►
Description
Get your espresso ready for the EMEA OpenShift Coffee Break as we celebrate the Advanced Cluster Security for Kubernetes Operator GA with a *LIVE* demo about DevSecOps together with Roberto Carratala and Rodrigo Alvares, OpenShift Specialist Solution Architects.
C
C
C
B
B
We
need
to
think
that
security
must
be
continuous
analystic,
so
dexacorps
allows
you
to
approach
this
security
continuously
and
realistically
across
the
application
and
infrastructure
life
cycle.
David
divided
in
different
phases
like,
for
example,
build
run
manage
other,
but
we
need
to
think
that
this
needs
to
be
a
continuous
walkthrough
and
why
method
for
devops?
How
can
red
hat
help
in
the
dexa
corps
result?
Openshift
platform
have
a
vision
to
have
a
hybrid
cloud
platform
for
enterprises
to
build,
deploy
and
run
applications
in
securely
at
the
scale.
B
So,
for
example,
red
hat
delivers
continuous
security
for
containers
and
kubernetes
with
openshift
platform,
using,
for
example,
I'm
providing
trusted
content
having
this
lifecycle
of
the
the
platform
using
also
a
strong
role-based
access
control
and
having
a
network
isolation
and
container
isolations
and
so
on
and
acs.
And
this
is
the
good
part-
extends
the
security
also
to
application
layer,
for
example,
as
vulnerability
analysis
or
the
configuration
app
analysis,
and
also
for,
for
example,
using
compliance
assessment
or
risk
profiling,
or
even
in
the
runtime
checking.
B
If
there
is
any
threats
and
making
the
incidence
response
as
well
so
acs,
red
hat,
advanced
cluster
security
for
kubernetes
have
and
focus
in
three
different
parts.
The
secure
supply
chain,
giving
tools
to
the
different
developers
in
order
to
have
more
integration
and
have
more
tools
in
order
to,
for
example,
integrate
and
scan
in
the
different
pipelines
also
have
the
possibility
to
secure
the
infrastructure.
B
Any
wrong
configuration
something
like
that
and
on
the
other
hand,
also
in
the
random-
and
it
is
very,
very
important
to
secure
the
workload
to
maintain
this
third
trust
execution
and
do
this
workload
protection
as
well,
and
we
need
to
remember
that
advanced
cluster
security
for
kubernetes
acs.
It's
the
first
kubernetes
native
security
platform.
B
So
it's
the
first
and
it's
built
for
kubernetes
and
running
in
kubernetes
and
for
this
reason,
have
a
very
nice
integrations,
for
example,
using
the
image
scanning
that
it's
in
the
industry
like
claire
at
their
own
anchor,
also
the
integrations
with
different
registries
and
their
registries
in
sas
or
itself
with
koio
or
other
registries
with
hub,
or
something
like
that.
Also
the
integration
with
chdd.
B
In
this
demo,
we
will
show
how
well
integrates
acs
with
openshift
pipelines,
but
could
be
also
integrated
with
other
cicd
tools
and
obviously
you
need
to
know
what's
going
on
in
your
platform.
So
you
can
connect
with
devops
notification
and
we
can
see
also
the
slack
connection
or
the
microsoft
teams,
from
some
alerts
that
you
can
notify.
If
anything
was
wrong
or
something,
and
also
the
sign,
for
example,
to.
A
B
B
B
If
there
is
any
attack
and
try
to
isolate
this
attack
in
order
to
having,
for
example,
microsoft,
augmentation
with
network
policies
or
very
strict,
very,
very
strict,
for
example,
policies.
In
order
to
not
running
some
crypto
miners
or
an
ambulance
behavior,
and
if
there
is
any
threat,
we
can
kill
and
enforce
the
port
that
offends
and
files
the
the
violation
itself
and
the
pipeline.
B
B
On
the
other
hand,
openshift
keytops
as
well,
based
in
argo
city
and
acs,
as
well
with
advanced
cluster
security
for
kubernetes.
Also,
we
will
use
another
tools
like
target
server
with
basic
box
units.
Sonar
cube
nexus.
Surproxy
and
gatlin,
all
of
them
are
open
source
and
you
can
build
your
devops
pipeline
very
easily,
adding
more
and
more
to
the
snare.
C
B
B
That
brings
argo
cd
into
our
scenario
and
we
can
use
githubs
in
a
very
nice
way
to
the
continuous
deployment,
also
red
hat
openshift
by
blends
that
it's
facing
tactile
and
we
will
use
this
tecton
pipeline
and
openshift
pipelines
itself
based
in
in
texas
and
also
this
guy.
