From YouTube: Ask the Product Manager Office Hours w/ Kirsten Newcomer
Description
Join us for a little one-on-one time with a Red Hat Product Manager - each session will feature a Product Manager focused on a specific product or project. We’ll start with an overview & discussion of the topic, then have time for Q&A.
A
Good morning, good afternoon, good evening, wherever you're hailing from. Welcome to the Ask the Product Manager Anything hour on OpenShift TV. Today I am joined by the highly seasoned and security-minded Kirsten Newcomer. Kirsten, please introduce yourself to the audience. Let everybody know what you're up to these days.

B
Hey folks, Kirsten Newcomer, focused on security for OpenShift throughout the stack. That kind of means everything, right, OS level up through the applications. And today we're going to talk a little bit about our soon-to-be-shipping Compliance Operator.

A
Awesome. And just to let you all know, you know, fully openness here: we're talking about it, you know, kind of at a high level, you know, overview level here on this show, but then later today, at 4 p.m.

A
Exposed, yep. So you've got some slides. I do, yeah, yeah. And we have somebody kind of lurking in the dark that might ask questions every.

A
In a while too. Ladies and gentlemen, Scott McCarty is lurking on the channel too as well, but he might be off to the side doing something else. We'll see what he chimes in with, though, questions.
B
But a great partner in crime, partner in security, father Linux, Scott McCarty. We've been working together in the container security space since I joined Red Hat, so yeah, great to have him here. So, as we've just been chatting about, really, you know, you have to have strong security and compliance for an effective hybrid cloud platform. You need a lot of other things, right, but today we're going to focus on the security and compliance elements. So, and when it comes to the complexity.

B
One of the things, and I imagine folks have heard some of this before, right, if you've been paying attention to OpenShift 4: one of the main ways that Red Hat is addressing the complexity of Kubernetes, managing Kubernetes, and in particular Kubernetes in the cloud, is with Kubernetes Operators, right. Every component in OpenShift 4 is wrapped in an Operator, and this actually really helps to address security as well, and as we'll talk about, in OpenShift 4.6 we're adding an Operator for managing compliance.

B
So when you think about complexity, we have to think about how do we manage the machines that Kubernetes is running on, that OpenShift is running on, although of course in OpenShift, right, RHEL CoreOS, the machines are part of the cluster, treated as a cluster. How do you manage the config? How do you make sure that it's consistent?

B
What you want, exactly. So OpenShift 4 addresses all of those things with Operators: machine config Operators, Operators that help to manage the configuration of all the other components, the Operator Lifecycle Manager to help with managing the lifecycle. And so all of the components of OpenShift that you see here are managed with Operators, and I'm not going to spend time here. We're going to bounce on and talk a little bit about the Machine Config Operator. Nice.
A
Yeah, this is an Operator that kind of gives me fits sometimes, right. I'll be honest, right, like it's complex, right, because what it actually does is it takes whatever kind of machine you want, VM, bare metal, whatever you want to call it, and manages it as part of the cluster for you, and that is highly powerful and highly complicated.

B
Yeah, it's a new paradigm for folks, absolutely. And one of the really cool things about it, right: it's managing the operating system layer too, right, and so that allows us to manage the host OS in the same way that Kubernetes manages applications, right. So right, all of OpenShift 4, I'm going to steal a line from Scott, in fact, right: we're using Kubernetes to manage Kubernetes.

B
You go wow, and so the cool thing here, right, is, because it's a container-optimized operating system, because RHEL CoreOS is managed as part of the cluster, we're using the Machine Config Operator to ensure that every node on the cluster has an approved configuration, and if somehow a config change gets made that's not approved, the node is marked as degraded and the admin then is made aware and can make an adjustment, right.
B
Right, so that's now built in to the Machine Config Operator, and so you can have more than one type of machine, right. Maybe you.

A
It does, it's like: okay, I've got, and you know, NVIDIA released this like 59 test card thingy and I'm gonna bring it in, and like I've got a Dell RH-20 across the house and I'm gonna hook that thing up and put it on my network and try to run OpenShift on top of that, as kind of like part of a Machine Config Operator to be like, okay, there is a GPU available in this cluster.

A
With it myself, so the fact that it has the power doesn't, it shouldn't scare people, right, because we've tested it. It's tried, it's true, it works. We constantly verify its security, but actually getting it to work how you want it in your specific environment is often a very tailored kind of thing.

