From YouTube: Kubernetes SIG Security Tooling 20220816
A
All right, so while we wait for folks to trickle into the meeting, let's do a round of intros. I think I introduced myself. We can maybe go with the Shopify folks and then the rest of us, and then after that you can start.
B
C
Yeah, so I'm Danielle Santos. I'm also in the infrastructure security team at Shopify, like champion and Kaylee. I'll pass it on to Kaylee. Yeah, also on infrastructure security. I'm just supporting. Danny and Javier are the experts, yeah.
A
Great to have all of you here. I see a couple of new faces, or Zoom blocks, in the meeting. If you have not been in the meeting before, just say hi, introduce yourself, so we get to know each other. But if you're shy, totally okay to introduce in the chat or just stay quiet and listen in. All right. So Mahee introduced himself on the chat: security researcher at vox lab and also regular security member. All right, cool, okay.
A
If nobody else is remaining for intros, and we have people trickling in... The meeting minutes: we just don't have a note taker today. So if nobody else can do it, I will try to do it while co-hosting the meeting.
A
So with that, let's start: john vf, Daniel, anyone wants to go first, go ahead. I believe you have presentation or sharing screen access now.
B
Sure, thank you, yeah. Thank you all for letting us take over your meeting. And as Pushkar mentioned, Danny and I are the maintainers of kubeaudit, which is the tool that we'd like to tell you about today.
B
The plan is that I will talk a little bit about what it is and how it works, and then Danny will do a demo. Feel free to interrupt me and ask questions. Also, this is a little earlier than I am normally coherent, so if I'm not making sense, feel free to tell me. Okay, test number one: can I share my screen?
B
Yay, passed test number one. Yeah, I'm just gonna be going through the README. I'll share the link if you would like to follow along and check it.
B
Okay, kubeaudit. So kubeaudit is a command line tool and a package. Mainly I'll be talking about the CLI, the command line tool, but there is also a GoDoc if you're interested in importing it as a Go package.
B
Basically, it is a tool that we built at Shopify to secure our Kubernetes resources, and it checks for things such as making sure that containers run as non-root, that you're enabling read-only file system if your application doesn't actually need to write to the file system, and some other ones. We'll see the full list of checks a bit later down, but that's just kind of a high-level overview.
B
B
The only dependency is Go, so it's pretty easy to build, and we've got some instructions for how to use it as a kubectl plugin as well. And we also release a Docker image, so it makes it easy to run in a cluster, and there's instructions for that here. In terms of how kubeaudit works, there's three modes, as we call them. So manifest mode is if you want to have kubeaudit look at a manifest file. So you pass in your YAML and it'll kind of give you back all of the results for manifest mode.
B
We've got cluster mode, which is if you want to run kubeaudit within a cluster; it'll, like, look at all of the other resources within that cluster. And then kind of similarly there's local mode, which you can use to also look at resources in a cluster, but it'll connect to a cluster the same way that kubectl would, so you're running it from your local machine and connecting to a remote cluster or a local one.
B
B
So, in terms of the audit results themselves, we've got three different levels: error, warning and info. Usually the ones that people care about are error, and so you can use the min severity flag to filter whichever levels you're interested in. Some other interesting flags or format. By default it is pretty, which is great for humans to read, not so great for computers to read, so you can format JSON, and that also makes it easy to pipe through other commands if you would like.
B
So now we'll get into the actual CLI commands. All is the one that.
A
A couple of questions, if I make sure, yes. So thank you for the brief introduction, and I love when the README actually is the best way to share about the tool, so really happy about that.
A
One thing I was wondering, for someone like me coming from an outside perspective, looking at a tool that's called kubeaudit, when it suddenly felt to me that, oh, maybe this is using API audit logging for Kubernetes to figure out whether this is actually secure or insecure.
A
Whatever we are trying to audit. And maybe it's just the name, that both of those things have the name audit in common and it's not using it, but just wanted to confirm whether it has any connection or it's just a coincidence, with the term being the common piece here.
A
I see, okay, makes sense. And one more question was: this is not really following any guidance or regulations that are published in Kubernetes, related to Kubernetes, so like NIST or NSA hardening guidance for Kubernetes. It's not auditing any specific guidance or a framework on a list of things like CIS benchmark. It is trying to find what is insecure and what is secure. Is that right?
B
Yes, that's right. As far as I know, we're not following any list. A lot of these checks existed before I started on the project, so it could be that some subset of the list is covered, but we don't use it as a reference actively.
