►
From YouTube: OpenShift Commons Briefing #76: Security Practices in OpenShift Container Platform @ Amadeus
Description
In this webcast, Nenad Bogojevic from Amadeus and Diogenes Rettori from Red Hat talk about security mechanisms and protections related to Red Hat OpenShift Container Platform and Amadeus' experiences deploying and using OpenShift, including security mechanisms, such as user and network access control and policies in OpenShift and underlying Openstack, the audit trail of administrative actions, ways to use and protect Kubernetes secrets as well as some best practices for Docker containers. They also present some possibilities to address technical limitations or potentially unknown vectors of attack using compensating controls via auditd, monitoring, and alerting.
Amadeus operates large-scale, secure, Payment Card Industry Data Security Standard (PCI/DSS)-compliant online and e-retail systems. Recently, they started migrating those systems to OpenShift Container Platform. For Amadeus and their customers, security and compliance is paramount.
Guest Speakers:
Nenad Bogojevic – Software Architect, Amadeus
Diogenes Rettori – OpenShift Product Manager, Red Hat
A
Well,
hello
and
welcome
again
to
another
openshift
Commons
briefing.
This
time
we
are
going
to
do
some
talking
about
security
practices
and
openshift,
and
we're
really
happy
to
have
with
us
Amadeus
who
has
a
rather
large
deployment
of
OpenShift
and
has
a
lot
of
experience
with
it
and
Nena
and
do
Jeanne's
from
Red
Hat
are
going
to
both
give
us
a
bit
of
an
in-depth
dive
into
their
best
practices.
I'm
going
to
let
diogenes
who
I
work
with
it
red
hat,
take
it
away
and
introduce
herself
on
the
topic
so
go
for
it.
B
Thanks
very
much
Diane,
my
name
is
Diogenes
battery
I'm,
one
of
the
product
manager
for
open
shift
and
happy
to
have
my
my
my
friend
now
and
then
I'd
hear
from
Adele's.
We've
spoke
together
at
Summit
last
year
now
this
year
as
well.
So
it's
been
a
very,
very
healthy
relationship
for
for
both
of
us
so
far,
so
this
will
be
pretty
much.
Nanette
straw
will
have
a
couple
of
moments
of
interrupting
him
for
a
few
things
here
and
there,
but
I'd
like
to
say
that
this
is.
B
This
is
like
a
Modell's
experience
in
securing
open
chest
right,
it's
like
being
the
the
size
of
the
company
that
they
are
and
dealing
with
the
different
number
of
people
from
groups
and
organizations
from
light
different
lines
of
businesses
on
Modell's.
It's
good
to
hear
it,
but
the
things
that
they
have
to
go
through
like
the
hoops
people
they
had
to
convince.
So
hopefully
this
will
be
a
useful
for
you.
The
same
same
level
was
from
me
so
Nanette,
please,
take
it
away
and
I'll
be
interrupting.
You
momentarily
thank.
C
The
edginess,
so
let
me
just
start
about
what
we
are
amedeo's.
We
provide
IT
services
for
trouble
industry
and
which
basically
means
reservations
when
you
book
a
flight
to
go
somewhere,
you
want
to
look
at
prices
and
put
a
reservation,
and
you
want
to
have
your
luggage
with
yourself
and
you
want
to
port
the
planes
and
all
these
things
around
flights
or
hotels,
that
kind
of
services
that
we
provide
most
business
to
business
company.
C
We
operate
a
couple
of
large
e-commerce
websites
for
airlines,
we
do
payment,
processing,
their
bid
services
and
we
have
been
using
the
openshift
actually
up
to
three.
Actually,
since
two
years
are
probably
with
since
beginning
one
of
the
first
customers
and
we
have
been
using
it
in
our
own
data
centers,
we
have
been
using
it
in
public
clouds
and
we
had
some
questions
around
security
too.
C
Let's
first
talk
about
security
and
why
we
do
security
90,
and
hopefully
we
don't
do
one
like
in
the
picture
here.
That's
hot
marketing
sees
security.
We
do
IT
security
to
protect
our
assets,
to
protect
our
computing
capacity
and
data.
We
do
because
we
have
to
protect
personal
information,
but
our
customers
about
users
like
of
our
customers.
C
In
Europe,
we
have
our
GDP
Arjun
granulate
the
production
regulation,
which
comes
through
in
place,
which
puts
some
strong
rules
around
security
and,
as
we
do
e-commerce
and
we
do
payment
processing,
we
also
have
to
be
compliant
within
industry
standards,
PCI
DSS,
for
example.
