►
From YouTube: Ask an OpenShift Admin (Ep 40): Compliance and security
Description
Security and compliance are two hot topics when it comes to container-based applications. In this episode, we take a look at why that is and what it means to you as well as how Red Hat OpenShift can help make your software more reliable and secure. We'll cover why you need to start with trusted base images when building your containers and delve into how the compliance Operator, in conjunction with the file integrity Operator, lets OpenShift Container Platform admins describe the desired compliance state of a cluster and provides them with an overview of gaps and ways to remediate them.
In addition, we’ll also discuss the intrinsic features of Red Hat CoreOS, like FIPS mode, to help bring security both to the platform and applications. This is going to be an information packed stream, be sure to join us and prepare your hardest questions for our special guest SMEs!
Learn more:
https://docs.openshift.com/container-platform/4.7/security/container_security/security-compliance.html
https://docs.openshift.com/container-platform/4.6/security/compliance_operator/compliance-operator-understanding.html
About Ask an OpenShift Admin:
Do you have questions? We want to answer them! Every Wednesday at 11am ET, hosts Andrew Sullivan and Chris Short sit down to answer your questions about Red Hat OpenShift.
Follow us:
Andrew Sullivan https://twitter.com/practicalandrew
Chris Short https://twitter.com/chrisshort
Subscribe to Red Hat's YouTube channel: https://www.youtube.com/redhat/?sub_confirmation=1
About OpenShift:
Red Hat OpenShift is an open source container application platform based on the Kubernetes container orchestrator for enterprise application development and deployment.
Openshift.com https://red.ht/33Fh6uV
OpenShift on github https://github.com/openshift/
OpenShift on redhat.com https://red.ht/2o4ccDk
#RedHat #OpenShift #ContainerPlatform
A
A
A
B
A
B
They
they
said
this
morning
that
we
had
the
the
hottest
july
ever
recorded,
and
it
appears
that
august
is
is
certainly
on
the
same
track
so
yeah.
I
know
that
has
a
lot
of
implications
for
a
lot
of
people.
You
know
there's
been
a
number
of
storms
speaking
which
to
our
peers
in
you,
know,
boston,
new
england
area,
I
hope
you're
all
safe
after
the
tropical
storm
went
through
there.
I
know
there's
a
bunch
of
fires
happening
on
the
west
coast
and
other
places
as
well.
Even
for
that
smoke.
A
B
A
B
So,
yes,
excuse
me
so,
first
hello,
everyone
welcome
to
the
ask
an
openshift
admin
hour,
so
this
live
stream
is
one
of
our
office
hours
series
of
streams.
What
that
means
is
that
we
are
here
much
like
if
you
were
in
in
school.
At
any
point,
you
had
a
teacher
or
professor
who
had
office
hours,
we're
here
for
you
right.
We
want
to
answer
questions.
B
We
want
to
interact
with
you
all
whatever
it
is,
that
is
happening
in
your
worlds,
feel
free
to
reach
out
and
ask
us
or
let
us
know,
and
we'll
do
our
best
to
address
those
questions
here
on
the
stream.
If
we
can't,
for
whatever
reason
we
will
follow
up
and
answer
those
so
every
week
following
this
stream,
usually
on
friday,
but
sometimes
a
little
later,
we
have
a
blog
post
that
recaps
everything
that
we
talked
about
here.
B
A
B
Including
on
discord,
so
I
know
you've
got
a
link
for
that
somewhere.
So,
as
chris
mentioned
today's
topic,
the
topic
of
the
stream,
which
again
don't
let
that
don't
let
that
limit
you
or
limit
your
questions
to
just
this
topic.
But
today's
topic
is
compliance
and
security
and
andrew.
Is
I
like
to
think
I'm
aware
of
security,
but
it's
a
big
topic
and
you
know
even
you
and
I
put
together
and
multiplied
times.
B
10
would
be
just
barely
scratching
the
surface,
so
yeah
we
were
are
very
fortunate
to
have
three
subject
matter:
experts
with
us,
so
welcoming
back,
mark
russell,
who
was
here
for
our
red
head
enterprise,
linux,
core
os
episode,
so
mark
is
a
product
manager
in
the
openshift
business
unit,
or
I
guess
now
we're
the
hybrid
platforms
business
unit,
yes,
and
so
two
first
time
folks
on
the
stream.
So
we
have
doran,
caspin
who's,
also
a
product
manager
and
juan,
but
we
call
him
oz
and
juan.
B
B
A
B
B
So
the
first
one
that
I
want
to
talk
about
is
the
time
to
update
cluster
operators
has
been
reduced.
So
did
you
grab
the
link
for
that?
I
got
it
okay,
so
I
am
on
the
release,
notes
here.
So
if
we
scroll
all
the
way
up
here,
this
is
simply
the
ocp
4.8
release,
notes
and
way
up
here
near
the
top.
I'm
gonna
have
to
hit
enter
again.
