From YouTube: Kubernetes SIG Security 20220616
A: It is 11:04. Usually we start about now. I'm assuming that my co-chair is in some sort of meeting, being held up, and will be in in a sec, and also PJ said that he would be in in a couple, so I'm gonna start intros. Hi, my name is Ian Coldwater. I am the co-chair of Kubernetes Security here. We at SIG Security seek to create an inclusive, welcoming environment where people of all skill levels who are interested in learning more and improving the security of the project can come together, contribute and learn and hack things and make friends. So thank you all for being here, and yeah, I will just let whoever wants to talk next talk next.
B: I'm Allah Dewberry, she/her. I am, I think, officially the subproject lead for self-assessments, which is super, super exciting, so yes, definitely a testament to what Ian said about being new and welcoming. I can't remember if it was the first or second meeting that I came to, and it was like, hey, we need a subproject, and I was like, oh, that sounds... that sounds like a thing. So yeah, super. This is super welcoming; super proud to be part of this wonderful community.
C: All right, I'll go next. I'm Rey Lejano, the subproject lead for the third-party security audits. Also, I'd also want to invite everyone: there is the monthly Kubernetes community meeting right after this meeting. It's on the community calendar, so please join and attend that, because I'm actually hosting, and I have to jump off this call shortly after my update to get ready for that. So thank you very much.
E: And I'm Liam Decker. I just joined Datadog. I'm here actually at the recommendation of Tabitha, and I am very interested in Kubernetes security and learning more. So I've been on the SPIRE project for a bit now and contribute to that, but never run Kubernetes.
A: All right, thank you for introducing yourselves, everybody. Welcome to the newer folks and the people who have been around for a minute. So the way we run this meeting is that, and if anybody didn't get the agenda link we can repost it, we start out with report backs from... I guess technically introductions, but report backs from our subproject leads about what our subprojects are up to, and then, if you have ideas or thoughts or things to say, we open up the agenda for whatever people want to bring to it. If you have an idea or a thought or a thing to say that isn't on the agenda yet, feel free to throw it on there, and we're excited to hear from you. So, subprojects: what's up with audit?
C: All right, I'll start with the third-party security audits. The third-party security audit is in progress, so it should be finished in the summer. For some context, the last third-party security audit was in 2019, so it's been several years; that was back on Kubernetes 1.13, I believe, so it's been several versions ago. So just stay tuned for the findings coming up, you know, in summer, late summer, or fall.
A: All right, how about, let's see what is on the agenda next. How's SIG Security docs doing? Is 7000 here today?
F: I... I can share what I know is going on. So there are a couple of PRs open from SIG Docs which are related to secrets docs in the official Kubernetes docs. So here's a link to the Slack thread; they're looking for feedback on it, technical as well as language-related, so take a look if you're interested, or if you've used or read those docs, and see if the overall language is good, and if you like it, and if you have any feedback.
C: There's also a PR for the security checklist as well, and that, as I checked, was in draft, but I'm going to put it in the agenda here. Actually, yeah, still in draft, but people are adding their reviews and their comments and suggestions to it as well, and then my... who's on the call, I believe, created that pull request.
F: Yes, so we have, thanks to a lot of sustained effort over a period of months and very intense efforts over the last couple of days, the first PR for KEP-3203, which is our automatically refreshing official Kubernetes CVE feed KEP. So KEP is the Kubernetes Enhancement Proposal. So the idea is, like, let's merge the design doc before we start implementing it, and then we tag it to the milestone of an upcoming release, which is version 1.25, so that part is done now.
F: The KEP is in track with the release team. So now the fun part begins, which is implementing it. So we look forward to doing that in the next couple of months or so, as everyone goes along with 1.25.
F: On that note, the second update is I'll be out starting tomorrow until the end of next week, and we do want to use the tooling meeting as another kind of working session. So I'm going to ask Abby to push the meeting one week ahead, so instead of the 21st it would be on the 28th of June, 6/28, and we'll discuss the KEP and anything else you all want to discuss. So that's it from my side. Any questions, comments, thoughts? I'm here and happy to answer questions.
