From YouTube: Kubernetes SIG Security Third-Party Audit 2020-12-09
B
Does anyone on this call remember what we were asked to do with notes for the subproject meetings? Are we putting them in the main document, or are we spinning up our own notes doc and linking out?

B
How about I go steal a copy and make an...

B
Apologies for stumbling here at the beginning. I'm going to try and get the notes doc kind of set up before we jump into it, except that, because my personal Gmail accounts, a G Suite account, a couple extra...

B
So there in the Zoom chat is the document that will be the document. It's still full of all of the... I just made a copy of the security one, but we can put our notes in there for this meeting and I'll clean up the chrome. I'm gonna...

B
And you guys feel okay about the... Please feel free to call me out when I use "guys" when I mean a gender-neutral plurality. I have been working on that for a while. I fail a lot, but I am trying, so feel free to call me out, please.

C
At the end, in my opinion, it's fine. I think that it's good to make some progress. I suppose the... yeah.

B
I mean, so we actually may not meet a ton for the rest of the year, but I did want to at least start getting a sense of who wants to get engaged and involved. I don't actually know what's become of Craig, who helped with the last one. I know Jay, who also helped with the last one, has kind of taken a step back from contributing to SIGs and Kubernetes for a little while. So I don't know where the... where the co-chairs from the last, from the working group have ended up, but we can still forge forth without them if they want to turn up later. We have a lot, probably plenty of work, but right now there actually isn't a ton of work. I am happy to bring everyone up to speed with how the project's been kind of on life support and what I think the plan should be, but I'm open to all kinds of suggestions.
A
I'm mostly curious about what are the activities that are going to happen in this subproject. I'm not sure if there's something that I can contribute to or not, so maybe we could... Maybe, if you could explain, like, like you said, "oh, there's not a lot of work to do," something like that, but like, what is the nature of the work?

B
Sure. So the basic structure for the work that this subproject does is put together a... well, I guess there's this, like, point zero, which is acquire money; that step's kind of been done. So we have some money. Step two is we put together a request for proposal whereby we write out the structure of the audit, what we're looking for in a vendor. Then there's a process where we publish that. Last time we did the publishing of that to a subgroup of contractors. So there was work around picking who the invited proposals would be from. The plan, though it could change, the plan was to just go public this time, because we've done it once before and, like, some of the organizational muscle is there to go through the process, so we feel like we could expand processing of our proposals that come in. So there's the publishing proposal, there's the receiving all of the proposals from vendors. I don't know how many we would expect.

B
They... we will help show up, probably every week, maybe a couple times a week over the course of the actual audit, to help guide the vendors towards the people they need to know. So there's a lot of communication brokering. "Oh, I see you're stumped trying to figure out how these network components work together."

B
"You know, let me introduce you to Tim," right? You know, stuff like that: help them navigate the community's organization and talk to the right people. You may also have knowledge that you could share. Well, there'll also be a lot of guiding away from dead ends or keeping people on scope.

B
It's really easy for a vendor to say, like, "but I found this Docker vulnerability," so we want to keep people on the code base, which sounds easier than it is, and then that tends to grady enough as they finish, but then they write a bunch of docs. We'll ask for specific kinds of documentation out of them, and then we take all the docs and then we're going to review all of them and funnel some subset of those vulnerabilities... we'll funnel all of them, but some subset of them will become embargoed by the PSC. They'll say, "okay, no, we're not ready to publish this one."

B
"So I want you to sit on these vulnerabilities until we're able to address them," and then they'll tell us which ones we can publish. Last time, actually, none of them were embargoed, which was cool, but that'll be up to negotiation with the PSC. Then there's publishing, so we'll take all the findings and we'll publish them. At this point...

B
I remember, and a bunch of interviews and stuff just to get the word out about the findings, and then there's a lot of work also around helping guide those vulnerabilities through the process, helping stack them, prioritize them, represent them, and others, say, expenses like a negotiation that has to be made with SIG Auth, because there was made up a fundamental design decision that we think is wrong because at least this vulnerability, etc. We'll want to address that there, and then...

B
We prepped for a talk at KubeCon and then we got ready to do it again. We would actually have already been well into the process at this point, but 2020 happened and the creation of security happened, and those two things just... I don't know how those two things blew the entire project out of the water for a year, but it did, and here we are, ready to get started in December. So, did that answer your question?
A
Yeah, sounds like interesting work. I'm looking forward to doing my best.

B
That's exciting. We have... I just, to be like honest and a little vulnerable...

B
I don't know what to call it, coaching sessions, one-on-one with leaders of the, of, in various researchers. I did a lot of the heavy lifting myself because, and honestly it's no one's fault, because I wasn't good at sharing. So if I... I want to continue to contribute to this effort, so one, I'm going to raise my hand and say if anyone wants to take over a leadership position on this working group, I have no attachment to it; happy to take a chop-wood, carry-water role.