So
that
way,
it's
easier
for
me
to
find.
B
B
So
the
magic
behind
the
scenes
here
is
actually
pretty
straightforward.
So
I'm
going
to
pick
on
this
one,
which
is
the
maltese
steamin
set
effectively.
What
the
change
was
is
to
change
the
max
unavailable
to
being
a
percentage
pretty
much
across
the
board
they're
set
to
10
or
something
along
those
lines,
and
the
change
here
is
that,
of
course,
more
hosts
are
able
to
update
at
the
same
time,
which
means
that,
as
you
scale
up
the
number
of
hosts
in
the
cluster
that
time
to
do
the
update
or
apply
the
update
is
relatively
flat.
B
Do
keep
in
mind,
though,
that
this
is
only
the
cluster
operators,
so
if
there
is
something
that,
for
example,
triggers
a
reboot
or
something
like
that,
it
means
that
you
would
still
be
at
the
mercy
of
a
pod
disruption
budget,
or
you
know,
maybe
some
other
operator
there
that
or
some
other
deployment
that
is
preventing
that
update
from
applying
to
more
than
one
host
or
more
than
the
available
hosts
here.
But
important
thing
is
at
least
in
many
configurations.
B
Now
so
I'll
post
that
in
the
chat,
thank
you,
so
that
was
the
first
one
relatively
straightforward.
Just
to
be
aware
that
if
all
of
a
sudden
you
were,
you
know,
expecting
to
click
the
update
button
and
then
go
and
get
lunch
and
come
back
and
maybe
then
get
a
cup
of
coffee
now,
maybe
just
get
that
cup
of
coffee
yeah
or
maybe
just
lunch
instead
of
both
anyways.
So
the
next
one
that
I
wanted
to
talk
about
is
a
question
that
I've
had
asked.
B
It's
come
up
twice
in
the
last
week,
but
it's
kind
of
come
up
periodically
over
the
last
year
or
so,
and
that
is,
can
we
use
the
integrated
load?
Balancer
that's
deployed
with
on-prem
ipi
with
other
deployment
mechanisms.
Can
I
use
that
with
upi?
Can
I
use
that
with
non-integrated
so
on
and
so
forth?
So
officially?
No!
B
So
if
you
in
your
install
config.yaml,
if
you
just
define
those
ip
addresses,
it'll
automatically,
deploy
and
configure,
keep
a
live
d,
etc.
So,
yes,
it's
possible
technically,
but
just
remember
it
is
definitely
not
tested
and
supported
in
that
respect.
So
it
may
be
good
for
a
a
lab
or
a
test
environment.
Something
like
that.
D
E
D
Interesting
thing
to
mention
it's
right
beneath
that,
and
so
what
that
means,
where
it
says:
mco
waits
for
all
machine
config
pools
to
update
before
reporting
the
upgrade
update
is
complete.
So
this
this
effects
this
means.
Previously,
we
were
reporting
that
the
update
was
complete
when
the
control
plane
was
complete,
and
so
you
could
still
have
worker
pools
that
had
not
finished
updating.
A
D
D
That
is
that
this
is
what
we
call
it
blocks,
what
we
call
y
stream
upgrade,
so
it
will
block
you
from
going
from
4
7
to
4
8
until
everything
is
complete,
but
it
won't
block
you
from
a
a
z
release
from
a
from
a
patch
release
if
you
need
to
get
that
out
and
patch
the
control
plane.
So
anyway,
I
just
thought
that
was
worth
sharing.
B
D
B
Yeah,
okay!
Well,
thank
you.
Let's
see,
I'm
going
to
I'm
going
to
tackle
probably
the
most
complex
one
next,
which
is
so
there
has
been
coming
up
over
the
last
few
days,
a
large
number
of
folks
internally,
who
have
brought
up
that
either
they
personally
are
seeing
or
their
customers
are
seeing
this
particular
issue,
and
it's
not
just
on
4.6.
B
It
seems
to
be
happening
across
multiple
other
cluster
versions
as
well,
so
essentially,
what
we're
seeing
or
what
they're
seeing
is
a
an
issue
or
a
problem
being
raised
inside
of
the
console
saying
that
the
system
memory
exceeds
reserved
basically
saying
that
you
know
hey
something
on
the
host,
kublitz,
etc
is
using
more
memory
or
more
cpu
than
what
has
been
allocated
to
it.
So
if
you
peruse
through
this
bz,
there's
a
a
large
number
of
comments
in
here.
Well,
I
say
a
large
number.
B
B
B
So
we
have
this
function,
dynamic
memory
sizing
where
it
goes
through
and
it
takes
right.
20
of
I'm
sorry
here
it
starts
at
25
of
the
first
four
gigabytes
and
then
20
percent
of
the
next
four
gigabytes
up
to
eight
gigs
10
percent
of
the
next
blah
blah
blah
so
kind
of
following
exactly
what
is
laid
out
here
in
google's
own
documentation.
