From YouTube: Securely Automating GitOps in Multi Tenant Cluster Marc Boorshtein Tremolo Security OpenShift Common
Description
Securely Automating GitOps in a Multi Tenant Cluster
Marc Boorshtein (Tremolo Security)
October 21 2020
OpenShift Commons Operator Hour
OpenShift Commons Briefing
A: Hey everybody, thanks for joining another exciting episode of the OpenShift Commons briefings. Today we are very fortunate to have Marc Boorshtein and Brian Culhane join us here from Tremolo Security. We're going to be talking about how to securely automate GitOps. Marc, welcome to the show. I have seen you at just about every major trade show for the last four or five years. You've been at our OpenShift Commons activities, you've been at the OpenShift Summit activities.
B: So it's pronounced "tremolo", kind of an "el" sound there after the m. So a tremolo is a sound fluctuation.
B: So if you have ever played guitar, or even the organ, you know, with a guitar you hit the whammy bar, and that fluctuation, that's a tremolo. And so where the name originally came from was when we were first starting the company. You know, we're an identity management company primarily, that's where we got our start, and the very first product we were building was a web access management solution. So it was a... anybody familiar with service mesh, you'll be familiar with this concept.
B: We wanted to get away from agents, which is a big thing that our competitors were doing, and so, you know, I wish I could say I was a marketing maven, but I am not. The first name for the company was going to be Auto IDM. Simple, you know, kind of talked about what we did, and my co-founder, who actually is quite good at marketing, came back and said: no, that's a terrible name, it's clunky!
B: Now I'm gonna think of something else. So he came back and he said, well, it's a web access manager, WAM, whammy bar, Tremolo Security. I was like, oh, that's a terrible name, nobody's gonna know what it means. You know, my co-founder is a friend of mine from Boston and he's got a very thick Boston accent. He can't pronounce it correctly to save his life.
B: I was like, that's just not gonna work, go back to the drawing board. And so that night I spent a good three hours trying to find a domain name for the company that had the word identity in it. I tried different languages, I tried different combinations, acronyms, everything, couldn't find a thing. It's like, so who is tremolosecurity.com?
B: No, we actually started the company in 2010, that was when the company originally started, and we kind of flew under the radar, somewhere between a hobby and a science project, for a few years.
B: While we were kind of, you know, getting our feet under us, building out the technology. And then in 2013 we got our first customer, a public safety environment here in the DC area, which kind of catapulted us. And then we didn't really come out of, not that we were ever really in stealth mode, but we didn't really start getting out there until 2015, which is when we had our first booth.
B: Actually at Red Hat Summit. That was kind of our coming out, you know, coming-out-of-stealth-mode party was that first booth at Red Hat Summit in '15 in Boston. It's also when we became an open source company. We said, you know what, open source is going to be the way to go. It's going to be the way to get to the most people, and so we decided to go ahead and open source up, and it's been off to the races since then.
B: So I was a consultant at PricewaterhouseCoopers. So if folks are familiar at all with the audit industry, they call it the Big Four: PricewaterhouseCoopers, which I was at, Deloitte, Ernst & Young, KPMG. And so I was an identity management consultant there for about seven years, and if you name a vendor and an industry, there's a pretty good chance...
B: I was involved with some kind of cross-section of doing an identity management deployment there. And so what we found when we were doing these deployments was that we were spending a lot more time customizing this beautiful vendor demo to what the customer needed, rather than actually implementing their business logic. So we would... you know, the vendor would walk in and say, here's this big gorgeous demo, with all our opinions of how you run your identity management.
B: What's interesting about identity management versus a lot of other technical disciplines is it's very closely bound to the business. It's got a tie to the way the business is set up, because often you're saying, okay, you know, our management process is a certain way, or an organizational process is a certain way.
B: A lot of enterprises are very siloed organizationally, so your technology has to match that silo, and so we would spend most of our time kind of pulling that demo apart and reconstructing it in a way that would work for customers. And so this was before the term microservices, you know, really existed, but we said, you know, the better way to do this is, instead of building this monolith identity system that you then have to, you know, pull pieces out of and reconnect, let's start from basics and build.
B: You know, what would today be described as microservices for identity management: your web access management, your SSO, your virtual directory, your user provisioning, your APIs, your self-service, all those different things. And so we built that out, and what became really interesting was, as we were building it out, it just meshed really well with the OpenShift and Kubernetes world, because we had built these small building blocks that we said...
B: However you want. And it really turned both the implementation time on set and the costs on its head. And one of the things, one of our rules of thumb, was that your ratio of professional services to licensing dollars is going to be two to one: for every dollar you spend on a license for software, you're gonna spend two dollars to implement it.
B: We wanted to turn that on its head, and we found that by going with a microservices-like approach, a building blocks approach, our implementation times just bottomed out, and we were able to... you know, we had one customer as an example. We replaced a long-standing legacy system that took them, I think, three years to get implemented. We had the proof of concept up and ready to go in three days to replace them.
B: So a lot has changed. We got started in Kubernetes back in the 1.3 days, maybe 1.8, whenever RBAC first came out, and OpenShift had first come on.
