From YouTube: Kubernetes SIG Security 20221020
A
Right, hello, folks, it is awesome to see you here for yet another Kubernetes SIG Security, the one right before KubeCon. So, let's see, we've got some things, so we'll go around as we do. I'm Tabitha, I'm one of the co-chairs, and I'm delighted to help make this space so that we can improve Kubernetes security together. Oh, and I am referred to as she and they.
B
I'm Ian, my pronouns are they/them, and I'm the other co-chair, and I'm here to hack the planet, learn things, make friends. Hack the planet, learn things, and do that with my friends.
C
Hey folks, I'm Ola Dewberry, I am the sub-project lead for assessments.
D
This is Pushkar, I'm sub-project lead for tooling, pronouns he/him, and I love to make my and everybody else's teams make Kubernetes more secure. True.
E
Hi, Robert Ficcaglia, policy group co-chair. He/him.
F
Hi, my name is Bill Brunson, I'm working in GKE security for Google, and my pronouns are he/him.
A
I love that stylish Datadog office backdrop there.

Right, so this time I will offer to take notes. Usually I would have asked for a volunteer to take notes before we got started; this time I will do that for us, and of course we all do it together. So, you know, feel free to throw in there.

First thing we've got is from Ray. Ray can't make it today. Robert, do you want to say anything about audit status? Otherwise, I'll be happy to.
E
Well, just last time, from discussion with Ray last week, it is still pending for review, so we can't yet release the report officially. But if you have an update on that since last week...
A
That is my understanding of the current status as well: things are still being looked at and going through disclosure periods on the SRC side.
E
Only that at some point, you know, I think we had connected a few months back, but I would love to sync up on the methodologies used and make sure we kind of fold in lessons learned and best practice and bring that forward to the self-audit efforts. Yeah.
C
That would be awesome, and I was actually gonna ping you on Slack, because I'm going to be at KubeCon next week and I want to make some progress on the CAPI self-assessment as well. So I figure we can maybe grab a coffee and, yeah, just write down any lessons learned from your perspective on that experience, and anyone else who participated, and then we can also talk about that too.
E
Yeah, I think we should, anyone who's interested. Let's grab a slot while we're all there, and we can dial in anyone who's not physically there. And yeah, cool.
A
I love this. Now, right, per a Slack update, we will skip forward to tooling and come back to docs at the end. Pushkar, what...
D
So, like we promised last time (I obviously missed the last meeting, but before that), we finalized the next set of features that we want to do, based on the people who gave feedback on the alpha release of the Kubernetes official CVE feed.

So the idea was: what can be done reasonably, in a reasonable timeline, with minimal effort but more impact and benefit to the community. And if something is going to require a lot of effort, I think if the people who suggested it are able to come up with some time and work with us to implement it, we would also do that. But for now the idea is that anything that is short, less effort, but higher impact would be focused on as the next few features.

First, we'll try to do this for version 1.27, because 1.26 is very close to code freeze; we have KubeCon and holidays, etc. And then, once we graduate to beta in 1.27, we'll do another set of feedback reviews until we reach GA in some other future release, some other day-to-day keep-the-lights-on updates.

So thanks a lot, Mahi, for that. Obviously, with the KubeCon craziness going on, I would probably be reviewing it post-KubeCon, but until then, if anybody has written or reviewed Python REST API clients, please take a look at the link for the PR in the meeting minutes and give your feedback. That's it from me.
C
Not as much as I would like, so I still haven't... Enormous shout-out to Terry for sitting with me last Friday to go through just Git and pointing me to the documentation for all of the steps to do things in Git. Really, it's just come down to, like, I still have a big learning curve when it comes to Git. It's kind of hard.

It is really funny, though, because it's like, yeah, it's hard, but I'm also told emphatically that it's also so much better than what was before, which is, I'm like, oh, okay, and then it's like, oh my God, wait. That's really...

Well, that does make me feel better, but I was thinking, since we've got this huge party that so many of us are going to next week, that maybe I could just sit with someone and just do it. Because, yeah, no, the thing that Ray walked me through was super helpful and I understand. It's like, okay, you'd better pull down a copy on your laptop, and then you've got to keep that up to date, and then, you know, syncing it basically with the Git server and stuff like that.

