From YouTube: CNCF SIG Security Policy Working Group 2020-05-27
C: Awesome, yeah. So if you want to introduce yourself and talk about, you know, the project, I'll hand it over to you. Awesome.
D: Hi everyone, thank you for the opportunity to present in this forum. My name is Jo Ramanathan. I am the chief security and governance architect for Red Hat Advanced Cluster Management, which is a new offering for Kubernetes. It is a cluster management offering that we actually released last week as a technology preview, so we're pretty excited about it.
D: It is based on technology that exists originally, you know, in a multi-cloud manager product offering within IBM, and we have brought it over to Red Hat, and we have integrated it and talked about it last week as a technology preview. So what I wanted to do today was to take you through a quick intro, an overview of the product, and also do a quick demo. I also have on the call several folks from Red Hat who are also working in this space on security and compliance aspects.
E: All right, thanks. All right, so my name is Juan Antonio Osorio Robles, but Ozz is the shorter version, so I recommend you use that. I work in security and compliance at Red Hat, and we are mostly doing OpenShift, so not a lot of upstream Kubernetes just yet, but hopefully that will change. Happy to be here. Oh.
C: Maybe, well, we have a minute since we're a small group. Robert and Jim, you want to introduce yourselves to the new people, the other people? They know me, yeah.
A: Robert Ficcaglia. I've been active in the CNCF SIG Security group now for, gosh, it's been close to a year, helping with the security assessment activities around new CNCF projects, and also active in this policy work group as well. And I also have recently started working with the Linux Foundation on Kubernetes training topics.
D: Basically, the topic I am going to be covering today is the governance capabilities that we have within the Red Hat Advanced Cluster Management offering. It is also part of the Open Cluster Management community project, and so that's our way to encourage collaboration across Red Hat as well as other third-party products and third-party vendors, etc. So the whole idea of... I'm sure, since you're all part of the security work group, you are very familiar with these concepts, so I'll just quickly cover them.
D: So by governance, what we mean is a structured way of operating an IT infrastructure based on well-defined processes, policies and procedures, etcetera. And typically, you know, that's what most enterprise clients do, right? So they have internal standards, as well as, depending upon which industry segment they are in, they also have to deal with external standards, whether it's PCI, HIPAA, etcetera. So they have well-defined policies and use tools to implement those policies, etc. And GRC obviously stands for risk.
D: So the idea is, you want to be able to identify risk areas and the priority of the risks, so that IT operations can prioritize and remediate them as needed. And compliance: compliance is a very broad term, and it is used in different ways. In the context of the work that we are doing, when we refer to compliance, we are talking about the governance that we put in place by means of defining policies, and being compliant to those policies or not.
D: So this is more focused on, I would say, technical controls and operational policies. So that's really the focus here, as opposed to compliance as it is also referred to in the context of external standards like PCI, HIPAA, etcetera, right? So that's a different level. So there are two levels, if you think about it, and as I walk through the architecture, you will kind of get a flavor of how we address both aspects.
D: So the governance framework that we have put in place, we have several goals there. One is, we obviously want to deliver out-of-the-box policies, as many as possible, specifically for the controls that we provide. So, for example, if the OpenShift platform has security capabilities, we want to be able to deliver policies so that those can be configured correctly. And obviously the same set of policies,
D: some of them also apply to vanilla Kubernetes environments as well, not just OpenShift. But at the same time, we want those policies to be customizable, and so that's one of our goals. The second goal is, we want the ability to integrate data from third-party controls, because we won't be the ones... meaning,
D: when we talk about governance, it is not just for security controls. Governance could also be applied to controls related to the CMC, could be applied to controls related to software engineering standards and other aspects. So the policy framework is designed in a way that, you know, the policies can be applied across the board for all these aspects.
D: So this is the overall governance architecture that we have. So if I start on the right-hand side, we have three different ways in which you can incorporate policies into this architecture. The first is using the governance and risk UI, so we have a policy UI; you will see that in the demo. You can go and create policies there and then bind them to the clusters where they apply, using our placement policy. And so that is possible.
D: So, three different ways in which you can incorporate policies. One of the beauties of using a GitHub kind of mechanism is, it then allows the policy lifecycle to be managed just like you would manage the lifecycle for source code. So that is one of the advantages of using that approach. So those are the three ways, and then once the policy is deployed at the hub, then using the placement policy you specify which managed clusters it applies to.