B
B
B
B
B
There,
that's
probably
the
easiest
way
for
me
to
show
these
values,
so
if
you
were
to
map
out
all
of
those
values,
essentially
this
is
what
you
would
get
so,
for
example,
with
memory,
if
my
node
has
eight
gigabytes
of
memory
assigned
to
it.
If
I
turn
on
that
auto
reservation
setting,
it
will
reserve
1.8
gigabytes.
B
So
this
I
copied
and
pasted
this
when
I
was
just
looking
a
moment
ago
from
the
kubernetes
slack,
I
will
link
that
thread
as
soon
as
I
can
find
it
here
into
the
stream
chat.
So
that
way
anybody
else
who
wants
to
look
at
it.
You
are
more
than
welcome
to
look
at
it,
but
that's
the
that's
the
kind
of
quick
and
quick
and
dirty
version
of
what's
going
on
there.
So
if
you're
curious,
if
you're
seeing
that
particular
bug,
please
make
sure
that
support
is
aware
about
it.
B
So
that
way,
we
can
associate
any
customer
information
that
way
they
can
prioritize
it
appropriately
to
get
everything
fixed
short
term.
You
can
also
turn
on
that.
Auto
sizing
just
be
aware
that
it
will
consume
some
additional
amount
of
memory
and
cpu
for
those
system,
level,
resources
so
and
just
fyi.
B
Okay
and
the
last
thing
that
I've
got
here.
Oh
this
is
a
quick
and
easy
one.
So
the
last
one
that
I've
got
just
real,
quick,
some
folks
have
asked
hey.
How
do
I
know?
What
will
you
know
if
I
change
something
in
machine
config?
What
will
trigger
a
node
to
reboot?
We
can
actually
see
that
in
the
code.
B
E
B
Actually
line
424
so
essentially
which,
if
you
read
through
this
files
post,
can
change
post
config
change
action
equals
none
so
basically
says
hey.
If
I'm
changing
the
kubelet,
ca.crt
or
coolit
config.json,
don't
do
anything
right,
they
get
updated
right
and
the
system
automatically
knows
that
something
changed
right.
If
I
change
etsycontainersregistries.conf,
then
I
need
to
reload
cryo
or
trio.
B
However,
you
pronounce
it,
you
know
so
on
and
so
forth,
so
you
can
kind
of
walk
through
it's.
It's
not!
You
know
documentation,
you
know
as
friendly
as
documentation,
but
you
can
kind
of
walk
through
the
code
here
and
you
can
see
hey
what
is
going
to
when
I
change
something.
What
is
going
to
be
the
resulting
action
in
the
cluster,
so
maybe
beneficial
to
you.
If
you're
curious
about
that.
D
I'm
looking
into
yeah
there.
I
think
some
of
this
is
documented,
but
I
have
seen
some
confusion
out
there,
because
people
sometimes
expect
a
machine
config
to
cause
a
reboot
and
then,
when
they
choose
one
of
these
actions
they
can
be
actually
surprised
that
it
doesn't
reboot.
I
mean
it's
like,
maybe
it's
a
pleasant
surprise,
but
nonetheless
not
what
they
were
expecting.
D
You
know
it
used
to
be
before
4.6.
It
was
a
much
simpler
mental
model.
You
changed
something
and
it
rebooted
yeah,
and
it
rolls
the
cluster
the
one
that
isn't
it
doesn't
seem
to
be
in
this
code
that
I'm
fairly
confident
in
is
pushing
ssh
keys
to
nodes
as
well
doesn't
cause
a
reboot
now
so
and
we're
looking
at
we're.
Looking
at
ways
to
you
know
either
you
know
expand
this
list
perhaps
allow
administrators
to
expand
it
on
their
own.
D
But
it's
a
it's
a
difficult
question
and
one
that
we
have
to
be
very
careful
with.
We
don't
want
to
put
users
into
a
position
where,
where
they're
going
to
shoot
themselves
in
the
foot
too
easily,
but
at
the
same
time
they
do
own
their
own
cluster.
So
we
want
to
empower
our
admins
and
it's
always
finding
that
balance
can
be
tricky,
but
there
you
go.
There's
the
yes.
B
D
I
think
it's
also
because
yeah
I
mean
perhaps
because
also
you
know
whether
it's
added
or
removed,
any
change
will
should
should,
should
not
cause
and
the
whole
secret
to
the
for
those
familiar
with
the
pull
secret
on
your
openshift
cluster.
That
is
another
one
that
doesn't
doesn't
cause
a
reboot
nowadays.
D
D
D
So
there's
some
overlap,
but
then
day
365
it
would
come
back
and
reap
the
old
certificate,
and
that
would
be
another
reboot
and
the
thing
that
was,
I
think,
most
problematic
about
it,
and
customers
had
the
most
issue
with
it
was
they
didn't
know
it
was
coming?