That
is
the
advanced
cluster
security
that
this
is
the
operator
that,
when
ga
on,
I
think
in
friday
on
saturday,
the
good
thing
is
that,
with
this
operator,
it's
a
very
nice
way
to
install
it.
B
You
have
also
all
the
possibilities
to
install
acs
that
in
the
past,
you
can
have
the
possibility
to
install
it
with
the
gem
itself
or
using
the
helm
charts.
But
this
is
a
very
nice
way
and
the
most
impressive
thing
is
that
you
have
also
the
channels-
and
you
have
the
this
approval,
but
it's
automatic.
So
when
a
new
acs
release
pops
up,
you
can
automatically
have
and
upgrade
your
entire
acs
cluster
without
doing
anything.
So
it's
very
awesome
also.
We
can
check.
B
For
example,
if
we
go
to
that
stack
rocks
itself,
we
can
check
the
central
and
we
deploy
it
using
the
create
central.
So
central,
it's
imagine
that
strength.
Rule
is
the
brain
of
acs
and
it's
everything
that
er
needs
to
have
and
needs
to
analyze
it's
going
to
the
center,
so
you
can
install
it
in
a
very
nice
way,
just
deploying
the
the
sensor
and
afterwards
the
security
manager
of
the
different
clusters.
B
Imagine
that
you
are
using
the
query,
io
scanner
and
you
don't
need
it,
so
you
can
disable
it
as
well,
and
also
the
good
thing
is
that
you
can
install
acs
in
a
fully
disconnected
way.
So
in
this
case
you
can
control
if
your
acs
connects
to
the
internet
or
not
deploying
your
operator
and
deploying
your
cluster
fully
prep.
B
So
it's
very
very
easy
and
we
install
it
like
this
way
and
after
that
install
it.
We
have,
and
I
will
go
to
the
developer
view
and
in
the
developer
view
we
have
the
different
pieces.
Did
it's
the
central
that
it's
the
brain
and
also
the
scanner
and
the
scanner
db?
That
is
the
scanner
and
the
vulnerability
scanner.
Like
huevo,
but
from
stack,
rocks
from
acs
and
also
the
different
pieces
that
are
from
specifically
managed
cluster.
B
B
B
And
cluster,
like
the
kubernetes
and
obg4,
very
in
a
very
easy
way,
using
this
directly
or
using
also
the
own
operator,
so
in
the
own
operator
you
can
see.
For
example,
let
me
go
again
to
this.
You
can
check
also
the
secure
clusters
and
you
can
add
the
secure
clusters.
Whatever
you
want,
for
example,
you
need
to
connect
to
the
central
endpoint
and
so
on.
B
In
this
case,
we
have
different
things
like
cog
servers,
the
trigger,
and
so
on
that
we
can
explore
when
we
launch.
The
first
thing
that
we
need
to
do
is
simulate
that
we
are
a
developer.
We
are
a
developer
that
wants
to
launch
our
pipeline.
So
what's
the
first
thing
that
we
need
to
do
go
to
our
git
server,
this
git
server,
it's
basing
box,
but
you
can
use
whatever
you
want.
So,
for
example,
in
this
case,
we
have
the
source
code
that
this
is
a
sprint
pet.
A
B
A
B
A
B
Are
based
and
they
are
scanning
amongst
different
vulnerabilities
and
different
cpes,
so
you
will
receive
the
different,
for
example,
approaches
for,
but
basically
it's
more
or
less
the
same.
It's
scanning
the
image
for
different
vulnerabilities
going
through
different
sources,
so
it
could
be
that
have
slightly
difference
between
the
scanning
one
image
and
another
using
stackbox
scanner
and
koi,
but
basically
do
the
same.
The
same
thing
that
it's
scan
your
image
in
order
to
check
for
vulnerabilities.
C
C
B
B
They
think
it's
doing
it
if
opener
yeah
it's
having
the
next
spring
bed
clinic-
and
this
is
in
the
environment-
that
having
death
and
states
using
the
customization
to
bring
the
githubs
and
also
syncing
the
different
things.
But
in
this
case
it's
thinking
everything
but
not
the
deploy,
because
we
are
not
building
our
image
and
the
image
is
not
available.
B
B
B
So
we
are
introducing
the
static
analysis
of
our
code,
providing
tools
to
our
developers
also
to
having,
for
example,
before
than
building
the
image
and
building
the
artifact.
