►
From YouTube: Securing your Pipeline on OpenShift - Marc Boorshtein (Tremolo Security)| OpenShift Commons Briefing
Description
OpenShift Commons Briefing 2020-05-19
Host: Diane Mueller (Red Hat)
Guest Speaker: Marc Boorshtein (Tremolo Security)
Securely Provision Your Pipeline on OCP Making Dev, Sec and Ops All Happy
Your CI/CD pipelines are a crucial component to your platform. Production OCP deployments need to take into account how to build out pipelines for applications in an automated way that respects all of the users in your environment. The Devs want systems that stay out of their way, Sec wants to be able to audit the environment and Ops doesn’t want to get paged. Automating the provisioning means integrating source control, multiple OCP clusters across environments, security scanning, and IT process to build an automated platform.
Tremolo Security’s CTO, Marc Boorshtein, will walk through a proof of concept that was built for a customer to automate the creation of a multi-environment secured pipeline using GitLab for source control, multiple OCP environments for different stages of the application’s lifecycle, Sonarqube for scanning, and OpenUnison to tie them all together via SSO and automated workflows. We’ll cover the initial provisioning of the pipeline, environments across multiple clusters, and promoting containers across environments without using the ocp command or ever logging into a terminal.
@mlbiam / @tremolosecurity
A
All
right
well
welcome
everybody
to
open
ship
Commons
we're
streaming
live
on
both
blue
jeans
and
twitch.
So
wherever
you
are
welcome,
we
are
now
got
to
have
a
great
talk.
I,
always
love
hearing
from
Marc
portioning
from
tremelo
security
is
one
of
my
favorite
Commons
members
and
one
of
the
earliest
members
to
the
the
Commons,
and
today
he's
going
to
talk
a
little
bit
about
a
little
bit.
Hopefully
a
lot
about
securing
your
your
pipelines
on
OpenShift
and
and
I
really
like
this.
A
B
A
And
then
we'll
basically
have
a
conversation
with
everybody.
Who's
online
and
I
am
a
stylish
and
I'm
gonna
pick
marks
brains
a
little
bit
afterwards
and
if
you
have
questions
just
enter
them
in
the
chat
either
in
the
the
ones
on
twitch
or
the
ones
here
in
blue
jeans
and
we'll
just
have
a
conversation
for
the
second
half
hour,
so
Marc
with
that
intro.
Please
take
it
away,
introduce
tremolo
security
and
yourself
and
tell
us
how
to
secure
our
Park
Place
thanks.
B
Stan
and
thank
you
again
for
giving
us
a
chance
to
come
onto
Commons
and
talk
so
we're
gonna,
be
talking
like,
like
Diane,
said
about
securing
your
pipelines,
so
we're
not
gonna
be
talking
about
what
your
pipeline
should
be.
So
much
as
how
do
you
provision
your
pipelines?
How
do
you
create
your
pipelines
in
your
enterprise?
How
do
you
figure
out
where
it
goes,
how
those
different
things
connect
so
who
are
we?
B
We
were
founded
in
2010,
we're
we're
focused
on
my
daddy
management
and
we'll
talk
about
why
I,
daddy
man
pipelines
kind
of
intersect
there
100%
open
source.
So
what
we're
about
to
show
you
is,
you
know,
and
there's
a
link
in
the
blue
jeans
chat
all
open
source,
so
all
freely
available,
we've
been
working
with
open
shift
since
2015
I'm
rocking
a
little
bit.
My
retro
open
shift
gear
here
from
before
it
was
built
on
kubernetes.
So
we've
got
a
lot
of
experience
in
the
space
and
yeah.
B
We
were
in
the
first
class
of
the
certified
containers
for
Red
Hat,
first
class
and
certified
operators
proud
to
have
been
included
in
the
first
round
of
the
marketplace,
offering
that
just
came
out
a
couple
weeks
ago.
So
we're
pretty
well
steeped
inside
of
the
Red
Hat
culture
and
and
product
ecosystem.
I
myself
have
been
working
with
kubernetes
since
about
2015.
B
We
we
as
vendors,
we
as
a
community,
spend
a
lot
of
time
trying
to
make
this
experience
really
good
and
really
working
on
the
user.
Experience
here.
I,
you
know
maybe
I
know
amal
is
maybe
I
don't
a
lot
of
times.
I,
don't
want
to
know
how
the
stuff
gets
deployed.
I
just
want
to
be
able
to
work
on
my
thing,
I
like
yet
write
the
code,
push
it
on
to
the
next
task.
B
So
you
know
developers
they're
generally
focused
on
making
sure
that
that
business
logic,
you
know
the
thing
that
runs
your
company,
your
enterprise,
is,
is
being
built
and
then
the
ops
side
of
it
right.
Our
administrators
raise
your
hand
if
you've
ever
gotten
a
nervous,
tic
from
hearing
slack
go
off,
I
know,
I,
have
you
know,
and
and
as
an
administrator
you
help
somebody
and
your
reward
for
that.
Is
they
ask
you
every
single
time?
B
They
need
something,
no
matter
what
it
is
and-
and
so
you
know
that
you're
not
just
the
the
person
who
fixes
things
now
you're
the
person
who
has
to
figure
out
how
you
get
people
to
not
ask
you
to
do
things
personally,
you
know
there's
a
lot
of
you
know,
ad-hoc
work
that
has
to
be
done,
America
is
and
then
finally
you
know
you
get
into
that
audit
perspective
of
you
know:
you've
been
working
on
a
system
for
a
year
or
two
and
then
all
suddenly,
this
person
comes
in
and
says:
hey.