D: The policy then gets deployed on the managed cluster, and that's the one on the left-hand side. Though I'm just showing one box here, obviously there could be multiple managed clusters here. And then within each managed cluster, you have a set of controls, and some could be Red Hat provided, others are provided by third parties and clients. And then you have policy controllers that consume the policy and then check the state, depending upon what control they are managing. They would check the state against the control and then return back violations.
D: So after this chart, I'll pause and take some questions. So the overall technical approach is to open-source the policy framework and the sample policy controllers and policies, and the way we are doing that is through the Open Cluster Management organization. So that is our GitHub project. And then for technical controls provided by Red Hat, we want to deliver out-of-the-box policy templates, and then within each policy there are annotations that allow you to specify the standards, controls and category.
D: So, for example, you could imagine an enterprise client who is in the healthcare industry. They have to deal with HIPAA. They also have to deal with FISMA if they are interacting with Medicare and so on, and the federal government. So when they put technical controls in place and they want to govern those controls using this framework, they want to say: OK, this policy applies to this control, but it applies to both HIPAA and FISMA.
D: So that is what these customizable annotations allow you to do. So this way, you know, they can get an overall posture view for various compliance standards, and this allows them to continuously monitor the security and audit posture. And then, as I mentioned, the framework allows you to integrate policies from anybody. And the other thing I also wanted to point out here is, we really are not tied to a specific policy language.
D: So, when you see our YAML file, you'll see that the specification for the policy for the control is actually wrapped by additional pieces that allow RHACM to actually ship the policy to the managed clusters. But the actual policy itself could be, for example, an OPA policy, or be written in any other language. So, in fact, Yu, who is on the call here with me, has authored a paper that shows how you can integrate OPA policies into this framework.
D: Yeah, it's basically our policy framework. So one of the things is, we support any policies for Kubernetes native objects. So as long as you have a spec for a Kubernetes object, we can manage that. So that is one example, right? So we have a configuration policy controller that can manage configuration for various Kubernetes resources. But then, you know, we also have policies for certificate management, etc. So those are defined using our own syntax. Yu, you want to add to that, what I just said? Yeah.
G: I want to add that we don't really tie to a single policy engine. So the framework we are providing is the governance framework, and then it allows us to propagate policies to different managed clusters and then collect the status back. So in terms of the policy engines out in the world, we can include them as part of our policy framework, and then the policy gets applied on the managed cluster, and the engine deployed on that managed cluster will execute it.
D: So it's pretty flexible in terms of how you determine, you know, which clusters the policies apply to. And then the policy controllers are deployed on the managed clusters. So the out-of-the-box policy controllers that we provide are auto-deployed on the managed clusters when they're imported or created using RHACM, but other policy controllers obviously can be deployed later. So that's fine. And then, like Yu was mentioning, we have an inform mode and an enforce mode, so this allows you to kind of decide, you know, how you want to deploy the policies.
D: Obviously, you know, some of the controllers support the enforce mode and others don't, right? For example, one of the policies we have relates to how many users have cluster-admin access, and obviously that policy we only support in inform mode today, because if the limit is exceeded, then the corrective action will have to be taken by the ops person. Depending upon whose access it is, they have to do some investigation to determine why the excess access was there and take appropriate remediation.
D: As I mentioned, the policy violations, when you see the demo, you will see they are organized by the compliance standards and control categories. And this is very key: other policies can be added without having to make any changes to the framework, okay. So these are examples of some of the out-of-the-box policy templates that we provide, and in this chart I've kind of mapped them to the NIST 800-53 control categories, and you will see some of these when I show the demo.
D: The key thing I wanted to mention here is, though I will insert a few of the Kubernetes resources here, the framework is rich enough that it can pretty much manage policies for any Kubernetes resource. So I'm just showing examples here based on the mapping for the particular control categories.
D: One of the things I wanted to highlight here is: we do have a policy for CIS, but that currently works only for OpenShift 3.11. We are working on enabling it for OpenShift 4. We also integrate with the Container Security Operator for Quay scanning, so we have a policy for that. This allows you to detect vulnerabilities on pods you're running on the managed clusters. And the certificate management policy, this allows you to specify a time bound within which, if certificates expire, it will flag a violation. So you can give your own certificate expiration.