So
all
these
things
when
you
come
with
a
new
platform
like
open
ship,
make
you
ask
some
questions
during
my
presentation.
Actually
in
the
upper
right
corner,
you
would
be
seeing
some
icons
and
those
icons
will
actually
tell
you
who
the
slide
concerns.
C
So
it
actually
starts
first
with
the
people
who
are
usually
the
most
one,
most
impacted
with
security,
which
are
cysts
that
means
and
DevOps.
So
they
have
the
helmet
to
protect
themselves,
sometimes
to
protect
themselves
for
the
next
guy,
which
is
developer,
which
not
always
takes
care
about
these
things,
unfortunately,
so
will
want
to
educate
at
him.
C
So
how
do
we
do
it
and
first
open
shipping
containers?
It's
a
lot
of
things,
change
and
many
other
all
the
rules
are
not
applicable.
Oh,
we
have
learned
as
a
company
we
exist
for
30
years.
We
have
learned
global
IT
security
or
good
at
it.
Things
change,
while
the
risks
remain
still
out
there
and
do
our
says.
C
Let's
now
remove
to
what
we'll
want
to
do
it,
security,
OpenShift
and
if
we
have
to
run
openshift
somewhere,
so
we
have
to
put
in
place
infrastructure
and,
of
course,
we
have
an
open
shape,
then
push
your
architecture
and
will
not
be
explaining
you
because
I
assume
that
anyone
attending
this
briefing
already
knows
this
slide
quite
a
lot,
because
I
think
it
was
shown
in
a
lot
of
presentations
and
I.
Think
we
wanted
want
to
deploy
open,
shipped
somewhere,
and
so
they
said
we
deploy
it
on
either
on
private
cloud
or
in
public
cloud.
C
We
use
usually
OpenStack
when
it's
run
running
on
our
hardware,
use
OpenStack
western
hardware
or
we
use
a
public
cloud
providers
and
how
do
we
deploy
there?
First,
we
start-
and
this
is
something
that
concerns
more
us,
as
you
can
see
in
the
icon.
Above
your
system
inside
your
DevOps
people,
we
first
always
pre
construct
to
be
M
images
that
we
want
to
deploy.
We
everything
with
what
the
image
needs
is
already
prepared.
We
always
use
this
from
mirrored
repositories.
Registry's.
We
never
actually
don't
want
something
from
internet
available
and
it
exposed
repositories.
C
C
Historically,
the
result
is
this
approach
for
especially
for
the
internet
exposed
services
that
you
separate.
Your
application
and
different
zones,
MDM
said,
and
they
may
have
layered
a
protection
for
for
web
servers
and
we
have
application
servers,
maybe
having
met
several
layers
like
that
and
eventually
database
and
all
these
things
running,
maybe
different
networks
with
firewalls
inside,
as
we
are
running
now
in
a
cloud
environment,
the
distinct
exchange.
C
When
we
use
open
step,
we
will
use
things
like
security
groups
or
Amazon
from
bullet
I
have
to
providers,
have
different
other
different
solutions
to
isolate
the
track.
Of
course,
there
is
a
need
for
sis
admins,
sometimes
to
access
installations,
so
access
control,
which
is
Bastion
server,
and
there
is
the
Nemo.
C
C
It
is
one
single
thing
and,
if
want
to
roll
out,
a
new
version
beat
new
version
of
the
openshift
or
the
new
version
of
the
application
will
simply
rebuild
the
new
instance
when
it
when
it's
up
and
running
will
bring
down
the
old
essence,
which
allows
us
a
fairly
easy
way
of
upgrading.
However,
it
has
a
cost
of
having
a
certain
point
of
time
to
instances
running.
Another
approach
is
for
more
long.
C
Living
platforms
would
be
to
do
a
rolling
upgrade
by,
for
example,
adding
new
and
nodes
inside
the
clusters
and
open
ship
cluster,
and
once
they
up
and
running
removing
the
old
loads
from
existing
nodes
and
taking
them
out
of
the
of
the
cluster.
In
principle,
we
are
rebuilding
machines,
we're
not
upgrading
machines
in
place
and
the
frequency
of
upgrade
policies
we
could
be
monthly
depends
on
the
kind
of
the
of
the
platform
were.
Actually.
This
is
right.
