From YouTube: Kubernetes SIG Security 20230112
A
Hi, welcome to Kubernetes Security. I'm Ian Coldwater, pronouns they/them. I am one of the co-chairs of this lovely SIG. Welcome to the new folks and the returning folks, I'm really happy to be here with all of you.
C
Sorry, my name is Rey Lejano, my pronouns he/him. I am one of the sub-project leads for SIG Security Audit. I'm also involved in other parts of the project as well.
D
Now I'll go. Hey folks, Olive Duberry, she/her. Happy New Year. I am the sub-project lead for the self-assessment sub-project, which is responsible for, offers the service of, doing threat models for different projects throughout Kubernetes.
E
Hi, my name is David. I'm here to push runtime security and security behavior work as part of Kubernetes, which is, I think, a missing part. And I wish you all a Happy New Year, which I'm sure we're all going to have.
F
Hey everyone, I just wanted to remind you to say hi to everyone. I will not be able to stay today, but have a nice meeting and have a nice week, or two weeks.
G
Hi everyone, my name is Bill Burton. I work over in GKE, Google security lab. Yeah, just working, and also have some thoughts on CVSS scoring, but I want to preview that later on.
H
Sorry, yes, I'm sorry, mine. Hello everyone, my name is Anu Matthew. I work for Microsoft and, you know, I attend, so I'm lurking around to see what's been happening.
B
Hi everyone, I'm Grace. I'm a student at Waterloo in Canada. Previously I've been involved with [unclear], you know, SIG Release stuff.
J
Okay, I'm Eric Smalling. I'm a developer advocate at Snyk and I help with some of the scanning we do on the K8s stuff, and that's me.
H
Hello, I'm Mohit. I do security consultancy stuff.
A
What's up everybody, welcome everyone. We're here. Okay, so usually the way that these meetings go, and basically always, is that after the introductions we have report backs from our subgroups. We've got four subgroups and each of them does a report back. So first off on the agenda is the one from the audit subgroup. How's it going over in audit?
C
Hey folks, it's me. So for folks who don't know about the third-party security audits: it's a sub-project that helps coordinate and facilitate a third-party security audit for the project. The status for the audit sub-project is that there was an audit done in 2022. It's going through final review with the Kubernetes SRC, the Security Response Committee, and waiting for publication.
C
We do have a... we started a draft, or the CNCF started a draft, of a blog post that will go out when the final review has been finished. Yeah, and that's it for me. Any comments or questions?
A
Also, I see a couple of new folks have joined. Hi, welcome, feel free to add your name and whatnot to the agenda doc, and if you need a link for that, we can probably send you one.
A
Next up on the agenda is SIG Security Docs, which is being run by Savitha, who said she's potentially late to the meeting, and she isn't here yet, so I might bump up a different one. So is anybody reading for PJ?
D
I would volunteer, but I want to make sure I take good notes, which is hard when you're talking. Okay.
A
I can read for him. So I'm going to reverse tooling and docs just to give Savitha another minute to get here. So PJ, in absentia, put on tooling: there is a new time slot Doodle poll, presumably for time slots for the SIG Security Tooling meeting. Feel free to vote in the poll so that we can figure out a new time slot for that. Updates for alpha-to-beta graduation of KEP-3203 are in progress.
A
Thank you, Mahe. There's open PRs for reviews and an issue that needs help, so feel free to click on those and make your comments and help with things accordingly.
A
Okay, and I think that is actually it for that. Allah, I think that that is already covered. Thank you for noting it though. Okay, and okay, Savitha isn't here yet. Rey's hand, though, yeah.
C
This is just a question for the recording, for those... and I'll send this out to the SIG, to the tooling group as well. I see that there's a PR open for KEP-3203 to go to beta. I'm assuming that's gonna be opted in for 1.27, as the enhancements call, or call for enhancements, has been open for the new, or open, release cycle for 1.27.
A
Yes. Does anyone have any questions about tooling besides that? Sorry, I'm not a good facilitator today.