F: Yeah, so they created the... so for folks who don't know, tooling meetings are alternating between a working session and a learning session, and we have a template now where people can request a learning session that they want to present, or they want to hear about. So Xander from Microsoft wanted to share a tool that they want to contribute eventually to CNCF, and he has requested a learning session as an issue in our SIG Security repo.
B: Pretty good, yeah. The subproject has been officially created, so that's super exciting, and just a huge shout out to Pushkar for all his help for just getting me signed up in all the right places and just, like, guiding me through all of the hoops and hurdles. So this is super exciting. Now that the subproject is official, I just realized I need to create meetings, so I think I heard that Tabby is a really good person to help with that.
B: So I'll probably create a Slack thread to just get that kicked off, so we can create that temporal space for discussion regarding what's sort of currently going on and up next. So right now we are waiting on Killian to look at the CAPI fuzzing report so that we can publish it, so we're just waiting for his thumbs up there.
B: Next step is really just continuing the self-assessment with the vSphere CSI driver, which is convenient, I guess, because I happen to work at VMware, so yeah, if I need to encourage some internal engagement, I have those hooks. Also, I'll be meeting with Robert next week to understand where we're at with just what we can reuse from the external audit materials to make self-assessments more user-friendly and templatable, so yeah.
B: I definitely... I'm someone who loves to make things repeatable when it makes sense, so super excited to dive into that. And then later, so looking ahead, you know, it's really... I think this is such a powerful tool and just methodology to give people the ability to do security sort of reflection on their own. So I will be looking to attend other SIG meetings to just let them know.
B: This resource is available, and to help, you know, those SIGs and those subprojects make use of this, because it's really important, so I'll be doing that. But I would also love suggestions on, you know, good things to sort of start with.
B: Otherwise I'll probably just start going down the list, but if any of you know of any SIGs or any subprojects who are in particular sort of starting to think, oh, like, yeah, fuzzing tests would be kind of neat, or we really kind of want to get more thoughtful and proactive about security, just let me know, and I can parachute in. So that is all from me.
A: I was talking with Emily Fox when we were in DC a few weeks ago, and she's super excited about the work that y'all are doing with the self-assessment process, and, you know, I know we have links to TAG Security, hi Pushkar, anyway, and so it's not like people aren't talking, but, like, you know, working with TAG Security, and, you know, they're really excited about the ways that we are taking that idea and running with it.
A: And so I think they were like, we'd really like to learn from you about the ways that you, the places that you're taking this and the things that you're doing with it, and so talking to TAG Security and teaching them about the things that you're doing with that, I think, would be amazing, and just generally idea sharing about how that project has been going on there, I think, would be awesome.
B: To Pushkar for knocking down the first domino. So, but you know, that sounds awesome, and what was I just gonna say anyway? Yeah, super excited to help, just like enable, yeah, enable people to take security into their own hands. So yeah, awesome. I will. Can I find Emily, I'm assuming, on Slack, on Kubernetes Slack, or?
F: A couple of things on that I wanted to share for recommendations on, like, what SIGs to go to. This is a link to the sigs.yaml file, which has a list of all the metadata of subprojects that every SIG is responsible for. So because we are doing assessments for subprojects, maybe the SIG that has the most subprojects might be the best SIG to go to first, and then kind of going forward from there.
F: So that way, if people are really wanting some help from the security side, they'll be able to pick one of the subprojects. And the best way, I think, to, like Emily and Ian said, learn from what we have done, is they have a self-assessment template in TAG Security. So, based on our experiences, there is a chance where we might actually update that, and it might help people who are not in just Kubernetes but across the CNCF, so happy to see where that goes, and yeah, ping me if you wanted.