Is
this
secure?
B
Why
do
these
people
have
access
to
these
systems,
sometimes
with
a
little
more
structure,
sometimes
with
less
I
know?
I've
had
one
customer
who,
literally
just
the
auditor,
sent
me
an
email
and
said:
hey:
is
this
secure
and
I
was
like
sure,
and
so
you
know
Ops
kind
of
makes
all
that
run.
Often
in
the
background
and
and
and
so
you
got
to
respect
what
they're
doing
and
then
sex
security
yeah
the
security
person
they're.
Looking
to
understand,
why
that's
the
biggest
question?
Why
are
all
these
projects
here?
Who
proved
the
access
to
it?
B
You
know,
we've
made
it
so
easy
through
open
shift
and
an
API
driven
infrastructure
to
be
able
to
do
things
that
the
the
previous
concepts
of
privileged
access
versus
regular
access,
kind
of
no
way
so
now
kind
of
everything
is
privileged
I
if
I
can
deploy
new
code
just
by
pushing
it
into
a
repo.
I
should
probably
have
multi-factor
access
on
that
repo,
so
so
they're
there
questions
there.
B
So
why
is
a
Danny
management
important
in
all
this?
You
know.
Let's
talk
about
the
pipeline.
What
does
your
pipeline
look
at,
so
we're
gonna
do
a
demo
of
a
proof-of-concept.
We
were
asked
to
do
for
a
customer
where
the
pipeline
was
more
than
just
open
chef.
The
open
shift
was
that
starting
point
they
had
a
lot
of
legacy,
Jenkins
workloads.
They
wanted
to
continue
to
leverage
Jenkins
for
for
their
bills.
They
want
to
use,
get
lab.
They
wanted
to
show
that
we
could
integrate
with
sonar
cube
for
scanning.
B
Now
the
interesting
thing
about
all
three
of
these:
they
have
their
own
authentication
process.
They
all
have
their
own
identity
management
system.
You
know,
Jenkins
it
ships
with
OpenShift
it's
tightly
integrated,
so
that
works
really
well.
It
lab
has
its
own
identity
management
system
right.
It's
got
its
own
API,
its
own
way
of
integrating
with
groups.
You
know
there's
SSO
sure,
but
you
still
have
to
provision
those
different
things
and
then
sonar
cube
as
well
has
its
own
thing.
B
So
every
application
that
makes
up
your
pipeline,
it's
gonna,
be
more
than
just
openshift
it'll,
be
you
know
at
least
three
things
here
right,
a
CIC
D
pipeline
of
some
kind.
You
know
source
control,
different
kinds
of
scanners.
You
might
have
different
types
of
process
based
applications,
so
so
that
your
pipeline
is
gonna,
be
more
than
just
open
chef.
B
You
open
shift
is
your
starting
point,
and
so
one
of
the
interesting
things
that
came
out
of
when
we
first
started
getting
into
open
chef
and
kubernetes
in
general
was
we
found
that
the
identity
management
workflow
engine
was
actually
kind
of
a
nice
automation
and
as
well
as
long
as
we
have
an
API
to
talk
to
it,
gave
you
a
single
path,
so
you
could
actually
trace
when
a
request
was
made
or
proved
the
request.
What
objects
were
created
throughout
your
infrastructure?
Everything
was
tied
together.
It
gave
you
an
approval
process.
B
You
know,
why
is
something
being
done?
That
needs
to
be
approved,
of
who
has
access
that
needs
to
be
approved
of
you
could
do
that
in
external
systems,
but
a
lot
of
CIC
D
systems.
They
don't
have
this
part
of
it
mostly
focused
on
on
on
the
process,
unless
the
appropriate
you've
got
some
stuff
with
git
and
whatnot,
but
I
haven't
seen
it
as
integrated
as
this
and
then
there's
an
automation
side
of
it,
where
you
want
to
do
things
the
same
way,
every
single
time
as
much
as
possible,
you
always
have
exceptions.
B
You
always
have
to
have
flexibility,
but
you
know
you
want
to
have
your
base
be
okay,
unless
you
have
a
really
good
reason.
We
want
you
to
stay
within
this
process
and
and
that
process
is
gonna
vary
between
between
enterprises.
So
we
found
that
there
was
a
really
nice
meld
there
between
identity
management,
both
between
tying
the
various
pieces
of
your
pipeline
together
and
being
able
to
track
your
pipeline
and
the
provisioning
process.
B
Let's
talk
a
little
bit
about
the
demo,
everybody
wants
to
have
fun
with
the
demo
I
like
that
much
so.
What
we've
built
today
is
a
multi
environment,
OCP
pipeline,
so
we've
got
two
OCP
environments.
We've
got
a
development
and
we've
got
a
production.
All
of
our
applications
for
managing
the
pipeline
actually
run
in
our
development,
our
development
OCP.
So
we
have
gitlab
running
in
here.
We
have
sonar
cube.
We
have
jenkins-
and
this
is
where
the
bulk
of
the
work
goes.
B
So
the
first
thing
that
happens
is
when
a
user
logs
into
open
chef
for
the
first
time
they
get
their
own
sandbox.
So
so
our
just-in-time
built
project,
the
first
time
they
log
in
the
second
thing,
is
they're
able
to
request
that
a
project
get
created
and
when
that
project
gets
creamed,
we'll
go
through
the
details.
There
are
a
lot
of
different
steps.
You
got
created,
get
lab,
yeah,
create
the
project
and
OpenShift
yeah,
create
the
project
and
the
production
OpenShift
and
there's
a
managerial
process.
