Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Red Hat OpenShift / London 2020 | OpenShift Commons Gathering / 29 Jan 2020
Red Hat OpenShift / London 2020 | OpenShift Commons Gathering / 29 Jan 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Lightning Talk: Secure DevOps for OpenShift: Chris Kranz (@Sysdig)

Description

Lightning Talk: Secure DevOps for OpenShift: Enhancing Security, Compliance and Performance
Speaker: Chris Kranz (Sysdig)

https://sysdig.com/resources/filter/?s=openshift

The OpenShift Commons Gathering was held on Jan 29th, 2020 in London, UK, and featured guest speakers from local customers and users. The OpenShift Commons Gatherings brought together 300+ experts from all over the world to discuss container technologies, best practices for cloud native application developers and the open source software projects that underpin the OpenShift/Kubernetes ecosystem.

https://commons.openshift.org/gatherings/London_2020.html

A

Thanks, oh and it's always nice being between you and lunch, so I will try not to take too much more of your time, so a kind of presenting Cystic and the Cystic secured DevOps platform, another one of the great things about open shift and one things it's a pleasure working with the Red Hat team on is, as you mentioned before, it is absolutely secure by default and a lot of security controls in there there's a lot of security controls within Red Hat's, not just in terms of open shift.

A

You got the open s, cap and insights, and so on. So you've got a lot of this protection stuff already out of the blocks. So how can how can security vendors like Akron ourselves, come here and actually help you improve on this? Well, it's about making sure you've got more than just the basic levels, as you start scaling this out. So you go beyond a single cluster. You go beyond your test environments. How do you manage that when you've got 10, 20 30 different cluster environments?

A

How do you manage that, when your scale across two or three different cloud environments? You want to have that single view for things? And if you haven't, you know that again, the Aqua team have been doing some great work with EPF. If you haven't had a look into EBP F definitely look into it. It's one of the because it gives you such a low-level visibility. It's absolutely you know. Some people are touting it's kind of the future of observability, but it's also in many respects the future of security in general.

A

It's analyzing all those system calls and that's core to what we're doing as well. With Cystic and I. Think you'll see many vendors using going down that route because it really is such a great low, low impacts but high level information in there. So we leverage that'sthat's kind of kernel level information to give you two really core bits of information: that's observability for telemetry and my applications. Healthy are the goods.

A

Now, yes, you get this out of Prometheus and open token shift for you're gonna get Prometheus out of the box, but it's digging deeper into that information to working out. How do I actually get the context of that? How do I dig deeper into my applications? Understanding? Why is my performance, bad? Where are my bottlenecks appearing and then again giving you that view across multiple clusters so giving that low-level information is really important, as touched on the great thing about EBP eff?

A

Is it also gives you lots of great security context, I'm applications doing what they should be doing? Am I forking processes? Is my nginx making caused outbound calls to the Internet? Is my rabbitmq server port of forking a Python process? These things are really easy to detect and a great thing about containers is. They should do one thing and they should do that one thing well, so it should be really easy to work out when that's doing wrong. But how would you know today that your nginx server is doing something other than nginx?

A

So that's really the level of information we're looking at providing. So it is about and combining this there's skip through this just in in view of time and get more into one of the different areas we we cover. We talk about. This is the idea of build, run and respond so a build time. This is when you're, absolutely you're, building your containers.

A

You want to make sure your you've got security best practices, you haven't, got config drift, you're, going through just general container best practices you're, something want to make sure you're, not baking in vulnerabilities, about early stages. This whole idea of shifting security left is really important because you want your developers, you you want your application development teams to have security in mind and the real way to do that is to give them feedback make sure they know most of the time.

A

Traditionally, when it comes to security, we didn't know we have a security problem until we put it in production and the firewalls and all the other security tools turn around and says. No, you can't do that and then we learn and we go back getting this information as early as possible is important.

A

It's the whole agile methodology of getting fail-fast, get that feedback in there as well, so pushing this back at the build time and, of course, the run timers the Aqua guys were showing you can have things embedded that you have no idea they're, it's the great and terrible thing about containers is I, can download something from the Internet have no idea what it does, but have that running in a production workload so being able to create these profiles to work out, what's good, what's bad, what's ugly, what's indifferent, making sure you've got that view of both application, health and application security and then finally, what happens when things go wrong?

A

Verna, Vogel's, massively quoted everything, fails all the time and it's true you have to go in with this with the approach of my applications are going to fail at points in a very similar way from security. A lot of people have the approach and have the view that I am going to have a security breach at some point, some people have a slightly more negative view that I've already have a security breach.

A

I, just don't know it yet being prepared for this having the ability to actually capture and analyze those events at low level after the after that something bad has happened, is really important. That's the idea of what we talked about. We will respond and, of course this happens across the full lifecycle. You've got dozens and dozens of tools. Openshift is one part of your tool chain. You've, no doubt got all sorts of DevOps tooling these days, and it's making sure you can have these integrated rather than going from dashboard to dashboard to dashboard.

A

Making sure you've got that nice clean flow. Introducing more tools to your DevOps teams is not going to get them to adapt stuff. You want to make that simple.

A

Checking the time I'm not going to go through that slide. It's in here, so you've got a reference and that's probably where it so we have got a booth. Upstairs I didn't want it. I don't want it laid, but too much of this because I, because I can smell that food and I'm sure you can as well so get some food. Get some energy back in and come talk to us later on and look forward to having some drinks with a few as you as well.

A

You.