►
From YouTube: Your Kubernetes single-pane of glass with Kubescape
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
A
Just
a
little
bit
about
myself.
My
name
is
shaoli,
I'm
the
ceo
and
one
of
the
co-founders
of
ammo,
I'm
a
software
developer
turned
entrepreneur,
and
today
I
really
enjoy
my
life.
You
know
I
wake
up
in
the
morning
I
go
surfing,
then
I
go
and
I
build
kubernetes
security
products
for
the
rest
of
the
day.
A
So
what
is
cubescape
cubescape
is
really
becoming
one
of
the
most
popular
kubernetes
security,
open
source
tools
out
there
on
github
and
getting
great
reviews.
You
know
in
in
in
guitar
being
ready
in
the
hacking
news
from
our
users
gaining
a
lot
of
stars
and
really
blowing
up
in
terms
of
the
number
of
stars
and
followers
of
the
project,
which
is
something
that
we
are
super
super
proud
of.
But
what
does
it
do?
A
The
idea
is
very
simple:
it's
to
get
very
quickly
into
a
very
deep
and
good
understanding
of
what
is
going
on
in
your
cluster,
so
you
can
go
to
github.
There's
a
one-line
install
script
that
you
can
use.
You
get
your
results.
You
go
to
the
cubescape
portal,
which
is
a
sas
version
that
we've
deployed
for
you,
which
gives
you
a
single
pane
of
glass
across
all
of
your
clusters,
and
you
can
choose
to
add
cubescape
to
your
ci
cd
and
find
issues
early
on
and
avoid
delays.
A
When
you
make
the
decision,
if
you
put
cubescape
in
your
ci,
cd,
basically
runs
as
a
cli
within
your
within
your
existing
devops
tools
in
your
ci
ct,
and
we
have
integrations
with
github
git
lab
all
of
the
jenkins
serial
ci,
all
of
the
different
pipelines
and
tools
that
are
available
and
also
you
can
put
cubescape
as
a
chrome
job
in
the
simple
namespace
in
your
clusters
for
continuous
monitoring.
It
will
wake
up
and
do
the
scans
for
you
and
continuously
identify
whether
drifts
are
happening
and
give
you
results
over
time.
A
The
different
outback,
always
access
controls
that
exist
in
your
cluster
and
whether
there
is
some
excessive
privileges
that
shouldn't
be
there
and
finally,
taking
all
of
that
against
compliance
benchmarks,
because
this
gives
you
a
very
structured
way
of
understanding
the
risk
and
the
posture
of
your
cluster.
So
that
is
what
we
are
aiming
to
do
in
cubescape.
We
are
going
in
that
direction
and
we
already
have
a
lot
of
that
installed.
A
I
encourage
you
to
look
at
our
roadmap
and
see
more
and
today,
I'm
going
to
show
with
you
what
we
have
to
date
and
how
you
can
use
it
to
get
single
pane
of
glass
security
for
your
own
clusters
when
we
look
at
today.
Basically,
the
idea
is
that
we
give
you
a
risk
analysis
and
compliance
across
all
your
clusters.
A
We
visualize
your
outback,
your
role-based
access
control
and
enable
you
to
query
it
and
understand
in
a
very
informative
way
and
to
investigate,
what's
going
on
with
the
different
walls
in
your
clusters
and
image
scanning
of
the
actual
code
running
in
your
clusters.
So
it's
not
just
in
the
repository
it
gives
you
an
actual
view
of
the
images
currently
running
in
your
cluster
and
what
your
current
risk
is
in
the
cluster
and
we
do
it
across
regions.
We
do
it
across
providers.
A
A
What
does
this
look
like
if
you
are,
if
you
want
to
get
a
single
pen
of
glass,
if
you
want
to
install
it
and
run
with
it,
what
does
it
look
like,
so
any
travel
any
journey
that
you
take
with
us
starts
with
our
github
page,
where
you
basically
take
cubescape
and
install
it
in
your
cluster.