B
So
we
don't
necessarily
want
developers
or
even
admins
to
be
running
like
OSI
commands,
or
you
know
doing
anything
like
that
to
get
the
7
right
well
automate
that
process.
But
then,
when
the
move
goes
into
production,
we
want
to
leverage
what
OpenShift
gives
us.
So
you've
got
image
streams
and
deployment
configs
that
will
intelligently
roll
out
thing.
You
know
applications
is
updates.
Get
me
so
said:
alright,
when
we
do
a
rollout
to
production.
B
B
The
people
who
make
those
decisions,
don't
generally
want
to
log
in
to
get
you
know,
they're
used
to
web
applications
and
so
get
to
them
where
they
live,
and
so
we
provide
them
a
UI
to
say:
hey
somebody's
requested
that
an
application
be
pushed
into
production.
That
workflow
in
an
enterprise
will
often
have
multiple
steps,
because
you'll
have
multiple
stakeholders
that
have
to
sign
off
on
it.
B
Here
we
have
just
one
step,
but
you
know
it's
all
customizable
you
hit,
go
it
deploys
and
then
there's
an
audit
log
of
not
only
what
happened
but
who
approved
it
so
we'll
go
through
that
as
well.
So
what
you
end
up,
having
is,
is
this
very
lifecycle
approach
to
being
able
to
approach
to
deploy
an
application
consistently
into
your
environment?
B
Let's
talk
about
the
dev
line
that
will
see
a
lot
of
this
is
gonna
happen
behind
the
scene,
so
I
like
to
go
into
the
details
before
we
hit
the
demo
up
so
I'm
a
developer
I'm
doing
my
work,
I
merge
into
master,
that's
gonna
kick
off
a
pipeline
that
will
do
the
build.
Do
a
code
analysis
create
a
container
push
it
into
the
test
environment.
B
At
that
point,
it's
assumed
that
there
is
something
that's
going
to
do
some
testing,
whether
it's
automated
there
could
be
multiple
layers
of
analysis
here,
we're
just
doing
code
analysis
in
in
your
pipelines.
I
would
highly
recommend
things
like
container
scanning
your
contains
for
vulnerabilities
things
of
that
nature,
so
there
could
be
all
sorts
of
other
steps
to
the
pipeline
depending
on
you
know
the
type
of
code
it
is
type
of
application,
etc,
but
once
it's
in
tests
at
that
point
we're
doing
our
testing.
That
is
our
kind
of
gold.
B
For
now
before
we
push
it
into
production,
then
it's
time
for
production,
so
somebody
says
you
know
the
typical
enterprise
for
getting
openshift
and
carbonates.
For
a
moment.
You
know
your
typical
enterprise
is
going
to
be
something
to
the
effect
of
you
know:
I'm
ready
to
move
my
application
into
production,
let's
go
to
the
change,
control
board
or
the
control
access
board,
or
you
know
whoever
the
people
who
are
responsible
because
somebody's
got
to
sign
off
on
it
and
you
go
in,
and
you
say:
here's
what
I'm
gonna
do
here's
my
back
out
plan.
B
Here's
the
you
know:
here's
the
the
the
mitigations
here
are
the
risks.
Here's
who's,
we
think,
will
be
impacted,
and
that
gives
everybody
who's
a
stakeholder,
a
chance
to
say
yes
or
no.
We're,
okay,
we're,
not
okay,
and
so
here
we're
automating.
That
process
we're
saying
alright.
Somebody
is
gonna
log
in
give
a
reason
why
they
want
to
do
the
deployment
and
it's
going
to
go
through
a
set
of
approvals.
Once
those
approvals
all
clear,
the
promotion's
production
is
automated.
We're
gonna
push
the
container
of
production.
B
It's
actually
not
a
hundred
sacks
we're
going
to
pull
the
container
from
dev
because
you
don't
want
your
Devon
to
be
able
push
into
production.
So
prod
is
gonna
pull
the
container
from
dev
into
its
own
image
stream,
and
at
that
point
you're
then
leveraging
open
chefs
built-in
built-in
capabilities
to
recognize
that
the
image
stream
has
been
updated
and
roll
out
new
versions.
How
you
define
your
deployment
config.
B
B
You
know
kind
of
a
straightforward
implementation.
This
is
a
variant
on
the
open
shift,
open
shift
operator
base
deployment
that
is
available
on
the
web
inside
of
our
github
repo.
We
added
some
things
to
it.
So
out
of
the
box
are
open
ship
repo
just
does
sso
for
open
shift
and
provisioning
for
open
shift.
Here
we
made
it
a
bit
more
opinion
in
so
you
can
see
that
we've
got
these
badges.
This
is
a
think
of
this
as
developer
portal.
B
B
This
is
all
dynamic.
So
we'll
see
that
this
changes
as
the
course
of
the
demo
goes
through
and
then
finally
reports
we'll
be
able
to
see
who
did
what.
So,
let's
start
off
with
some
table
stakes
and
let's
get
into
get
lab
so
like
I
was
saying
at
the
beginning
of
this
SSO,
but
each
of
these
applications
have
their
own
integrated
identity
so
being
able
to
tie
those
together
really
brings
a
nice
experience
to
the
table.
B
B
B
Ok,
so
the
first
thing
we're
going
to
do
is
create
a
new
project.
So
again
the
self-service
process.
You
know
we
don't
want
to
have
to
go
in
to
get
lab,
create
a
project,
create
a
project,
create
a
project
link
it
all
together.
