From YouTube: Kubernetes SIG Security Audit 20210512
A: So I put in the chat the meeting notes and the agenda. I'll put it again.

D: Just want to say, Aaron, I benefited a lot from the 2019 audit that you and others completed. I was sort of going through a phase where I was like, okay, what is the new security material for Kubernetes, and then the 2019 audit came in and it was very exhaustive and helpful for me, so I look forward to what we do this year.

That's really nice to hear. Thank you. I'm about to help people, definitely.

A: All right, just want to remind people, since this is a Kubernetes meeting, we do adhere to the CNCF code of conduct, which boils down to: just be nice to everyone.

D: I guess by new you mean for this meeting or for the SIG?

A: I guess just for the... I guess new to this subgroup. I know you're a familiar face in the SIG Security group and stuff.

B: Let me admit myself: I've been basically a fly on the wall with the SIG Security group, and I occasionally have dropped into this one as well to listen in. Currently I'm still in learning mode, you might say, but anyway, my background is security for, gosh, I've been doing it since at least the early 90s, primarily crypto security, and I've worked for, well...

B: So anyway, I'm still coming up to speed on the security aspects of Kubernetes. In terms of, how do I say this, the underlying architecture and how it's implemented? That's really where I'm still in the learning mode. So it's a complex system; trying to absorb it all.

A: Thank you. I did forget to mention one thing: this is being recorded, so if there's anything you don't want to be uploaded to YouTube, you could also just ping me and we could do some edits as well. We also want to keep things confidential here in terms of when we're discussing secrets, audits and proposals. We have a private Slack channel here; I'm going to put my email in the chat if you don't have an invite to that private Slack channel.

D: I've been working with the SIG Security folks and also the newly named STAG, which is from the CNCF project umbrella, so I've been active in the community for over a year now. Worked on Kubernetes in a really big end-user company before that; now I work for a Kubernetes distribution company. Excited to see where we go as a group, and I'm also starting to lead a new subgroup called Security Tooling, which will meet for the first time next week. So DM me if you are interested, or join the security-tooling Slack channel.

E: Cloud and container security research, and I'm also part of the CNCF STAG, or TAG Security. You know, yes.

A: Okay, all right, so let's go on with the agenda. I put the link to the meeting notes in the chat. I just saw something in the chat, that's funny, that STAG is taking over. First topic is the RFP. There was a new question-and-answer section that was added to the RFP; I put the link in the agenda. It's PR 5771. It boils down to the question: do we need to use our own hardware and infrastructure, or should we use a cloud? TL;DR is yes, use your own.

A: We could use anything except for no cloud-hosted Kubernetes. So for those who are new to this group, we have an RFP out. I'll put the link in the chat, in the minutes. Here, I want to find it. And the RFP, there's no end date for the RFP. We are...

A: We will set the date once we get four proposals, and we currently have a few proposals, and so we're waiting for a few more, and in the meantime we are answering any questions that come in on the RFP. Any questions on that added question-and-answer to the RFP?

A: All right, second thing with the RFP is that Vivas, Robert and I've reached out to vendors. I know Robert's had some communications, so we look forward to more proposals. Hopefully in the near future; we had one.

A: Okay, that's great. All right, anything else with the RFP? Any questions about it? I'll try to get the link to that as...

A: That's for the 2021 RFP for the third-party security audits. Second topic: I want to go over, last meeting we talked about having an audit roadmap, because we're excluding things from the RFP and we don't want it to get too big, and we've heard from companies that the scope of the RFP is a little bit big. I'm going to share my screen here. Actually, host has disabled participant screen sharing. Okay, number one, so I put the link in the agenda.

A: It's under audit roadmap, and it's just a draft, and this is just a Google Sheet, and what I put here... and two, I cannot share my screen. I put the Kubernetes focus area, I put what was the focus for the 2019 audit, also what is in scope for the 2021 audit, and if you notice, in 2021 it's a lot of the core Kubernetes components, like the kube-apiserver, scheduler, etcd, kube-controller-manager, cloud-controller-manager, kubelet, kube-proxy, and one was added.

