►
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
As cluster-admin, you’ve probably done due diligence using RBAC to create “non-admin” users and service accounts with narrowed access, but did you know that most cluster setups give anyone the ability to create a single Pod to land on any node as root?
In this Webinar, we’ll demonstrate the “escape” vector mentioned above, and then explain how Pod Security Policies (PSPs) aim to tackle these kinds of issues by restricting what Pods can do. Lastly, we will explore the instrumentation we use to build PSPs, roles and their bindings in a sustainable way. By the end of this webinar, you will understand how to easily build a progressive PSP “hierarchy” from privileged to fully restricted and then bind them to specific subjects (users, groups, service accounts, etc) to help you build more secure Kubernetes environments.
A
All
right
so
I'd
like
to
thank
everyone.
Who's
joining
us
today.
Welcome
to
these
this
CN
CF
webinar
on
understanding
and
deploying
kubernetes
cloud
security
policies,
I'm
Mario
Laurie,
your
host
I'm,
seeing
CN
CF
ambassador
and
a
DevOps
engineer
at
stock
X
I'll
be
moderating
the
webinar
we'd
like
to
welcome
our
presenter
wonho
Karl
Entei,
a
staff
engineer
at
VMware,
just
a
couple
housekeeping
items
before
we
start
during
the
webinar
you're
not
going
to
be
able
to
talk
as
we
have
everyone
muted
so
on
who
can
can
present?
A
There
is
a
Q&A
box
at
the
bottom
of
your
screen.
Please
feel
free
to
drop
your
questions
in
there
and
we'll
get
to
as
many
as
we
can
by
the
end.
So
we're
gonna
move
on
ho
about
45
minutes
and
then
we'll
have
10
to
15
minutes
for
questions,
so
the
session
is
being
recorded
and
will
be
sent
out
afterward
with
a
link
to
the
presentation
again.
Thank
you
very
much
for
joining
us
and
with
that
I'll
hand
it
over
to
wonho
to
kick
off
cool.
B
Thank
you,
Thank
You
Maya,
thanks
folks
for
joining
us,
so
on
coworkers,
as
a
reformed
nominal
part
of
being
were
I
were
from
the
beautiful
city
of
Mendoza
yeah
beyond
the
sea
in
Argentina.
So
the
purpose
of
this
seminar
is
essentially
to
share
our
experience
while
deploying
kubernetes
pod
security
policy
policies,
indeed
in
our
bitNami
clusters,
main
point
being
in
the
sharing
sharing,
pragmatic
experience
and
on
our
concerns
on
on
on
issues
that
we
have.
Why
deploying
them
so
a
bit
of
agenda,
so
we
first
were
going
to
cover
why
we
need
possibility
policies.
B
We
will
show
this
in
a
very
pragmatic
way
how
kubernetes
approach
them
then,
how
how
to
implemented
this?
This
will
be
our
particular
take
on
how
we
did
it
at
vietname
and
then
some
some
some
considerations.
So
essentially,
this
would
be
kind
of
mix
between
showing
use
that
the
main
points
and
artfully
going
through
a
bit
of
demo
ish
to
show
it
so
essentially
the
the
the
main
thing
behind
is.
B
If
you
can't
record
what
you
can
do
with
your
cursor,
your
eye,
you
may
you
may
recall
that
you
you
be
able
to
do
something
like
docker,
that's
pretty
legit
and
then
running
container
running
container.
That
has
access
to
the
no
devices
or,
if
you
do
be,
be
able
to
mount
any
path
into
your
container
or,
if
you
do
cost
equal
net
be
able
to
use
in
essentially
the
same
and
working
as
the.
As
the
note
word.
A
B
Your
container
will
be
run
instead
of
on
own
namespace.
So
the
the
interesting
thing
about
this,
if
you
can
create
a
pose
in
kubernetes,
without
all
security
policies
in
place,
you
can
essentially
do
these
in
the
node,
where
your
path
will
be
running.
So
this
is,
at
least
for
me,
was
quite
shocking
to
see
this.
This
behavior
is
clearly
documented
in
communities
if
you,
if
you
hit
a
part
of
documentation
but
to
actually
get
a
bit
of
feeling
of
how
what
you
can
do
with
this
I
will
show
you
what's
on
the
screen.
B
That
will
show
you
actually
on
on
the
common
line,
but
just
more
or
less
to
put
that
put
us
in
in
context.
So
we
start
from
using
and
an
account.
This
is
actually
a
service
account,
as
has
been
handed,
has
been
enabled
to
be
able
to
create
an
important
in
particular
namespace,
but
only
that
and
then
we'll
see
how
we
can
use
that
ability
the
ability
to
create
a
pod
anywhere
to
actually
jump
into
the
node
and
then
lands
there
at
some
node
as
fruit.
B
B
B
This
context,
let's
flip
to
if
you
do
to
do
that,
one
as
you
can
see
if
I
do,
if
I
ask
myself
with
my
current
permissions
to
say,
can
I
delete
a
note.
No,
can
I
create
cluster
role
binding.
That
will
allow
me,
for
example,
to
assign
myself
my
very
s.
A
trusted
admin
privileges
nope,
but
I
do
III,
do
can
I
can
create
pods,
so
I
will
do
that.
Let
me
show
you
can
I
create
for
in
the
namespace
this
simple
I
do
cool,
so
let's
do
that.
B
I
will
go
over
and
now
just
created.
