►
From YouTube: Tutorial: Getting Started With Cloud Native Security - Liz Rice, Aqua Security & Michael Hausenblas
Description
Don’t miss out! Join us at our upcoming events: EnvoyCon Virtual on October 15 and KubeCon + CloudNativeCon North America 2020 Virtual from November 17-20. Learn more at https://kubecon.io. The conferences feature presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Tutorial: Getting Started With Cloud Native Security - Liz Rice, Aqua Security & Michael Hausenblas, Amazon
This tutorial will get you off the ground with Kubernetes security basics, using live demos and examples to work through yourself. We’ll start with possible attack vectors, to help you map out the threat model that applies to your cluster, so you can figure out where you need to focus your efforts for security. We’ll show you how to compromise a deployment with a pod running with a known vulnerability. Once you’ve had the attacker’s eye-view, we’ll walk you through the most important techniques and open source tools to prevent compromise. · Using secure Kubernetes settings · Including vulnerability scanning in your workflow · Configuring pods to run securely (eg avoiding unnecessary privileges) · Using GitOps to restrict user access to your cluster and provide an audit trail You’ll leave this tutorial armed with practical actions for securing your deployment.
https://sched.co/Zekj
A
A
Great,
so
thanks
everyone
for
joining
us
today
on
this
tutorial
now.
I
hope
that
you
got
a
message
beforehand
about
preparation,
we're
going
to
be
running
through
lots
of
different
exercises.
Today,
we've
got
lots
of
hands-on
demos
and
if
you
want
to
run
through
those
demos
with
us
as
we
go
along
you'll,
you
will
probably
want
to
have
already
done
that
preparation,
so,
hopefully,
you've
been
able
to
do
that.
A
A
A
A
A
Okay,
good
good,
it's
eventual
consistency
right
yeah,
so
this
diagram
came
from
the
book
and
there
is
a
typo
in
the
book.
If
the
first
person
in
that
slack
channel
to
point
out
what
the
typo
is
and
what
it
should
say,
I
will
send
you
a
physical
copy
of
the
book.
So
have
a
quick
look
at
that
diagram.
A
We're
not
going
to
have
time
to
go
through
all
of
those
in
the
session
this
afternoon.
But
we
are
going
to
look
at
some
of
the
most
important
tools
that
you
can
use
to
defend
yourself.
So
I'm
going
to
start
by
talking
about
vulnerabilities
in
application
codes
and
how
you
can
defend
yourself
against
known
vulnerabilities.
A
A
A
In
my
cluster,
I'm
just
going
to
copy
this
and
run
I
made
a
helm
chart
to
make
it
very
easy
for
you
to
install
this
vulnerable
web
server
application.
It's
running
with
the
shell
shock.
Vulnerability
do
not
run
that
in
a
production
cluster.
If
you
just
copied
and
pasted
that,
while
you
had
your
kubernetes
context
pointing
to
your
production
cluster
uninstall
it
now,
don't
don't
don't
do
that.
It's
kind
of
okay
to
run
on
your
laptop
and
that's
pretty
much
it
because
this
is
a
pretty
bad
vulnerability
as
we're
about
to
see
so.
A
Shell
shock
is
a
pretty
old
vulnerability.
It's
from
2014,
but
it's
quite
a
nice
example
of
something
that's
pretty
easy
to
exploit,
and
you
know
pretty
powerful
so
now
that
I've
run
that
helm
chart
that
will
have
run
deployments
and
I've
got
a
an
instance
of
a
pod
running
with
this
shell
shock
vulnerability
in
it
and
I'm
going
to
want
to
send
web
requests
to
that
web
server.
A
A
So
if
I
go
back
to
my
tutorial,
okay,
I
also
have
a
script.
So,
actually,
let
me
just
curl
to
just
so.
You
can
see
curl
local
host,
okay,
one
and
we'll
see
a
bunch
of
html.
That's
the
the
same
as
the
page
we
just
looked
at,
so
I
can
make
requests
to
that
address
and
get
responses,
and
I
can
also
make
requests
to
a
script.
So
this
cgi
bin
directory
runs
scripts
and
all
this
script
does
is
return
some
text,
it's
regular,
expected
output.
A
So
here's
my
command
that
I'm
gonna
that
I'm
gonna
run.
Let
me
just
copy
that
and
paste
it
before
I
hit
return
on
it.