C
C
This
is
a
variation
of
the
standard,
the
OpenStack
reference
architecture
for
the
open
ship.
We
use
a
little
bit
differently
because
we
have
strict
separation
of
internal
networks
and
external
networks,
and
this
slide
what
is
actually
in
boxes
which
are
way
dashes
around
represent
security
groups
in
OpenStack.
So
you
would,
for
example,
for
your
worker
loans
and
for
infrastructure
nodes
which
share
the
software-defined
network.
They
would
be
living
in
one
security
group,
so
they
can
communicate
between
themselves,
but
no
one
outside
it
can
actually
join
this
part
infrastructure
nodes.
C
They
would
be
accessible
from
a
kind
of
Gamzee
or
firewalls
or
other
web
protection,
things
that
you
might
have
in
front
of
them
or
my
possibilities
to
be
accessible
directly
from
the
internet.
That's
not
the
case.
How
actually
we
are
working?
We
always
have
fireworks
in
front
of
it
and
then,
on
the
right
hand,
side.
We
have
our
people
who
work
and
who
maintain
this
thing.
C
C
B
Like
from
my
perspective
and
I've,
been
a
developer
in
my
life
like
security,
for
me,
it's
what
was
for
me
like
only
like
login,
but
there
are
multiple
aspects
around
security
which
we'll
cover
on
so
some
people
that
end
up
thinking
that
security
is
only
our
back.
Security
is
only
content,
but
it's
a
huge
wide
array
of
security
and
interior
point.
C
So
as
a
developer,
he
might
login
with
I.
Couldn't
just
here
might
also
often
do
these
things
the
command
becoming
Europe
the
effectively
root
of
OpenShift,
with
all
the
capabilities
which
is
not
correct
way
of
doing
things
in
OpenShift.
We
want
to
have
our
back
that
Diogenes
mentioned.
We
want
to
have
some
control
of
what
people
who
clocks
in
who
can
do
what
things
if
it
is
a
developer
and
his
local
machine,
he
might
get
once
he
logs
in
something
like
this.
C
But
if
we're
running
something
in
production,
we
might
have
actually
more
types
of
users
and
it's
our
approach.
Well,
the
way
of
authorizing
or
to
define
user
in
production
would
be
on
something
like
LDAP
as
a
company.
That's
home
managed
identification,
but
there's
also
the
possibilities
of
using
of
creating
its
own
accounts.
The
specific
accounts
for
open
ship
using
different
sources
of
truth
for
the
product.
If
occation
said,
LDAP
is
a
common
way
and
already
contains
sufficient
information
that
could
allow
us
to
give
give
different
rules
and
different
roles
to
different
users.
C
So,
for
example,
in
the
given
project
I'm,
the
admin
I
have
a
right.
Usually
our
approach
is
a
DevOps
actually
have
those
kinds
of
rights.
Then
we
might
have
people
who
are
some
kind
of
support.
People
can
have
some
action,
perform
some
actions
and
we
can
have
developers
for
them.
We
give
them
the
review
rights,
they
cannot
modify,
but
I
can
have
a
look
of
what's
going
on
and
they
can
use
that
to
investigate
an
issue
or
something
they
happen
in
production.
C
So
so
far
for
the
air
back,
let's
now
move
to
something
some
nice
things
that
exist
in
open
chef,
which
are
personal
security
which
would
be
like
actual
to
use.
So
we
have,
for
example,
open
ship
secrets,
which
is
a
great
way
of
the
coupling
sensitive
information
from
application
code.
So
it's
a
way
how
we
can
distribute
everything
which
is
and
which
Pixlr
confidential
operationalizing.
C
Well,
it's
like
password
credentials
or
their
certificate.
It
will
not
be
something
that
will
be
used
for
business
sensitivity
like
I,
know,
credit
cards,
that's
something
else.
This
has
to
be
used
for
something
it's
operationally
necessary
for
applications.
It's
really
great
way
because
it
allows
a
separating
that
information
and
it
went
from
applications.
It
allows
secure
delivery
of
this
information
to
the
note
F.
Its
present
is
a
file.
It
will
always
be
on
memory
and
OpenShift
nodes.
So
don't
go
is
down
with
never
be
on
disk.
C
So
will
not
someone
somehow
gets
hold
of
this
disk
will
not
get
hold
of
the
secrets,
allows
access,
sided
for
environment
variables
or
through
files
mounted,
which
basically
the
user
way
of
accessing
such
kinds
of
secrets.