B
Yeah, so the main command that most people will probably use is all, and so this runs all of the checks, and you can kind of customize the behavior of that with the kubeaudit config, which we'll see a little further down. And, as I mentioned before, there's the autofix command, which only works on manifests; it doesn't work on live resources. And then version is just the version. So you can also run each auditor individually. These are all of the checks that are supported and there's documentation for each one.
B
I'm only sharing a tab, so I don't think it'll share if I open this, but you can open these and it'll tell you about what the issue is, why we care about it and how you get rid of the error, basically. I won't go through all of these, but just something to note is that not all of them are security related. Some of these are informational. For example, the image one: you can pass it an image tag, and it will tell you if there's any images running in your cluster that don't have that tag.
B
And then here we've got the configuration file. So this works for the all command and basically, if there's some auditors that you don't want to run, you can turn them off in here, and also any individual configuration for auditors can be sent here, and these are documented per auditor in those linked docs. And then finally, you've got override errors. So you're probably wondering, well, kubeaudit.
B
It will yell at me if I'm trying to write to, like, the file system, but what if my application actually needs to do that? So the way to tell kubeaudit to not yell at you is through annotations. So each auditor has a set of violations, and so you can, either per container or per pod, basically allowlist specific violations.
B
These, there's an issue open pointing out that we probably should not be using this domain for our annotations. So that is something that we plan to hopefully fix, with your input perhaps. But yes, that is something we're aware of. And yeah, the rest is just contributing.
A
A
Yeah, go ahead. How does the tool behave based on what permissions the person running the tool has? Does it depend on what resources I can access on a Kubernetes API server, or as long as you have shell access to kubectl you're good to go?
B
You will need permissions to the API if you're running local mode. If you're running, like, the manifest file, the permissions don't matter if you have the file. For cluster mode, you'll have to, if your cluster has RBAC turned on, you will need to make sure that kubeaudit running in the cluster has the correct permissions, and there's an example of how to set up your cluster with RBAC and run kubeaudit in a namespace with the correct RBAC permissions in that link up above somewhere. Yeah, in this link.
A
A
B
The only... so you can use kubeaudit to audit a specific namespace as well. So then you would only need permissions on that namespace. The only thing that's cluster-wide is the namespace resource itself.
A
Yeah, okay, that makes sense. One clarification or confusion I had was for the cluster mode: does it scan for insecure clusters or insecure parts in all of the cluster? And maybe you covered it, but I somehow missed it.
B
So it does not scan... it scans all of the resources in the cluster, not, I guess, the cluster itself.
B
Hopefully... does that answer your question?
B
It'll scan pods across the cluster, okay.
A
If it's scanning the cluster, then it is doing way more than I initially thought. But if it's scanning the pods in the entire cluster, then it makes sense.
B
Yeah, it scans... there's specific resources that will generally have results. There's a fixtures file inside of the test folder somewhere that has all of the resources that we're interested in, but they're like deployments, pods, cron jobs, those kinds of things. But yeah, the resources within the cluster.
B
Okay, great. If there's no other questions, I will pass it off to Danny to demo.
C
Yeah, can you hear me and see the screen? It's working? Yes, yeah, awesome. So, as jon v mentioned, you can specify how you would like kubeaudit to behave by setting your config file. We have an example config file in the repo in case you want to play with it. So it's under a config folder. Here's a sample one, and we have all the auditors, for example, that we want to enable, and some settings, for example, for the capabilities.
C
Let's say I don't want to get alerted on audit write or change owner, because I need it for my service, right? So this is where you can configure stuff. I'm going to share with you, I forgot to share it already, I can share this cheat sheet with you in case you want to play with it later, and you have all the comments there. So let's say the way to run it with a specific config is.
C
C
Let's say I don't want to turn the AppArmor annotation auditor on. I'm just gonna come here, I'm gonna say I don't want to run this, and I also don't want any warnings or errors about automount service token account set to true. So these two should be gone, and that's what you're gonna get when you run it again, and then you see that I don't have any errors related to that. So this is just how you would go about the config file.
C
So if you think about terraform plan and apply: when you run kubeaudit and you see all of these errors, you get instructions on how to fix stuff, right? Like, for example, security context is not set, it should be specified, and all capabilities should be dropped by setting the drop list to all, or any kind of suggestions for a fix, right? So when you run kubeaudit fix it's like saying terraform apply, right? So this is like the plan and how to fix things.