B
I'm also happy to just be a supportive facilitator and get this done, because I have done it once before, and I'm happy to share my experience through leadership, but I'm not attached to the role. So if anyone wants to take it from me, just raise your hand and it'll be yours faster than you can turn around, but yeah. So if you're happy to contribute, that's great. The next steps are to publish the RFP; it's actually already written.

B
Either sign, like, agree to it, or we can work through changing it. The CNCF did set aside money for us this year. I reached out to them this week and I told them that we would be unable to spend it this year.

B
It's just too late. We're finally up and running, but it's just too late. I don't think we'd get good... we'd get good proposals, and people are gonna start leaving for the holidays. So I propose that we share out the RFP to everyone who wants to get involved in the project. We take some time offline to review it and agree or disagree or make changes, and we can iterate, and then early Jan, like Jan 6, like as soon as everyone's back, we publish and wait for the deluge of proposals.
A
Yeah, I'm speaking for myself, but I'm sure the others also share the opinion, and that we can help in any way you need so that you're not overwhelmed.

A
But since you've done this before, I think that experience is important, like Diego just said. So like, if you'd rather not lead, not for this time but for the next one, then we can take like two or three of us and like follow you closely and learn the ropes, but for this time, since you're the only one who's done this before, I think it's important if you at least show us the way and give us the tricks and tips.

B
GitHub, everything got moved around? No, looks like that's just...

B
There's a security audit 2019 folder; there's an RFP there, so I'll share that in the chat right now, just a link. I'm sure you can find it. This is the RFP that we published in 2019, and then let me check the sharing permissions on this doc.

B
Actually, that's a good point, a good point that I made to myself and didn't share out loud.

B
Was everybody comfortable sharing amongst ourselves an email address that we can use for sharing permissions, so that we don't use public sharing email addresses? Like, I don't want to open up sharing of documents to the whole world. Nice.

E
Yeah, I just saw that now, I think. That's... I don't...

B
One there right now. Some people pasted them in Zoom, so I'm just gonna pull those out real quick and then I'll check the Google Doc in a second.

B
Apologies for markdown in Google Docs; that's just how we were collaborating. I don't know why it's the way we think. Yeah, so this is written with some placeholders, like when dates get dropped in, because we didn't know when we're going to publish. I think the most interesting places to get a better RFP would be the selection criteria, like what do you think is really valuable in a vendor who's going to audit the Kubernetes code base, and then the methodology is something that I'm open to.

B
The constraints is some learnings. Last year we had two different companies working on the same project, and their collaboration was effective, and we did eventually get a good product, but it was very expensive for the working group to manage two different vendors at the same time. So we don't... I don't want to do that again.

B
We put that in there and then, of course... oh, I should... I read from the bottom up sometimes; I apologize if it's confusing to you as to why I'm going this direction. Then of course what's in scope is another place where we could use more eyes. A lot of what is in the document and listed as in scope is a product of my thoughts and jbl's thoughts and Craig and Grim's thoughts and Joel's thoughts, but those people aren't all here.

B
So let's get our thoughts in there and make sure they're represented. These seem like really important parts of the code base to it.

B
The piece that I pushed most strongly was the creation of the threat models and the dataflow diagrams and stuff. I don't know if we need to do that again. That was a very expensive aspect of this audit. I think, while it's changed, it's probably not time to do a re-evaluation of the threat model, but... sorry.
B
The other ones are different takes on Kubernetes security, holistically. There's a white paper that we asked Trail of Bits to write that talks through how they put their environment together. This is, I'm hoping, I'll make it easier for future researchers to audit Kubernetes. It turns out spinning up a Kubernetes cluster is impossible because there's no such thing as a pure Kubernetes cluster. You spin it up with something, right, and this is their experience in spinning...

B
A red team styled, like what is it like from a tradies... all worth reading, but we are talking about, I don't know, a couple hundred pages, I think, total, if you put them all together, so skim.

B
So one of the roles that I played last year was kind of doing a lot of the direct interface with the CNCF, just like "get money," because that's where the funding comes from. I'm happy to play that role again. I have a decent relationship with Chris over there and we helped figure that out. One of the harder parts of this subproject is walking the confidentiality line.

B
I love the idea of having our meetings public, recorded, and inviting anyone to come; that works great. Now, there are a couple parts of the process that I... I think we should... I'm open to suggestions, but I think we should keep in a smaller invite-only group, and that has to do with evaluating the RFPs.

B
So we don't want those to be public. How much money we have available and how much money we are paying, I feel like, should also be kept in confidence.

B
So we want to keep those things to ourselves, and then, I think most obviously, when vulnerabilities start coming in, we can't talk about those until we've gone through the disclosure process, so we will, at some point, need to put together a place to converse that is private. One of the pitfalls that happens when we've done that in the past is all communications... Oh, sorry! Well, yes, hell.
A
I wanted to ask you to clarify what you said about the vulnerabilities being confidential. So is it the case that basically, don't talk about any of this until date X when we decide to disclose, and the minute we disclose, then who cares, basically? So my question is that I'm always making videos and blog posts, etc., so like, if the day that it's allowed to disclose I already have a video and a post and something else ready, is that okay, or like...