From
for
its
great,
we
actually
also
separate
concerns.
We
have
a
developer
on
the
left
hand,
side
who
describes
his
pod,
and
it
says
that
he
needs
an
an
environment
variable
here,
based
on
some
secret
and
then
DevOps
guy
or
security
guy
then
create
the
secret
in
the
master
and
at
runtime
those
two
be
linked
together.
C
B
Sure
so
important
to
to
point
out
that,
when
secrets
was
introduced
into
into
kubernetes
even
before,
are
back
so
for
some
people
imagine
that
there
was
no
concept
of
our
back
in
kubernetes.
That
means
anyone
could
access
any
object
anywhere
and-
and
that
means
the
s
secrets
they
were
essentially
openly
available
to
anyone
that
could
see
right.
B
So
we
are
working
with
the
kubernetes,
the
kubernetes
upstream
community
to
to
have
secrets
and
openshift,
and
I
think
I
would
like
to
point
out
is
and
I'm
sharing
this
in
the
chat
right
now
and
I
know,
and
it
has
it
there,
but
I'm
also
sharing
that
all
the
product
management
that
we
do
for
open
ship
is
open
to
the
public.
So
at
any
point
in
time
you
can
get
into
this
URL
and
search
if
there's
like
any
tasks
or
any
work
being
done,
engineering
right,
wise,
related
to
secrets
encryption
or
to
volts.
B
So
if
you
search
for
example,
vote
you
see
that
there
is
a
task
committed
sorry
target
for
open,
sheath,
read
out
late,
which
is
a
tree
today,
which
is
about
integrating
further
whole
solutions.
You
should
search
for
for
encrypt
secrets.
Like
Nina.
Did
you
see
we
have
a
card,
so
it's
it's
important
that
you
keep
following
this.
C
Okay,
those
things
are
not
yet
there
and,
for
example,
we
have
things
like
PCI
DSS
compliance,
which
requires
to
have
secrets
or
contentious
encrypted.
So
how
do
we
talk
in
address
and
how
can
we
do
our
move
to
open
shift?
Don't
have
such
such
things
and
there's
actually
a
lot
of
discussion
around
this
like?
C
Is
it
really
an
issue
to
have
a
secret
toward
any
PCD
like
that,
because,
anyway,
DCD
are
prone
one
of
the
main
parts
of
your
infrastructure,
and
if
you
have,
if
your
sum
is
compromised,
it
you
probably
have
other
bigger,
maybe
even
bigger
issues,
because
it
can
compromise
your
masters
and
then
your
cluster
then
divide
it.
Okay,
they
can
steal
this
kind
of
secret.
Then
I
can
also
encrypt
the
disk
where
etcd
runs,
which
allows
the
packet
that
are
at
rest.
And
someone
steals.
Your
is
click
enough
retrieve
these
secrets.
C
Of
course
it
some
compromises
be
able
to
access
them.
So
those
are
two
approaches
that
are
possible
for
tcd.
There's
also
possible
that
actually
not
at
all
use
secrets
that
to
store
that
them
involves
not
don't
use
the.
What
coming
with
open
shift
and
then
put
a
place
decryption
service
with
a
couple
of
patterns?
C
If
you
stole
things
vote,
you
may
have
a
sidecar
running
inside
your
container
that
is
responsible
to
connecting
to
this
vault
and
giving
you
the
secrets,
or
you
might
have
an
in
each
container,
which
will
read
the
secrets,
create
a
temporary
file
and
use
this
one.
We
can
only
make
a
do
security
as
a
service,
which
is
basically
a
service
running
inside
of
pre-shift
that
you
connect
to
when
you
get
your
secret.
Well,
basically,
this
becomes
a
vault
or,
if
I
sit
in
front
of
what
and
but
also
in
terms
of.
C
C
For
compliance
and
well
I
would
say
first
thing:
I
said
that
you
can
access
secrets
through
the
API.
Luckily,
opiate
actually
provides
a
lot
of
activities.
What
happened
you
can
see
someone
tried
to
access
the
secret
like
here,
I,
try
to
access
the
secret
and
didn't
have
the
right,
so
I
get
the
401
errors,
so
this
is
something
to
be
activated
inside
no
pre-shift
masters,
not
perfectly
ready
for,
but
on
an
activated.