C
And then you can apply it by running autofix. As jeffy has said, it just works for manifest mode, so I'm gonna run an example of the fix. So basically we just run kubeaudit autofix. In this case I'm specifying the output file and it's gonna be fixed YAML. You can overwrite it, but I just want to save the fixed version somewhere else. So for context, this is what it looks like. This is my pod specification. It has a bunch of vulnerabilities, as you've just seen. So now.
C
If I run this, I should get the fixed version with a bunch of hardening goodies. Like, as you can see here now, automount service account is set to false. It's not running as root. You've got the capabilities being dropped, and so on and so forth. Seccomp, AppArmor that we're missing, all of them are there. So now if I run kubeaudit, oops.
C
If I run kubeaudit against the fixed one, the errors will have been addressed. We still have some warnings, which is fine, like the informational ones, as we mentioned before. But let's say I don't care about warnings. I just, like, for my use case, I just care about errors, and I'm gonna run kubeaudit with the minimum severity of error. Then it's gone. I don't see any more vulnerabilities flagged.
C
Another thing that was mentioned was that kubeaudit supports different formatting for output, like JSON, which is not human friendly, but it's computer friendly. So you can just pass in the flag format and you can even use tools like jq for a fourier output. And what else do we have here? Oh, so it was also mentioned. Thus the kubeaudit.
C
C
For each auditor you will find the labels in the documentation, in specific docs for the particular auditor. So we have a label here and then it's saying there is some reason for this, for disabling automount service account token auditor. In this case I'm gonna comment this out for now and let it error, go around the auditor without the overriding label, and when I do, I get this flag now.
C
Let's say I have a reason, and then I do some reason, my reason and stuff, and then, if I run this again, it is gone and it turns into info again. I don't have a cluster that I can share with you right now, but if I run kubeaudit all, it will look at my kubeconfig file in my home directory. It's going to run against all the clusters, those resources that we just listed, and you can also run it as a cron job in a given namespace.
C
You can create a service account and you can specify the RBAC policies. You just need lists. You just need read, you don't need anything else, and this is an example. I created this GIF after setting up a GKE cluster and you can just run kubectl logs against the pod where kubeaudit ran, and then you can get the same output.
C
A
Thank you so much, Danny. This was a great demo. Firstly, just want to highlight the autofix feature is pretty awesome. I really liked it. And I had just, like, two high level questions, and others, please interrupt me if you have questions as well. So I was on the end user side in the past, in my previous role, and we had built a tool ourselves instead of relying on something that was available.
A
One question I had, and I'll then pause after that for Eric next time for the next question. Sometimes I used to get a question like, why build your own tool versus using multiple other tools that are available, supported by the community, etc., and there are often very good reasons that sometimes people in the community miss. So I was just curious about that and wanted to get some thoughts about it from you.
B
So kubeaudit actually predates all three of us working at Shopify. As far as I know, the autofix is the big thing that we couldn't find in other tools and then decided to build out ourselves.
A
D
Hey, sorry, I joined late, so forgive me if this was answered before. Is kubeaudit running against a live cluster, right, or is it running against manifests?
D
D
So against a live cluster, on an item like the one you were showing with the service account token change, is it going against the current state, the desire? I guess it's going against current state in the live cluster. So, let's say, does it pay attention to versions of Kubernetes? So if, like, 124 made service account automount token no longer the default?
D
Does that, I'm trying to remember, does that show up as false now in the get on the pod? Or is it... I guess, let me ask a question: what will happen if kubeaudit sees that on a cluster that is a 124 or newer, where that's no longer a default?
B
Gotcha. It does not take into account the cluster version, so whatever is in the code as the default will be what is used. So it kind of is up to us to be up to date with those things. I don't think we've been great at that. Like, kubeaudit is mostly in maintenance mode. If folks in the community open bugs, we will fix them, but other than that, for future requests.
B
D
Yeah, while I was asking the question I was asking myself in my own head: I wonder if you do a describe on a pod in 124, if that comes back as false or not. Do you know, does anyone know?
A
Related to that, I remember in the demo there was a YAML section or block about Kubernetes versions, and there were two fields, 122 to 125. Is that basically checking what are the current supported versions for Kubernetes and whether the cluster I am deploying my pod is one of those versions?