B: In fact, we had a booth at the first KubeCon NA in Seattle four years ago, when it was still small enough to be in a hotel lobby. Not small enough to do that anymore, right. And so we actually originally got involved with OpenShift and then later with upstream Kubernetes and with RBAC, and so we started with... so when you go to the Kubernetes authentication page and it talks about OpenID Connect, we rewrote all that documentation and donated it back to Kubernetes.
B: We then went ahead and started to look at the way OpenShift and Kubernetes deal with identity. You know, one of the things that's really changed over the last several years is this notion of what goes into your cluster, and we're going to talk a lot about that during the demo. You know, it's more than just Kubernetes, it's more than just OpenShift, right? I mean, you've got monitoring systems. You've got your GitOps system; we're going to talk about Argo CD.
B: Today you've got your build system; we're going to talk about Tekton. You've got your code system; we're going to be using GitLab for that today. And all of these systems have their own concept of identity. And so specifically, when you're looking at, like, an enterprise world, most of the implementations of multi-tenant... it's... most enterprises are looking for multi-tenant solutions. They're not, you know, most implementations I've seen, where the tenancy is at the cluster, that doesn't scale real well from a management solution.
B: There are advantages to it. Obviously you're going to have multiple clusters, but when all is said and done, the management process of multi-cluster doesn't scale when you're trying to have a cluster per application, so multi-tenancy becomes really important. And so identity is, you know, it's kind of like the Force in Star Wars. It binds everything together. You know, Argo CD has its own internal RBAC system. It doesn't work with the Kubernetes RBAC system.
B: It's got its own thing. GitLab has its own identity system, and then, of course, OpenShift and Kubernetes have their own identity system. So if you're going to provide a platform for your developers to be able to access these systems securely, and to, you know, really get the IT people out of the room, out of the way, right, you know, the goal is that the people who own OpenShift are not involved day to day in applications, right?
B: You know, one of the things in the identity world I always say is, if I'm in the room, something's probably gone terribly, terribly wrong. You know, people can't log in, people are unhappy. You know, it should be the same way with the people who run the Kubernetes and OpenShift deployments. If you're running OpenShift or Kubernetes and you're in the room during an issue, something's gone really, really wrong. Ideally your application owners are managing all that process.
C: Hey, great question Mike, thanks for having us on this morning. I go back 20-plus years in the identity and access management space with some very large programs of record. The early days were extremely challenging, to enable access to uniquely different data repositories.
C: Most intriguing was his subject matter expertise, successful consulting background and the fact that he had developed his own IP to secure the authentication process and speed the implementation phase, a huge game changer for organizations leveraging their existing infrastructure to deploy a solution in weeks, not months. This resonates with all organizations concerned with cost savings, dedicated IT resources, and securely enabled privileged access to their internal team, contractors and partners.
A: Okay, fair enough. Back to you, Marc. I couldn't help but notice when you were talking just a couple minutes ago that there was something in the background there, and I thought maybe you might want to talk about something that's exciting that's going to be coming out here. Is there a book coming out there?
B: I'm going to show off the book cover here. I'm gonna do a little bit of shameless self-promotion. So I co-authored a book with my partner in crime here, Scott Surovich, on enterprise Kubernetes. So when we started talking about writing this book together, we found that there was a big gap in the knowledge out there, the written knowledge, I guess, on how you implement Kubernetes in enterprises, which are really unique from, you know, kind of your more consumer-facing companies.
B: You know, in the enterprise, you have to work around the organization as well. You know, in most enterprises you might only have a dozen, maybe even less, of these massive, truly enterprise-wide applications, right, your ERP, your messaging, things like that.
B: But then most of your applications are these siloed systems that might have a couple of hundred to a couple of thousand users, and so to the people who own it, it's the most critical application in the world, and they're now responsible for keeping it up and running. And you know, their paycheck depends on it, right. Their bonus depends on it. So we wanted to write a book with that in mind, so heavy focus on identity.
B: So we have a full chapter on authentication, RBAC authorization, pod security policies and OPA Gatekeeper, and then a lot of the stuff that you might think is kind of mundane but is really important to managing that kind of a diverse environment: backups, logging and log aggregation. And then what we're going to demo here was one of the most fun things that I've done in a while.
B: Our last chapter, we said, you know, we're going to build a platform. We're going to talk about how you build pipelines and then build a platform with the goal of not having to have, excuse me, not having to have a Kubernetes admin building these bespoke clusters. Everything's automated, everything's done through GitOps, and what we really wanted to handle with this book was to say, look, this book is more than just theory, right.
B: A lot of books are theory, you know, and they give you great information, but it's not necessarily always in a practical context, whereas you have cookbooks, which give you really specific recipes. They'll give you great ideas and great knowledge, but they might not relate directly to what you're doing. We wanted to kind of go in the middle, where it's a practical book with a lot of theory in it.
