A
So
welcome
to
Cloud
native
live
where
we
dive
into
the
code
behind
Cloud
native
I'm,
a
chariot
almost
like
a
metal
and
a
CSF
Ambassador.
So
I
will
be
your
host
Tonight.
Every
week
we
bring
a
new
sets
of
presenters
to
Showcase
how
to
work
with
Cloud
native
Technologies.
They
will
build
things,
they
will
break
things
and
they
will
answer
your
questions
in
today's
session,
I'm
stoked
to
introduce
Sim
software,
a
developer
relations
manager
we'll
be
presenting
on
mastering
kubernetes
access
management.
A
This
is
an
official
live
stream
of
the
cncf
and
search
is
a
subject
to
the
CNC
code
of
conduct.
Please
do
not
add
anything
to
the
chat
or
questions
that
would
be
in
violation
of
the
code
of
connect.
Basically,
please
be
respectful
to
all
of
your
fellow
participants
and
presenters,
so
with
that
I
will
hand
it
over
to
Sam
silver
and
kick
off
today's
presentation.
B
Are
you
thank
you
very
much
Sharia
for
actually
inviting
us
on
this
wonderful
topic
and
thank
you
very
much
to
the
folks
who
actually
just
joined
us
on
the
chat,
hello,
Ahmed,
hello,
Manish,
I,
hope
you
can
actually
actually
able
to
hear
me
and
if
you
see
some
of
the
noise
or
anything
that
happened
during
the
presentation,
do
let
me
know,
and
once
again
thank
you
everyone
for
joining.
So
my
name
is
Sam
sabder
as
chair
RV,
the
fellow
cncf
Ambassador,
and
it's
been
the
first
time
we're
actually
interacting
on
the
live
stream.
B
It's
been
a
great
story.
It's
going
to
be
a
good
session
to
forward
so
today,
I'm
talking
about
kubernetes
access
management
and
why
we,
you
need
to
take
into
the
consideration
while
you're,
actually
working
with
the
kubernetes
cluster
on
daily
basis.
I
saw
some
of
the
challenges
and
I
look
forward
to
tell
you
some
of
the
challenges
I
face
is
and,
however,
how
I
how
I
ever
come
into
some
of
those
so
I
want
to
know
now.
Is
you
now
Sharia.
B
Yes,
absolutely
thank
you
very
much
once
again,
I
see
more
folks
in
the
chat
now
and
I
hope
and
everybody
can
able
to
see
the
slide
right
now.
If
you
don't,
please
do
let
us
know
so
that
is
actually
actually
the
agenda
of
the
topic
today.
Mastering
kubernetes
access
management
and
we
are
watching
Club
cncf,
Cloud
native,
live
so
I
want
to.
Can
you
go
to
the
next
slide
to
share
our
place?
So,
as
I
said
I'm,
my
name
is
same
server.
B
So
what
is
what
is
the
agenda
today
for
the
discussion
today
we
will
talk
about
kubernetes
platform,
because
there's
a
lot
of
moving
pieces
and
access
management
is
one
of
those
and
then
we
talk
about
sheer
responsibility,
access,
metrics,
a
key
consideration
for
multi-tnet
or
the
cluster
based
access
management.
I
will
I
will
let
you
know
about
the
security
life
cycle
management
of
kubernet
if
you're
developing
app
on
kubernetes.
There
are
some
very
our
vermically
impacts.
Summary
of
requirements
and
the
control
access.
B
We
talk
about
some
of
our
solution
to
our
solve
some
of
those
there's
a
demo
hyper
pretty
with
you
and
some
highlight
to
let
you
know
at
the
end
of
the
day,
we
will
cover
all
these
highlight
in
our
detail.
So
can
you
go
to
the
next
Sharia
So?
B
Currently,
if
you
look
at
the
kubernetes
operational
kubernetes
platform
in
general,
you
see
automation,
security,
visibility
and
governance,
and
that
is
bare
minimum
to
have
I
can
expand
it
to
the
more
further
but
I
believe
these
are
the
actual
Cornerstone
of
every
kubernetes
or
infrastructure
if
you're
actually
developing
app
on
top
of
it.
So
there
are
two
things
to
worry
about:
there's
a
modern
life
cycle
management
and
there
is
a
kubernetes
infrastructure
management
life
cycle.
B
So
basically,
if
you're
working
on
kubernetes
today
might
be
are
using
on
data
center
might
be
using
kubernetes
on
their
own
Prem
data
center
or
might
be
using
kubernetes
on
eks
Azure
on
AKs,
maybe
you're,
using
gke
or
maybe
using
remote
or
ash
cloud.
So
if
you're
in
the
kubernetes
space
you
see
the
requirements,
are
you
need
to
build
in
automation?
You
have
a
security
in
place
that
we
call
it
zero
trust
and
we
call
it
a
security
preparedness.
B
And
then
you
need
a
visibility,
because
you
have
app
team,
you
have
Finn
Ops
Team,
you
have
product
team,
you
have
marketing
team
and
you
have
a
bunch
of
other
things
and
you
want
to
provide
them
a
visibility.
So
they
can
look
at
the
platform
and
everybody
can
separate
the
concern
between
what
they
are
doing
and
what
the
other
day
other
team
members
are
doing
in
the
in
the
shared
platform,
and
then
we
need
a
governance.
B
Governance
basically
mean
when
you
do
something
we
need
to
take
into
the
consideration
like
I
am
allowed
to
actually
change
the
cluster.
If
I
am
how
much
of
the
access
I
granted
or
even
you
could
like-
take
a
look
at
the
kubernetes
kubernetes
and
tools
like
open
policy,
agent
and
power
policy
and
governance.
Those
are
the
basic
governance
need,
but
I
will
talk
more
about
these
four
consideration,
but
today
my
focus
is:
can
you
go
to
the
next
slide?
Please
share
out.
B
B
Look
at
the
summary
requirement
of
the
platform
need
and
that
the
platform
is
now
composed
of
not
one,
but
there
are
so
many
moving
parts
right
now.
So
can
you
go
to
that
next
slide?
Please,
because
I
see
the
previous
one.
Can
you
go
back?
Yes,
I
can
see
it.
Thank
you.
