From YouTube: Kubernetes SIG Security Audit 20210428
A: All right, just please sign in when you have a chance in the agenda. I also have a few discussion topics for today.
A: Mostly, since we meet only every other week or so, some of you may not have noticed the RFP has changed. So I just wanted to post a link to that PR.
A: There. Hello, John. Howdy. All right, so let's start. Welcome to the SIG Security external audits, or third-party audits, subgroup meeting. I posted a link to the agenda and I'll post it again for those who are just joining. Hello, Aaron. Hey, how's it going?
A: All right, okay. Just to remind everyone on here: since this is a Kubernetes meeting, we abide by the CNCF code of conduct, which boils down to just be nice to everyone. This meeting is also recorded as well, so keep that in mind for any confidentiality.
A: Remarks. I posted the link in the chat, and for those who just joined I'll post it again. I just had a few topics on that: first off, any new members? If there's any first-timers here?
D: Hi, I'm Titan. It's my first time here.
A: Hi, welcome. Thanks. All right, all right. Let's move on. So since we meet only, as I said, like every other week, some of you may not have known that the RFP has been updated. So in the agenda I posted a link to the PR that was merged, and I just wanted to briefly overview the changes. The big changes were changing the scope of the audit and extending the RFP until four proposals have been received.
A: Two have been received currently. So we're changing the scope of the audit to whatever the most recent release is at the commencement of the audit, since we can't actually define a specific Kubernetes release. Other than that, it's just setting the RFP closing date to two weeks after the fourth proposal has been received, since we meet every other week. It also gives time in case someone else, another company, wants to submit an RFP. And just changing the RFP closure and vendor selection dates to be determined, and we'll set those when that fourth RFP has been received.
A: I did, yeah. Okay, so I reached out to both of those, and I put the replies on the Slack channel. So both have replied, and one of them has a pretty good response into what they're doing, you know. So yeah, just check out the Slack channel for those replies. So I did that, and then I told them, I also mentioned, that we will notify them as well when the fourth RFP has been received.
A: Also changing some of the wording around the timeline to be more flexible, like we mentioned before, and just stated that the resumes and CVs are now preferred, not required. Yeah. So that's pretty much my updates, and, like I mentioned, I did notify the vendors of the RFP changes and I copied those replies on the Slack channel.
A: So that's it for me. Everything else is an open discussion. So anyone else, your proposals, more questions? Do the proposals have expiry dates? I will have to check. I know one mentioned it's a living document, so I have to check to see if that one didn't, and the other one. So I will check those.
B: Like two weeks ago or something I recorded a five-minute spot. Well, I recorded a seven-minute spot that got compressed to five minutes, so I talked really fast. So if you all want to keep going and listen to me, you should. It was just, I just wanted to give the world an update. Also, if you are already going to KubeCon, if there is Q&A in that particular session, we might drop a little excitement around submitting a proposal, if we're still struggling to fill the four.
A: All right, I'll take a look to see what that timeline is. I may not be able to be there. I'm gonna be out of office for a few days during KubeCon EU.
A: All right, any other discussion topics anyone wants to bring up?
D: No, I just had a question. So now that we're extending the RFP deadline until we get four proposals, I was just wondering, do proposals that come in, do they have an expiry in general? Or when they submit a proposal, there's no expiry on it, we can just keep that until we decide when we want to make a decision on it?
A: I'm gonna have to verify with those two. I don't remember. I remember for one, I believe there was none; it said it's a living document. For the other one I'll have to take a look to see. Okay.
A: Yeah, did we reach out to the security companies that we've already reached out to and just say, hey, we've revised the RFP, you know, there's no real end dates and looser audit timelines, and, I guess, looser requirements as well with not having the resumes and CVs required but preferred? I mean, we can do a second round of just reaching out in general.
B: That does seem kind of smart. Hey, you know, we didn't get a ton of traction, it could be, you know, and so we've relaxed the RFP requirements, if you'd like to contribute. Yeah, I could see that being a good idea. Yeah.
A: So I'll reach out to the companies I've reached out to before as well, and if... Oh yeah, oh, we'll do that. Who is that? I'll put that.
E: I'm just taking some notes. I didn't throw it on the agenda, but it might be worth talking about for a few seconds. Do we have any comments or thoughts on, was it SIG API? I think, sorry, Cluster API was looking for an external review.
A: We talked about it on the security meeting a little bit, and I saw Robert's updates. It was either something on GitHub with what was kind of stated as well; I'll find the links to the GitHub. I was notified of that. What are people's thoughts? I know we already talked about reducing the scope of the proposal.