B
And upgrades are a key part of maintaining a secure environment as well, right. There's a CVE fix released. Well, you want to be sure that that update for that CVE fix can be applied across all the nodes on your cluster in a seamless fashion. And pre-OpenShift 4, right, everybody has to manage the host OS layer themselves, independently from the Kubernetes layer, right.
B
So now, with OpenShift 4, if I've got an update, again we're using kube to manage OpenShift as a kube cluster: the OpenShift admin says the cluster is ready for an update, selects the time, and OpenShift will mark a node as ready for update. Whatever level that update's applied at, host OS, platform, kube, logging, wherever it's applied, the workloads will be moved off that node onto other active nodes.

B
The update will be applied. If it's a RHEL CoreOS update, it'll be applied kind of in a static fashion. The node will be rebooted to put that update into service. The node is put back into service and then it moves on to the next node, and if you have applications who know how to work right, they've got redundancy built in, they've got multiple instances deployed.

A
Right, like if you're doing Kubernetes, right, you're doing cloud native infrastructure, right, you've got the ReplicaSets, the Deployments, everything configured to do, like, okay, I need more than one pod to actually do upgrades, right. So how many pods do I actually need to get a solid upgrade of all my clusters done and still be responsive, right? Like, so that's where the tuning and everything else of your applications come in. But it is an amazing thing to watch happen.
B
There's the Container Security Operator, which today is integrated with Quay with Clair. If you deploy the Container Security Operator onto your cluster, you'll get information about any images that are running on your cluster that have known vulnerabilities, as long as those vulnerabilities are known to Clair, to Quay with Clair. We're planning to open that up to allow our partners to integrate with that as well, but today it is really available with Quay with Clair. The good thing is, even if you're not using Quay as your enterprise registry,

B
all of the Red Hat images that you have pulled from registry, you know, redhat.com, registry.io, you're going to be able to see vulnerability data about your Red Hat content directly in the cluster, with the Container Security Operator.

B
Yeah, cool. All right, so what's coming next? Yeah, we have got a big focus on compliance in 4.6. Well, not all of this, I should say, not everything on this list.

B
All out there need to deal with, yeah, yeah, so it's.
B
Right, it really has, absolutely. And one of the things about CIS, and we've really kind of been starting to work more closely, directly, with CIS on this, is that they have now recognized that, as Kubernetes distributions have become like Linux distributions, they've moved beyond the idea of a single CIS benchmark, right. There used to just be the CIS Kubernetes Benchmark, but now there are multiple CNCF-certified distributions of Kubernetes, and you'll start to see in the CIS that they have benchmarks for different distributions.

B
So we're working directly with CIS to publish a CIS OpenShift Benchmark. Nice. Yeah, yeah, because in fact the way we harden OpenShift is different, right. If you were to take a vanilla kube benchmark and use the audit commands there, they wouldn't work, in part because we're using Operators to do all the configs, and so you have to actually have audit commands that know how to find the Operator configs, right. So we've been spending.

B
To find things, but all of these items are relevant to our customers and therefore we're investing in all of them. I will say also that one of the good things, and if anybody's ever, like, if you know the Cloud Security Alliance, they do this: they publish this regular matrix of how all of the regulatory controls map to each other, so they kind of have on the right hand.

B
So that said, right, if you don't have automation, compliance is complex. There's a wide range of elements to compliance. Some are technical controls.
B
Some are process controls, some are people controls, and so kind of for somebody who's doing this in their environment for a deployment, right, compliance is typically applied to a deployment rather than a product. You have to kind of have somebody who helps you think across all of these controls: which are the ones that matter to your environment, based on the frameworks that you care about, who's going to implement which controls, how do you assess those?

B
How do you get your auditor to sign off, and then how do you do ongoing monitoring of all those controls? And so Red Hat has been investing in automation in this space for some time, actually.

B
So we deliver, like, you can boot your RHEL system with PCI DSS compliance, you can boot it for DISA STIG, you can, there's kind of a, you can do HIPAA, yeah. And we're taking the same approach with OpenShift, right. We're just moving that up the stack, and you want to remember when we say OpenShift 4, it's everything: it's OpenShift and RHEL CoreOS together, right.