So
basically,
if
you
look
at
the
platform
today
and
the
plan,
no
the
previous
one,
the
previous
one.
A
Okay,
so
let's
wait
a
bit
because
our
speaker
has
been
literally
disconnected
from
us.
Let's
wait.
Let's
see.
B
Click
a
wrong
button.
Sorry
for
that!
So
yes,
summary
of
the
requirement
in
the
platform.
Yes,
that's
the
slide!
I!
Think!
Yes!
Yes!
So
if
you
look
at
the
platform
today,
you
need
these
major
five.
Five,
six
Cornerstone!
You
need
a
service
match.
You
need
Network
policies,
you
need
trust
access,
you
need
policy
and
governance
policy
enforcement.
Then
you
need
get
offs
for
drifted
action
and
then
you
need
multi
tenancy
because
developers
and
the
operations
might
there.
You
have
tens
and
hundreds
of
teams
and
by
giving
everyone
a
new
cluster
can't
be
overwhelmingly
complex.
B
So
what
you
do
is
you
share
the
cluster
with
the
team
member,
so
everybody
using
the
same
cluster.
So
that
is
a
summary
of
requirement
for
the
platform
need
you
need
service
mesh
for
managing
logs
and
application
and
have
a
better
separation
of
concern.
If
you
have
zero
trust
access,
how
you
can
actually
enable
everyone
access,
the
resources.
B
Do
you
need
get
offs
for
the
drip
deduction
and
then
you
need
policy
enforcement,
meaning
you
have
a
cluster
is
in
place
and
what
the
cluster
is
doing.
You
have
some
access
to
it
and
you
want
to
fine-grained
and
you
don't
allow
like
you
don't
do.
Kai
were
no
open
policy.
Agent
is
a
feasible
here.
So
Shadow
can
you
go
to
the
next
site?
Please,
because
that's
where
we
are
talking
about
shared
responsibility,
access
management?
B
If
you
look
at
the
kubernetes
plus
cloud
and
the
traditional
cloud
in
the
traditional
Cloud,
we
have
physical
infrastructure,
networking,
virtualization
guest,
OS
application,
data,
user
access
and
identity.
That
is
enough
for
you
and
then
you
apply
application
start
and
you
add
binaries
and
Linux
operating
system
and
you
can
add
more
into
it,
but
that's
the
peer
minimum
minimum.
You
have
to
take
it
to
the
consideration.
Look
at
the
kubernetes
plus
Cloud
Model.
You
have
physical
infrastructure,
networking,
virtualization
gastoise,
then
the
gastros.
B
When
you
install
kubernetes
on
top
of
guest
operating
system,
meaning
you
have
Linux
installed
on
top
of
it,
and
then
you
have
a
kubernetes
infrastructure
layer
and
look
at
the
kubernetes.
What
kubernetes?
Just
for
you,
you
have
cnis
container
network
interface.
You
have
Cris
container
runtime
interfaces,
you
have
container
storage
interfaces,
then
you
link
up
service,
meshes
githubs
policy
and
governance,
multi-tenancy
runtime
reduction
with
Falco
observability,
with
grafana
and
Prometheus,
and
for
all
the
bochum
layer
to
the
top.
B
You
need
a
supply
chain,
security,
tooling,
making
sure
the
container
images
that
are
actually
you
are
using
have
have
this
have
actually
this
they
have
secured
version,
not
a
major
one,
so
a
very
less
surface
area
of
attack.
So
that's
a
big
big
model
now
and
then
you
actually
you
as
installing
your
app
and
then
you're
actually
running
working
with
your
app.
So
look
at
the
model
right
now
and
the
access
management
become
way
harder
right
now
how
much
the
access
your
app
team
has
compared
to
the
how
much
access
your
devops
team
have?
B
B
Foreign,
yes,
can
you?
Yes
absolutely
so
if
you
dive
up
one
bad
command
in
any
rear,
then
there
is
a
hustle
and
then
there
is
an
immediate
immediency
around.
Who
does
what
and
you'd
start
doing
some
kind
of
forensic
analysis
and
the
forensic
is
become
very
difficult
because
you
have
a
cni
layer
networking.
Is
it
something
complicated
or
is
something
broken
in
the
network
layer?
Is
it
something
broken
in
the
runtime
layer?
Is
it
something
broken
in
the
storage
layer?
B
B
You
need
zero
trust,
application
deployment,
meaning
when
you
start
a
star
interview
when
you
actually
type
a
command,
Cube
CTL
get
engine
Gen,
X,
meaning
you
have
access
to
the
cluster
that
actually
provided
to
you
by
the
devops
team
and
you
don't
accidentally
deploying
a
class
application
or
to
somebody
else,
cluster
and
breaking
their
cluster
accidentally.
So
that's
where
the
zero
trust
application
deployment
model
works.
Then
you
have
a
separate
chain
of
Duties
like
app
team
is
a
responsible
for
deploying
app
and
the
platform
team
is
responsible
for
deploying
the
infrastructure
for
you.
B
Then
you
have
secret
management
integration.
Then
your
centralized
policy
enforcement
drift
deduction
and
blocking
and
private
manifest
repository.
But
today
is
my
focus
around.
If
you
go
to
the
next
two
slides
around
zero
trust
application
deployment
and
the
separation
of
dots.
So
now
the
first
things
come
up,
how
you
have
to
separate
the
concern
between
application
and
deployment,
and
that
is
I
actually
added
in
the
next
slide.
B
So
if
you
go
to
the
next
slide
and
that's
where
you
that's
a
summary
of
the
role
and
permission
granted
of
the
team,
you
have
an
old
team
and
then
you
have
all
admins
and
might
be
orgs
have
read-only
permissions
for
the
project
might
be.
You
have
not
one
project,
but
you
have
different
projects.
Maybe
you
have
let's
say:
do
you
have
projects
in
eks
cluster?
Then
you
have
project
in
AKs
cluster.
Then
you
have
projects
in
gke
clusters
and
then
the
project
is
divided.
B
Among
teams,
so
that's
how
it
becomes
completely
complex
and
complex,
but
look
at
the
simpler
or
Sim
Sim,
simpler
version.
How
look
it
difficult?
So
you
have
orgs
wide
permissions
for
the
project
and
then
you
have
infrastructure
and
workspace.