That's
that's
pretty
error-prone,
so
we're
gonna
go
in
I'm,
going
to
say,
hey,
let's,
create
a
new
project
and
give
it
a
name.
B
B
The
the
system
approvers,
however,
we
defined
that
would
have
gotten
notification.
Hey
somebody
wants
to
access
something
so
I'm
gonna
go
ahead
and
review.
This
give
a
reason
test.
There's
gonna
happen
pretty
quickly,
so
I
want
to
show
three
projects:
three
projects,
three
projects:
let's
go
ahead
and
hit
the
button
I'm
gonna
come
over
here.
B
There
we
go
readings
for
project,
so
we've
now
provisioned
projects.
In
all
three
of
our
environments.
Our
major
environments
are
open
shift
of
our
OpenShift
prod
and
get
up.get
lab.
We've
also
gone
ahead
and
integrated
I
think
it's
settings
integrate
no
web
hooks,
so
we've
already
integrated
the
web
hook
for
our
or
our
pipeline
to
kick
off
our
build
config.
So
when
somebody
does
a
push
which
we'll
do
here
in
a
few
minutes
that
will
automatically
kick
off
the
build
process,
I'm
going
to
come
over
to
the
Jenkins
project
that
we
built.
B
Here
we
go,
and
so
if
I
come
in
here,
we
now
have
build
configs
for
greetings
for
and
here's
the
the
two
builds
that
we
created.
One
is
a
more
generic
pipeline
based
on
Jenkins.
The
other
is
a
sty.
Build
I'll
actually
generate
the
image,
and
so
this
particular
workflow
is
embedded
as
kind
of
an
initial
workflow
to
just
set
everything
up.
B
We
made
a
few
assumptions
here,
yeah
we're
assuming
that
we're
working
in
Java,
because
that's
what
we're
told
to
work
in
and
we
want
to
make
it-
you
know
as
straightforward
as
possible,
we're
integrating
our
code
analysis
with
sonar
cube,
generating
the
image
using
open,
chef's
built-in
capabilities
tagging
it
and
then,
if
we
come
back
to
our
readings,
for
we
have
an
image
stream,
that's
right
now
empty
waiting
for
an
image
because
there's
no
code
and
then
the
same
thing
over
here
in
production.
If
we
come
to
our.
B
Broad
image
go
to
build,
there's
now
an
image
stream.
That's
waiting
for
a
tag,
that's
waiting
for
an
image.
So
now
that
we
have
our
projects
been
provisioned,
it's
been
approved,
let's
go
ahead
and
push
it
all
out,
so
this
is
a
pretty
straightforward
process.
You
know
it
should
look
pretty
familiar.
B
So
everything's
been
pushed
in
and
there
we
can
see
we've
all
Matt.
We've
already
kicked
off
our
pipeline
now.
This
UI
should
look
pretty
pretty
standard
to
pretty
much
anybody.
Who's
been
working
in
open
shift
for
a
while,
and
so
you
know,
containers
spinning
up
it's
getting.
You
know
it's
firing
up
a
build
container
so
that
I'll
take
a
moment
or
two,
and
while
that's
going,
you
know
we
come
over
here
and
we
can
see
you
know
everything
is
in
there.
B
B
We'll
zoom
down
here
to
the
end,
and
we
can
see
here-
is
our
greetings
for
application.
Well,
this
was
greetings.
Three,
oh
wait!
No
here
we
go
deploy
application,
so
greetings
four
and
we
can
see
every
single
object
that
we
created
across
the
multiple
projects.
We
create
objects
into
Bernays,
we
create
objects
and
get
lab.
B
You
know
we
might
have
created
objects
inside
of
a
database
if
we
wanted
to
do
that
to
to
track
access
management,
but
we
can
now
tie
together
all
of
the
different
things
that
we
created
for
this
request
back
to
this
particular
workflow.
So
now,
when
someone
says
where
did
this
project
come
from
it's
a
report,
it's
a
sequel!
Query:
it's
not
digging
through
logs
trying
to
tie
everything
together
or
digging
through
emails
and
then
when
it
comes
to
well,
why
why
does
this
project
even
exist?.
B
We
run
a
different
report
and
we
can
see
that
was
created
for
a
reason
test
right
yeah,
but
this
is
the
person
who
approved
it.
So
I've
actually
got
customers
who
are
doing
interesting
things
around
like
OPA,
where
or
I
guess
opens
the
right
way
to
say
where
if
a
namespace
or
a
project
is
not
in
the
open,
unison
database,
they
flag,
it
and
they'll
say
you
know.
B
Somebody
needs
to
tell
us
why
this
exists,
so
it
gives
us
you
something
to
awed
it
against
a
known
state
or
an
expected
state,
awed
it
against.
Now,
let's
take
a
look
at
our
take
a
look
at
our
pipeline,
so
we
can
see
that
we've
done.
We've
built
the
war,
we've
done
the
code
analysis,
so
I
think
if
we
refresh
this
will
now
have
greetings
for
found
a
vulnerability.
Now
point
of
this
demo
wasn't
really
to
say
this
is
the
best
way
to
build
a
pipeline.
B
So
you
know
in
reality:
we'd
have
different
thresholds
here,
for
when
zone
or
cube
would
would
say.
No.
This
didn't
work,
we're
just
using
the
faults
right
now
and
so
that
process
is
building
and
while
that's
going,
I'm
gonna
go
ahead
and
open
this
up
in
a
new
tab.
Oh
and
we
can
actually
see
that
a
tag,
the
image.
So,
if
I
go
over
to
our
greetings
for
test
and
I,
look
at
our
image
streams,
yeah,
there's
our
image,
so
we
have
gone
through
the
development
side
of
things.
