Description
Red Hat Advanced Cluster Security Update
Red Hat OpenShift Commons 2022 @ Kubecon/NA
Detroit, Michigan
October 25, 2022
Speakers:
Doron Caspin & Michael Foster (Red Hat)
https://commons.openshift.org/gatherings/kubecon-22-oct-25/
B
That's awesome, I'd love to hear that. StackRox, obviously recently rebranded to Red Hat Advanced Cluster Security after the Red Hat purchase in 2021. It's been a fun two years. We have some cool announcements we want to share with you, and I'm just going to go through the agenda. Real quick, a quick update: obviously I'm not going to ramble about security and Kubernetes. We're going to get into the product, where it's at, a little bit of the mission as well as the roadmap, and introduce you to the new ACS cloud service.
B
Doron's been working on this entirely and tirelessly, and it's been really awesome to see a little bit of the StackRox vision come to life in the last year. And then again, how to get started and what's next for us, a little bit of a roadmap. Any questions, I think we keep it at lunch; we'll be over there, come meet us after. So security and Kubernetes, always a hot topic. SigstoreCon kicking it off today too, I think Luke Hinds is here again, I think, over the last seven years.
B
And for our delivering business value, this is supposed to come with a huge list of notes. I'm not going to ramble about it, but in terms of the mission of StackRox, really we want a faster time to resolution. We want to build those security policies early in the CI/CD process with notifications, so that developers know how to remediate their fixes, and we want to cut down on noise. We want to bridge that skill gap, so I mean, I'm sure for some security teams getting into Kubernetes it's a little overwhelming.
B
We want to make sure that they have the right context, that developers, operations and security teams can share information easily and hopefully asynchronously, if we can automate things. And then we want to break across functional barriers, provide guidance, enable collaboration in a way that we can do it all declaratively. So again, security programs are successful when they deliver these key attributes.
B
So where does ACS fit in? For those, I mean, that's kind of nice that everybody knows about it, so I'll keep it brief, but we really excel in vulnerability management and pairing that with the rich Kubernetes data of the configuration, all the different manifests, to give you a more in-depth look at the risk in your cluster for your applications. We obviously use Kubernetes-native controls, things like network policies for network segmentation. We generate those network policies as well to help out, and then, of course, we have remediation to help.
B
You meet compliance standards, and an eBPF module as well for detection and runtime response, and it really is an awesome platform if you guys want to check it out. And then I'll hand it off to, oh, I got one more slide before Doron takes over. But again, we were the first Kubernetes-native security platform, I like to point that out, the first in 2017 to really break out and take that title, and again it's about building those policies in your build, deploy and run infrastructure, doing it as shift-left as possible.
A
We create security and alert workflows for teams to use namespace and namespace annotation, and we add, I will not go over all the features, but we introduced a lot of new features and also integrate with the stack, with Red Hat in general. We integrate with RHEL 9. In version 7-2, we introduced a lot of integration with our compliance framework, with the Compliance Operator, and we are also supporting all the cloud implementations of OpenShift today, including ROSA and ARO.
A
Yes, so for the last year we're working on making ACS a cloud service, a SaaS offering, and that allows customers to have a quick time to value. So you don't need to install Central, you don't install the main components, you don't need to maintain it. We will maintain it for you in the cloud. We also, we will introduce a better, easy way to purchase it and use a regular cloud way of consuming services.
A
We will provide the full support, 24/7 support and SRE support in the background. And we also, if you run, we will be able to secure any Kubernetes cluster. We can do it today, yes, but using cloud services will make it easier for customers to use and secure EKS, AKS and GKE. And some additional information: so again, we are launching first on AWS, but basically we will expand to the rest of the clouds, but you get the base ACS capabilities with cloud native and Kubernetes.
B
And if you want to manage it yourself and use the operator, that's always your choice too, yeah. If you want to sign up, so we're releasing this as a service preview to start. We're looking for customer feedback, seeing what our customers need. So if you scan the QR code, it'll bring you to a page for sign-up again.
B
There's that service preview process; you'll probably end up on a call with me eventually, taking down all of your worries and fears, and we'll get through it together. So again, scan that QR code for more. The QR code will pop up at the end as well, and you can always find us for more questions. Doron, what else am I missing?
A
And yeah, we're looking for customers to sign up for the early access, to use this product with us. Together we will have white-glove service from our team helping you use the product, and we're looking for feedback from you and other customers to get our product better and launch the best product. As.
B
We can, on doing GA, yeah, and the goal is to start service preview in December as well, yeah, right. So it's coming up pretty fast, and then what's next for ACS specifically: we're working out the roadmap right now. Doron knows the roadmap way better than I do, so I don't want to take over, but in terms of key priorities for us, always innovating in the security space.
B
There's a lot of moving parts, and I'm sure, I think Luke, yeah, Luke's here, a lot of talk about security over at KubeCon right now. So, security innovation. Obviously the cloud service, working with integrating into Red Hat's existing portfolio with things like Quay and the different Clair scanners and things like that, and of course the StackRox open source project. Send your developers up there. It's really nice to get contributions, and we'd love to have you on our community meetings.
A
Yeah, so we ramp up our vulnerability management. One of the major things is we align with, we're walking on the line with Clair, so we have one security, one vulnerability management tool for all our open source, all our Red Hat stack.
A
We enhance the vulnerability management with a lot of new guidance and presentation and workload, and we add more and more capabilities for dashboarding and presenting capabilities. We launched already RHEL 9 UBI and RHEL 9 RPM vulnerability scanning.
A
We introduced the host vulnerability scanning, and we will include it, it's already available, but we will enhance the capability for developer local image scanning and for the DevOps or SecOps and compliance. We continue with the dashboarding, improving our dashboarding and including trends and history data, including introducing risk indicators that exist today.
B
I was gonna say, I'm giving a demo if anybody's at KubeCon on Thursday about this. The NP Guard project's really cool: creating network policies at the developer level, checking it against some policies that your security teams checked in, so that you can do it asynchronously and you don't have the security team coming in after and cramming down network policies on your developers. So it's awesome, the NP Guard project, if anybody wants to look it up, or come meet me at the Red Hat booth on Thursday at 10:50.
B
But again, that's a huge one, I think, for network security, because it's definitely a very powerful Kubernetes-native tool, and we want people to implement it in a way that works for their teams.
B
And yeah, so for community projects, the StackRox project, obviously stackrox.io, you can find out all your information there. We use the Clair scanner underneath the hood, so does Quay as well. Falco is a project that we contribute to, and we love them, they do some great work. They help with a lot of our runtime scanning. And the KubeLinter project, so we can extend some of those checks to the developer.
B
You can do some quick configuration checks against your YAML files to see what's not necessarily the most secure. And then lastly, I think, is the final send-off before lunch. We'd love you to sign up, even if you don't necessarily think you're the best use case. Sign up, let us contact you, let's see what you're working with, and we'd love to even get feedback from you if you're not using it, and why you're not using it. So, really appreciate you listening to us. Hope you have a great lunch and enjoy the rest of Commons.