From YouTube: Cloud Native Live: Workload misconfiguration - The #1 security threat when using Kubernetes
A
All right, all right, welcome everyone to Cloud Native Live, where we dive into the code behind cloud native. I'm Taylor Dolezal, head of ecosystem at CNCF, where I work closely with teams as they navigate their cloud journey. Every week we bring a new set of presenters to showcase how to work with cloud native technologies. They will build things, they will break things and they will answer your questions.
A
This is an official live stream of the CNCF and, as such, is subject to the CNCF code of conduct. Please do not add anything to the chat or questions that would be in violation of the code of conduct. Basically, please be respectful to all of your fellow participants and presenters, and with that I'd love to hand it over to Richard and Sitaram to kick off today's presentation. With that, please take it away.
B
The idea here really is to... as you may know, Jetstack is the primary maintainer of cert-manager, a very successful open source project that is used to automate X.509 certificates for cloud native workloads, and that particular project has huge community traction, and so we're here to talk about that. Obviously, and in particular, we thought we'd go into detail about where we see some of the potential security vulnerabilities that affect the way we see enterprises using Kubernetes.
B
Misconfiguration is a very general way that you can describe how vulnerabilities manifest within Kubernetes, but we feel that there is a particular context in relation to certification that we can talk about in detail during the time we've got here. But I'm now going to hand it over to Sitaram, who's going to say hi, and he's going to take you through a demo that we hope you'll find interesting. Sitaram, over to you. Excellent.
C
Thanks so much, Richard. Hello everyone, Sitaram Iyer, I am senior director of cloud native solutions at Jetstack, a Venafi company, and today I'm happy to be here to talk about this.
C
So today, what I really want to do is walk you through (you're all seeing my console) some of the things that you can really do today with cert-manager and some of the add-ons, and I'll introduce those add-ons as I go through that, but at a very high level.
C
The way I want to approach this is: if you think about any applications that are deployed in your Kubernetes cluster, and potentially, let's say, you have Istio as well as the service mesh that you have rolled out, how do you, one, make sure that your ingress gateways are secured using a certificate that is approved by the organization? That's one piece.
C
The second piece is also: how do you ensure that all of the workload certs that are issued as part of your mesh workloads are also secured and issued by an approved CA from the organization? When you think about it, very often that ingress gateway cert is essentially a publicly trusted certificate, because more often you do have applications that are used by a browser or some sort of a mobile client, things like that, and mesh identities.
C
Typically, they are internal to the workloads, or internal to the organization, or internal to the cluster. So very often you see them signed by an internal CA or a PKI infrastructure that is managed within the organization.
C
So what I really want to do today is to break it up into two pieces: one where you set up and manage that aspect of securing the ingress gateway itself, and then the second piece essentially is to ensure that all of those mesh identities are signed using, let's say, Vault, so HashiCorp Vault, as a way to sign that. So you will see the installing... cert-manager obviously is installed on my node, but not on my cluster.
C
Rather, I do have a brand new cluster that I just provisioned a little less than a couple of hours ago. This is running on GKE. As you can see, I will also install Vault. I'll also install istio-csr, which is an Istio agent that we've developed. When I said cert-manager and add-ons, that's essentially one of the add-ons that facilitates signing mesh identities, or facilitates signing mesh workloads.
C
So that is something that I'll install as well, and as you can see, I do have my console open. I have my development window open as well, where you can see my Makefile, so I'm going to be running a few commands, essentially to run through the various different aspects of building, configuring, securing, all of that. Taylor did mention that this is the part where we try to break things.
C
If things break, we fix them; all of that will happen, or everything might just work as I expect it to work. So if something breaks we'll fix it, but that also gives you the idea that it's all real, and what I'm doing is actually on a real cluster with things getting set up and configured.
C
So that's it, keep bringing your questions. I'm happy to answer, Richard's happy to answer, Taylor's happy to answer, so we'll keep answering questions as they come in, but as part of the demo itself, I'll keep going unless somebody needs a question to be answered.
C
If something is not clear, I'm happy to do that as well. So, like I mentioned, one of the first steps that I'm going to do is essentially to install Vault itself, and in this case I'm going to be running Vault on my cluster. Basically, typically, you think about a Vault running somewhere outside of the cluster, managed by an enterprise.
C
I do have a Terraform module that runs and configures HashiCorp Vault in this case, but as soon as that's ready, we will be using that as a way to manage issuance for all of the certificates. And for those who are not familiar with cert-manager, and Richard covered this a little bit, cert-manager is the project that essentially is used as a way to manage all of your certificates.
C
It's essentially a certificate controller that runs in Kubernetes, helping you facilitate and manage all of your certificate requests and certificates that are needed, very often as a common way to secure your ingresses. But one of the things that I wanted to cover also is the fact that it's not just used only for ingresses.
C
We also have other add-ons that help you facilitate, or at least ensure, that there are different kinds of workloads that are signed, different kinds of security mechanisms, that organizations drive the security compliance that is required, where some organizations require a certificate to be injected into a pod so that the container that's operating within that pod has access to a certificate that it can use. So we use the CSI driver.
C
There is another project called cert-manager csi-driver that essentially facilitates injecting certificates into the pod itself, and that is a daemon set that runs as part of the node agent and helps you manage that aspect of things. So, simply put, there are a few things that I have. Like I said, I installed Vault; Vault itself is operating within the cluster, so that will help facilitate requesting the identities.
C
The second piece: what I'm going to do next is to run my next step, and before I run that next step, as you can see, there are a few things that are happening here. I'm going to set up, basically, an identity or a certificate that will act, or at least facilitate Istio, to sign requests. So what I really mean by that is: when you install Istio out of the box...