C
You
can
monitor
OpenShift
file
locks
and
when
you
see
a
trigger
like
this,
like
for
a
while
I
mean
anyone
trying
to
connect
the
secrets
you
met,
raise
alarm
perceive
that
person
has
the
right
or
doesn't
have
the
right
and
those
who
works
with
the
processes.
You
can
also
check.
If
them
they
are
using
it
not
only
the
first
person.
C
C
C
The
rules
can
be
like
if
someone
tries
to
excessive
given
file
well,
lock,
something
or
eat
someone
or
some
process
tries
to
do.
A
certain
system
call
also
do
something,
so
you
can
actually
create
rules
based
on
this
one
or
someone
try
to
access
a
given
file.
Let's
lay
the
alert
and,
let's
look:
if
the
person
had
the
right
or
not
to
have
the
right
or
it
can
have
a
rules,
a
check.
C
Will
you
choose
automatically
beside
those
things
and
it's
something
happen
place
for,
for
example,
precious
masters
monitor
if
someone's
is
a
really
accessing,
for
example,
etcd
series.
It
just
turns
out
of
the
rules,
a
rule
that
could
be
put
in
place.
Basically,
if,
whenever
someone
tries
to
open
a
file
of
one
any
of
the
files
belonging
to
each
CD
database,
we
would
be
logging
something
via
audit.
C
Dee-Dee-Dee
can
generate
a
lot
of
logs
depending
on
what
kind
of
system
calls
you
listen
to.
We
are,
for
example,
lesson
just
really
open.
Some
I
may
decide
to
listen
on
the
read
if
they
won't
have
huge
amount
of
data
and
we
can
put
a
similar
link
on
the
nodes
and
under
notes.
You
might
be
more
interested
not
on
any
excess
of
etcd,
because
there's
no
etcd
or
any
access
to
the
secrets,
because
there's
a
lot
of
different
secrets
which
are
generated
by
kubernetes,
which
could
be
certificates
a
lot
of
different
stuff
is
present
there.
C
We
just
want
to
monitor
some
secrets
that
we
can
see
they're
important
and
how
do
we
do
it
as
any
of
the
secret
might
have
a
certain
type
of
products
there
are
in
fix,
and
we,
whenever
there
is
a
new
mount
with
this
prefix
in
civics?
Whatever
is
we
start
monitoring
it
auditing
it?
Whenever
it's
down
when
unmounted
would
stop
monitoring?
And
then
we
have
rules
which
would
say?
C
Ok,
someone
tried
to
access
this
secret,
and
this
is
this
user,
and
this
user
actually
has
the
right
to
to
read,
or
this
process
has
a
right
to
read,
or
it
might
say,
okay,
no,
it's
not
something,
please
an
alarm,
let's
investigate,
and
this
at
least
gives
you.
The
possibility
to
react,
react
very
quickly
actually
on
the
fact
that
maybe
your
secrets
have
been
compromised.
C
Mentioning
coded
need,
there's
a
other,
interesting
news,
because
you
can
monitor
a
lot
of
different
things
and
there
is
an
yolk
escape
tool.
It
can
be
very
useful
there
because,
for
example,
it
took
PCI
DSS
compliance.
There
is
a
set
profile
which
is
suggested
for
this
one
and
can
be
used
as
one
for
the
blueprint
of
the
audit
D
rules
that
would
in
place
on
your
nodes
using
it
and
then
a
lot
of
different
profiles
which
are
applicable.
C
So
it's
like
a
teaching
tool
should
tell
you
a
maybe
not
of
the
rules
are
really
applicable
in
all
all
the
rights,
but
a
lot
of
them
are
very
interesting.
One
there's
another
thing
which
we
find
very
interesting.
You
know
purchase
trees
looking
to
it
not
to
get
to
use.
It
is
a
problem,
something
that's
when
I
start
using
at
some
point
or
something
similar
is
it's.
C
Clusters
are
protected
there
on
our
premises,
so
it's
they're
physically
protected,
but
it
would
be
really
nice
if
you
can
add
a
layer
on
top
that
we
can
actually
also
encrypt
information
inside
our
clusters
between
services
inside
instead
of
using
pure
HDB
or
encrypted
MongoDB
communication
or
whatever
there
is.
It
would
be
really
nice
if
you
can
always
communicate
using
TLS
as
transport
protocol
and
that's
what
we
like
service
signing
certificates.
C
B
C
They
love
them,
but
so
great
everyone,
true
power
developers,
want
to
be
agile
as
possible.
