From YouTube: Kubernetes SIG Security 20220714
A
So we are all here. I am delighted that we can all be here. Hello, welcome to another Kubernetes SIG Security. As we do, give everybody a chance to go around and say something about themself. I'm Tabitha Sable, I'm one of the co-chairs. I'm delighted to help to make this space so that we can work on Kubernetes security and improve it together.
B
Hey folks, I'm Ala Dewberry. I'm just off camera eating some lunch, but yeah, I am here because this is a great group of people and I love learning about security and Kubernetes, and I'm the subproject lead for self, self-assessments.
B
C
D
E
Hi, I'm Kalyn. I'm new to SIG Security, although this is like my third or fourth meeting. So I don't know how many times and.
F
E
Hey, I'm Craig Ingram. I work at Google. I have a new role in Kubernetes hardening, so I am trying to get back involved in, in the community more actively around Kubernetes security.
A
G
Well, I'll go next! So hey everyone! This is Avinash. This is my first time in this meet, although I'm not new to communities. I'm, I'm, I'm part of contributor comms. So I, I do the marketing and stuff, so yeah, happy to be here.
A
Delighted to have you here. I think, like, literally everybody has said hello. So as we do, we'll talk about what's going on with subgroups. I believe that audit is wrapping up and that there is not much to say. Is there a Slack message or something about that that I have missed? Does anybody know more than I do about that?
F
F
Docs, yeah: this is one that's been on the issues list for a little while, and because I cleared up the other stuff, I thought next one to pick off the list. So this is something that Jim Bugwadia mentioned, which was the idea of having a docs page for Kubernetes API server bypass risks, so places where it might be possible to change a cluster.
F
Add workload, remove workloads, play, but go past the API server. Because it's such an important point for security controls, audit logging and admission control, the architects and security cluster owners should know: here's the places where people might bypass it and what might happen if someone did bypass that. So I've started that and there's a brainstorming HackMD, and then once that's in reasonable shape, we'll move it to a PR. If anyone's got any ideas, things they might have or changes or anything, just fire them into the activity. That'd be awesome.
A
All right, anybody, anybody else have anything to say or ask about that?
A
That being the case, Pushkar, what's going on? Tell us about tooling, please.
C
Yes, so I have two wonderful updates. One is from the learning session.
C
We did last week, folks from Microsoft, Azure team working on EKS actually joined us and shared a new tool that they've been working on called Eraser, and I like the idea that it's somewhat related to ops and infra and optimization of compute, but also helps on security, because you are essentially cleaning up images that you don't use but are still on your worker nodes. So they are looking for feedback and help from community, but, more importantly, they're looking for donating this back to the community, ideally as a Kubernetes subproject.
C
So from my, my understanding, limited understanding, we need an owning SIG anytime a subproject needs to be created under Kubernetes umbrella, so obviously straight away, one SIG came to my mind was Node, and another one could be, if we want to, would be us, which is Security. So wanted to share that, get some thoughts, if anyone has any, and probably Xander and some others from the team will join again next time we meet. He couldn't join today, and then we can discuss it more with them as well.
A
C
It does support removing images from a worker node in Kubernetes, but I don't see a reason why they couldn't remove the images if Kubernetes is not running on those nodes and something else is running. So from that perspective it could be a CNCF project, but it does align closely with Kubernetes.
A
All right, I will, I will make sure to post in Slack when the video from that goes up. Those.
D
A
D
A
D
So do we have any, I, I don't know that I, this feels a little bit like a, like trolley question, but I don't mean for it to be. Like, do we have any type of feelings in any type of way about vendor neutrality of projects that SIG Security owns? Because if it is Azure branded, are we, like, you know, are we, are throwing our hats in with Azure in any way? It is possible that the answer is no, we don't care, which is fair, but I did want to ask.
C
Yeah, I, I was worried about that too when I talked to them. Some of the things that came out of the discussion, don't know if that's a complete answer, but one thing they were sure is the URL of Azure/eraser will change once they donated to CNCF something or kubernetes-sigs something, and the second thing they shared is the tool is not tightly coupled to AKS, so you can use it on any public cloud or even if on your private data center. So those two things might help understand that perspective.