B
So we've got this Operator coming in 4.6. 4.6 will be out in a couple of weeks.
B
We continue to use OpenSCAP because it is a NIST-certified tool, and our technical controls will be written in SCAP, so that it helps to support, in fact, our public sector customers, but not just public sector, right. We have other customers these days who are really following public sector's lead and becoming familiar. I.

A
Just think of anybody manufacturing anything nowadays, right. Like, one of my former jobs, I used to work at Cree and they grew LED crystals in-house. That was a highly sensitive and protected operation because it was very patented, so like they actually applied higher standards themselves and said no, we must have these kinds of things.

A
Yeah, if you go look at the latest, whatever filings, SEC filings for Google, Amazon, Microsoft, all the big cloud vendors, yeah, they're all up and to the right, so yeah, that's what we're kind of seeing too. But that security and compliance piece is always, always, always that, like, how do you, like? That's always a question, like how do you do security? How do you keep us safe?
B
And right, so we want to make sure that you have a way to do that, to meet not just regulatory compliance but perhaps your own internal security requirements, and that you have a way to do that that is common across any deployment you have, whether that's on premises, whether that's AWS, Google, Azure, wherever you are. Our goal is to make it easy for you to manage and maintain your cluster in the same way, right, so that you don't have to redo your operational procedures for every deployment you do.

A
Right, and by the way, yeah, it's generic compute you're dealing with too. So it's probably the cheapest way to run a big fat, not big fat, but enterprise-level, secured, consistently between multi, you know, kind of hybrid cloud environments. I don't know of a better way. Like, you can't put the same controls in place for AKS, EKS, XKS, whatever, as you can with OpenShift in a consistent and console, and not consolidated, but just consistent and stable manner.
B
And so we were talking earlier about the range of compliance frameworks that are out there in the world that folks who use OpenShift need to think about and comply with, and so in 4.6, when we ship with the Compliance Operator, the first release of the Compliance Operator will have a limited set of checks, primarily focused on compliance checks on RHEL CoreOS, and one of the big value adds there, right.

A
To customers, they would always ask, right, like how do I get XYZ security agent running, and it's always like this paradigm shift that you immediately have to talk about, and it's like, okay, if we could expose some of these things that these various agents that are out there doing OS security do, like by default, that'd be great, and this thing kind of answers that question.
B
Yeah, so it gives you a way. And so again, we're going to use a project. Everything we do is upstream, right. There's something called ComplianceAsCode on GitHub. You can see the compliance profiles that are available as we productize those. The way the Compliance Operator works, right: it's an optional Operator. You choose to deploy it to your cluster. You pick a profile from those available, and when they're productized they'll be delivered as containers, and you pick a profile, you tell the Operator to run that profile.

B
It's going to use OpenSCAP to actually do the scan. You can tell it which, we mentioned machine config pools briefly earlier, you can tell it whether you want to run the scan on all the nodes or on a subset of the nodes organized by machine config pools. It goes, it runs, it checks all of the technical controls that are in that list, it outputs results, and then those results can be examined by accreditors or auditors.

A
Yeah, I mean there's some things you do. Someone just asked me for the GitHub link. I just dropped, sure, let me drop it again, as ComplianceAsCode. Just all one word, right? Yep, okay, cool, yeah. I already found it, cool. Okay, sorry! Please continue.
B
Oh yeah, no, that's fine, and I was just gonna say, so, an example of a kind of configurable control, actually back to the CIS benchmarks. So when 4.6 ships, we won't have all of the checks for the CIS benchmark; we're actively working on writing those in SCAP now, and so we will be delivering updated profiles, content for compliance checks, probably about every two months. We're hoping to do it more quickly than that, but we'll see how that goes, and we're gonna shoot for about every two months.

B
The CIS benchmark is our next target, so we expect we'll have that by the end of this year. Cool, yep, hopefully November, December. So hopefully sooner than later. One of the cool things, though, is that actually the majority of the CIS benchmark controls, a lot of them, are about file permissions.

A
Right, yeah, like, and if you're doing, what's it called, like high value or high frequency trading, that performance hit is noticeable, right.

A
And that's, you know, that's kind of what, you know, I think we typically recommend, right. Like, you know, if people want to keep it all in cluster, fine, you know, there's ways to do that, but we typically recommend that, like, you use an Operator that works with another secret store that manages those secrets separately, forward.