We
said
it's
discreet
by
the
way
at
the
end
of
presentation
that
will
that
we
be
a
pointer
to
the
slides
and
the
repository
with
all
these
scripts
that
I'm
using
here
and
we
will
over
go
over
this
scrip
also
again
doing
the
presentation.
So
there
that's
one
of
the
cops
knows
and
their
route,
as
you
can
see,
I
essentially
add
the
nose
if
I
I
will
change
the
day.
Just
to
show
you
that,
indeed,
I
am
there.
B
Just
I
just
landed
at
the
node
I
can
essentially
I'm
there
networkers
do
whatever
I
want
with
no
I
will
go
further
on.
Actually
that
was
a
worker
node
to
say:
I
will
go
to
masthan
all
so
essentially,
what
I'm
doing
here
with
this
low
privilege
service
account
I'm,
essentially
London
at
the
master.
So
I
can
then
ask
myself
the
same
questions
like
can
I
create
less
reminder.
Binding
of
copious
can
I
can
I
delete
notes.
Yes,
so.
B
Let's
go
back
and
see
what
happened
here
so
essentially
what
I
just
did
this
is
an
excerpt
from
the
script.
I
was
just
running,
so
what
I
just
did
I
I
did
the
normal
keeps
it
will
run
to
create
both
normally
by
them.
With
some
specific
overrides
I
asked
it
myself
to
have
a
privileged
container.
I
also
requested
to
be
able
to
use
the
same
horse
PID
9
in
space
and
by
means
of
this
I
by
executing
sorry
executing
this
very
command.
B
So-
and
here
is
what
it
comes,
this
is
this
can
be.
Is
this
can
be
easy
to
understand,
because
you
can
see
the
point
of
possibility
polls
here
what
we
try.
What
we
are
trying
to
do
here
in
this
is
to
apply
policies
to
the
fields
that
you
can
specify
here
so
essentially
policies
the
list
of
of
these
fields.
This
particular
security
sensitive
feels
that
you
can
actually
say
say,
for
example,
I
I
do
not
allow
privilege
to
be
specify
for
this.
B
B
B
The
thing
is
that
you
have
this
that
this
this
is
the
security
policy,
and
then
you
need
to
be
able
to
associate
because
usually
in
a
running
classes,
as
you
can
imagine,
you
may
have
a
handful
of
security
policy
different,
have
some
work
laws
that
need
to
be
privileged.
Typically,
those
were
all
running,
for
example,
in
the
chip
system.
B
Other
world
locks
that
maybe
not
prepared
to
run
as
non-root,
so
you
may
actually
want
to
allow
them
running
as
root
containers
are
root,
but
for
these
particular
word
laws
you
may
also
want
to
limit
not
to
be
able
to
mount
pieces
of
the
nose
cross
pass
into
the
container.
So
the
thing
is
that
how?
How
do
you
associate
your
word?
B
Laws
with
this
particular
possibility
policies
and
the
answer,
as
you
may
or
may
already
guessed
is
our
buck
are
buddies
generally
mechanism
from
for
from
kubernetes
to
do
this,
where
you,
essentially,
if
you
recall
our
buck,
you
had
this
roll
bindings
that
actually
point
to
a
role
so
role
binding.
It
says
who
can
and
then
roll
this
all
the
things
that
these
subjects
will
be
able
to
do
once
bound
leaders
role
as
you
consider
in
this
life
Robin
is
who
can
and
Rowleys
do
what
on
those
resources.
B
So
in
this
particular
case,
for
example,
you
have
this
this.
You
say
you
said,
oh,
that
actually
Sabol
to
use
the
dev
role
and
the
dev
role
allows,
allows
him
to
create
and
get
config
mats
and
we're
going
to
use
these
also
for
PSPs.
But
here
comes
the
twist.
The
thing
is
that
for
PSPs,
as
you
can
see
for
normal
our
buck,
the
end
point
for
the
specification
of
the
set
of
permission,
samples
of
the
ACL
that
that
you
can
do
ends
up
in
roll.
B
So
the
roll
contains
the
policy
to
say,
as
you
can
see,
the
roll
says
you
can
do
this
or
that
against
these
particular
resources,
the
kind
of
extract
complication
with
PSPs
arises
from
the
fact
that
they
are
actually
a
third
level
of
indirection.
For
example.
Here
here
you
have
the
same
user
that
we
say.
Ok,
you
can
use
this
privilege
role
and
actually
it's
non
previous,
because
it's
previous
false,
but
you
can
use
this
pre
pro,
that
points
to
this
particular
role
and
then
the
rule,
it's
not
as
say
as
rich
as
the
normal
arbitral.
B
But
usually
these
roles
are
very
small
and
they
just
say
things
like.
For
example,
you
can
use
this
particular
PSP
and
then
point
to
the
PSP
and
it's
the
PSP
who
cause
all
these
pills.
That
I'd
show
you
a
couple
slides
before
when
you
can
say
this,
you
are
allowed
to
do
this.
You
another
way
to
do
that.
This
is
a
very
important
thing
to
keep
in
mind
because
it
complicates
matters
when
you
when
you
need
to
actually
ride
your
manifests
for
for
this
policy.
B
Then
you
have
the
issue
that
you
will
normally
name
is
Hollis,
as
we
already
know,
and
then
you
will
have
to
find
names
for
your
role,
bindings,
finance
for
your
roles,
finance
for
your
pond
security
policies
and
and
then
it
comes
the
complication,
especially
when
you,
when
you're,
when
you're
trying
to
deploy
them
I
will
go
over.
And
let's
see
these,
let's
put
this
in
practice
just
with
this
with
this
overview.