D: So the same set of out-of-the-box policy templates, I've mapped them to the PCI control categories here. And this is the last chart. So, as I mentioned, we have a community project, which is the Open Cluster Management GitHub project, and so basically RHACM is derived from technology that's available there. We have not completely open-sourced all the pieces; we are in the process of doing so. Some of them are already open-sourced and the rest will be coming in our roadmap.
D: As I mentioned, you know, this technology has been derived from an existing product offering within IBM, and it got moved over to Red Hat. So as part of that, the move happened this year, so we are slowly open-sourcing all the various pieces, with a goal to fully open-source it. In this community project we have a repo called enhancements, and this is where we invite contributions from third parties. And there is also a repo there for how to write a custom policy controller, which Yu has put together.
D: So one of the things, just to mention, I know the chart really didn't point out the compliance operator work that Ozz and Jakub and Tim are working on. So part of that project is based on the ComplianceAsCode community project, and what we are working on right now is to integrate RHACM with that. So that basically means that you will be able to come into RHACM and author policies, and then have the compliance operator enforce or inform on those policies and return back results.
D: So that's the concept we are going to be introducing. So this will then allow you to layer the compliance/policy profile on top of the operational policies, so that you can then answer questions such as: is this cluster operating to PCI readiness? Is this cluster operating to HIPAA readiness? And you will kind of be able to say, I'll take the example of PCI, you'll be able to say: okay, there are 12 controls for PCI, you have governance enabled for maybe five of the twelve controls, and then for each of those five controls here...
D: The other thing I also wanted to point out is the policy framework that we have here, as I mentioned in the first chart, we want this applied and instrumented across the entire hardware and software stack. So the idea here is that it can, though Red Hat is going to be delivering policies for Kubernetes clusters,
D: the same framework can be used to bridge, for example, Ansible, and then manage policies for the VM layer as well, and also, you know, middleware layers. And we have some prototypes that IBM Research has done that kind of show that that's possible, and again done with no changes to the policy framework. So this framework is pretty rich, and so that's kind of the intent here, to apply it across the entire stack.
D: So this is our Red Hat Advanced Cluster Management for Kubernetes. We also refer to it as RHACM, which is just an acronym. So this is the console, and once you're in the console, it actually supports three life cycles. The first life cycle is the cluster life cycle, so you can actually come in and you can import clusters, or you can create a cluster. We also support an application lifecycle, where you can come and define applications which are made up of various pieces like a database, runtime environment, etc.
D: And then you can use placement policy to deploy the various pieces to the various clusters that RHACM is managing. And then the third piece is governance and risk, which is what I'm focusing on here. So the governance and risk panel is what I'm showing here, and you can see at the very top a summary that is based on standards.
D: So, as I mentioned, when you first deploy RHACM, actually you won't see any policies, because what we provide is the policy framework and a set of templates, but we don't apply policies out-of-the-box. What you do is you come in here and then you go and create a policy. I'm doing a live demo. So when you create a policy, you come in here and you give a name for it, and then you pick a namespace now.
D: The namespace here is the namespace on the RHACM hub where the policy is stored, and what this means is, it allows you to assign different users access to different namespaces based on Kubernetes RBAC, and allows you to segregate policies into different stores, different namespaces. So an example use case of this is: if a customer has deployed a cluster and they want to share it across multiple departments, and they want to have different policies deployed for the clusters,
D: then what they can do is they can create a cluster for department one, another cluster for department two, and then they can import both those clusters into RHACM, or they could create both of those clusters using RHACM. And then they can create a bucket of policies for department one, another bucket for department two, and they could have different users doing that, if they choose to do that. And this is using this namespace on the hub; you can enforce the RBAC. That's what this is doing.
D: This doesn't represent the namespace on which the policy is deployed on the managed cluster; that is actually specified within the policy file itself. Okay, and then you can choose one of the out-of-the-box templates that we support, and this is the specification here. So, as you can see, we have a policy for certificate expiration, one for CIS, and we have an IAM policy for the limits.
D: We also have a policy for image vulnerability, and then we have a set of policies all based on Kubernetes objects, for which we provide out-of-the-box templates. So I'm going to choose the certificate expiration as an example. So then, when you select the particular template here, the YAML file automatically gets populated here, and you can see here, for the certificate management policy, the expiration time is specified here and you can actually change that.
