Description
Don't miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from 18 - 21 April, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
A
Hi there, welcome to this CNCF webinar. I'm really delighted to talk to you today about open source security. This is Charmed Kubernetes and Kubescape for the best in class of Kubernetes security, and I hope over the next 25 to 30 minutes we can talk you through some of the landscape around security, some of the challenges that you face in Kubernetes especially, and some of the solutions, and really bring to light
A
why we think that Kubescape and Charmed Kubernetes are really good partners in helping you with your open source security needs. But before we get there, let me just introduce who we are. My name is Alex. I am the director of Kubernetes at Canonical, Canonical being the company behind Ubuntu, which might sound familiar, and I'm going to try and talk to you a little bit today about my experiences as both the engineering and the product leader in that space, and why something like Kubescape is so important to us.
B
Hello, everyone, my name is, thank you Alex, my name is David Wertenteil. I am a lead maintainer of Kubescape. I work as a team lead at ARMO.
B
So, as you can understand, I am one of the developers of Kubescape. With us over here there's also Vlad, who is also with, he's a colleague of mine from ARMO and also a lead maintainer of Kubescape.
A
Security for Kubernetes is overwhelming because of a few reasons. People are learning a new topology, it's on top of Linux, and also it really isn't distributed Linux, right, and so a lot of these concepts that people don't really brush up on for five, ten years after school come back to haunt them when they're thinking about a container, a pod, a namespace, you know, root privilege. What does all this really mean? And so some of the challenges that you have, not only the education piece.
A
You've got DevOps engineers who want to help you go faster, to build pipelines, to provision, to deploy. You have security professionals who are trying to stop this and to look at the threat and risk models for deploying into the wild, and then you have end users who are voraciously trying to consume stuff.
A
So it's super challenging to have a security tool or platform that can meet all of those needs and to help all of those professionals get what they need out of it. And so today, if we were trying to think about distilling this into a few security problems, I think it would be these you can see on the screen.
A
Many security tools are difficult to use. I think of some of the proprietary ones that I've had to use in the past, and the results come out in many different formats. Often the recommendations from tooling will be an Excel sheet that you'll have to digest, or maybe they will be, or that's proprietary, right. That scoring is only relevant to that tool. That kind of bleeds into the next point, which is that they're fragmented, right? You have tools that are all over the space in terms of where they actually touch. Lots of tooling around images
A
these days for OCI images, lots of scanners around specific spaces, where you can think about, is this image from a certain registry, but there aren't tools that tend to be generalists, and the tools that are generalists don't tend to work in depth across all of the different segments in a similar way. And so, if people find themselves thinking, well, how do I need this, do I need this, and you know, with that proprietary angle, it makes it even more complicated. I got to spend eighty thousand dollars a year.
A
And that's what many of these tools look to give you, an assessment of CI/CD. So the actual provisioning and distribution of software on top of Linux, on top of Kubernetes, is fraught with attack vectors, right, anything from man in the middle to poison registry attacks. Being able to actually provision the right thing onto the right node, and you know where it came from, and the provenance of that, is extremely compelling.
A
And the last thing is: how do you do all of the above, plus being able to say that your regulators can come in and see you've got an audit log and you're FIPS compliant, you're CIS compliant, you follow the latest NSA hardening guidelines? So it's an absolute head spin of how do you get anywhere near being successful with security for Kubernetes, because it's super challenging and it's a real landmine and minefield.
A
I want to take you very quickly through what Charmed Kubernetes is. The TL;DR of this is it's upstream K8s plus an operator life cycle management system, right. It's all the bells and whistles of conformant K8s and all that jazz, and we keep it all up to date. It's got CVEs that are automatically squashed, and we roll out revisions nightly, right. Your K8s goes and runs, and let's say there's a critical CVE and SCD, you automatically get that fixed.
A
You do nothing. It also, you know, runs on top of secured Ubuntu as part of this stack, so you get live patching on the kernel. Not many people can boast that, if any. And then all this blurb and text you see here are all the other bells and whistles that we do that many other companies compete in that space against. But the thing I think is the differentiator is really our story about how we get packages to you, in your K8s cluster. You'll hear me talk about Juju a few times.
A
In terms of that story I mentioned a moment ago, right, in terms of like those three pillars, how the heck does any of this stuff relate? Well, the hardening aspect, from what I think about, is Canonical works very hard to make open source accessible, and so what we do is we're now starting to think about, well, FIPS shouldn't be something that's just for proprietary use only. Let's harden Kubernetes with FIPS. What does that actually mean?
A
FIPS means that you need to have certain crypto libraries inside your Golang build engines and your runtime of Kubernetes, so the cryptographic hashes that it's creating match the FIPS hardening guide. So we're doing that this year, we're releasing FIPS hard MicroK8s. Great.