So
what
I'm
going
to
do
here,
I'm
going
to
enable
PSP?
B
B
Spa
security
policies
is
important
to
keep
in
mind
that
prosecutors
policies
themselves
are
implemented
in
a
mission
controller
by
the
kubernetes
api,
and
once
you
enable
that
a
mission
controller
essentially
will
allow
nothing
unless
it
has
the
QT
policy
that
that
opens
the
the
set
of
permissions
to
be
able
for
the
world
run.
So
usually
the
workflow
is.
You
first
need
to
to
apply
the
PSP's,
even
without
enabling
them
at
the
API
endpoint
and
then
enable
them
at
the
API.
B
But
to
our
context,
recall
that
we
are
here
the
my
cops
cluster
with
this
low
privileges
account
I'm,
going
now
to
login
to
the
micro
at
this
endpoint
API
mask.
This
is
essentially
the
same
place
where
we
arrived
before,
but
doing
this
non,
some
tomato
rather
I'm
going
to
manually
did
I.
Did
the
kubernetes
api
manifest
by
the
way
normally
cops?
If
you
see
the
cops
documentation,
you
have
formal
way
to
do
this.
The
proper
way
to
do
this
would
be
to
actually
modify
your
cops.
B
Manifest
say
that
you
want
to
enable
this
pol
security,
this
new
on
mission
controller
and
then
do
a
roll
out
just
to
go
over
here
and
and
for
for
clarity,
I'm
going
to
do
this
manually.
Usually
you
won't
do
this
in
a
production
cluster,
because
this
will
be
overridden,
for
example,
is
the
master
knowledge
replace
it,
but
we
are
seeing
here
essentially
said:
yeah
Mel
manifest
for
the
border
runs
the
cube,
API
endpoint,
and
if
you
search
here
for
a
Mission
Control,
you
will
see
this
is
the.
B
This
is
the
normal
line
for
a
mission
controller.
This
is
the
fault
that
comes.
We
comes
with
cops.
I
will
just
adhere
possibility
policy
as
another
a
mission
controller.
This
is
not
pretending
to
be
a
lesson
on
how
to
enable
it,
but
just
to
show
the
defect.
This
is.
This
is
something
important
I
want
I
wanted
to
show
you
while
we're
running
them,
so
I
have
already
uploaded
my
my
set
of
PSPs
I
just
enable
them
if
I
do,
for
example,
peace,
facts
grab.
B
B
Can
now
get
pod
on
online
spaces,
because
I'm,
usually
indeed
this
this-
this
low,
privileged
account
I'm
going
to
now
switch
to
my
cluster
that
mean
that
I
have
for
this
cluster,
as
you
can
see,
I
have
I
have
they're
kind
of
mostly
unloaded.
Cluster
I
had
created
some
warlocks
there
that
you
see
here,
NS,
Madrid,
non-root
and
restricted
I
already
uploaded.
B
As
you
can
see,
they
are
not
running
anymore,
so,
just
to
just
to
comment
a
bit
about
these
particular
namespaces,
more
or
less
than
the
name
is
self
informative.
So
on
this
namespace
you
may
actually
run
your
walrus
or
food.
You
are
not
allowed
to
privilege
it
or
do
host
mounts.
This
is
strict
non
root
and
this
is
more
restricted.
So
it's
not
only
the
non
root,
but
also
in
our
particular
tools
of
these
security
policies.
We
are
also
receiving
the
file
system
to
be
read-only.
So,
let's
see,
let's
see
some
of
the
URLs
here.
B
If
you
see,
for
example,
mail
route,
I'm
running
there
nginx
stock
container
from
from
nginx
top
image,
this
one
then
I'm
running
one
that
is
still
by
bit
Nami.
That
is
non
route
by
default.
So
and
you
can
see,
for
example,
that
is
in
this
particular
namespace
that
has
the
policy
or
that
it
needs
to
be
non
route
or
gloss.
You
can
see
that
they
be
dummy.
Nginx
is
running
fine,
but
then
the
stock
has
failed
to
create
the
actually
create
the
container.
Let's
see
what
is
telling
about
it,
this
is
normal
startle.
B
Let's
see
what
happened
there
with
NS
restricted
in
space.
As
you
can
see,
this
will
be
all
evidently
the
same
because
essentially
has
the
same
constraints
but
in
the
case
of
this
container
is
actually
crash.
Doing
crash
loopback
off
so
essentially
every
Andrew
trying.
So
in
this
case,
let's
go
over
the
logs
just
to
see
what
is
going
on
there.
B
And
you
can
see
there
that
the
instrumentation
of
this
container
this
image
when
it's
artist
is
one
it
wants
to
create,
filed
an
income
not,
and
then
it
fails.
So
this
is
just
a
quick
view
of
the
kind
of
issues
that
you
may
get
when
you
actually
flip
and
enable
the
possibility
policies
just
to
just
to
show
you
the
complete
picture
and
try
to
exploit
this
and
going
to
assess
I
did
before
I'm
going
to
switch
over
to
this
low
non-privileged.
B
It
security,
sorry
I,
say
and
try
to
exploit
it
again,
but
using
the
same
screen
and
then
you
can
see
I
can
not
do.
In
particular,
house
is
exactly
bombing
from
on
the
hostile
and
asking
for
the
cost
number.
But
if
I
try
to
comment
all
these
fields,
I
will
still
hit
some
point
when
I
want
to
be
privileged
and
so
I
also
had
repair
there.
You
will
see.