B: Sweet, so it sounds like I can just start with, like, cross-referencing sort of what they have with what we have, and, you know, what's the diff, and then Robert, I'm of course, like, looking at what you're working on to improve what we also have. And I'm also thinking that this would be really good fodder for submitting a talk at Detroit, and just sort of like a recap of the learning process that we're going through, in addition to, like, how we're socializing what we learn as we learn it. So I...
D: I completely agree. I think, again, it's just funny how it's all come full circle, because this spun out of the TAG self-assessment process and template, as Pushkar mentioned, and that's now... we've kind of adopted it and spun it into our own. So it's great that it kind of wants to go back and start over and start the cycle anew. So I think, yeah, putting some... I mean, on that CFP.
B: Yeah, yeah, I still... I, oh sorry guys, yeah. I need to... I still have an outstanding to-do item to put together a draft and to share it in Slack for some initial feedback. So, on my radar.
A: The non-maintainer track CFP closed last week, but the maintainer track one closes on July 1st, to clarify for the folks who are not steeped in KubeCon all the time.
A: This is a fantastic question and an unclear one, this specific KubeCon, because this specific KubeCon has new rules around SIGs in the maintainer track that I don't know... that are, so far, to my knowledge, unclear. Unless that got completely settled in the chairs and TLs meeting that I was not in a day or two ago; in the chairs and TLs meeting that I was in four days ago, nobody was quite sure yet.
A: So that is a thing for us all to figure out, and we can all figure that out together. I don't know if Contributor Summit is doing talks or unconference stuff this time, but if they are, doing a thing at Contributor Summit is also an option and probably a good one. So if folks want to do Contributor Summit stuff, like, I think that would be awesome, and it is a thing that is separate from the maintainer track process.
A: So, you know, if we all end up with extra talks, I think that might be a good option for them.
A: Oh, and it was pointed out in the chat that there is also Security Con at KubeCon Detroit, which is co-located and which does not have a closed CFP yet, so that is also an option.
A: Okay, also, there was no update on maintainer track CFPs and SIGs from the second chairs and TLs meeting. So who knows, but we can all do talks at Security Con, at Contributor Summit, and we can all collectively figure it out together, because that's what we do together: figure stuff out.
A: Yeah, but that sounds awesome. Like, I want that talk to happen somewhere. So let's talk more about it and, like, you know, figure out a way to make it work.
A: Do folks have other thoughts on self-assessment stuff, or just want to, like, just go yay, congratulations for our new subgroup? Because that's really exciting.
A: Summit summit, the summit summit is next week, actually. That is the co-located umbrella conference that the Linux Foundation is putting on, of LinuxCon, of OpenSSF Day, Open Source Security Con, ContainerCon. There are so many of them. I...
B: At all, so I was like, okay, well, I really want to see Ava Black's talk, like her keynote, and, like, there's a lot of really great stuff, but I was like, I don't know what I just signed up for. I think I signed up for the right thing.
A: The talks look great, and saying that with my SIG hat back on, because the "I find that confusing" was definitely with my SIG hat off, to be clear. Yeah, no, like, the talks look awesome; there's gonna be really good talks on supply chain security, there's a supply chain security event that's happening, and, like, it looks very solid for folks who are going, and I think there's a hybrid option too, so you don't have to go to Texas to actually... it's...
D: Hello, so one to add to the confusion: the Open Source Summit is listed as the 21st to the 24th, I believe, which is Tuesday through Friday. If you are interested in going to the OpenSSF event, that is on the Monday, so that precedes the conference. So do be careful with that.
A: Thank you for that reminder. Yeah, that came as a surprise to me too. It's, you know, so for the people who are not familiar with the OpenSSF, it's the Open Source Security Foundation, and I think it's openssf.org, so they do open source security stuff. They're under the umbrella of the Linux Foundation; various companies and different kinds of factions are involved, and I'm on the governing board. openstack.org, I should know that off the top.
