From YouTube: Kubernetes SIG Security Docs 20220203
A: Hi everyone, today is February 3rd. Welcome to the SIG Security documentation project meeting. We abide by the Kubernetes code of conduct; that means please be nice to one another. This meeting will be recorded and available on YouTube, so please be mindful of whatever you say in this meeting. Now let me go ahead and share my screen once I figure out how. All right, perfect, this is cool.

A: If it's not, then we can also link it to external pages, but we have to be very careful, because that would include third-party content and so much stuff. Then we might end up looking like we are supporting one vendor product over another or something like that, so it should be vendor neutral. This is also an opportunity that we can add to, or we can actually figure out where the documentation is actually lacking.

A: So if you have any other buckets or anything you want to separate out, any ideas are welcome. Please feel free to comment. I know... is that the right way to pronounce your name?

A: Okay, thank you, I'm sorry about that. I'm trying to come.

A: So Mahesh volunteered to do particularly the seccomp sections. If there are any more new volunteers or contributors looking to contribute, please feel free to comment and assign yourself some sections. I think the RBAC, the authorization and authentication, is going to be a big piece, because we don't have a lot of recommendations around it and it's very confusing, and I do see that Rory has the next topic coming up.

A: So I'm not going to steal his thunder, but one of the things, when we started this subproject, we had three major things. One was an actual RBAC guide, which we'd never had. So I'm glad to see, I think, with Rory's effort, we can just add more and more and we can even make a new section for it. That's one thing. The next one was a Kubernetes security checklist. Now, there is a lot of stuff available.

A: This is from within the community ecosystem; we are just recommending. This doesn't mean that they have to follow this to the T, so we'll add all the warnings and disclaimers and stuff like that when we are ready to publish this. That's all I have for this. Do any one of you have any questions?
C: No, that's a great place to start. I think that we can do things because, I mean, I think once we've got it started, then once there's something there, if someone says, well, you know, we could have this, great. That's excellent. I think it'll probably spark more. I think once we've got it started, people will come along and go, hey, it'd be nice if it had..., you know, so it doesn't have to be the definitive list.

A: I totally agree, and the reason is that if we end up thinking a lot and then adding a lot, then it might feel like a really, really huge list, and this list can keep growing. So if we push these changes, it doesn't mean that we cannot add; we can keep adding whenever there is a new feature, whenever there is some deprecation, whenever we figure out something. We could even use this list later to map with the CVEs.

A: I think Pushkar is working on publishing CVEs and stuff like that on the website. So we can say, hey, to mitigate this, this is the recommended thing: don't do this, or enable this feature by default, so that you can avoid the CVE exploitation. I mean we cannot avoid everything, we cannot predict everything, and this is a fast-moving space and too many new things keep coming up, so we can do our best. So that was something that I had.

A: We can just link to so many things, if it makes sense, or we can just keep the CVEs separate from that.
C: You're right, though, the CVE point's actually a really good one, because I think there are four that I can think of which are CVEs that there is no patch for, but there was mitigation advice that was published in the group's post, and people won't go back and look at that. So I think having a central place that said, there are currently these CVEs that don't have a patch, to mitigate them.

A: Yeah, I agree with that. I will think with Pushkar; I know he's working on it as a part of the tooling. I think they can automate and directly dump all the new things that are coming up, and we can work and then make sure that... To be honest, I never... I read the announcements whenever they come from the SRC and SRT.

A: I think I keep confusing that it was PSC, I keep confusing the name. So whenever it comes from the community security folks, I read it and then I never go back, because there are a lot of mails that come from GitHub and the Kubernetes mailing list. So I never go back, and I agree with Rory, so we can do that, and I don't want to take up all the time by just chatting about it.

A: So, I want to thank all the volunteers who said, hey, I'm interested in this. Thanks Muhit and Shreya and another person, I forgot, sorry about that. So, thank you, and if there are new contributors looking to get started, just pick a section. You can work with another person too; it's not like a section is assigned to one person and they have to do it on their own. So you can collaborate as well.

C: One of the things, I put it in chat there in case it's useful, is that I basically manually created a list. It just has the moment links, because in there it's just this little table, yeah. This is one of my sites.

C: I just basically needed somewhere to put stuff so that I didn't forget it, so I thought it should all be put online for everyone else, and that's just a list of all the container CVEs that I know of, and you can see some of them have got no patch available, mitigations and advisory. So that's currently on my site. That's not a great place for it to be; it'd be great if it was on the Kubernetes site, so people can find it.
A: Perfect, that makes sense. We can have an issue and then start. I will check if there is an existing issue; if not, I'll open one, and then you can start tracking there. Thanks again Rory, thanks for maintaining those listings, for posting, and even how to reproduce or how to exploit the CVE. I really appreciate it, so thanks for that. So I'm going to move back to the agenda and, let's see, there is...