To
do
a
person
might
happen
from
time
time
that
they
really
want
to
be
again
and
they
do
really
want
to
be
so
they
start,
and
sometimes
they
want
to
expose
a
web
server.
This
and
okay
web
server
is.
It
will
listen
on
a
port
80,
because
that's
the
normal
port
that
we
listen
to
and,
of
course,
port
80.
We
cannot
front
and
I
cannot
start
a
service
which
lessens
on
port
80
online.
C
Next
Alice's
route
are
privileged
user
because
its
support
before
below
1000
and
then
sometimes
they
might
say.
Okay
I
want
to
work
with
Apache
web
server
and
let's
take
version
two
for
both,
which
is
try,
think
like
oak
several
years
or
they
go
to
doc,
doctor
hub
and
they
search
and
they
find
this
cool
super-powerful
base
image
from
I
know
Neverland
eeeh
somewhere,
which
called
black
hat
and
they
just
pull
it,
and
they
just
run
it
in
production
and
who
knows
what
this
image
actually
does
so
I
try
to
educate
them.
C
Let's,
let's
make
them
learn
and
I
mean
all
of
these.
Things
are
easily
solvable
in
OpenShift,
so
but
our
images
in
basically
we
don't
allow
root
access
or
anything
which
is
a
business
load
or
functional
which
never
never
have
a
root
access
and
one
way
up.
First
of
addressing
it
that
is
actually
open
shipped
by
default.
When
it
runs
application,
it
can
run,
it
will
run
it
with
arbitrary
user
ID
and
that's
often
comes
as
a
problem
for
developers
because
they
take
maybe
one
image,
and
but
this
image
requires
a
specific
type
of
user.
C
There's,
no
particular
reason
why
it
has
it
right
requirements
it
just
it's
like
that,
because
there
are
some
permissions
which
are
given
for
a
specific
user
and
that's
how
it
works
the
exact
early.
Is
it
addressing
openshift,
because
this
arbitrary
user
ID
open
shipped
uses?
It's
actually
belongs
to
a
root
group.
A
root
group
has
no
specific
rights,
except
it's
called
the
root
group.
C
So
good
practice
is
that
for
your
images,
whenever
you
need
this
setting
of
permissions
for
anything
that
your
application
needs
to
access,
you
have
give
it
right
to
the
root
group
and
to
the
user,
as
the
arbitrary
user
would
want
to
root,
it
will
be
able
to
read
anything
there.
A
second
thing
is
running
on
a
port
80
an
example
old
Apache
actually
been
the
base
images
like
that,
but
it's
extremely
easy
to
change
that.
We
can
lesson
on
a
port.
C
So
security
context
constraints
allows
us
to
give
this
right
to
some
of
the
pods,
so
we're
adding
features
or
we
can
going
after
the
extra
memory
secure
computing
and
we
can
say
comp
and
we
can
they
decide
to
even
restrictive
and
more
to
say.
Ok,
you
are
caught.
They
are
not
allowed
to
ask
idle
for
time.
If
we
consider
asking
for
time
is
very
restrictive,
we
can
restrict.
C
Actually
it
allows
us
to
restrict
calling
different
system
calls
so
that
these
two
approaches
one
for
going
further,
giving
more
permissions
one
playing
towards
giving
less
permissions
for
the
applications
and,
of
course,
I'm
going
to
pull
things
as
from
untrusted
sources,
Internet.
So
even
memory
use
all
images
actually
come
from
our
internal
registry.
We
often
use
this
racket
as
base
images,
so
we
mirror,
for
example,
red
heads
repository
into
our
own
one.
C
If
images
cannot
be
mirrored
from
a
trusted
source,
we
rebel
them
internally
from
source
code
or
internal
infrastructure,
and
we
are
internal
actually
never
accesses
docker
hub
directly
from
the
build
machines
away.
All
the
bills
must
be
done
from
actual
image.
Images
which
are
already
present
and
only
already
trusted
and
in
production
will
only
give
the
access
to
images
that
have
been
validated
and
that
will
mirror
them,
and
one
other
possibility
is
actually
to
run
checks
about
across
images
to
see
if
they
have
a
Security's
council
that
should
to
tools.
C
They're
they're,
imagined
images,
vector
Oscar,
opens
cup
docker
come
redhead,
they're
other,
but
are
actual
tools
which
do
these
things
we're
using
the
junkies
pipeline.