I
mean
it's
one
thing:
if
you,
if
you
actually
set
a
machine
config-
and
you
know
I
pressed
the
button
and
then
the
cluster
rolled
and
it's
another
thing
where
people
are
like.
Why
are
the
servers
rebooting,
and
so
this
was
so
we
fixed
that.
D
I
think
somebody
you
know
some
of
the
early
adopters
and
for
people
who
are
running
and
very
very
cloud
centric.
You
know
very,
very
purely
cloud
native.
They
don't
sweat
it
with
the
nodes,
even
rolling
the
cluster.
Isn't
that
big
a
deal
to
them
necessarily,
but
when
you
have
set
clusters
and
like
you
said
it
could
be
a
12
minute
post
for
for
these
servers
nowadays
that
reboot
can
be
very
costly.
D
So
we
are,
we
are
looking
at
we're
looking
for.
They
said
for
different
ways
to
to
knock
it
down.
If,
if,
if
folks
on,
the
stream
want
to
send
in
their
suggestions
for
particular
actions,
they
feel
like
do
not
require
reboot,
that
they
are
hitting
regularly,
that
it
would
ease
their
pain.
If
that
was
changed,
I'd
be
all
ears.
B
B
B
Yeah,
you
know
just
looking
at
at
red
hat
and
kind
of
things
that
relate
to
open
shift
in
containers
and
cloud
native,
and
all
of
that
right.
The
topic
we
can
span
anywhere
from
like
the
secure
software
supply
chain
and
kind
of
developer
practices
and
principles
all
the
way
down
to
like
low-level
operating
system.
Things
which
is
you
know,
we're
administrators
here.
So
that's
kind
of
the
side
that
we're
going
to
favor.
B
When
we
talk
about
these
things,
but
my
point
is
you
could
fill
multiple
libraries
with
the
books
that
have
been
written
on
this
topic,
so
it's
unfeasible
for
us
to
address.
You
know
kind
of
more
than
just
a
scratch
across
the
surface
when
it
comes
to
that,
and
I
really
want
to
highlight
a
couple
of
of
things.
So
one
is
the
security,
ebook
and
I'll
post
a
link
into
that.
So
this
is
a
another
step
in
that
direction
of
how
do
I
go
and
get
started
and
learn
more
and
learn
about
this.
B
Broad
ecosystem
of
things
also
highlights
red
hat
summit
every
year
has
multiple
sessions
on
the
security
topic,
so
you
can
always
go
there
and
find
more
information
in
red
hat
summit.
The
last
two
years
has
been
free
registration
right.
You
can
just
go
to
the
website
and
the
other
one
and
this
one
I
haven't
actually
looked
at
yet
because
they
just
announced
it
like
15
minutes
before
we
before
we
started
on
stream,
but
we
just
released
a
another
one.
A
B
Yeah,
so
it's
it's,
this
an
open
approach
to
vulnerability
management,
so
it
and
it
really
describes
how
red
hat
works
and
how
red
hat
addresses
these
vulnerabilities
across
the
product
lines.
So
I,
while
I
haven't,
read
it,
I
can
only
assume
that
it's
going
to
be
a
good
read
and
it's
going
to
be
an
interesting
one.
So
I'm
looking
forward
to
it
this
afternoon
after
after
the
stream.
Oh.
B
And
I
also
want
to
highlight
that
you
know
openshift
and
core
os
is
only
one
component
in
that
when
we
look
at
the
bigger
red
hat
portfolio,
you
know,
of
course
you
have
things
that
are
directly
related
to
openshift
acs,
acm
quay
ubi
right
all
those
play
a
role
as
well.
Not
just
you
know,
rel,
of
course,
because
rel
is
the
foundation
for
both
core
os
as
well
as
ubi,
but
more
broadly,
things
like
satellite
and
ansible
and
using
those
tools
to
help
manage
and
implement
your
security
posture.
B
E
E
E
It
said
that
the
industry
is
setting
up
a
standard
for
compliance
or
what
what
controls?
I
want
to
apply
to
my
in
my
infrastructure
and
based
on
this
compliance.
I
know
that
my
infrastructure,
my
infrastructure,
is
ready
to
run
this
workload,
so
I
want
to
separate
between
the
technical
compliance
and
the
physical
components
or
more
process.
E
Compliance
and
technical
compliance
are
things
that
we
can
accomplish
by
setting
things
in
the
system
like
blocking
id
addresses
or
blocking
ports,
not
allow
specific
users
to
access
a
resource,
but
there
are
tons
of
resources,
tons
of
controls
that
are
physical
resource
or
user
results
like
we're
allowed
to
log
into
the
system
who
allowed
to
go
to
this
to
the
data
center.
All
kind
of
things
that
are,
we
cannot
control
or
we
cannot.
E
E
Currently
we
have
the
cis
benchmark
standard.