The
dash
a
is
saying:
I'm
sending
a
user
agent
string,
so
I'm
adding
to
my
http
request
and
that's
the
agent
string
that
I'm
sending
in
and,
as
you
can
see,
I've
included
some
arbitrary
code.
I've
asked
it
to
cap
the
contents
of
the
etc
password
file,
and
it's
going
to
send
that
back
to
me
instead
of
the
normal
response
to
that
page.
A
A
B
I
haven't
seen
anything
like
content
related.
It
was
mainly
in
terms
of
how
to
access
the
tutorial
page
itself.
I
pasted
that
in
there
and
it's
also
pinned
on
our
slack
channel.
So
if
you're
not
yet
there
on
the
cncf
select
community
to
kubecon
tutorials
security
up
there,
it's
pinned
tutorial
quantity,
security.info.
B
A
Okay,
good
all
right,
so
we've
shown
how
running
with
a
vulnerable
image
can
potentially
be
exploited,
and
the
question
now
is:
how
can
you
make
sure
you're
not
running
with
one
of
these
known
vulnerabilities?
There
are
literally
thousands
of
vulnerabilities
that
have
been
published.
They
all
get
given
a
cve
identifier.
A
A
So
there
are
a
few
different
scanners
available.
The
one
I'm
going
to
use
is
a
tool
called
trivi.
If
you
don't
already
have
this
installed,
and
you
want
to
do
so-
it's
very
easy
to
install
with
brew
or
with
this
installation
script.
Other
scanners
are
available.
There
are
open
source
scanners
from
anchor
and
red
hat's
claire.
There
are
also
several
commercially
available
scanners,
then
largely
doing
a
similar
job.
A
Is
this
shell
shockable
image?
So
if
I
want
to
see
whether
there
are
any
vulnerabilities
in
that
image,
actually
I
should
copy
and
paste
that's
quicker.
All
I
need
to
do
is
run
trivia,
open
image.
Let's
apply
the
image
name,
you'll,
see
it
downloading
a
database.
This
is
the
database
of
which
vulnerabilities
exist,
in
which
versions
of
which
packages
and
you'll
see
that
it's
come
back
with
a
few
different
vulnerabilities
here.
A
A
So
if
you
want
to
run
a
container
that
uses
bash
without
the
shell
shock
vulnerability,
it
needs
to
be
this
fixed
version
or
newer
in
reality,
if
you
install
bash
today,
you
will
get
a
newer
version.
You'll,
you
have
to
jump
through
some
hoops
to
get
an
old,
vulnerable
version
with
shell
shock
in
it.
So
just
think
of
it
as
an
example.
A
So
if
you
wanted
to
run
a
not
vulnerable
version
or
not
vulnerable
to
shell
shock,
you'd
need
to
make
sure
that
the
version
of
bash
you
have
is
is
newer
than
this
version.
You
typically
do
that
by
doing
some
kind
of
act,
get
install
a
newer
version
or
yum
or
whatever
your
package
manager
is
your
version
of
linux.
A
So
trevi
has
shown
us
some
highs
and
mediums
some
low
vulnerabilities.
In
that
particular
example,
you
might
want
to
only
show
vulnerabilities
above
a
certain
severity
threshold
because
in
reality
there
are
a
lot
of
low
severity
vulnerabilities
and
you
may
not
consider
it
worth
the
the
trouble
to
to
go
and
fix
them
all.
So
you
may
choose
to
just
show,
for
example,
critical,
high
and
medium
vulnerabilities.
A
B
B
A
A
A
B
A
A
They
have
found
from
from
what
I
believe
to
be
the
case.
Trivia
supports
a
wider
range
of
data
sources,
so
more
distribution,
specific
database,
vulnerability,
vulnerabilities
of
databases,
databases
of
vulnerabilities,
I'll,
get
there
in
the
end
and
supports
more
kind
of
language
packages
as
well.
There
are
also-
sometimes
there
is
more
than
one
source
of
data
for
a
particular
distribution,
and
you
need
to
make
sure
you're
using
the
the
up-to-date
one-
and
it's
also
another
comparison
point
is
how
frequently
those
vulnerability
databases
are
updated.
A
Trivia
actually
updates
everything
twice
a
day
so,
and
the
reason
for
for
that
is
that
new
vulnerabilities
get
discovered
in
existing
software
all
the
time.