So
one
step
in
the
pipeline
could
be
validation
of
the
images
that,
if
they
have
security
vulnerabilities
or
not,
it's
not
something
that
we
consider
blocking.
C
Actually
today,
as
we
have
experience
with
images
that
are
marked
with
security
vulnerabilities,
because
I
know
there's
a
jdk
1.7
inside
and
we
never
used
you
3107
it's
more
for
informational
purposes,
but
I
think
there
are
some
things
coming
there
to
help
us
also
on
the
Red
Hat's
site.
Isn't
it
Diogenes.
B
Thanks
very
much
and
I
I
can
yeah.
So
what
what
you're
seeing
here
in
this
screen
recently
launched
container
catalog
at
Red
Hat
it?
It
has
a
few
interesting
things.
So
we
we
launched
this
idea
of
health
index
which
will
tell
from
Red
Hat
perspective
how
healthy
we
think
the
content
of
that
image
is
right
so
and
here's
a
the
example
of
the
JBoss
zap70.
Imagine
if
you
see
from
our
perspective
we
classified
as
a
B
for
B
red
hat.
We
still
consider
you
to
be
to
be
a
healthy
container.
B
Con
yeah,
but
so,
if
you
click
on
a
specific
tag,
it
will
tell
you
why
this.
Why
do
we
think
that
that
that
image
is?
Is
a
B
and
we'll
tell
like,
for
example,
this
image
has
one
important
vulnerability
that
has
not
yet
been
fixed
for
at
least
30
days
or
or
or
or
he'll
thing
is
will
say
like
that.
There
should
be
no
critical
vulnerabilities
in
the
image
for
more
than
then
seven
days
and
no
important
vulnerabilities
from
more
than
30
days.
So
for
the
contents
we
create
ship
and
package.
We
own
the
lifecycle.
B
B
It's
a
key
point
for
more
for
more
business
and
I
was
just
recently
checking
a
thread
that
a
lot
of
people
used.
The
busybox
image
to
build
their
own
containers
and
the
version
that
was
up
into
a
few
days
ago
had
even
malware
in
sin.
The
image
so
just
imagine
that
the
type
of
of
impact
having
malware
inside
a
container
image
would
affect
your
company.
But.
B
B
Yes,
it
is,
it
is
so
it's
this
exact
same
catalog.
That's
that's
used
for
for
our
own
software.
It's
it's
also
used
for
for
any
off
or
is
V
images
or
IC
partner
images.
So
you
can
go
like
anyone
can
go
to
access
ahead,
calm,
slash
containers
and
search
for
images
that
are
available
there
and
they
will
follow
and
be
in
and
go
through
the
same
level
of
of
updates
and
and
lifecycle
management
that
would
like
to
reapply
to
or
own
images,
probably.
C
It's
kindly
some
final
thoughts
about
the
on
we've
got
I'd
ourselves
wondering
it's
your
deal
so
first,
we
are
quite
confident
we
can
manage
the
platform
which
is
secure
for
known,
continual
abilities
and
make
something
unknown.
There
are
risks
and
we
are
sure
that
we
actually
can
manage
those
with
it.
It
is
I,
it's
definitely
not
solve
application
vulnerabilities.
It
can
help
the
things
like
secrets,
can
cuts
and
some
management
the
things
like,
sir.
It's
a
certificates
can
manage.
There's.
Also
the
question
of
a
multi-tenancy.
C
True
multi-tenancy
would
be
some
applications
that
completely
isolated,
something
which
OpenShift
supports.
We
find
this
quite
a
complex
solution,
12
still
working
late,
trying
to
figure
it
out
and
we
always
start
with
principally
successful
grinding
new
capabilities
as
applications
only
not
starting
with
privileged
containers,
beginning
the
couple
of
things
that
will
miss
and
actually
best
talk.
Many
of
those
are
on
the
wrong
map
and
even
in
implemented
encryption
for
secrets.
Clearly,
we
see
that
it's
coming.
C
We
network
policies
to
manage
who
has
access
to
what
internal
and
the
grass
it
so
extracting
already
part
of
the
open
latest
version
open
shift.
They
will
be
really
nice
to
have
an
image
inspector,
which
is
something
integrated
more
way,
the
platform
itself,
so
some
we're
currently
working
on
outside
to
be
nice
having
him
our
bath
great
thing,
maybe
some
out-of-the-box
new
groups
and
security
manager
that
hasn't
managed
what
has
been
deployed
basic
secrets.
