From YouTube: Kubernetes SIG Security 20220113
A: Okay, it is :03, so I'm going to grab my laptop cord and then let's start the meeting. If there is anything that you would like to talk about that is not currently on the agenda, feel free to add it onto the agenda, because that's how we do around here. The first thing on the agenda as of right now is introductions, so hi, my name is Ian Coldwater.

B: I am heavily involved with SIG Security and I'm on the steering committee for the SPIFFE/SPIRE project, and I have also spent a lot of my time focusing on networking and telecommunications with the CNCF to help them with their strategy there as well. I've never been to one of these, so I thought I'd join in and help and see if there's anywhere I can participate.
D: I'm Adam Chamblin. I'm with the secure supply chain tools team at VMware, fairly recently joined, and this is the first time I've come to a SIG.
F: Hi, I'm Mohit. I'm a security consultant at F-Secure specializing in Kubernetes, and I lead the team for Kubernetes security. I'm relatively new to SIG Security; I'm just listening along and trying to get a bit more involved as time goes on.
G: Hello, my name is Jimmy Ray. I'm a DA with the AWS Kubernetes team, kind of focusing on container security and container supply chain security. This is my first meeting.
H: I'm Eric Smalling. I'm a senior developer advocate at Snyk on the cloud native and container side of the house, and I also serve as kind of a makeshift SCM for the Kubernetes scanning stuff.
I: I've been having problems with my mic; I got this new speaker and it's going crazy. My name is Savitha and I help run the SIG Security documentation project. I am here to learn, share and collaborate with the rest of the security folks and security-liking folks who are passionate about security, and that's it. I'm sorry, I'm just all over the place today.
K: Okay, thank you. Yeah, I'm Benjamin, I'm from Germany and an IT security student, and so my whole research is about Kubernetes and container security. When I'm not at my university or when I'm not studying, I work for a cloud consulting company and do Kubernetes security for them.
N: Thank you. Hi, I am Maureen. This is my second time joining this meeting and I'm with VMware. I am Adam's colleague and I am a software engineer who's interested in security, so I decided to start joining these meetings and see what I can learn. Thank you.
A: Cool, yeah, super wonderful to meet all of you, really glad you all are here. Is there anybody else who wants to do introductions? I know at least one person didn't say anything, but that's okay, we can have shadows. Awesome to meet you. Thank you all for introducing yourselves. Next, if nobody else wants to go, is subgroup reports, and the first one we have is from the third-party audit subgroup, in absentia.
O: So we have been working for quite a long time to get the provider signed, and as of this week that has been executed. There's a process I think we're going to follow to do the update to the RFP and notify all of the folks who participated in that process, so I'll defer on making that formal announcement of the vendor and next steps. But the good news is, after months of paperwork and legal discussions and phone calls and back and forth, we have executed the agreement.
A: Yay, awesome, cool. Next on the agenda is from SIG Docs.
I: Hi everyone, this is Savitha here. Before I start the update, I want to give a shout-out to Rory McCune. He is kind of an inspiration, and he shows up to most of the SIG Docs meetings where it's just the both of us, and it kind of motivates me to do better. I figured that I would like to start by saying thank you and giving a shout-out. Thank you, Rory. I might have not said it enough, but today I feel just grateful. It's grateful Thursday.

I: Moving on to the actual updates. When we kick-started the project we had a few things that we wanted to improve with respect to the documentation, and new things to add to the documentation. One of those was adding a security checklist for Kubernetes cluster installation and administration.

I: So last week we started; I started with an issue and I already have a volunteer, but if this sounds interesting to you and you want to contribute to it, please feel free to reach out to me, and you can pair up with the other volunteer. We welcome more eyes and more contributors to that list.

I: Adding to the list, next up: there was a PR that was open for adding Kubernetes admission control, and that has been merged. I forgot to put the link in; I'll put the link in in a bit. Next up, there is a follow-up: there is a blog post which is like a gist of this threat model and a little bit more, and it's scheduled to be published on January 19th.

I: It's all set. The last I checked, it had all the reviews and everything, and I think Rory pushed the final feedback and everything into it. So that is going on, and I do have a request. Two or three meetings ago, in this security meeting, we discussed having namespaces as TLDs and how many issues that can cause with DNS.

I: There is an issue open; we just want to add a warning right now. There might be some full-fledged solution later, but this is just to notify the users, telling them, hey, be aware if you are going to use this, there can be a DNS clash. So it's a really good first issue, and if you want to pick it up, please feel free to assign it to yourself or reach out to me, and I can point you to the previous couple of meetings.
A: We're all there right now. If anybody didn't catch that, there are good first issues that are open; they are linked in the agenda, and holler at that if you want to help.
A: You are great, thank you, cool! Okay. Next on the agenda is... okay, we got the K8s security checklist in there.
C: Yes, so yeah, Savitha, you weren't fast; I was able to grab all the notes from your topic, so hopefully people can catch up there as well. On tooling, we have one of the first contributions from a new member, Tommy. I think he is missing today, but he attended the working session last time and volunteered to work on this, and Neha, who has actually implemented this, helped guide him in terms of what is expected to be written, and now it's merged.