We
have
the
we
are
working
on
fedramp
and
pci
dss,
and
we
have
additional
compliance,
a
compliance
framework,
what
we
already
developed
and
we
allow
to
run
scans
and
scan
the
the
cluster
for
this
compliance
and
see
if
the
cluster
is
compliant
with
this
or
not.
We
also
allow
to
do.
We
also
do
remediation
so
which
we
find
things
in
the
cluster
that
are
not
up
to
the
standard
we,
the
compliance
operator
can
can
update
the
cluster
run
script
to
fix
things
that
we
can.
We
can
fix.
C
I
mean,
I
think
you
summarized
it
quite
well.
I
mean
the
thing
that
we
got
to
think
about
is
that
compliance
standards
are
there
for
a
reason
right.
Normally,
you
want
to
protect
certain
data.
Pci
dss
you've
got
to
make
sure
that
our
credit
card
information
is
secure,
right,
hipaa,
medical
records
right
or
on
your,
except
that
the
important
assets
of
a
power
plant
are
secure
right.
C
So
with
all
of
that
in
mind,
like
you
can
imagine
that
there's
a
big
big
big
list
of
requirements
of
you
should
do
this
and
they
can
be
quite
vague.
So
a
big
part
of
our
jobs
is
trying
to
translate
that
into
hey.
Well,
if
I
want
to
secure
this,
or
if
I
want
to
isolate
our
credit
card
data
and
the
workloads
that
hold
credit
card
data,
we
should
be
using
test
accelerations
in
openshift
and
use
a
network
policy
right.
B
E
C
So
no
so
one
thing
that
I
want
to
put
forward
beforehand
is
that
we
didn't
want
to
reinvent
the
wheel
right.
I
know
that
there's
a
lot
of
people
that
made
us
a
lot
of
questions
like
why
openscap
and
the
main
thing
is
that
it's
already
a
an
accepted
standard.
Well
scap
is
a
standard.
Openscap
is
just
an
implementation
of
it
and
we
just
basically
try
to
make
a
community
flourish
right
by
adding
yet
another
product
that
they
check.
C
So
in
really
in
compliance
code
which
actually
compiles
to
scap,
they
check
stuff
for
rel,
suse
arcos.
Nowadays,
openshift
openstack,
they
have
some
apple
checks,
even
so
there's
a
lot
of
stuff
in
there
and
basically
what
they
do
is
that
they
try
to
come
up
with
a
way
to
translate
security
requirements
into
stuff.
That's
automatable,
so
we're
gonna
have
data
such
as
this
we're
checking
for
this
specific
setting
in
the
cluster.
C
We're
checking
this,
because
this
might
be
a
way
that
an
attacker
might
get
to
you
so
write
the
description
and
the
rationale.
We
also
have
information
about
how
to
manually
check
for
something
which
is
going
to
be
something
used
by
an
auditor,
or
maybe
you
want
to
check
by
yourself
like
oc,
get
pots
and
give
me
the
ones
that
are
privileged
right.
Something
like
that.
So
we
have
all
this
information
and
we
also
have
automated
checks
right.
C
So
there
is
this
standard
called
oval,
which
is
part
of
scap
which
allows
you
to
do
this
kind
of
thing
and
without
going
too
deep
into
details
as
well.
We
also
have
references,
so
a
profile
is
going
to
be
a
collection
of
rules,
and
those
rules
are
all
of
the
information
that
I
put
before
right
so
you're
going
to
run.
I
want
to
be
compliant
with
the
moderate
profile.
Okay,
that's
going
to
run
a
lot
of
rules.
Are
you
enabling
these
audit
rules
in
your
host?
Are
you
enabling
ncd
encryption?
C
D
C
B
Got
it
yeah,
so
I
I'm
I'm
most
familiar
with
like
the
cis
benchmarks
and
their
set
of
rules
and
what
that
looks
like
and
the
automation
in
order
to
check
and
also
apply
those.
So
I
to
me
in
my
head.
I
mapped
this
over
to
this
is
just
a
standardized
way
of
defining
those
rules,
associating
them
into
what
I'm
going
to
call
an
inventory
of
rules
that
make
up
a
compliance
baseline
and
then
how
to
you
know,
check
and
then
ultimately
remediate
against.
Those
is
that
accurate.
C
Right
exactly
and
one
thing
back
to
the
remediations
that
you
asked
about
normally
in
openscap,
we
there
is
a
thing
called
the
fix
and
the
fix
can
take
many
ways.
You
have
several
systems
to
apply
a
fix
right,
so
scap
actually
supports
sensible.
So
you
could
generate
playbooks
out
of
that.
Scap
supports
bash
scripts
and
there
was
another
one
for
anaconda.
I
think
you
can
form
your
anaconda
definition
there.
In
our
case
we
introduce
something
that
we
call
just
a
kubernetes
fix,
so
we
only
deal
with
kubernetes
objects
right.
