►
From YouTube: Demo Days - Container Registry and Container Security
Description
Andrew Weiss and Robert Freeman, Solutions Engineers, explore the container ecosystem with an emphasis on code security. Dig into static code analysis and variant analysis to reduce false positives. Prevent your software supply chain from passing known vulnerabilities into your build. Learn how to package up your code into a container, make it available via the GitHub Package Registry, and deploy it to a Kubernetes cluster with AKS.
Can we help you solve a specific problem?: https://github.co/twitch-contact-sales
B
B
B
Potentially,
potentially
not
sure,
yet
it's
a
little
thin
for
that,
but
I
heard
about
this
awesome
thing
called
github
container
registry
rob
you
and
I
were
talking
about
it
a
little
bit.
I
heard
it's
got
a
little
security
to
it.
It's
got
some
container
flexibility
and
enhancements.
Tell
me
a
little
bit
about
this
container
registry
that
you
wanted
me
to
look
at
for
this
application.
A
It's
a
nice
setup,
it's
interesting
because
to
go
to
go
back
a
little
bit
before
before
I
jump
into
this.
It
probably
is
relevant
to
talk
about
our
background
so
me
and
andrew
in
the
container
space.
I
say
we
we
we
are
at
least
knowledgeable
enough
to
discuss
it
at
some
depth.
Me
andrew
have
known
each
other.
For
I
don't
know,
we've
been
working
together
for
two
and
a
half
three
years,
something
like
that
right,
yep
and
we
first
met
at
a
docker.
A
You
know
one
of
the
folks
that
helped
make
containers
really
usable
and
one
of
the
things
that
was
really
exciting.
Now
that
we're
at
github
has
been,
you
know,
they're
they're,
embracing
of
you,
know
that
container
ecosystem,
and
so
now,
with
the
launch
of
of
github
container
registry-
and
I
was
super
excited
to
see
like
what
was
our
take
on
it.
How
did
we
do
it?
What
ways
is
it?
A
Is
it
kind
of
differentiated
and
special,
and-
and
it's
like
I
said
it's
it's
one
of
the
things
I've
been
really
excited
for
ever
since
started.
Github
is
to
to
have
this
type
of
capability
to
kind
of
bring
not
just
our
code
but
to
be
able
to
take
our
compiler
effects.
In
this
case,
our
images
or
container
images
and
be
able
to
store
them
in
one
place.
B
Yeah
absolutely-
and
you
know,
containers
have
been
around
for
quite
some
time
and
you
know
lots
of
folks
are
using
containers.
You
know
out
on
docker
hub
and
also
recently
with
github
packages,
but
one
of
the
things
that
individuals
and
entities
are
concerned
about
is,
of
course,
security.
Security
is
top
of
mind
for
a
lot
of
folks.
You
know,
we've
got
all
these
containers
out
there.
B
You
know
how
do
we
prevent
things
like
container
sprawl
and
ensure
that
the
software
we're
packaging
into
those
containers
is
secure,
and
I
think
that's
a
lot
of
the
impetus
too,
for
github
container
registry
is
really
expanding
upon
that
vision.
We
have
with
github
packages
and
really
digging
into
this
space,
especially
from
a
security
perspective.
You
got
any
comments
on
that
rob.
A
B
Love
it
love
it.
So
we've
got
an
application
here
that
you
and
I
have
been
working
on.
We've
got
the
blog
post
up
with
the
recent
launch
of
github
container
registry
and
I've
been
reading
about
some
of
these
security
enhancements
around
access
control.
So
what
we
want
to
do
is:
let's
try
to
set
this
up.
Let's
try
to
wire
this
up
to
our
repository
that
we
have
I've
got
a
sample
code
base
here.
This
is
just
a
simple
node.js
backend
with
an
express
api.
B
It's
also
using
a
react.js,
front-end
client
super
simple
application
and
I'll
run
it
here
shortly,
but
rob
you
and
I
have
been
working
on
this
together.
We've
got
a
couple
of
issues
up
and
you
called
me
out.
You
said
I'm
the
security
guy.
You
said
this
is
something
I
should
look
at
here.
We've
got
a
few
things
we
have
to
configure.
We've
got
some
static
code
scanning
that
we
have
to
address
some
deployment
tasks.
It
looks
like
to
a
kubernetes
service
running
out
on
microsoft,
azure
anything
else
here.
A
I
mean
that
definitely,
you
know
number
one
on
the
list:
dependency
vulnerabilities,
whether
whether
we
have
you
know
open
source
libraries
that
have
dependencies
that
github
will
automatically
find
for
us.
A
B
Absolutely
absolutely,
and
it
looks
like
two:
a
couple
of
these
security
vulnerabilities
were
detected.
Let's
take
a
look
at
what
these
look
like
looks
like
I
know,
you're,
not
necessarily
up
to
speed.
When
was
the
last
time
you
wrote
some
some
javascript,
it's
been,
it's
been
a
hot
second
right,
yeah
javascript.
A
B
Yeah,
so
we're
gonna,
we're
gonna,
keep
you
away
from.
I
guess
the
the
source
code
specifically,
but
it
looks
like
here
knowing
what
I
know
about
this
application,
there's
some
client-side
dependencies
that
have
some
vulnerabilities
associated
with
them.
If
I
dig
in
here,
it
looks
like
http.
Proxy
dependency
needs
to
be
version
bumped,
but
it
also
looks
like
github
has
done
some
some
version
bumps
for
me
with
the
depend-a-bot.
So
we
can
definitely
merge
these
in
review
these
locally
and
make
sure
we
fix
these.