B
Skidded
does
not
say
it
doesn't
require
privileges
that
actually
is
trying
to
abuse
this
by
doing
volume,
amount
of
boron
and
then
once
once,
it's
able
to
mount
boron
trying
to
do
it.
Docker
common
inside
the
very
docker
to
try
to
this
kind
of
running
docker
inside
the
very
container
to
try
to
go
over
the
same
comment
that
I
did
before
it
actually
works.
But
if
I
try
to
do
this
now,
you
see
well
that
it
will
fail
because
I'm
not
being
able
to
actually
use
at
volume
time
that
balm
type
that
is
hospice.
B
So
now,
switching
over
to
our
actual
experience,
while
trying
to
deploy
this
in
our
in
our
dynamic
clusters,
as
I
was
I
was
telling
me
for
naming,
is
a
key
here
from
several
aspects.
One
is
it's
not
enough
going
mad
on
the
on
the
naming
that
you
use
it
because
you
will
need
to
in
particularly
when
they
took
finance
for
peace,
peace,
peace,
peace
are
sensitive
to
sort
order.
The
thing
is
that-
and
this
is
something
very
important
to
keep
in
mind.
You
cannot
attach
several
PSPs
to
a
pause,
be
an
Arabic
normal
Arabic.
B
They
will
get
sorted
and
the
first
one
is
what
order
will
be
selected.
That's
why
that's
why
it's
order
in
this
way
from
from
more
restricted
to
less
restrictive
in
our
particular
case,
because
of
the
kind
of
worlds
that
we
are
using,
we
ended
up
crafting
one
that
we
called
male
role
as
you
can
see
that
will
contain
beta,
honest
rules,
but
obviously
without
any
privilege
and
without
being
able
to
use
horse
directly
useful
sources
like
knowing
past
and
so,
and
then
we
created
we.
B
We
created
this
this
other
policies
that
are
more
versatile,
created,
also
privileges
that
were
using
explicitly
and
only
in
the
keep
system
and
space
and
other
namespace.
You
brought
this
come
seconds
from
the
bigger
project
where
we
we
run
our
monitoring
on
a
login,
but
this
is
very
important
and
also
to
kind
of
tie
all
tie
all
these
together
to
so
that
the
cluster
or
binding
points
port
to
the
proper
cluster
roll
and
then
points
to
the
to
the
PSP.
B
Let
me
show
you
how
we
did
this
I
have
a
fuel
and
see
yeah
I
have
I
have
some
to
me,
so
I
want
to
show
you
how
we
actually
instrumented
this.
We
are
fans
of
using
JSON
it
for
our
manifests.
I
know
that
Jason
has
hand
sometimes
can
be
a
beast
to
has
a
kind
of
steep
learning
curve,
but
let
me
show
you
more
or
less
how
this
these
are
actual
excerpts
from
from
our
very
implementation
that,
within
our
classes
so
reminded.
B
Press
the
wrong
key
here,
so
what
we
want,
we
want
to
keep
more
or
less
saying,
is
all
the
timing,
everyone
on
all
of
these
roles,
so
that
is
easier
for
me
as
aside
right,
by
manifests
at
with
PSPs,
to
maintain
this
rose,
saying
and
let's
say
know
that,
because
I
just
changed
the
name
of
some
particular
cross
the
road,
because
now
it
needs
to
cope
with
difference
kobani
to
rename
this
this.
This
cluster
role
of
the
PSP
I
need
to
grab
for
all
the
places
where
I
point
to
it,
but
I
totally.
B
To
avoid
doing
that,
then
we
can
use
this
kind
of
hi
this
you
can
use
Jason.
It
will
tie
all
this
together.
Let
me
show
you
quickly
what
what
how
it
is
implemented,
for
example,
this
is
pretty
much
available,
so
essentially
this
this
will
just
create
a
manifest
for
SP
SP.
We
created
a
mini
library.
There
are
just
order
PSP
that
will
essentially
put
a
tea
privilege
it
as
the
name
of
the
PSP,
and
here
we
declare
what
we
do
as
privilege
this.
B
This
is
the
PSP
that
we
reserved
for
the
kind
of
system
portals
the
nice
thing
about
this
construction
is
that
you
can
derive
for
it
from
it.
For
example,
you
have
here
my
route
that
my
road
is
actually
derives
from
privilege.
It
has
a
different
name,
it
will
be
60
mebroot,
but
it
has
all
this
bit
forbidden,
so
essentially,
you're
not
is
just
as
the
privileged
about
without
being
privileges,
without
allowing
privilege
escalations
is
essentially
sudo
allowing
that
they
contained
the
sudo
and
they're,
not
allowing
any
of
these
of
these
cost
resources.
B
We
already
find
what
we
think
that
our
safe
volumes,
these
come
from
the
general
documentation
and
then,
as
you
can
see,
we
can
go
then
over
and
say
non-root
derives
from
main
route,
but
that
actually
puts
all
these
additional
additional
required
additional
restrictions
on
it
and
then
restricted
us
us
over.
The
nice
thing
about
this
is
that
with
a
bit
of
instrumentation,
I
want
to
show
you.
B
This
full
three
of
manifest
manifests.
You
can
see
they're
all
the
ones
that
are
called
PSP
CR.
As
for
cluster
rolls,
this
is
classical
binding.
In
particular,
as
I
mentioned,
we
have
a
single
single
cluster
row
binding
that
we
selected
for
a
particular
use
case.
Now,
if
we
chose
based
on
on
exploring
our
wall
gloss
and
as
you
can
see,
this
is
may
route,
and
then
we
have
there
all
the
cluster
rows.