C
Obviously it comes with its own CA issuer that is built into Istio. What I'm really doing here is to utilize Vault as a PKI backend to set up that aspect of the CA issuer. So when we install Istio eventually, as my next steps, when I install Istio, you will notice that the CA issuer that is part of Istio is going to be turned off and we will delegate issuance of workload identities to cert-manager.
C
That is essentially what is going to happen, and in order to do that, I'm going to prep and make sure that there is a certificate available, a certificate that is the issuing CA or issuing certificate that will be configured and is ready for it to issue workload identities.
C
Part of that is also where I'm going to install istio-csr. As you see, I'm now installing the cert-manager istio-csr, basically adding that additional component to the cert-manager namespace.
C
So, basically, if you look at the cert-manager namespace: cert-manager is something that you're very, very familiar with, as I imagine, so that's something that's running already in my cert-manager namespace. The CSI driver that I mentioned is also running, because it's part of my bootstrapping process when I deploy my cluster. That is also running, and the reason why you see so many CSI drivers, as I mentioned, is because it's a daemon set tied to the nodes.
C
The third piece that I just installed is essentially istio-csr. As you see, part of my step which I just ran installed istio-csr. So it's up and running, but the other piece that I wanted to really show you is this certificate resource that just got created.
C
That was the previous step to installing istio-csr itself. So this certificate that you see here, istiod, is essentially what we are going to be using for signing all of the mesh identities. This is no different than any certificate that you would typically create when using cert-manager. That was the same mechanism that was used. The only difference is...
C
In this case, we use the Vault issuer that is running in the istio-system namespace to issue that certificate. So, so far, all I've done is basically configure an issuer, which is very familiar to many of the folks operating cert-manager, and create a certificate, which is also very familiar to a lot of folks who are using cert-manager.
C
The only difference is this specific certificate called istiod is also an issuing certificate, because that can issue certificates on behalf of Vault; it's essentially something that will be configured as part of istio-csr. So pretty straightforward.
C
What I did so far. So my next step essentially is to install Istio itself, because what I'm now going to do is install and configure Istio using the operator, and I'm happy to walk through what that configuration looks like if there are questions about it, but basically, very simply put, all it's trying to do is turn off the CA issuer that is part of Istio and then let cert-manager take over the role of issuing workload identities.
C
I'm installing 1.11, so that's the one which I have the config for, basically installing and configuring, and this should be pretty fast. As you can imagine, it doesn't take a whole lot of time to install Istio. You'll see it getting installed; you will see the ingress gateway installed and the egress gateway installed as well. All of the various different components that are required for installing Istio will all be installed as part of this process.
C
So straightforward, like I said: all we did so far, if I have to walk through it: configured a secret, configured or installed istio-csr, and then installed Istio itself, and then, if I look at istio-system, this is already running.
C
So this is the istio-system that I just talked about, and also, since I mentioned that it's running on Google Cloud, we should also see a load balancer automatically getting provisioned; it should happen anytime, but basically allowing us to be able to map any of the applications that we are going to deploy via the ingress gateway and the gateway resources that we will eventually be creating to allow access to the application.
C
The next step, as you see here: one of the things that we really want to do when we think about workload identities. Obviously, one of the things that people do or organizations really think about when securing workloads is to facilitate mTLS, and within Istio, obviously, there is this notion of a peer authentication where you would specify what kind of mechanism or what kind of mode of mTLS you want to set up: permissive, strict...
C
Pass-through, all the different kinds of modes. The thing that we want to do here, especially as part of ensuring that everything is absolutely secure, everything is absolutely using mTLS, is to set up that peer authentication with mTLS mode set to strict, and that is my next step, and all I'm doing is creating the peer authentication resource to ensure that it's mTLS.
C
So if you see, the mTLS mode is strict; that's essentially what we're trying to do here, basically ensuring that every time Istio injection is enabled for any of the namespaces, we will make sure that it is always using mTLS in a strict mode. That's essentially what I did in my step three. Step four, the next step.
C
As I'm building it up, building the scenarios here for you, what we really did, just as a way to back up a little bit, is set up or prepped the environment to be able to sign workloads using cert-manager for your mesh workloads.
C
I did mention at some point about an ingress gateway as well. As you remember, the ingress gateway essentially is going to be something that is used as a way to access your applications. Typically, almost like saying my north-south way of communicating to my applications, so that is usually, many times, browser driven, app driven, mobile app driven, something like that.
C
So in that scenario I also need an identity for that specific endpoint, or a DNS name that is going to be configured as well, and in order to do that I need somebody who can help me issue a public certificate, and obviously many of you probably are using cert-manager with Let's Encrypt as an ACME issuer, configuring the ACME issuer, solving your DNS or HTTP challenges and requesting certificates and managing them automatically.
C
In this case, I am going to use Venafi Cloud to get me a certificate for my ingress gateway, so basically ensuring that there is another certificate resource that is going to get created, except in this case I am going to use a completely different issuer.
C
As you probably already know, you could have multiple issuers configured with multiple different configurations, each of them catering to different needs or different aspects of what you do in the cluster, and one of the things that I'm doing here is to create another issuer that allows me to issue publicly trusted certificates, and in order to do that, it's simple again. I'm using my own domain here, which is called sitaram dashayard.jcp.stacker.net, and the domain.
C
