From YouTube: Kubernetes SIG Security 20230209

B
Hi, I'm Ian. I am the other co-chair, pronouns they/them, and what Tabby said.

E
Hi, I'm Fabian. I've been dabbling in confidential computing for the last year, and so I supplied this blog post. I was with SIG Security Docs the last two meetings, but since I saw my name in the last meeting notes here, I thought I'd join.

G
Yeah, and I'll present a talk about a security thing at the Kubernetes conference thingy. So that's helpful, yay, I'm doing something.

A
Cool, what is it?

B
Rory and I are also speaking at KubeCon, and I think that talk's gonna be really fun.

A
That's how we... I mean, like, okay, so I'm sorry to be such a mom, but that is real talk. One of the ways that we improve Kubernetes security for everyone is by making more work for ourselves: by presenting jump scares and then helping to drive forward the creation of solutions for those jump scares. Like, it do be how it goes. I see Ala just jumped on. Do you want to say hi, Ala? We're finishing intros.

H
Yes, I would, thanks folks, and sorry, I was coming from my day job meeting. Hey folks, I'm Ala Duberry. I am the lead for the self-assessment subproject, pronouns she/her, and I am updating the notes as we speak, as I was naughty yesterday and totally forgot to.

A
I mean, you fill it in in the end, that's what counts. So as we do, we can go through the updates from subprojects and hear what's going on with them. The first one I will present on Ray's behalf, since he's not able to make it: the third-party security audit. The third-party security audit subgroup is waiting to hear back from the SRC about a couple of the findings in the audit, which the SRC is doing some further follow-up on with the owning SIGs. And so, given that I wear both of those hats, I am feeling a little bit of this here. So I've asked the rest of the SRC whether we have an estimated time for when we will be done with that follow-up or not, so that here, with our SIG hats on, we can decide whether to continue to hold the publication or whether we should publish an initial redacted version and then publish the full thing after the SRC is done with its follow-up. So more to come from that.

C
I can mention quickly in passing: we are working on the hardening guide, and we've been very fortunate to have some people offer to help out with some of the sections. For people who don't know the background: we are working on a hardening guide, but we recognize this is quite a large effort. What we've done is try to split it up into different sections; hopefully that makes it easier to manage and for people to get started. I've started drafting the authentication section.

C
I've had some good feedback on that already, and there's a HackMD which is linked in the SIG Security doc. I will go and find it and post it here as well. But if anyone has other feedback on the authentication section, that would be awesome too. That's the only doc I think I know of.

E
Yeah, maybe I can also give a quick update about the PR. So I'm not sure what was discussed last time; I saw that there was the pull request and the Slack thread linked. I think a lot of folks are still working on additional bits and pieces, but I think we have a good state now, and Tim, I think, is basically taking care of the organizational stuff around it. It was also proposed that we pass this along to the blog review team, so I'm not sure how long these things should typically stay open. I think we have had the PR now for almost a month. People added bits and pieces, but I would also like to push this to publication and not leave it for too long.

E
Right, it's supposed to be an introduction for the whole cloud community to the topic, because at all the events I went to in the last year, I chatted to people and they were basically clueless about the topic, and I think it's an exciting new paradigm you could use to improve the security or privacy properties. So just an introductory post to get folks familiar with it.

D
So with this change of time from Tuesday 8:30 Pacific to Wednesday 8 a.m. Pacific, we will hopefully have those folks join, and any new folks who weren't able to make those meetings can join in this new time slot. It's a bit earlier for me, but hopefully better for everyone else in the other time zones. So the first meeting is on February 15, and we'll go from there. It will repeat every couple of weeks. Thanks Tabby for setting up the invite, and everyone who voted on the Doodle.

D
That's it. Also, I got some questions about this, so I wanted to repeat here: if you don't have the meeting invite updated yet on your calendar, make sure you're subscribed to the kubernetes-security Google Group. Once you're subscribed, with some lag of one or two days or more than that, you should get all the calendar invites from that group automatically updated in your calendar. So if you have any problems with that or don't see it, let me know, and we can figure out a way to fix it.

D
That's the logistical update. The second update is on the work that we do. We have been working on a KEP, 3203, for an auto-refreshing official CVE feed. As part of the KEP graduation process, every time you move from alpha to beta, or beta to GA, you have to update the PR where you define the initial design with the changes that you are going to propose to make when you're graduating from alpha to beta.