Let
me
show
you
how
you
do
that,
so
I
go
to
github.
A
You
have
very
detailed
information
in
github
about
our
our
control
and
how
to
install
it,
and
here
is
the
installation
line.
It's
basically
an
install
script
that
downloads
the
latest
version
of
cubescape
as
a
cli
to
your
cluster.
I'm
going
to
copy
that
and
of
course
it
is
all
open
source.
So
you
can
see
exactly
what
this
install
does.
You
know
I'm
not
trying
to
get
you
to
run
install
into
a
type
of
bash
similar
like
without
knowing
what's
going
on.
A
You
can
completely
read
it,
but
I've
read
it
and
I
know
what's
there,
so
I
feel
free
to
run
it
in
my
cluster,
I
added
a
gke
cluster.
I'm
just
going
to
run
this
command
it
basically
downloads
cubescape
into
my
environment
and
now
cubescape
is
installed
right
now.
It
is
running
on
this
computer
on
this
cloud,
shell,
and
it
will
be
pointed
at
whatever
cluster
the
the
cube
ctl.
The
cube
cutter
is
currently
pointed
at.
So
if
I
do
a
queue,
color
get
parts.
A
A
Some
of
it
is
out
of
cpu
and
let's
run
a
scan,
let's
see
what's
going
on
in
this
cluster,
because
there
is
much
more
going
on
in
this
cluster
than
just
this
hipster
there
is
the
namespace
of
cubes
of
system
as
well,
maybe
other
things
that
are
installed
here.
All
I
need
to
do
is
do
cubescape
scan
and
I'm
going
to
choose
framework
nsa
just
for
the
sake
of
it,
which
will
basically
test
my
cluster
against
the
nsa
guidance
for
kubernetes
security.
A
We
will
let
it
run,
and
I
get
a
summary
right
here
in
my
std
out
of
the
status
and
the
risk
of
my
cluster,
you
can
see
that
some
of
the
tests
have
been
skipped.
The
skip
test,
our
control,
a
controller
control,
plane
tests
that,
if
you
want
to
run,
you
need
to
enable
specifically
or
host
level
tests
that
require
us
to
put
a
node.
A
demon
set
temporary
demon
set
on
your
host,
and
we
do
not
want
to
do
it
by
default.
We
want
you
to
enable
that,
with
a
specific,
a
specific
command.
A
You
can
see
here
that,
if
you
do
want
to
do
that,
you're
going
to
need
to
run
a
cubescape.
Where
is
it
you
can
see
it
in
here?
You
need
to
put
submit
if
you
want
to
upload
it
and
you
can,
let's
see,
host
yeah
and
minus
minus
enable
host
scan.
This
is
the
this
is
the
flag
that
will
actually
scan
all
your
hosts
as
well,
and
then
all
of
those
tests
will
not
be
skipped.
A
So
I
got
that
I
have
a
view
of
my
cluster
right
here
on
my
in
my
std
out.
I
can
actually
export
it
directly
to
json
and
put
it
as
part
of
my
ci
cd.
Now,
let's
go
and
see
the
single
pane
of
glass
as
it
is
described
in
in
the
ui
of
cubescape.
You
get
a
link
right
here
to
to
the
ui,
so
you
can
actually
go
directly
there,
but
I
also
I'm
also
I'm
already
registered,
so
I'm
going
to
go
directly
and
show
it
to
you.
A
So
this
is
where
you
get
to,
and
you
can
see,
I
see
all
of
my
different
clusters.
I
can
see
my
risk
across
all
of
the
clusters
that
I
have
and
some
of
the
clusters
that
I
have
here
for
a
longer
time.
I
also
see
the
risk
over
time
for
that
and
for
that
cluster,
and
I
can
also
see
it
against
different
frameworks.
A
A
A
This
takes
into
account
all
of
the
different
parameters
of
what's
going
on
in
your
cluster
and
gives
you
a
very
clear
view
of
the
risk
in
your
cluster.