The secret itself is called storefront-fast, basically allowing me to get that certificate, which is publicly trusted, as I mentioned, so we will inspect these resources as well. We'll look at what the certificate resources look like: how long are they valid, who issued that; all of that is obviously available for us to inspect and look at. But if I now look at the issuers, I do have two issuers.
C
One which was the Vault one that we talked about; the other one is the Venafi issuer, and you could have as many issuers. These are issuers, essentially, which means that these are namespaced. You could also have cluster issuers that are cluster-wide, something that is very commonly used as well as a way to manage cluster-wide issuance of certificates, so that people don't keep creating different issuers.
C
That said, when you want to scope it to a certain namespace, put some RBAC around it, put some controls around it, put some policies around it about who gets to use what domains, the other add-on for cert-manager, which is also called a policy approver, which has the ability to define policies within your cluster to manage aspects of who gets to use an issuer for what domains and how they can request certificates, is absolutely available. That is another add-on.
C
I don't have it in my cluster today, but if I were to have that, I would have another resource called certificate request policy that I could create and define what that would look like, and that also integrates with different kinds of policy approvers, policy frameworks. If you are using, for example, Kyverno, or if you're using Venafi, all of those policy frameworks can be inherited or extended via those policy frameworks into cert-manager as well.
C
So that's essentially what it is. Basically, what I really did was configure aspects of getting a public certificate, also setting up a way to request private certificates so that it's all tied into the identities that are managed within the application.
C
So, as you can imagine, I have a certificate. I have a domain that I'm going to be using as part of my ingress gateway. Something needs to tie in that ingress gateway's load balancer to the gateway resource that I'm going to be eventually creating and map it to the DNS that I have in place, which typically means having this specific DNS mapped to that ingress gateway resource, all of that, and in order to do that, I have...
C
I do have another step here, which is essentially going to configure that app DNS: a load balancer within Google Cloud goes to Cloud DNS, sets up the domain and then makes sure that the IP address, or the A record of that DNS, has the value from the ingress gateway service load balancer IP address that was created, and that's essentially what I'm doing in this next step. So, as you see, I'm building up different things, basically configuring it all.
C
So that way, when I really hit that DNS name, or the IP address, or the application that I want to access, it is going to get routed to the ingress gateway and eventually the resources that we are going to be creating. That's pretty much what it was. Then my next step, obviously, is to install a sample application, and for those who are familiar with some of the demos from Google Cloud...
C
This is a slight modification of the Hipster Shop demo that is typically used as part of Google demos, so I've just used that, modified it a little bit to make it look like what we're doing more from an application.
C
That is slightly different, so you will see that when I show that, but basically my next step is essentially deploying that variant of Hipster Shop into the cluster. There are a few other things that are also happening: I'm creating a gateway resource, I'm also creating the gateway resource that maps to that specific front-end service within the Hipster Shop. So that way, when we have the application that's accessible, you will...
C
You will see all of the identities and everything that are associated with it, so that is getting installed in the istio-csr namespace, so that should be coming up. Yeah, still coming up. A few of them are still 1/2, as you see here in this specific namespace when we're deploying the application.
C
These are all 2/2 now, because there is Istio injection enabled on this namespace, essentially making sure that every single application or every single pod also has the Envoy proxy from Istio, to make sure that there is that Istio aspect built into this. So this is the application that many of you may be familiar with.
C
You see ad service, cart service, or recommendation service, so that is the general Hipster Shop application that you typically see. Once that's there, the next step is also again optional, but basically I'm also installing all of the Istio tools. For many of the products you may be using things like Kiali or Prometheus or Jaeger, all of those observability tools that come as part of Istio, something that you may or may not be using, but very commonly used as well.
C
So I'm going to install that. As you know, Kiali, when it installs, creates the CRDs first, or it doesn't create the CRDs, so the CRDs are not available, so you run it two times for installing Kiali. So now it should all install, so I'm installing Kiali. As you see, I'm also going to install Jaeger, Prometheus, Grafana, all of the various different tools that are typically common in an enterprise, just as a way to tie all of them together.
C
As you see it. So what really happened now is: things that I've installed, and I've deployed an application. So you may have different mechanisms through which you're deploying; you may have all of this 100% automated, and nothing stops you from automating. I mean, obviously you can automate 100% of these things. There is nothing that I've done manually that requires any configuration changes, or things like that. So I went from scratch: installing Vault, configuring istio-csr, configuring certificates, setting up mTLS strict.
C
All of this can be packaged as part of your application development process, your pipelines that are already in place, to help facilitate that aspect of deploying and managing the application. We will start to see a few more things. When we originally looked at certificates, we had two of these certificate resources that will continue to be the certificate resources that will be there: one to secure your north-south, and the second one is the issuing CA.
C
What you will notice is one of the other kinds of resources that I can now talk about, I think, is the certificate request resources themselves, and you'll see a lot of those getting created, and for those who are familiar with cert-manager...
C
You do know that every time a certificate resource is created, cert-manager creates an accompanying certificate request resource that carries the CSR, that carries all of the information that needs to go to the issuing CA, and once that issuing CA issues a certificate, it brings it all back into the certificate request resource and updates the certificate resource and also updates the secret resource. A couple of things that are slightly different in the case of the CSI driver and istio-csr is that you don't necessarily...
C