Workspace
is
actually
is
actually
give
you
the
access
to
the
cluster
you're.
Actually
working
on
that
you
have
a
project
admin
and
the
project
read-only
permission.
B
Then
you
have
a
workspace
and
the
infrastructure,
so
infrastructure
admins
can
actually
let's
say,
can
create
the
cluster
meaning
they
can
install
third-party
apps
for
you
get
Ops
policy
agents
like
I,
want
to
know
or
open
policy
agent
or
then
actually
deploy
third-party
like
yeah
for
secret
management.
They
can
add
it
for
you
and
then
the
developers
what
they
do
is
they
have
access,
and
then
they
have
the
access
to
the
cluster,
and
then
they
deploy
application.
B
On
top
of
it
and
remember
in
a
team
in
an
organization
there's
not
a
one
developer,
there
are
10
and
100
and
thousand
of
developers,
and
it's
kubernetes
give
you
the
namespace
concept,
meaning
there's
a
namespace.
You
can
actually
access
the
same
namespace
that
belong
to
you.
The
way
you
actually
access
the
namespace
with
the
permission,
we
call
this
R
back
role
based
access
control,
so
basically
a
namespace
is
actually
in
a
kubernetes
is
similar
sort
of
like.
B
If
you
have
a
house,
and
you
have
different
rooms
from
your
for
daughters
and
let's
say:
if
you
are,
if
you're
a
house
owner
like
Dad,
and
you
have
sister,
daughters
and
sons,
you
actually
have
separate
rooms
for
the
daughter
and
son.
So
basically,
what
Sun
can
see
only
there
is
resources
they
have
in
their
area
of
a
room,
and
the
daughter
can
see
the
or
resources
all
they
see
in
the
area
of
room.
B
Our
backic
stands
for
role-based
Access
Control
and
that's
where
your
namespaces
comes
in
handy
and
we
have
a
in
a
kubernetes.
We
have
called
namespace
base
permission
versus
cluster-wide
based
permission,
so
the
namespace
said
like
if
you
have
a
cube,
CTL
get
an
S,
that's
a
name
name.
Space
Orange
in
orange
namespace
sign
can
only
be
the
person
with
an
organization
can
deploy
application
on
that
namespace.
B
If,
as
if
accidentally
share
or
acts
as
the
same
name
space,
you
get
a
permission,
denied
error,
saying
you
don't
have
permission
to
access
the
same
namespace
so
the
way
we
can
actually
stick
something,
but
there
are
criteria
where
we
have
a
cluster-wide
resources.
So
namespace
is
just
belong
to
the
the
developers,
but
the
cluster-wide
resource
has
been.
You
have
storage,
you
have
networking,
and
that
is
an
organization-wide
resources
and
that
is
actually
basically
the
job
of
the
infrastructure
team
and
within
the
infrastructure
team
you
have
storage
team.
You
have
security
team.
B
B
Yes!
Thank
you!
So
right
now,
if
you
look
at
you
have
cluster
in
geographical
centers.
You
have
some
clusters.
Let's
say
in
AWS
region,
U.S
east.
We
have
some
cluster
in
U.S
region.
If
West
you
have
some
cluster
in
digital
oceans,
you
have
some
cluster
of
migraines
civil
kubernetes,
cluster
or
Siva
cloud,
or
you
might
have
some
cluster
in
let's
say.
B
And
you
want
all
those
cluster
to
be:
have
a
centralized,
visible
location
for
me
to
track
those
in,
and
that's
a
very
small
J
screenshot
I've
added.
What
I
want
to
see
in
in
infra
admin
as
I
want
to
see
the
permission
I
granted
to
the
development
teams,
how
they
are
accessing
cluster,
which
area
of
time
like?
If,
let's
say,
if
they
access
the
cluster
8
am
in
the
morning
and
what
command
he
actually
wrote
in
the
cluster
actually
declarative
command.
B
He
used
to
span
up
the
cluster
if
something
bad
happened
to
my
cluster
as
an
infrastructure
admin
with
responsibility
to
make
sure
infrastructure
will
be
visible
and
will
be
available
for
all
of
the
application
team,
regardless
of
what
area
of
time
we're
actually
accessing.
But
in
order
to
make
the
highly
available
cluster
I
need
a
centralized
visibility
tool.
B
So,
basically,
if
you
look
at
I,
look
at
the
dashboard
see
who
can
access
the
cluster?
What
the
latest
command
that
broke
the
cluster
and
then
I
can
look
at
the
permission.
I
can
what
the
command
actually
broke
the
cluster
and
then
I
can
drill
down
with
the
issues
and
then
actually
for
do
the
forensic
and
make
sure
the
cluster
is
back
to
the
normal.
That
is
my
need.
I
need
a
single
administrative
pan
for
in
infrastructure.
B
Cluster,
we
have
cluster
life
cycle
and
management.
You
need
visibility,
you
need
who
can
access
the
cluster?
What
time
is
accessing
what
command
erode
and
then
we
need
troubleshooting,
and
you
need
Enterprise,
wide
dashboard,
alerting
notification
and
you
need
Prometheus
for
centralized
visibility
and
monitoring.
Now
we
go
back
to
the
next
slide.
Sharia
and
I
see
I.
Think
if
you
come
with
a
mindset
of
not
every
Devon
office
team
member
needs
an
unrestricted
ability
to
create,
delete
and
modify
resources,
click
create
delete
and
modify
resources.
Then,
what's
what's
come
up
with
that
mindset?
B
You
spend
a
lot
of
time
with
single
administrative
pain.
You
spend
a
lot
of
time
in
Enterprise
dashboard.
What
end
up
happening
is
you
need
less
troubleshooting?
You
will
come
towards
the
area
if
you
come
towards
the
goal
where
you
have
less
alerting
and
monitoring,
and
you
look
towards
the
area
of
adopted,
integrated
monitoring.
So
in
the
next
slide,
I
tell
you
if
you
come
up
with
the
mindset
of
not
every
and
devops
team
member
needs
the
unrestricted
ability
to
create,
modify
and
delete
kubernetes
resources.
B
This
mindset
gave
you
less
troubleshooting,
less,
alerting
and
monitoring
and
being
prepared
for
that
monitoring,
and
you
have
visibility
in
the
single
administrative,
brain
and
enterprise-wide
dashboard.