A: I'm giggling at the chat: "I just discovered this event. This is wild." Yeah, there's a lot going on there.
A: Okay, next on the agenda for discussion is AppArmor GA, and I don't actually know who put that one on there, so I'm going to let whoever that was talk.
G: Yeah, that was me. So I just want to give a quick update on that effort. So I had rewritten the KEP, the old KEP from Sasha, and updated it because it was kind of stale for quite some time now. I dropped into the SIG Node meeting a few weeks back and kind of made them aware of it. They were aware of it, but, you know, with just kind of a tight timeline, and we're kind of backing up against the 1.25 enhancements approvals.
G: So it looks like we're probably going to bump that back to 1.26, as I learned the process, and, you know, some other timeline things. So we're gonna get that in on the next release, and I've also got a draft PR on the API changes.
G: If you're feeling interested you can take a look, but yeah, so just working through that, and, you know, working on getting some more SIG Node people's eyes on it and that sort of thing. So just to update on that, we'll probably push to the next release.
A: I mean, it's legacy, but it's important, so, you know, like, it's really important that it is happening, even if it has been around for a minute. And, like, if we're being real, like, a lot of things in Kubernetes have been ongoing issues for a minute. So it's, you know, like, it's awesome. I think that as time goes by we're getting to some of those things that have been kind of hanging out for a while, like, I think that's neat.
A: So there's a different sort of stages of the process, which, you know, there's alpha and beta, and then it kind of, as things go through the stages of maturity, they eventually go to GA.
A: Also, thank you for asking the dumb question; that's not dumb at all, and I really appreciate everybody who asks the question that they want to know about, because often you are not the only person who is wondering that kind of thing, and, like, acronyms that are not explained are a scourge, and thank you for pointing it out so that everybody has, like, a common understanding of what's being said. Yeah.
A: No, there is a CVE that happened. It was an ingress-nginx one. James says their audio is not working. Do you want to type what you were going to say, and then I could just read it out, or?
E: So I don't want to put words in James's mouth, but I popped open the issue that's linked, and the issue is from six days ago, talking about how users can bypass the sanitization of a certain field, and so they might be related to, or no, this was assigned CVE-2021-25748.
A: CVE numbers in general are kind of weird. They're not sequential; they're given out in batches by vendor, and often the years are not necessarily corresponding to the current one, if it's, like, been under embargo for a long time, or, like, other issues like that. Like, they don't quite work like you would intuitively think they would.
A: But it might be that it was found in 2021, and yeah, the numbers are not sequential at all. So you would think that it would start, you know, on January 1st you get one, two, three, four and five, but it's actually that, like, containerd gets the block that is, what, like 29,000-something, and then, you know, like, Docker gets the block that's 40-whatever-thousand, and, you know, they just get, you know, given out in those kinds of batches, versus, instead of it just being like UIDs that increment. What?
A: Yeah, so heads up that that happened. Read the advisory and, you know, do the mitigations or break the things or whatever it is that you're into. Thank you for pointing it out, James. There is somebody who has been continually about to type at the end of the agenda and I'm not sure what they are about to type, but at this point the written bits of the agenda are now done with, so it's open.
A: If anybody has anything else that they came with, you know, questions, thoughts, ideas, things they want to talk about: open floor.
A: And if nobody wants to talk about anything, that is also okay. We are all free to do what we want here. We're about consent here at SIG Security, and give everybody a minute to, you know, let the shy people take a moment to process, and if nobody decides they want to say anything, then we can go our separate ways and have a lovely couple weeks.
A: Fair enough. Well, I hope we all have a lovely couple weeks here, and yeah, you can always come and talk with us on sig-security, the channel in Kubernetes Slack, not to be confused with CNCF Slack, which also has a tag-security channel, who are also great, but they are not the same Slack and not the same channel. So yeah, come holler at us on Slack if you have any thoughts or things you want to talk about between now and two weeks from now, when we have our next meeting.