Glass
roles
do
map
one
to
one
with
the
PSP's
that
we
are
using.
B
So
you
will
see
here
the
cluster
rows
and
here
the
PSP's.
There
is
some
interesting
note
about
this:
I
will
toggle
in
the
middle
of
this
peak.
A
peak
is
restricted
and
open
shift
restricted,
and
then
we
are
applying
particular
PSP
roll
bindings
to
particular
main
spaces,
where
we
will
want
them
to
be
privileged
going
back
to
the
JSON
it.
B
So
we
are
trying
to
mimic
here
what
the
default
OpenShift
policy
would
be,
so
that
our
developers
are
able
to
actually
run,
in
particular
instance,
in
a
non
open
chief
cluster,
with
more
or
less
the
same
constraints
to
essentially
to
validate
that
our
containers
are
running
fine
there
in
a
similar
way.
But
this
is
more
kubernetes
taco
vanities,
BK,
yes,
because
came
from
pivoted
con
cluster
communities,
cluster
offer
so
on,
and
the
difference
with
our
definition
of
restricted
is
that
pas
actually
does
not
force
the
read-only
file
system.
So
that's
why
it's
false.
B
B
These
are
kind
of
library
files
that
they
find
it's
finding
the
common
ground
for
clusters,
and
then,
let's
say
that
this
is
my
cluster
or
1
0
1
and
then
I
have
here
a
particular
case
for
this
cluster,
and
this
is
actually
what
we
did
with
what
we
did
with
our
classes.
We
went
over
and
for
some
cancer,
for
example,
we're
using
Jenkins
doctor
in
docker,
so
this
Jenkins
actually
creates
docker
containers
to
run
us.
B
Slater
202
bouncing
and
then
run
others
later
at
the
cloud
plasm
platform,
but
actually
needs
to
create
these
DMD
warlow's
and
they
did
need.
They
did
need
to
do
to
run
a
spillage.
So
we
went
over
and
say,
for
example,
we
say
for
designing
steamed
food.
They
need
to.
You
can
see
here
they
need
to
run
as
privileged
and
then
we,
for
example,
this
for
this
particular
namespace
that
we
want
to
that's
better
for
OpenShift.
What
was
we
allow
them
to
do
so?
B
B
So
if
I,
if
I
miss
it
the
variable
name,
the
Jason
l
want
actually
be
able
to
manifest
and
will
fail
by
telling
me
something
like
that
variable
just
entities
that
Phil
does
not
exist.
So
it's
kind
of
it.
Let's
say
compile
time
check
rather
than
random
check
where
you
actually
miss
it
by
character,
pointing
your
roll
binding
to.
A
B
So,
in
general,
from
our
real-world
considerations,
while
trying
to
deploy
it
is
why
why
it
not
Ryan?
Actually
we
did
deploy
this
there.
All
our
Castle
running
with
PSP
enabled
there
is
an
important
to
note
that
pots
won't
be
run
usually
by
humans
directly
by
service
accounts.
So
that
means
that
humans
or
CI
CDs,
like
Jenkins,
for
example,
will
actually
be
creating
deployments
or
will
be
creating
stateful
cells
rather
than
pots
directly.
B
So
the
the
binding
between
between
what
is
the
the
who
that
will
be
running
your
world
will
be
a
service
account
and
needs
to
actually
bind
to
a
particular
PSP
Fortin
to
note
and
is
very
well-documented
as
well.
We
also
used
the
QP
SP
advisor
tool
that
is
very,
very
useful.
You
can
run
in
class
while
you
can
run
it
again,
namespaces
what
we
did
there.
We
actually
kind
of
grouped
all
together
namespaces
that
we
knew
that
were
kind
of
particular
different.
B
For
example,
cube
system
be,
in
a
very
particular
case,
the
namespaces,
where
our
Jenkins's
are
running.
The
namespaces
side
kind
of
between
quotes
more
normal
world
laws.
We
run
this
tool
and
then
with
the
with
it,
if
to
actually
spot
what
well,
if
what
were
the
fields
that
we
need
to
highlight,
we
need
to
actually
set
or
unset
in
our
PSPs
to
try
to
narrow
the
set
of
PSPs
to
the
bare
minimum.
Keep
in
mind
again.
This
is
quite
important.
B
This
is
not
to
diminish
the
amount
of
time
that
you
you
need
to
invest
on
this,
because,
because
PSPs
are
not
a
rewritable,
if
you
think
of
the
combinatory
there,
it
lets
say,
roughly
speaking,
you
have,
let's
say
ten
fields
that
are
of
your
interest,
that
can
be
boolean
and
boolean
fields.
That
will
be
that
will
give
you
such
like
one
thousand
of
possible
combinations
there.
B
So
it's
very
important
to
try
to
group
all
your
set
of
Warlow
think
that
you
can
frame
them
under
the
same
PHP
and
then
try
to
come
out
with
a
handful
of
of
PSPs.
What's
important
is
to
try
to
when
you
have
once
you
have
this
view
to
try
to
come
out
with
the
full
cluster.
Why
PSP
so
that
you
actually
do
the
particular
case
for
the
namespaces
that
you
need
to
indeed
do
this
particular
case
on
like,
for
example,
in
our
cases,
as
I
mentioned,
going
back
a
bit,
we
are
using
this
one.
B
A
B
Here
that
is
more
restricting
receiving
even
more
or
our
worlds.
You,
as
I
mentioned.