So
you
can
scan
your
image
for
vulnerabilities
today.
If
you
scan
it
again
tomorrow,
it
may
find
additional
vulnerabilities
that
have
been
discovered,
even
though
the
software
itself
didn't
change.
B
A
A
I'm
going
to
assume
it
is
all
right.
So
one
of
the
reasons
why
trevi
is
nice
is
that
you
can
use
a
small
version
of
the
vulnerability
database,
because
when
you're
running
vulnerability,
scanning
and
part
of
your
ci
system,
you
want
it
to
be
lightweight.
You
don't
want
to
have
to
go
through
a
giant
installation
process
and
then
a
giant
process
of
installing
the
vulnerability
database.
A
A
So
let
me
give
a
shout
out
for
my
colleague,
tepee
fukuda,
who
is
going
to
be
talking
later
on
this
week
about
using
trivi,
alongside
open
policy
agent,
to
check
for
vulnerabilities
at
the
admission
control
time,
and
then
the
last
thing
I
wanted
to
show
in
this
section
is
a
a
new
tool
that
we've
been
working
on
called
starboard
and
the
idea
of
starboard
is
that
you
use
it
to
run
a
variety
of
different
security
tools.
Trivia
is
one
of
them.
It
also
works
with
some
other
different
security
tools.
A
A
So
if
you
don't
already
have
it
installed,
you
can
install
starboard
as
a
crew
plugin.
So
I
already
type
through
list
there
we
go,
so
I
already
have
starboard
installed.
If
you
haven't
come
across
true,
it's
a
really
nice
way
of
extending
your
cue
control
functionality
with
it
with
a
bunch
of
different
plugins.
So
some
really
really
nice
powerful
plugins
out
there
having
installed
it.
A
A
It
looks
at
that
deployment
finds
the
pod
spec
finds
any
container
images
and
in
that
job
runs
trivia
over
any
container
images
related
to
that
deployment,
which
takes
a
few
seconds.
I've
used.
This
delete
scan
job
equals
false,
so
that
or
if
I
hadn't
said
that
when
the
job
completed,
it
would
get
deleted
and
cleaned
up,
but
by
leaving
it
there
we
can.
We
can
look
at
it
after
the
event.
A
B
A
C
B
A
Yeah
yeah
so
trivia
or
some
kind
of
background
components
in
what
we
might
call
the
trivia
ecosystem
twice
a
day
go
around
to
all
of
the
different
data
sources
that
that
it
uses
and
updates
with
any
newly
published
vulnerabilities
or
any
changes
to
the
vulnerabilities
from
that
data
source
that
gets
built
into
the
trivi
database
that
is
actually
stored
on
github.
Then,
when
you
run
trivi.
A
I
mean
the
database
downloading
because
it
was
already
cached,
but
I
think
you
might
recall
right
at
the
beginning.
The
first
time
I
ran
it,
it
had
to
download
a
database
which
will
cache
for
a
certain
period
of
time,
and
then
it
will
check
for
any
database
updates
that
have
happened
since
the
last
time
it
was
updated.
A
B
That's
good
yeah.
I
think
there
are
many
more
like
low-level
and-
and
I
think
we
will
based
on
the
volume
we
will
not
be
able
to
answer
all
of
them.
It's
like
at
least
15
that
I
can
count
here
and
that's
just
one
of
the
many
topics
that
we
have
here.
So
I
I
guess
we
will
have
to
answer
them
offline
in
this
lecture.
I'm
sorry.
A
A
A
A
So
when
you
install
a
kubernetes
cluster,
there
are
lots
and
lots
of
different
configuration
settings,
several
of
which
can
potentially
affect
security.
Some
of
them
are
really
obviously
going
to
affect
security
like
whether
you're
running
with
a
an
insecure
port
that
lets
anonymous
users
make
requests
across
an
api.
Other
settings
are
maybe
a
little
bit
more
subtle
in
how
they
affect
security,
and
there
is
a
an
organization
called
the
center
for
internet
security,
publishes
benchmarks
that
describe
recommendations
on
how
to
configure
lots
of
different
pieces
of
software,
one
of
which
is
kubernetes.
A
So
there's
a
cis
kubernetes
benchmark
with
recommendations
for
how
your
kubernetes
cluster
should
be
configured,
and
it's
it's
something
like
200
pages.