B
B
B
So
when
we
provision
these
projects,
we
added
the
label
to
the
project
to
make
sure
that
when
it
came,
when
we
came
to
this
window
we
only
saw
the
projects
that
were
in
a
position
to
provision
so
I'm
gonna
go
ahead
and
add
this
to
my
cart
checkout.
Now
this
all
API
driven.
So
you
could
integrate
this
into
whatever
you'd
like
and
we'll
say
demo,
and
so
now
that
request
has
gone
through.
B
You
know
the
folks
who
are
in
charge
that
need
to
decide
such
things
are
going
to
hopefully
be
in
a
position
to
do
it,
and-
and
here
we
go,
we
have
an
open
approval
now
this
is
gonna
happen
really
quickly,
so
I'm
going
to
bring
this
up
so
I'm
in
prod
right
now,
there's
no
image
tag
right.
This
is
our
production,
OSI,
prod
a
production
environment.
B
B
So
I'm
gonna
hit
confirm
approval
and
there
it
is
so
if
we
take
a
look
here,
5
c
7f,
5
c
7f,
so
we've
now
gone
through
that
whole
lifecycle.
Where
now
it's
up
to
OpenShift
and
the
deployment
can
fake
to
see
a
new
image
stream.
Let's
go
ahead
and
start
rolling
out
things
based
on
you
know.
However,
we
configured
it
a
B
blue,
green,
whatever
all
the
different
options
that
you
have
with
open
chef,
it's
all
been
automated
I
didn't
use
the
OC
come
in.
B
You
know,
I
I
was
demoing
things
inside
of
the
UI
didn't
actually
have
to
go
into
the
UI
as
a
developer.
I
never
really
had
to
go
in
there.
I
could
use
it
as
a
staging
ground
to
do
some
development
testing,
but
I
wasn't
forced
to
actually
do
anything
inside
of
OpenShift
to
to
get
things
going
and
I
was
able
to
maintain
my
existing
business
processes.
B
You
know,
as
the
ops
person
I
didn't
have
to
you,
know,
go
in
and
manually
create
things
as
the
dev
I
was
able
to
do
my
job
and
then
finally,
is
the
security
person.
I
had
access
to
all
the
different
reports
and
automation
needed
to
be
able
to
assure
the
executives,
yeah,
the
environments
secured
and
we're
following
best
practices
and
our
compliance
guidelines.
B
So,
like
I
said,
the
code
is
on
github:
it's
not
a
turnkey
solution,
but
I
think
it's
seasoned
enough
starting
point.
Anyway.
Everything
is
open
source.
So
it's
right
there
on
github,
pull
requests,
suggestions,
rants
all
accepted.
We
love
to
talk
and
interact
with
folks,
so
whatever
your
thoughts
are
we'd
love
to
hear
it.
A
Questions
hi!
Well,
thanks
for
that.
It's
it's
been
like
dem
SEC
offs
month
here
right,
it
seems
to
be
top
of
mind
to
somehow
conjoin
all
of
these
conversations
across
organizations,
the
dev
folks,
the
security
folks
and
the
ops,
folks
and
I
think
this
is
kind
of
a
nice
segue,
because
whenever
I
see
Cu
I
always
think
of
you
as
the
pragmatic
person
you're
the
person
that
actually
goes
out
and
implements
it
I'm
the
person
that,
like
Oh
bleeding
edge
cutting
edge.
A
This
is
like
do
this
stuff
and
you're
really
kind
of
down
there
in
the
trenches
making
this
work
for
people
who
are
deploying
open
ship
and
deploying
apps
and
stuff,
like
that,
so
I
I'm,
really
I'm
thrilled
to
have
you
here
with
that
kind
of
pragmatic
approach
to
things
making
a
sonic
qube
and
every
and
jenkins,
and
everything
else
work
together
very
nicely.
It's
really
I
totally
appreciate
this
perspective.
A
And
so
it's
this
these
systems,
and
you
said
the
ones
that
Rubik's
Cube,
Rube
Goldberg
and
when
you,
when
you
bring
this
stuff
to
the
audit
team
and
the
IT
audit
folks
and
a
lot
of
like
a
lot
of
them,
don't
know
what
containers
are
and
a
lot
of
a
lot
of
them
are
new
to
kubernetes
and
a
lot,
and
some
of
them
are
new
to
OpenShift.
Or
how
do
you
work
with
with
those
folks
to
get
them
up
to
speed
and
to
trust
all
I
mean
I
know
you
are
all
about
trusted.
A
The
Identity
Management
stuff,
like
that.
So
you've
got
a
lot
of
background
working
with
compliance
people.
How
is
it
what's
your
experience
or
what
you're
coaching
on
on
bringing
explaining
this
stuff?
We
get
it
because
we're
developers-
or
some
of
you
guys
are
ox
people,
or
maybe
your
security
people,
but
it's
the
compliance
officers
who
often
like
look
at
this
and
go
well.
This
is
just
spaghetti
or
you
know:
Luke
Goldberg
where's
where's.
My
audit
report
where's.
How
do
I
trust
that
all
of
this
stuff
is
working
in
the
sink?
That's.
B
A
great
question-
and
you
know
it's
really
buzzword
e,
but
culture,
understanding
the
culture
right.
So
we
you
know,
there's
this
constant
theme
DevOps,
that
sec
ops,
its
culture.
It's
a
two-way
culture,
though
it's
not
just.
You
need
to
understand
how
to
do
dev,
sec,
ops,
the
deaths,
a
cops
has
to
understand
how
everybody
else
does
their
job
too.