A: One, Secret Store CSI driver as well. This came about because the folks behind Cluster API asked for Cluster API to be added to the RFP, but we've already gotten feedback that the RFP was already too big, and we didn't want to get into scope creep as well. So last meeting we talked about, since we're doing these audits, maybe on a yearly basis...

A: I don't know what the cycle looks like currently, but hopefully it's something like a yearly basis, that we could add components to future audits that are not covered in the current and past audits. Of course, there are some components, like the core components, that will always have to be audited on a, you know, annual basis or two-year basis, and that's what we'd need to bring up to SIG Security and to the community, and have the community discuss and decide on that.

A: There are like additional plug-ins from other SIGs, like node feature discovery, hierarchical namespaces, and these are just added in, just as a straw man, just to see if this is something that we want to include in future audits.

A: And what I'm going to do, I'm going to bring this to the main SIG Security meeting for Kubernetes and bring up the idea of just having an audit roadmap, so we know what components are going to be audited in the near future, and so we could have requests from the community as well, because we've gotten requests, like the Secret Store CSI driver and Cluster API, from the community, more and more like ad hoc requests.

A: But now we could have more of a planned roadmap of what the audits will look like in the future. Like one component is CoreDNS; even though, to me, CoreDNS is a core component of Kubernetes, because you need DNS in your cluster, and as of version 1.12 CoreDNS has been the recommended one. I put links to references, links to GitHub repos, links to concepts as well. Any feedback so far?

A: I like it. Excuse me, one of the thoughts I had is it...

A: It probably makes sense for other large projects to do this. I'm coming at it from the CNCF point of view, where, you know, STAG has the concept of what I think is an annual or biannual review self-assessment. So doing something like this...

A: Thank you. I also want to... I also have a second tab, if you see, that is not in scope: things that are part of Kubernetes that we may not ever do, like in-tree cloud providers that are moving to out-of-tree, things like in-tree storage plugins. Just want to add that in. Also, I'm gonna have to join, I'm gonna see if you have SIG Security meetings to learn about STAG; I stopped attending about over a year ago or so. So thank you for that input.

A: Ideally this would be in our repo, so I wanted to do a draft of it in this Google Sheet, bring it to Kubernetes SIG Security, then make a PR, and then so we have it in the repo, and so any other community member could do a PR on what to add to the audit down the road. We could have discussions on that pull request and we could merge it, so we have some kind of process involved.

A: I guess one way to think about it might be: anything under github.com/kubernetes needs to have a third-party review done. Now the question is, is it done by the community, like this process, or, like for one, the cloud provider ones, is it done by the cloud provider? Would that be one way to think about it? Maybe, yeah, and that would be one way to think about it.

B: Okay, and I assume that the CNIs, the various CNIs, are out of scope as well.

A: For CNIs as well, that's something that we could then discuss, because I know a lot of the CNIs, some sell support for their CNI plug-in, and personally, in my opinion, that's not in scope of the Kubernetes audit; that should be their own, since they do.

D: Is there a possibility to have kubectl part of the 2021 scope, or are we kind of too late? Because the other ones make sense to be TBD, since they are either too much in the background or not a lot of people use it. But kubectl may be something that ties in well with the ones that are in scope.

A: Yeah, kubectl, or kube cuddle, kube control, people call it different things, was discussed and it was left out of the RFP because you don't need to use kubectl to use Kubernetes; you could just hit the Kubernetes API as well. It's not a core component, right? It's also... no one can argue that Secret Store...

A: CSI driver is not also a core component, yeah, but that was... I will just discuss kubectl, what was discussed, to remember, and that's what's left out on this one, but I did leave it here because I think in the future it might be something that might be part of a future audit.

B: Yeah, speaking of that, are we going to take a look at the CA side of things? I think that's inside the API server or associated with it. Are we going to take a look at that as well?

A: I would assume so, since this is... because it can be considered the API server. I don't remember if we called it out specifically; maybe as a sub...

A: It's a good discussion, but to me, if another vendor creates that product or that plug-in, and if it's not required by Kubernetes to run or it's not recommended to run... because, like CoreDNS, it's kind of a gray area, right? It's made by a different vendor, but when you pretty much do kubeadm install, or if you use Kubernetes, it's actually stated in the documentation that it's recommended to use for DNS since version 1.12.