C
We
try
to
play
nice
with
the
cluster
in
openshift.
Four,
everything
is
a
crd.
Everything
is
a
resource,
and
so
we
we
make
sure
to
play
nice
with
that.
So
what's
gonna
happen
is
that
we
we,
if
we
detect
a
failure,
we
get
the
fix
for
that
failure.
That
turns
into
a
kubernetes
object
and
the
compliance
operator
will
either
report
that
so
you
can
apply
that
yourself
or
it
can
apply.
It
itself
depends
on
what
you
want
right.
We
give
you
that
flexibility,
so.
B
And
just
to
be
clear,
all
of
this,
the
compliance
operator
is
one
component
that
works
in
conjunction
with
acs
advanced
cluster
security
that
works
in
conjunction
with
acm.
I
see
christian
and
the
chat
right
that
ultimately
can
work
with
things
like
git,
ops,
I'd,
be
curious
to
know
your
thoughts
around
you
know.
B
C
The
the
priority
to
whatever
they
want
honestly
I've
been
experimenting
with
git
ops
quite
a
bit
recently
and
so
the
compliance
operator
and
this
cap
you
know,
data
stream,
which
is
the
collection
of
all
the
rules
and
everything.
It
is
a
big
repository
of
fixes
or
best
practices
for
for
a
certain
standard.
So
there
is
no
reason
why
you
can't
use
it
with
argo
cd
or
with
with
hive
and
stuff
like
that.
So
we
do
have
work
on
going
about
bringing
that
together.
C
E
C
So
it
will
be
possible
and
you
don't
exactly
need
the
operator
to
do
that,
but
you
are
going
to
need
the
operator
to
keep
generating
scans
and
the
operator
is
actually
able
to
leverage
all
of
that
information
and
tell
you
hey,
you're,
compliant
or
if
you'll
go
out
of
compliance.
It'll
just
give
you
a
fix
for
that.
B
D
Sure
one
of
my
favorite
topics,
so
we
do,
we
do
sometimes
call
it
controlled
immutability
and
if
you
check
the
actual
documentation,
the
definition
of
what
we
have
is
that
you
know
we
distribute
and
install
a
read-only,
slash
user.
So
all
the
os
binaries
in
that
sense
everybody
at
whatever
rev
of
the
cluster
you're
at
you,
are
running
a
specific
version
of
rel
core
os.
That's
been
tested
with
that
version,
you're
running
the
same
version
of
that
slash
users.
D
D
If
you
look
by
the
way,
if
you'd
like
to
look,
I
mean
we
could
bring
this
up,
but
it's
it's
gonna
be
a
little
ugly.
If
you
look
at
the
rendered,
every
pool
has
a
rendered
config
and
what
a
rendered
config
is
is
basically
just
snipping
all
taking
all
the
snippets
of
configuration
together
and
putting
them
into
a
single
configuration,
and
you
can
see
the
files
that
it
that
it
manages.
Please
don't
ever
delete
these
if
you
do
delete
them.
Please
call
red
hat
support
immediately
after.
A
D
Yeah,
so
it
pushes
these
and
and
it's
you
know,
it's
base64
encoded
most
of
the
contents
in
some
cases,
so
these,
if
these
files
are
changed,
the
mco
will
notice
them
the
next
time
you
go
to
push
out
an
update.
It
does
not
currently
today
we're
looking
at
changing
this.
It
does
not
check
on
a
regular
basis.
It's
when
you
push
out
a
new
configuration
or
when
you
push
out
an
update,
it
checks
to
see
hey
before
I
change
make
this
change
it.
D
B
Yeah
and
just
to
reinforce
that
I've
seen
two
instances
of
that
happen.
Just
recently,
one
was
a
customer
who
had
modified
the
the
ssh
keys
right.
They
just
think
they
had
debugged
in
and
added
a
different
ssh
key
and,
of
course,
when
mco
went
to
remediate,
it
said
I
don't
know
what
this
is
and
calls
to
to
to
halt.
D
When
we
are
looking
to
make
that
on
that
particular
note,
we
are
looking
to
make
that
check
more
regular,
so
that,
in
the
case
somebody
has
done,
you
know
you
do
a
test
modification
you
forget
about
it
and
then
it's
going
to
rear
its
ugly
head
later
when
you're
going
to
update
during
your
maintenance
window.
So
we
don't
want
that.
We
want
you
to
know
as
soon
as
possible
that
there's
something
unexpected
in
the
on
disk
state,
and
this
is
where
I
think
the
question
will
segue
over.
D
B
D
Of
things,
so
it
could
be
a
little
bit
tricky
to
to
figure
that
out,
but,
yes,
it's
not
going
to
be.
I
think
the
takeaway,
though,
is
that
it's
not
looking
for
any
change
under
etsy
if
the
machine,
if
the
mco
is
not
managing
that
file,
it's
also
not
going
to
care
that
you
have
created.