It
takes
into
account
misconfigurations,
it
takes
into
account
vulnerabilities
and
it
takes
into
account
a
whole
base
access
control.
All
of
that
is
driven
into
the
risk
level
and
the
risk
is
built
on
different
controls.
A
So
we
have
in
the
different
frameworks.
We
have
different
controls
that
we
run
against
your
clusters
and
some
of
these
controls
may
just
be
configuration,
but
some
of
these
controls
may
be
correlating
both,
for
example,
a
misconfiguration
and
a
scanning
problem.
So,
for
example,
a
very
you
know,
legitimate
control
would
be,
let's
not
have
misconfigured
highly
privileged
containers
that
also
have
critical
remote
code
execution
vulnerabilities
in
them.
A
If
we
look
in
usually
when
I
look
into
the
different
controls
that
fail
in
my
clusters,
I
like
to
organize
them
by
severity
and
look
at
the
critical
ones.
First,
as
you
remember,
we
skipped
the
control,
plane
and
type
controls,
and
this
is
just
because
I
didn't
want
to
do
all
the
integration
at
this
point,
but
it
is
very
simple
and
you
have
instructions
on
how
to
do
it
if
you
would
like
to
to
for
gke
for
aws,
eks
etc.
A
When
I
look
here,
I
see
that
just
as
an
example
that
I
have
one
of
these
tests
that
have
failed
and
application
credentials
and
configuration
files,
so
we
have
a
developer
that
probably
forgot
or
or
put
because
they
thought
it's
going
to
be
easier
for
them,
the
application
credentials.
Something
is
secret
in
the
configuration
file
of
the
deployment.
So
this
is
something
that
we
should
take
care
of
and
just
the
next
one
is
look
at
that
privilege
container.
A
A
Namespace,
and
these
are
already
set
up
as
exceptions.
We
recommend
you
to
put
those
in
exceptions
and
the
system
can
do
it
for
you,
and
the
idea
is
that
you
have
nothing
to
do
about
that
frankly,
and
the
cue
proxy
and
all
of
the
different
cube
system
ports,
they
need
to
run
as
privileged
in
order
for
the
cluster
to
operate,
so
no
need
to
go
and
fix
that.
But
this
recommendation
service.
A
That's
that's
a
different
story.
You
want
to
check
what's
going
on
there
and
you
can
see
here
that
you
can
go
directly
into
that
deployment
and
understand
what
is
wrong
with
it.
So
if
you
look
at
that,
we
see
that
in
line
69
with
privileged
container
we're
going
to
go
there
and
to
take
us
directly
to
the
problematic
line
and
will
show
us
exactly
how
to
solve
it
going
forward
in
in
the
next
editions
of
cubescape.
A
We
would
like
you
to
be
able
to
see
a
diff
view
of
the
fixed
and
in
the
in
the
horizontal,
and
you
will
be
able
to
accept
the
fixed
version
and
even
create
a
pull
request
directly
from
here
to
your
git
in
order
to
fix
it
back
in
the
ci
cd.
So
your
next
update
you're
going
to
have
a
complete
and
solved
version
of
this
microservice.
A
You
can
see
that
I
already
have
here
like
charoli
corp
one
and
my
custom
framework
here,
and
I've
created
all
kind
of
frameworks
that
I
use
in
different
places
in
my
organizations
in
my
organization,
and
it
is
very
easy
for
me
to
create
one.
If
I
go
to
frameworks
here,
customize
their
own
framework,
I
get
into
a
screen
that
enables
me
to
create
my
own
custom
framework
with
which,
whichever
control
I
would
like
to
have
so,
let's
do
ensure
only
custom
framework.
A
And
I'm
just
going
to
say
a
demo
for
cncf
live
webinar,
not
live,
it's
not
live
on
demand
webinar
and
now
I
can
choose
the
controls
that
I
want
to
have,
and
I
want
to
deploy
in
this
in
this.