All
the
things
that
are
very
nice
have
been
open
shipped
anyway
day.
C
A
A
So
this
has
been
very
great
and
really
appreciate
it
I'm
not
looking
at
it
in
any
questions,
though,
so
you've
done
an
incredibly
thorough
job.
Oh
here's
one!
How
are
you
preventing
images
containers
from
taking
all
the
compute
resources
of
a
node?
Are
you
implementing
resource
limits
in
kubernetes,
OpenShift
and/or?
Do
you
monitor
customers
or
abuse
cases?
A
C
Yes,
will
you
implement
resource
limits
that
that's
one
a
way
and
we
do
separately?
Of
course,
we
do
monitor
what
the
applications
do,
because
it's
also
of
other
interest.
Do
we
want
to
scale
up
what?
What
are
we
the
needs
of
application
and
in
our
case
the
customers
are
currently
on
voice,
no
term
customers.
C
We
have
vital
good
control
of
what
they
do,
but
indeed
the
principle
approach
is
putting
place
resource
limits
and
then
monitoring
would
be
more
like
overall,
seeing
what
happens
and
and
I
can
ask
her
for
the
second
question,
which
is
what
are
you
using
monitoring?
We
have
our
internal
monitoring,
go
back.
If
you
develop
because
probably
operate
something.
C
A
B
C
As
some
we
have
something
which
we
developed
a
bespoke
internally,
based
on
open
source
technologies
providers
is
one
thing
that
we
are
looking
at
into
my
user
graph
are
now
for
this
place,
and
then
we
have
actually
already
some
way
way
of
collecting
metrics
which
have
been
developed
in
house
and
which
we
are
using.
And
now
we
don't
have
a
github
link
for
the
solution.
It's
not
something
that
we
have
open
sourced.
C
A
There's
there's
lots
of
people
and
I.
Think
monitoring
has
become
one
of
the
hot
topics
actually
within
the
Commons
briefings
and
I.
Think
next
week
we're
doing
another
one,
our
robust
perceptions,
Brian
Brazil.
The
gentleman
who
spoke
on
prometheus
is
going
to
come
back
and
talk
about
high-level
perspectives
on
monitoring
and
different
solutions
and
what
monitoring
actually
means
and
I
think
we'll
be
doing
a
lot
of
monitoring
talks,
because
there
are
lots
of
approaches
and
everybody,
everybody
has
their
own
special
stall.
A
B
I
can
talk
a
little
bit
about
like
what
we
have
in
mind
from
a
product
management
perspective,
and
this
is
so
far
upstream
say,
upstream,
work
we're
doing
so
we're
doing
upstream.
Work
with
parameters
have
seen
that,
so
there
should
be
a
formal
integration
for
primitives
in
an
open,
shipped
upstream.
That
means
open
ships.
Origin
if
you
saw
the
announcements
around
Jaeger,
which
is
for
distributed
tracing,
so
we're
working
upstream
on
that
as
well.
B
A
A
The
book
they're
all
on
the
events
calendar.
So
if
you
go
to
OpenShift
where
they're
Commons,
openshift
org,
slash
events,
dot,
html'
you'll
get
there
and
there's
a
whole
slew
of
things
coming
and
we're
going
to
two
days
a
week,
Wednesdays
and
Thursdays,
because
there's
so
much
coming
down
the
pike
and
I
think
we're
almost
to
our
300th
member
organization.
So
we've
got
lots
of
people
who
want
to
talk
about
the
lots
of
things
and
different
aspects.
A
So
it's
going
to
get
busy
so
and
all
of
this
stuff
that
we
talked
about
today,
including
this,
a
PDF
of
the
slides
and
the
video
of
the
slides,
will
be
up
on
blog
OpenShift
comm,
shortly,
usually
by
Monday
or
Tuesday
of
the
next
week
at
the
latest,
and
you
can
find
all
of
the
other,
almost
75.
Or
if
this
thing
this
is
the
76
podcast
I've
done
so
far
up
on
our
H
OpenShift
on
YouTube
and
that's
a
playlist
for
it.
A
So
stay
tuned
there'll
be
more
next
week
and
it's
keep
keep
it
coming
because
it's
been
great
working
with
Amadeus
and
with
having
folks
join
us
on
ask
these
questions
and
push
the
product
forward
even
further.
So
it's
all
about
you
guys.
So
thanks
very
much
and
thanks
again
to
Amadeus
and
Diogenes
for
taking
the
time
today
and.