A
Well,
I'm
just
gonna
say
that
that
is
an
awesome
feature
of
github
that
I
think
a
lot
of
people
don't
recognize
is
the
idea
that
hey
you
know,
we're
all
using
open
source
packages
and
open
source
dependencies
throughout
our
code
to
be
able
to
develop
faster,
and
we
we,
you
know
we're
not
always
necessarily.
On
top
of
of
you
know,
what
do
we
need
to
address
where
their
vulnerabilities
have
been
found,
so
by
github
kind
of
helping
us
out,
you
know,
makes
for
more
secure
code,
absolutely.
B
Absolutely
it
looks
like
static
code
scanning.
We
have
to
set
this
up
as
well.
Can
you
talk
more
about
some
of
the
static
code
analysis
capabilities
too,
that
we
have
available.
A
Github
advanced
security,
which
is
now
well.
That
might
be
actually
that,
maybe
that's
a
mistake,
maybe
we
don't
call
it
that
anymore,
sorry
to
keep
track
of
all
of
all
our
ships,
but
yeah
stat
code
analysis
goes
because
it's
kind
of
a
step
beyond
depend
about.
You
know
that
was
our
first
step
as
we
started
to
focus
more
and
more
on
on
security
here
at
github,
and
what
we've
realized
is
it's
great
to
respond
to
vulnerabilities
they've
already
been
found.
A
You
know
been
identified
in
the
form
of
of
cdes,
but
how
do
we
take
it?
A
step
further
and
look
at
our
actual
code
base
and
identify
potential
vulnerabilities
on
in
custom
code
and
static
code.
Analysis
allows
us
to
do
that
and
it
does
it
in
a
very
kind
of
github
way
in
the
sense
that
it's
not
a
black
box.
That
says,
let
me
look
at.
Let
me
look
at
much
code
and
I'll
tell
you
what
the
vulnerabilities
are,
but
I'm
not
going
to
tell
you
to
tell
you
how
I
found
them.
A
A
So
we
can
run
queries
directly
against
it,
using
what
we
call
code
ql,
which
is
a
a
language
that
can
be
a
query
language
that
we
can
directly
write
against
our
actual
data
or
our
code
stored
in
databases
and
then
we're
able
to
identify
when
there
are
vulnerabilities
and
use
variant
analysis
to
find
both
both
common
vulnerabilities,
as
well
as
potential
vulnerabilities
and
and
these
custom
queries
and
the
idea
that
they
are
they're
adaptable,
allows
us
to
help
minimize
the
number
of
false
positives.
A
B
Yeah
100
agree
rob
and
it
looks
like
here.
I
can
take
a
look
at
an
analysis.
Workflow
that's
already
been
set
up
for
me.
Let's
go
ahead
and
actually
do
this
right
now,
let's
set
up
this
workflow
so
for
for
those
of
us
familiar
with
github
actions.
Github
actions
is
our
built-in
ci
cd
capability
and
it
looks
like
here
that
github
has
automatically
filled
in.
A
B
Of
the
yaml
configuration
and
the
things
that
I
need
to
set
up
the
the
actual
code
scanning
steps,
let's
take
another
look
through
this
workflow
here
it
looks
like
it's
going
to
trigger
a
new
ci
cd
task.
Every
time
I
push
against
my
master
branch
and
open
up
new
pull
requests
against
master
or
based
on
a
schedule,
cron
job
here
as
well.
It
looks
like
it's
going
to
do
a
scan
against
javascript
language,
which
is
what
I'm
using
here.
So
that's
great
check
out
my
source
code
and
then
do
the
auto
build.
B
Like
you
mentioned
it
compiles
it
into
that
database
against
which
I
can
run
queries,
and
then
it
actually
does
the
analysis
all
right.
So
let's
go
ahead
and
set
this
up
and
I'm
gonna
leave
the
commit
message,
as
is
I'll,
set
up
an
optional,
extended
description,
I'll
go
ahead
and
create
a
new
branch,
we'll
call
this
codeql
scan.
A
B
We'll
do
some
code
scanning
here
we'll
say
it's
going
to
address
issue
six
and
I
will
maybe
I'll
sign
you
as
a
reviewer
here.
A
Oh
I
got
this
is
my
first
twitch
in
case
in
case
all
the
viewers
out
there
are
wondering
why
they
haven't
seen
me
more
often
playing
like
duck
hunt
on
twitch,
so
I
have
to
I
have
to
wade
through
all
my.
A
I
wait
through
all
my
all
my
windows
to
keep
water
and
approve
your
work.
I'm
used
to
improving
your
work,
I'm
basically
your
boss.
So
let
me
essentially
yeah.
B
And
it
looks
like
the
scan
has
started,
so
we
can
take
a
look
into
that.
It's
initializing
code,
ql,
it's
checked
out
my
code
and
it's
doing
everything
it
needs
to
do
here
so
we'll
let
that
run.
So,
let's
take
a
look
at
some
other
tasks,
rob
while
you're
reviewing
that
and
figuring
out
your
your
twitter.
A
B
See
what
we
got
here
so
we
also
have
to
do
container
image
vulnerability
scanning,
but
before
we
do
that,
let's
go
ahead
and
circle
back
to
the
application
here
and
take
a
look
at
the
code
we
have
and
what
we
need
to
do
to
actually
package
this
app
as
a
container.
B
B
Here
in
this
file,
is
this
just
gonna
run
my
app,
as
is.
A
Yeah,
let's
see
here
hold
on,
I
gotta
get
my
glasses
on
all
right
yeah.
So
if
you
guys
are
ever
seen
a
dockerfile,
it
should
look
fairly
familiar.
