►
From YouTube: Securing Kubernetes Container Platforms in 2021
Description
Using the Kubernetes Security Guidance best practices published by NSA and CISA in August of 2021, Lars guides us through the field of Kubernetes and security. The whole range of security tools at our disposal is covered, and we will learn how to secure the Kubernetes control plane, ensure that containers and Pods are deployed in a security-minded way, and what to do to prevent attacks. Is it sufficient to just run Kubescape, to follow the guidelines, or what else do we need to do to get a secure Kubernetes-based container platform in 2021?
Lars has worked with cloud technology since 2008, both within industry and academia. He holds a PhD in computer science and is a senior cloud architect at Elastisys. He is one of the architects of Compliant Kubernetes, a CNCF certified Kubernetes distribution, designed and developed especially to meet the high security demands of regulated industries.
The blog posts with additional information are here:
https://elastisys.com/nsa-and-cisa-kubernetes-security-guidance-summarized-and-explained/
https://containerjournal.com/features/hardening-kubernetes-beyond-nsa-cisa-guidance/
Check out Compliant Kubernetes, the Kubernetes distribution for regulated industries that Lars talked about, at https://compliantkubernetes.io/
Connect with Lars on LinkedIn at: https://www.linkedin.com/in/llarsson/
Follow Elastisys on LinkedIn at: https://www.linkedin.com/company/elastisys
Connect/follow me:
https://www.linkedin.com/in/joebignell/
A
So
if
everybody
is
ready,
we
are
going
to
start,
so
I
will
start
off
by
making
a
very
quick
introduction
of
myself.
So
my
name
is
joe
bignall.
I
am
the
host
of
devops
for
everyone.
I
see
some
familiar
names
in
here,
which
is
fantastic.
I
see
some
new
names,
which
is
equally
as
good
as
well
devops
for
everyone
has
been
around
since
march
2020
when
we
did
the
first
ever
meetup
in
person
in
central
london.
A
What's
in
the
us,
nsa
and
cisa
kubernetes
hardening
guidelines
publication.
So
lars
is
an
employee
at
elasticis.
In
sweden,
one
of
the
senior
cloud
architects
and
branch
manager,
so
somebody
that
has
a
wealth
of
knowledge
in
this
field.
So
we
are
very,
very
happy
that
he's
here
today
and
for
those
that
don't
know
elastasis,
it's
a
swedish-born
company
that
provides
products
and
services
for
scalable
and
responsive
it
systems,
I
think,
lies
if
I'm
not
mistaken,
an
emphasis
on
predictive,
auto
scaling
and
multi-cloud
capabilities.
B
A
B
So
so
this
this
to
me,
this
has
been
a
very
virtual
meetup,
but
I
would
love
to
actually
be
there
in
person
once
that
is
possible
again.
So
this
is
me
and,
as
joe
said,
I've
been
doing
this
for
quite
a
while.
I've
been
doing
cloud
computing
since
2008,
or
so
both
in
industry
and
in
academia.
So
I
have
a
phd
in
computer
science
for
stuff
that
I
did
in
cloud
resource
management,
but
my
heart
has
always
been
you
know
in
sort
of
the
terminal
and
linux
systems
and
stuff
like
that.
B
So
I
have
tons
of
experience
in
software
engineering
and
devops.
I
work
as
a
senior
cloud
architect
at
leicester's
and
we
make
this
open
source
kubernetes
distribution
called
compliant
kubernetes,
which
is
a
kubernetes
distribution
that
is
tailor-made
specifically
for
organizations
that
are
in
regulated
businesses.
So
you
know
education
or
medical.
B
B
C
B
D
B
Perfect,
okay,
thank
you!
That's
awesome,
yeah!
So
I'll
keep
that
up
as
well.
No,
I
can't
actually
because
it's
going
to
cover
my
presentation
for
me
I
mean
I,
I
know
what
it's
about,
but
I
still
want
to
see
it.
Okay.
So,
let's
start
with
a
really
uncomfortable
question:
okay,
so
the
uncomfortable
question
is
what
permissions
have
you
given
me
in
your
kubernetes
cluster
or
cloud
infrastructure?