It's
there's
a
lot
there
so,
rather
than
having
to
manually
check
every
single
node
in
your
cluster
and
do
that
repeatedly
to
make
sure
that
the
settings
are
still
as
expected.
A
A
And
that
job
should
have
run
key
bench
on
my
single
node
kind
cluster
that
I'm
currently
running
and
let's
look
at
the
output
from
that
which
goes
into
the
logs
and
there's
loads
of
it.
There's
pages
and
pages
and
pages
and
pages
and
pages
of
results
from
qbench
there's
several
different
sections.
So
you
get
the
kind
of
pass
fail,
warning
output
for
each
section.
Then
you
get
remediation
advice.
What
you
need
to
do
to
make
a
failing
test
pass
and
then
we
get
to
another
section.
A
So
you
get
a
little
summary
telling
you
the
previous
section,
so
I'm
going
to
show
an
example
of
remediating
a
test
and
the
one
that
I'm
going
to
pick
on
here
is
4.2.6,
which
is
about
protecting
kernel
defaults,
and
this
is
basically
the
cubelet
will,
I
believe
it
errors.
It
certainly
complains
if
the
some
tunable
parameters
in
the
kernel
are
not
set
to
what
the
cube
expects
to
be
set.
A
A
Now,
if
you're
using
a
different
kind
of
cluster,
if
you're
using
you
know
mini
cube
or
you're
running
kubernetes
nodes
in
a
virtual
machine
or
you're,
using
a
a
managed
service,
you
won't
be
able
to.
You
know
this
is
a
kind
specific
way
of
getting
into
the
control
plane
and
then
remediating
the
problem,
but
because
I'm
running
kubernetes
in
docker,
my
control
plane
is
running
as
a
a
container.
A
C
A
A
A
A
So
this
is
more
of
a
demonstration
of
what's
happening.
You
wouldn't
go
into
your
kubernetes
clothes
and
manually
reconfigure
them
like.
I
just
did
there,
but
hopefully
that
shows
the
kind
of
thing
that
q
bench
is
testing
for
the
kind
of
tests
that
the
cis
benchmark
is
recommending
and
demonstrating
some.
What
key
bench
results
look
like
then,.
B
A
And
that's
a
really
great
question.
I
am
sure
that
some
of
the
tests
are,
let's
say,
not
appropriate.
On
k3s,
for
example,
there's
a
whole
section
of
scd
tests
and
k3s
doesn't
use
lcd,
so
those
would
inevitably
fail.
There
is,
I
talked
about
there
being
a
cis
kubernetes
benchmark,
there's
actually
a
few
different
versions.
There's
a
version
for
eks
amazon's
managed
kubernetes
service.
There's
a
version
for
gke.
A
A
A
C
A
Let
me
also
show
you
the
output
for
deployments,
because
that's
still
running
right,
so
hopefully
we
can
see
the
vulnerabilities
and
there's
our
shell
shock,
vulnerability
that
we
discovered
earlier.
So
this
is
the
the
reason
why
I'm
really
excited
about
starboard.
It's
showing
the
security
information
related
to
running
workloads
and
related
to
the
running
state
of
the
kubernetes
cluster.
B
A
Right,
yes,
so
the
the
scenario
here
is
you're
running
some
software.
Maybe
it
has
a
dependency
and
new
vulnerability
gets
discovered
in
that
dependency,
it's
good
practice
to
regularly
rescan
all
your
all
the
images
that
relate
to
running
workloads
and
you
could
be
doing
that
with
something
like
starboard
or
you
could
be
using
scanning
that
hooks
into
a
registry.
A
lot
of
commercial
scanners
will
hook
into
a
registry
and
regularly
scan
also,
if
you're,
using
harbor
as
your
registry,
that
can
rescan
images
within
that
that
are
stored
in
that
register.
A
So
you
it's
basically
a
case
of
you
know.
You
have
to
be
regularly
rescanning
to
find
out
which
images
are
vulnerable
and
then,
if
you
discover
that
you
are
running
with
an
image
that
has
vulnerabilities,
you
need
to
rebuild
that
image
with
updated
dependencies.
Whatever
fixed
version
of
packages
are
needed
to
address
that
vulnerability.
