From YouTube: CNL: Supercharge Your Infrastructure Management with OPA
A
A
So, as you may know, every week we bring new presenters to showcase how to work with cloud native technologies. We will build things, we will break things, and we'll answer your questions. Today we have Steffy Janus here with us to talk about how to supercharge your infrastructure management with Open Policy Agent.
A
So just a reminder, this is an official live stream of the CNCF. So as such, it is subject to the CNCF code of conduct. So that means, please don't add anything to the chat that would be in violation of that code of conduct. So be nice, be respectful of the other folks in the chat, be respectful of Steffy, the presenter, and be respectful to me too.
A
Please, I'd appreciate that. Friends who are joining us live, please do say hi in the chat right now, tell us where you're tuning in from. I love seeing it. I won't be able to shout it out, but I do watch it, and I love to know that people all over the globe are watching, are here with us right now. It's so amazing!
A
So as always, if you have questions during the presentation, go ahead and put them in chat. Today, we're not going to answer them right when you have them; we're going to save them for the end, and then we'll do a Q&A part after Steffy's presentation.
B
Thank you very much for having me with me. It's amazing to be here again: science and I'm the CTO and co-founder of Firefly, and today I'm going to talk about Open Policy Agent, and I'll elaborate and explain why we need this. Before we begin, I'd like to explain a bit about my company, about Firefly. We built the first cloud asset management platform that reduced the cloud complexity using infrastructure as code, and what we do in Firefly is to scan the entire cloud footprint, I mean hyperscalers like AWS.
B
And SaaS applications, and Firefly also analyzes the infrastructure as code, all IaC tools, from Terraform to CloudFormation and even Helm charts, etc. We detect discrepancy, continuously detect the discrepancy between the cloud and the IaC, and then generate Terraform code or IaC code, using AI for something.
A
B
B
Cool, so let's begin, and I would like to explain what is the OPA and why do we need this. So Open Policy Agent is the first unified policy-as-code solution, with a language called Rego, a declarative language called Rego. The idea behind the OPA is that we can check, we can build any rule that we want and check it on a JSON file. I mean, if a list of people, and right now I'm building a rule to detect who is more than 30.
B
I can detect from the list of the people exactly, I can get the result, and in this session I will show you many examples for Kubernetes, for AWS, etc. Generally speaking, you can see Open Policy Agent, that's a mature open source tool, also approved by CNCF, and many companies out there adopted this great open source.
C
B
For many other purposes. I told you about Firefly, that we adopted the OPA for government, for governing the cloud, for a second step of secure, reliability, etc. Out there, there are solutions for authentication and authorization that utilize OPA for this purpose, or for network firewall rules; for example, we can detect if a network is allowed or denied, etc. So I would like to share my screen and start with a quick example. Thank you, okay.
B
C
B
So let's take the OPA rule that I've created here, and I would like to introduce you to the OPA playground, John and I'm sharing this quick. Okay, OPA playground, that's a great way to detect our rule, to analyze, to assess if we build our rule correctly. So I'm taking the OPA Rego rule here and now, let's take.
B
A
B
B
So that's a simple rule for that, and I will show you in this session complicated rules for many purposes, but let's dive in more technically, and if somebody here has some questions or would like me to repeat or something, feel free to write it on the chat. Cool, so first thing, I will run right now the OPA server. And let me zoom in on this. You can see that I'm running the docker run, a Docker run for port 8181.
B
The server is already running, so one thing: let me run it again, but it's very easy to handle the OPA server. On top of that, we will add our Rego rules, because we will add more and more and more policies, and after running the OPA server, after loading the OPA rules, we would like to check JSON files for each rule to understand if a JSON file is compliant or not compliant.
B
You can see that I have a file called example.rego, that's exactly what I showed you on the left side, and then I'm running a command, an HTTP PUT, to load the data from the example into the Open Policy Agent. Let's run it now. You can see that it's loaded, and I will check right now John Smith and Michael Smith and John Doe. So the first one, you can see valid: true. You can zoom in, so trust me that that's the result.