A
A
I think that it is important that we have things that we support be vendor neutral, be aligned to, you know, be aligned to Kubernetes, and, you know, that, that I think is one of the places where the CNCF can provide value to the community, is by providing a place where tooling that is developed, like, from the scratch-an-itch model of open source at, you know, insert organization here, in this case Azure, but I don't care who it is.
A
That does feel general enough that it could have community support and have people, have people really want to do it, that, like, that is a place where I think CNCF can provide value to the community, is by having a way for projects like that to sort of grow out of and transcend the organization where they happened to start. And like, you know, that's something that I, that's something that I like about the, like, incubation, etc., sandbox, incubation, etc., process that they, that they have in CNCF, is they are at least trying to.
A
D
Same, yeah. I mean, with my chair hat off, I feel similarly about, like, anything that we support, I would want to be vendor neutral and work on different stuff. I do feel like the, the answer that Pushkar just gave does answer that for me. Like, if it, if, if Azure is not branding it, if it works on places other than AKS, like, I'm cool with it. Like, that, that answers that for me, but I realize I'm saying this on Kubernetes record, so again, that was with my chair hat off.
C
A
Yeah, yeah, awesome. I, yeah, I don't know, I don't know what the outcome of it will be, but I, I applaud them taking the start, and, and it does seem like the, it does seem like it has a good hope of finding, finding an appropriate home, whether that is like as a subproject of a Kubernetes SIG, whether that is like going into CNCF sandbox.
C
We have all the logistics set up to implement, go and implement it. So I review, I re-edited the parent umbrella issue that we had to explain for everyone what needs to be done for it to go live in 125. So now, because we all love learning in public, we'll be doing a deep dive on it on Tuesday next week and find out what things can come out of it in terms of GitHub issues.
C
Everyone can work on and own, and then eventually the idea is we'll meet the code freeze deadline and then we'll have it working by the time 125 comes, comes in and becomes GA. So that's the plan. If you're interested in working on a KEP that's planned for 125, working on issue or more than one issue that will help with this KEP, please join the next tooling meeting on Tuesday.
B
Yeah, hey folks, sorry, I'm off camera, I'm just, I'm finishing an apple. So yeah, on the security self-assessment side.
B
PR number 40, which is putting the CAPI report in our repo, is merged, which is so exciting. So yeah, I, I got to swoop in on this at, like, basically the tail end, so massive props to Pushkar for, you know, instigating self-assessments to begin with and just creating an opportunity for me to be a subproject lead on something, and also for just the continued, like, coaching and suggestions and everything like that.
B
So yeah, congratulations to, to you, Pushkar, and the community, and there's going to be a CNCF blog post about it too. So that should be great. But yeah, looking ahead, I still need to get in touch with the PM for the vSphere CSI driver. That's still a next target that we want to do for a self-assessment.
B
Unfortunately, she works at VMware, so I can get a hold of her pretty easily, and I also, per Pushkar's suggestion before I went on vacation, it sounds like Emily Fox would be an awesome person for me to chat to, to just share sort of what, you know, just let, let her know what we've done.
B
D
Totally happy to make that intro. I think I made that suggestion at some point too, and yeah, like, would be, would be totally stoked to do that. I can do that on Slack today.
B
Wonderful, she sounds like another marvelous human being that I get to work with, so I'm super excited. And yeah, that's basically it, at least in the kind of immediate short and medium term. I still, and I've, I think I should get some cycles to do this in the next few weeks, just start popping on to other SIG meetings who have a lot of subprojects to really, I think I can just lead with the CAPI self-assessment, say: hey, here it is.
B
This is what self-assessments are, it's a resource that we can help you with, to really just sort of get that organic engagement and to make sure that this process that we've put together, that Pushkar and the team, we've put together, gets used in the community to make Kubernetes a safer place for workloads.