We don't necessarily represent all of those mesh identities or workload identities in the form of a certificate resource. They are only certificate request resources, mostly in the context of being highly ephemeral in nature, and you can pretty much turn this off as well, to say: I don't want to preserve any of the certificate requests that are used for my mesh identities, because we have hundreds, if not thousands, of services that are running; there is no point in storing all of them. Keep it in memory.
C
We want to be able to track it for auditing purposes, and things like that. So that is possible, but we don't necessarily have to store it as a resource and manage it. That's possible as part of the configuration itself. What you're really seeing here is an identity that was generated for each of these workloads, basically as a way to manage and update the workloads and everything. So that was pretty much what I wanted to set up. I'm also now moving...
C
I'm moving into my browser, just to show a little bit about what really happened from an application that we accessed. So if you look at my application, like I did mention to you guys, there is this notion of the Hipster Shop that is very commonly used.
C
I've slightly modified it to show slightly different things, not the products that you typically see from Hipster Shop, but in this case I'm just showing you various different blocks and things like that, and also how we operate.
C
What I'm really doing is just generating some data so that we can look at all of this in Kiali as well and see how that manifests, and all that shows the data.
C
So this picture that you're seeing is essentially what I really did: basically having cert-manager talk to various different issuers. In this case, in the case of mesh identities, I'm using Vault; in the case of the public CA I used Venafi; you could potentially be using other mechanisms to sign mesh workloads, but then essentially having all of this mTLS facilitated as part of the mesh identity.
C
So that was one aspect that I wanted to show you. I also said I'm going to show Kiali, and I'm going to bring that up as well, just to make sure that we can see information in a slightly different context, very relevant for the work that we just did, and what I'm going to do is turn this security tab on as well, and if you see here, this says mesh-wide mTLS is enabled.
C
My window may be too... all right, all right, let's bring it up a little bit; it's three sizes, excellent, all right! So you see this: this is showing mesh-wide mTLS is enabled, and that was because of the peer authentication that we created. I'm also going to go a little bit into the last three minutes. This is no different a view than what many of you may be familiar with if you're using Kiali. What is slightly different here is this padlock that you see between the communication between services.
C
These are SVIDs that we generated as part of the identity for this specific service, essentially saying that this front end will be identified by the trust domain, namespace, service account that is used and the service itself, and that's the source principal which is being used to originate...
C
The request from front end to cart service, which has its own SPIFFE ID and own identity, and all of these certificates are actually issued by, in our case, Vault, and we'll inspect the certificate resource and see what that looks like, but basically what you're seeing is my application that I deployed has been deployed.
C
There was an automated way of issuing and managing certificates for all of these mesh workloads, and each of these mesh workloads has its own sort of identifier, a SPIFFE ID that is used as a way to generate the certificate, with these CSRs mapping it back to the organization's CA infrastructure. Even though I used Vault, it could be your organization's CA infrastructure that is facilitating that. The ingress gateway itself, as you saw, is something that is issued.
C
That is a certificate that is issued by DigiCert, because that's what I used as part of the configuration, and also, in my case, I'm using really short-term certificates, even for my ingress certificate. You see it's actually valid for only three days, and you might be wondering what could be the validity for all of these mesh identities, and we'll look at that. But basically all of these identities that are generated, the SVIDs that were generated for all of the mesh workloads, are actually valid only for one hour.
C
So it is the responsibility of cert-manager to continuously make sure that these certs are up to date. They are renewed automatically; they utilize the automated mechanisms that you're already familiar with to renew the certificates for the ingress, but also for the mesh identities themselves.
C
So that was what I wanted to show, and I'm gonna just quickly run through some of the commands as well.
A
I did see one question come in that might be a good time to ask. Thank you, thank you, Krishna, for bringing this up: cert-manager rotates certificates. Do you know how Istio deals with the root cert being rotated? Yeah.
C
So in this, if you are managing Istio on your own and basically utilizing its self-signed capabilities, then it's your responsibility for rotating the root CA of the CA issuer. But if you plug in cert-manager, then you're essentially delegating that aspect of rotation and management of all of the certificates that are used for mTLS to cert-manager. So there is obviously, no, it depends on what you are doing.
C
Basically, the cert that needs to be rotated is twofold. One, in this case...
C
This certificate also is valid for a very short time, so this will be automatically rotated, but this is an intermediate. But in the case of this specific scenario, the certificate itself, the root CA, is actually involved. So there will be mechanisms within Vault where that certificate will be automatically rotated. So you're essentially outside of the Istio world, where your root and the trust is managed outside, and then there you have...
C
The ability to manage it as part of any other certificate, root certificates that you manage, or one root, multiple roots, or all of your intermediates.
C
So we essentially separate that aspect of where your root and intermediates are managed and where your workload identities are managed. But just by plugging in istio-csr as a way to manage all of the identities, you're essentially delegating that aspect of root CA management to whoever manages your PKI infrastructure.
A
Please keep the questions coming in. If there's anything that you're looking to learn, or just kind of want to start a discussion upon a specific topic, feel free to throw that in the chat and we'll get those questions asked at the best possible time.
C
Yeah, yeah, and as I showed here, basically even my intermediate is actually valid, as you see here, for only one hour, so that's essentially how long that is valid, and if you notice what I did, see, I'm running cmctl, which is the cert-manager CLI tool, very helpful, very handy if you want to inspect your resources, inspect your certificates. In this specific scenario, in addition to also generating a SPIFFE ID for this intermediate, we also have a DNS name, but when I show you the actual workload identities, you will notice that none of them have any subject information.
C
They are all pure SPIFFE SVID certificates that we generate, and then I can run that.