We
are
giving
them
the
possibility
to
give
us
us
so
on
static
analysis
of
our
code,
also,
the
unit
test
as
well
and
seeing
the
dependencies
reports
for,
for
example,
checking
if
there
is
anything
wrong
or
not.
B
B
B
B
We
have
the
build
success
and
we
run
a
lot
of
tests
for
t-test
and
everything
is
okay
and
afterwards
we
are
using
nexus
for
our
two
things.
This
nexus
will
have.
First
of
all,
for
once
we
build
our
jar,
our
artifact.
We
will
push
directly
to
the
nexus
for
what
reason,
because
we
want
to
control
where
it's
located
the
different
jars,
but
also
we
will
use
nexus
as
the
maven
thing,
but
meanwhile
we
can
check
the
different
sonar
cube
results.
A
B
A
B
A
This
stuff
here
be
right.
Back.
Okay,
now
should
be
good.
I'm
sorry
about
this
little
issue,
technical
issue
we
have,
and
now
we
should
everything
should
be
fine.
We
have
some
issue
on
the
on
the
obs
side
that
we
are
using
for
for
streaming
and
roberto
yeah.
I
think
we
we
just
lost
the
one
once
that
the
the
image
scan,
but.
B
Yeah
the
image
is
scanned.
This
is
the
the
interesting
one
because
we
are
using
this
openshift
pipeline
and
using
the
roxctl
rockctl
is
a
command
line
tool
for
integrating
in
every
cict
tool,
and
I'm
going
also,
for
example,
in
this
case,
we
are
scanning
the
application
that
we,
the
image
that
we
built
and
also
we
after
that
application
build.
B
We
can
see
directly
a
very
nice
report
of
our
own
image
that
we
already
checked,
so
we
have
in
here
a
lot
of
information,
and
I
love
the
themes
of
the
different
information
that
we
have
of
our
application.
So
you
can
check
in
here
that
it's
sprinkled
clinic
with
the
shop
and
we
have
the
different
cpes
that
we
can
get
more
information.
For
example,
we
have
these
cves
and
so
on.
B
There
is
good
stuff,
but
also
we
can
check
different
things
among
the
image
that
we
already
built
for,
for
example,
we
don't
want
to
anyone,
have
the
package
manager
in
the
image
and
for
this
reason
this
system
policy
failed
because
detect
that
in
one
layer
of
the
image
that
we
already
built
have
npm
or
yam
or
on
the
other
hand,
for
example,
have
vulnerabilities
that
could
be
fixable
with
more
than
scoring
of
seven.
So
these
vulnerabilities
are
defined
in
acs
and
are
fully
I
fully
managed
and
on
the
other
hand,
we
can
check
this.
B
This
is
from
build
and
we
can
stop
our
build.
Imagine
that
you
don't
want
to
in
any
way
to
build
your
image,
so
you
can
enforce
this
guy
in
order
to
if
there
is
any
cve
detected
in
your
image,
build
stop
and
fail
the
build,
so
you
can
prevent
your
developers
to
bring
applications
or
bring
or
build
different
images
containing
cbds
or
containing
the
different
things
that
you
don't
want
to.
Imagine
that
you
are
detecting
a
social,
a
cell
shock
or
a
helpless
in
your
image.
B
You
need
to
prevent
to
deploy
this
image
and
also
in
the
deployment
check
you
can
check
not
only
in
build
also,
you
can
check
the
deployment
of
your
own
application.
In
this
case,
we
are
checking
the
different
deployment
of
kubernetes.
In
this
case,
we
are
checking
amongst
the
different
system
policies,
the
different
kubernetes
checks.
B
Team
don't
want
that.
My
developers
build
any
image
that
have
cpes
with
scoring
more
than
seven,
so
we
can
check
and
we
can
enforce
that,
and
we
can
just,
for
example,
give
them
a
heads
up
in
order
to
guys
you
are
building
images
that
have
this
type
of
series,
please
solve
them,
because,
if
not
could
be
introducing
some
risks,
but
on
the
other
way
you
can
also
have
the
possibility
to
enforce.
B
Why
is
enforced,
so
you
can
have
the
possibility
to
kill
the
pipeline
itself.
So
when
you
are
building
the
pipeline,
if
you
are
not
complying
with
my
policy,
this
checks
and
fails
the
bill
and
prevents
that
anyone
builds
the
image
or
just
deploys
the
image.