B
So
what
are
the
threats?
Well,
there
are
three
types
that
the
report
covers
and
I
think
it's
a
very
good
distinction
between
the
three.
So
first
of
all
supply
chain
risks.
Now
hardwiring
software
comes
from
somewhere
else.
Most
of
it,
you
write
your
application,
but
that's
just
a
tiny,
tiny,
tiny
part
of
all
the
software
that
is
running
in
your
system.
So
do
you
actually
verify
that
it
is
all
correct,
probably
not
unless
you're
like
in
the
defense
industry?
B
B
The
problem
is,
of
course,
also
that
two-thirds
of
all
insider
incidents
are
due
to
negligence,
so
this
is
that
they
could
either
be
intentionally
malicious.
They
could
be
coerced
by
outsiders,
but
they
could
also
just
be
clumsy,
and
two-thirds
of
all
insider
incidents
are
apparently
due
to
negligence,
which
is
you
know
fast
word,
I'm
guessing
for
clumsy,
plus
that
there
are
policies
that
don't
really
protect
the
system
there.
There
aren't
any
policies
in
place
that
are
being
enforced.
That
would
protect
the
systems
right.
B
How
many
have
actually
seen
this
report
by
the
way?
Oh
yeah,
I
can't
do
show
of
patents,
damn
it
hopefully
you've
seen
this
report.
If
not,
when
you
have
the
slides,
you
can
click
on
that
link
and
what
it
is.
It's
a
59-page
tech
report
and
it
was
published
out
in
the
public
in
august
this
year
it's
focused
on
kubernetes
itself,
so
there
is
a
very
detailed
discussion
of
security
related
configuration
of
kubernetes.
B
B
Rather
high
level,
when
you
just
read
the
executive
summary,
but
it's
also
very
like
low
level
in
the
sense
that
it
talks
about,
like
which
network
ports
do
you
need
to
open
and
why
so,
it
mixes
both
those
perspectives,
and
I
hope
that
this
presentation
is
somewhere
in
between,
because
what
I
will
do
is
that
I
will
take
the
executive
summary
points
and
I
will
expand
on
them
to
make
it
more
understandable
like
why.
What
are
you
actually
achieving
when
you
do
this,
because
it's
a
government
report,
it
doesn't
really
say
anything
about.
B
You
should
use
this
or
this
or
this
software,
because
I'm
guessing
that
would
be
wrong
and
yeah.
So
it
only
mentions
other
security
software
in
passing
my
main
problem
with
it,
though,
is
that
just
like
I
see
you
know
after
reality.
Far
too
often,
it
focuses
mainly
on
like
hardening
as
sort
of
a
one-time
thing
that
you
do
rather
than
the
process
that
I
think
that
security,
actually
is
you
know,
so
it's
it's
a
continuous
process
that
you
can't
just
say:
yep
we
did
security
and
then
you're
done.
B
B
B
That
is,
they
don't
change,
which
is
wonderful,
because
that's
why
we
love
containers,
I
mean
we
want
them
to
not
change,
because
that
means
that
we
can
just
let
you
know
here
is
the
container
image
that
we
tested
in
our
qa
environment
and
then
we
can
promote
that
to
staging
and
we
can
promote
the
same
one
to
production,
and
we
know
that
there
are
no
underlying
changes.
It
is
the
same.
B
However,
that
also
means
that
you
have
a
whole
lot
of
insecure
code
that
will
stay
there
in
a
time
capsule,
because
if
you
don't
update
the
software,
but
threats
get
updated
out
there
in
reality,
you
will
actually
have
code.
That
is
running.
That
is
not
secure,
and
the
ironic
thing
is
that
the
more
stable
a
component
is
in
your
deployed
system,
the
more
infrequent
you
update
it,
the
worse
that
actually
is
for
security.
B
B
I
recommend
one
called
trivi,
but
basically
all
docker
registries
have
some
kind
of
scanning
functionality
in
them
right
now
and
what
they
will
do
is
that
they
will
scan
when
you
push
the
image,
but
the
problem-
and
the
report
says
also
to
don't
just
scan
when
you
push
scan
using
an
admission
controller
now
in
kubernetes,
an
admission
controller
is
a
component
that
catches
sort
of
the
api
call
that
says
you
know
please
run
this
container
for
me,
run
this
as
a
pod
and
okay.