A: I still put that for CoreDNS as well, and also, like, yeah, but the items I put down are just, you know, just put down as the straw man; it doesn't mean that they have to go in. I just wanted to have some examples of what can be included in the audit, or what we might discuss that might be taken out of an audit, like hierarchical namespaces may not be, there's...

A: You are back, proxy, I think I've seen, I see the repo for it, right, to look into the... but you know, this is a good example. We could just add it in and then discuss later, yeah, if it should be something that's in scope or out of scope of future audits, like the KMS plugins as well, even CNI plugins, and at least we could have that discussion and the community can discuss, and yeah.

A: Okay, so it's pretty much... so I plan to, at the next meeting for the main SIG Security meeting, just present this and get some feedback, and then, like I mentioned before, ideally we would have a home for this in GitHub and do PRs to add...

E: I have a question: what are we doing to promote or incentivize that the companies submit their RFPs here? Because I know that we've been postponing the deadlines and there's a lot of companies that said that they're not interested. Is there anything else that we can do?

A: Just to reach out to your contacts, if you know of any, and reach out to, you know, tweet the RFPs and just link it to the GitHub, to the repo or to the file. Some of us reached out to contacts and companies, and yeah, like Robert mentioned, there's one, you know, good, maybe to add in a proposal just from reaching out. So yeah, reaching out to your network.

A: You know, we know that people have eyes on this from companies, and it's just up to them if they have the time, or they know if they have time to do an audit in the future, or the new feature, and to create a proposal and submit it. I have reached out to the companies who have submitted and let them know that we are postponing it, and had good replies, good feedback from them, and so I'll...

A: Just let them know when we have a fourth proposal; then we'll set the closing date to two weeks after we get the four proposals, just to give some time for other companies as well, and so that we could also discuss here on Slack and also on the Zoom call as well.

C: They might exist; they would be, I suspect, attached to probably the US government's export controls around cryptography and, like, weird embargoes. If we got a proposal from Iran, for example, I would definitely want to check with legal before moving forward, but I don't know of anything that we're explicitly following. I suspect we'll just see what comes in and then check with the CNCF if there's any blockers.

A: Cool. Anything else about this audit roadmap for the RFP?

A: All right, last topic is Cluster API, so they requested... the folks behind Cluster API requested a...

A: Security assessment of Cluster API, but it hasn't been done yet because KubeCon EU happened and lots of meetings were postponed. So that's just something I plan to do at the next Kubernetes SIG Security meeting, and that's it for...

D: I think Robert and I have an update on that Cluster API thing, so just to keep everyone in the loop. Robert, feel free to add anything I miss.

D: Basically, we had a quick chat on some Slack threads and a GitHub issue with CNCF SIG, and I have yet to get some response from Tabitha. But the idea is, if possible, we can use the CNCF SIG Security's security assessment process as a sort of a template and see what applies to doing a security assessment for Cluster API.

D: The chances are that people who will end up doing security assessments would mostly be people who join the SIG Security in Kubernetes, and then they will work sort of like partners with Cluster API maintainers and developers. So now one action item that's fallen on me out of that is setting up a meeting between some of the SIG co-chairs, or rather STAG co-chairs, and SIG Security co-chairs.

F: Perfect. We were actually going to do... he has very limited time slots, so we were actually going to do a call at 4:30 today. If anyone wants to join that, I can send off the Hangouts link in the chat here. One second. But you know, the more the merrier; everybody's welcome to join.

F: So let me... I'll send you the phone number and a Google Meet. Sorry, it's not on Hangouts or...

F: Slack there, so if anybody else wants to join that call, there's no real agenda, so much as that Craig had reached out and said that he was... and he's on the SIG Security and, I think, Cluster API group. So yeah, just an exchange of ideas, and happy to get everybody else who wants to join in.

A: All right, well, thank you very much. Yeah, I'll be at the call, so 4:30 today, and so that brings us to the end of the agenda. So it's pretty much an open forum; anything else that people want to...

G: You mentioned turning that roadmap into a PR. Were you planning on picking that up, or did you need somebody to take that as an action item?

A: Then, you know, once we get feedback, I'll make it into...

A: Cool, all right, there's no other discussion topics. We get 15 minutes back from your day, so have a good rest of your day, and maybe...