So
in
this
case,
starcraft's
acs
will
frame
when
the
image
match
the
condition,
and
if
we
rerun
this
we
will
see.
Meanwhile,
I
will
rerun
this
stop
run.
B
B
And
if
you
go
to
argo
now,
we
have
in
here
have
a
very
nice
deployment
that
is
already
live
and
in
this
deployment,
if
you
check
the
port
itself,
the
port
have
the
ddd4,
the
dd5,
that
it's
the
exact
same
application
that
we
already
built,
but
did
everything.
But
it's
okay.
So
if
we
go,
for
example,
in
to
our
application
and
to
our
namespace,
we.
C
B
See
let
me
handle
this
in
the
next
couples
yeah,
and
we
have
in
here
our
sprint
pet
cleaning
application
that
we
built
in
a
very
secure
way
and
also
in
the
topology
and
also
in
the
pipeline.
We
introduce
two
steps
more,
that
it's
the
performance
test
and
this
performance
test.
We
are
using
coupling
this
cutling
it's
using
and
it's
trying
to
load
a
lot
of
requests
to
our
application.
It's
like
a
loading
test
and
it's
producing
in
a
very
nice
way
that
we
can
check
in
the
reports.
B
That
is
different
requests
that
we
try
to
reproduce
in
order
to
know
if
our
application
is
okay
or
not,
and
afterwards.
Finally,
open
testing
appreciate
testing
for
what,
because
when
we
have
already
built
our
application,
we
need
to
check
from
outside
simulating
different
attacks
and
trying
to
contest
our
application
in
order
to
know,
for
example,
if
the
hair
bleed
vulnerability,
it's
okay
or
not,
or
if
we
are
using
any
weak
authentication
method
or
anything
else,
with
driving
more
information.
B
B
In
this
case,
I
used
slack
so
I
used-
and
I
integrated
acs
with
slack
in
a
very
easy
way,
and
now
that
we
have
in
here
we
can
check.
For
example,
if
anything
happens
during
the
build,
for
example,
I
can
check
if
one
application
or
if
one
build,
is
against
the
different
system
policies,
for
example,
in
this
case,
I'm
checking
that
this
specific
build
of
this
container
half
not
the
specified
frequency
or
limits,
so
they
would
think
it's
every
system
policy.
A
C
C
So
what
type
of
tools
are
existing
in
that
image?
So
do
I
have
curve?
Do
I
have
w
gap?
So
you
don't
need
double
gap
on
those
images
right,
so
how
many
vulnerabilities
exist
within
that
image,
so
the
the
acs
allows
the
developers
to
be
aware
exactly
what
type
of
like
you
know,
problems
they
can
have
in
production,
because
you
don't
want
to
basically
ship
any.
B
Yeah,
and
also
preventing,
for
example,
and
enforcing
imagine
that
you
in
production,
don't
want
anything
that
can
be
built
with
this
evee
or
with
the
rpm
or
just
not
using
request
or
limits.
You
can
prevent
that.
You
can
check
that
your
own
deployment,
the
your
own
of
dexacops,
can
have
also
the
information
about
you.
B
C
A
B
This
is
a
very
good
question.
You
can
define
it
wherever
you
want,
and
it's
very
very,
very
easy
to
define
new
policies
to
define
the
severity
and
also
the
life
cycle
stage.
For
example,
you
don't
want
to
prevent
you
want
to
prevent
to
specific
cve
to
pops
up,
so
you
can
preventing
the
deployment
goes
to
the
description
and
after
that,
for
example,
you
can
restrict
and
also
enable
the
notification
with
that
you
can
define
whatever
you
want
in
this
case,
for
example,
with
a
lot
of
things
that
affects
inbuilt
in
deploy
and
in
a
runtime.
C
B
Yeah
and
you
can,
for
example,
prevent
that
anyone
deploys
a
privileged
container,
adding
certain
capabilities.
For
example,
I
can
define
it
that
no
one
can
deploy
one
port
or
one
deployment
with
a
certain
capabilities,
and
I
don't
want
to
allow
it,
or
at
least
just
in
ford
in
informant
and
when
we
have
it
here,
we
can
define
it
the
enforcement.
B
So
if
this,
if
anyone
tries
to
in
production
on
in
whatever
you
want
to
deploy
in
specific
deployment
with
a
port
without
certain
capability
or
with
a
certain
cve,
we
can
prevent
and
automatically
acs
through
an
admission
control.