D
Questions are wonderful. So yeah, on the self-assessment side: oh my God, so I finally figured out how simple it was to actually just update some YAML that I don't need to compile to Go, so yay. There's that. I just need an approval on the PR to create the vSphere CSI driver self-assessments channel, so that I can just start coordinating there with you, Grace, I know you want to be involved, but also Shang and other folks on the project, so super... or who want to participate in that exercise.
D
So, super excited about that, but yeah, it's just, I think, Ian, it needs either you or Tabby to bless it. So thank you, everyone, for your patience. Well, it took me six months to figure out how to do this, but we got there in the end.
D
So that's great. And then, oh, I need to set up a meeting, a recurring meeting for self-assessments, and I think, Ian, I think I DM'd you for... I just know nothing about how to do that. So yeah, if I could just, yeah, have you and Tabby help me get that set up so that we can start the flow of collaboration, that would be awesome. Yeah.
D
Awesome. And then I'd love to, and maybe this is best saved for the discussion section, just tips on what to include and how to use the meeting would be really great. I probably should just go ahead and attend, you know, tooling, docs, those subgroup meetings, to see. But yeah, I'll ask in the security channel, because these self-assessments, it's threat modeling, so there might be just specific things that are best, you know, just to make sure that I highlight in that meeting.
D
So that's that. And then I am doing this cool new thing called sending out a survey to get some information.
D
I figured out that I could just ask, you know, in a survey, to just gauge appetite. Thinking about using the mailing list and then posting to SIG Security like, hey, who would want this? And then part of the survey, which there's a link to in the doc, I would really like feedback on it, like what else should I ask or what should I take out, is to, okay, if you have expressed interest, like, show us what your collateral is.
D
AKA, like your data flow diagrams, to kind of see people's levels of preparedness, because one thing, just as we've been discussing this over the past few months, is, you know, the fidelity of the data flow diagram is really what's going to drive the quality of the threat model. So really wanting to increase the likelihood that there is high levels of preparedness for people who come to the session. So I think like just getting that baseline of interest and then saying...
D
You know, they get the best threat model that they can from the time. So yeah, again, the ask is just click on that survey link, and you know, you can DM me or put it in the self-assessments channel for just, you know, any improvements there.
D
I've said a lot of words, but I think I didn't add any additional notes because I don't think I said anything kind of new, but yeah, any questions or suggestions based on those bits of mischief?
A
Thank you for doing this work and for bringing this up. I will coordinate with you to do the meeting stuff and hit approve on that PR. I have another PR too, at least one that I need to approve, so I'll go and sit down and do that today. And yeah, feel free to answer the survey and help with that stuff, everybody.
A
Savitha isn't here, and fair enough, but also I think probably we need to read for docs. So anybody feel like reading for docs? Where do you want to...
I
Yeah, I can, yeah, sure. So yeah, there's a couple things for docs. There's a Slack thread on the confidential computing blog post update, so the draft PR will be soon. So that's definitely worth a read.
I
The other thing we're looking at at the moment is the hardening guide, and Kailyn is picking up trying to break that up, because I think what we've realized with the hardening guide is it's a very big endeavor and I don't think anyone really wants to try and do all that at once. It's just too much, so we're trying to break that up into smaller pieces, and if there's any bit of it that piques someone's interest, they're like, I'm really interested in this aspect.
I
It would be awesome if you would like to pick those up, because that's the idea. Once we've got them done, the only thing we're kind of working on now is just what the process is going to look like for, like, you know, how do we integrate each one? So do we put like drafts of one in? Can we do that, or would that look weird on the doc site? Or do we draft them all and then put them all in?
D
I have a... Rory, when you say the process for integrating each piece, is it sort of like, so right now it's just one document, or one, like, re..., or you know, maybe it's just like one file in a repo and sort of the...
I
It's like we're gonna have, like, sections like authentication, authorization, that kind of thing, and obviously if, like, authorization is finished first, we couldn't put that into the doc site without... like, it would look really weird on its own. So it's, how do you, like, say? Do we have to have them all drafted and then put them all in, or can we put one in and say, look, the rest are coming, honest, don't worry about it? But that would feel kind of weird for the docs, like I...