B
A
B
A
I have a quick question. So policy seems really powerful, and so, if you're trying to start policy into your whole system from scratch, that seems like maybe kind of a dangerous undertaking, or something you need to do very delicately. So do you have advice around how to start if you don't have any policy right now, like what you would do as your first, like, baby steps into getting it working? Yes.
C
B
A
C
B
So what I did here is to take a Kubernetes deployment. I logged into my kubectl and ran kubectl to get the configuration of the specific deployment. You can do it also with Lens, for instance, and as you can see, I have a JSON file, and I show you this soon with the deployment itself.
B
A problem because I understand that that's an important policy, so let's copy the readiness probe and let's paste it here and elaborate on the rule, and let's evaluate and we'll see here the results. In that case it's not allowed, and if you need to dive into the rule itself, you can see that I'm using something that was created by the community. I'm importing a library, and if I'm going into this, we will see under Open Policy Agent the library itself, and I highly recommend using pre-created libraries.
B
So we have here the different value and default variable allow, starting with false, and then I built here a function to detect if I have a readiness probe. As you can see, it runs through the configuration that I have, in that case, if the deployment has spec.template.spec.containers.
B
This sign is really important for you to understand, because it might have a list of containers, and if I would like to check if at least one of the containers inside has a readiness probe, I need to use this sign. And at the end of the day, I run the rule here and I'm getting the results, and the same also for the CPU request. This one is an easier one, but let's use it.
B
So you can see that I also imported a library that was created by the community, and I added here a value equal to one for default CPU request, and then I deep dive into the configuration and a bit of the policy that returns if the deployment has CPU requests or not, if I'm running this and get the result.
B
And one of the pains that we face is to write the rules, and you asked me a great question before, and I can tell you that I spent hours for building rules. That's why I highly recommend utilizing AI to generate the rules for you, yeah and.
B
B
A
Okay, I'm gonna ask you to slow down just a little bit. People, when you were doing the playground earlier, we got the question: will you be sharing the samples? So the examples you gave of OPA before we even got into AI.
A
Can we see those examples, or is there a way for them to access, for people to access those later to try them out for themselves? Yeah.
A
So great, and then another question is: can you share the library again, the.
B
Under the policies and insights, we built many rules for you, for FinOps, SecOps, availability, for AWS, Kubernetes, SaaS applications, etc. So if right now we would like to see a rule for a Kubernetes deployment without CPU requests or CPU limits, you can see here the OPA rule, and you can just sign up for free and use our platform, so enjoy, fine.
A
B
Cool, folks, so what I wanted to show you is AIaC, our first open source tool, that actually generates infrastructure as code, or policy, or whatever you want, using AI. So I started with OpenAI, where you need to generate the API key for OpenAI, and then I will give you a great example for policy. Let's copy this: AIaC get OPA policy that enforces readiness probe at Kubernetes deployment.
B
C
B
Okay, so you can see that this rule was fully generated by AI, and that's the example that I showed you before. So what you can do is to run the CLI command for AIaC, and then you can use an argument for output file, I mean to save the generated AI policy to a dedicated file, and then you can utilize this, I mean you.
A
B
The policy to the OPA server, and then you can run any configuration that you want to detect the policies. So before continuing, I just want to conclude this specific part. I showed you some examples for Kubernetes: we took a configuration of deployments and then we built two rules, doesn't matter if we built it with AI or we just wrote the.
B
At the end of the day, I wanted to check if my Kubernetes deployment complies with those policies. Now I'm going to elaborate on AWS, because here I brought a lot of examples for FinOps, for SecOps, for reliability, etc. So the first thing that we need to do is to scan the cloud, and this is not.
B
C
B
C
B
If we talk about the SecOps, sorry, about FinOps, how we can save money, how we can reduce the cloud cost, the first thing that we would like to detect is if we have any stopped instance for more than six months. Clearly we pay for it, and I will show you here an example for that.
B
Can see here on the right side a list of instances; on the left side I built a rule to detect this. So you can see that I built a function, stopped instances longer than six months, that returns the instant saving. Then I'm diving into the configuration. I would like to check if I have any reservation with at least one instance with at least state.name stopped. If I have something like that, so clearly the instance is stopped as it, and you can actually detect it here in the JSON, and then I'm.