B
A
B
You can do this with the package. We don't have any plans to support it for the CLI, but you can build the CLI yourself since it is just Go.
A
Okay, nice. Another question I had was, I think you kind of shared a bit about it, where the PRs would automatically be updated with something that was a more secure or a fixed, yeah, manifest.
A
So I was curious, you all being in the infrastructure security team, probably, are you helping other developers who are deploying stuff and code and applications in Kubernetes, and making it more secure with less effort for them? So how does that process work, and, like, do they use kubeaudit in all different phases of software development, like on their laptop, in PRs, while they're deploying, or is it, like, varied based on teams? I'm very curious about that part.
B
So we've had a tough time automating it because we have a whole system set up for, like, deploying Kubernetes resources. It's not just straight manifest files. We have something wrapping it, which means we can't actually use the autofix, which is very unfortunate. But we do security reviews of applications, when we'll run kubeaudit. And Danny, if you want to talk about our future plans, let's SARIF.
C
Yeah, at the moment we're working on supporting SARIF output so that we can push the SARIF output to GitHub and use the code scanning tool, and then the developers will have the results of kubeaudit on the screen and they can choose to dismiss it or not, if it's a false positive, or it has instructions for them to fix it. So they can either use the override labels or just add the annotation that's missing, or the configuration that is going to be appropriate for that use case.
A
Yeah, definitely plus one on supporting SARIF. I tried doing that for one of the other use cases I work in my day job, and I think the developer response was very, very good in terms of, like, oh, I have my vulnerabilities exactly where my code is, and I don't need to look for it in some other place, and it keeps updating as needed based on the code I am writing. So definitely looking forward to that. We have about 14 minutes more, so I'll pause for a bit and see.
A
If folks who are listening in so far have any questions or things they would like more details on.
B
I just shared in chat, that's the GoDoc example on how you implement a custom auditor.
A
A
Okay, so it's almost at the time where it's awkward, the silence, so we know we have given enough time for people to come up with a question. One thing I really would like more information, and for the benefit of people listening in later or now, is we kind of went, stop sharing screen, when the contributing section came in for the README.
A
So I was thinking if we could go back to that and tell us a bit more about, like, if people are very inspired from this demo and presentation and think, like, oh, this is really useful for me, I want to give back, what could they do? And the second question related to that was, in the discussion issue that we opened on GitHub, you did mention that there is a desire to donate this to CNCF or Kubernetes, so wanted to get some thoughts on that as well.
B
Yeah, for sure. I can start with the contributing, since that was your first question. Just share my screen again.
B
Okay, yeah, so the actual instructions are probably lacking compared to the rest of README, but basically just open a PR, and there's a CLA that you'll be prompted to sign, but other than that there's really no restrictions. And we ask that, if you're going to kind of change the behavior, add a new feature, that kind of thing, please open an issue first and get just one of us to kind of give the okay before you put the work in. There are, oh, simon.
B
There are a couple issues that are help wanted, if you don't specifically know what you want to do but you want to do something. And they range from easy to less easy, yeah. Does that kind of cover the contributing sound?
A
B
And then, yeah, in terms of donating, I think we maybe had some questions about that, like what it means, what happens, requirements, that kind of thing.
B
A
Okay, cool, yeah, so I'll share what I know. There are a couple of ways to get this as part of community, and it really ties back to two different organizations being responsible for two different things. So, as you might be familiar, there is a CNCF level organization that is responsible for all the projects under the CNCF umbrella, including Kubernetes, and then there is a Kubernetes project organization.
A
A
If I'm not wrong, I think next one is sandbox and then graduation. So many projects that are today very popular, like OPA, I think, there is obviously Kubernetes, and some others have gone through that process. So I can try to find some links and share it on how to do that and what it would involve.
A
A
Then we have many others, like in test, kits infra, docs. So depending on which SIG would like to own it, typically we would let that SIG discuss it in their weekly meetings, or month, bi-weekly meetings in case of security, and then based on the discussions they can decide, like, okay, we would like to own this as a subproject for our SIG. And once that happens, the project technically goes from your domain in GitHub, like Shopify, to this domain that I just shared, which is kubernetes-sigs, and inside that.
A
If you see, there are multiple projects today that are somewhat related to Kubernetes, but not really the core part of Kubernetes.
A
So this is where maybe kubeaudit would also show up, and it would feel like a very appropriate place because, as you can see, many popular repositories start with kube word or k, so kubeaudit would probably look almost identical to others, which would be nice. So that can be another approach.