In
this
framework,
for
example,
I
can
say:
okay,
privilege
is
something
that
I'm
concerned
about,
so
I'm
gonna
not
allow
port
forwarding
privileges
or
I'm
not
gonna,
allow
my
developers
to
put
privileged
containers
or
ospid
ipc
privileges
or
allow
private
escalations.
A
Well,
let's
do
just
that.
I'm
going
to
click
apply,
and
I
have
my
new
framework
here.
It
is
here
and
now
I
can
put
it
anywhere
in
my
organization
I
can
use
integrations.
I
can
just
install
it
on
any
cluster.
It
is
automatically
deployed
to
any
cluster
or
any
cubescape
that
is
already
running
in
your
environment,
but
if
you
want
to
put
it
back
in
your
ci
cd,
you
can
take.
A
You
can
see
here
the
the
very
simple
example
on
how
to
create
a
github
action
that
will
check
any
new
any
update
to
the
yaml
against
this
custom
framework.
All
you
need
to
do
is
change
this
nsa
to
the
new
custom
framework
that
you
have
created.
So
this
is
how
you
get
the
control
and
all
of
the
good
things
that
cubescape
gives
you
across
all
of
the
different
elements,
from
vulnerability
scaling
to
other
control
into
your
clusters,
in
a
very,
very
easy
to
use
way.
A
A
So
you
will
see
the
results
here
or
you
can
use
our
helm,
repo
and
very
easy
l
installation
to
add
our
namespace
into
your
cluster
and
that
namespace
will
regularly
and
you
can
actually
configure
it
scan
your
cluster
for
vulnerabilities
alba
control.
Misconfiguration
brings
everything
here
into
the
single
place,
where
you
can
monitor
all
your
clusters
and
all
of
your
environment
in
a
very
easy
to
use
way.
A
A
A
They
just
literally
updated
the
production
version.
As
we
speak
right,
you
can
see
that
the
risk
was
changed
to
configuration
scanning
and
you
can
see
that
we
have
a
new,
so
you
got
it
live.
You
have
a
new,
updated
compliance
screen
right,
but
let's
go
back
to
our
to
our
demonstration
and
we
will
look
at
image
scanning
so
image
scanning
you
can
see.
Basically,
we
have
a
scanner
running
within
your
cluster.
A
It
pre-integrates
with
the
repositories
from
which
your
cluster
is
pulling
images,
and
it
only
looks
at
the
images
that
you
pull
and
that
are
running
and
are
deployed
in
your
cluster,
so
you
can
actually
understand
the
the
vulnerability
situation
of
your
cluster
right
now.
What
is
running
right
now
in
your
cluster
and
we
divided
by
critical,
high
medium
vulnerabilities,
very,
very
standard.
A
We
can
show
you
exactly
which
of
the
vulnerabilities
have
fixes
so
28
out
of
those
57
critical
vulnerabilities
actually
have
fixes.
You
can
upgrade
to
a
new
version
and
we
can
also
show
you
which
ones
are
rce
rca
remote
code.
Execution
vulnerabilities
are
more
problematic,
especially
if
they
exist
on
an
outbound
facing
ingress
in
workload
because
they
can
be
actually
abused
without
having
access
like
all
through
the
network.
A
So
this
is
super
important
to
understand
the
know
and
we
can
filter
and
see
only
the
critical
vulnerabilities
and
see
them
here
and
then
go
directly
into
specific.
For
example,
let's
take
the
load
generator
here,
for
example,
I
can
go
into
it
and
I
can
see
how
well
here
everything
is
negative,
negligible
and
medium,
but
we
can
see
everything
and
all
the
vulnerabilities
that
exist
in
this
specific
image
and
you
have
a
view
of
all
the
images
across
time
in
your
clusters.
A
A
A
If
you
see
everything,
sometimes
you
want
to
focus
just
on
a
specific
part
of
what's
going
on
in
your
cluster,
so
we've
created
for
you
built-in
queries,
popular
queries
that
we've
seen
users
using
and
we
added
them
to
give
you
a
very
easy
way
to
understand.