But
if
not
you
know,
you
have
your
initial
image
that
you're
basing
off
here,
which
looks
like
you're
using
a
node,
build
you're,
setting
your
your
working
directory
on
where
you're
going
to
put
everything
you're
copying
in
your
your
json
file,
with
your
with
your
packages
and
then
you're
running
impedance,
so
you're
installing
npm.
A
I
haven't
looked
at
this
yet
so
and
then
walk
through
it,
we're
exposing
a
port
so
that
we
can
actually
expose
this
outside
of
the
of
our
kubernetes
cluster.
We're
copying
everything
in
the
directory
and
then
we're
we're
running
a
command
awesome.
B
So
yeah,
it's
gonna
looks
like
it's
gonna
package
up
the
app
make
it
available
as
a
container.
Once
we
run
it,
let's
see
here
anything
else
that
we
need
to
take
into
account.
We've
got
some
code
spaces
stuff
here.
I
guess
we'll
dig
into
that
in
a
bit.
Let's
take
a
look
at
the
client-side
container
as
well.
It
should
look
about
the
same
yep.
As
you
mentioned,
rob
it's
gonna
set
a
working
directory
in
the
container
it's
gonna
copy.
B
Over
my
dependency
manifest
looks
like
we're
doing
some
finagling
here
around
the
the
host
routing.
I
guess
we'll
get
into
that
a
little
bit.
Oh,
this
is
pretty
cool.
Looks
like
I'm,
using
if
you're
familiar
with
the
multi-stage,
build
rob
right
with
the
the
build
steps
in
a
separate
step
from
the
the
actual
runtime
yeah.
This
is
ideal.
A
B
B
A
The
the
concept
is,
is
the
div
of
a
minimizing,
the
the
things
that
or
the
the
points
of
entry.
You
know
your
attack,
surface
area,
so
the
less
moving
parts
you
have
that
you
don't
need
which
is
what's
in
these
these,
these
large
images
that
are
built
to
actually
compile
your
job.
There
are
more
places
there
can
be
vulnerabilities.
So
if
you
limit
your
actual
container
image
to
just
the
the
functions
and
procedures
that
you
actually
need,
that's
going
to
reduce
your
attack,
surface
area
and
make
it
a
more
secure
system.
B
Yeah
and
we're
using
just
the
nginx
web
server
here
to
actually
serve
out
this
content,
which
is
a
pretty
lightweight
container.
They
have
some
variants
as
well
that
are
based
on
alpine
linux,
which
makes
that
image
even
smaller
and
there's
a
lot
of
creative
things
that
you
can
do
here
from
an
image
standpoint
for
optimizations.
B
B
So
I've
got
all
the
same
files.
My
code
is
pulled
down.
I've
also
got
a
make
file
here,
that'll
kind
of
assist,
with
some
of
the
the
build
steps
and
for
those
that
are
new
to
containers
in
order
to
take
our
docker
file
and
turn
that
into
a
container.
We
have
to
build
it
first
and
create
what's
known
as
a
container
image.
B
That
image
is
then
subsequently
pushed
to
some
registry
and
then
from
that
registry
we
can
of
course
deploy
that
as
a
running
container.
So
it
looks
like
I've
got
the
build
steps
ready
to
go
here.
If
I
do
a
make
build,
it
should
go
ahead
and
build
my
images
locally,
and
I
happen
to
be
running
the
docker
desktop
tool,
which
is
an
awesome
free
to
download,
desktop
client
with
docker
pre-packaged
and
ready
to
go.
It
even
includes
a
kubernetes
cluster
that
you
can
spin
up
on
your
local
workstation
works
across
mac,
os
and
windows.
B
There
are
tons
and
tons
of
options
for
using
docker
locally.
Of
course,
there's
mini
cube
on
the
kubernetes
side.
You
can
use
other
oci
or
open
container
initiative,
compliant
builders
and
specifications
tons
of
flexibility.
Here
it
looks
like
it's
packaging
up
my
app.
A
As
you
as
we
watch
that
I
will
tell
you,
after
a
thorough
review,
I
have
approved
your
pull
request.
B
C
A
B
Yeah,
yes,
so
we
haven't
merged
into
the
base
branch.
Yet
so,
assuming
once
we
merge
this
in
you've
approved
it,
we
should
be
able
to
do
some
results
reporting,
but
it
looks
like
the
scan
was
was
completed,
which
is
nice,
so
I'll
go
ahead
and
merge
that
in
so
we
have
that
going.
A
B
All
right,
a
wise
guy
here.
I
appreciate
that.
I
appreciate
that
see
here
so
that
has
been
merged.
Let's
go
ahead
and
close
that
out.
B
Now,
of
course,
we
could
use
a
project
board
and
automatically
close
this,
but
for
this
simple
project,
we'll
just.
A
C
A
C
B
It's
great
so
we've
got
our
images
built
and
now
what
we
want
to
do
is
we
want
to
push
these,
so
this
makefile
put
together
also
has
the
registry
endpoints
that
we
want
to
push
to
now
with
the
new
github
container
registry
for
those
that
may
be
familiar
with
github
packages,
there
is
a
new
endpoint
that
you're
going
to
want
to
push
to
and
the
endpoint
is
going
to
be
specific
to
either
your
user
handle
or
your
organizational
handle
that's
associated
with
your
repositories,
so
the
endpoint
is
going
to
be
ghcr.io
forward,
slash,
octodemo
and
then
your
image
name
specifically
and
then
whatever
tag
you
want
to
give
it
now,
when
you
push
here
so
I'll,
go
ahead
and
do
a
make
push,
and
I
should
already
be
authenticated.