C
So if you look at what I'm, what I'm going to see is, you know, a certificate that was issued for the ingress gateway there. Where did I run it?

C
There is my command. Basically, this is the certificate that we are looking for. The URI SPIFFE SAN that says that it is the istio-system ingress gateway service account, and you see that, you know, this doesn't have a DNS name or anything like that, and that's typically familiar with something like checkout service as well. So this is the identity of the checkout service. Again, if you look at the validity period, they are all valid for only one hour, and cert-manager automatically,

C
if you don't specify any renewBefore as part of the specification, will renew a certificate two thirds into the duration of a certificate. So if we hang around here for the next 30 minutes, all of these certs that are issued will be automatically renewed and there will be new sets of certificates that will be valid for the mesh identities, and that is the responsibility of cert-manager to automatically ensure that, you know, every cert is renewed.

C
Every cert is up to date and every cert is available for the mesh identities so that your application that's running here continues to operate exactly as it operates, and then, you know, as you sort of, you know, look at things,

C
look at operating your clusters, so you don't worry about managing the CA infrastructure as part of your Istio, but essentially let Jetstack manage that for you. That's what I had showing right now. I'm into a lot of different things, but I'll try and see.

B
But I mean, just to summarize, one of the main reasons why this demo came together is because a lot of people, I imagine that for me, but cert-manager will be mainly familiar about the way it runs ingress gateways and configures the ingress capabilities in terms of workloads, and where we're seeing a lot more traction and usage with the project is around being able to secure

C
We see another question from Taylor. Is it okay, do you answer that now, or did you have something coming, so?