So
when
you
go
to
the
compliance
person,
you
know
for
better
or
worse
the
compliance
person.
They
have
a
language
that
they
speak
and
and
so
well,
not
directly
related
to
security.
B
In
a
past
life
as
a
consultant,
I
was
a
project
management,
professional
and
I
was
on
a
project
where
I
was
told
walking
into
it
that
the
the
manager
from
the
company
I
was
working
or,
and
the
project
manager
from
the
customer
hated
each
other.
It's
absolutely
despised,
each
other.
That's
all
every
move
melts
all
that's
so
how
so
helpful
and
every
meeting
devolved
into
a
shouting
match?
Oh,
this
is
gonna,
be
fun
and
so
I
walked
in
and
after
one
meeting
I
realized
what
the
problem
was.
B
The
customer
project
manager
was
a
PMP
and
she
was
saying
everything
in
PMP
speak
and
the
the
company's
project
manager
was
not
a
PMP.
It
was
a
good
manager,
but
he
wasn't
PP,
so
he
was
just
using
different
language
and
so
I
assumed
then
I
spent
two
hours
just
being
like
well.
No.
This
is
an
input
of
this
now
and
just
translating
it
yeah
by
the
end
of
it.
They
were
like
best
of
friends
because
they
realize
that
they
were
talking
each
other.
B
You
know
they
were
just
saying
it
differently,
and
so,
when
you
go
to
the
compliance
officer
or
you
go,
the
compliance
group,
you
know
you've
got
a.
It
is
a
two-way
street.
There
should
be.
You
know
a
good
compliance
group
is
gonna,
come
to
where
you
were,
you
live,
but
you
also
got
to
go
to
them
where
they
live,
and
so
they're
they're,
looking
at
spreadsheets
they're
looking
at
controls,
they're
looking
at
you
know
here
is
our
compliance
framework.
B
We
have
to
use
NIST
853,
we
have
to
use
PCI,
we
have
to
you
know,
and
and
so
it's
really
important
to
be
able
to
tie
back
to
those
things
and
just
make
it
as
easy
as
possible
for
people
to
say.
Yes,
you
know
about
the
worst
thing
you
can
do
is
walk
in
and
be
like.
Well,
of
course,
it's
secure.
Don't
you
see
that
you
know
so
the
the
being
able
to
speak
that
language
at
both
sides
is
really
where
you're
going
to
find
your
success.
Yeah.
A
I
think
that's
that's
key
I!
Think
the
language
thing
is
a
really
big
part
of
it
and
a
lot
of
them.
A
lot
of
the
security
now
is
kind
of
baked
in
as
well.
It's
like
you
can't
deploy
it
unless
it's
secure
in
some
ways
like
the
container
has
been
scanned
and
all
of
these
things
and
there's
a
lot
of
a
lot
more
automation
than
like
10
years
ago,
or
so
when
I
was
doing
ocean
IT
audit
stuff
and
but
they
still
I
tend
to
get
requests
for
things
like
where's.
A
My
live
show
the
log
file
show
me
in
the
audit
report
and
I
think
some
of
that
you've
got
baked
into
Open
unison
and
tremolo
security,
so
I've
been
pretty
impressed
with
being
able
to
get
good
reporting
and
good
explanations
out
of
some
of
the
like
all
of
the
kubernetes
platforms,
but
especially
some
of
the
Identity
Management
stuff
I.
Think
you
hit
the
nail
on
the
head
when
he
talked
about
three
different
and
identity
management
systems
going
into
one
pipeline.
A
You
know,
and
and
how
do
you
merge
all
of
these
different
approaches
to
Identity,
Management
and
I?
Think
that's
the
sweet
spot
for
tremolo
is
being
able
to
do
that
which
is
wonderful
and
which
is
why
we're
so
happy
here,
part
of
our
ecosystem
and
excuse
me
drink
a
little
more
coffee
out
of
my
Red
Hat
swag
today,
and
it
was
kind
of
funny
because
it's
like
do
we
miss
swag.
How
do
we
distribute
swag
I
in
the
in
the
time
of
kovat
and
and
and
Mark?
A
No
actually
like.
Let's
go
back
a
little
bit
to
this
too,
because
one
of
the
wonderful
things
about
Open
unison
is
that
it
is
open
source,
and
you
mentioned
your
decision
to
turn
open
unison
into
an
open
source
project
or
make
all
the
code
available.
Open
source
came
back
in
2015
when
you
were
at
a
Red
Hat
summit,
and
you,
you
probably
drank
in
13.
B
A
B
It
was
a
few
things:
I
mean
I've,
been
doing
open
source
literally
since
I
got
into
programming.
My
first
job
was
from
open
source,
my
very
first
job
out
of
college
and
how
I
got
into
identity
management.
I
had
posted
a
project
on
I'll
date,
myself
here
a
little
bit
SourceForge
and
we
are,
and
I
was
still
in
college
at
the
time
and
like
it
was
just
like
on
paper
some
stuff
around
LDAP
for
another
project.
I
was
doing,
and
this
startup
said
hey.
B
Can
we
pay
you
to
do
it
sure
and
then
they
hired
me
after
after
school
and
and
the
rest,
as
they
say,
was
history
but
I
mean
I've
I've
been
doing
open
source.
My
entire
career,
so
open
source
has
always
been
really
important
to
me,
not
just
as
a
you
know,
as
a
way
to
getting
into
the
code,
but
just
kind
of
part
of
me,
and
so
when
we
start
Tremmel,
we
were
not
originally
an
open
source
company
and
there
were
a
lot
of
reasons
for
that.