So I understand the high-level motions, but yeah, it's just persnickety, I'll say that. So what I really want to hold myself accountable for is making progress on my learning curve and not being too hard on myself in terms of, like, oh, I haven't made a Slack channel for the vSphere CSI driver yet, I haven't been able to post the doc that I wrote up from my conversation with Pushkar. So just trying to keep myself accountable for at least learning.

Yeah, I appreciate that support, because I'm like, yeah, I'm frustrated at myself, or not, for taking on this project and not making as much progress. But it's like, hey, the learning and becoming a part of the community is also really important. So I was also thinking, at the end of all this, I could just record myself doing a demo, like, okay, everyone, here's how you update something in Git, the documentation is here, and just handing that to SIG ContribEx, because, yeah, it's hard, and I appreciate everyone who's really experienced with this stuff saying it's hard.

So, yeah, I would love to bang that out at KubeCon, but then also using, like I was mentioning before, the time at KubeCon to meet with you, Robert, Pushkar, I know Nadir, just a bunch of the folks who worked on the CAPI retro, and I'm just pulling from the list of authors and reviewers.

I was also Slacking with some of the VMware folks who are on the CAPI team, and they're all going to be there, so yeah, just, like, let's, you know, just get into a room for half an hour and jot down some lessons learned. I think we can just bring that out, and I think, Robert, that will be a really good set of lessons learned that we can share, and you know you can put it into other material and stuff, and we can just codify it for the community. So that's what's going on.
A
That sounds fabulous. Further thoughts or discussion about self-assessments?

Thank you, Eric, in the Zoom chat, for the link to a DevOps Days talk about...
A
We will circle back now to docs, and what we've got here first is an issue related to the discussion that David brought up recently about how we can add some documentation references to questions about, especially, runtime monitoring. So I will call this out. I'm skimming through it; it looks like there's some good discussion and detail on this issue now.

So if you have a little bit of time, that seems like a cool thing to have a look at. Report here on the focus areas that we are going to see from SIG Security Docs over the next couple of quarters: Kalyn is working on the Kubernetes hardening guide, always looking for other folks who are interested in that and want to contribute, kind of an in-depth expansion of the checklist.

Other focus areas: API server bypass risks, so various things that one can do once they have administrative control over a node or over a whole cluster to, you know, have obscured their intentions of making further changes to the system. Shout-out to Ian and Brad's talk from KubeCon in LA on this subject; it shared a lot of things that opened people's eyes.
K
On the link to the hardening work, where can I read about that?
A
I am not sure offhand. Rory, do you know offhand where the work in progress there is?

We've got an issue here called out about hostPath volumes. Yeah, hostPath volumes can be a powerful escape hatch; the language on the documentation there has been pretty famous for a few years now, and I love this idea of expanding that out.

Helping people understand it a little better. Continued work on the confidential computing on Kubernetes blog, and it looks like folks are planning on starting to put together an RBAC tutorial. And I love the idea of an RBAC tutorial, because Kubernetes authorization gives you so much freedom to craft authorization config in your cluster that's so complex that nobody can understand it. So tutorials there are definitely welcome to help people make responsible use of the flexibility that Kubernetes RBAC gives you.
A
All right, so now we are into the things that we have put on the agenda after hearing what's going on in subgroups. First thing here is two things about the KubeCon talk. Ola, do you want to take this?
C
KubeCon talk: a couple of things, actually. So for the self-assessments part, I think it's a 35-minute block, so I've been practicing my piece, and my piece is like 10 minutes. So I just wanted to give folks a heads-up that, yeah, because we want to talk about all four sub-projects and then, Tabby, give you some time to talk about SIG Security and who we are and what we do. So I figured, like, yeah, 10 minutes seems like a good... that's kind of what I was... oh, sweet, yeah, oh, okay, yeah, so anyway, that's good. Okay, so 10 minutes, so I'm not taking up too much time.