B: I hope Pushkar is aware of the civilization. I guess he is, yeah.

C: Yeah, I mean what Pushkar is doing will be great, because his is going to be automatic. I mean, mine's literally manual: I went to Google Groups, went through, clicked the links. This is not a scalable process, but I think what Pushkar will do, if it clicks, if it works, will be great, because it'll just automate the whole thing.

A: I will coordinate with Pushkar on this. Okay, so next up is RBAC documentation stuff. Rory, do you want to take care of it?

C: Yeah, so this is just a thing that... it was something that I came up with with Ian Smart, who I do container security calls with, which is there's a bit of RBAC which we originally thought was a vulnerability, which meant that you can go straight to the kubelet API.

C: If you have certain rights in Kubernetes, which is node proxy rights, it bypasses things like audit logging and it bypasses things like admission control. And we dug around, and actually I've just found out today, because Tim Allclair posted in SIG Security, there is actually an issue from 2019 about this, but it's really not well known; we spent a long time playing around and couldn't find it. So what we were thinking is it'd be nice to have something in the documentation.

C: That said, hey, be very, very careful when you grant this right, because here are the consequences for the security architecture of your cluster. And there are other things in RBAC like that, like impersonate rights, escalate rights, bind rights, that are all kind of there, but I don't think are super well known, and definitely the bit about what the risks of them are, or the consequences.

C: I don't think it's great, so I was thinking, I know we were chatting about this on Slack, the idea of having some list of things you should be careful with in RBAC, and we can get one of those geese that we have in the docs pages, where it says honk, this is dangerous.
A: And that would be really nice. I also have an issue that we were originally going to have a security warning, kind of like with the goose; we haven't gotten around to it. I think it's available in kind or some other place. We wanted to do that, incorporating it in the website. Maybe I have to just poke that issue and see if anyone can help us with that, or if we could assist and stuff like that, or add a tag. Even, I think Tim Bannister would be...

A: I could talk to him, or, like I just spoke, so many new folks have been onboarded to SIG Docs, so reach out and see if we could get a little goose or a little different icon for a security warning, so that it stands out, because it needs to stand out in my opinion. Otherwise it's a lot of text and, yeah, it's hard.

C: In terms of doing that, I've never done the docs page, so I don't really know. Do we just come up with an idea of where we want it to go in the site and then just do a PR, you know, start a markdown doc and then try and turn that into a PR, or should we ask someone to say where would you want us to put it before we start writing? This is the bit I didn't really know.

A: So my original idea was to even have a section, like Shannon suggested that we should have a security concepts section. So this is the time that we could actually kick-start it.

A: I can loop in Shannon and some other folks from SIG Docs and see what would be the right thing, right, yeah, because I think this RBAC guide, whatever that is, the node proxy is just not going to stop there, and we have many things that folks don't know how to use, or what it is even in the first place. And every site, any Google search, you get 10, 20, hundreds of hits, and everything says different things; it can be interpreted in a different way.

A: I'm not saying that we should just police everything. We cannot, but at least coming from an official source where 10, 20 people have vetted it and they are like, oh, this is the feature that we wrote and this is what it means. It'll be nice, because...

C: I can write a blog, I might put it on my company blog and that's fine, but that's a company blog, that's not the docs page. I mean, I probably will do that, just to try and get more awareness of it, but ideally, yeah, absolutely, this should be a docs page that says this is what the Kubernetes project thinks, not what some vendor thinks or what some person thinks. This is the opinion of the project.
A: Yeah, so I'm thinking we can have a security concepts section. I will reach out to the SIG Docs folks and ask what they think, where it would fit. Does it fit under the concepts? There is a section for concepts; does it fit there, and then we can just create a security folder and then go down that path, or wherever. They do have authorization and authentication somewhere in the site, I think.

C: Yeah, because they have stuff about how it works. What I think they maybe don't have is, you know, I'm a person who's tasked with securing a cluster, what should I worry about? So they've got something about how do you administer it and how does it work, but not so much about we're going to provide you with some pointers of things to be careful of, and I think that's where maybe this might kind of fit.

A: I agree with you. I will reach out and figure out a home for this. In the meantime, I think your HackMD... I saw it from the Slack channel and I think it's a perfect place to collaborate.

A: Up to you, however.

A: I totally agree, and it's easier. It also maintains, at least the free version maintains, like 10 versions of the thing. If you want to go back, you can just push to a git repository if you want more than that. And also there is a character limit on HackMD, but I'm not... we will not hit it.

C: I paid for an account as well, because I really like it, so it's like, well, you know, it's something silly like four dollars a month, so it's like, right, fine, I'm going to pay. I'm using this a lot now, because I think it's really cool, so I just paid for them. So actually I've got a paid account, so we should hopefully not hit any limits.