C
B
B
But
once
the
image
is
pushed
out
there,
let
me
show
you
what
that
looks
like
it'll
show
up
in
your
packages.
Tab
and
it'll
be
filtered
out
by
type
container,
so
the
docker
filter
is
for
the
docker
or
the
get
a
packages
format.
Of
course
we
encourage
folks
to
migrate
to
this
new
github
container
registry,
where
possible-
and
we
have
some
migration
steps,
that
we
publish
to
to
our
documentation
and
it's
as
simple
as
changing
the
endpoint
and
then
pushing
your
container
images
to
that
new
endpoint.
A
Yeah,
I
think
I
think
that's
an
important
emphasize
right,
the
the
switch
if
you're
going
from
you
know
azure
container
industry
or
from
docker
hub
or
wherever
it
might
be.
You
know:
we've
we've
used
industry
standards
here,
so
you're
really
just
changing
the
end
point.
It's
it's
a
it's
a
pretty
easy
transition
and
there's
not
a
lot
of
you,
know,
recoding
or
or
work
involved
in
in
getting
your
stuff
moved
over
here.
Yeah.
B
Absolutely
and
the
other
thing
to
keep
in
mind
with
container
registry.
So
when
you
first
push
the
image
now,
this
one
has
already
been
pushed
it'll
prompt
you
on
the
the
summary
page,
whether
or
not
to
link
it
to
a
specific
repository.
So
that's
the
other
difference
from
going
from
get
up
packages
get
up.
Packages
is
going
to
push
the
package
directly
within
the
space
assigned
to
that
repository.
B
In
this
case,
you
have
flexibility
to
link
this
to
different
repositories
as
needed
and
then
assign
access
as
needed.
The
use
case
for
that
is,
if
you
have
a
kind
of
a
global
base
image.
Let's
say
I
wanted
to
have
a
specific
version
of
nginx
that
my
organization
is
going
to
use.
Then
I
can
push
that
here
as
well.
A
And
then
in
the
package
settings
go
ahead.
Rob
now
I
was
just
gonna
say
that
that
capability
is
is,
is
super
important.
You
know
we.
We
talked
to
a
lot
of
folks
and
that's
something
that
they
really
wanted,
because
it's
it's
sometimes
sometimes
it's
hey.
I
want
a
a
base
image
that
I
can
use
across
my
interiorization,
and
sometimes
it
might
just
be
this.
A
Is
you
know
this
is
my
preferred
node
image
that
I'm
going
to
use
to
base
all
of
my
various
projects
on,
so
it
can
be
as
kind
of
as
broad
or
as
skinny
as
it
needs
to
be
for.
B
Once
absolutely
yeah-
and
these
are
some
of
the
new
asterisk
control
functions
here
so
right
now-
I'm
the
only
user
with
access
to
this
image
so
rob.
I
think
if
you
try
to
access
this,
you
won't
be
able
to
in
this
particular
case,
but
of
course
I
can
invite
very
selfish
of
you
yeah.
I
know
what
can
I
say
I
mean
in
this
case.
I
can
certainly
invite
you
to
access
this
image,
but
I
don't,
I
don't
think
we're
gonna.
Do
that
I'm
a
little
security
professor.
B
So
so,
of
course
these
are
some
of
the
new
access
control
functions
and
they
work
very
similarly
to
how
we
do
access
control
across
the
rest
of
github
for
repository
permissions
and
then,
of
course,
within
github
container
registry.
We
very
much
treat
it
like
a
traditional
oci
compliant
container
registry,
so
I
can
see
the
tag
push
the
shot,
256
digest
associated
with
that
image,
and
then
I
can
drill
into
that
tag
specifically
provide
a
description.
B
In
this
case
I
don't
have
one,
but
most
importantly,
I
can
see
the
manifest
which
describes
some
information
about
the
different
layers
in
that
container
image
and
ensure
that
it
matches
up
for
integrity
purposes.
A
And
in
a
related
but
unrelated
comment
for
those
security
conscious
folks,
you
should
all
know
that
andrew
weiss
is
playing
a
name,
his
first
child
with
just
its
shaw,
256
shaw,.
B
Let
me
see
here
so
we've
got
the
image
pushed
now.
The
other
thing
I
wanna
do
so.
We've
got
the
code
scanning
going
now.
What
we
need
to
do
is
we
need
to
create
a
workflow
to
actually
build
and
test
this
code
and
push
it
out
as
a
github
action.
B
B
I'm
gonna
use,
I'm
gonna
start
with
the
node.js
workflow.
Let's
take
a
look
at
what
this
looks
like
so
again,
it's
going
to
initialize
this
workflow
based
on
whether
or
not
it
pushed
to
a
specific
branch.
B
It's
going
to
check
against
different
versions
of
node.js.
In
this
case.
Let's
just
do
note.
12
we'll
do
12
and
14
how's
that
going
to
check
out
my
code.
It's
going
to
check
against
those
versions,
now
run
npm
tests.
One
of
the
things
I
need
to
do
is
I
need
to
make
sure
that
this
particular
step
runs
with
a
specific
environment
variable,
and
this
is
going
to
be
ci
is.
B
True,
it's
auto
filling
for
me
there
now.
The
reason
I'm
doing
this
is
because
the
unit
test
engine
I'm
using
on
this
particular
app
and
rob
if
you
had
written
some
javascript
recently.
You
would
probably
know
this,
but
I
know
it's
been
a
while
we
are
using
a
test
runner
which
opens
up
an
interactive
prompt
in
this
particular
case.
I
want
to
run
this
in
headless
fashion.