C: So thank you, Tommy, and congrats on your first ever contribution to the SIG. Next one is the Snyk job that we have implemented for build-time deps as well as container image scanning for k/k releases. That has been failing for a bit.

C: The issue is known and it was just a matter of fixing it, so I opened a PR with a fix. Essentially it will allow us to create a dynamic allow list based on GitHub issues, so once that is merged I expect the job to get running again. And just to be sure that we are not missing anything because the job is failing, I ran the script locally and it gives the same result as the first time it failed, so we should be good there.

C: Next one is security self-assessments. We do this for all the subprojects of Kubernetes, and one of them is Cluster API.

C: This has been going on for a while now, about seven, eight months, and with a good break under my belt in December and a lot of energy that I had left over, I was able to work with all the maintainers and others, people who have been working with us like Robert on this, to come up with all the data flows that we have discussed and are in scope. So that is all written down with the diagrams.

C: We also have now 20 potential threats that we think might be valid for Cluster API. So now they're going to go through a maintainer review; they're going to look at it and say: okay, this is valid but we already fixed it; or this is valid but it's an end-user activity, so we're going to document it; or the third option is, hey, this is valid and we need to fix it, and we are going to create a new issue. So that's how I see us progressing next on this.

C: We still will probably need about two or three meetings, most likely, to get very close to completing this, but we are closer than we were ever before, so I'm happy about that. While one assessment closes, the second one comes up, so we have a new request from the vSphere CSI driver, which is a subproject in Kubernetes SIG Storage, if I'm not wrong, and they have requested through a GitHub issue a self-assessment like we did for Cluster API.

C: I am very happy if somebody wants to be the friend or assessor for them and learn from what we did in Cluster API and do the same for the vSphere CSI driver. So if you are interested in that and want to know what it entails, I'm happy to talk now or chat with you later on Slack. That's about it from my side; happy to take questions on both tooling as well as self-assessments.
E: Hello, hi. Basically, as I said, my name is James. I'm the release lead for the 1.24 release team. I just wanted to call by, as I'm doing the rounds of the SIGs, and give a reminder of deadlines. You should have seen these in both the release team emails to the community and on the developer mailing list.

E: But of course, some major ones coming up, relevant to yourselves, would be the Production Readiness soft freeze for KEPs, which is on Thursday the 27th of January, and then enhancements freeze itself, when you need to have all your KEPs reviewed and merged, which is at 2 a.m. UTC Friday the 4th, the same as 6 p.m. PST Thursday the 3rd. So pretty standard as far as these dates go, as in week four, just at the very start of February.
E: Everyone's favorite topic. It's going all right, I think. I mean, obviously it's been removed; that's already merged into k/k. SIG Docs has a group, I'm not sure if it's technically a working group, but a group to deal with that whole communication, and Rey Lejano was working quite closely with them around communicating the change.
E: That is a good question. I don't know. I suppose, if you're worried about KEPs and these deadlines, don't be quiet about it. Like we always say, we've got this whole exceptions process for enhancements freeze and code freeze; we'd love getting exceptions early. Like if you know you're a week or two out, well, I say a week, a few days out of a deadline, and you just don't think it's going to make it, we'd rather know sooner, even if it doesn't end up being necessary.
A: You all really are a quiet bunch today. Okay, next on the agenda is, looks like, the user namespaces KEP has been revived and there is a link to it.
R: I put it there. I just wanted to share the link in case people missed that one. Thank you. From my read, it hasn't changed significantly since the last time it failed to merge, except that they're trying to divide the work into phases, like phase one would be supporting containers that don't mount any persistent volumes or host volumes. But the looming question of how you want to handle pod-to-pod isolation still remains.

R: If you're looking for that KEP, that's the link, and put your thoughts in there. I'm excited about that work.
P: I just have a thing I do, which is reading KEPs, because you can find out which ones are relevant, not so much the ones that we're putting in from the SIG, but ones that may be relevant to security. So it's always fun to go and read and see what's coming.
A: Yeah, those are fun. I put it on the bottom, and I guess I could put it up here, just for ordering's sake. Robert F is next with a thing about the policy group.
O: Yeah, just a reminder: the policy working group meets every other Wednesday at 8 a.m. Pacific. We did meet yesterday, and the next one will be the 26th.

O: Last year we worked on a policy white paper for Kubernetes and that's published. I think we're trying to clean up some of the graphics and make it look homogeneous with other white papers, but the content is there. Next up we're going to try to extend that for policy definition and organization and tailoring, and we've kind of aligned with this notion of a profile model, and that's derived from a structure called OSCAL which is coming from NIST. We had used OSCAL to align the policy assessment outputs.