A: Oh perfect, thank you Rory. So yeah, plus one for HackMD, I really like it, and then, okay, open it up for comments or whatever we like, so that not everyone edits it. That would be a little crazy, you know.

A: That'll actually be really crazy, so, perfect. So I wanted to ask you before I shared that, like added the link here, because I wasn't sure if it is a personal thing or if it's not.

C: I wrote it up for SIG Security last week, so we could talk through it, and I've left it open. It's not published, published, but yeah, the link's totally fine. I'm trying to get more awareness of it, to be honest, because when we came across it we were like, this is weird, and when you talk to certain people they know about it, but it's not widely known about.
A: Perfect, and also there is one thing: if you can exploit it... so there are things that people know about, and you cannot exploit them that easily, and that is fine. I mean you still need to have a warning or something, but if something is easily exploitable, or it can be figured out easily, I think that we should have a really big warning, or a mitigation, or at least guide the users like, hey.

A: This is the right way to do it, and if you want to do a node-level, kubelet-level, whatever the API access and proxy, whatever that thing is (sorry, I didn't read everything), whatever it's trying to do: if you want to do this, this is the right way, but beware that this can give you access to the API server and whatnot, yeah, and it's not going to be logged, or it's not going to be caught.

A: And you cannot have OPA or something watching for rules or things like that, right; you cannot watch this.

C: It's that piece of, I think if people know about it, they can architect around it. They can design controls, but if they don't know about it, they won't put those controls in, and so that's the thing for this. For me, the advantage of this is you can give this to cluster operators, but also to distribution creators, people who are writing Kubernetes distributions, and say, hey, if you're trying to create a super locked-down distribution, you need to think about this.

A: Perfect, so yeah, I will reach out and see if they have an opinion on where they want to put all these concepts. I'm also hoping that we will start adding a little bit more stuff now that there is a lot of awareness around it. I mean there has always been awareness, but with all the supply chain security and everything, it has got so much attention, again a little bit.

A: Perfect, okay, I'm going to move on to this one. All right, take it away.
B: Yes, thanks. So it's a small one actually, but I wanted to have your opinion on this because I'm quite new to all this. Actually I responded to an issue from Tim Bannister that has to add some annotations that were not present in the well-known labels and annotations page, and it was a little bit weird because it was the first annotation on non-native API resources.

B: Actually it's on events in the audit logs, so it's quite different from what... so we discussed it in the PR actually with Tim, and I didn't really know what to do. Should we make separate categories for these annotations?

B: So yeah, at first I didn't even notice the difference between the event in the native Kubernetes API and in the audit.k8s.io/v1 API. So...

B: So yeah, he thought maybe a separate category could be interesting, but one of the issues is that not all the annotations are actually pinpointed on a specific resource. So I don't know; maybe I should try to find all the resources and then make a category.

A: This is new to me; I haven't come across it. Thank you for bringing it up. I agree that we should add, make it complete, but I don't think that's possible, so I would just... Don't spend a boatload of time on it. If you could find a few annotations, let's start there, and then we can just have an open issue to audit and keep adding; otherwise we'll just keep waiting on this thing. That's what I think may be possible.

A: I completely agree, they shouldn't be tied. So sorry if I wasn't clear when I said that reorganization, that could be a different task on its own. We'll just create an issue later, and if someone wants to prioritize or start working on it, that's fine. If not... I don't know how many contributors there are in SIG Docs and how many contributors we have, and is it...

A: Is it important to do right away, or is it important to get the security-focused content first and then do all the useful things? I mean you can argue either way; you can always say, oh, if it's not organized, you cannot find the information, and for me, if the information is not even there, what is the point of organizing it? And I also...

A: Anyway, all right, so let me just finish the start, I'll add more to it. So, perfect. Does anyone have anything else to add to that issue or anything on the topic?
A: All right, we just have one minute, so do you both have anything else other than this? Perfect. I don't have anything other than whatever's going on, so I made a post, so probably in the next SIG Security meeting I will talk about the security checklist and see if there are more volunteers who want to take it up, or an extra pair of eyes wouldn't hurt.

A: And then I have the action item to reach out to PJ, and I will also reach out to the docs people and ask where would be the right place to put the content related to RBAC and stuff like that, and that's it. I don't even create...

A: ...an issue later, just have it there, telling that we could organize it this way for the taints and tolerations.

A: That's all from me. Thanks for joining in, I will see you all in a month. Oh, I'll see you all in the SIG Security meeting, and if you can't make it, I will see you all in Slack. If you want anything, just please feel free to post in the channel; you don't have to wait for the next meeting. So yeah.