D: So this is where the customization can happen. And this namespace here, this is the namespace that determines which namespaces the policy applies to on the managed cluster. You can provide a list of namespaces that are included and namespaces that are excluded. And then you can see here that since we provide the certificate policy template out-of-the-box, we auto-fill in the standards, categories and controls for it, based on the NIST cybersecurity framework. But you can come in here and you can add additional
D: standards, and essentially all the standards are comma-separated, and you can specify standards, controls and categories. And this is how you can take the same policy and apply it to multiple standards. And then you can come and click here whether you want to enforce the policy, if supported. So this is something, you know, you kind of have to check whether our out-of-the-box templates support enforce or not, and if it does, then you can click that here. And we also have this button.
D: This allows you to, you know, if you're still in the process of refining your policy and you're not ready yet to deploy it, you can come in here and select this disable button, which means it won't get deployed. The cluster binding, this is the one that specifies the placement, so you can select a particular cluster, which is in this case Department.
D: So this gives you the flexibility on how you specify the binding for a given policy. So once you do this, then the policy will show up in this list. So what you see here is we have defined a set of policies using that mechanism, and, as I mentioned earlier, the UI is just one way to do it. You can also just author the policy YAML file and import it using the CLI, or you can use the subscription mechanism as well.
D: So in this case, the certificate expiration policy has a violation, so you can see the violation. So when you come to that particular policy and you click on the violations tab, that's when you see the violation, and in this case you see that we have a certificate that expires in less than the time period that was specified, in that namespace. And so it kind of shows you that. Another example is the image one; let's take a look at that one. So the image vulnerability policy, it is this one.
D: So what we have done here is we've added a policy to manage the Container Security Operator, which is an operator that is available on OperatorHub, and you can deploy it on the OpenShift clusters to detect image vulnerabilities on the running pods. So what we essentially have done here is we have defined a policy that ensures that that operator is running, and it also detects whether there are any violations. The way it detects violations is that the operator actually creates this image...
D: Okay, maybe you can help here, but typically what you see here is a message that shows the object ID, and I'm trying to make sure that shows up, and it's not coming up here, but anyway. So what you will see is the ID of the object... oh, there it is. There always has to be a demo. So what it shows here is this ID.
D: So then, what you can do is you can go to the OpenShift console for the particular managed cluster, and you can go and look for that particular object by searching for it under this custom resource definition. And then, when you go into the details of that object, you can actually look at the violation details. So essentially, what we are doing here is: the Container Security Operator is running on the managed cluster.
D: We are using RHACM to define a policy that first makes sure it runs, and then, secondly, if that operator detects any vulnerabilities, in which case it will create those custom resource objects for the image manifest vulnerability type, then it will show up as a violation on RHACM, and that will then give you the ID. You can then drill down using the OpenShift console to get the details of the violations. So, the compliance operator work that Ozz and Jakub and Tim are working on...
D: So when you view it by categories, what you're seeing here is the summary for each category, you know, how many clusters are in violation as well as how many policies are in violation, and you will see that both for the NIST categories and the PCI categories. Or you can view it by standard, and as I mentioned, you can add additional standards here. So if I'm a healthcare customer, you know, maybe I won't be interested in PCI, but instead what you will see here is HIPAA, FISMA.
D: That applies not just to one control, but it also applies to multiple controls, and we also have a way to do that so that, you know, we can slice and dice for standards, controls and categories as well, right? So we don't have a standard definition yet, and I know that this workgroup has been working on such a definition. So what we really wanted to do was to contribute to that and implement that standard.
B: Yeah, that is a good segue, and definitely we can, you know, kind of dive into some details on that. So one other question I had, though, on the demo: when you were going through, you know, the policy definition, it had something about "enforce if available", or there was a label like that.
D: Yeah, so the "enforce if available": as I mentioned, not every policy can be enforced easily, right? Some can be, and others are a little more complicated. So that's why, you know, "if available" basically means whoever is creating and deploying the policies has to check whether this particular policy supports it or not, right? And then, if it's supported, then they can enable it, but we don't today support it for all the policies.
D: So the namespace policy, in this case, right, it is specifying that there should be a namespace, because it says "must have" a namespace that has the name prod, okay. So right now it's set to inform, but if this was set to enforce, then if the managed cluster did not have a namespace called prod, it will automatically create the namespace. So that's just an example, right? So you can essentially specify here any Kubernetes...