So
that
way,
my
unit
tests
will
not
stop
the
workflow.
A
Yeah
well
you're
busy
writing
javascript,
I'm
busy
throwing
shout
outs
to
my
boy,
moose
or
kevin
iamba
over
on
the
chat.
A
It's
just
important
to
be
writing
things
in
chat
and
using
emojis
as
it
is,
writing
javascript.
A
B
Now
we're
doing
this
on
the
fly,
so
it's
likely
we'll
probably
run
into
some
errors
here,
but
there's
definitely
some
approaches
that
you
can
take
when
building
github
actions
create
node
builder.
B
What
I
typically
do
is
I'll
do
everything,
of
course,
on
a
separate
branch
instead
of
working
through
the
the
central
and
main
branch
and
it's
a
good
way
to
kind
of
test
and
iterate
against
the
action.
It's
likely
that
unless
you
have
a
super
sound
ready
to
go
action,
workflow
already
built
at
your
disposal,
you're,
probably
going
to
run
into
some
errors,
and
there
may
be
some
trial
and
error.
I
think
this
is
just
kind
of
a
challenge
with
any
sort
of
ci
cd.
A
A
You
should
be
starting
with,
ideally
with
some
of
the
community
actions
that
are
available,
so
you
know
we
talk
about
if
you're
deploying
to
aks
like
we
are
in
this
instance,
you
know
being
able
to
reference
back
to
the
aks
action
that
was
developed
by
the
microsoft
team
and
and
using
that
as
a
foundation
to
build
off
of
you
know,
that's
one
of
the
great
features
of
github
that
that
feedback
loop,
which
allows
us
to
utilize.
You
know
the
best
the
community
has
built
and
ideally
then
we're
then
contributing
back.
B
C
B
Okay,
so
now
we've
got
this
workflow
locally
and
what
we
need
to
do
is
we
need
to
change
the
working
directory
for
this
particular
command,
and
the
nice
thing
about
editors,
such
as
visual
studio
code,
is
that
we
have
plug-ins
to
support
things
like
intellisense
and
syntax,
highlighting
for
your
github
actions
workflow,
as
you
saw
there,
and
I'm
going
to
use
relative
path
syntax
here
and
we're
going
to
do.
B
Spaces
rob
you
might
be
breaking
up,
I
think,
what's
going
on
with
the
internet
over
there
well.
A
B
A
B
Yeah,
so
there
is
a
tool
that
you
can
do
that.
I
don't
have
the
url
off
the
top
here,
but
there
is
a
tool
that
you
can
use
to
test
actions
locally
for
the
different
steps
that
you
have,
but
you
can
essentially
link
your
actions
based
on
the
latest
schemas
that
we
provide.
I
highly
recommend
the
the
github
extension
for
github
actions
for
visual
studio
code.
It's
a
great
way
to
kind
of
walk
through
things
and
see
errors
that
you're
writing
locally.
B
C
B
So
while
those
workflows
are
running
rob,
what's
the
other
thing
we
have
to
do
here,
you've
got
a
few
other
tasks
here.
So
oh
we've
got
to
deploy
this
thing,
so
we've
got
to
test
it.
We've
got
to
deploy
it
now
before
we
deploy
it.
We
need
to
actually
create
those
deployment
artifacts
using
kubernetes
and
every
time
I
think
of
kubernetes.
All
I
think
about
is
yaml
yaml
with
gamma
and
lots
of
lots
of
yammer.
So
rob
talk
to
me
about
all
this
yaml
that
we've
got
here
in
the
repository.
B
I've
got.
Let's
see,
aks.yaml
walk
me
through
what
we've
got
here.
I
know
we've
got
a
two-tier
app
that
I
can
run
locally.
Actually
I
don't
think
I've
showed
that
to
folks,
let's
see,
let's
actually
run
that
locally
before
we
do
some
stuff
here.
B
They
should
spin
up
a
development
server
and
open
it
up
by
the
way
this
app
was
created.
Using
the
create
rack,
react
app
framework,
which
is
pretty
awesome
great
way
to
bootstrap
some
some
apps.
So
this
is
just
the
the
default
landing
page
that
it
gives
you,
and
I
think
I've
got
some
console
queries
here
up
excellent
yeah.
So
it's
looking
to
make
a
request.
Of
course,
I
have
a
course
enabled,
so
it's
going
to
block
that
request,
which,
of
course
I
can
allow,
as.
C
B
I
mean
I'm
including
credentials
as
well.
Well,
we'll
assume
that
api
works
out
in
production
right,
isn't
that
what
they
say,
rob
you
tested
in
production?
That's
how
I
always
do
it.
If
I
test
it
at
all
yeah
exactly
let's
go
ahead
and
uncomment
that
code.
B
Clearly
I've
been
trying
to
get
it
working
in
production
previously,
and
it's
run
into
some
cross-origin
or
research
sharing
issues.
Would
you
get
just
the
app
just
simple
front-end?
It's
gonna
make
a
request
to
a
simple
api
backend,
but
going
back
to
what
we
need
to
build
here.
Talk
to
me
about
the
we're.
B
A
C
A
All
right
so
pretty
pretty
basic.
You
know
two-part
app
here.
If
you
you
know,
we
have.
We
have
two
sections
of
our
of
our
ammo.
We
have
our
deployment,
which
is
really
you
know
the
instructions
on
what
we
want
to
put
out
there
in
the
the
two,
the
two
containers
we
have.
So
if
you
you
go
down
there
and
you'll
see
time
deployment
and
then
we
have
under
containers.
We
have.
We
have
two
separate
pieces.