B
Yeah, for security-conscious customers, using an external vault for their app secrets is a great thing to do, so. Yeah.
B
All right, so yeah, stay tuned. Awesome. So I'm trying to think what else in here we might want to hit. This is just kind of a chart that gives you an idea of, if you're not that familiar with compliance, you know, what kinds of controls are put in place, what are people checking for.

B
Going to look, for example, for session management, for token inactivity timeout, you know, it's.

B
Authorization, right, OpenShift has RBAC on by default. You know, a whole range of things like that, and again many of these controls, TLS cert management, right, is often a big part. Auditability, right: do you have the ability to audit events, at what level is auditing happening? All of that kind of thing comes in. This is just a graphic, and it sounds like you're.
B
Gonna, you'll have a chance to do some hands-on later, so, but just to kind of give you an idea of the flow, we've sort of spoken to this already. So again, you pick a suite or a profile. The scan is, that's handed off to the OpenSCAP engine, the scan is run against, again, one or more machine config pools, scan results are then fed to a compliance checklist, and you can choose to remediate or not. I'm gonna skip. Oh, I should mention for folks who are familiar with OpenSCAP in RHEL.

B
Can recognize, for vulnerability scanning, absolutely, but when we think about the model too, right, everything is intended to be immutable and reproducible from code on OpenShift. So you really should be doing your vulnerability scanning, whether it's for the platform or the apps, you should be doing it pre-deployment.

B
You should be doing it in the registry, in your mirrored registry for io, wherever it is, that's where it should be happening. You really want to shift that security left, and running vulnerability scans on an operating system where /usr is read-only, and on your OpenShift platform, where again everything's deployed as images by Operators, the config is managed by Operators, not sure that that's really worth the time.
B
Yeah, and you know I was talking with one of my colleagues about resiliency as well recently, and one of the key things, again we're talking infrastructure and applications as code here. So we do have OpenShift customers who design their environment so that they can tear down and redeploy from code every 30 days, yeah.

A
Yeah, I mean as soon as you can do it in the pipeline, to where it doesn't, you know, impact some kind of other operation, you know, at the same time, right, like sooner is better than later. Before deployment, always, and like literally any container should be scanned right off the bat. If it's going into any cluster anywhere, that container should be scanned right off the bat. Cool.
B
Teeny, teeny text, and then here you can kind of get an idea. This is, we are actively working with DISA on a STIG for both RHEL 8 and RHEL CoreOS. So this is just kind of an idea of what that might look like when we get there. One.

B
Yeah, no, I should say we don't have a predicted timeline; we're in process with them. The team that's talking at four o'clock, the North America public sector team, they're directly involved, but I'm told maybe Q1 of 2021. Yeah.

B
Again, a really common element of compliance frameworks is file integrity management. It's one of the reasons sometimes that folks are used to deploying those agents you mentioned, Chris, on operating systems, right, and so AIDE is available on RHEL. It stands for Advanced Intrusion Detection Engine, and so we're going to leverage it as well for file integrity checking on RHEL CoreOS. Yeah, so you'll be able to kind of list the set of files that you want to be sure you're checking for regular, ongoing integrity.
B
Again, we wouldn't expect much change because /usr in RHEL CoreOS is read-only, but again, you know, one of the challenges with compliance is that the auditing, the regulations and the auditors have a hard time keeping up with changing technology.

A
Right, because you know the various auditors are kind of driven by the market too, right, like the market, you know, they catch up to it, and having this File Integrity Operator there, I feel like, is this available to, like, workloads? You know, like could I put this into my application as a separate kind of thing, or is this cluster-only right now, where.

A
It's almost like, I hate to use the term, it's almost like a blockchain for your infrastructure, right. Like you've got hashed values for each file on your file system, and if it doesn't compare, or if there's a diff, something's going to be there to fix it for you, right, and it's going to be very, very automated, right.
B
It's one of the interesting tensions, actually, that we've had around the Machine Config Operator.

B
We may determine down the road that we can automate that remediation, but we're also trying to keep pace with what our customers are comfortable with, right.

A
Right, like, and yeah, perfect point: security and agility, boom, is like a car crash test. So, like, you've got to be able to say, hey, you know, old security standard, new security standard, whatever it is, yeah, I comply. And I think putting this into OpenShift is going to help a lot of people in the long term for a lot of problems that they have right now with compliance and regulatory and auditing.