A
So that's the main thing to think about. Would you have this as a CNCF project or a Kubernetes subproject? The processes would be different and the people who would approve it would be different, but let's say we select one of them and after that it's donated.
A
My understanding is, after that the future of the project would not be defined by one single company anymore. So in that case the community could come together and say we want this feature, we want that feature, and then everyone across the community would come up and share their thoughts and then discuss it.
A
So you would, in full transparency, lose some control over the future of the project, but there is a chance that you might get more helping hands for the project, so that in future it is easier to maintain and you don't really have to be the only people responsible for it. I see a joke being shared on the chat. Now we have to have a debate on the pronunciation, yeah, cube-audit or koob-audit. I agree, yes, it's so funny.
A
I've noticed a pattern where people who heard the word Kubernetes first use it like k-o-o-b and people who read the Kubernetes word first use it like c-u-b-e, so I don't know. I believe, like, either way is fine as long as you love cuban Kubernetes, so yeah. So that's what my 10-minute summary is about the project donation.
A
I would say think about it. There is no rush in making a decision, but definitely sharing this in the next security call with everybody else would be useful, and we'll soon have a recording posted about this. So as you're going through, if you decide to, the project donation process, people will be able to quickly learn about the tool using this video recording, if possible.
B
I have two. So once it's donated, since it moves to a different org on GitHub, who are the maintainers, or, like, the approvers of PRs, that kind of thing?
A
Yeah, it's going to be... I just missed the first little bit. Yeah, okay, yeah, so it's going to be, I think, won't change dramatically from the beginning. But typically, if you see, let's take this example, some of the logistics and how we decide the approval process is very Kubernetes specific.
A
So if you take this example that I just shared, kubernetes-sigs kustomize, and open it, you will see an OWNERS file in the main directory at the top. So that OWNERS file basically then decides who's going to approve the PRs and who is going to review the PRs.
A
And if you see that, kustomize approvers is generally a GitHub team, which is made up of members who are approvers and who are reviewers, and that is again managed as a config file in a separate org under Kubernetes. So that logistics of managing membership would be different, because you wouldn't have that domain privilege of being under Shopify, where the admins and Shopify have access to all the repos. So that piece would change.
A
B
Gotcha, and then I guess, as the project moves forward, there might be community members that get added to that list as well.
A
Yes, yes, and if I'm not wrong, in CNCF project donation process, as they are moving through different phases, there is a criteria which asks the owners of the project to confirm that they are getting contributions from community members who are not part of a single company.
A
So otherwise it is not considered like a graduated project, or maybe it's even before that, that's sandbox. So that is the main criteria, like, if we are going to give that domain of CNCF, then they want to make sure that it's actually a community project, but not like a single company project under the guise of a community project. So it's definitely clear there. I will try to find out for the subprojects if there is a similar criteria or not for Kubernetes.
B
Yeah, and if we decide to donate it to the subproject, like through the SIGs, what is the next... what would the next step be?
A
Yeah, I think first thing is finding an owning SIG would be important. Sorry, I just missed the first.
A
Yeah, I am... my hands are slower than my voice, looks like. I think it's Zoom. So, okay, so basically we need to find an owning SIG, which is saying, like, this SIG is the owning SIG for this project. And once some of the logistics of confirming that is done, then the GitHub admins of kubernetes-sigs org would then work with Shopify admins for GitHub to switch that domain ownership, and then the project would move there.
A
B
A
Process work looks like. For me personally, the SIG Security SIG might make sense as the owning SIG, so birth, but since it's a community decision, worth bringing it up in our regular meeting that we have about twice a week, oh sorry, twice a month, every other week, and sharing this. Based on that discussion, we can kind of decide what to do after that.
A
It would be great if we can get one of you to attend. I know Kailyn is pretty regular attendee there, and Danny I remember to have joined once or twice at least, so either of you can join and be the person sharing on behalf of kubeaudit maintainers. I think that would really help.
A
No, no worries, this is fine. Okay, cool, so we finished our 45 minutes. Hopefully all of this was useful for everyone listening in. Thank you so much for everyone from Shopify who joined in, and special thanks to john vf and Daniel for sharing your wisdom and sharing a bit about kubeaudit.
A
I really enjoyed it and I learned something new, and thank you so much for your time. See you in the community, and I really hope this donation process works out for all of us.