Now,
Sherry
I
can
go
to
the
next
few
slides
and
then
a
straight
go
to
the
yes
next
four
and
that
I
I
think
I
can
get.
Now
we
come
into
the
place
of
the
challenges
Associated
to
the
control
access.
B
How
do
you
access
the
cluster?
What
are
the
traditional
approaches?
You
have
how
they
actually
lack
today,
where
they
leave,
where
they
see
some
kind
of
visibility.
And
can
you
go
to
the
next
slide
and
we
start
with
our
journey
of
access
management
via
Bastion.
What
you
do
is,
you
is
install
some
of
the
Bastion
controller
in
front
of
your
kubernetes
private
kubernetes
cluster.
You
ask
such
attention
to
this
that
machine
and
that
machine
where
the
kubernetes
cluster
is
running,
you
were
able
to
access
those,
but
the
issue.
B
What
you
do
is
you
create
a
jump
host,
meaning,
let's
say
you
have
another
machine
dedicated
in
the
public
area.
You
can
access
to
the
that
machine.
That
machine
will
eventually
actually
access
access
to
the
private
cluster
where
kubernetes
cluster
is
running,
but
we've
done
something
good
in
here,
but
the
problem
is
some
similar
to
the
previous
one.
You
have
same
q
and
config
file
and
you
have
a
yaml
secret
and
all
The
Dumping
Ground
of
yaml
and
secret
management
that
you
have
to
take
to
worry
about.
B
Then
there's
a
large
attack
surface,
since
the
entire
network
is
accessible
from
Bastion,
the
same
approach,
different
design,
but
the
approach,
but
the
problem:
Still
Remains,
the
Same,
the
next
one
is
on
the
next
slide
and
that
is
access
via
VPN
Gateway.
That
is
better
I,
see
some
of
the
companies.
Some
of
the
people
are
still
using
kubernetes
assess
management.
During
with
this
approach,
it's
kind
of
have
some
of
the
tool
associated
in
the
marketing
market
right
now,
but
the
problem
is
that
it
will
cost
you
taller
to
purchase
and
operate.
B
You
need
a
team
dedicated
for
the
vbn
and
who
can
actually
give
the
access
to
the
cluster.
So
it's
a
good
one,
but
it's
a
lack
of
these
are
so
much
cost
associated
with
it.
Remember
if
you
are
accessing
the
cluster
in
the
AKs
eks
gke,
if
you
and
if
you
accidentally,
create
some
of
the
resources
in
the
eks
AKs
gke
that
will
pile
up
your
bills.
So
it's
a
good
approach,
but
there
are
cons,
Associated
related
to
the
need
of
VPN
Gateway
per
data
center.
B
Every
data
center
required
of
one
VPN
and
that's
need
a
huge
amount
of
resources.
Then
you
have
a
user
need
of
VPN
client
on
laptop.
You
have
a
laptop
to
connect
to
the
VPN
and
the
VPN
connect
to
the
data
center
and,
as
I
said,
there's
a
taller,
there's
a
money
and
there's
a
cost
associated
with
this
approach,
and
why
did
it
since
entire
private,
private
Network,
all
IPS?
All
protocol
is
accessible
from
the
laptop
which
accessing
the
VPN,
so
that
is
another
bad
way.
B
So
in
the
next
slide,
if
you
go
back,
if
you
go
to
the
next
slide
Sharia,
you
see,
the
manual
approaches
will
fall
apart
and
you
can
totally
understand
this
because
you
are
not
accessing
the
cluster
one.
You
there
are
tens
and
hundreds
of
access
cluster
that
you
need
to
deal
with
on
daily
basis,
I
work
in
a
team
with
an
access
cluster
in
eks
gks
digital
ocean
in
many
different
places,
even
on
Data
Center
and
remote
on
Azure
locations.
So
we
can't
rely
on
the
manual
solutions
to
fulfill
our
need.
B
That's
where
we
headed
towards
the
key
takeaway
from
the
challenges
and
heading
toward
the
solution,
the
open
source
solution
that
can
effectively
help
you
become
some
of
the
challenges
in
the
next
slide.
I'm
talking
about
so
I'm
talking
about
the
key
takeaways
number
one,
you
need
a
cognitive.
You
need
to
remove
the
cognitive
load
from
accessing
cluster
by
cluster.
You
need
to
remove
the
manually
jump,
host
or
VPN
approaches,
because
entire
fleet
entire
network
is
actually
on
the
verge
of
one
bad
access,
one
bad
command
to
the
cluster.
B
Then
you
need
a
dollar
to
purchase
and
operate,
and
yet
you
need
some
kind
of
custom
tooling
to
audit,
because
the
reason
why
you're
auditing
is
you're
spending
a
lot
of
time
in
auditing,
because
you
know
things
gone
wrong
and
wrong
in
a
very
horrible
way.
So
that's
where
you
can
actually
work
with
identity
providers
and
auditing
mechanism
to
saw
the
needs,
and
then
all
these
are
human,
friendlier
humans
command
type
and
they
can
actually
broke
in
some
way.
So
basically
you
have
this.
This
is
actually
error
prone
increase.
B
The
risk
of
breaches
as
the
number
of
cluster
grows,
so,
let's
Circle
back
our
combination,
Communications
to
word
and
open
source
Solution,
that's
called
perilous
and
the
cncf
sandbox
solution.
How
this
solves
some
of
the
challenges
or
we
can
dive
in
to
see
what
the
model
where
parallels
operate
in
so
share
your.
Can
you
go
to
the
next
slide?
Please.
B
Yes,
so,
meanwhile,
before
I'm,
starting
jumping
into
the
open
source
solution,
if
I,
if
you
have
some
question
related
to
the
access
management,
because
I
know
you
have
10
of
them,
don't
hesitate
to
ask
and
yes,
don't
hesitate
to
ask
and
I
will
let
you
cover.
So
let
me
give
you
some
backstory
of
cncf
sandbox
project,
because
I
would
like
to
dive
into
the
intricacies
of
how
the
project
evolved.