A
A
So
that's
the
first
part
of
your
of
your
of
your
k
channel
and
that
really
works
in
the
sense
that
it
will
stand
up
your
your
pod,
but
you're
not
going
to
be
able
to
do
anything
with
it
without
the
second
piece
and
the
second
piece
is
the
service.
So
on
the
bottom
end
you
have
a
service
and
kubernetes,
that's
how
we
actually
expose
something
into
you
know
to
the
broader
world
and
in
this
case
we're
using
a
type
of
load.
Balancer
we're
using
aks
load.
A
Balancer
works
really
well
just
right
out
of
the
box
with
load
balancer
and
that's
that's
going
to
expose
it
to
to
a
public
out
so
that'll
create
it
on
aks
that,
once
when
you
include
that
service
it'll
go
ahead
and
automatically
create
a
public
ip
and
expose
that
on
the
porch,
you've
you've
dictated
what
you'll
see
right
in
the
bottom
80
for
the
web
front,
end
and
3001
for
this.
For
the
back
end.
B
Awesome
yeah
I'll
echo,
your
your
comments
about
the
the
load.
Balancer
integrations
that
work
really
nicely
out
of
the
box
with
the
azure
kubernetes
service.
Of
course
you
have
lots
lots
of
flexibility
here
in
terms
of
how
you
want
to
configure
your
networking
and
routing-
and
you
can
do
you
know,
layer,
seven
ingress
as
well,
using
things
like
the
nginx.
A
Controllers,
yeah
and
and
honestly
we
would
probably
go
you
know
in
that
direction,
for
something
that
wasn't
a
a
kind
of
a
quick
and
dirty
demo,
but
for
stuff
that
you
need
to
get
up
really
fast
load.
Balancer
works
really
well
without
having
to
do
any
real
extra
work
on
the
on
the
aks
side.
B
A
Did
you
do
you
already
cover
when
you
showed
the
the
ci
action
where
you
had
embedded
the
the
credentials
as
a
as
a
github
secret,
you're,
fine.
C
B
The
surprise
here-
yes,
we'll
do
that
here
shortly,
so
we've
got
that
action
working
through
that
dealing
with
some
bugs
there
and
another
action
we're
going
to
want
to
create
is
for
actually
pushing
this
to
a
specific
registry.
And
of
course
I
can
look
at
this
marketplace
of
actions
to
see
if
there's
any
workflows
that
I
can
take
advantage
of
and
for
those
that
aren't
aware,
there's
tons
and
tons
of
prebuilt
actions
workflows,
there's
a
docker
image
workflow,
which
looks
like
is
one
that
I
can
use.
B
Let
me
see
here,
there's
other
ones
too
for
other
registry
endpoints.
So
let's
go
ahead
and
use
this
workflow
to
take
a
look
at.
B
So
yeah
the
nice
thing
about
the
hosted
compute
environment
that
we
provide
in
actions
is
that
all
the
tools
you
need
to
actually
build?
Your
docker
and
container
images
is
they're
all
provided,
and
this
helper
workflow
looks
like
we'll
even
tag
it
with
some
custom
date.
Information.
B
Support
that
we
do
so
so
the
github
actions
hosted
compute
environment.
Here
we
provide
all
x86
on
mac,
os
windows
and
linux,
but
if
you
would
like,
you
can
also
run
your
own
actions
agents
using
what
we
call
self-hosted
runners.
B
And
you
can
trigger
builds
accordingly
on
your
own
infrastructure.
Now
the
agents
themselves
have
to
run
on
x86.
But
if
you
have
an
arm
environment
that
that
agent
can
connect
to-
or
if
you
have
some
external
arm
building
environment,
then
you
can
absolutely
send
the
code
from
github
to
that
environment,
facilitate
the
build,
create
the
image
and
do
so
accordingly.
B
A
B
So
we're
gonna
go
ahead
and
do
this
so
we're
gonna
create.
B
A
Whatever
yeah,
no,
it
makes
it
make
sense
once
you
once
you
once
you
understand
what
you're
doing,
but
when
I
first
saw
it,
I
was
like
why.
Why
is
this
even
required,
but
notice
on
on
the
run
when
he's
building
when
he's
tagging
it
that's
what's
different
different
diff
differentiating
between
github
container
registry
and
and
you
know,
pushing
the
docker
hub
or
some
other
places
is
the
inclusion
of
of
the
endpoint
right
there.
So
that's
that
ghcr.io
and
your.
B
Org,
so
one
of
the
things
that
we
can
do
is
inject
a
secret
into
our
workflow.
Is
that
right,
rob.
B
Or
do
you
need
to
go
create
it
should
be
created
here,
I'm
just
trying
to
figure
out
the
name
that
I
used:
okay,
gcr
access,
token,
the.
A
Shortest
possible
quick,
defined,
name,
perfect.
A
Step
and
this
this
action
was
built
by
docker
themselves.
B
Where
you
pulled
this
out,
so
this
is
not
an
action.
This
is
just
running
commands
from
within
the
the
workflow
itself.
B
And
let
me
actually
just
test
the
the
command
and
again
this
you're,
seeing
the
process
by
which
I
go
through
and
troubleshoot
actions
and
build
them
locally.
So
I've
got
the
docker.
C
Tools
password
standard
in
and
that's
right.
B
B
B
B
B
B
Yeah
so
now,
when
we
move
towards
deployment,
there
are
a
couple
tricks
that
folks
will
want
to
take
into
account.
So
you
can
see
here
that
I've
got
the
access
token
we're
using
for
container
registry.
Now,
when
you
create
a
new
personal
access,
token
make
sure
that's
only
scoped
for
read,
write
privileges
for
your
your
packages
or
your
container
images.