B
A
And
say:
hey,
I
found
this
vulnerability
and
then
typically
what
happens?
Is
the
person
reporting
the
vulnerability
and
the
project
maintainers
or
the
vendor
agree
a
date
on
which
they'll
publish
information
about
that
vulnerability?
Typically,
at
that
point,
you
go
to
the
to
a
cve
there's
a
term
for
this.
It's
like
a
numbering
authority
that
can
give
out
new
cves.
A
So
you
might
grab
that
number
before
you
publish
the
the
details
of
the
vulnerability,
but
the
idea
is
you
give
the
vendor
or
the
project
maintainers
enough
time
that
they
can
come
up
with
a
fix.
I
think
I
mentioned
earlier
that
typically
the
cve
details
and
the
fix
are
published
at
the
same
time
and
that's
because
of
responsible
disclosure
and
behavior
on
the
part
of
the
person
who
found
the
the
vulnerability.
C
B
B
B
My
coming
over
here
right
policies,
everything
that
we
saw
so
far.
If
you
think
about
defense
in
depth,
is
it's
awesome
and
you
should
you
know,
be
doing
that's
like
you
know
the
the
101
image
scanning,
etc.
No
doubt
about
that.
What
we're
talking
about
now
the
policies
might
be
depending
on
what
you're
looking
at
might
be
considered
a
little
bit
more
advanced.
B
What's
going
on
in
terms
of
network,
you
know,
what's
the
default
behavior
of
communities
there
and
what
what
have
you
got
there
in
terms
of
network
policies
at
your
hands
and
then
last
but
not
least,
in
this
section,
we're
going
to
talk
about
oppa,
the
open
policy
agent
and
have
a
look
at
it
in
action.
So
first
things
first
least
privileges.
B
This
is
really
something
super
important
to
consider
in
the
sense
of
give
whatever
a
person
or
process.
Only
the
rights,
the
permissions
to
carry
out
its
job
and
not
more
right
exactly
what
it
needs,
but
not
more,
and
we're
going
to
have
a
look
at
that
in
the
context
of
the
security
context.
Security
context
was
one
of
I
think
the
first
contributions
by
the
redhead
openshift
team
that
was
upstream
accepted.
B
So
a
lot
of
terminology
around
security
context-
and
you
know
in
that
context,
no
pun
intended
is-
is
actually
kudos
to
redhead
or
red
hat
for
expected.
So
we're
gonna
use
a
kind
again
from
scratch,
so
I'm
gonna
create
a
kind
cluster
there.
Let's
do
that.
It
takes
a
moment
and
what
we're
going
to
do
then,
is
and
picked
a
example
from
the
query
this
doc,
so
that
you
can,
in
your
own
time
and
dig
deeper
there
and
read
upon
the
context
there
that
has
a
security
context
defined.
B
So
let's
have
a
look
at
the
security
context.
I
hope
you
can
see
that
here.
The
intention
here
is
with
the
security
context.
First
observation
there
you
can
see
it
is
pot
wide.
So
it
is.
It
applies
to
all
of
the
containers
in
that
part,
and
it
is
to
run
this
user.
The
id
1000
one
is
group
group,
3000
and
fs
group
2000
right.
This
is
the
intention
that
you
as
a
developer,
whoever
whatever
role
you're
putting
together
that
pots
back
you
want.
B
B
B
Part
that
is
running
takes
a
little
bit
needs
to
pull
the
image
so
in
a
moment
or
so
it
will
be
running
and
as
soon
as
it's
running,
we
can
let
the
equivalent
of
a
good
old.
You
know
ssh
into
a
vm
we
exit
exit
in
into
the
container.
Once
it's
running
running
all
right,
we
are
exiting
into
the
company,
as
you
can
see,
from
the
shelf
prompt
here.
B
B
Ls
minus
al
this
content
file
here.
This
is
exactly
what
we
defined
in
the
security
context
over
here
right.
So
that's
awesome,
but
it
kind
of
depends
on
your
developers
or
whoever
is
in
charge
for
creating
these.
These
pot
specs
to
you,
know
to
play
along
to
actually
think
about
that
and
maybe
be
an
expert
in
what
is
the
right
thing
to
do
here.
B
So
this
is
nice.
This
is
a
good
control,
but
as
it
depends
on
the
cooperation
or
you
know,
control
is
trust
is
good,
but
control
is
better.