That
is
great.
B
B
So,
as
you
may
also
be
aware,
with
containers
and
security,
basically,
the
default
settings
for
containers
and
also
kubernetes
has
been
to
not
really
care
all
that
much
about
security,
so
containers
run
as
the
root
user
by
default,
and
that's
not
good
at
all,
and
the
report
also
says
you
know
if
you
have
this
container
and
it
has
a
file
system,
but
it's
not
actually
supposed
to
write
anything
to
the
file
system.
Why
would
you
even
allow
it
so
use
read-only
file
systems
until
need
arises
and
in
kubernetes
there's
also
this?
B
There
have
also
been
these
security
features.
You
can
actually
set
the
so-called
security
context
and
you
can
use
pod
security
policies.
If
you
have.
You
know
previous
versions
of
kubernetes
or
pod
security
standard,
if
you
have
the
version
1.22
and
later
so
these
are
essentially
settings
that
are
the
best
practice
settings
for
how
to
run
a
pod
in
a
secure
way,
which
means
that
it
can't
do
various
things
against,
say.
B
B
The
report
says
you
also
need
to
use
network
separation
to
control
the
amount
of
damage
that
a
compromise
can
cause.
Now
this
is
key
because
the
default
settings
in
kubernetes
they
allow
all
plants
to
network
with
all
other
pawns,
regardless
of
which
namespace
they're
in
regardless
of
whether
they
it
really
makes
sense
to
or
not,
and
the
problem
is,
of
course,
that
the
security
of
your
entire
deployment
is
only
as
strong
as
its
weakest
point.
B
So
if
I
manage
to
get
into
you
know
some
component
that
you
basically
it's
a
throwaway
component,
that
you
don't
think
that
anything
is
going
to
happen
to
it.
Well,
that
can
then
serve
as
the
bridge
into
the
rest
of
your
system
and
what
you
can
do
and
what
you
should
do
is
you
should
enable
something
called
network
policies,
and
these
are
kubernetes
aware,
firewall
rules,
so
you
can
then
either
specify
rules
that
say
you
know
you.
This
component
can
talk
to
these
ip
blocks,
or
these
components
can
network
with
these
other
components
in
kubernetes.
B
So
then,
you
can
say
a
rule
that
basically
says
only
allow
components
that
are
marked
backend,
to
connect
to
components,
marked
database
and
nothing
else,
so
nothing
else
can
actually
connect
to
database.
Also,
backend
can't
connect
to
anything
else.
So
then,
you
can
really
limit
the
amount
of
exposure
that
you
have
if
anyone
would
manage
to
hack
into
your
system.
B
If
you
are
running
on
untrusted
networks
and
I'm
not
sure
what
that
means
for
your
organization,
so
to
some
organizations,
the
cloud
would
be
an
untrusted
network
so
like
in
in
amazon.
You
wouldn't
trust
that
for
some
organizations
some
organizations
make
a
different
risk
analysis
and
they
say
no,
no
amazon
is
fine,
but
you
know
if
we
ever
need
to
run
like
on-premise
at
a
customer
location
that
is
untrusted.
B
So
what
I
think
you
should
do
is
you
should
use
a
networking
provider
with
transparent
encryption
in
it.
So
wireguard
is
this
new
type
of
vpn
that
you
can
actually
use
as
a
feature
in
calco
and
there
you
just
have
automatic
encryption.
You
don't
need
to
worry
about
it
and
the
pods
aren't
even
aware.
So
you
just
get
automatic
encryption
for
all
network
traffic.
That
flows
between
hosts
in
your
kubernetes
cluster,
perfect.
B
B
So
authentication
would
be
the
thing
where
I
somehow
prove
that
I
am
me
so
some
system
says
this
is
lars.
He
works
at
elasticist.
He
is
a
member
of
these
groups
and
that's
it
that's
where
authentication
stops
and
then
authorization
is
where
you
assign
roles
to
users.