B
Well, yeah, I just... I don't see a problem with that. So we'll be under the PSC's embargo rules, right? So because we will have... we, as contributors to the project, we'll have received a vulnerability, even though we didn't hunt for it ourselves; we paid somebody. "Well, I found..." what we'll have, that's wonderful, and we will report it to them. We are now under their embargo rules, so we'll want to respect those rules so that we can continue to contribute.

B
It might be better, for example, to do a joint press day with the CNCF, but I would consider that more of a strategy or a cool thing to do, not a letter-of-the-law-like rule. If you want to publish a blog post after we're out from under embargo, like, go do a video, do a thing, go for it.

B
How did it really go down last time? So, last time after we published there was a CNCF blog that I think Chris published. I contributed to that a lot. Google wanted some points, so I was brought there. You know, they were paying my salary and I had basically been working on just this for like six months, so I wrote them a blog, and none of this was very... organized. Just like, well, these are things I feel like...

B
I want to say these things, so I said these things. I think Jay wrote something under his, and guardians, company, and then there was a Trail of Bits... did a KubeCon talk and I did a KubeCon talk. Like, it was all just kind of scattershot. So I think it's fine.

A
All right, thanks. So next steps would be for us to review the RFP, the previous one, and then see if we want to make changes to the current one and, if possible, take a look at the findings from the previous audit and see if that's going to influence anything. Is that correct?
B
Yeah, I think so, and even if the find... your assessment of the previous audit isn't directly channeled into what you think we should do this time, let's talk about what we think we should do this time. I should... we should note in the RFP that this is...

B
We also don't want to give competitive advantage to vendors who happen to, like, cruise signals. So that's why I'm keeping that doc locked down for now.

B
Thank you for taking notes. I feel like that was my job, but I really appreciate the help. Thank you.

D
Erin, I just have one question. Hi. So you mentioned about talking to other SIGs, one-on-one and stuff like that, and if there was any action item related to the audit findings, is, like, do we have a record of it, or, like, are we tracking somewhere? Like, for example, some vulnerability is found in one piece of code, any approach that... say again, they say that they are working on it. Do we know, like, are they actually working on it, or, like, is it going in a specific release, or what is the plan? Are we... do...

B
This is my opinion. It is my opinion that one, if... once we have... actually, let me rewind a little bit. There are multiple kinds of vulnerabilities we will learn about. There are structural ones and there are vulnerability... vulnerabilities, like CVE-style bugs. Suggestions to improve the security design of Kubernetes will not be solved in a single patch release. They're going to take time and someone should step up to drive them.

B
Vulnerabilities that are buffer underruns or whatever should be addressed differently. So in the standard vulnerability management bucket, our job is to get those to PSC, and then they will manage them and tell us when we can release them. We might file issues, GitHub issues, so they're easier to track. I think that's where our job ends. Okay, I wouldn't feel good publishing findings that weren't fixed or were low, like... I would feel really bad if I published a high-severity CVE against Kubernetes that wasn't fixed or mitigated in any way.

B
So we definitely don't want to do that. With the systemic stuff, honestly, I think we get so little traction on systemic changes to Kubernetes security that I just want to shout out from the rooftops, like, "look at the fire, someone go fix it." We're... this is going to be a small group. I don't think we can really sign...
B
The only rule set we're playing by is code of conduct and the embargo policy. The rest of it is up to us to define. So if you think we should pick up an issue that's really important and drive it beginning to end, then let's do that.

D
Okay, that makes sense. Anyway, it's the first time I'm, like, even exposed to this process. So I'm learning, and I was just curious, since security was just formed, and I don't know still, these processes and stuff are developing, and I was also wanting to know that, if something that you talk to the SIGs, if they addressed it or, like, how they responded. I was curious on that, like, how did they even respond? Like, "okay, yeah, we will look into it, we'll work on it," or that's it. It answered my question. Thank you.

B
What? Hold on a little bit. We are out of time. If anyone wants to leave on, beyond time, please, please leave. I'll hang out for a second to answer that. Mostly it was, "oh, we'll fix that," and then it got fixed. Some of the issues were, "I know you think that's a security issue, but it's not. Let me talk about why our design principles trump your reporting of this issue," and that would result in conversation or debate, and that fizzled or didn't fizzle.

B
How does 30 minutes feel as a cadence for this? I don't like long meetings if we don't need them, but if we think there's more to do here than we can, extend it.

E
I do have one more thing to add, just to close the loop on eventual CVEs. I know one of the release managers, Adolfo's working... He also helps out release, like, a lot of patches, or the patch releases for Kubernetes.

B
With us before was we had two people on the working group who were members of PSC. They're not here right now; maybe they'll come back. I'm not on PSC, I'm on the Istio PSC, but like, how helpful is that? Not so. Like, hopefully we'll have some cross-pollination, but regardless we will... obviously we need help from a release.

A
When should we have the review of the RFP done? Well, do you want to meet in two weeks? That's a good question.

B
It'd be December 23rd, the day before Christmas Eve. Do you want to just make it on the sixth? Oh, for either.