B
I've
worked
with
a
lot
of
the
open
source
projects
of
the
communities
in
the
past,
so
I
would
I
want
to
be
a
very
listener
around
the
back
storage
backstories
of
the
project,
so
I
talked
to
the
one
of
the
team
who's
actually
managing
this
open
source
solution,
and
this
team
is
called
Rafa
systems
and
has
talked
to
some
of
the
team
members.
Why
there's
and
why
you?
Actually
you
see
a
need
of
an
open
source
solution
and
why
you
actually
donated
to
the
cncf,
and
they
spoke
about
in
our
roughly
kubernetes
operation
platform.
B
We
have
multi-cluster
management
that
the
client
is
using.
We
have
githubs
for
kubernetes.
Do
we
have
visibility
and
monitoring
tool
having
a
single
plane?
A
click
click
of
a
button
and
then
the
policy
and
cover
an
open
policy
agent
features
like
add-on,
and
then
they
have
a
hang
dashboard
in
their
platform.
They
have
a
cluster
blueprint,
drift
reduction
and
all
of
the
features
are
listed
in
is
actually
a
part
of
that
platform.
B
They
actually
provided
the
customer
and
they
tell
me
the
what
are
the
features
their
client
is
loving
about
is
zero
trust
access,
meaning
the
way
they're
accessing
the
cluster
is
zero
trust,
meaning
no
rotation
of
cube
config
file
and
there's
a
no
rotation
of
R
back.
Some
kind
of
thing
is
something
handled
automatically
and
they
see
all
of
the
client
and
accessing
like
Ranger,
cluster
openshift,
Mains,
upstream
kubernetes,
eks,
gke
or
Azure,
and
all
these
running
in
different
data
center
AWS
Azure,
Google
remote
on
Azure
locations.
B
So
they
tell
me,
like
all
the
cluster,
all
of
the
cluster
approaches
and
all
of
the
access
management
become
a
very
difficult
for
the
our
customers
and
they
have
a
they
like
our
feature
around
zero
trust,
and
what
we've
done
is
we'll
see
if
the
plethora
of
people
have
already
seen
a
demand.
Why
not
make
it
an
open
source
and
other
people
can
see
you
the
same
feature
to
solve
some
of
the
needs
in
the
next
slide.
I'm
I'm,
talking
about
how
the
perilous
model
works.
B
So,
basically,
if
you're
accessing
the
cluster
today,
how
the
this
approach
works
is
you
have
you?
Can
access
the
cluster
from
Cube,
CDL,
CLI,
graphic
and
so
or
or
browser-based
Coop
cereal,
shell
or
cube
API
client?
What
ended
up
happening
is
you
accessing
the
parallel
server
and
parallel
servers
is
a
monolithic
comprising
a
many
component
having
a
creatus
for
user
identity,
meaning
if
user
logging
to
the
parallel
as
we
actually
preserve
their
identity,
user,
credential
and
login,
we
use
creators.
B
We
have
I,
we
have
bunch
of
other
parallel
core
component,
so
we
separately
combine
those
and
call
them
as
a
parallel
server.
So
when
you
access
the
cluster,
the
first
thing
up,
you
talk
to
the
parallel
server,
so
there's
a
no
rotation
of
anything.
So
then
there's
a
step
two
you
will
log
in
Via,
let's
say
GitHub
or
Google,
or
any
identity
provider
like
Azure,
ID
or
anything
you
would
like
to
access,
or
even
you
can
act,
use
OCTA
to
log
into
The
Parallax
dashboard,
so
you
log
in
and
then
you
then
you
will.
B
We
will
assign
you
a
permission,
what
permission
this
user
has
in
order
to
access
the
cluster.
The
next
thing,
then
it
happened.
We
will
create
a
service
account.
A
femoral
service
account
when
you
boot
stab
the
cluster
in
Parallax
dashboard.
There's
a
relay
a
relay
agent
installed
in
front
of
your
cluster.
That's
this
basically
install
configure
service
account
token
for
you
and
then
you
can
access
the
cluster.
Then
the
service
account
token
is
actually
added
in
the
kubernetes
server
API
server.
What
is
the
next
step?
B
Is
you
will
actually
accessing
the
command
Cube
see
it
has
CTL
catbot.
We
can.
You
can
see
the
power
you
can
see.
Cube
serial
get
deployment.
You
can
see
the
deployment.
If
you
don't
have
permissions
to
see
the
deployment
in,
let's
say
orange
namespace.
That
belongs
perfectly
to
me.
Then
the
access
denied
error,
because
we
have
already
added
some
kind
of
authentication
mechanism
in
paralyze,
so
you
don't
deal
with
r
back
or
role
based
access
control.
B
So
that's
the
architecture
we
have
and
these
architecture
give
you
the
unified
trust,
secure
access,
wired,
Network
terminal
immunity,
visible
audit
logging.
When
you
access
this
all
these
commands
there's
a
trial
you
can
see
who
does
what?
What
time
it
takes
for
the
command
to
run
and
all
these
kind
of
things
are
visible
in
the
perilous
dashboard.
B
So
basically
we
with
this
Tool
The
Promise
here
and
the
motivation
is
toward
zero
trust
model,
governance,
capabilities
and
integration,
meaning
comply
with
devops
policies
and
reduce
attack
surface
with
data
centers
and
centralized
Cloud
credential,
including
IM
policy
and
service
principle.
So
now
you
can
go
to
the
next
slide.
Please
Sharia.
B
Service
account
token
and
a
Federated
R
back
I
need
centralized
visibility,
centralized
audit
trail
of
all
Cube
serial
activity.
So
basically,
what
I
need
is
I
need
a
secured
access
with
a
clock
based
kubernetes
environment,
meaning
that
you
can
access
the
cluster
jump
in
and
then
a
remove
and
that's
I
need
a
service
account
token
for
frederated
and
I
need
to
see
a
centralized
visibility
of
all
Cube
CDL
activity.
B
B
Yes,
so
that
is,
if
you
look
at
the
perilous
dot
IO
website
and
go
jump
in
there,
you
see
all
the
information
available.
Is
this
an
open
source
product
I
want
to
see
some
of
the
contribution
from
the
community
members,
because
what
we
like
to
see
how
Community
are
dealing
with
the
the
challenges
of
access
management?