You
don't
necessarily
want
to
use
a
widely
scoped
token
for
this.
So
that's
what
I'm
doing
there
now,
when
we
move
towards
deployment
to
kubernetes,
rob
there's
this
kubernetes
config.
B
Is
that
right
and
that's
that's
just
the
yaml
or
json
configuration
artifact,
yep
yeah,
so
we
can
of
course
store
that
information
in
the
repository
and
the
nice
thing
too
is.
If
we
have
multiple
repositories
in
the
org
that
are
using
the
same
cluster,
we
can
create
an
org
or
organization
scope
secret
that
we
can
then
subsequently
access.
So
that's
what
I've
got
here
now,
one
of
the
things
you
can
do
here
for
deployment.
Let's
see
here,
I'm
going
to
go
and
create
another
action.
C
Locally,
let's
do
this.
C
A
All
the
latest,
so
one
of
the
questions
we
got
from
chat
was
in
regards
to
being
able
to
create
secrets
for
each
stage.
I
mean
you
could
definitely
create
different,
see,
secrets
and
and
label
them
appropriately
to
cover
each
stage,
but
secrets
are
really
at
base
of
two
levels:
they're
either
at
the
repo
or
they
are
at
the
at
the
organization.
A
So
but
there's
a
couple
ways
I
mean
there's
no
cap
on
the
number
of
seekers
you
create,
so
you
can
say
that
way
or
you
could
migrate
between
repos
as
you
move
from
from
from
one
environment
to
another
and
use
specific
secrets
there,
a
couple
options:
yeah.
B
So
one
of
the
things
I'm
going
to
do
is
I'm
going
to
create
to
start
working
on
another
workflow
to
deploy
those
container
images
from
the
registry,
assuming
we
may
get
pushed
there
like.
I
said
we're
old
for
three
here,
assuming
they
get
pushed
there
and
then
we
can
deploy
those
to
our
cluster.
B
So
what
I'd
like
to
do
is,
let's
actually
start
we'll
write
this
one
out
from
scratch.
What
I
like
to
do
is,
I
typically
use
an
existing
workflow
for
reference.
If
I'm
just
handwriting,
these
we'll
call
this
aks,
deploy
on
push
and
we'll
just
say
on
push
we'll
just
do
on
push
in.
C
B
Typically,
you
would
scope
this
to
a
specific
branch
or
other
labeling
construct.
We
need
to
do
job.
The
job
name
will
be
deploy,
say,
aks
deploy.
This
is
gonna
runs
on
ubuntu
and
you
can
see
here
the
pretty
awesome
auto
completion
in
intellisense.
For
me,
using
this
plug-in
highly
highly
recommend
it.
B
The
nice
thing,
though,
too,
about
github
actions
is
that
you
know
we.
We
try
to
keep
the
the
actual
syntax
pretty
light,
so
the
number
of
properties
we
use
is
really
not
overly
complex.
It's
easy
to
get
started
with.
If
you
are
trying
to
hand
write
it,
you
know.
I
equate
that
to
kind
of
the
nesting
here
you
see,
there's
really
not
a
lot
of
nesting
and
that's
on
purpose
we're
trying
to
make
it
as
simple
and
then
digestible
as
possible.
B
So
in
this
case
I'm
not
going
to
use
a
strategy.
I
am
going
to
do
some
steps
here,
so
I'm
going
to
copy.
Do
the
checkout
step
from
here
another
thing
that
I've
got
now.
B
So
we
don't
need
anything
from
anything
else.
So
one
of
the
other
steps
that
I
like
to
use
is
I
like
to
stage
the
coop
config
artifact
for
the
rest
of
the
jobs
to
leverage.
B
B
B
A
That
people
people
get
wrapped
up
in
the
word
secret
and
forget
that
you
know
there's
a
there's
a
lot
of
flexibility
in
how
you
use
that
and
you
can
pass
you
know,
config
config
files.
You
can
pass
environmental
variables
really
really
any
text.
You
can
go
ahead
and
pass
through
that
secret,
especially
if
you
look
at
the
org
level
and
you
there's
something-
maybe
that
you
want
to
re
reutilize
a
lot
of
times
across
multiple
multiple
repos.
You
know
you
can
use
the
secrets
to
pass
past
that
information.
B
Exactly
so,
you
can
see
here,
I'm
just
pre-staging
the
config
into
my
local
home
directory,
that's
created
for
the
life.
This
excuse
me
life
of
this
build
and
because
the
crew
control
or
coupe
cuddle,
there's
that
whole
industry
debate
as
to
how
you
pronounce
it.
I
like
coop
control.
Personally,
you
can
use
the
command
that's
already
available
in
this
ubuntu
based
environment,
to
take
the
yaml
file
and
apply
it
to
my
cluster.
B
A
Yeah
infrastructure
is
easy,
I'll
tell
you
mute,
the
mute
button
is
challenging.
It
was
definitely
working
yesterday.
So
we'll
see
all.
C
A
A
My
xbox
this
morning
my
son,
told
me
so
if
it's,
if,
if
azure's
running
on
on
the
same
servers,
we
may
have
a
problem,
we'll
see
we'll
find.
B
Oops,
I'm
on
the
I'm
naming
my
branch
differently
all
right,
so
we've
got
a
new
action
here,
simple
action.
In
reality,
your
kubernetes
deployments
are
going
to
be
likely
a
little
bit
more
complex
depending
on
the
approach
that
you
take.
This
is
very
much
a
push-based
approach
whereby
you're
going
to
have
a
branch
that
has
changes
to
both
the
app
and
the
infrastructure
code
and
then
those
changes
are
pushed
to
your
kubernetes
cluster.