B
Sorry, yes, one second. I'm taking FM, a property called state transmission, a transition reason, and you can see that it's a time, so I parse this time using a regex, extract it, and then I built the rule to detect if this number is older than six months, and if the answer is yes, I'm subtracting the instant saving, so.
C
C
C
B
Also for EBS volumes, gp2 EBS volumes: you pay for them, it's redundant. You should upgrade them to gp3, so I built here a rule to detect if the volume type is gp2 and the state is in use, and if I'm evaluating the rule, you will see the results, ID, the volume ID, and that it is a gp2. By the way, you can find it in Firefly, as I mentioned, for.
C
B
And we also give you the recommendation, I mean the CLI command to upgrade gp2 to gp3. This is really useful, but let's say I would like to show you more examples: unattached disks. Of course, it's something that you pay money for, so it's redundant. If I have EBS volumes, that the attachment length is.
C
B
C
B
B
B
So I will run this rule and you will see the instance ID. But what happens if right now I would like to elaborate the rule for understanding which EC2 instance has a public IP, but the security group is open, at least for 22, for SSH? This is more complicated because it's dependencies between rules. So what we can do is we can build one rule that we will pass a list of all the security groups, and we will ask which security group is open to port 22.
B
B
Can build something like that, so I built here a rule to detect unsupported Lambda functions, and here you can see a list of Lambda functions, like Python 2.7 or Node.js zero point something, 10 point something, and I built here a rule that runs through, that walks through the Lambda and checks if the runtime is unsupported, and if the answer is yes, I'm returning the function ARN. So exactly like this approach, you can do something more complicated, something more sophisticated, and build a combination of two different rules.
B
Great. You have many other examples here for SecOps, for instance, to detect publicly accessible assets like EKS with a public API, or an S3 bucket that might be public, or an S3 bucket without server-side encryption, very easy to mitigate, just configure the KMS key, or this one, one of the first controls in the CIS Benchmark, to detect users without MFA.
B
And if we talk about reliability, obviously one of the most important things is to see tags, to understand that all of our instances, or resources generally, have an owner tag. So here I am checking if we have at least one tag where the key is owner, and then I can run the evaluate button and see which instances, and I'll give you more examples for this.
B
If the EC2 instance has public network interfaces, it's also, sorry, more than one network interface, with the count of this is more than one, it's a bad practice and we would like to get a notification, and I built here. I brought you more examples.
B
Scaling group with a single availability zone, or S3 bucket without versioning, etc. So before continuing, I'm stopping for a moment, because I showed you right now, Kubernetes and AWS, how you can leverage Open Policy Agent for governing your Kubernetes, you can create policies for FinOps, for SecOps, for availability, for everything that you want on top of your AWS, and also for your SDLC, and I would walk very, very briefly through that.
B
But if you want to check our Git, that we defined it well, that we define some processes for our Git, we can utilize OPA for this mission, and to detect them, to avoid push to master, I mean that only by creating a pull request we'll be able to merge the code, or test coverage, I mean that we can block a CI/CD if the test coverage is less than 80, for example, and we can what.
C
B
Mean to define the groups and users on top of the Git, and if we talk about the Git configuration itself, we can define the code owner, and today that's mandatory, it's something that you should do, to configure who can be the owner, who is the owner, the authorizer, it's called reviewer, that can touch your and it can approve new pull requests; visibility, if it's public or private; and if we have any. This, for example, is mandatory for SOC 2 compliance: you must connect your pull request with Jira, using Open Policy Agent.
A
C
A
B
To make sure that we utilize BigQuery correctly, or if we talk about databases, and let's talk about security, I would like to check if my database is encrypted. So it doesn't matter if it's Azure, Google or AWS, the whole idea behind it is the same. So basically the rules will be different, but the concept is the same. Yeah.
A
A
It's almost, it's a little overwhelming for someone just hearing about it for the first time, in a good way, like all the possibility, it's exciting, the air is electric, but I think a great place to start would be rules that the community has made. Where can we find those? Yeah.