You
know
etsy
mycoolcomp.conf
yeah,
it's
just
not
gonna
notice,.
B
So,
whereas
the
file
integrity
operator
and
and
now
I'm
getting
out
over
my
skis
a
little
bit
so
the
file
integrity
operator,
essentially
when
it's
enabled
it
goes
and
creates
a
database
of
I'm
I'm
going
to
say,
hashes,
I'm
guessing
hashes
of
what
those
files
look
like
and
then
it
periodically
rechecks
those-
and
I
don't
know
what
that
interval
interval-
is
and
basically
checks
to
see
if
it
has
changed
at
all.
And
if
it
has,
you
know,
hey
did
this
change.
Did
you
know
this
changed
type
type
of
thing?
One.
B
Process
so
one
one
question
I
do
have
for
you
mark,
while
doran
is
bringing
that
up
is
the
way
that
core
os
does
updates
right
is
rpm
os
tree.
So
we
know
that
var
and
etsy
are
mutable
right.
They
can
be
changed
when
we
do
those
rpm
os
tree
updates.
When
we
switch
to
that
new
tree,
will
it
replace?
Will
it
reset
any
of
those
files
under
those
two
file
systems.
D
B
D
I'm
trying
to
think
if
you
know
within
a
yes
it
should
be.
I
mean
in
theory
there
could
be
a
rail
package
that
updates
the
configuration
file
midstream
in
theory.
I
don't
think
that
happens
a
lot,
though,
especially
within
a
rail
major
right
like
within
a
rail
8,
which
is
where
we
take
our
content
for
our
cost,
but
anyway.
So,
yes,
I
mean
it
is
a
theoretical
change
there,
but
no,
I
don't.
In
reality
it's
just
going
to
be
slash.
User
and
etsy
is
going
to
stay
maintained.
B
So
yeah,
I'm
I'm
learning
new
things.
All
the
time
see
this
is
this.
Is
the
problem
with
andrew
no
longer
being
like
a
full-time
like
my
paid
job
is
to
be
an
administrator
is
most
of
the
clusters
I
create.
They
might
live
a
week,
yeah
so
and
of
course,
they're
all
lab
clusters
they're
all
test
clusters,
so
I
generally
don't
go
through
the
process
of
deploying
and
testing
and
seeing
all
of
these
things
in
action
and
mark
and
doron.
B
I
know
you
know
like,
and
we
I
briefly
mentioned
this
on
one
of
the
other
streams
of
you
all.
The
pm
team
has
a
cluster
that
you
use
and
that
you
maintain
like
long-term
running
so
that
way,
you
know
we
can
do
well.
You
all
mostly
get
that
hands-on
experience
with
the
product
with
all
of
the
features
with
everything
else,
which
I
think
is
really
cool.
B
Yeah,
it's
oh,
never
a
dull
day
right
when
it's
your
when
it's
your!
Is
it
two
week
rotations
for
who's
responsible
for
the
cluster
yeah
so
so
mark?
If
you
don't
mind,
I
want
to
talk
a
little
bit
more
about
some
some
core
os
things.
So
one
as
you
mentioned
it's
built
on
top
of
route.
We've
mentioned
that
a
bunch
of
times
because
we
inherit
things
like
drivers.
B
Hardware,
compatibility
a
lot
of
the
other
security
features
from
rel
itself,
and
that
includes
things
like
se,
linux
and
I
know
se
linux
was
we
recently
brought
it
up
because
of
the
nsa
hardening
guide,
so
they
had
published
that
hardening
guide
and
I
think
we've
got
a
link
somewhere
yeah.
I
had
a
link
somewhere
and
it
kind
of
I
think
most
of
us
looked
at
it
and
said:
oh
well,
most
of
those
are
already
applied
if
you're,
using
coreos
and
openshift
right,
either
through
se,
linux
or
through
other
mechanisms
that
we
have.
B
D
D
But
what
I
do
know
is
that
you
know
all
the
core
services
that
we
get
in
rel
core
os
come
over
from
rel
and
we
have
years
of
experience
in
isolating
those
services
from
each
other,
isolating
them
from
user
workloads,
and
so
we
protect
them
from
rogue
activities
on
the
system.
We
protect
them
such
that,
if
one
is
compromised
that
that
compromise
doesn't
lead
to
further
compromises
on
the
system.
D
In
the
case
of
openshift,
really
I'd
say
that
the
layer
on
top
of
that
is
that
we
have
also
now
years
of
experience
managing
you
know
and
extending
the
isolation
between
containers
beyond
what
container
isolation
right
out
of
the
linux
kernel
gives
you
and
you
know,
so.
We
have
policies
that
separate
all
the
platform,
containers,
sdn,
etc.
D
D
B
B
B
So
if,
if
you
scroll
down
in
this
particular
security
bulletin
and
look
at
the
mitigation
like
the
mitigation
is
basically
you're
using
rel,
congrats
you've
mitigated
it.