E: Oh yeah, I know Robert brought it up again this morning on the CNCF security call. Maybe it might be good to at least share notes with them on the learnings we've had over how to go about this process. I don't think it can be done.
F: So, well, I can summarize how I think things stand and kind of both sides of the discussion. So yeah, based on our discussion last week, or two weeks ago, we kind of agreed that there was scope creep, and, you know, we've already been getting pushback from vendors on the scope being too big. So adding it to the scope wasn't ideal. I don't know that was like a binding decision, but that's, I think, where this group's intent was, talking with the Kubernetes security.
F: And I don't know the slippery slope argument per se, but I think it's more of a skills and availability issue on the CNCF SIG side. It's just that there aren't a lot of code auditors just jumping up and down ready to volunteer. And I've been a member of that group, you know, since it started, more or less, and even on the high-level reviews that we do there, there's often a lack of volunteers at all.
F: So I think it is very much a capacity issue, and that's what was brought up on the call today: that if they took this on for Cluster API, then logically wouldn't every API group want a similar review? And therefore they didn't feel there was capacity even to do the high-level review. So not a code audit, not any kind of assessment or pen test, just like a high-level review. Even that was too much. So
F: I think there is an argument to be made to try to do something in the community, while, you know, we could augment that or complement that with something that's paid. But yeah, I mean, I'm open to suggestions or pushback on that.
A: So should we take this back to the Kubernetes security, asking, I guess, for volunteers to do an assessment, from Kubernetes security?
F: I think that's where it is de facto, because the CNCF SIG kind of punted on it and said, eh, we're mostly focused on TOC sandbox and incubation projects, not really equipped to do Kubernetes API sub-project work. So it's effectively been kicked back. So yeah, I think we should probably go back to Kubernetes and say: hey, you know, can we do this? Can we do something organically, and we'll just attach this to the next go-around of this external audit process?
A: That brings a thought to my head just for future planning. Instead of just sitting on this one RFP, should we also start planning for future RFPs, subsequent RFPs to create for like 2022, 2023, if we are to reduce scope and to add more than just the core Kubernetes components, like Cluster API? And there's many other, you know, components, like the hierarchical namespaces, or, you know, there is a lot, there's a ton that, you know, we could, I guess, plan for, and we could prioritize as well, as, you know, which ones are highly used, and
B: That, I think, would make a lot of the conversations that, I don't know, I've ended up having, and I'm sure others have as well, which is "why didn't you pick my favorite component?" It's like, well, I don't know, there's a thousand components. These ones were on the list first. But there's no list to point to; it just sounds like we're being arbitrary, and to some degree we were just being arbitrary.
A: Okay, I like that a lot. It also gives this subgroup, you know, additional, I guess, things to do while waiting for the RFP. So it's a deliverable, and we could have an audit roadmap. We could prioritize and list our components, what goes on the roadmap, and I think we could start off with, like, maybe next, in two weeks, we could start listing out not just the core Kubernetes components but the non-core Kubernetes components like Cluster API, and just start listing them out, so we could start building a roadmap for future audits.
C: Yeah, so the components that we've been focusing on, like, my impression was that what was at the top of the list was driven by, like, CVEs that we've come across, or where there was existing concern that we needed resolved? Was that an accurate perception, or do we just have a queue that we're working through?
B: It was based off of kind of a few inputs. When performing the last audit, what stuff felt like it needed more attention? Those things made the list. Now, remember, I think that's a particularly strong signal, because the audit last time was intentionally broad and designed to find places that needed more attention, right, with all the energy and threat modeling, a lot of interviews, et cetera. And the other thing that came out was: we didn't even put this in scope last time, but we all know it's critical to the security of the cluster. Like, I don't know, kubelet. So we probably need to include it. And those are the two biggest signals. There was no real broad process by which things got on there. It was just a couple of people in a room talking about it and picking the things that made sense given our personal experience working on it. I would happily replace that process with a real...
A: It's already been discussed, and we could go through any other formalities, you know, send it to like k-dev or something like that, to the usual big community-wide groups, so get eyes on it and go and start building a... You can start listing, like, the basics, of course, you know, like etcd and the API server and the scheduler and all that. Exactly those, but they should still be on the list no matter what. I mean, just so that we have it on the list, because people are going to say, like, why aren't those things on the list?
A: Yeah, it has to. I believe those core components have to be on some kind of cycle, and I don't know if it has to be annual or every two years, but that's something that we could discuss, and the community could be happy with whatever that discussion is. Yeah. So that's something to talk about. So yeah, next week, let's start building out the list and then eventually we will roadmap it. Fun.