You
want
to
have
a
policy,
a
cluster-wide
policy
that
actually
enforces
that
kind
of
behavior,
and
that
is
where
psp
support
security
policies
come
in,
so
you
can
define
that
kind
of
behavior
on
the
cluster
level.
So,
for
example,
if
you
say
you
know,
you
cannot
run
something
as
root
or
whatever,
then
you
can
use
psp
to
enforce
it
cluster-wide.
B
I
will
point
out
that,
if
you
think
about
investing
into
psp,
be
aware
of
there
is
a
cap
between
this
enhancement
proposal
kept
five
that
talks
about
the
current
state
and
the
future
of
psps,
and
at
the
current
point
in
time
there
is
no
decision
yet
made
in
terms
of
where
psps
should
go.
Will
they
they
will
very
likely
not
at
the
current
point
in
time
graduate.
So
you
might
want
to
keep
an
open
mind.
B
For
example,
opa
gatekeeper
at
the
bottom
of
this
section
later
on
might
be
a
good
option
to
invest,
but
in
general
having
something
like
psp
in
place
is
certainly
recommended.
I'm
gonna
pause
here
for
a
moment
just
to
give
people
time
to
catch
up,
and
also
maybe
we
have
a
question
or
two
that
we
want
to
address
right
away.
B
The
way
the
security
context
is
defined,
it
is
in
the
context
of
a
pot
spec.
So
I
can
imagine
that
if
you
have
that
use
case
that
you're
very
likely
happy
with
a
you
know
something
like
over
gatekeeper
or
doing
something
yourself
with
opa.
You
know
with
a
custom
controller,
but
no
the
answer
is
a
lot
longer
short.
If
it
isn't,
it's
not
gonna
work.
B
Do
you
have
it
yet
perfect
there?
It
is.
Thank
you
very
much.
All
I
can
say
if
you
look
at
it
at
the
very
bottom,
is
that
the
only
thing
that
is
clear
is
that
at
the
current
point
in
time
the
psps
will
not
graduate
to
ga,
which
means
it's
at
some
like
1.22,
whatever
psps
will
not
be
part
of,
it
will
be
deprecated.
So
if
you
think
again,
I
encourage
you
to
have
something
that
enforces
a
security
context.
B
If
you
going
forward
want
to
look
at
something
you
might
already
have
psps
in
you
know,
production
usage
or
you're,
considering
it
and
thinking
about,
should
I
invest
into
psp
or
just
something
else,
then
I
would
think
that
going
forward.
It
would
make
a
lot
of
sense
to
look
into
oppa
gatekeeper.
Yes,.
B
Okay,
cool
all
right,
so
that
was
the
simple
case
of
a
run
time:
enforcing
a
runtime
policy
container
runtime.
Depending
on
how
much
space
you
have
available,
I'm
gonna
do
that
only
got
16
gigs
so
got
to
be
careful
here.
You
want
to
delete
the
cluster
think
of
each
of
those.
If
you
think
about
docker
running
in
your
local
machine
being
something.
So
you
want
to
make
sure
that
you
have
enough
all
right,
so
we
are
set
up
for
the
next
one
network
policies
by
default.
B
You
might
not
know
that,
but
by
default
all
the
communication
paths,
every
part
and
every
namespace,
etc
etc
are
open,
and
that
is
something
that,
especially
if
you
have
a
security
network
background,
might
be
a
little
bit
scary
right
to
come
to
communities
like
oh
wow.
Everything
can
talk
to
everything.
B
Maybe
it's
a
good
idea
if
you
actually
define
and
enforce
the
network
policies.
The
way
it
works
is
very
often
when
you
get
to
that.
You
see!
Oh
right.
I
know
how
to
do
that
right.
I
take
the
network
policies.
You
know
whatever
they're
here
down
there
and
I
you
can't
apply
them
and
everything
works.
Not
so
fast
turns
out
that,
just
because
you
define
the
resource,
the
network
policy
resource,
it's
not
enforced,
you
need
something
that
enforces
it
in
our
case,
we're
using
calico
here,
which
is
free
to
use
something
else.
B
Calico
is
battle
proof
and
widely
used.
So
I'm
using
that.
But
again,
if
you
just
define
the
network
policy
the
resource
to
cut
and
apply
the
resource,
nothing
happens
right.