What's
going
on
in
your
cluster,
just
as
an
example,
one
of
the
very
popular
searches
is
who
can
exact
into
a
pod,
because
if
someone
can
exactly
into
a
pod,
they
can
run
code
on
that
pod.
So
we
can
see
that
in
our
case
there
is.
A
A
It
really
depends
on
what
that
that
wall
is
doing,
but
in
general
this
is
something
that
I
need
to
look
into
and
maybe
reduce,
and
then
I
also
see
that
I
have
the
customer
admin
role,
that
as
an
admin
can
do
anything
on
any
with
the
resource,
and
that
is
that
is
just
how
kubernetes
works,
and
but
I
see
that
the
system
masters
group
and
the
user
system,
storage
and
version
generator
a
version,
migrator
ev
admin
role
in
my
clusters.
This
is
probably
okay.
A
It
is
good
that
I
don't
see
any
user
here
like
jonathan,
for
example,
with
cluster
admin
rights
on
my
cluster.
So
that's
good.
Another
very
popular
query
is
unassigned
roles.
Unassigned
roles
are
basically
garbage.
There
are
walls
that,
if
a
user
or
if
an
attacker
gets
gets
hold
of
and
can
assign
himself
to
those
roles
will
be
able
to
do
things
in
your
clusters,
and
you
don't
want
them.
It
is
just
a
best
practice
to
eliminate
and
uses
less
unassigned
holes
as
possible.
A
A
So
I
look
at
secrets-
and
I
can
see
that
secrets
and,
of
course,
the
resource
in
my
in
my
cluster
and
now
I
can
see
all
of
the
different
roles
that
and
what
they
can
do
on
a
resource.
So,
for
example,
I
can
see
that
this
role
can
delete,
get
list
watch
through
the
api,
any
secret
and
that's
the
cube
system.
That
is
perfectly
okay.
With
the
system
controller.
Here
we
have
a
the
the
glbc
and
we
have
all
of
those
roles
which
are
actually
a
kind
of
interesting.
This
role
is
a
bit
interesting.
A
So
what
is
this
edit
wall,
and
why
can
you
do
create
delete,
etc?
To
my
to
any
secrets,
let's
see
which
subjects
okay,
this
is
on.
We
we
see
that
there
is
no.
There
are
no
subjects
attached
to
this
wall,
so
no
one
is
really
using
this
one.
But
if
someone
was
using
this
word,
I
would
say:
okay,
who
this
guy
is.
You
know
who
this
all
is
what
do
they
all
this
subject
is
why
do
it?
Why
do
they
need
this
later
on?
A
But
this
is
even
a
war,
so
maybe
something
that
I
need
to
investigate.
Why
do
I
even
have
this
all
in
my
organization,
of
course,
does
that
mean
that
can
do
anything
they
want
to
the
secret?
And
if
I
and
again
there
is
no
subject
created
to
this
admin,
please
bear
in
mind
that
this
is
not
the
system.
This
is
not
the
cluster
admin.
This
is
another
admin
role
that
I
have
in
my
cluster
in
this
world,
for
example,
they
do
have
a
subject.
A
Let
me
look
at
all
the
subjects,
so
we
can
see
that
this
subject
can
use
this
role
to
get
secrets
in
my
environment,
and
this
is
actually
pretty
much
a
standard.
The
cube
system
of
course
needs
to
do
that,
but
this
is
the
way
you
can
actually
investigate
and
see
exactly
what's
going
on
in
your
cluster
and
then
you
can
clear
and
do
any
investigation
you
want
all
over
again,
of
course,
so
these
are
the.
This
is
the
way
we
build
the
the
the
single
pane
of
glass.
A
We
take
the
outback
data,
we
take
the
image
connect
data,
we
take
all
the
misconfigurations
and
we
take
them
together
into
a
single
risk
pane
where
you
can
understand.