B
A
Yeah, I super love that. Both officially and often as individuals, we, we are friends with CNCF TAG Security, going back to before the disambiguation, you know, when CNCF had SIGs rather than TAGs. Then, then we had to be pretty careful talking about when we are Kubernetes SIG Security versus CNCF SIG Security.
A
That now has been disambiguated, because now they have TAGs instead of SIGs. But despite the fact that we have different names, we remain sibling organizations. We love to do things together with them, and part of that means that we as individuals who make up this organization.
A
You know, frequently end up meeting with and working with the individuals that make up that organization, and we have crossover here. You know, for example, we have Pushkar, who is one of the few people I am aware of that has leadership roles in both Kubernetes and CNCF. So yeah, like, they're fabulous over there, like, Emily's great. Y'all will, y'all will have a good time learning together.
B
I guess I'll just give one more shout-out to Pushkar for really driving, like, this really awesome tool that the community now has, so.
C
I, I just want to throw the thanks back to everyone in the community, really, like, it's, it was sort of like just an idea that came up, one, 15, 16 months ago, and we didn't know it would work out, but people jumped in, spent their time, efforts, mornings, afternoons, and we got it working and we have the first one. So now the second one should be easier, hopefully, and thanks for Ala to continuing that going forward.
A
Yeah, we do. All right, so that being subproject, subproject reports. Tell us, please, about Last Week in Kubernetes Development.
G
G
So yeah, so Last Week in Kubernetes Development, as the name suggests, what we do is we gather some updates that has been, that is to be shared to the community, all the efforts and PR merges and stuff that goes in the previous week, yeah.
G
So this effort has been running for, like, from last two years or, I'm not sure, maybe last year, and so recently what we have started is we, we reach out to, say, various SIGs and ask them if they have something that they want us to promote, any efforts, any shout-outs, or it could be anything. So yeah, I think I'm here asking for SIG Security, if they have something for us to share.
A
It's likely we, it's likely we do. I feel like we are the kind of group that will take that information and pull it back into our brains, and then somebody will come back soon and be like, actually, I know something. What do we think about that?
C
So, firstly I want to thank Avinash for reaching out to me last week and saying, do you want something in LWKD, and I'm like, what the hell is that? And then he shared and I was like, oh, maybe it's not just me, and everyone probably doesn't know about it. So thanks for joining the meeting and telling us about it. One question I did have is: what's the best way to share the information that we want to publish?
C
G
So usually, what we do is we have three, four folks in the community. One is Josh Berkus. So we, we gather information and we ourselves write things and we get it published. The best way you could do is you could reach out to any of us, any one of us, and say that, hey, we want this, and we'll do that.
A
So, like, you or Josh Berkus. Are there other folks that, that I ought to write down here on the, on the notes?
G
I think no. I'm not, I'm not sure what his actual Slack is. I'll drop, I'll drop the Slack handle of him as well.
A
Oh wonderful, wonderful. And then assuming that, like, six months from now, we have forgotten about and re-remembered this, and that, and, and that, that all of the pointers have been, have been broken, is this also the kind of thing where somebody could hop into the ContribEx Slack channel and be like, hey, ContribEx friends, we want to share something in Last Week in Kubernetes Development?
G
Yeah, you can probably do that way. So.
B
Avinash, could you drop a link to, oh wait, never mind, there's a link in there. Because I'm also, yeah, I'm just thinking in VMware OCTO, like, we have the open source program office, and this, just, I'm just gonna put this in a couple Slack channels to be like, hey.
B
This is a thing that is really awesome, and also in case, I think VMware has like one or at least two upstream teams, and you know, it's always just good to make sure that everyone, everyone knows where, like, the latest and greatest stuff is, and, and that there's this awesome announcement mechanism that we can leverage.
A
It's like a French-English collision. It's like the wicked. Okay. Okay, Lynn, tell me, tell me about network policies, please.
E
Yeah, nothing, nothing really to report yet, except that I had expressed interest in that and so followed up with Dan, and he was the day before hopping on vacation. So he sent me a bunch of information on the blockers and strategies that he's thinking about, which I have yet to dive too deep into. But we're gonna have a meeting when he gets back from vacation and talk about what it might look like to try and do some label name enforcement.
