of that sort of interest, and a lot of the folks in this group have the necessary context and the necessary, you know, technical know-how to be able to read through the results that they would produce from one of those self-attestations.
A: So I think if folks here want to do that, we should definitely do that. You know, right now we don't have policy that says this is a service we offer, here is how to do it, but if it seems like it will be valuable and if folks want to do it, let's, you know, let's do it.
A: I personally can't promise to lead it, but I highly encourage, if there's interest in helping them out like that, yeah, let's do it. It's worth exactly as much as everybody can put into it, so yeah, if they can go through that self-assessment process and then, if folks here can read through it and offer them feedback on it in a non-binding way, I think that could be really helpful for them.
A: I also really like the idea of doing a targeted third-party assessment of the designs and of that code. You know, that's a thing where Ian and I, as Kubernetes SIG chairs, can help with interfacing people to the right places within, you know, within Kubernetes steering and Linux Foundation, to say, like, you know, Cluster API has a good belief that they can make things better by doing, you know, a smaller-scoped audit specifically of their code base, here's the proposal that they've put together.
B: Okay, I think I like that we have multiple options, seems like, to go through this, and eventually, I think, if Cluster API is more secure, that's what we want. So just to summarize: we let them go through the self-assessment from CNCF SIG, and then once the results are out, folks here can jump in and partner with Cluster API to figure out, okay, hey, this is what it means, and maybe this is what we should be doing in Cluster API. And the second option is the separate third-party security assessment, which is a good option, and the co-chairs, you and Ian, are happy to help figure out what's the right way to get that done as well. Did I miss anything?
H: No, I would say one is a good input to two, and I'm happy to, if you connect them to me, I will sherpa them through the CNCF process. Awesome, okay.
C: Yes, sorry, I was just going to raise my hand as a willing laborer to help shepherd these things through. I'm a participant in one of the Cluster API providers, in the Azure provider, and we have a big interest in getting both the self-assessment and the third-party audit accomplished. So I'm happy; I don't have the technical expertise to do any of that work itself, but as a PM I can help organize and herd the cats.
A: I'd just say I love to see it. This is why we're here. Next thing is something that I put on here, which is a kubernetes/kubernetes repo issue somebody filed sometime last year, saying, hey, we should build our Go binaries with the position-independent executable options so that we can have ASLR on them.
A: There was some discussion back and forth: ASLR doesn't matter for Go because it's memory safe; doing things that are best practices is valuable just to show an example, even if the results are not critical. Different thoughts there.
A: I added my opinion there, but I wanted to bring it to the attention of the group here, because this feels to me like one of those things where, if it can be done with a reasonably low amount of effort, then I think it's a great thing to do. But my personal opinion is that it's not something that's worth dropping everything over.
A: So if this is interesting to somebody, to either help out with making it happen, or just if you have strong thoughts pro or against the value of this, please go ahead and jump into that issue and help them out.
A: Yeah, there's a link in the notes. It's kubernetes/kubernetes issue number 90311.
A: Last thing that we have here is Raga, you're talking about you volunteering for KEP liaison. Hi, talk to us.
I: Hello, hey. A little about me: I am Raga and I work as a cloud security specialist at Nokia. I am based out of India, been a Kubernetes user for some time now, however, very new to the community. So I heard Pushkar mention the KEP liaison efforts in the last meeting, and I'm very much interested to volunteer for this effort. We need a lot of guidance from the team, and here I am.
A: Yeah, hi, hello. This is an evolving kind of space about what exactly it would mean, but, you know, the way that I've sort of imagined it is, over time, it would be super great if we had folks who were coming here regularly, you know, on Slack or in the meetings, you know, between all of the SIGs, that we could help to provide that sort of conduit or pipe for. So yeah, especially if you have either areas that you're currently involved in, in addition to security, or if there are areas that you are interested in and thinking about becoming involved in, then, you know, from a communication standpoint, just keeping us in mind and coming in, sharing here things that you see, you know, in other SIGs that you think are interesting to the group or where we could help out, and then similarly taking the kinds of thoughts and concerns that we all share here and reflecting them in the work that you do with other SIGs.
I: At the moment, I am looking at only SIG Security, so this is an interesting question. So let me get my hands dirty with some other SIGs as well, so I'll take it as an action item and come back.
A: I mean, feel free to, like, please reach out to us on Slack or whatever, because, you know, obviously it's not our, or my, place to tell you what to do. But, you know, some of us have been around the community for quite some time, and I think that we would all love to help you be successful and find a good home for yourself in Kubernetes.
A: So thank you so much for coming to join us, and looking forward to continuing to work with you.
A: All right, so, like, you know, like a Go program, we've fallen off the end of the main function, and now we're going to do our traditional post-exit cleanup. Does anybody have anything else that has come to mind that you'd like to bring to the attention of the group here today?
A: That being said, or in this case not said, it's been great to see you all today. It's great to meet you, Raga, and thank you all so much for coming. We will see you again soon.