B
What's
the
problem
you're
facing
what
feature
you
want
to
add
in
so
basically,
as
of
today,
we're
giving
you
the
custom
roles,
user
and
groups,
if
you
log
into
the
paralysis,
we
have
custom
role
associated
with
it,
and
you
can
actually
change
and
revoke
permission
on
the
Fly
meaning.
If
somebody
from
the
team
member
leaves
the
team
and
then
join
in
again,
there's
always
a
hustle
that
the
note
in
compliance
team
came
up
and
manually
with
his
permissions.
B
But
that
is
not
the
case
with
that
open
source
to
like
parallels.
The
permission
model
is
actually
a
very
automated
one.
You
can
actually
dashboard
and
remove
and
remind
revoke
permission.
Then
we
have
a
single,
mainly.
You
can
use
K,
Channel,
Azure,
ID
or
orchestra
to
authenticate
to
log
into
the
system
and
they
will
audit
log
of
cube
serial
command
history
at
a
modern.
We
have
a
GUI.
We
have
a
PCL
tool
to
access
the
kubernetes
cluster
and
web
API,
so
Sharia
I'm,
hoping
I'm,
not
lost.
Anyone.
A
A
B
So
while
I'm
sharing
my
screen
previously
click
the
wrong
button
and
I
disconnect
it
so
sorry
for
that
people.
So
actually
let
me
share
my
screen.
I'm
sharing
my
entire
screen
and
I
want
to
give
user
and
The
Listener
walkthrough
of
how
these
things
work
so
unable
to
H
so
Sarah.
Can
you
give
me
access
to
share
my
screen
currently.
B
A
Okay,
sorry
for
the
issues,
but
I
hope
you
guys
will
wait
for
the
demo
part,
because
now
Simon
will
actually
show
you
the
demo
like
how
it
works.
Basically,
okay,
so,
let's
add
him
again:
yeah
yeah!
You
can
try
now
I!
Guess,
yes,.
B
Absolutely
I
think
there's
a
one
question
in
the
chat
from
what
is
the
best
tool
for
manage
kubernetes.
Is
it
the
question
in
the
chat.
A
B
B
Of
her
time,
and
after
all,
these
things
we
have
to
do
in
manually,
because
service
kubernetes
is
not
just
about
just
kubernetes,
but
the
entire
ecosystem
is
built
around
that
currently
I
see
building
platforms
on
kubernetes
structure.
If
you
look
at
the
right
now,
there's
a
cohort
there
is
a
open
shift
already
in
the
for
a
very
long
time,
then
we
have
a
actually
there's
a
tool
that
I
know:
I
work
with
a
company
called
Rafa
kubernetes
operation
platform,
and
then
there
are
a
bunch
of
others
who
exist.
B
What
job
is
to
actually
give
you
the
kubernetes
inside
a
dashboard
and
basically
pick
and
choose
the
services
what
you
like,
if
you
want
to
use
service
mesh?
Oh
here's,
the
button
for
you,
click
on
a
server
mesh
added
behind
the
scene
and
let's
focus
on
the
app
the
business
that
you're
actually
working
on.
So
that's
where
the
motion
is
actually
helping
on
so
I
think
right
now
there
are
very
overlapping
and-
and
there
are
very
overlapping
for
that.
B
So
if
you
want
to
manage
kubernetes
locally
and
to
want
to
see
a
centralized
with
centralized
visibility,
that's
because
the
question
is
having
two
angle
number
one
I
know
the
kubernetes
is
complex.
I
want
to
have
a
managed
tool
that
give
everything
in
a
single
plane
of
glass.
That
is
what
a
tool
I'm
talking
about
if
you're
talking
about
just
a
tool
that
give
you
of
visibility,
and
you
can
see
how
the
pods
and
replica
search
and
demons
that
are
listed
inside
the
dashboard.
B
Previously
we
have
the
lens
open
source
project,
but
now
it's
becoming
a
more
of
a
commercial
one
to
Canine
s
is
a
really
good
one,
as
somebody
actually
chatted
over
there,
but
the
K9s
is
give
you
is
a
terminal
base.
You
can
try
to
commands
the
terminal
based
access
management,
meaning
you
can
look
at
the
dashboard
and
see
how
the
bond
deployment
replica
set
and
all
these
things
behave.
So
if
the
managed
kubernetes
go,
look
at
the
platform
tool
that
people
are
building
on
top
of
kubernetes
for
the
local
development
need
visibility.
B
B
Ops
Prometheus
grafana
Ingress
controller.
If
you
want
to
lift
off
this
responsibility
to
somebody
else,
what
you
do
go
for
the
some
of
the
tools
I
mentioned
she
already
mentioned,
go
to
the
let's
say
there
are
sponge
of
them
like
open
shape,
there's
Rancher,
there's
a
graphic
kubernetes
operation
platform.
There
is
a
cohort,
then
there's
Mia
platform
and
there
are
few
others
like
reverse
platform.
B
B
B
B
B
B
Lies
server
that
centralized
servers
is
actually
Enterprise
behind
the
scene.
So,
basically
the
question
around
like
how
do
we
aware
how
it,
how
does
the
parent
has
become
highly
available?
This
is
a
one
lacking
point
and
that
is
accessing
the
cluster.
Basically,
there
are
some
permission
you
can
actually
tap
in
the
load
and
make
it
three
of
the
past
server
and
then
actually
access
the
cluster
behind
the
scene,
but
as
I
lost
somebody,
you.
B
A
Okay,
so
as
we
assumed
yeah
sorry
for
the
issues,
because
our
speaker
is
facing
some
intense
issues,
I
guess
so
sorry
for
this
issue.
A
A
Your
screen
is
freeze,
I,
guess
so.
Yeah.
A
Hello,
save.
Can
you
hear
us.
A
A
Is
it
possible
to
get
the
slide
deck
right?
Okay,
so
yeah
I
will
talk
to
the
speaker
and
if
it
is
possible,
then
I
will
add
these
slide.
Deck
to
the
street,
basically
in
into
the
I
would
say,
is
YouTube
live
into
the
description
you
might
see
this
slide
day.
Okay,
so
yeah
some.
A
Okay,
so
yeah
as
we
can't
I
guess
we
can't
continue
the
session
if
this
seems
like
this,
but
you
guys
can
share.