A
Yeah, like, it's been a long time since I've manually applied updates to a system, right, like seriously. It's been a very long time since I've done that. I think it's only been on Windows boxes because of, like, oh my god kind of vulnerabilities, right, but that's it. Like all my, you know, Unix systems in the house, everything gets updated automatically, right. Like I don't spend time doing updates, yeah, right, unless something breaks, which is super, super rare, and I'm talking like at the host bare metal level.

A
You know, VMs is even rarer. Right, like I'm talking about my OpenShift cluster, so yeah. Like, where are we going, where's the future?
B
For those who are aware of Red Hat Advanced Cluster Manager, they have a governance, risk and compliance framework that is part of the ACM offering, and their compliance framework will be leveraging the Compliance Operator. So we have been working with them on enabling the integration that will be, you know, now that the Compliance Operator is coming with 4.6, so we will be providing, they kind of deliver.

B
They do these integrations through what they call policy, so we'll be providing a policy script that will first be available in the community version of their repo, and so you'll have the opportunity to try that out with the Compliance Operator, and then over time that will move to the stable channel.

B
You need a way to manage across all those clusters. ACM gives you that way, and again in combination with the Compliance Operator, you can manage compliance in exactly the same automated fashion across all those clusters. Nice. So that's awesome, yeah! This is just a little bit more about when we expect profiles to be delivered, right. We are working on the CIS benchmark, also on the STIG, as I mentioned, and FISMA Moderate is a big target for us.
A
That would be bad. I'm sure there's customers that are like, we need this, we need this, we need this, we need this, we need this, but there's probably a lot of customers that are like don't break this, don't break this, don't break this, don't break this too. So it's that very delicate balance again.

B
And the good news again, though, is that, you know, many of the controls, especially in FISMA, you know, overlap with the controls in PCI DSS or in ISO 27001, HIPAA. So we'll have an opportunity. I actually should move Australia Essential Eight; it probably should be moved to near term for anybody who's listening from APAC, okay.

B
Some of our team in Australia actually delivered the SCAP content for that, that's.

B
Absolutely, and you know many regions have their own, both regions and verticals. You know, different industries have their own compliance, and again mostly the goal, the controls are the same. They maybe just organize them a little differently, they word them a little differently, and so in general they should be, you know, all these different controls, technical controls, are generally useful.
B
You'll also have the ability to customize policies. Say you have some internal technical controls that aren't outlined by the regulatory framework; you'll have the ability to add those custom policy sets. And then of course, since 4.6 is our first release of both the Compliance Operator and the File Integrity Operator, we're looking forward to feedback and continuing to kind of improve those solutions over time. We're also looking at how can we help customers get better advantage of SELinux?

A
Our big heavy hitter security-wise, Walid, just came into the channel, so we'll see what he has to say. But a question was: does every Red Hat employee get a red hat? And the answer is.

A
Do, although I believe Kirsten's hat, is that a Red Hat red hat or.

A
But yes, you do, and they are all lovely, and if I would go for it, well, actually I can reach it. Yeah, like mine, mine is right here. Narendev.
A
Like we all get one at orientation, and even our digital orientations now, they get shipped, so yeah, it's pretty cool. So, some questions: can CRI-O be compatible with OCP 4.6? Yes, all OCI-compliant or OCI-adherent container runtimes will work in OpenShift.

B
Yeah, well, and CRI-O is our default runtime for OpenShift 4. So any container image, though, if you build your image with Docker or, you know, some other tooling, it will run on OpenShift as long as it's OCI compliant.

A
Cool. So next question, and this might be a wild card for you. There might not be a right answer for this and that's totally fine, but it is an interesting question nonetheless: I need to check how I can only enable image policies to a selected list.

A
Our friend from Saudi Arabia, so.
B
Yeah, so you know it's interesting, I was just thinking about, Andy Block might have some good thoughts on that, but he's not with us at the moment. So at the moment, as you're probably aware, right, the admission controllers, the admission plug-ins, are cross-cluster, right, and so the one thing that maybe comes to mind, I don't know if you've explored OPA Gatekeeper at all, Walid.

B
OPA, OPA, OPA.

B
Starting to get a lot of traction out there, and also, kind of on a related note, right, ACM has the ability to apply policies per application.