The
policy
and
mission
control
will
fail
that
it's
more
or
less
the
the
same
thing
that
it's
having
with
opa
but
in
a
very,
very
nice
way,
because
with
here
you
can
drag
and
drop,
as
perfectly
said,
and
we
can,
for
example,
define
a
lot
of
situations
like
cepcom
privilege,
containers
and
so
on.
C
B
B
So
if
we
have
it
and
if
we
check
the
fixable
css,
we
see
that
we
have
these
polyphones
for
policy
enforcement
that
cause
the
failure
of
the
whole
cicd
pipeline
automatically
because
doesn't
feel
and
doesn't
pass
our
compliance,
because
I
don't
want
to
anyone,
put
any
cve
building
my
my
image
and
also
you
have
more
information
because
in
the
image
check,
the
developer
can
have
the
possibility
to
check
okay.
This
image
fails,
but
for
what
reason
I
need
to
have
more
information.
B
A
Wow,
oh
I
mean
it
was
super
lots
of
stuff.
I
think
you
know
what
I
think
this
reserve
also
a
second
session.
Where
we
go
into
more
details.
We
had
some
I'm
sorry
for
our
attendees.
We
had
a
little
issue
on
the
streaming,
so
the
stream
gets
split
into,
but
we
will
make
sure
to
come
to
to
join
the
two
recording.
So
sorry
about
that,
but
we
were
able
today
to
see
a
complete
devsecops
demo,
really
congratulations,
roberto
rodrigo!
C
A
That's
maybe
an
exercise
interesting.
Let's
do
this
folks.
It
was
so
interesting
that
I
think
in
the
server
series
adapts
a
cop
series.
We
can
have
some
kind
of
we
did
this
introduction
for
the
next
time
we're
going
to
do
a
series
where
we're
going
to
crc
or
local
development
with
acs,
and
I
would
like
to
see
also
the
penetration
testing,
the
vulnerability
assessment.
We
we
have
seen
the
wall
pipeline
today.
B
A
lot
of
things
with
the
running
and
detecting
also
the
violations
for,
for
example,
preventing
if
anything,
goes
or
if
anybody
do
a
net
card
or
an
air
map
inside
of
our
container,
prevent
to
do
that
and
itself
also
kill
the
pot.
If
this
will
enforce
it
or
not.
So
we
can
have
this
this
series
for
sure
fantastic.
A
I'm
looking
forward
to
it
because
it's
so
interesting,
I
think
people
really
enjoyed
also
in
the
chat.
There
was
lots
of
interaction.
I
just
shared
the
demo,
so
the
demo
was
made
by
roberto
rodrigo
that
worked
in
this
fantastic
demo.
I
I
really
recommend
to
try
it
out.
You
know
what
you
can
try
on
crc,
for
instance,
which
is
the
a
local
development
for
openshift,
and
you
can
try
on
any
of
all
your
openshift
cluster
available
that
I'm
putting
in
the
chat.
A
The
link
to
you
know
start
trying
over
shift
start
trying
acs,
which
is
now
ga,
and
you
can
deploy
the
demo
that
roberto
rodrigo
today
made
for
us.
So
you
know
I
would
like
to
really
thank
you
for
this
awesome
demo
recording
will
be
available
on
the
openshift
youtube
channel
and
you
know
what
we
will
see
again
here
at
openshift
coffee
break
with
with
a
new
devsecop
series,
because
it's
so
cool
so
interesting.
I
really
enjoyed
so
thanks,
roberto
and
rodrigo
for
joining
us.
C
B
A
Folks,
let's
you
can
stay
today
on
openshifttv,
we
we
have
our
regular
schedule
if
you
would
like
to
stay
that
goes
into
from
from
you
know
a
mia
afternoon
time,
and
then
it
goes
into
the
normal
shell
shadow.
If
you
go
to
open
shift
tv,
you
you
see
all
the
all
the
shadow
that
that
we
have.
Let
me
put
the
link,
so
you
can
follow
with
next
things.
Today
we
have
lots
of
also
episode.
A
We
our
recurring
series
and
we
see
each
other
for
our
next
appointment.
That
will
be
july.
The
28th
we
will
come
back
with
a
pipeline
as
a
code
topic
together
with
jafar
and
some
people
from
the
engineering
talking
about
the
tecton
pipelines
as
a
code.
So
thank
you
very
much
for
joining
today.
Thank
you
for
attending
look
forward
to
see
you
on
the
next
openshift
coffee
break
episode,
ciaos.