So
there
are
also
features
for
that
included
in
kubernetes,
but
they
aren't
enabled
by
default.
B
B
But
if
you
have
open
id
connect
integration
and
you
have
role-based
access
control
enabled,
then
you
actually
can
have
these
rules
in
place.
So
what
I
think
you
should
do
is
you
should
definitely
disable
this
perpetual
admin
token
that
you
get
when
you
create
a
kubernetes
cluster,
because
that's
that's
perpetual,
it's
never
going
to
expire.
You
always
have
like
a
way
in
using
that,
and
you
know
that's
that's
a
big
problem,
because
even
if
you
like
enable
audit
logs,
it's
not
gonna
show
up
as
anything
it's
not
gonna
show
up
as
a
specific
user.
B
So
if
you
have
that
token,
you
are
basically
hidden
from
all
kinds
of
nice
auditing,
but
you
can
do
everything
you
should
enable
openid
connect
for
user
and
group
membership
so
that
you
can
integrate
with
say,
azure
or
google
or
whatever
you
can.
You
can
do
that
via
dex,
for
instance,
or
key
cloak.
We
ship
dext
in
compliant
kubernetes
and
we're
happy
with
that,
and
I
mean
if,
if
that
suits
your
needs,
that's
a
great
way
to
connect
to
various
identity
providers
and
spit
out
openid
connect
tokens
that
kubernetes
can
then
use
anonymous.
B
B
Now
I
mentioned
audit
logging,
so
all
api
calls
can
be
logged
for
auditing
purposes,
but
there
are
a
lot
of
audit.
There
are
a
lot
of
api
calls
that
will
wind
up
in
your
audit
logs,
because
every
time,
a
cloud,
a
controller
in
kubernetes
does
anything
it's
interacting
with
the
kubernetes
api
and
all
of
those
calls
will
also
wind
up
in
your
audit
logs.
B
So
while
it's
great
to
collect
this
information,
you
also
need
something
to
help
make
sense
of
it.
So
the
report
says
you
should
use
some
kind
of
automated
system,
and
my
take
is
that
there's
this
program
by
sysdig,
it's
open
source,
it's
called
falco
and
it
can
act
both
as
a
simple
security
incident
and
event
management
system,
and
you
should,
if
you
do
that,
together
with
say,
a
centralized
logging
system
such
as
elasticsearch,
but
I'm
guessing
you're
running
some
kind
of
logging
solution.
Anyways.
B
The
report
also
says
that
you
should
periodically
review
all
kubernetes
settings
and
use
some
kind
of
vulnerability
scans
to
help
ensure
that
risks
are
appropriately
accounted
for
and
that
security
patches
are
applied,
and
that
is
something
that
I'm
guessing
that
everyone
here
in
the
audience
knows
exactly
what
a
big
pain
in
the
neck.
That
is
because
kubernetes
releases
new
versions.
B
The
problem
is,
of
course,
as
this
also
says
that
you
need
to
review
kubernetes
settings.
Is
that
all
kinds
of
security
features,
as
as
you've
noticed
by
now,
is
that
they
are
typically
opt-in
rather
than
opt
out,
and
you
definitely
need
to
opt
in
as
soon
as
possible,
and
there
are
tools
out
there
that
can
run
some
automated
tests
and
they
can
help
find
insecure
settings,
and
the
problem
is,
of
course,
that
the
insecure
ones
are
the
default
ones.
B
So
I
think
you
should
definitely
run
automated
testing
you
need
to,
but
are
they
sufficient?
So
there
are
two
that
are
like
top
of
my
mind.
Cubescape
by
armo
security
is
a
really
nice
tool.
They
have
released
a
framework,
basically
a
set
of
rules
that
checks
against
exactly
the
well
some
of
these
ones
that
are
in
the
report.
B
However,
it
currently
relies
on
what
it
can
determine
via
kubernetes
api
calls.
Cuba
bench
by
aqua
security
connects
deeply
into
the
control
plane
host
node,
like
one
of
your,
you
know
previously
called
master
nodes
and
therefore
it
can
currently
inspect
more
than
cubescape
can,
but
both
of
them
really
help.