D
So I made those changes in the pull request with whatever we have proposed and whatever people have given in terms of feedback for what we want to have as scope for alpha to beta graduation.

D
We have, unfortunately, a deadline that we have to meet, which is actually end of day today to merge this PR. We...

D
Cool, thanks. That's what I wanted, because Mahi and Tim already reviewed it; they are happy with the changes, so that was great. And production readiness review is another approval we need, but John has said that once the SIG chairs approve it, he will also approve it quickly, so it should be in good state.

D
So that's the plan for the next two to four weeks on the tooling side. Any questions, I'm happy to answer.

A
All right, Ala, tell us the cool news.

H
Yes, yes, yeah. So over in security self-assessments, we have an action-packed few weeks coming up. We have our regularly scheduled meetings, which started last week and are continuing on Tuesday, but even more excitingly than that, we have a kickoff meeting for the vSphere CSI driver self-assessment scheduled. If you'd like to join, go ahead and DM me, but like Pushkar said, if you're subscribed to the security Google Group, you should have it come up on your calendar.

H
I also included the Slack channel and the notes too, where I've put up a tentative agenda, and that's where we'll be coordinating this. So really exciting there. And then, sort of just in preparation for that, I've obviously read up on threat modeling approaches, and I'm also watching the recordings of the previous Cappy self-assessment, which, Pushkar, hats off to you for diligently recording. I'm learning a ton, and yeah, I'm just really excited to kick this off.

C
Just in case it's of interest, I'll put a link in this. I saw an interesting threat modeling hackathon thing coming up, which has a lot of information about threat modeling, and also, I don't know if they're streaming their talks, but there's a conference, OWASP AppSec EU in Dublin next week, and I know there are several different threat modeling talks there as well, so there may be some places for ideas. Actually, I've listened to one of the talks.

C
It's an interesting one, because one of my colleagues is giving it, and yes, I know they're doing multiple threat modeling things. So there may be some interesting info there.

H
Oh thanks, Rory, yeah, that sounds awesome. And yeah, I think one thing is, I've been reading up on a bunch of stuff, but it seems like there is a lot of great getting-started-with-threat-modeling material that I should probably just throw together a doc for, and maybe make some kind of simple website if there isn't one already, or just collect all that information. So, awesome.

I
I put it in there, and I was super excited to see that feature. I've just been reading up on CEL and how cool that feature looks, and so I wanted to hear other people's thoughts on it. I think this is gonna be a game changer for policy management, and it's not in Rego, which is great because you don't have to learn Rego. CEL is a little more intuitive.

I
1.26, I think. Okay, yeah, alpha in 1.26. I'm super excited about this. I've been talking to everybody about this feature and telling them about this. Yeah. Oh, like, I work with some CEL policies, and we were trying to do something similar within Google for validation of our internal workloads, and it's cool to see that Kubernetes is adding self-support for validating admission. This is like a dream come true for me, and I just learned about this feature over the weekend. I was tired of Gatekeeper, so I was writing my own, and before I wrote my own in CEL, I was like, how hard could it be? And then I checked whether there was something, and I was like, wait, this is perfect. How did this happen? This never happens. And I was so excited about it. So I'd love to hear other people's thoughts on it.

A
But then, when you find someone else has already worked through a lot of the same ideas that you have been kicking around in your head, then that's a place where you can try it out, you can play with it, and you can contribute to it with the extra ideas that you had. Has anyone else here on the call had a chance to play with it yet? I haven't had a chance to play with it yet.

A
Kyverno, like, in the sense that all these things can replace each other, you know; they have different strengths and struggles, but it's working in the same sort of space. I believe that the version that shipped in 1.26 is limited to being used to enforce some defined policies only on certain fields in certain objects. I don't think it's general to all API object types or all fields in those objects, but this is going based on some hazy memory of reading KEPs months ago, before I was on medical leave.

C
Really excited to see it, just because I think any time where you have to add external software to something is going to lower the adoption, because it's external complexity and people just won't do it. Whereas, if you can say, hey, you just set your Kubernetes up, here's a policy, and you just apply this policy and you get something.

C
Even if it's not 100%, it's going to be something that's hopefully easier for people to adopt. Yeah, and it gets rid of some of the potential risks of using external admission control as well, where you have to have this privileged thing sitting there, which is a point of attack.

A
You mean like that time when Brad was doing free data egress out of GKE by registering an admission controller? Well...