D
Got it, so it's coordinating with the Kubernetes website front end, in other words, so that you can incrementally deliver, like, hey, we did something valuable, yay.
J
Yeah, that's the one that I keep apologizing for not having time to get to, that I said I would.
A
I think that's sort of one of the things about, you know, breaking up the hardening guide into smaller chunks, right, is that if everybody wants to work on stuff, is committed to working on something, but is really daunted or doesn't have the time to work on a giant thing, then maybe it will be easier for people to work in, like, little smaller bits. Yeah.
A
Fair enough. Okay, we're in the discussion section now, which is the open part where people get to bring their thoughts, ideas, fun hacks, whatever they happen to come with, and security is what people make of it. So if you have other things to discuss, or thoughts or ideas or fun hacks that aren't listed in the discussion, feel free to list them. And first up on the discussion is Allah.
D
Oh yeah, I just wanted to, just a quick reminder that the deadline for the maintainer track talks to be submitted for Amsterdam is coming up. It's on the 27th, at just before midnight Pacific Standard Time. And I guess, even if you want to chime in with here.
A
Just a quick report back from the chairs and tech leads meeting is that we, apparently this KubeCon around, have a new thing where SIG subgroups are allowed to submit their own talks. I'm not necessarily suggesting that we do that. Historically, SIG Security has just had everybody kind of in one conglomeration of subgroups, just talking about what SIG Security does as a whole, but if any of the subgroups are feeling excited about having their own slot for any reason or another...
A
That is an option this time around. The caveat with that is that, because this is a new thing that they are attempting, if the maintainer track has a full set of talks, the subgroups are gonna be the first to be bumped. So heads up on that, if any subgroups decide that that's the thing that they feel excited about doing. I'm, again, not necessarily suggesting that we do that.
G
Yeah, hey everyone. I think back in [unclear] sometime I mentioned I was working on a discussion document around CVSS scoring, kind of trying to hammer it out. There was an SRC request to, I think, clarify how we do CVSS. It generated a lot of really good discussion in the group. I said it would be done in a few weeks, and that blew up in my face.
G
So, a few months later now, I just wanted to say that it's around the corner, just about ready to copy and paste it out from the working documents and everything, so look out for it in the next week, yeah. So a couple things: you know, it really is meant to be a place to kick off discussion. Looking for lots of thoughts. There's a couple of straw man proposals, one is a bit more fleshed out.
G
The other isn't. That's mostly a reflection of me saying I just need to get this out and have eyes on it, as opposed to one or the other being, I think, more the right way of doing things. And so, yeah, want to raise awareness, let you all know that that's coming down the line, and also ask: besides, like, the GitHub issue and the SIG Security Slack, is there any place that I should be spreading the word?
G
Cool, well, I'll post it in the Slack and in the GitHub when it's all ready, and looking forward to some discussions.
A
There are currently no suggestions as to where you can spread the word, but if you haven't brought that up in the Slack channel, I recommend doing so, because there are people who frequent the Slack channels who are not necessarily in these meetings who might have thoughts on that. Rory, you got a fun thing?
I
And the answer is yes, in a kind of limited way. So the idea is, you can basically make the port scanner make requests to arbitrary URLs or ports, and then you can read the response that comes back and the error message that inevitably happens, and from that you can say: hey, I'm the API server and I can reach this port, or I can't reach that port. This one's got an invalid cert.
I
This one's got a valid cert. And whilst this is kind of totally uninteresting in unmanaged Kubernetes, because if you've got the rights to do this, you need a lot of rights, like create validating webhooks, in managed Kubernetes, like the cloud Kubernetes, the API server is in a network that's not managed by this customer, and technically you shouldn't be able to access it, but you kind of can.