Where
are
you
where
have
you
joined
from
so
yeah
in
the
meanwhile
yeah
I
can
see.
B
Simon, okay, okay, so I don't know why, but it's actually reloading for a long, long time, even while I'm talking, and it's shaky. It's got me disconnected of my terms. This is my worst experience. I usually do some kind of hosting on another platform. And meanwhile, if you want to do some deep dive content, there is a YouTube channel called Cloud Native FM and there's a lot of content related to Paralus available.
B
There's a question around: how does Paralus give you some kind of availability? We have an entire session on that on the Cloud Native Podcast YouTube, so make sure you actually join it and see the discussion there. I hope things work right now; I'll give you a very quick demo, and then you actually... and thank you very much, Nero, for actually sending the Slack channel in here so people can join us.
B
We have unanswered questions there, please go there, and we have some wonderful communities building up and we can answer those as well. So I hope I can have permission to share my screen, so I can literally jump in very quickly and give you some very good highlights, well, so I think I have to rejoin again because I disconnected previously, so that's a design consideration, no worries. I will be very quick, it's a very short demo and I will be back.
A
Okay, yeah, thank you guys, and yeah, thanks, you know, for sharing the Slack channel. In the meanwhile, what you guys can do is there is actually a blog, paralus.io blog, which Saim has shared with me. Let me share it, check this out. Okay.
B
A
B
Let me quickly share my screen again, and there's a very short demo. We hope things work right now. Sorry, people, for some kind of... I'm still unable to share my screen. No worries, what I do is share.
B
Or can you go to the Paralus repository, because there are some videos in there you can actually use as part of our discussion. So paralus.io, and there's a GitHub link there; you can go there, there's a GIF added there, so I can walk people through how this actually works in the real world, because there are people who want to... we have a question, so.
B
Listed in AWS Marketplace, it is actually available in Civo Cloud, which we recently added, and it is also available in DigitalOcean. Why this is actually super cool is because sometimes we feel like installing and cloning a repo is kind of overwhelming. You install Helm, install Paralus, install it, and some bad things can happen. With the managed offering like AWS Marketplace, what you do is go to the AWS Marketplace, take a click on the marketplace; it is a one-click installer.
B
Basically, so, basically, when you install, go to the EKS cluster, look at the security in the AWS Marketplace security section, inside the security settings. You see Paralus, click on that, install it on your EKS cluster. Once you install it on your EKS cluster, you see some of the components related to Paralus added. There are some connectors, there is a relay agent, relay server already added. So this is the website we're talking about. The next step is: can you go to the GitHub right now?
B
If you go to the GitHub, click on the GitHub and I can walk you through some of the stuff in there. Yeah, I think we have added a GIF in here somewhere down in the repo. Can you go there quickly: contribution, author, Paralus website? Let me share one with you, so I can share one with you quickly here, so people can look at how this thing works.
B
Yes, this one. So can you actually make it bigger, like if you click on it there's a separate one? Yes. So how does Paralus work? First thing first, you log in to Paralus via GitHub. So the first step is you go to paralus.io and helm install Paralus, and the dashboard you already run locally on console.demo.paralus, and then you actually access the Paralus dashboard. The next thing is: how do you actually log in to Paralus?
B
You can actually use GitHub, Okta, Azure or any favorite tool. You can do it. The next step is you actually bring on the cluster onboarding process: click on the cluster and import existing cluster. Then, in the import existing cluster, remember we're adding the relay agent in front of every cluster. So when you import the cluster, we give you the bootstrap.yaml file. When you have downloaded the bootstrap.yaml file, let's say kubectl... Yes, thank you, Nero; it is also added on the YouTube as well.
B
This is a talk from Nero at KCD Bangalore. There's a video added there. So, basically, let's say you actually download the bootstrap.yaml, kubectl bootstrap.yaml, and then the relay agent is actually added into the cluster. What the relay agent does is provide you the service account token for accessing the cluster, meaning when the service account token is actually granted, added in the cluster, you don't need a kubeconfig file or all of these, or RBAC and the manual processes. Basically, you can access the cluster with an ephemeral service account token.
B
B
...person, or as a read-write person, to access the cluster. So with that model you can actually access the cluster and list all kinds of resources. Let's say if you want to add more granularity and give me permission or revoke permission, go to the Paralus dashboard, inside the settings go to the project settings, and you actually remove the permission of Saim from this cluster, and in that way my permission got revoked and everything is back to normal, meaning there are no manual steps involved behind the revoking of permissions.
B
So that's how Paralus actually works. Today we have so many new requests coming up. There are some issues related to it; we are currently working on how to give you centralized visibility using Prometheus and Grafana tooling, so you can have a dashboard that is more shiny for you. So.
B
...added Civo Cloud; make sure you actually access the Civo Cloud cluster and let us know your opinion on how this works. So Sharon, over to you now; look at if you have any more questions, and I will wrap up the proceedings, and you can share your screen and we can actually give people some final places to look for resources for Paralus.
A
Okay, so yeah, I guess people can now ask their questions, because we have just ended up with those issues right now. Right, okay, so yeah, I guess there are some questions that you have already asked, but yeah, a few questions that might be added here. I guess I'm going to ask you some questions, like, yeah: how can organizations effectively implement role-based access control in their Kubernetes cluster? So what's your opinion on that?
A
B
Absolutely, there's a manual process. Remember RBAC, why the RBAC permission model works. Remember we have a namespaces concept in Kubernetes; namespaces allow you to see the resources that belong to you. How do you actually, how do you actually control it? You need role-based access control, and that is provided to a namespace. So what is it?
B
The role is actually telling you, let's say I want read-only access to the namespace orange: I create a role and then I create a role binding, and that role binding belongs to Saim, because remember in Kubernetes there is no user concept. In Kubernetes, like, Saim is a user, can I access this or that resource? The user is not added in Kubernetes as a resource. So if that's a limitation, how do you overcome the limitation?
B
We need role-based access control, so RBAC works like this: you first create a role saying you can access the cluster and have read-only permission to the orange namespace. How do you bind this role to me? You create a role binding object, and then in the role binding object you say that this is a resource name, kind is a resource. Let's say a resource is a namespace; in that resource, in that namespace you can't see a deployment resource, and if you try to see it, you get an error. So that is how this manually works.