The
api
server
will
happily
take
it
and
serialize
it
for
you
in
ncd,
but
nothing
happens
because
there
is
no
controller.
Nothing
that
looks
after
that
resource
actually
enforces
it
through
this
uni
interface
right.
B
So
we're
gonna
create
the
the
kind
cluster
we're
gonna,
install
calico
patch
it
to
make
it
work
with
kind,
and
then
we're
gonna
define
a
sequence
of
things
all
right.
Let's,
let's
start
with
the
actual
cluster
back
here,
creating
the
cluster
a
little
bit
faster
than
last
time.
Once
the
cluster
is
up,
as
I
said,
I'm
going
to
install
calico
that
will
essentially
set
up
calico,
creating
a
couple
of
custom
resources,
controls,
etc.
B
B
You
can
ignore
this
next
part
here
and
once
we
have
that,
then
we
can
actually
define
the
sorry
the
next
step
before
we
do
that,
because,
as
an
example
we're
using
ingress,
so
we
want
to
access
a
workload
that
runs
in
the
cluster
from
outside
this
kind
cluster.
So
we
can
install
ambassador
as
an
ingress
controller
and
that
will
launch
the
workload.
B
Zabic's
agent
interesting,
that's
a
cool
one
rodrigo
if
you
want
to
put
that
on
the
slack
as
well,
not
sure
if
the
q
and
a
with
the
speakers,
that's
why
you're
inviting
everyone
to
go
on
the
slack
channel,
because
that
one
for
sure
is,
you
know,
subject
to
public
record.
How
is
it
to
implement
gatekeeper?
Did
they
install?
B
I
put
a
link
to
a
video
tutorial.
There
is
very
straightforward.
I
think
it's
then
more
a
matter
of
operational
issues.
You
know
keeping
it.
You
know
aj
and
everything,
but
it
doesn't.
The
video
does
a
good
job
walking
you
through
that
all
right
kind
is
there.
So,
let's
install
calico
boom
some
smear
these
there
and
now
the
patch
again
ignore
that
that's
really
just
for
our
case,
because
of
kind
and
now
we
should
see
just
to
verify
the
three
parts
there.
B
B
B
B
How
well
does
kelly
could
perform
in
a
large
cluster
with
a
thousand
parts.
I
wouldn't
say
that
thousand
parts
and
depends
on
the
density
is
a
large
cluster.
Necessarily
I
haven't
seen
any
any
issues,
a
couple
of
hundred
notes
at
all,
but
I'm
I'm
you
know,
I'm
not
authoritatively.
Speaking
for
localico
so
feel
free
to
share
your
your
experiences
there
and.
B
If
you
have
great
suggestions
for
for
our
tutorial,
please
pr
it
right
we're
not
oh
it's
running,
we
are
not
limited
to
just
the
the
two
things
that
you
know.
Listen
in
myself,
though,
all
right
so
calico
is
up,
and
now
we
can
actually
install
ambassador
boom
boom
boom
boom.
There
you
go
and
with
that
good
we
should
have
everything
right.
So,
let's
see,
if
we
look
into.
B
B
B
B
With
that
we
should
be
able
that
was
all
just
set
up.
We
should
be
able
to
do
that
right
so
pearl,
since
we
have
the
ingress
it
is
available.
Slash
api
is
just
the
default
nginx
welcome
page.
So
we
can
do
that
for
now.
Remember
what
I
said
earlier
on
by
default.
Everything
is
open.
Super
scary
right,
so
first
thing
you
want
to
do
is
to
deny
all
right
so
we're
going
to
launch
a.
B
B
B
B
So
we're
gonna
define
that
new
network
policy
remember
the
component
in
the
kind
cluster
that
is
actually
enforcing.
It
is
calico
and
then
we're
going
to
label
our.
Let's
do
it
in
two
steps
right
first,
you
can
do
that
together
again,
one
quantity
you
can
just
go,
but
I'm
gonna
break
it
up.
Why?
Because
I
want
to
show
you
that,
just
because
you
have
defined
that
policy
does
not
mean
yet
that
you
actually
get
traffic
right.
It
is
still.
If
you
look
at
it.
B
C
B
B
Cool,
how
are
we
doing
time-wise?
I
think
I'm
a
little
bit
behind,
but
that's
not
too
bad.