You
understand
the
low
hanging
fruits
of
vulnerability
scanning,
so
I
think
you
definitely
need
to
do
this,
because
obviously
anyone
trying
to
attack
your
kubernetes
cluster
will
also
do
it
and
not
having
done
this.
B
Basically
just
screams,
there's
an
insecure
cluster
over
here
and
if
they
find
that,
then
you
are
in
real
trouble
now.
The
problem
with
both
of
these
and
with
all
really
is
that
they
are
limited
in
what
they
actually
can
investigate.
So
they
can't
verify
that,
for
instance,
your
storage
provider
does
encryption
at
rest.
They
can't
inspect
any
firewall
rules
or
security
policies
encoded
in
other
systems
than
kubernetes.
B
They
don't
know
anything
about
the
underlying
operating
system
or
any
third-party
software
or
third-party
services
that
you
use,
and
they
will
never
be
able
to
tell
you
that
your
policies
are
actually
sufficient
for
your
information
security
needs,
because
how
would
a
piece
of
software
know
that?
So
it
can't
actually,
but
they
can
definitely
tell
you
if
your
cluster
is
going
to
be
fine
for
automated
tests
or
if
there
are
any
obvious
problems,
and
you
don't
want
to
showcase
any
obvious
problems
ever
so.
That's
basically,
where
the
report
stops
and
where
my
suggestions
begin.
B
First
of
all,
I
think
you
need
to
be
very
strict
with
preventing
misconfiguration
and
not
just
checking
for
it.
After
the
fact,
as
I
said
before,
if
two-thirds
of
all
insider
incidents
are
due
to
negligence,
that
means
that
there
weren't
sufficient
controls
in
place
to
ensure
that
policies
were
adhered
to
and
like
role-based
access
control
is
great,
but
it's
also
limited
in
what
it
can
actually
express.
So
I
mean
a
role-based
access.
B
Control
system
can
tell
you
like
lars
is
allowed
to
modify
configuration
in
the
production
environment,
but
it
doesn't
say
anything
about
like
what
changes
am
I
actually
allowed
to
make?
Can
I
set
stupid
default
passwords?
Can
I
make
the
password
of
the
database
like
one
two,
three,
four
five,
I
shouldn't
I'm
guessing
be
allowed
to
do
that,
but
rollback's
role
based
access
control.
B
B
The
problem
is-
and
I
think
everybody
is
probably
like
technically
aware
of
this,
but
they
don't
think
about
it
like
day
in
and
day
out,
and
that
is
that
any
permission
that
you
give
to
an
application
will
also
be
given
to
bad
actors.
Malicious
users,
hackers,
whatever
so
a
hacked
application,
will
have
all
the
permissions
that
the
application
usually
has
so
now,
all
of
a
sudden
that
hacked
application
can
go
in
to
your
third
party
software
as
a
service
integrations.
B
B
Probablyo
can
also
quite
easily
determine
how
to
connect
to
the
database,
so
you
always
need
to
restrict
your
app
components
as
much
as
possible,
because-
and
this
is
something
that
I
see
like
all
the
time
like-
why
would
something
that
is
just
supposed
to
like
get
a
rest?
You
know
incoming
request
over
some
rest
api.
Why
would
it
ever
get
to
do
anything
besides
get
the
request
and
do
some
processing
and
send
back
the
results
it
shouldn't
write
anything
to
like
local
storage.
B
You
also
need
to
keep
cloud
resources
specifically
in
mind.
So
I
mean
say:
amazon
has
like
what
200
something
services
and
it's
great.
They
have
great
services,
but
it
can
also
be
quite
cumbersome
to
use
them,
so
it's
very
tempting
to
install
like
various
controllers
and
operators
that
are
out
there
in
the
cloud
native
ecosystem
and
community,
and
they
can
offer
like
various
cloud
integrations
like.
B
B
Here's
a
question:
does
your
application
unintentionally
have
permissions
in
your
cloud
because
that's
a
big
problem,
so
what
I've
seen
many
many
many
times
is
that
people
assign
you
know
these
instant
instance
profiles
that
basically
give
worker
nodes
in
your
cloud
the
ability
to
modify,
say,
dns
records
or
auto
scaling
groups.