So
I
I
I
thought
that
was
kind
of
a
great
example
of
you
know.
The
the
underlying
platform
doesn't
matter
right,
it's
which
linux
you
use
does
matter
and
yeah
to
your
point.
I
know
it's
a
bit
of
a
sales
pitch,
but
it's
important.
D
B
B
B
D
Sure
I
mean
I,
I
know
it
more
from
the
royal
course
point
of
view.
So,
if
anybody
else
wants
to
add
on,
I
will
not
be
hurt.
What
we
have
is
you
have
the
fips
validated
modules
and
the
modules
and
process.
So
we
you
know
we
only
we
we
ship
one
to
the
other,
depending
on
where
you
know
where
it
is
in
the
cycle.
D
C
No,
that
was
about
right
and
that's
the
main
challenge,
usually
with
fips
in
general,
that
if
you
run
a
funky
container
with
some
funky
bass,
it
will
not
inherit
fips,
because
it
has
no
way
of
knowing
that
right,
as
opposed
to
using
a
rail-based
container
like
ubi
or
anything
like
that,
that
it
actually
detects
that
you
have
fips
enforcing
it.
Configures
the
crypto
policy
in
the
container
itself
and
makes
sure
that
you
have
everything
right
and
ready
to
go.
D
D
E
And
also
we
are
not
submitting
the
full
platform,
only
the
the
core
s
version.
So
because
you
know
you
can
you
cannot
it
fix
compliance
for
the
whole
platform
a
little
bit
problematic
and
it's
basic.
It's
basically
for
customers
that
want
using
fedramp
to
use
the
openshift
in
federal
phone
or
other
federal,
a
compliance
level.
But
it's
the
basic
building
blocks
for
failure.
B
I
I'm
I'm
going
to
ask
a
quick
question
and
I'm
not
sure
who
will
be
able
to
answer
it,
so
I'm
not
going
to
deliberately
throw
anyone
under
the
bus,
so
I
know
a
lot
of
times
as
administrators.
One
of
the
frustrating
things
that
we
first
encounter
when
first
using
openshift
is
no
root
user
in
containers
yeah.
B
So
I
know
it's
kind
of
it's
related
to
a
number
of
different
things:
sccs
sc,
linux
and
all
that
other
stuff.
So
I'm
curious
if
anybody
has
kind
of
a
terse
rate,
a
30-second
version
of
the
perspective
on
that,
because
I
think
a
lot
of
people
you
know,
might
think
oh
sc
linux
right.
It
should
protect
me.
Why
does
it
matter
what
user
id
I'm
using?
If,
if
se
linux
is
in
place
and
all
these
other
things.
E
B
D
A
C
To
answer
real
quick,
because
I
was
hoping
that
somebody
else
would
answer
in
case
there's
a
container
escape
your
user
id
is
going
to
prevent
you
from
accessing
anything
from
the
host
cell.
Linux
is
gonna
help,
but
there
are
things
that
your
container
is
still
gonna
have
access
to,
even
if
you're,
using
selinux
right
so
having
a
non-root
user
is
gonna,
prevent
you
from
or
prevent
a
container
from
accessing
anything
else.
B
Yeah,
it
makes
sense,
even
if
it
is
a
bit
frustrating
as
a
first-time
openshift
user,
when
you
can't
just
go,
you
know,
use
this
docker
image
that
comes
from
somewhere,
anywhere
or
and
or
even
my
own
ones
right.
I
have
to
go
in
and
set
that
uid
correctly
in
order
to
get
it
to
work.
So
it's
one
of
those
like
it
is
a
valid
thing,
even
if
it
can
be
a
little
bit
frustrating,
maybe
even
a
little
confusing
at
first.
B
So
it
is
almost
the
top
of
the
hour,
which
means
that
we
do
have
a
hard
stop
today,
so
we
need
to.
We
need
to
close
out
the
stream.
So,
first
and
foremost,
thank
you
very
much
to
our
guests
today.
So
mark
oz,
doran,
really
really
appreciate
you
coming
on
really
appreciate
the
time
that
you
gave
us
today
can't.
Thank
you
enough,
especially.
I
know
you
came
in
very
last
minute,
so
thank
you
so
much
for
that
to
our
audience.
Thank
you
very
much
for
your
attention.
Today.
B
We
really
appreciate
the
interactivity
I've
seen
the
chat
scrolling
by
you
all
have
been
great,
so
I
will
take
all
of
this
information.
I
will
put
links
to
specific
spots
in
the
video
keep
an
eye
on
the
blog
post,
so
it's
cloud.redhead.com
blog
now,
so
I
will
have
that
blog
post,
published
hopefully
friday,
if
not
maybe
early
next
week
and
with
all
of
that
being
said,
I
hope
everybody
has
a
great
day
a
great
week
and
I'm
going
to
steal
chris's
line
which
is
stay
safe
out.
There.