B
And so it might be that both those paths are things that you want to explore, because, again, most of the admission controllers are across the cluster, and so I would take a look both at, you know, learn more about Red Hat ACM, and kind of go explore OPA Gatekeeper and see if there's something there that looks interesting.

A
Yeah, OPA is a pretty hot commodity right now. If you're in the security realm and you're looking at, you know, trying to do anything in the cloud native space, I highly recommend looking at Open Policy Agent, what's going on in that realm, that project in general. I'm a big fan of it. I wish I could spend more time working in it, to be honest with you, but my plate is pretty full.
A
Later, yeah, the, yeah, I always try to grab them midstream and put them up, but that rarely ends up always working out, so yeah, there's the slides, and yeah. Well, he just dropped academy.styra.com into the links, to a free Rego and OPA course. So I might check that out, you know, so see how good it is. Yeah.

A
That's saying thank you to you. Thank you, Walid, appreciate that. So yeah, Narendra, taking out of that, OPA is good for you and good for me. Narendev is our, what, how should I describe him? Our constant thirst for knowledge; he's constantly searching for, you know, new things to learn and it's very refreshing. He joins us and shares what he's learned along the way too, so yeah. So I don't think there's anything else gonna come in, to be honest with you, question-wise, but Kirsten.

A
Thank you so much for joining us on the channel today. It was a super, super great talk and I look forward to diving in a little further. Oh, hang on.

A
OKD might be the right answer for you, psi4, maybe that.
A
I would say that anybody running a Kubernetes cluster for something they care about, doing it with a distribution of sorts is probably better than doing it with, you know, whatever comes out of k/k, to be honest with you. Can we install OpenShift in the new Graviton nodes in AWS? So OpenShift on ARM, I think, is in the works.

A
I don't either, so the answer is not yet, Walid, but the details will probably be coming in some future release about ARM, yeah.

A
I know there's been talks about it for sure, so yeah. If you go to the link I just dropped in chat a second ago, I'll drop it again just because I can, you can go spin up your own instance of OpenShift kind of wherever you want.

A
We even have the Assisted Installer that actually generated an ISO for me to install it on my, you know, bare metal cluster here in the house, so there's a lot of different ways to install OpenShift these days, and if you want to use the upstream version of OpenShift, it's called OKD and that is available at okd.io, which is fully open source.
A
No license required, no fancy thing, so yes, Narendra, you could spend, you can't do it on AWS technically for free, because we don't use free tier nodes, but yeah, you could spin up a cluster and pay for, like, you know, however long you need on AWS, done, and, you know, just shut it off when you're done. And actually, I turn off my bare metal cluster. You know, I have to turn it on within 24 hours. It also just completely blows away a cert, but yeah.

A
Yeah, I know, that's good to hear, so yeah. Maybe I can actually save some power over weekends and stuff now, okay, fun! Well, great! That's good to learn! Is there any runtime scanner, eBPF-based, on the feature roadmap?
B
No, we've been, we definitely are looking into eBPF. It's actually a very popular topic of conversation at Red Hat these days. We're also, and related to that, we're expecting, we are investing in enhanced visibility and observability for the networking layers.

B
That absolutely is tied to eBPF, right, being able to get better data, you know, kernel level and networking level data. So yes, I don't have a timeline for you, but yep, we're looking into it.

A
Yeah, I think they are using eBPF as well, so yeah, there's a few options out there, actually, so yeah. Please, please, please feel free to, you know, kick the tires on any of those in OperatorHub and see which works best for you.
A
I did a show, another one I missed, yes, oh yeah, I did do a show with the folks over at Sysdig, good friends, Papa, Andrea, they're, yeah, they're awesome. I love working with them on stuff, so, and I think they're going to have me on one of their shows here in the near future. I.

A
There were two Sysdig shows, says Narendev, yeah. Maybe we had Dan and then.

A
I think, but anyways, yeah, just hit up the YouTube playlist, and I've already dropped a link to that, but I'll drop it again, just because I can and links are fun, and you will have the ability to go through all of the OpenShift TV archive and watch whatever pleases you the most, and, you know, use the fun of Google search to do that. So yeah, again, I want to thank you, Kirsten, for coming and joining.

A
And thank you all in the audience for joining us. We'll be back here in about an hour for talking about Istio with the OpenShift Commons Briefing team, so that'll be fun. Look forward to seeing that, so.