B
We
tried
some
freemium
stuff
and
then
get
a
lot
of
traction
there
and
then
I
went
to
Red
Hat
summit
at
Boston.
I
think
it
was
2013
and
I
was
just
kind
of
taken
back
by
the
community
and
just
how
like
a
little
of
it,
was
kool-aid.
A
little
bit
was
just
like
the
the
getting
caught
up
in
the
in
the
moment,
but
just
the
enthusiasm
that
people
had
around
open
source
and
then
I
kind
of
came
to
a
bit
of
a
business
epiphany
as
well,
where
I
realized.
B
There
are
people
that,
no
matter
how
cheap
the
codes
I
can
charge
a
penny
for
this.
They
won't
pay
it,
and
then
there
are
enterprises
that
I
could
charge
a
million
dollars
for
this
or
they
could
pay
use
it
for
free
without
support.
They
won't
use
it
for
free
without
support.
Yeah
and
so
I
came
to
the
realization
that,
while
my
oh
I
call
them
my
open
source
customers
because
I
treat
them
as
customers,
don't
give
me
money,
they
give
me
feedback,
they
tell.
A
A
B
It's
huge
I,
can't
you
know,
I
I'd
have
to
go
through
gettin.
You
know
get
github
to
quantify
it,
but
you
know
the
number
of
things
where
people
have
said:
hey
now
that
this
is
an
our
environment.
Can
you
explain
this
better
in
the
documentation?
Documentation
is
huge,
like
feedback
on
documentation,
if
you're
a
user
of
open
source,
please
feedback
on
documentation
is
let's
take
a
most
important
thing.
B
You
can
contribute
to
a
project
because
documentation
is
every
bit
if
not
harder
than
the
code
itself,
but
you
know,
or
you
know,
this
features
really
work
for
us
or
you
know,
hey
I
had
a
problem
doing
this.
You
know
that
feedback
is
gold,
because
then,
when
you
go
to
the
people
who
are
gonna
pay
for
it,
you
just
want
it
to
work
right,
the
first
time
and
so
having
the
ability
to
have
somebody
have
beaten
on
it
for
a
couple
of
minutes
beforehand.
B
B
A
B
A
Doing
work
now
like
on
in
the
okd
working
group,
which
everybody
should
watch
it
and
it's
doing
two
things
one.
It's
really
working
out
a
lot
of
the
bugs
in
an
open
shift,
and
you
know
creating
wonderful
I,
would
call
it
a
playground.
People
probably
present
only
at
play,
but
a
wonderful
space
for
also
testing
fedora
kora
with
us,
because
the
okee
runs
on
that.
A
A
We
have
about
545,
probably
if
I
got
updated
today,
probably
about
550
different
member
organizations
and
Commons
and
I'm
always
every
day,
surprised
and
so
grateful
or
on
the
contributions,
and
a
lot
of
it
is
just
feedback
and
coach
peer
to
peer,
coaching
and
and
people
showing
up
for
sessions
like
this,
whether
they're
internal
Red
Hatters,
who
are
on
their
lunch
hour
because
up
on
your
East
Coast
right
now.
This
is
kind
of
your
lunch
hour.
A
If
you're
on
the
west
coast,
like
I,
am
it's
like
you're?
A
second
cup
of
coffee
hour
we
need
more,
but
it's
it's
really
people's
fare
time
and
and
and
it's
para-
it's
not
free
time.
It's
you
know,
you're,
giving
us
your
time
and
energy
to
help
improve
the
products.
The
code
and
people's
understanding
of
open
unison,
Identity,
Management
I
have
learned
from
Mark
like
so
much
about
that.
A
I
didn't
really
think
about
about
identity
management,
about
all
these
different
pipelines,
different
arenas
on
how
to
bring
all
these
things
together
and
bridge
these
different
identity
management
systems
together
and
you
know,
and
then
to
have
you
come
in
and
talk
about,
dev
SEC
ops
is
like
yeah,
okay.
That
just
makes
sense,
but
it's
only
because
of
our
conversations
in
these
areas
of
collaboration
and
that
that
I
know
to
ask
you
to
come
in
and
do
these
things.
A
So
it's
really
open
source
kind
of
changes,
things
for
a
lot
of
people
and
for
a
lot
of
organizations,
and
it's
wonderful
wonderful
to
have
you
here
doing
that,
but
tell
me
and
then
so:
we've
bladdered
on
about
open
source
and
how
one
is
tell
me:
what's
next
for
tremelo
security?
What's
coming
out
the
pipe
line
in
your
roadmap,
so
we're.
B
B
I've
got
a
really
good
co-author,
so
that
makes
it
okay,
so
we're
writing
a
book
on
kubernetes
and
my
side
of
it
might
surprise
you
it's
a
focus
on
identity
management
and
automation,
and
so
that
that's
been
a
fun
process
as
well.
So
so
that's
going
on
and
then
we're
kind
of
chugging
through
on
China
productize
stuff,
like
this
a
little
bit
more
to
make
it
easier.
B
So,
like
our
git
lab
integration,
making
that
simpler,
you
know,
we've
got
a
couple
of
customers
that
built
things
with
us,
they're
similar
to
this,
not
this
exact,
same
implementation,
but
similar
process.
So
taking
that
and
make
it
easier
easier
to
integrate
and
and
quicker
to
get
off,
the
you
know
go
from
what
my
opinion
is
of
a
pipeline
oops.