D: I think so. Meaning, well, what I mean is, as long as it fits into the specification of a Kubernetes resource object, then we are relying on... we will just create that object on the managed cluster, right? And then, whatever the Kubernetes runtime that consumes that CR enforces, we automatically get it. So what we are managing is the configuration to the Kubernetes runtime. Does it make sense?
G: Whatever is specified in the template, "must have"... so if, for example, the template specified here is a subset of what's actually being created on the managed cluster, then it's compliant. So "must only have" means it should be an exact match, and "must not have" basically simply means they should not exist. So these are three types of verbs.
D: Yeah, so right now we don't have the historical view yet, but it's definitely something in our roadmap, and I know Yu is actually working on that. So the idea there is that when you have a particular policy, it will kind of... because the policy controller is essentially checking the policy's compliance periodically, right? Today it only returns the current state, or, you know, whatever is the point-in-time state right at the time it did that check.
D: So the audit evidence collection is something we will look at, you know, but our initial focus is more on ensuring that the clusters are configured properly, right, for best practices, and providing that visibility view. So that's the first. Then we want to get the historical stuff, and then, thirdly, get into more the audit evidence collection.
E: Robert, right, what Robert presented, that was my main concern with the proposal. I mean, Erika pointed it out to me some time ago, and the only thing that, besides wanting to look at more use cases, the only thing that, in my opinion, is lacking from their proposal, not RHACM but I mean the proposal for the object that's gonna represent policy violations, is exactly that: a lot of times you don't really care about just what failed in a policy, but there are more states to it, right?
E: Usually you have like an informational warning or informational message. Oftentimes we'll have that the policy passed, and so on. So the way that we went around this, I mean, we have yet another operator that does policies, and like I could maybe in the next weeks explain about it, because it's its own separate thing, but the way that we addressed it is by having something called a compliance check result, and that contains both the severity of the check, the...
E: What do we have? Severity, with the status: if it passed, fail, error, not checked, was skipped, and I don't remember exactly how many states we have. But I mean I could present actually what we have real quick. Let's see if I can share my screen. Desktop, there you go, share. Just something super quick. Do you see my screen? Yes.
E: Sorry about that, can I remove this one? And there we go. So, oc get compliancecheckresults. So I ran... I was working on this and I ran a scan, and it's just gonna tell me everything that happened for the cluster, right? So audit rules are failing in this cluster, some of the configuration is passing, and so on. Ultimately, what I do want is to know what failed, so I can see that effectively.
E: What else does it have? Yeah, that's basically it: severity, status, some identification that is gonna appear in your compliance document or your audit results, and a description of what was done there, right? So having something like this would be really useful. We could easily just migrate to whatever you guys have, but ultimately it's something a bit more flexible than just violations, right? Yeah.
B: I can, and I'll share the link again, just to kind of quickly show what... so this is more like taking into... so I started updating the other document, but then figured it was easier to write a new one, because there were just too many different comments and changes to manage in the Google Doc. So this proposal takes some of the main comments, in addition to what you mentioned, to provide a way to, you know, not just capture the violations, but even the results in terms of which policies were applied,
B: what time, things like that, and also provide some flexibility in aggregating these results. I think there was another comment from, I think, somebody else at Red Hat, right, Erica, on aggregating these for, like, nodes. So this new proposal allows aggregating results at different levels, and then also, you know, being more flexible in terms of other custom data that we might want. So just to quickly show an example, and I was just trying to map it to...
B: Let's say you want to run a CIS Kubernetes benchmark, right? And what's interesting in this case is it doesn't relate exactly to a Kubernetes object or resource, but it's relating more to components in the control plane and the worker and so on. But the idea here would be to keep this reporting mechanism flexible enough to cover that as well. And I took another example.
B: This is more for a workload, like from Kyverno, where we're just reporting failures for pod security, right? So again, here we're just showing a failure, but the idea could be that you could also add success results, like which checks actually passed, and for each you would have like a pass/fail/warn/info, and we can customize the categories. So anyways, I know we're coming up on time, but it would be great if you want to take a look, and we can...
C: Great. Could you, Jessie, could you add links to your project in the agenda notes, and if the slides are public, that would be great too. I linked to the agenda in the group chat.
D: No, this is... I'm really excited. Again, you know, glad to get hooked up into this work group, and I think the work is very timely, because we are trying to, like I said, integrate this compliance operator and RHACM together, and this is something we have to do, so it'll be great to make it a standard. So, you know, it's great.