You
know
so
you
can
scale
the
cluster
up
and
down
or
whatever
the
ability
to
modify
load
balancers,
because
the
problem
is,
if
those
apply
to
the
server
itself,
if
they
apply
to
like
the
worker
node.
B
It
is
a
call
that
comes
from
that
server
and
all
you
need
to
do
as
a
hacker
is
you
can
just
figure
out
like
hi
cloud?
Can
I
have
you
know
my
permissions
now
and
then
please
run
these
api
calls
for
me.
So
all
of
a
sudden,
maybe
you
can
scale
up
the
amount
of
servers
that
are
running
and
then
you
can.
I
don't
know
mine,
bitcoins
or
whatever
you
want
to
do
with
a
whole
bunch
of
extra
free
capacity.
B
As
I
said
before,
you
need
to
regularly
scan
all
your
deployed
container
images,
not
just
when
they
are
new
and
like
have
been
pushed
to
the
to
the
image
registry.
So
what
I
think
you
should
do
you
should
loop
through
all
your
pawns
that
are
currently
deployed.
You
should
determine
which
container
images
are
in
active
use
in
those
pawns,
and
you
should
scan
those
images,
and
if
you
do
that
daily,
then
you
have
the
best
possible.
B
B
B
B
B
Let's
also
point
out
that
disaster
recovery
is
not
equal
to
backups.
So
what
is
a
good
disaster
recovery
plan?
Well,
you
need
to
so
many
people
understand
that
okay,
so
a
disaster
could
be
an
entire
cloud
region
goes
out,
but
do
they
have
a
plan
and
do
they
actually
practice
for
dealing
with
that
type
of
situation?
B
I
think
you
should
also
practice
this
from
a
security
point
of
view,
because,
basically,
is
it
possible
for
you
to
see
this
large-scale
attack
as
a
disaster,
and
then
maybe,
if
you
could
practice
like
okay,
so
we
need
to
nuke
everything
we
have.
We
need
to
recreate
everything
in
you.
We
need
to
restore
data
to
what
it
was
like
like
five
hours
ago
before
this
attack
started
and,
of
course,
we
also
need
to
you
know
plug
whatever
hole
the
hackers
got
in
through.
B
B
B
B
B
B
You
know
for
normal
operation
of
the
application
and
that
you
will
see
that
I'm
there,
because
you
have
automated
systems
that
both
limit
what
I
can
do
and
they
also
raise
an
alert.
When
I
make
the
application
behave
in
ways
it
doesn't
normally
do
so
that
you
will
catch
me.
You
will
see
that
I'm
there
and
you
won't
be
fooled.
B
Okay,
are
there
any
questions
so
either
you
can
ask
now
and
now
I'm
gonna
try
to
bring
up
this.
This
chat
and
if
you
have
questions
that
you
haven't
typed
into
this
chat,
then
you
can
send
them
via
email.
If
you
want,
you
can
find
me
on
linkedin,
you
can,
you
know,
connect
with
me
there.
You
can
send
some
questions
there.
B
Are
there
any
questions?
Oh
yeah,
I'm
scrolling
up
and
somebody
says,
check
out
m9sweeper.io
a
freemium
scanner
for
kubernetes
does
ongoing
scans
in
the
cluster,
as
you
suggested,
takes
less
than
10
minutes
to
install
was
demonstrated
this
summer
on
this
podcast
awesome,
yeah,
perfect,
that's
so
nice,
so
m9sweeper.io,
I'm
going
to
check
out
that
system.
I
hope
everybody
else
does
as
well.
B
How
about
using
caverno
instead
of
oppa
yeah
sure
so
they
solve
the
same
general
problem,
because
they
both
act
as
this
admission
controller
again.
So
the
thing
that
basically
intercepts
api
calls
coming
into
the
kubernetes
api
server
and
it,
and
they
both
have
this
set
of
rules.
They
can
say
thumbs
up
or
thumbs
down
to
that
api
request
and
basically
caverno
and
oppa.
They
have
different.
There's
the
language.