I
So this is just a fun thing if you want to play with the idea of, you know, what can you do with the API server, and how can you abuse it and create all good like this? This is kind of a known issue and there's some ideas for locking it down. In terms of fun, I tried this out with some managed clusters for the big providers, and didn't find anything super interesting, but the amusing one was Amazon, who noticed me doing it, and after I'd started scanning had locked it down in about two or three minutes, which was fun because ports that were previously reporting closed suddenly reported filtered. I'm like, oh, I've been firewalled. So yeah, it's kind of a fun one to just kind of demonstrate how it's tricky to do managed Kubernetes, because you have to realize the API server does a lot of stuff that's kind of hard to get right.
I
I don't know, I just literally port scanned. At one point I was getting 22 closed, so I could hit SSH, and it came back saying this isn't HTTPS, so okay, that's gonna be SSH. I then did a range scan where I scanned an entire subnet, and then I tried the 22 again and it said no, that's filtered. I'm like, I'm fairly sure that wasn't filtered before, so they actually spotted me doing it, which was fun.
I
So obviously, if you try this on anyone else's managed Kubernetes, make sure that they're asked, that their agreements allow you to do that and that they have bug bounty programs in place. Don't do it in places where you don't have authorization, but as long as you've got authorization, you can basically scan, right.
M
Oh yeah, it was just, oh yeah, I saw some of the discussion from Rory, there's a post around, like, using connectivity and filtering egress between control plane and...
M
And I was just sharing a feature request that Tim Allclair had opened around, like, how...
M
Webhooks, right, because, like, webhooks a lot of times, it's expected that there's a service listening on localhost, so it doesn't, like, go through a lot of the same connectivity stuff if you have that set up in your cluster. So you know, the feature request is open for discussion on, like, how to handle that safely.
I
The other fun one I kind of linked to in the blog just below that is there's a thing from Kimball in 2019, where you can basically con the API server into scanning URLs, apart from localhost or the metadata server, which won't work because it's blacklisted, but that still works. So it actually gives you full responses back as well. So if you ever find anything with the port scan, you can then use canvault's technique, which totally still works, to actually get the response back, and that turns into a much more serious issue.
I
But it doesn't work for metadata. I've always wondered, if anyone ever wanted a fun job, trying to work out those holes in that blacklist, because there's a blacklist that says no scanning 127.1 or the metadata server and any variants, and I've always had a project of: could you fuzz that to say, any of the many ways you can play with a URL that would make that work differently? Which, yeah, next time I get holiday.
E
Yeah, so just want to update about the blog post I'm working on. Should be out on the 15th, talking about the fact that all microservices are essentially vulnerable. You can't assume they are not vulnerable, and therefore you need to have security behavior monitoring.
E
It is now up to the docs team to either approve it or not approve it on time for the 15th. We are struggling with things like, the docs are concerned that it will create panic, that's what people think, that everything is vulnerable, so what do we do now?
E
And so the title needs to be set right, such as we will not be too concerned. Having images, that they ask for SVG, we can do a PNG, and a lot of technicalities there. I'm not sure if it's going to be on time, whether there are going to be enough resources from the docs side to push it forward, but I hope. Okay.
E
I'll add a link to the current draft in the summary.
E
Okay, there is a fairly ready blog, but always, if people would read it, I'm sure there will be additional improvements that can be made there, so everyone is really invited to try and pitch in and turn it into a more accurate blog post on this subject.
D
I would love to participate in that, so yeah. Oh, and the link is right there, so yeah, I would love to, I will totally give that a read.
C
I'll also place a link to the Slack thread where this blog post has been discussed as well. It's also on the pull request as well. I'll add it to the meeting agenda. Nice.
A
All right, awesome, thank you. That is the end of the discussion as written. Does anybody else have anything they want to talk about? Floor's open.
A
If not, fair enough. The SIG Security Slack channel is open 24 hours a day, seven days a week, if you have any burning thing that you are really wanting to talk about between now and two weeks from now. I hope that all of you have an absolutely wonderful two weeks. Thank you all for coming and being here, and hack the planet. I'll see you in two weeks.