A
B
B
Great, shall we continue to the next step? Sure, okay, amazing. Cool, folks, so right now what I'm going to do is to actually block CI/CD using Open Policy Agent. I brought here Terraform code that I built in the last session of CNCF, and I'll.
B
So before continuing, and I'll explain all of this, I'm taking you back to the session that I made in CNCF a few weeks ago, with you, with me, by the way, yeah. But we talked about migration from CloudFormation to Terraform, and we used AIaC to generate the Terraform code. So here, I built Terraform code, fully operated Terraform code, and I will walk you through the code itself, and we also generated a CI/CD, in that case GitHub, a GitHub Action. Sorry, this one is the repository.
B
B
A
B
C
B
To block at the sensitive, if we have any misconfiguration. So I'm taking the same idea, but instead of focusing specifically on checkup and security, right now I will show you how we can utilize OPA for that. So let's begin very easily with terraform init. So give me one second and I will show you the Terraform code.
B
B
B
It takes a few seconds. You see a couple of resources are going to be added: 25 resources are going to be added, zero to change, zero to destroy. So what I've done here is that I wanted to analyze only this and this. I mean, if I have something new, of course I would like to block this CI/CD, or even changing an existing resource, if it does not have the mandatory tags, I will block as well. So let's take the Terraform plan, and I will show you something that you should know.
A
A
B
He is definitely, so I shared here before that I ran the terraform plan command, and right now I can use the output attribute, and that will save a binary file called TF plan. Okay, if I try to open it, you won't understand anything, because it's binary data, but that's why I would like to introduce you to a command called terraform show. Terraform show actually reads this binary data and extracts it into a JSON file that we can do something with.
C
B
B
You can see here that the models here, the resource changes. If, for example, everything is aligned and I'm just trying the plan without changes, this will be empty and then my rule will pass, but I've created here an OPA rule and I will elaborate on that, because it's important for me to explain about it.
B
Thank you, good. So, first I created here a package cicd, then I took the input and I changed it to TF plan, just for being easier for me to understand. I built a generic function, has key, and I'm utilizing this function here to detect if a list of tags contains the key. Then what I'm doing here is to run for each resource change.
B
A
B
A
B
Every list of violators, as you can see, all of those resources, this is the resource: there is a type, the resource name, that's unique in Terraform, and then we can find the list of them that will block the search thing. Now I'm going back to the code after explaining the time. Taking the Terraform plan JSON file, I'm running my rule on top of that, and right now let me share the with me.
C
C
B
Adding that OPA rule to the OPA server, as I showed you in step one of this talk, then I'm running the following command. I would like to check, to get the results. I would like to get this result in Taiwan, as you can see here, so I'm using the OPA server with my Rego rule and getting the result, and I'm extracting the violators, so I'm creating a shell variable called violator.
C
B
Actually runs the, this one is sending the HTTP request to the OPA server, okay, exactly as I showed you before, and then I'm extracting the result.violator, I mean to extract this, so I will have in my shell a list of violators in a variable called violator. Let's run this.
B
We have a list of resources, then I'm extracting the length. I would like to understand if I have any violator like that, so I also created a variable here in the shell script called length that checks the length of freezer cell we can see for pin, resulted now. I'll explain what I did here: if the length is more than zero, then it's not valid, when I'm creating the violators, else.
B
B
Is that you should use OPA, it will help you streamline your DevOps processes. You should, the most painful part of that is to understand which resources you have, and then you can use some open source tool, or you can use Firefly to fetch the resources for you, because we do scan the entire cloud footprint, and if you would like to build your own rules, you can also utilize AI.
A
A
B
This is based on GPT, but we did the prompt engineering over there that you'll be able to get a more accurate result through that, and using that it generates the OPA rule for you. So you save a lot of time, but.
A
So are there risks when you're, again, like, I still see policy writing with, like, it's important to keep your system safe, but it's also like so powerful that you need to be careful with it too. So, like, what checks and balances are there when you're using AI to write your policy, to make sure you're not accidentally making it incorrectly so that too much or too little gets through?
B
First, don't put any sensitive information, personal information, PII, sensitive data, etc., because you don't want your private keys to be exposed. So always take your Terraform declaration of your prompt and make sure that you remove all of that stuff, and give you an advice.