A
How do you think about CI/CD? Juju allows you to have consistent, multi-cloud CI/CD approaches. In fact, Juju really works more on the reconciliation base than the CI/CD push base, and what's really nice about using Juju is you have consistency across clouds, so way less misconfiguration comes in there. And then the last thing around governance and compliance is coming back to that angle of, do you have accreditation? Ubuntu is accredited in many different ways, you know, ISO, FIPS certified, etc., and we're starting to bring that into K8s.
A
Now, so NCSC, for those who aren't familiar, is the National Crime agency in the UK. We've just gone through a review of them, as well as other organizations across the world, to make sure that we're pulling in the highest standards possible. So that, in a nutshell, is why I think Charmed Kubernetes is interesting, and let's move on to Kubescape and let David speak a bit to that.
B
Okay, so I'll take it forward from here, and then we would also explain exactly how the two beautiful products can integrate in a seamless way. So what is Kubescape? Where did we start from? So, to give it a really quick recap, what happens is that, as Alex explained, the three different main driven points that drive us over here is, they're, they're not, there are many, there are many tools out there, not all of them.
B
So we came with Kubescape with an idea of having a single tool that would, that's built for developers, that is built for DevOps, which means it's easy to use, easy to integrate with, and then it covers your pipeline from the development, from the, as a VS Code extend function, through the CI, which means with GitHub Actions or CircleCI or other, and also in your cluster, with a CLI tool and also with the Helm chart
B
you can install in your cluster. Next slide, please. Yeah, so, and now Kubescape really comes to answering that on multiple questions. But what we really point out over here is, first of all, we give you the best practices. So if you want to be compliant, we have NSA, we have MITRE scanning, CIS Benchmark. We show you where are you related regarding other of your clusters, and how compliant are you with these different frameworks.
B
We also, Kubescape also show you, can identify and also can prevent some security drifts. That means Kubescape will tell you if you right now published a new namespace or resources with more security issues than you had before, so Kubescape will notify you on such things. And in general, we have over here continuous Kubernetes hardening, which, we can give, Kubescape gives the remediation advice of how to fix your issues. You can also scan recurring scans.
B
That means not only once a year or only when you deploy your components, but also once a day or once a week, etc. So if there are any new CVEs, Kubescape would right away detect it and alert the users about it.
A
Awesome, thank you, David. And I suppose, as we come on to this question of how do these projects merge together, it's important to take a step back and think about what I mentioned a moment ago around that whole operator life cycle management piece. We think about operators as charms at Canonical, and these charms are open source and they're effectively little Python packages that wrap around whatever you might have, so you might have an existing Helm chart.
A
What charms let you do is write hooks into that, right, so on create, on delete, etc. And that behavior, you could say it's the same as Kubebuilder, right, Kubebuilder does that too, but where charms differentiate themselves is that they are data driven, in that the charms expose interfaces to each other. So we could potentially have an nginx charm and relate that to the Kubescape charm and add capabilities for it to say: oh, I know what you do, I'm going to add it.
A
A watch on your Ingress, so I'm going to do XYZ. So charms are a way of building effectively data control operators that have their entire life cycle management, but also what they do, and I think this is, from our perspective, why it was interesting to collaborate, is they let you go fast, right? The charms are completely tailored and they are couture, in the sense that we know that charm will always work. It's like when you do snap install kubectl.
A
You basically know that 99.99 of time that should work, or install Docker with apt on Debian, you know that that works. If it doesn't, something's pretty wrong. And so we do the same approach with this, and it's kind of low ops, and that's really where we're coming from here in terms of what I want to hear from ours. I'd be really interested to know, David, from your perspective, you know, how do you think about Kubescape as a charm?
B
So it actually really comes together pretty nicely, because also with Kubescape, we look at it in a lot of ways as something that we want to install out of the box. As I mentioned before, it's built for DevOps. That means we don't want the DevOps to start struggling over here, calling support or having dedicated, opening tickets, support tickets.
B
We want this really to work out of the box, and it should work out of the box, and connecting this with charm would give it a very nice boost towards that direction. So, if you're already working with a charm or you want to work with charm, and you also want to work with Kubescape, these two things, these two products can go together, really get.
A
So one of the ways that, when I think about this, I was, before this webinar, so I'm trying to draw this out and visualize how these things work together.
A
It's very clear when you put it into something like an illustration here, so the orange components, if you think about those as Charmed K8s and you think of the blue as Kubescape, they're complementary, right. So Charmed K8s gives you sort of the guarantee of hardening on your cluster, updating packages, and kind of being the person that's responding to a lot of the things that Kubescape is going to point out to you.