O: So we have a PolicyReport CRD in our prototypes repo that's out there for everyone to review and use. Hopefully, several of the projects have either built little adapters or are starting to use the API natively to generate PolicyReport outputs. Now we're trying to align the definition of the types of policies and how you would tailor those policies for various compliance programs or whatnot. So every other Wednesday; we look forward to having others join and attend.
G: All right, okay, good, the policy working group. So with respect to wanting to know more about the Pod Security Standards and how those admission controllers are going to work, would the policy working group help me there, or is that primarily about something other than the Pod Security Standards?
A: If you are looking to talk about the Pod Security Standards specifically, that is a good group to talk to about that, and I think to some extent we all kind of work on it. But I think SIG Auth might be the place that I would point you to, besides us.
G: I guess what I'm looking for primarily is... the documentation has changed over the last several weeks, but there was a really crisp, let's say bright line between when you would use the Pod Security Standards admission controller and then where you would have to move into more granular, more powerful policy-as-code solutions that are primarily talked about in the policy working group. So I'm looking for that information, I guess.
A: So for the Pod Security Standards themselves, and actually I'm thinking as I'm saying this that maybe the folks in SIG Security Docs might also have some thoughts on this since it's documentation related, I think SIG Auth might be good folks to talk to. At the bright-line point where it turns into talking about other kinds of policy control, then it might be WG Policy, would be my guess, but I don't want to do all the talking here.
O: I mean, it just speaks to it being a cross-functional domain, right, so everybody has a little bit of visibility on it. So we definitely look at the Pod Security Policies; we looked at the replacement. But yeah, no bright line, but where it leans heavily towards the admission-controller-based policies, that's where our folks on the calls are very active. But everyone is happy to, and if anyone wants us to contribute to the other groups and kind of present what we're doing there and get feedback directly, we're happy to attend those as well.
C: Then the built-in Pod Security Admission probably is not a good choice for you. If you're able to use the built-in ones without changing them, between restricted, baseline and privileged, then you'd probably be good, or able to work and deploy most of your pods with that. Any time you need to change it, because the built-in one doesn't allow you to change it, then at that time tools like Kyverno, OPA and others would be most appropriate.
K: Yes, I'm mainly here to ask if anyone else is involved in the process of building confidential Kubernetes clusters, because I don't know that many people who also work on it. So I want to get some people who I might exchange some knowledge with. So maybe there's someone, or you know somebody, who's also currently working on building those clusters.

K: I don't know that many people, and I also think that there's currently no Slack channel or something for that where you could find some information about confidential Kubernetes, or it might be that I'm wrong.
O: I didn't attend it; it might exist. I mean, there are a couple of CNCF projects that are working on enclaves, and so in there, of course, some commercial folks, Fortanix and Anjuna, that are working on this. AKS and Azure, I think, support it to some extent. So if the projects are the right venue, maybe we should start there. If we just want to start a Slack channel, I think that's... You have one other interested person.
K: Okay, yeah, that would be nice, because I know some people who currently work with me, and we are building fully attestable Kubernetes clusters, or we are working on it, and we are looking for knowledge exchange.
C: There are different TAGs; one of them is called TAG Security, and their job is not just focusing on Kubernetes but all cloud native technologies. I know for sure there are people there who have worked or are interested in working on confidential computing, and that also includes people who have worked and are interested in working on Kubernetes. So I'll share, Benjamin.

C: If you want the link to the Slack and the channel and everything else, just DM me on the Kubernetes Slack. You might find more people there who might have common interest, and then, if you find there is a common interest in Kubernetes and confidential computing, then it would be a good chance to see whether a Slack channel makes sense in our workspace. Or I would imagine if you just continue the initial conversation in the SIG Security channel, we would be more than happy to host.
B: Yeah, okay, so I've done a little bit of work on this on SPIFFE/SPIRE and kicked off some of the efforts there to get that under confidential computing, such as secure enclaves. So I can take some of the lessons that we learned through that particular process up to this point, and I'm happy to put down the major blockers that you may run into when you try to run something like this.

B: So, for example, you don't have access to things like fork in most of the secure enclaves, so you have to find ways around it. There are numerous other issues as well that we ran into, where we had to remodel our architecture, and that work is still ongoing, so it's not complete yet. But I can easily see about connecting you with the people who are working on that, with the idea of what it would require to bring some of those concepts to Kubernetes.

B: I also urge you to reach out to, I don't know if they're still involved with the Confidential Computing Consortium, but they will know who the players are. There's a person named Aeva Black, A-E-V-A and then Black, like the color. I strongly recommend you reach out to them in order to get involved, because they were, I believe, leading the technical parts of the consortium, or the full consortium, at one time; I'm not sure at what level. But hopefully that helps.
A: Pushkar, because there were some other people in the Zoom chat who expressed interest in potentially joining that Slack channel too, do you want to maybe put that link in the notes or the Zoom chat, or maybe both, so that other people who are interested in going to those places might also be able to do so?
A: You're great, and I appreciate you, thank you. Cool, all right, so that is actually officially the last bit in the agenda. Does anybody else have anything that they wish to say?
A: The link to the Slack channel for TAG Security in CNCF Slack just got posted to the Zoom chat, and I'm going to copy it into the notes. This has been awesome. I'm so excited to see all the new folks here; hopefully you found it helpful or interesting, and glad you're here. We are on the channel #sig-security on Kubernetes Slack, and we are around and always up for talking about whatever you think is good to talk about. Super excited that you are here.