C
Managed Venafi, not the cloud one. We also have Azure, Istio, Kyverno. Will the solution fit into the landscape? Absolutely, so it doesn't. You could pretty much use the same mechanism that I mentioned now, and very often some of the large enterprises who use a platform, essentially, to manage, like a platform like Venafi.

C
In this case, you know, you will have the issuer or a policy folder that you're creating, Venafi catering to an ingress. You could also have some sort of a sub CA or a private PKI that you've configured as part of another policy folder facilitating the signing of mesh identities. Absolutely possible.

C
You talked about Kyverno. Yes, absolutely, if you're using that as a way to drive your policy framework and policies, the CertificateRequestPolicy resource that I mentioned, which is part of the cert-manager add-on as a policy approver, can be integrated with Kyverno. So that way, you know, you have a first-class way of managing policies that you already have, and also tying it back to the cert-manager use and how you essentially use cert-manager.

C
That was, yes, you're already using Istio, so I'm assuming you're running Istio on Azure, so, and from the perspective of what I've shown just now, we are absolutely cloud agnostic. We are absolutely service mesh agnostic as well, so cert-manager and all of the components essentially run in any Kubernetes distribution.

A
Workload misconfiguration is often reported as being a repeated problem for many cloud native platform operations teams, leading to outages and even security risks. What's your take on the causes of workload misconfiguration in the first place?

C
Absolutely, yeah. So I think, thanks Taylor for the question, so tying back to some of the things that we just showed, and if you, sort of, you know, flip that a little bit and let the platform team, sort of, you know, manage application deployment, development,

C
you know, all of that, and also be responsible for, let's say, security as one of the things. And very often you see that, you know, people utilize configurations that are out of the box, and in the case of, you know, something like Istio, since we are in that context here, there is already a framework that is available, so people generally, sort of, you know, say all I need to do is check this box and check the box, and then I don't have to worry about it.

C
But the challenge is, you know, somebody needs to have the ability to rotate those certs. Somebody needs to ensure that, you know, it is always valid. And the other piece is also, from large organizations or enterprises which are regulated, they always have to play with some sort of compliance. So there's regulatory compliances that need to be there too. There are guidances that people follow, especially from a security perspective, whether it's the NIST guidelines or the cyber security guidelines that they have in place.

C
So when the misconfiguration aspect essentially comes into play, when, very often, we don't see that synergy between the security teams and the platform teams, and the drive for things where everything needs to be driven from an organization security perspective, and that essentially translates to sometimes people saying, what's the best way for me to get a certificate? I can run openssl, it's extremely simple, or I can get a certificate with my email ID attached through some way, and then, you know, it'll run.

C
But nobody else knows, you know, who issued that cert, which CA was the one which issued it. So those misconfigurations, or rather those configurations, which at the time work best for a period of time, will cause a drift in some way and essentially cause an outage, and as we all know, if this application that I'm showing right now, if this were some critical business application, it doesn't take a lot of time before users start to complain about its downtime.

C
And, you know, its impact on the business and things like that. So those are some of those. Obviously, you know, the reasons why we see certificate misconfigurations, purely because, you know, the common way or the standard way of using sometimes just doesn't work. You just need to adhere to the security best practices, and these are some of the things that we're driving from what we do.

B
Runtime issues were all highlighted as being areas where that vulnerability had occurred, and given the complexity and scale that we're seeing across the whole ecosystem, really, in terms of companies that are deploying Kubernetes, a certificate is going to play a primary role in all of those use cases. So it becomes quite foundational, we think, in terms of being able to have that level of best practice around certificate management, in particular to make sure that, you know, there is sight of where these misconfigurations can potentially occur.

A
Awesome, thank you so much. I think one thing that I had a question on. I've really liked cert-manager myself. You know, used that with many teams, and just like that automatic, you know, ability to add certs and just kind of make things inherently more secure. In the past, I've used Let's Encrypt and the Vault methods, but I am curious.

A
Are there any other clouds, or is there any other support on the roadmap currently, for, you know, AWS and their cert manager, or the other various clouds and everything on that front?

C
Well, that's a great question, Taylor. Yes, so the way we look at it, if you look at cert-manager, you're absolutely right, the ACME issuer with Let's Encrypt is extremely common. That we refer to, there is a notion of out of the box issuers that are available in cert-manager, ACME issuer being one of them, Vault being one of them, Venafi being one of them. Obviously the CA issuer or self-signed, they're all built into that. We also have community issuers.

C
There is an AWS PCA issuer, similar to any other issuer that you would configure, and the workloads will be signed off of that issuer. And very similarly, there is also a Google CAS issuer. So you can configure Google CAS issuer, built jointly with both, obviously, Google and Jetstack, and similarly even the AWS PCA issuer was built with AWS and Jetstack. So there is the cloud specific or service specific certificate issuer capabilities that are built into cert-manager.