B
B
Yes,
so
I
was
saying
you
know,
you
know,
trying
to
make
it
easier
to
get
from
what
my
opinion
of
a
system
or
platform
might
be
to
what
your
reality
is,
and
you
know
I'll
never
have
the
right
opinion
right,
but
we
can.
We
can
work
on
getting
that
gap
shorter
and
shorter
and
shorter,
easier
and
easier
to
get
to
one
of
the
things
that
that
never
ceases
to
amaze
me
yeah
before
I
start
a
tremolo
I
spent
over
a
decade
as
a
consultant-
and
you
know
all
the
different
organizations
I
go
to.
B
A
You
making
a
project
extensible
with
the
edge
cases
is
really
one
of
the
tricks
thing.
Yeah
plugin
and
in
some
ways
like
kubernetes
is
pretty
is
a
good
example.
I
know
along
open
ship
is
community,
so,
but
the
whole
operator
model
too,
is
allowing
people
to
extend
the
platform
without
having
to
make
it
a
feature
in
kubernetes
and
so
I
think
some
of
the
the
way
we
use
the
operator
pattern
has
helped
a
lot
and
and
you're.
One
of
the
things
that
you've
done
is
is
create
that
an
operator
for
for
open
unison.
B
What
makes
what's
always
made
the
open
unison
deployment
process
a
little
bit
harder
in
the
past
with
certificates
like
we
just
you
know,
we
have
to
talk
to
directories.
We
got
to
talk
to
sam'l
providers.
We
got
a
talk
yeah,
all
these
different
things.
We
need
to
talk
to
all
those
different
API
is
that
we
talked
about
you
know
back
here.
That's
a
certificate!
That's
a
certificate!
That's
a
certificate!
That's
a
circuit!
You
know
all
these
different
systems
right
and
so
managing
that
certificate
building
process.
B
When
combined
with
the
fact
that
were
built
on
Java
and
nobody
likes
to
deal
with
Java
key
stores,
it
was
really
painful.
So
we
we
started
off
with
you,
know:
okay,
well,
just
here's
the
documentation
on
how
to
do
it
and
one
of
our
open
source
users
wrote
this.
Like
immensely
detailed
document,
it
was
like
30
pages
long
of
how
we
got
it
running
and
I
was
like.
That
is
the
most
shameful
thing.
B
So
we
built
a
deployer
and
we
said
okay,
we
wanted
to
build
this
thing
that
would
deploy
artifacts
for
us,
and
so
we
built
that
and
it
worked
except
they
too
didn't
work,
and
this
was
about
the
time
the
core,
OS
acquisition
and
operators
started
to
become
a
thing,
and
we
said
well,
we
could
build
that
into
an
operator,
and
so
we
took
that
and-
and
we
had
another
customer
at
the
time
who
it
went
from
30
pages
down
to
like
ten.
It's
like
okay.
Well,
this
has
gotten
better
still,
not
acceptable,
but
better.
B
And
then
we
said:
okay,
let's
go
with
the
operator
model,
and
so
we
moved
that
artifact
appointment
bit
into
an
operator
and
we
found
that
our
deployment
process
went
from.
You
know.
10
pages
to
2
pages,
you
know
it
really
dropped
it
down
and
made
it
much
more
flexible
for
how
we
deploy
the
operator.
There's
still
I
would
say
quite
a
bit
to
be
settled
around
the
operator
process,
we're
still
kind
of
figuring
out
what
the
happy
medium
is
to
what
goes
into
a
CR
versus
what
goes
into
a.
A
We
totally
appreciate
the
efforts
that
you've
made
you've
been
on
the
bleeding
edge
of
a
lot
of
the
different
steps
on
our
path
from
open
ship
from
the
early
days
till
now,
and
this
is
sort
of
been
a
wonderful
thing
to
to
watch
the
rise
of
tremolo
security
and
the
appreciation
for
the
work
that
you
do,
and
identity
management
and
helping
others
understand
it
better,
and
so
I
really
encourage
everybody
to
go
out
and
give
a
look
at
open
units
done.
Give
some
feedback
to
it.
Come
on
to
the
open
shift.
A
After
that
short
talk
by
Peter
Clank.
So
as
always
mark,
we
are
totally
grateful
for
all
your
contributions
and
all
your
efforts
and
though
we
couldn't
see
you
at
the
virtual
Red
Hat
summit
in
person,
it
was
wonderful
to
be
part
of
that
with
you
and
someday
soon.
We
will
see
you
again
in
person,
hopefully,
and
maybe
koukin
North
America
in
Boston
that'd
be
nice
and
get
some
Lobster.
B
A
A
nice
dinner
and
talk
with
our
Boston
accents
I
may
be
in
Canada,
but
I'm
originally
from
there.
So
when
I
want
them,
I
can
talk
like
that.
So
I've
got
my
Canadian
accent
on
today,
but
thanks
again,
everybody
for
joining
us
thanks
mark
for
taking
the
time
today
and
adjusting
your
calendar
for
us
and
Chris
short.
As
always.
A
Thank
you
for
producing
this
and
making
this
happen
so
we'll
sign
off
now
and
I
will
post
the
the
demo
portion
of
this,
along
with
some
of
the
resource
links
on
our
blog
at
OpenShift
comm,
as
well
as
post,
the
YouTube
video
up
on
our
H
OpenShift
on
YouTube,
but
the
whole
raw
feed
will
always
be
there
on
Twitch
as
well.
So
there
are
lots
of
options
for
finding
this
content,
but
most
of
all
go
to
tremelo
IO
and
check
out
the
good
work
that
that
mark
and
his
team
are
doing
in
the
open.