A
Well then, yeah, it sounds like this is a good thing for all of us to play with as time allows, because I agree with everything you're saying about it being fantastic to have something built in. The thing that's built in doesn't have to be all things to all people, but just by existing it makes it a lot easier for folks whose needs do match what its capabilities are.

I
Oh yeah, absolutely. What is interesting, and I'm trying to work this out in my head, is how this interacts with pod security admission, like you mentioned at the end there, because it is kind of two features that have some... like, PSA is like this feature. Here's how I think about it: PSA is kind of this feature with some baseline set of policies, right? And so, like...

I
If you turn on PSA, you're saying, oh yeah, here's the baseline. And then how I would use this is, if I have custom resources or other things, I can write policies to be like, hey, don't configure these other things in a manner that's unsafe for the use case of that custom resource or something. And then your administrator could add more policies around, like, hey, pods that run on these nodes have UID ranges between this and this, right, like if they're running as non-root and stuff.

I
So it lets you build these cool extra policies, but you don't need a Gatekeeper. Well, maybe you do, but I'm not sure. I've just been playing around with this, and as far as I can see, you wouldn't need a Gatekeeper or another... You don't need to pay anybody. It's just part of this Kubernetes thing now, right? You don't need to get Kyverno or whatever.

A
You know, we have these various policy controls, and then, as an added reassurance, should we commit a bug in one of these complex policies or whatever, additionally we're putting either the restricted or the baseline pod security admission policy on those same namespaces. And hopefully the pod security admission policies that they apply never end up actually activating, because if they do, it means that something went wrong in their primary policy engine.

I
Right, yeah, and I love the idea of redundant security measures, right, and so that works pretty well. If you have these multiple images... like, that's what I've been trying to push forward: you do validation at pre-submit, but you also do it at runtime. And so with CEL, that's one of the things that I like about this: you could take these CEL policies that somebody wrote and just validate them at pre-submit. You could write GitHub Actions, because you could execute CEL anywhere, right?

I
So you could write GitHub Actions that fill in some templating of your YAML and then run it against the policies and tell you, hey, when you apply this to the cluster, this workload won't work. So, like...

D
Another point, taking a pause from my note-taking: I remember Rory had published a blog saying what the threats about admission controllers are, and one of the main things I remember was that it could fail open by default, and that ties to what Tabby and Vinayak were saying.

D
Essentially, if we have both PSA and OPA or some other thing running in parallel, at least the risk of "you can do anything until the system error is resolved because we are failing open" is a bit limited, because you will have a backstop with PSA that can at least audit things, even if you don't want to enforce. And then you have a way to go back and see if there were any pods that went out when the door was open. So that in itself is a good defense-in-depth way to use both of these features instead of choosing either of them.

G
PSA with OPA or with other things, like this conjunction of things, so I kind of... it's kind of complicated to map and plan around it, because you also don't want to do work which you don't have to, because, you know. So yeah, this is something I and some colleagues have been working on as well.

A
Oh, like a Go program, we have come to the end of our main function and are about to fall off. So, as a last thing, I will remind us that this is our space that we make together to discuss our thoughts and our ideas for improving Kubernetes security and to do the work together. So this is an opportunity if anybody has things that are not on the agenda yet.

B
PSA that KubeCon has various scholarships. If you are wanting to attend in person or virtually and can't afford to go, there is a Diversity Scholarship, a maintainer scholarship for active maintainers, a need-based scholarship, and another one that I'm blanking on right now. So all of those are out there. They have not closed yet, but I believe they will be closing before the next meeting.

B
So if you are in any need of that, if you are here or watching this recording in time, don't be shy to apply. Not everybody who applies is going to get accepted, but it cannot hurt to apply. So, just a PSA.

A
I'll point out: they are super good. You know, there's limitations in any kind of program, but my first KubeCon talk was done without any support from my employer or whatever, and I couldn't afford to send myself. But I was able to get some of this scholarship funding to get the transportation there, and it was a real big help.

B
I did the same thing: they covered travel funds and a hotel room, and it was super helpful because I wasn't being supported by my work back then either. So yeah, just a PSA. I can put the link to the scholarship application in the agenda.

B
Also a reminder, if we don't end up with any more discussion topics, that our Slack channel is open 24/7. It is #sig-security on Kubernetes Slack. So if anything comes up for you that you are excited about, want to talk about, have questions about, or whatever, you are always welcome in there, and we are always there. So...