C
So you just need to install those additional components and that will provide you the ability to interact with those certificate authority services that are native to the cloud provider. That's already available. Yes.

A
I think that's fantastic, because I'm sure that, you know, anyone who's worked in the industry for a longer period of time, I'm sure, can remember the days where you'd pay, you know, 200, 500 or more dollars per certificate, and then almost always would forget about it when it's time for renewal, so very, very happy we don't have to do that anymore.

A
It's kind of wild, because I mean even now, with cert-manager, you could even set up something where, like, on Mondays, let's issue this way, and on Fridays, let's issue that way, so really, really cool to see. You know, that'd be wild to do, of course, but really cool to see that you have a lot more options in terms of configuring, or if you've other secure workloads or different kinds of concerns with deploying your applications.

A
I did have a few more questions here too, and again, please, if you have any questions, please feel free to throw those into the chat and we'll be sure to get those asked. A lot of engineers operating in their Kubernetes platforms will feel they have good observability of certificates in a cluster using a conventional dashboard, kind of that same problem that we saw before, you know, like, is my cert gonna expire soon? How should people use these dashboards to monitor cert-manager?

B
Yeah, I mean, I think it's a question for me in terms of the role of the person that is in control of the dashboard. I mean, is that person responsible for the end-to-end security about how the workloads are being managed amongst everything else they're doing? So dashboards can be, to my mind, very, very sort of busy in terms of the data that they're providing. They're providing a snapshot of what's going on within the cluster at that precise moment, and that isn't always going to give you the depth of information you'll need to be able to fully identify where a vulnerability might be at risk of manifesting, and for that element, you know, there are other tools.

B
I think that you can use, I mean, Jetstack is very much invested in, you know, in that area of product, if you like, but yeah, essentially.

B
That, it's a question of, down to the capability of the dashboard and the role of the person that you're relying on, really, because from a DevOps perspective, there's a lot of information across those dashboards and the security aspect of it could, you know, require a certain level of context, I think, to be able to properly, proactively make sure that those misconfigurations and those vulnerabilities are being mitigated.

A
Which is really helpful. I think that it's important to have that observability and to monitor and to kind of, you know, get a handle of what's going on within your systems, and I like what you said, you know, just about the role, like what's the problem you're trying to solve? What are you trying to do? I think that's always really important to kind of have an idea of before you, you know, start looking.

A
You know, if I don't know, if I'm looking for my car keys, how do I know what I'm really looking for, right? So that's a great point, and, you know, cert-manager makes a lot of these things automated as well. So that worry about certain contexts kind of either fades away or, you know, is less of a concern. You know, if the controller has a problem or something like that, then obviously we'd want to take a look, but yeah.

B
I think just to add to that, I mean, audit capability is a context that isn't necessarily the primary kind of focus of a DevOps engineer, if you like, but that level of observability for audit is needed elsewhere in the security organization, of course, and of course, you know, it's a question whether or not a dashboard is the right tool to be able to deliver that kind of information to inform security policy, for example.

A
I did see a couple more questions drop into the chat. Abhishek: I'm a student, want to make a career in CNCF. Fantastic. If there is anything that we can help out with, definitely would love to be of help. I know that we support a lot of projects and workflows and clouds. So if you do want to just take a look at that, l.cncf.io, it will kind of show the whole landscape, and I believe that some people have actually made a puzzle out of that graphic.

A
So I don't know how many pieces, I think it's like a thousand or maybe even a hundred thousand, who knows, but really interesting to check out. Unker asked: sorry, joined a bit late. May I ask if this works with Azure Kubernetes Service, AKS, that managed instance? That's one I think I can answer: yes. The one thing that's really nice about cert-manager is the fact that so long as you're using Kubernetes, you can install that within that context.

A
So, no matter what cloud, even if it's something that's on-prem, you could, you know, integrate that with Let's Encrypt, with Vault, as we saw a little bit today, and you can check the session out afterwards too. We make it available on LinkedIn, Twitch and YouTube. So you can kind of take a look at that demo if you joined late and missed that. But are there any questions that you'll get in terms of that, you know,

A
do you support this kind of workflow, or do you kind of plan anything outside of Kubernetes as well? Have you seen people use this in non-conventional ways to issue their certs?

C
It's an interesting question, because, you know, recently I was engaged with, you know, one of our prospects or customers. Now, the way they use cert-manager is pretty interesting, because cert-manager is their source for issuing and managing all of the certificates, but they do have different consumers, consumers that are not always using Kubernetes, because there are consumers who are working in classic applications, you know, possibly requiring certificates for some load balancers, for some Apache instances or nginx instances that are running.

