From YouTube: Kubernetes SIG Security Audit 20210623
Description
No description was provided for this meeting.
B: All right, so let's start. First off, I'm gonna replace the link to the agenda in the chat. Please sign yourself in. Just a heads up: this is a CNCF or Kubernetes meeting that we do by the CNCF code of conduct, which boils down to just being nice to everyone. Also, this meeting is recorded, so please be aware of any confidentiality.
B: I have the agenda listed out here, and if you haven't heard yet, we do have a fourth proposal that has been submitted, which is great. That means the RFP closing date and the vendor selection announcement date have been set in the RFP, so that is for July. July 6 is when the RFP closes, and also when the question period closes as well, and then we have two weeks from July 6 to review the proposals and to announce the vendor selection on July 20. Any questions on the dates so far?
B: You did? Okay, great. All four vendors were notified that their proposal has been received, and the RFP closing date and the vendor selection date have been updated. Do you want to pose a question? Should we reach out to the community for a last call for proposals through contributor comms or through the official Kubernetes Twitter accounts?
B: Yeah, same here. So, yeah, I will ask them. Should we go beyond that? Should we go through the other Kubernetes communications, or just have Tabitha and Ian? I know both have large followings.
B: Okay, I could reach out to the folks who are running the Kubernetes Twitter accounts. All right. The next step is to start the vendor assessments, which start either July 6th or July 7th. That's a two-week period, and I will set up a spreadsheet similar to what Aaron sent as a template.
B: No history, I'm probably going to be pinging Aaron, you know, just for advice on that, and I will also ping the group on the Slack channel for any details of that spreadsheet as well. Let's apply a five-point Likert scale. So we'll start that on July 7th, so that's good that we're starting after the holiday, because the fifth is a Monday, so that's the Fourth of July observance. So we'll start after that. Any questions on that?
D: Those sessions, and then this group has, over the course of the formation of the subproject and the formation of SIG Security, been very inclusive. If people want to come and contribute, they can come and contribute, and it's been a self-selection process of who wants to participate in this. Should we somehow change that as we enter the more privileged process?
B: Yeah, and another thing I was also considering: we've had people join for a meeting, and then they're part of the Google group, but we haven't seen those folks again. Also, another option is to have an opt-in process, not just an invite, but for people to opt in to be part of the vendor selection or the vendor assessment. But then again, how do we have that process?
D: Time we did this, it was all so informal. There were four of us. We had a private Slack channel; all of the rules around how Slack channels were managed didn't really exist at that time. We had a private Google group. We had a private Zoom meeting, and what we did is, the interactions were primarily secret with some public, whereas I believe our approach is primarily public and then do as little as possible secret, which, for the record, I far prefer. It just does require a little bit more forethought.
D: So I would propose that we take this to SIG Security and tell them that we're transitioning to a less open model for the duration of the audit, and then we will open up again at the end. And I think we should have a strict opt-in, even the people on the call right now and people who watch this YouTube video and people who have come to previous calls. I think they should re-opt in and maybe even agree to something kind of PSC.
B: So I know part of the release team, for those who have privileged access, they have to put in a GitHub issue that they abide by the PSC rules, or something of that sort, on a GitHub issue, and we can have something similar: have this GitHub issue, and for people who opt in, take it a further step of having to comment on that issue with reading and agreeing to those rules of the PSC.
D: That sounds right. Okay, wait, let's not reinvent the wheel! So then do we create a new Google group, like dash-private? I agree, yeah, and then we can use that to control access to Google artifacts like Google Docs and spreadsheets and whatnot, yeah.
D: You know, a thought occurs to me: is it correct that we use, offense patrick, only Google products to facilitate the execution of the audit? Would it be somehow more open to use a different document format in a Google Drive, even, but not to require everyone to use a Google product to collaborate? Or is that something that we've, as a Google spin-off, just kind of accepted, that these are the collaboration tools of the land?
D: Yeah, I mean, that's actually what made me think of it. I was like, okay, we're going to use the Google authorization system of Google Groups and Google Sheets, I think, cool, to record the selection, and then we'll, you know, post it all on YouTube when we're done. I think it is kind of the accepted comms platform for the community's project, so we just roll with it, but I do want to give the opportunity for objection to that.
E: The only other thing that would come to my mind would be something hooked into GitHub, right, but I think it would be much more involved to create like a sub-organization or anything, so.
B: All right, so just to summarize: we'll have a second opt-in process for this. I'll take it to SIG Security first to transition to a less open model for the rest of the audit, then open it up again after the assessments. We'll have people who do choose to re-opt in create a comment, similar to what we do in the release team for those privileged modes or privileged access, to agree to the PSC rules, and something like that.
B: I'll try to find what that is and I'll have its format and present this to Tabitha and Ian first, then present it to SIG Security. We also agreed to create a new private Google group as well for private access to artifacts, like the spreadsheet.
C: On the CNCF side, when we do our security assessments, we have some sort of attestation. I mean, it's not validated, but, you know, something to the effect of: I don't have any conflicts of interest and I'm not an employee of one of the vendors. You know, something simple like that. So I don't know if that folds into this PSC template or something.
B: I'll have to take a look at that, but I do remember that. It's been a while since I was required to, when I was part of SIG Security. It's been a few years. I do remember that, and that's something that we could also adopt as well, since we're not reinventing the wheel; we're just adapting both processes of the CNCF and also the release team.
D: That seems correct. Last time we did have, well, Jay is a co-owner of a Seattle-based pentesting company with Kubernetes expertise, and he obviously didn't submit an RFP, even though his company would have potentially been a reasonable selection, for that conflict. But, like I said, it wasn't super formal. It's like, well, that would look bad, so don't do that. But as we get more mature, we should probably write that down also.
B: Yes, yeah, I do plan to recreate that or create a new one for this time, so we'll get that fine-tuned in the next 13 days before the assessment.
B: I do want to pose a question on this: for the budget discussion with the LF and the CNCF, is that something we do after vendor selection, or is that something we do right now? I remember Aaron having that discussion several months ago.
D: Yes, so as the resident continuity mantle holder: the process for funding this will not be a one-time atomic event. We will get a ballpark number from the CNCF, which I already have and can share privately when the private group is all put together. Then we'll review the proposals with that in mind.
D: But knowing that it's not like a red, we will probably select what we think is the best proposal on balance, and then we'll go back to the CNCF and see if we can reach some kind of an agreement: a three-way conversation between the selected vendor and the CNCF, to see if we can reach an agreement. It is not atomic.
D: I'm happy to help with that. I do see my role primarily as, like, an emeritus, but I'm happy to have your help on that. Thank you.
D: It is conceivable that over the course of the audit we will find a P0 that we kick to the PSC and that could get fixed, and we could talk about that alone, like, I'd be happy to do that. But there will, at the end of the audit, be a data drop, and I think the earliest we could present that is probably KubeCon EU again.
C: Eventual question, and I'll go read the docs and there's some show process, but for the embargoed issues, I would think that that would inform not necessarily the vendor selection, but our overall assessment of the audit results. Is there a process by which, you know, we can have review of CVEs that are in the process of being worked up or embargoed?
D: So last year, last time, we were notified. The private group aspect of the audit working group was notified of the embargoed vulnerabilities simultaneously with the PSC, because we are also able to use that to steer the audit a little bit, like: hey, you found this, union that data with my resident expertise, go look more over there, kind of a thing.