B
It's a lot of moving pieces between them, and I think people are moving from manually accepting, manually creating RBAC toward automation approaches like Paralus. What Paralus does is exactly the same as what Kubernetes is actually doing: giving you the RBAC model, but hiding the RBAC details from you. So basically, what it does is you log in via a GitHub user or Google account or any tech account, and when you log in, we create a role for you.
B
Let's say in this project and this resource you can actually access this namespace and you can see a deployment, and that is actually added for you on the fly when you actually access the cluster. So when you access the cluster, being an admin, being a developer, I don't have any worry like if I'm accessing a bad thing or bad access, because I only have permission to what is already provided to me by the platform engineering team. So I think the question now becomes.
B
If you are manually doing it, it's great, but manual processes fall apart and it's very complicated, like the hierarchy is so complex and there is a learning curve behind it. So I see people are moving towards some RBAC solution. Paralus is one of them. There's Kubescape, which gives you the RBAC visualizer, and there are a bunch of others in the market that give you an automated framework for RBAC management.
A
Okay, that's awesome actually, because you have already mentioned about the hardware camera right now, yeah. This is how it works. So again, there can be another question regarding this, like: are there any specific tools or frameworks that you recommend for simplifying and enhancing Kubernetes access management? So from your own opinion or experience, anything you would like to mention, yeah.
B
Like, there are some different models right now in Kubernetes we have; somebody is going towards the CRD model. Like you have a controller installed in the Kubernetes cluster. What it does is, if somebody accesses the Kubernetes cluster from a wrong permission model, it detects it and it sees from the policy, like, this person doesn't have permission to do these kinds of stuff, and it's blocked. So it means in front of Kubernetes, it's in front of the Kubernetes door.
B
So if you want to bypass this door, there's a controller in front of you that is actually preventing you from doing some harm in the cluster. That's where we choose, like, in the past we were using tools that give you some kind of YAML-specific thing, like you can't have a bad YAML actually in place in the cluster, so they actually block you from doing that. Instead of waiting for applying to the cluster and the cluster telling you, like, there is some misconfiguration in here, it's telling you beforehand.
B
B
They create separation of concern between the application team and DevOps team, and Paralus is actually one of those, and what Paralus allows you is actually platform teams can create, recreate a permission model in the Paralus dashboard, and the app team actually uses the same permission model to access the cluster. So that is actually overlapping, or what you call a separation of concern. And then there's the Gatekeeper tooling in Kubernetes, and then remember: access management in Kubernetes is as complex as landing something on the moon.
B
A
B
B
...we call security preparedness with some of the open source tooling like Kubescape or Paralus, and a bunch of others available in the marketplace. So I think having some of the tooling that provides automation is necessary, but if you want to do it manually, you can, but you end up in a situation where you spend a lot of time configuring, managing and deploying, and less time in the business domain, like your job is to actually create some application that the business consumes and therefore does their work.
B
A
Okay, oh yeah, that's a good explanation! Yeah, awesome! So I would like to add one last question, and it would be like: how can organizations strike a balance between granting developers the necessary access privileges while maintaining security and minimizing potential risks? So yeah.
B
Yes, absolutely. I think right now what the organization typically needs is, like, I think a lot of the enterprises are building a Kubernetes platform, and this platform has big functionalities, like I tell you: you have zero trust security, built-in policy and enforcement, built-in GitOps and drift detection tooling, built-in networking tooling as well. What organizations are doing right now is adding a tool called zero trust security. What this tool does is similar to the same.
B
This tool is actually added in the platform where the platform team is actually doing it, and their job is to actually create a permission model for the application team, because the platform team's job is to make the life of the application team easier. Instead of after they actually do something bad with the cluster, they're telling them up front: you have these rights, and if you need more rights, let's talk to me.
B
So, yes, so I think... that's why I will repeat again. So basically what organizations are actually doing right now: you have a platform, and the platform has features like zero trust security. First thing first, separate the concern between two teams; the platform team needs more ownership than the development team, and remember I said in the slide as well: not every Dev and Ops team member needs an unrestricted ability to create, delete and modify resources. We.
B
What we do is, we will tell the platform team: your job is to create permissions for the application team so that they can do their work fast. What they do is they can grant, like: app team, you have read-only access to the resource name called deployment; in that deployment anybody can actually list the deployments, but if that person is from another team, he wants access to it. So first thing first, separate the concern, so you will actually look at the permission
B
model and hierarchical model where you can give, like, here is a separation of concern. Once you identify the separation of concern, the next thing is, well, look for the automation tool that gives you automated RBAC, centralized visibility and kubectl real trace of all activities, like if I type kubectl get pod in a dashboard, all of my activities will be logged. If something bad happens, let's say my last command, kubectl apply -f, broke something, it's very easy to do
B
a forensic out of it. Separation of concern number one; number two, automated RBAC; number three, centralized visibility, centralized tracing of all kubectl activity. Number four is do some kind of, and look towards policy and governance for compliance of your organization; try to bring in compliance and a cultural shift, and what your organization is, how your organization is set up, and then you actually create another layer out of it. So I think these are the basic requirements for anybody using it.
B
A
Yep, yeah, Saim, awesome. Thank you so much for these informative answers. Yeah, I guess that's how we can end our session now, right. If there are any questions... no questions left. We can end our session, yeah. Thank you, I guess, so yeah. If you would like to add anything, you can just mention it right now, like something like, yeah, Slack or something like.
A
B
Thank you very much. I see a wonderful audience today in the chat, and number one, I can tell you, like, I also have a YouTube channel called Cloud Native Podcast, and @CloudNativeFM is a Twitter handle where we have 80 plus episodes, and I currently... do a forensic of how, and research around how other people feel in the domain of Kubernetes, and if somebody watching has the same domain and wants to share their story,
B
do let me know; we can conduct some podcasts on my YouTube channel as well. Also, we have a Cloud Native Islamabad community, where you can look; if you type, search Cloud Native Islamabad on YouTube, you see a bunch of very informative workshops on Kubernetes, so do join those as well. And if you're working on some open source project and wanted to be a part of CNCF, or if you are actually going to KubeCon, if you have any interactions, if you want to see me, I would love to communicate.