You
have
to
be
really
with
all
the
rain,
because
most
Aurora's
here
come
with
with
this
fact,
keep
in
mind
think
think
roll
bindings
in
cluster
binding
and
reviving.
And
then,
when
you
have
a
world
loss,
you
need
to
think
of
all
the
possible
bindings
that
it
has
and
then
find
out
that
PSPs
that
are
behind
it
and
then
order
them
and
then
the
first
one
that
comes
out
will
be
the
ones
that
you
you
will
be
actually
using.
B
B
You
need
to
also,
as
I
quickly
saw
I
as
a
quickie
demo.
You
I
didn't
show
how
to
upload
the
PSP,
because
it's
boring
as
usual.
I
keep
CTL
applied
a
chef,
and
then
you
have,
for
example,
that
folder
that
when
you
have
all
your
PS
PS
and
then
it
will
be
applied
to
the
to
the
API.
But
you
see
here
this
this
sequence
like
applying
your
PS
piece
and
then
later
enable
labeling
the
possibility
policy
in
the
cube
API.
This
is
platform,
the
pun.
You
really
need
to
to
know
how
to
use
your
platform.
B
This
thing
I
took
work
when
I
keep
kick
it.
Those
spots
to
see
them
failing
is
what
I
mentioned
here
as
recycle
your
post
under
control,
because
essentially
nothing
will
happen
once
you
enable
your
post
security
policy,
a
mission
controller
and
your
cube
API,
but
it
will
happen
when
you
try
to
create
the
post.
So,
of
course
you
don't
want
to
have
surprises
that
are
not
under
under
your
timely
control.
So
then-
and
this
is
also
where
you
need
to
involve
your
developer
since
we
actually
do
this
reaction
of
your
pause
in
a
controlled
way.
B
Oh
yeah,
some
script,
reader
that
that
I
also,
you
will
find
us
on
this
repo
in
particular.
I
found
very
interesting
that
that
there
is
a
metadata,
this
annotation,
that
is
this
annotation,
that
it
will
be
added
by
the
API
to
all
of
the
posts.
Let
me
show
you
how
it
looks.
I
will
to
actually
resize
the
screen
bit.
B
Of
course
I'm
no
one,
so
let's
switch
to
my
classroom
in
that
you
have
so
essentially
this
is
just
just
a
script
that
is
abusing
the
the
JSON
path
facility
there
and
keep
CTL
to
show
which,
as
you
can
see,
this
part
has
this
particular
PHP.
Attach
it
here
you
can.
We
can
enforce
that
this
single
PHP
that
will
be
attached
to
each
all.
There
is
not
multi
PHP,
and
then
you
can
see
some
other
interesting
things
here
like,
for
example,
I
didn't
cycle
these
other
pots.
B
As
you
can
see,
they
are
they're
running
without
PSP
next
next
time
they
are
their
cycle.
They
walk
to
get
attached
to
the
PSP,
so
it's
important
while
you
deploy
it
will
keep
keep
observing
how
these
PSPs
are
attached,
especially
to
assert
that
you
that
the
expected
PSP
is
attached
in
the
proper
namespaces
on
to
the
proper
service
accounts.
B
Some
final
sends
some
final
references
that
we
found
useful.
So
here
you
find
a
reference
to
to
this
very,
very
set
of
lights
and
then
the
the
report
that
I
guess
mayor
we
can.
We
can
like
to
put
this
as
here's
a
common
when
we
upload
the
upload
the
video
to
YouTube
preference
to
this
slice
and
under
on
the
repo,
so
you
off
here,
obviously,
then
you
can,
you
can
follow
up
from
there
yeah.
A
Absolutely
awesome,
thank
you
so
much
for
hope
for
the
really
great
presentation.
We
now
have
some
time
for
questions
about
10
to
15
minutes.
If
you
have
a
question
you'd
like
to
ask,
there's
a
little
QA
button
at
the
bottom
of
your
zoom
window,
click
that
and
go
ahead
and
ask
for
wait.
We'll
only
be
able
to
get
to
a
certain
number
of
questions
that
time
allows.
A
So
if
we
don't
get
your
question,
don't
worry
you'll
be
able
to
reach
out
and
we'll
give
you
details
on
that
here
in
a
minute,
so
I'm
gonna
go
through
here
and
try
to
get
to
some
of
these
questions.
Please
try
to
keep
your
questions
kind
of
shortened
and
micro
sized,
so
we
can
easily
get
to
them
and
one
who
can
can
hit
them
quickly.
So,
let's
get
to
the
first
one
from
Suraj
static
pods
are
trained
by
cubelet,
but
it
also
creates
mirror
pods
on
API
server.
A
B
Indeed,
there
is
the
the
kind
of
system
system
warlocks
do
have
their
own
secure
service
accounts
this
this
one's,
so
that
are
characterized
by
by
group,
so
in
I
didn't
mention,
but
essentially
all
service
accounts
are
under
this
particular
group,
so
you
have
other
these
other
groups,
our
system
column,
something,
and
then
you
can
see
there
that
in
our
implementation
we
actually
tied
them
as
they
run
in
the
cube
system.
We
tie
them
to
be
to
be
able
to
actually
use
the
same
ESP.
This
is
the
howeitat
with
that.
A
B
Of
course,
our
chose
we
chose
general
because
we
are
accustomed
to
use
it,
but
nothing.
Nothing
really
forbids
you
from
uses
customize.
Let
me
think
I
haven't
used
it
much.
Customized
I
have
try
the
kind
of
hello
world
each
example.