E
And you know, if it, if it's something that should be a KEP or if it could be an issue, we'll, we'll go from there, I guess. And I have no idea what I'm doing. This must be my first thing, really, other than commenting on docs PR, so I'll probably reach out in the next meeting after I have a meeting with Dan and ask for advice, tips, suggestions.
A
This is, this is a group that, this is a group that loves to, loves to, to help out with advice, tips, suggestions, and doing something and checking your work as you go is the best way to get started in Kubernetes. So, thank you very much. This is awesome. I love to see it. So y'all go talk to her if you got thoughts about this, because it's going to be, it's going to be a good way to, to improve some UX around an important Kubernetes security feature.
G
Yep, so idol is. This was not supposed to be my task. It was supposed to be someone else talk, but, as is not available here currently, I'll take up that test as well. Thanks for bringing.
A
G
Us, yeah, so in the, in the last, last contributor comms meet, Kaslin came up with a point, with a topic, where she said that topics related to security should be handled with care, and because they might create some panic around, all around. So comms is actually looking for some guidelines which everyone should follow when it comes to security, so that we don't create a lot of panic.
A
That, that seems really, yeah. I agree with, I agree with all of that. It is, it is definitely the sort of topic where we're having, having thoughtfulness about what the response is likely to be, how, you know, how the communication is likely to, to cause folks to feel, how the communication is likely to, to induce folks to think, that's. Yeah, yeah, security-related comms end up needing a lot of, needing a lot of care. That's, that's a really good point, and I'm super glad, a, that.
A
She brought it up, and, and b, that you have brought it here. Do we, do we all agree this, this is a, this is a good thing for us to be thinking about, and do we think we can help them out?
B
Definitely sounds like something we can help with. I guess, is there an example of, like, something either recent or potentially upcoming that you want to communicate about that we could help craft some messaging guidelines around?
A
Oh yeah, because frequently, frequently it has been a good way to, to develop things, to have a situation, deal thoughtfully with the situation, gather the learnings from the situation, and generalize into something to follow along with, or into guidelines to keep in mind next time. That's a good point. Yeah, I mean, we have PSP removal, that's a thing that, that's a thing that is, is likely to cause some folks surprise. We have done a lot to try and communicate about it, but you know, communication always takes two.
A
C
I'm also wondering, if the generous to keep it simple, if we could just give a general guidance to ContribEx: if you're not sure whether this should be a private conversation with SRC or something that can be discussed public or announced publicly, bring it to us in SIG Security or Slack. And then we can.
A
A
I know that that is a, a conversation that we often have with folks about, like, whether something is safe to handle in the open or whether it needs to be under the embargo policy. For things that are, are sure that they can and should be handled in the open, but seem that they need to be handled with care, I'm trying to imagine physically what, what this would look like.
A
Are there already contributor comms, like, documentation or, or procedures, or something that we could maybe think about putting a PR into, to, like, mention things in, or, or would we need to be, like, starting from scratch somewhere?
A
A
A
I like that. Let's, shall we, shall we take that as a, as a first, as a first brush, is that folks will have a look at the contributor comms docs and guidelines that exist, and then, if there are places where we think we can add some information so that they can feel more confident when they're dealing with security things, then, then we will assume that is what we will do, unless we find for some reason that that won't work.
A
Awesome, yeah! Please, please drop us some, please drop us some links to, to the resources that already exist, that they're already using, and then yeah, hopefully we will find, hopefully we will find places where we can add some more information or some more guidance for them, so that they can deal with these more confidently.
A
All right, I keep trying to come up with something, something else to say at the end of the meeting besides that we have, you know, like a C or Go program, reached the end of the main function and fallen off, but I continue to fail to do that, so I'm gonna be, beat that dead horse again. It's funny every time.
A
A
That being the case, we are done for now. Thank you all so much for coming. Looking forward to having a chance to look through these, these comms docs and some of these other things that we've been talking about. See you all soon, and in the meantime, remember that Slack is open 24/7.