B
Yes, so, first of all, you know, there's always the obvious answer, which is, there's this very known slide, I would say, that every hour of developer is a bit like, in the development phase, and it's another 10 hours in the testing phase and then another 100 hours in the production phase.
B
So when you try solving your issues, obviously in production, or when you start looking into security hardening in production, you're going to spend much more time on it, whether because you have different Helm charts with different values, etc., that you would now need to track back to the origin of them, or from various different reasons.
B
So if you have this built correctly as a CI/CD pipeline, it would save you a lot of time, and this is really where things come together over here, with having it the first, first setting up your security from level one, from when you start developing it, and again through the pipeline, and again securing your applications and being line also when you run in your production systems.
A
And that makes a lot of sense because I think, as you say, catching it early and shifting left is a critical way of actually making sure you don't extrapolate the amount of time that gets wasted. But also you've got this other side of things as well, which is the active scanning, and in the diagram, of course, it shows things like artifact images, but that's not all, is it? You also have sort of misconfigurations and active scanning in terms of what's going on in that cluster. Can you speak a little to that? Right.
B
So, it's not, so Kubescape would focus mainly on the application side of it, I would say. So Kubescape will not only scan your images for CVEs etc., but Kubescape would also scan your configurations, your YAML files, etc., for misconfigurations. Kubescape will also scan if you're running in, using cloud providers etc., so Kubescape would also take a look into those configurations. Again, CIS. If we look at the casr frameworks, so we need that support as well.
B
Well, so yes, so definitely you need to, you obviously need the infrastructure that would be good and protected infrastructure, but also the application. You need to make sure that your application is also following the guidelines and the hardening of the different security frameworks out there.
A
And that's where it gets quite interesting, because you mentioned CIS, and so, for example, let's see this, that could be a CIS control that's failing because the manifest is doing something that shouldn't be. You know, it might be doing some sort of privileged thing on the host. That's where we try to also meet in the orange boxes here, by making sure the host itself is hardened, so you're kind of really squashing any opportunity for there to be an attack vector, and I
A
think that's a really nice illustration of where these two things come together successfully, yeah. So we've spoken a little bit about kind of the why and the how. It's important now to look at sort of the, you know, let's get started with this. And one of the things that was really exciting was because Charmhub has become the de facto way of getting your operators and getting your charms.
A
It makes it very easy for anyone in the world to just do effectively a one-liner install, and so I was really excited when Kubescape was published onto Charmhub, because, as we'll see in a moment, it makes actually fetching it from anywhere super easy. And just to talk a little bit around this, you'll see things like stable five, etc. Charmhub supports a similar theory to snap, where you have channels and you can put an edge release, you can put a stable release, you could put a dev release, and you could even say, hey,
A
this is something specifically for that architecture. And so I think what we're trying to do is, again, coming back to that idea of low ops and zero options, we want Kubescape to be on clusters that all of our end users are running, because we see an immense benefit there, and by lowering that bar to entry, just like we do with things like MicroK8s, is that people will be like, yeah, I'm going to check that out, I'm going to try that and see how it works, and then they'll start to engage with the team.
C
So, as Alex mentioned, we distribute Kubescape as a charm and it is available on charmhub.io/kubescape. To install the charm, the only thing that you need to do is to deploy Juju, have it set up with your cloud, and follow the instructions we provide you in the chart, so in the chart, I'm sorry. So I have Juju deployed already. I am running a MicroK8s cluster locally, and I will right now bootstrap a controller that talks, that connects Juju to my local MicroK8s.
C
To do this, I run a sample command, juju bootstrap microk8s with the name of the controller, and it should bootstrap the controller for me. So Juju will be able to talk to the cloud, manage its models and perform any operations necessary for your deployment. This takes some time, but it's generally quite quick.
A
Just while we're doing that, it's quite important to mention that, if you've got at the top there, you can see you've got several different controllers, and that's because typically a way somebody might use Juju is to talk to several different clouds and different classes and models within those clouds. And so I think that one of the things that is kind of, I guess, a hurdle when you're learning is to get into that mindset of Juju effectively has these almost like bastions that you can connect to and then work with.
C
Yeah, sure, and as you can see, I've leveraged already multiple controllers to apply my models across multiple clouds, so this was very convenient. But right now, moving on with the Kubescape, I have already deployed the controller, and right now, if I go back to the documentation, we would see that we are required to create models, and models are generally the things that encapsulate your applications. So right now we would add a model for Kubescape, and this is just one simple command away from you.
