Description
Lightning Talk: Secure DevOps for OpenShift: Enhancing Security, Compliance and Performance
Speaker: Chris Kranz (Sysdig)
https://sysdig.com/resources/filter/?s=openshift
The OpenShift Commons Gathering was held on Jan 29th, 2020 in London, UK, and featured guest speakers from local customers and users. The OpenShift Commons Gatherings brought together 300+ experts from all over the world to discuss container technologies, best practices for cloud native application developers and the open source software projects that underpin the OpenShift/Kubernetes ecosystem.
https://commons.openshift.org/gatherings/London_2020.html
You've got OpenSCAP and Insights, and so on. So you've got a lot of this protection stuff already out of the blocks. So how can security vendors like Akron, ourselves, come here and actually help you improve on this? Well, it's about making sure you've got more than just the basic levels as you start scaling this out. So you go beyond a single cluster. You go beyond your test environments. How do you manage that when you've got 10, 20, 30 different cluster environments? How do you manage that when you scale across two or three different cloud environments? You want to have that single view for things.

And if you haven't, you know, again, the Aqua team have been doing some great work with eBPF. If you haven't had a look into eBPF, definitely look into it. It's one of the... because it gives you such low-level visibility. It's absolutely, you know, some people are touting it as kind of the future of observability, but it's also in many respects the future of security in general. It's analyzing all those system calls, and that's core to what we're doing as well with Sysdig, and I think you'll see many vendors going down that route, because it really is such a great low-impact but high-level source of information. So we leverage that kind of kernel-level information to give you two really core bits of information: that's observability for telemetry, and are my applications healthy, are they good?

Now, yes, you get this out of Prometheus, and OpenShift, for you're gonna get Prometheus out of the box, but it's digging deeper into that information to work out: how do I actually get the context of that? How do I dig deeper into my applications? Understanding why is my performance bad? Where are my bottlenecks appearing? And then again giving you that view across multiple clusters. So giving that low-level information is really important. As touched on, the great thing about eBPF is it also gives you lots of great security context. Are my applications doing what they should be doing? Am I forking processes? Is my nginx making outbound calls to the Internet? Is my RabbitMQ server sort of forking a Python process? These things are really easy to detect, and the great thing about containers is they should do one thing and they should do that one thing well, so it should be really easy to work out when that's going wrong. But how would you know today that your nginx server is doing something other than nginx?

So that's really the level of information we're looking at providing. So it is about combining this. I'll skip through this just in view of time and get more into one of the different areas we cover. We talk about this idea of build, run and respond. So at build time, this is when you're, absolutely, building your containers. You want to make sure you've got security best practices, you haven't got config drift, you're going through just general container best practices, you want to make sure you're not baking in vulnerabilities at the early stages. This whole idea of shifting security left is really important because you want your developers, you want your application development teams, to have security in mind, and the real way to do that is to give them feedback, make sure they know. Most of the time, traditionally, when it comes to security, we didn't know we had a security problem until we put it in production and the firewalls and all the other security tools turn around and say, "No, you can't do that," and then we learn and we go back. Getting this information as early as possible is important.

Werner Vogels is massively quoted: everything fails all the time. And it's true; you have to go in with the approach of: my applications are going to fail at points. In a very similar way for security, a lot of people have the approach and have the view that I am going to have a security breach at some point. Some people have a slightly more negative view: I already have a security breach, I just don't know it yet. Being prepared for this, having the ability to actually capture and analyze those events at a low level after something bad has happened, is really important. That's the idea of what we talked about: we will respond. And of course this happens across the full lifecycle. You've got dozens and dozens of tools. OpenShift is one part of your toolchain. You've no doubt got all sorts of DevOps tooling these days, and it's making sure you can have these integrated rather than going from dashboard to dashboard to dashboard.

Checking the time, I'm not going to go through that slide. It's in here, so you've got a reference, and that's probably where it... So we have got a booth upstairs. I don't want to delay too much of this, because I can smell that food and I'm sure you can as well. So get some food, get some energy back in, and come talk to us later on, and I look forward to having some drinks with a few of you as well.
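Added example, not code from the talk, from Sysdig or from OpenShift: a small allowlist-based detector in Python that performs the per-container baseline check the speaker describes (is nginx doing anything other than nginx, is RabbitMQ forking Python, is a container calling out to the Internet) over a handful of constructed syscall-style events of the kind an eBPF probe surfaces. The event schema, the image names, the per-image process allowlists and the 10.0.0.0/8 egress range are all assumptions made for illustration.

```python
"""Allowlist-based runtime detection over syscall-style events.

Added illustration, not Sysdig/Falco code. The Event schema, the policy
table and the sample events below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Event:
    image: str     # container image the process runs in, e.g. "nginx:1.17"
    syscall: str   # "execve" (a program was started) or "connect" (outbound socket)
    proc: str      # name of the process that issued the syscall
    arg: str       # execve: path of the binary started; connect: "ipv4:port"


@dataclass(frozen=True)
class Finding:
    image: str
    rule: str
    detail: str


# Per-image baseline (assumed values): the binaries the container is expected
# to run and the networks it is expected to talk to. Anything outside this is
# the container "doing something other than nginx", in the talk's words.
POLICY: Dict[str, Dict] = {
    "nginx": {
        "procs": {"nginx"},
        "egress": [ipaddress.ip_network("10.0.0.0/8")],  # in-cluster upstreams only
    },
    "rabbitmq": {
        "procs": {"beam.smp", "epmd", "erl_child_setup", "inet_gethost"},
        "egress": [ipaddress.ip_network("10.0.0.0/8")],
    },
}


def image_name(image: str) -> str:
    """'registry.example/lib/nginx:1.17' or 'nginx@sha256:...' -> 'nginx'."""
    name = image.rsplit("/", 1)[-1]
    for sep in ("@", ":"):
        name = name.split(sep, 1)[0]
    return name


def egress_allowed(ip: str, networks) -> bool:
    """True when the destination falls inside one of the baseline networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def evaluate(events: Iterable[Event]) -> List[Finding]:
    """Compare each event with its image's baseline; one Finding per deviation."""
    findings: List[Finding] = []
    for ev in events:
        policy = POLICY.get(image_name(ev.image))
        if policy is None:
            # A missing baseline is itself worth surfacing: nothing catches drift here.
            findings.append(Finding(ev.image, "no_policy", f"{ev.syscall} by {ev.proc}: {ev.arg}"))
            continue
        if ev.syscall == "execve":
            binary = ev.arg.rsplit("/", 1)[-1]
            if binary not in policy["procs"]:
                findings.append(Finding(ev.image, "unexpected_process", f"{ev.proc} started {ev.arg}"))
        elif ev.syscall == "connect":
            ip, _, port = ev.arg.rpartition(":")  # IPv4 only in this illustration
            if not egress_allowed(ip, policy["egress"]):
                findings.append(Finding(ev.image, "unexpected_egress", f"{ev.proc} connected to {ip}:{port}"))
    return findings


# Constructed sample stream: what a probe might report for three containers.
SAMPLE_EVENTS = [
    Event("nginx:1.17", "execve", "nginx", "/usr/sbin/nginx"),        # nginx re-executing its own binary: fine
    Event("nginx:1.17", "connect", "nginx", "10.0.12.7:8080"),        # proxying to an in-cluster upstream: fine
    Event("nginx:1.17", "execve", "nginx", "/bin/sh"),                # nginx forking a shell
    Event("nginx:1.17", "connect", "sh", "203.0.113.10:4444"),        # that shell calling out to the Internet
    Event("rabbitmq:3.8", "connect", "beam.smp", "10.0.3.4:25672"),   # broker clustering traffic: fine
    Event("rabbitmq:3.8", "execve", "beam.smp", "/usr/bin/python3"),  # RabbitMQ forking a Python process
    Event("busybox:1.31", "execve", "sh", "/bin/wget"),               # image nobody wrote a baseline for
]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

The baseline is keyed on the image name rather than the pod, so the same allowlist follows the workload across the 10, 20 or 30 clusters the speaker mentions; the "no_policy" finding exists because a container with no baseline is exactly the one whose misbehaviour nobody would notice.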