You
can
do
this
all
these
overrides
I.
My
my
only
concern
there
will
be
the
kind
of
sanity
when
it
comes
to
trying
to
keep
this
table
whatever
take
on
your
own
table.
You
you
doing
this,
but
trying
to
associate
all
these
three
names
all
together
without
missing
a
character
there.
B
They
will
like,
as
I
mentioned,
the
fact
that
you
point
here
to
variable
names
like
in
this
one
rather
than
needing
too
much
a
particular
set
of
characters.
I,
don't
know
how
customized
will
handle
that.
Suddenly,
you
can
I
know
I,
don't
know
if
you
will
help
you
on
the
cut,
compile
time
to
say
all
up
before
actually
applying
them
that
you're
not
handling
them
great.
A
B
Whoa,
oh,
that
have
several
aspects.
The
first
one
is
he'll,
be
two
or
three
because
I
are
using
classroom
in
not
not
because
they-
let's,
let's
put
this
from
a
different
point
of
view-
the
deployment
of
the
PSP's
themselves.
We
are
handling
handling
it
with
class
learning
privileges,
the
PSP's
themselves,
so
usually.
B
The
thing
is
that
if
the
entity
deploying
the
heart
does
have
clustered
mean,
this
is
kind
of
a
normal
assumption
assumption
on
the
underhanded
tool,
then
you
will
be
able
to
to
to
actually
put
the
the
PSP
that
you
want
to
use
because
you're
trusting
anybody
else
to
actually
craft
create
the
PSP.
The
non-spicy
PSP
create
the
rows
and
potentially
sorry,
custom
rows
and
maybe
the
wrong
binding.
But
that's
not
the
take,
does
not
depart
I
will
follow.
B
So
in
summary,
I
will
still
try
to
keep
it
out
of
the
ham
charts
unless
it
was
the
specific
crime
charged
implementing
PSPs.
Let's
say
dedicated
ham
charts
to
ease
your
PSP
implementation
that
will
be
actually
deployed
by
the
classroom
in
itself,
but
not,
but
not
together
with
the
world
loss,
love
for
crime
charged
disc,
sorry,
manifesting
user
war
loss
today,
yeah.
A
B
So
let
me
try
to
correct
me
if
I
didn't
get
properly
the
question,
but
it's
actually
yeah
when
you
create
a
service
account,
we
can
be
kind
of.
Let's
say
between,
quotes
naked
subject
there
in
the
cluster
that
can
can't
do
anything
by
Arabic.
You
will
be
actually
binding
it
to
roles
to
open
the
permissions
or
open
the
access
to
be
able
to
do
for
one
bar
from
that
point
of
view.
B
Php
are
not
different
from
our,
but
from
the
point
of
view
that
you
have
your
service
account
that
you
will
declare
in
your
own
poll
that
will
be
run
in
the
subject
of
you
will
be
running
your
port
and
then,
with
our
bug.
You
actually
will
allow
that
service
account
in
this
particular
concept
of
PHP
to
do
that
these
and
that
the
thing
is
that,
if
you
let's
say
that
you,
let
me
let
me
reframe
this,
they
say
that
you,
you
actually
enable
their
mission
controller.
B
Let's
say
that
you
took
care
of
putting
the
PSP
for
your
non
warlow's.
If
you
put
their
service
naked
service
service
account,
that
will
be
only
able
to
create
pulse,
for
example,
to
talk
to
create
a
pause
and
does
not
have
a
PSP.
Attach
the
essentially
fail.
So
you
will
you
will
you
will
need
to?
If
you
cut
PSP
and
I
will
in
the
classes,
you
will
need
to
bind
it
to
some
PSP
to
be
able
to
do
some
anything
and
that's
why
we
kind
of
it
is
important
to
choose
this
kind
of
classic.
B
A
B
A
very
interesting
question
and
that's
why
I
had
these
two
classroom
set
up?
Let
me
get
back
in
context
literally,
so
this
is
the
context
and
have
these
two
clusters
I
could
deploy
a
cops
class
in
Manali
and
then
a
deke,
a
cluster
I
will
switch
now
to
the
to
the
jiggy
cluster
use
context.
Unless,
let's
use
the
key
simply
say
just
to
show
you
that
this
is
not,
will
explode
because
it's
all
it's
all
it's
all
there
documented
this
is
kind
of
very
the
ability
to
overcome
this
and
learn.
Learn
there.
B
As
you
know,
as
you
can
see,
this
is
one
of
the
sticky
notes
there
under
the
know,
I
was
there
before
with
a
low,
privileged
account.
So
the
thing
is
that
it's
not
enabled
by
default
in
DC,
if
you
search,
for
example,
in
the
case
of
G
key
in
this
better,
better
feature,
you
just
search
for
geeky
epsp
and
you
will
find
a
very
nice
space
page.
Indeed,
we
have
some
de
clustering
with
adult
would
be
something
like
geek
Klaus
containers,
but
enable
PSP
just
put
it
in
easy.
B
But
but
you
have
the
specific
steps
and
essentially
that's
conveys
the
flipping.
The
PSP
are
the
windows,
API
endpoint,
of
course.
Of
course
you
will
still
need
to
do
the
preparation
of
your
PSP,
such
as
you
do,
for
phoning
classes
for
all
platforms.
I,
honestly,
don't
know,
I
will
need
to
search,
I'm
I'm
sure
about
GG
in
particular,
because
we
are
using
them.
Of
course,
if
you
run
one
yourself,
you
can
just.