A
C
B
C
A
A
Zero temperature, that's fascinating, I didn't know about that. I love it. So then, what I'd like to hear, I'm interested in the AI part of this, and like, what's a real world example of someone using AI to, like, improve their costs?
A
B
And one of our customers used the AIaC, we call it. The kai policies called AI to generate a policy using AI, and using that he created the rule to detect gp2s for, and also many things related to EC2 instances that are stopped, etc., and they generated AI. The customer saved almost one million dollars like this, because we detected all of the EC2s and all of the gp2 EBS volumes, and they removed all, yeah. So that's why I encourage you to use the Yankee.
A
B
A
Correct, yeah, and all just came together for me. That's super cool, I loved. If anyone has any questions, please do ask them, otherwise I'm just gonna keep talking, so watch.
B
A
But one thing, so I do this show called enlightening. You can see my light board behind me, and people come on and they teach me about different tools, and I love also hosting this show because, like, I did an episode on OPA, so I kind of understand it from a theoretical level, but my show doesn't have any hands-on coding. So then here I get to see, like, what it's really like to use it, and I've been enjoying this very much, so anyway.
A
One thing I loved is, like, seeing how, I liked that you explained how rules get chained together, and using the output of one as the input for the next one to do more complicated rules, that was really cool. I'm just telling you what I like now, I don't know that there's a question in here. Maybe there is, we'll see. I also really liked, like, seeing the rules, like, I liked how human readable it was, like.
A
So some of that was you just doing a good job commenting and naming your functions in good ways, but also just in general, Rego was maybe a little more usable, intuitive, than what I expected it to be, than what its reputation is. So I thought that was cool. Yeah, definitely.
B
A
Maybe didn't write the policy, so when something doesn't pass, it's very important for them to understand why it didn't pass, and it's a learning opportunity too, for the people who make future EC2 instances, to know, or like the Kubernetes examples you used at the beginning, that, like, it has to have a compute limit mentioned, and it has to have a readiness probe. So once they go through the experience of having it fail and understanding why it failed, then the next time they try to create a resource.
A
B
C
A
For days, for years. I think, like, that is like a really, it's a thing. I learned before in the episode that OPA works with a lot of different tools, but now, like, today, it's really sinking in how vast the landscape of, like, possible OPA, and then I, well, you tell me: when you chain together different OPA rules, can you be chaining them together between different tools altogether?
B
B
Crossplane is a really interesting tool for infrastructure. It's called cloud agnostic: instead of building a few different resources, like an S3 bucket for AWS, or Blob Storage for Azure, or GCS for Google, I can build the Kubernetes CRD for storage, inside that I'm going to deploy it on AWS, and then I'm building this generic resource, something that will be able to migrate between one cloud.
A
Yeah, that's interesting. Crossplane, just like OPA, can be used in so many ways across so many different technologies that it's, like, exciting to see all the different things that people come up with to do with it, but with Crossplane, the way I like to explain Crossplane generally is that basically you could take any Kubernetes, excuse me, any API in the whole universe, and then you can interact with that API via Kubernetes with Crossplane.
C
A
A
I have a question here from Akash, let's see if we can get it on the screen. Oops. Can I use Azure OpenAI?
B
A
B
A
Well, this has been an absolute pleasure. Thank you for showing us about Open Policy Agent, and specifically how we can use AI to really supercharge how you can enforce policy across your entire cloud estate. That was amazing. Okay, I'm gonna read the ending script now, if you feel ready. Okay, I have a script here. Okay, thank you. I would have said thank you anyway, by the way, regardless of whether it's on my script, but.
A
A
The chats, y'all were amazing, like always. I loved the questions and the interaction from you, and I love seeing where all y'all are from. I'm from Texas, if you can't tell, me putting all the y'alls in there. Here at Cloud Native Live, we bring you the latest cloud native code on Tuesdays and Wednesdays. So thanks for joining us today, and we have another episode tomorrow at the same bat time and same bat channel, and thank you, everyone who watches the recording, and we'll see you again soon. Goodbye, friends.