C
So, as you can see, the model has been created, and right now we are good to create an application to deploy Kubescape itself. So for that we just copy the command, and there is one thing to keep in mind, is that when deploying the command, I am running on MicroK8s, so I will be changing the command from the documentation to accommodate for MicroK8s, and then you will also need to provide your account ID, which is distributed via the remote platform.
C
Creating an account is free and you should be able to use Kubescape whenever you have one. So right now we are deploying the Kubescape chart, and, oh, when it deploys, it automatically runs a scan of your cluster, and given the provided account ID, it will connect the account result, the scan results, to your Kubescape, the ARMO platform account. So you will be able to see the results in all their glory and the sauce and review them.
C
Take a look at your configurations or misconfigurations that you might have, CVEs and whatnot. So, as you can see in the status, the Kubescape application is deploying right now. It's performing some of its Juju zero ops magic. We are installing the charm software inside of our model, and right now, when you see no message, it means that Kubescape has been successfully installed and it's already performing its security thing. So thank you. That's it for me. I will be handing it over to David.
B
I'll be taking it from Vlad. Vlad, thank you very much for the demonstration of how to install, and now I would go a little bit through the different views you can see on the ARMO portal. So, what Vlad just scanned right now, the cluster he just scanned, I don't know if you noticed, but he called it DW. Thank you, Vlad. So here are the results from Vlad's scanning.
B
As you can tell, this takes, it can take around half a minute to a minute for the scans to appear on the ARMO portal. It depends on the size of the cluster, but it's relatively quick. Now, what we're looking on right now is the ARMO portal. Over here we can see basically everything that you do with Kubescape, whether you do it from your CI/CD or you run it as a, Kubescape as a CLI or Kubescape as a Helm chart.
B
Again, we want to have a single pane of glass for everything, for your full pipeline. So we're going to take a look into the config scanning, which is the configuration scanning, and I will show you a very quick tour over here of how it looks like. So, first of all, you could look at the different frameworks that we have, the CIS.
B
You can also follow up with the NSA framework, with the MITRE framework, whichever one you prefer. And let's say if we take the NSA framework, and we see over here the different controls that failed with the NSA framework and the cluster that Vlad just ran. For example, in the NSA there's the control name risk resource limits. That means that cluster is missing, the workload is missing resources limits. As you can tell, all of my workloads have a resource, almost all of them have limits.
B
The kube-system are excluded because, obviously, this is something that you have nothing to do about. But for this demonstration we wanted to show you a little bit how it looks like. So Kubescape will show you exactly how and where you need to fix. So, to tell you that you need to add over here the resource limits, the CPU and the memory, and once you do this, next time you would scan your components with Kubescape, you would see this control pass on this resource.
B
There's also a tooltip over here explaining how, why is this, and how you should change these values in your original deployment. So this actually works out of the box. It's nice, it's fun to use, and it's relatively easy. Another thing we have, as Vlad demonstrated, so this is the configuration scanning. We also scan the images for CVEs, so you can have different cpes in your system. I also actually take over here the CVE. You can take a look at the different CVEs that we detected.
B
You can also exclude CVEs if you wish to exclude. Good. We show you if there's a fix available for that, and also, if there is a fix, you can also sort and filter based on that.
B
We also, and this is generally the views you can see related to the Helm chart installation. There's another thing that we did, that Vlad did not demonstrate, but I will just show a sneak peek of that. Kubescape can also scan registries and also repositories, so we'll take a quick look at the repositories. So as we're speaking at the CI/CD, as you can tell, you can scan your GitHub, Azure, Bitbucket, GitLab, etc., and this way you can really have one place showing you all of your different issues.
A
You so much. Let me just share my screen again.
A
I think it's a wonderfully good pairing, and I think the thing that I wanted to help convey here is that these are complementary technologies, and Kubescape makes it easy, from my perspective, to get people excited about security, and they can leverage some of the capabilities in Ubuntu and in Charmed K8s to help bring them closer to compliance with those controls.
A
So when we really think about summarizing that, the idea is that Charmed K8s enables low ops management, and then, when you place Kubescape on top of that, you have a really great one-stop shop for security and, as David demonstrated, with those open source features that are being built and added all the time. It's a bit of success, as we like to say in the industry, and so I think that it makes it very compelling for someone to go out there, try Charmed K8s, pop Kubescape on top and actually start to think about,
A
oh, security isn't something that's a drag. I can actually start to look at these things in a proactive way and be successful for my solution and for my business. So I hope that you've enjoyed the past half an hour or so with us. I know that we've really enjoyed bringing this to you. I wanted to call out both of the projects, so ubuntu.com/kubernetes, you can find Charmed K8s, and github.com/kubescape/kubescape, you can find the Kubescape project. There is a wealth of information on both of these links.