A
B
Essentially,
you
are
not
allowing
the
pod
to
do
anything.
So
wonder
if,
if
you
put,
if
you
both
does
have
a
read-only
file
system,
does
not
run
a
support.
Of
course,
non-privileged
is
known
on
volume,
nothing
very
good
question
and
I
honestly
don't
know
the
answer.
I
will
need
to
test
it,
but
let's
say
that
that
will
be
an
image
that
is
true,
very
well.
A
B
Thanks
for
the
question
very
good
question,
indeed,
so,
essentially
what
we,
because
we
try
to-
we-
try
to
make
our
development
cluster
as
close
to
production
as
possible
just
to
not
get
these
kind
of
surprises
when
you
go
to
production.
Well,
we
set
the
lease
on
on
having
the
same
PSPs.
That
is
the
very
set
of
PSPs
all
the
same
in
every
cluster
like
dev
staging
I'm
on
production.
So
there,
when
you
need,
when
we
need
to
create
a
new
PSP,
may
be
specific
to
that
workload.
B
We
actually
deploy
them
to
all
our
clusters
and
then
based
on
the
particular
environment.
We
will
actually
do
the
rockbind
in
a
specific
per
cluster,
because
maybe
in
one
namespace
name
in
full
and
another
another
another
class
name
it
differently,
but
essentially
what
we
try
to
do
is
try
to
keep
the
same
set
of
PSPs.
B
Actually,
we
are
not
using
kind
of
we
settle
into
6-7
PSPs,
on
particular
cases
where
we're
having
we're
running
this
this
default,
and
then
we
have
four
five
particular
cases
more
or
less
the
one
that
I
depicted
there
in
the
in
the
slides
like
for
the
Jenkins's.
For
some
some
other
warlow's
and
that
need
to
have
a
bit
of
expanded
made
route,
I
don't
reckon
now
what
field
we
have
to
add,
but
essentially
kind
of
a
handful
ish
as
role
bindings
on
and
maybe
about
eight
gotcha.
A
B
Were
as
far
as
I
understand
from
from
and
from
the
documentation
and
my
experience,
indeed,
what
they
won't
be
affected.
Actually
documentation
is
be
streaky
there
because
it
says
something
like
it
won't
show
up.
You
apply
PSPs,
nothing
will
happen
in
this,
and
the
documentation
mentioned
something
like
update
time
of
an
update
in
a
date,
action
relation
update,
verb
to
a
pod.
The
finishing
won't
be
affected
by
PSP,
but
will
be
evaluated
at
creation
time.
B
There
is
some
small
word
in
there
that
I'm
not
sure
if
we
understand
it
that
the
part
of
the
the
documentation
on
this
particular
behavior
on
on
the
kubernetes
official
locus
could
be
improve
it
a
bit.
But
in
my
is
my
understand,
yeah
and
I
experienced
that
indeed
they
are
not
affected
and
they
will
be
in
the
impacted
when,
when
the
pot
gets
recreated.
A
B
Yeah,
of
course
it
just
yeah
yeah.
That's
for
sure
what
we
are
take
to
kind
of
simplify
some
no
go
no
go
math
on
these
are
taken.
This
was
essentially
to
frame
them
as
per
namespace
to
say
so.
We
were
there.
We
what
or
take
there
is
happy
to
say
okay
for
this
namespace,
you
will
get
bound
to
this
particular
PHP
code.
So
then
put
all
these
water
laws
in
this
very
namespace
that
will
get
attach
it
to
this
very
same
PSP,
but
not
nothing.
B
For
this
you
to
be
more
specific,
and
maybe,
in
the
same
very
namespace,
you
say
when
you
in
this
a
nice
place,
but
if
you
use
this
different
service
account,
that
is
not
the
full
service
account
for
the
namespace.
The
service
come.
The
his
name
is
fubar.
It
will
get
attached
to
the
this
particular
PSP.
B
A
B
Didn't
try
that
honestly,
I
I
was
because
we
don't
have
audit
logs
enabled
in
that's
a
very
good
question.
I,
don't
have
the
answer.
I
did
note
that
there
was
nothing
on
the
on
the
kubernetes
api
logs
themselves,
because
I
was
trying
to
we're
doing
some
log
of
iteration.
There
I
was
trying
to
find
out.
This
is
a
cube
API
logs,
not
the
audit
log,
but
the
cube
api
logs
raw
logs
say
for
saying
something
about
these
violations
and
didn't
fire
any.
But
I
explore
their
the
audits.
We
don't
have
them
enable
because
yeah.
B
A
A
good
question
definitely
and
Jeremy,
or
you
can
follow
up
with
100
in
the
kubernetes
slack.
Actually,
so
that's
all
for
questions
that
we
have
for
now.
Thank
you
to
Wan
over
for
answering
all
those
the
best
of
his
abilities.
If
we
did
not
get
to
your
question,
you
can
reach
out
to
the
bit
Nami
team
at
VMware
it
via
kubernetes
at
bitNami,
calm
or
reach
out
to
them
in
the
public
who
Bernays
slack
network.
A
Hopefully
all
of
you
are
in
there
ready
and
I
want
to
thank
wonho
and
all
of
our
great
guests
for
coming
on.
That
is
all
from
us
for
now.
Thanks
for
joining
us,
the
webinar,
recording
and
slides
will
be
online
later
today.
So
keep
your
eyes
peeled,
and
we
look
forward
to
seeing
you
at
a
feature:
CN
CF
webinar,
thanks
a
lot
for
joining
and
have
a
great
day
thanks.