Also, as a heads-up, I'm gonna use that as a promotional opportunity to ask, like, hey, you know, the vSphere CSI driver assessment is next, our group is forming, if you are knowledgeable about the vSphere CSI driver... I have contacts at VMware who I can work with, obviously, but, like, you know, the more the merrier; the idea is to share knowledge.

And yeah, and also, this is a bit of a sidetrack, but I was just thinking about, like, oh, a really good high-level goal for self-assessments is... I was just thinking, like, oh, you know, a really good vision is to just have our self-assessments folder with a folder for every single SIG and sub-project. That would be awesome, because that means that we've spread knowledge about, like, giving people the tools to be secure.

For themselves, exactly. I was thinking about that as a North Star for the sub-project, because that means that we're sharing knowledge about how to do this, and that's really the whole thing. And then also I just wanted to remind that...

We need to submit the slides as soon as we can, so I'll put a link into the notes for that. I think we just need a couple of bullets on a few more slides, but I've got it in the right template and stuff already, so it shouldn't need a ton of work. I'll copy that link in right now, and yeah, I think that's everything I wanted to say.
A
Thank you for the work that you have put in to herding cats with respect to our co-presentation there. I will admit publicly that I have been the cat that has been hard to herd, and so I feel like it is especially important for me to express my gratitude for...
I
Yeah, yeah, not much progress, because they mostly... I didn't have the idea to put it in their notes, so they were like, yeah, there is nothing to talk about, so let's cancel all the meetings. Okay.

Yeah, so yeah, it will be in some time, so I think you proposed to maybe go along with me. Yeah.
A
Yeah, I'll be happy to go with you, assuming that I am available. I am going to be out of pocket for some time; I'm going to be on leave for a couple of months toward the end of the year here. But if I'm around, I'll be happy to come with you, and if not, I'll also be happy to help you find another buddy. I think using the buddy system is always good. It just helps us to feel easier to engage.

Thank you very much for keeping all of us up to date on how that is going. Looks like the next thing we have on the list here is from Bill, and as a person who has done CVSS scoring for Kubernetes...
F
Good, yeah, I hope this was the right audience for this. You know, I think many of us have had to do some CVSS scoring in the past. We experienced a lot over in GKE land, and, like, yeah, it's just wildly inconsistent, you know, between each person who comes up; it's just kind of throwing darts at a board. I mean, things like... and I think the problem that I've run into when I've been thinking about this is that CVSS scoring wasn't made for a distributed system like Kubernetes, right.

So when you look at something like attack vector, you're like, well, it's the kube-apiserver, it must be a network attack, except that's, like, the highest class of attack, and it elevates all of your scores, even if it's some minor thing. You know, privileges required: everyone debates over what's a non-low and high privilege in Kubernetes, and so I was thinking about...
F
Excellent, yes, and I totally agree there. Yeah, I consider that absolutely, and so I've been thinking about this internally to help out our incident response folks, and then I saw that Tim over on the SRC put together an open source bug to help document the guide to interpreting CVSS. And so, yeah, I've started to put together my thoughts and want to come to you all to say, like, hey...

I think I'd love to have a conceptual mapping of, like, this is how Kubernetes actually maps into CVSS, because that's where I think I've noticed the biggest difficulty is: at a high level, it's hard to think of Kubernetes as the system or the components in CVSS. And so, if there's a way to map those through, I think we'll find more consistency and ease and less mental tax with doing these things. So, yeah, where should I start with...
D
I probably don't have a suggestion, but I have a question. So I saw a link to a PR, to the issue that you shared. What I was wondering is: whatever is in the content of the PR, is that going to help you, or whatever you're thinking of writing or suggesting, will it be complementary to what is in this PR, or is there some overlap? So I wasn't really sure what would be the overlap, if at all, and if maybe this is what you're looking for, and then if that's the case, isn't that great?
F
Right, let's see, okay.
D
You don't have to answer now, because it's a long period, so I totally appreciate, yeah, getting back later as well.
F
No, I think this is... so I've actually been working with Tim Allclair, kind of running my thoughts by him, since he's a fellow Googler, and so I think these are orthogonal efforts, in that a lot of this is kind of saying, hey...