So
that's
great,
as
I
said
always
do
do
the
network
policies,
but
if
you
think
about
that,
we've
seen
two
cases
now,
that's
just
two,
where
we
kind
of
like
have
to
deal
with
custom,
specific
policies,
the
way
how
we
define
it,
the
way
how
we
enforce
it,
what
we
need
to
install
for
the
satellite
center.
B
So
what
if
there
was
a
way
in
a
generic
way
to
define
policies,
and
that
does
not
mean
necessary
only
you
know
technical
things
like
network
policies.
This
part
can
talk
to
this
part
or
the
parts
in
this
namespace
have
to
you
know,
run
with
this
user
or
whatever,
but
in
general,
any
kind
of
policy.
For
example.
B
B
Nine
minutes
oh
wow,
okay,
gotta,
wrap
up
oprah
is
super
powerful
and
rather
than
talking
blankly
about
that.
I
just
pointed
at
the
end.
There
are
a
number
of
great
resources
that
you
can
watch
and
read
in
your
own
time.
I'm
just
going
to
walk
you
through
an
example
here
in
the
very
awesome
rego
playground.
B
So
what
we
have
here
is
two
parts,
the
one
hand
you
have
input
and
that
input
data
input
data
is
json
and
nowadays
you
can
pretty
much
create
or
or
generate
convert
everything
into
chase.
It
shouldn't
be
a
problem.
So,
in
our
case,
we
have
these
time
stamped
payload
doesn't
matter
what
whatever
it
is.
B
It's
the
generic
one,
I'm
not
gonna
zoom
in
for
now
we
have
the
input
data
here
and
I've
shown
you.
We
have
the
rules
here
and
if
you
just
hit
evaluate
you
would
get
this
this
output
down
here,
and
that
really
is
in
the
the
simplest
case.
This
is
really
all
that
you
need
to
know
about
about
rig.
You
have
your
input
data.
You
need
to
provide
it
as
json.
Obviously
you
have
your
rules
here.
B
B
Now
I
can
imagine
that
you
would
say
whoa.
You
know,
writing
these.
These
rules,
that
that
looks
not
very
easy
and
unless
you
have
a
background
in
prolog
or
xslt,
you
might
not
find
it
very
easy.
So
good
news
in
the
context
of
kunitis,
you
don't
have
to
write
those
things
yourself.
You
can
use
opel
gatekeeper.
Opelgatekeeper
essentially
does
a
separation
of
concerns,
our
separation
of
duties
approach
here
it
allows
you
as
the
end
user,
who,
what
just
wants
to
apply
these
kind
of
policies
to
use
good
old
custom
resources,
so
you
essentially
just
apply.
B
B
A
B
Okay,
I'm
going
to
accept
that
and
merge
it.
And
then
there
is
an
agent
in
the
kubernetes
cluster.
That
looks
has
an
eye
on
the
git,
repo
and
synchronizes.
The
state
indicate
repo
with
what
what
is
going
on
in
the
cluster,
so
that
separation
of
concerns
it's
a
good
security
practice.
You
have
very
clear
boundaries
there.
It's
very
clear,
you
know
who
requested
the
change,
who
reviewed
and
approved
the
change,
also
think
in
terms
of
auditing
right
any
point
in
time.
B
You
can
go
back
into
a
previous
good
state
and
also
in
terms
of
if
you
think,
about
the
controls,
access
controls,
etc.
You
have
pretty
much
already
in
your
environment
set
up.
You
know,
access
to
git
and
your
workflows
there
who
is
reviewing
and
how
reviewing
is
assigned
and
who
is
doing
that,
so
it
really
lends
itself
to
in
a
cloud
native
setup
to
enforce
good
practices
with
with
quantities.
B
C
A
Have
this
have
this
kind
of
interaction,
so
yeah
keep
using
the
that
channel
will
be
there
all
week,
so
do
keep
keep
using
it.
You
can
get
hold
of
the
electronic
copy
of
the
kubernetes
security
book
that
it's
linked
to
on
the
conclusion
page
of
the
tutorial
website,
which
is
pinned-
hopefully
you've
all
found
it
by
now,
but
it's
pinned
in
the
channel
and
I
think
one
last
order
of
business.
I
believe
the
person
who
won
the
taipo
competition
is
thomas
crispin,
hope
I've
pronounced
your
name
matthew.
I.