B
There's
a
lot
of
interesting
ways.
You
can
do
this.
You
can
also
take
a
pull-based
approach
if
you're
familiar
with
concepts
such
as
git
ups,
whereby
you
have
infrastructure
running
on
your
kubernetes
cluster,
that
checks
for
changes
in
your
your
image
files
and
the
the
kubernetes
artifacts
and
then
pulls
those
changes
in
so
very
different
approaches,
depending
on
how
you
look
at
it.
Most
folks
are
familiar
with
this
push
based
approach,
which
triggers
the
updates
from
the
the
get
side,
but
there's
definitely
a
few
ways
to
look
at
that.
B
So,
let's
see
here,
I've
got
oh
look.
We've
got
a
check
mark
here,
so
that's
good.
Go
back
to
our
node
build.
I
love
check
marks.
B
I'd
have
to
have
you
review
this
too.
So
now
we've
got
going
back
to
the
beginning.
Here,
we've
got
some
code
scanning
results,
no
no
alerts.
So
that's
that's
promising
and
then
we've
got
our
ci.
Jobs
looks
like
those
worked
for
both
node
12
and
the
tests
were
inappropriately
it's
nice
to
get
up.
Actions
provides
this
web-based
log
output,
so
I
can
view
things
there's
troubleshooting
specified.
There
are
no
back-end
tests.
B
You
know
there
are
no
back-end
tests.
So
that's
why
it
skipped
out
on
those
we
won't
build
the
front-end
tests.
I
think
folks
get
to
just
there
and
then
what
we
need
to
do.
Docker
image.
Let's
check
this
one.
We've
got
a
few
minutes
left
here.
B
It
looks
like
my
my
credentials.
C
A
C
B
All
right,
so
we've
got
that
pushed
up
we'll
see
if
that
goes,
and
let's
open
the
the
pull
request
for
the
recent
deployment.
Now
the
nice
thing
is
these
images
already
exist.
So
even
if
we
don't
get
our
workflow
configured,
hopefully
folks
can
at
least
see
the
application
running.
B
Now
it's
going
to
go
ahead,
let's
see
if
it
ran.
That
was
awfully.
B
Yep
it
looks
like
deployed,
so
that
was
really
fast,
so
you
can
see
here
that
the
actual
application
was
already
out
and
running
on
the
cluster.
So
control
takes
care
of
all
that.
Stick
reconciliation
for
you.
So
if
I
had
made
any
changes
or
we
made
any
changes
to
the
infrastructure,
they
would
be
present
or
identified
and
then
addressed
so
the
deployment
works,
which
is
awesome.
B
So
I
should
have
my
kubernetes
cluster
ready
to
go
oops
so
awesome,
I'm
connected
to
the
kubernetes
cluster
that
you've
created
rob.
So
that's
good
that
one
works
and
it
looks
like
there's
a
load
balancer
created
as
well
and
aks
handles
all
that
routing
for
me.
So
as
long
as
I
connect
to
this
ip,
I
should
be
able
to
it.
Should.
B
A
Remember
whether
I
am
color
commentary,
you
know
which.
A
In
sports,
usually
that
person
gets
most
of
the
credit
gets
paid.
The
best
also,
I
was
responsible
for
this
100
working
aks
deployment.
Well,
not
the
employment
stuff,
but
just
the
infrastructure
underneath
it
I'm
not.
A
B
Well,
I
appreciate
your
your
support
here.
C
B
A
fantastic
job
with
the
infrastructure,
so
it
looks
like
still
having
issues
with
just
the
login.
I
think
most
folks
gets.
The
gist
looks
like
my
my
token
may
have
expired
here,
as
you
saw
from
the
very
beginning
of
the
demonstration,
but
essentially
you're,
going
to
have
different
workflows
defined
for
different
tasks.
You
can,
of
course,
combine
all
of
these
tasks
in
the
same
workflow.
C
B
One
creating
a
docker
file
that
not
only
works
for
your
application,
but
is
tied
to
some
of
the
security
recommendations
out
there,
such
as
keeping
your
container
images
small,
ensuring
that
the
dependencies
associated
with
that
application
have
been
addressed
for
vulnerabilities,
because
if
you
package
up
the
dependencies
with
vulnerabilities
with
the
container
image
well,
your
container
image
is
still
going
to
be
vulnerable.
B
Yeah
this
is
awesome,
so
yeah.
I
I
think
I
learned
a
lot
too
any
other.
We
see
anything
in
the
twitch
chat
from
folks.
A
Here's
a
here's,
a
tricky
one.
Okay,
mr
weiss,
can
you
do
all
of
this
from
the
new
gh
cli
from
the
new
cli.
B
You
can,
I
don't
have
the
the
the
same
class
running
here,
but
you
can
absolutely
use
the
new
github
cli
and
I
can
do
issue
creation.
I
can
create
pull
requests
and
clone
repos.
You
can
absolutely
facilitate
this
entire
workflow
through
the
new
github
cli.
So
you
didn't
have
to
see
me
go
back
and
forth
with
the
ui.
A
Yeah,
that's
awesome,
hey!
We
appreciate
you
guys
all
tuning
in
hopefully,
hopefully
they'll
invite
us
back
sometime
to
be
on
this
twitch
thing
we'll
see.
A
That
was
awesome
thanks
for
thanks
for
doing
all
the
all
the
heavy
lift
and
mr
wise
anytime,.
C
A
I'll
see
you
next
time
on
the
on
the
twitch,
the
twitch
averse,
which
may
or
may
not
be
a.