These are, at a heuristic level, what we consider critical, high, medium, low, and then there's the more mechanical aspect of CVSS, where you're going in and you're clicking the buttons and saying local, low. And that, I think, still, unless you are one of the security... or some, like, ordained security priest, it's still very fuzzy as to what...
G
I did this for pen testing for many years, and most of the time we used to click the buttons to make it come out as the result we thought it was. So we thought, this feels like a medium to me; it's like, what buttons do I have to click to make this into a medium? Okay, good, now I've got that where I needed it to go. So yeah, that's...
F
Exactly it. I found myself doing the same, and so, yeah, if we can start to build some community consensus and converge on maybe a bit more consistency, I think that would be a super useful exercise. We may not get there, but it's worth at least the journey.
A
Well, and if it helps to reduce the feeling of reinventing the wheel that I know I have every time I'm trying to CVSS-rate a Kubernetes CVE, and just from speaking with my peers I feel like that feeling is quite common. Like, yeah, even if it just helps folks to feel a little less alone and, yeah, like you said, circulate some ideas so that there is some more consistency, then that would be a good success.
G
I think it'll be really interesting, because I don't think you can really have a CVSS for Kubernetes. Or you can have one for Kubernetes, but no one really deploys Kubernetes. They deploy kubeadm, GKE, AKS, EKS, and the CVSS scores are different, right? Because if I'm deploying a managed Kubernetes distribution, some things which are bad in kubeadm are totally not bad in managed, because it's a control plane thing that you need to be on a control plane node to get to, at which point is it really a risk? Probably not, or it's harder anyway.
A
We end up having these sorts of conversations of, like, what are the various kinds of configurations, and how severe is it in those different ones, and then trying to balance making sure that the worst case is represented in the CVSS, so that way the folks who are most affected won't just skim over it because they see it's a low, but also making clear, usually in the textual part of the announcement...

...what are the conditions under which something is affected. And so, you know, you end up with, like, CVSS 7 vulnerability announcements where it's like, if you are in this three percent of the user population who is using these four obscure features in combination, then this is a CVSS 7 for you; otherwise, this doesn't affect your cluster. And, like, with so much flexibility in configurations, it does make that a challenge.
G
Yeah, and it's really difficult then, because all the tools just pick up "seven, Kubernetes, done" and start punting it at people, which is a nightmare. Because then most people, as you say, like the 97 percent, are like, that's not a seven for me, but CVSS doesn't really have a mechanism for that. And a project like Kubernetes is almost unique in that way, in that there's, like, you know, whatever, 100 distributions, and then on top of that how you use it, but there's still 100 distributions.

You could do things differently and affect the effective score, but you don't really see that; you don't get, like, a Rancher version of a Kubernetes CVE, really.
A
On one hand, I feel like you see that a little bit in things like sudo, where you have some kind of bug in sudo, but then, depending on the defaults that different distributors ship, they may also put out their own CVEs for their distribution of it, you know, that either rate it higher or lower. But it's still a little different, because in general we don't have the exposure to memory-safety bugs that sudo has.
F
I think that, you know, these are really good points, because it's, yeah, it's a very high configuration surface, and I think maybe that's kind of what folks are getting at, right? It's like there's not a lot of software that you can run out there that has this many knobs and dials that you can turn, and defaults, to change the security posture. And yeah.

Yeah, and so I think maybe that is part of it, is kind of clarifying, you know, that the expectation would be that obviously we would score for open source as just, like, I don't know, a defaulted version. And I think one thing that I'd put forward in GKE is that we generally score at the default, like...