B
How
you
specify
rules
is
different
and
sure
I
happen
to
like
oppa
and
gatekeeper,
even
though
it
has
a
bit
of
a
weird
language
to
use,
simply
because
it's
it's
something
that's
been
around,
you
can
integrate
it
into
other
pieces
of
software
as
well,
because
you
can
use
it
as
a
library,
and
I've
had
some
great
success
with
that.
But
yes
do
check
out
caverno
as
well.
B
B
B
B
D
B
D
B
Yes,
all
right,
I
would
and
the
reason
why
I
say
that
I
would
is,
of
course,
that
that
is
the
whole
point
of
that
compliant
kubernetes
distribution,
that
I
was
talking
about
that
we
make.
So
if
you
process
that
type
of
information,
you
need
to
be
very
mindful
of
what
cloud
provider,
if
any
that
you
use
or
if
you
maybe
run
an
on-premise
kubernetes
cluster.
So
I
mean
your
security
that
the
information
security.
B
Isn't
really
affected
in
the
sense
that
I
mean
you
need
to
affect
it.
You
don't
need
to
like.
Oh
I'm
running
I'm
running
in
the
cloud.
That
means
I'm
sending
it
like
to
say
amazon.
No,
it
doesn't
need
to
be.
I
mean
you
can
actually
benefit
from
kubernetes,
even
if
you
run
on
premise,
because
I'm
guessing
that
you
want
to
process
this
type
of
information
say
if
it's
about
say,
if
it's
about
you
know,
patient
data.
B
B
Yeah
right
so
maybe
that's
what
they
require
and
then
you
can
use
kubernetes
there,
because
the
point
is,
you
want
to
use
kubernetes
because
it
helps
accelerate
your
developers.
You
want
to
be
able
to
push
out
software.
You
want
to
use
cloud
native
tools
you
want
to
use,
like
I
don't
know,
like
postgres,
managed
by
say
the
zorlando
postgres
operator.
B
I
don't
know
why
I
mean
there
are
many
reasons
why
you
would
like
to
use
kubernetes,
but
that
doesn't
mean
no
use
of
kubernetes
does
not
imply
we're
sending
it
all
to
this
public
cloud.
That's
run
in
the
us
or
whatever
it's
not
the
same.
It's
not
it's
not
neces,
it's
not
a
necessary
step.
So
in
compliance
kubernetes
we
use
this
tool
called
cubespray
to
install
and
that
can
work
on
bare
metal,
anything
that
basically
has
an
ip
address
and
runs
linux.
B
A
B
Oh
yeah,
there
are
actually
two
now
the
second
one
is
actually
public
as
well.
We
sent
it
for
publication
with
kubecon,
and
now
it's
also
public,
which
is
kind
of
strange,
because
cubecon
is
like
what
in
a
couple
of
weeks.
But
yes,
so
there
is
one
blog
post
where
I've
summarized
the
nsa
and
sisa
guidance
report
there.
You
know
the
kubernetes
security
hardening
guidance,
so
that's
on
elasticist.com.
B
Awesome
I
yeah,
so
I
also
got
a
question
sent
privately
to
me.
So
I'm
not
gonna
read
that
person's
name
is
essentially.
The
question
is:
do
you
need
to
have
a
person
that
is
an
expert
in
compliant
kubernetes
before
you
try
to
implement
compliance
kubernetes
in
a
large
enterprise
or
what's
the
story?
Basically?
And
no
you
don't
need
to.
I
mean
it's
compliant
kubernetes.
If
you
go
to
compliant
kubernetes
dot,
io
you'll
see
that
basically
we
install
using
cube
spray,
which
is
this
standard
tool
for
installing
kubernetes.
B
A
Not
a
problem
absolute
pleasure.
Thank
you
very
much
and
thanks
for
your
time
and
thanks
everybody
for
staying
tuned.
Lars
is
a
great
guy
to
fire
questions
out.
So
his
linkedin
and
his
email
address
is
on
the
screen,
so
definitely
use
last
one
of
the
kubernetes
questions,
but
until
next
time
lars
have
a
great
day
and
I'll
catch
up
with
you
guys
soon.