What's
wrong
with
your
cluster,
you
can
do
it
across
clusters
and
across
clouds.
The
compliance
is
another
thing,
and
I'm
going
to
show
it
to
you
and,
as
you
saw
it,
it
just
came
out
of
the
oven.
It
was
literally
updated.
A
Our
production
was
updated
with
this
feature,
as
I
was
recording
this
webinar.
What
we're
doing
next
is
taking
this
single
pane
of
glass
to
the
next
level.
We're
gonna
do,
and
our
roadmap
is
built
of
several
things
that
are
intended
to
help
devops
and
to
have
security
security.
Architects
get
a
better
understanding
of
what's
going
on
in
their
clusters.
A
If
I
go
back
to
my
presentation
and
I'm
going
to
go
to
overview
of
what's
coming
next,
this
is
where
we're
going.
So
we
need,
of
course,
a
lot
of
time
and
work
to
do
that,
and
we
need
a
lot
of
support
you
can
ever.
You
can
see
our
roadmap
publicly
available
on
our
github
page,
but
we
want
to
take
you
from
cicd
to
continuous
virtual
control
and
even
to
random
security,
bring
all
of
that
together
into
a
single
pane
of
glass,
to
see.
A
What's
going
on
in
all
your
clusters
and
what's
coming
out
really
really
soon,
is
the
single
pane
of
glass
dashboard,
which
will
basically
take
all
of
the
information.
We
have
prioritize
it
for
you
and
give
you
a
very
clear
view
of
what's
going
on
in
any
one
of
your
clusters.
So
here,
on
the
left
hand,
side
you
will
have
all
of
your
clusters
prioritized
already
by
the
risk
that
is
calculated
based
on
all
of
the
things
that
we
talked
about.
A
Your
whole
base
access
control,
your
misconfigurations
and
your
vulnerabilities,
and
if
you
over
one
of
those
those
cluster,
you
will
see
exactly
the
score.
You
got
against
the
default
framework,
all
of
the
vulnerabilities
that
exist
and
you
will
be
able
to
go
directly
here
to
analyze
your
whole
base
access
control
and
then,
of
course,
you
have
the
configuration
risk
and
the
vulnerability
risk
right
here
in
a
single
place
and
a
prioritized
list
which
we
call
my
work.
A
That
will
help
you
understand
what
you
need
to
fix
first,
and
these
are
the
things
that
you
need
to
attend
to
in
the
most
agent
of
ways
I
mean
it
will
use
it
already.
It's
already
using
prioritizing,
based
on
the
context
of
each
issue
and
again
context
goes
to
not
only
configuration
but
also
vulnerabilities
always
assess
access
control
in
the
future
data
that
we're
going
to
bring
from
your
runtime
environment.
A
So
this
is
a
summary
that
we're
going
into
and
we
would
love
you
to
take
part
of
you
know.
Building
this
you
know,
go
to
our
github,
create
a
pull
request,
see
what
we're
doing
look
at
our
roadmap,
and
you
know
we're
looking
forward
to
taking
it
even
further
and
and
that
is
it,
you
know
we're
done
and
we
would
love
to
keep
in
touch.
You
know,
let's
connect,
you
can
connect
with
me
via
email.
You
can
link
in
me.
I
would
love
to
be
in
touch.
You
can
follow
me
on
twitter.
A
A
We
see
it
going
places,
we
want
anyone
and
we
want
to
help
any
developer,
any
devops
engineer
or
security
architect
to
be
able
to
understand
the
clusters
very
easily
via
this
open
source
contribution
tool
that
we've
created
yeah,
and
that
was
it.
I
hope
you
enjoyed
it.
I
hope
I
didn't
bore
you
too
much
and
please
ping
me
and
be
in
touch.
Let
me
know
if
anything
you
might
need.
We
love
love,
love
to
get
feedback.
Thank
you.
So
much.