Or, and I think it's really about coming together and agreeing, like, do we consider the defaults to be what we score against? Is it best practices? So we are talking about putting out a new Kubernetes hardening guide; is that the baseline that we're scoring against? And I think that also helps add in some clarity, like, you know, we have multiple ways in which you can configure this; which is the benchmark that we're scoring against? And then also clarifying that we expect platform providers to redo this for their response.
A
You know, it would not help to make Kubernetes safer for people, like, yes, if you leave the door unlocked, then the door is unlocked. But exactly, yeah, yeah, so, like, yeah, these things are hard.
G
So you could say, you know, here is how we do this and here's how you should think about it. So if you are a distribution provider, you need to think about, like, how does this affect us and our use of it, and just, like, almost making that clear to people. And then we kind of maybe even point people at it as part of the CVE feed and say, hey, if you're reading Kubernetes CVEs, please go and read this document as well, because it may affect how you view this. And I know the tool...
D
Yeah, I like that idea, and to make it more concrete, what we could do is: CVSS 3.1 has a category in the calculator called environmental score, so I was thinking each distribution can be considered an environment, and then we recommend to them in the documentation that we as SRC are not going to rate your environment, because you know your environment the best. So our recommendation is: on top of our CVSS scoring that we will share, make sure you do your environment scoring and then let the consumers of your distribution know...

...what you think, with the assumptions you make, is the actual CVSS score for your distribution. So that might give people some chance to also show what secure-by-default things they are doing, and at the same time they will look carefully at the score that we are giving and see whether they agree with it or not, with their assumptions.
F
Yeah, I think, yeah, I like both those ideas. The other thing that I have been working on is sort of that more raw, like, you know, what is an attack vector in Kubernetes? What are privileges required? And I've been starting, slowly working, to put together a doc about that, and I think, you know, I'm gonna incorporate this feedback. Then, if I want to start sharing that with folks to gather feedback, what's the best, I guess, channel to do that through?
A
Assuming that you mean, like, asynchronous and textual, folks generally have good luck with using Google Docs; there's also some work that folks do in HackMD. You know, it's kind of a question of flavor: HackMD has some cool features, Google Docs has comments, like...

I enjoy a workflow where folks make a lot of comments. I personally like to switch to suggest mode and type my own things in suggest mode and then comment on my own suggest mode, being like, this is what I was thinking when I started proposing putting this in here, but, like, I don't necessarily agree with myself.

So please, somebody else, like, think about this and hit accept if it's not just me, but if it's a thing that more than one of us can agree with. I tend to like those sorts of workflows, and so, you know, therefore I tend to favor Google Docs for these kinds of things. You can share it to the kubernetes security at googlegroups.com, and then everybody who has opted into this meeting invite will get it.

You know, and drop a link: if you do a Google Doc or HackMD or something, drop a link to it in the Slack channel, drop a link to it back here in the meeting notes under this discussion item, so that then, you know, when somebody asks the question of who is working on that and where, we can go and look and see who was working on that and where.

Other thing that I have seen work really well, when there is a lot broader range of ideas and feelings about a topic, and the folks who are working on it are much farther from consensus, is I have seen folks start a temporary series of essentially ad hoc working group meetings. You know, being like, well, a lot of us want to work on this. We have a lot of things to discuss to figure out where we all want to move it as a group, so, you know, at such and such time we're gonna have a meeting to do that.

And so that's a thing that we as SIG leads can help with mechanically. You know, we can put invites on calendars, we can create Zoom meetings. And so I think it depends on how many folks are involved, how far you are from finding consensus, and how the folks in the group tend to work together best. You know, some folks are very biased towards asynchronous work.
F
Very, yes. I think I'll probably start with a Google Doc in the coming weeks here, shared out to the group, and we'll see how... if the comments turn into an exciting firestorm, maybe we'll talk about having a working group. Yeah.
A
I really like that idea, and honestly, that's one of the things that I am really proud of us as a group for: we can come together with the right amount of organizational overhead to do, you know, whatever the task that we need to do is. So, like, if y'all need to have three meetings every two weeks, you know, over the course of a month and a half, to figure out what the temperature in the room is, then that doesn't need to be, like, a huge logistical challenge.

You know, we don't need to do paperwork for that. We just put out the meeting invite; people who are interested can show up; you can do the thing. You know, then later on, if it turns out, you know, actually, this is going to be a year-and-a-half effort involving people from, you know, seven different walks of life, then it's like, oh well, Kubernetes has working groups for a reason, like...
F
Awesome, yeah, well, thank you very much for all that advice, and be on the lookout for these in the coming weeks.