C
So there are a lot of different consumers who basically need a certificate for their applications, but in this specific scenario, so basically what this person, I mean, I would classify him as an advanced cert-manager user, has built is an operator that essentially pushes and makes available a certificate that is generated and managed by cert-manager to any of the consumers who are operating in the non-Kubernetes world.

C
So there are people who use cert-manager in very creative ways, but we do get asked about, and obviously questions around, you know, how do we, sort of, you know, do this where service mesh itself is not running in Kubernetes? I don't know how many customers, or how many enterprises, are trying to run service mesh in a non-Kubernetes environment.

C
But that's something that has come up a couple of times. I don't think we do anything outside of Kubernetes at this time. So, but that's where we are, most of our focus, or almost all of our focus, but there are people using cert-manager as a way to cater to consumers who are outside of Kubernetes. So that's very interesting to see.

A
That's always fun. It always intrigues me to see people use things in, you know, like, ways outside of what was previously thought of, you know, not following that, like, happy path kind of development, and in some cases it leads to some really cool developments. So that's really interesting to hear. I'm also always fascinated to hear about service mesh used outside of Kubernetes and really just what teams are thinking on that front. So I really appreciate those insights. That's, yeah, that's fantastic!

C
Yeah, so Satish, I did answer that question a little earlier as well, because, you know, it's also the separation of duties. You know, yes, you're right. So if you are using the built-in capabilities of the service mesh, you have to restart the istiod pods. The fact that, you know, all of your CA configuration and the CA aspect of signing mesh identities and signing your ingresses, they're all outside.

C
We do have enterprises, large enterprises, using this in the context of, you know, ensuring that there is zero downtime for all of this. Yes, it is possible.

A
Awesome, awesome. I did have one more question to kind of round things off, but do you want to encourage anyone to get in their last minute questions as we start to wind down the stream? What's happening at KubeCon this year for the cert-manager team? I know we have KubeCon EU coming up here soon in May. Definitely book your travel if you haven't yet; I saw the hotels were already starting to fill up.

A
I got my reservation, but I'm about, I think, like 47 minutes via public transport to get there. So, you know, I just got to grab breakfast a little bit earlier, so yeah, looking forward to seeing all of you there. But yeah, what things do you have planned?

B
We have quite a sizable team going to be there this year, so we're lucky enough, and thanks to the CNCF for giving the project its own booth and the project affiliate. So for people that are attending, they can come into the project booth and they can talk directly to the maintainers. We've got a pretty good representation from people whose full-time job it is to maintain and develop

B
the cert-manager project, so definitely encourage people to come along and say hello there, and stop by the Jetstack stand as well, because we'll be there to talk about everything else that we do in relation to our open source work and everything else we've got. We've got talks going on at the main conference, as well as a couple of the co-located events, so yeah, it's gonna be a very busy week, but you'll certainly see a few of us there.

A
Awesome. Is there any, and another question, I said there was just one, but I had another one in terms of the, so it's Jetstack, but I've heard rumors about you having jet packs as swag at your booth. Is

B
Into that one, Taylor, I think that's a great idea, but then I'll have to, like, you know, look at my budget too, of course.

A
I've heard a lot of crazy announcements around Friday, April 1st. I don't know what the relations are on that front too.

B
Yeah, the guy that does the gravity pack, you ever see him? I don't know if you know, but his company is not too far away from my lips, so I'll nip down the road and ask him if I can borrow it for a week. How about that?

A
That'd be so funny. Awesome, awesome! Well, I don't see any more questions today, but I did want to thank everybody for tuning in to our latest episode of Cloud Native Live. It was great to learn from Richard and Sitaram. We really enjoyed the interaction and questions from the audience. Thank you all for showing up. You, the community, make this possible and really fun.

A
I really enjoyed your questions. Next week, we're going to be joined by Andrew McGuire to learn about how to power up your machine learning with automated anomaly detection, so that should be fun in terms of monitoring and everything else. I want to thank you all for joining us today. We hope to see you again soon, and wanted to ask you if you have any last parting words of wisdom, either of you.

B
Well, I mean, we're a very popular open source project. We've got a great website that's just being refreshed. We'd encourage everyone to check out cert-manager.io, a great resource. Our Slack channel is very, very busy as well. So I would encourage people to join the Slack channel and/or come to cert-manager directly if you've got any other questions as well. Yeah, please do, yeah.

A
Fantastic, fantastic! Well, thank you both so much for coming on today and for talking about cert-manager. It was fun to get those questions answered and, you know, get demos and get a little bit more insight into the project, and fantastic, I'll definitely make sure to see you at KubeCon, and yeah. Thank you. Thank you, everybody, for tuning on in. We'll see you again soon. Thanks.