B: So the thing's huge, I think it's 650 pages of, you know, of Kubernetes, and there are labs in most of the chapters that you can go through, and everything's open source. It's up on GitHub, and so we had a blast. It's coming out on November 6th, and then anybody who wants to get their hands on it, we have a discount code. We'll have it on the last slide we put up; it's "25 kubernetes". You go to Amazon and order it there, you'll get a 25% discount.
A: I just linked it in the chat as well, but we will.
A: Up on the last slide, as you said. Awesome, 650-some-odd pages. I can't wait to pull that down.
A: Right, well, demo time. Can you show us something? And hopefully there's going to be lots of terminal windows and manually editing config files, or...
B: I promise we will not manually edit a single config file. So I'm going to go ahead and share my screen so everybody can see what's going on here. We've got a lot going on in this demo.
B: So when we built that final chapter and we wrote the book, building a platform, I have a graphic where we automated the deployment of Argo CD projects, GitLab and Kubernetes projects and Tekton, so that they're all integrated, and I made this diagram of all the different objects that we had to create and the relationships. And this is just in one cluster, because it was a book, right. It's not a production system: 20-plus Kubernetes objects.
B: I think I had about 45 GitLab calls to create the various projects, forks, etc., and a handful of calls to Argo CD. Argo CD has a combination of its own API, plus it's reliant on Kubernetes; there's some CRs in there to create all these relationships. And then you think about the automation part of it. You know, you don't want to commit code to GitLab and then go into Argo and say, let's trigger a sync, or commit code to GitLab and then, you know, run a CLI command to fire up a pipeline.
B: You want everything to just happen. So in the background that's all built on webhooks, so you gotta create the webhook, you gotta create the secret, you gotta provision the secret, all these different... It isn't rocket science, but there's just a lot of stuff to do. And so what we're gonna show you is what the results of that are, because it's one of those things that I could probably sit here for two hours and go through each little detail.
B: Your audience will not enjoy that. Let's dive right into the demo. So we're going to show how we're going to integrate Argo CD, GitLab and OpenUnison in OpenShift, so that you have one kind of seamless process as you're deploying your applications. You don't want to get your OpenShift team involved in having to set up... so what we're going to do...
B: ...is we are going to provision an application through a self-service request, create all the objects in GitLab, create the objects in Argo, create the objects in Tekton, link everything together, and then we'll show the progression of how that all comes about. So the first thing I'm going to do is I am going to log in as my user. Now, a lot of enterprises have SAML 2...
B: Yeah, email that says, okay, let's go ahead and do the email shuffle of, hey, can you create this project, and you get these bespoke clusters. We're going to avoid that. So let's go ahead, and now that the request is in, an admin would have gotten an email that says, hey, there is somebody waiting on a request. We're going to log in as an admin user.
B: So we've submitted the request, and take a look up here at the logs streaming through OpenShift; you're going to start to see a lot of provisioning action here. There we go. So when we wrote the book, I built this diagram to link all of the different objects we had to create. There were 20-plus Kubernetes objects that had to get created, probably about 40 GitLab API calls that were made, the Tekton objects, four Kubernetes objects, and then Argo CD has kind of a mix of Kubernetes and its own API.
B: You had to create all the webhook connections, so you know, when you commit some code into GitHub, or into GitLab rather, you know, you want that to automatically trigger your workflow, or your pipeline. You don't want to have to manually kick that off. So that's going to take a minute to provision all those different objects. We're not just provisioning objects; we're creating SSH keys on the fly, we're creating secrets so that your webhooks can't get hijacked, all sorts of good stuff.
B: Nope, I think we have finished provisioning, and just to kind of prove my point of how many objects got created... Oop, I actually didn't want to log...
B: Let's come over here, look at our audit report. So we're not just creating these things, we're actually creating an audit trail.
B: So let's come down here to our actual provisioning, and you can see this is our new application here, all the objects that we created. We created, you know, bindings, role bindings, groups, all sorts of stuff that connects everything together so that this all works seamlessly.
B: Argo, and we see the same projects here. So let's talk about these projects real quick. So let's start here. Up here we have our application build. So this is where the source code goes. This is where the actual microservice or application, whatever it is, is going to go.
B: That does not have an Argo CD project, so that's just source code, right. Argo CD is purely for the operations side of things, so we're going to have a pipeline namespace, or a project. The pipeline project has all of our Tekton objects in it; because there are webhooks, for security you want to keep that isolated. And so that project does in fact have an Argo project, and we can see here there's a couple of stub objects that we created to support the webhook.
B: We have a dev project. Now, what's important about the dev project is it is simply a fork of the prod project, so when it comes time to move into production, what we're actually going to do is do a merge request into the production repo and let Argo CD then go ahead and kick in and provision everything. So the first thing we're going to do is we are going to check in our source code, so I'm going to go to the application and I'm going to create a fork.
B: So let's come to dev operations. We're going to come here to our Argo project as well. Now, there's not really anything in here. Now, in real life you're going to want to fork this to do some work first, but for this demo we're going to keep it simple.
B: And we're going to go ahead and copy our operations code. So what do we mean by operations code? We're talking about deployment, right. Not... nothing!
B: That is because our repository points to a container that doesn't exist. So we take a look here and it doesn't have a tag on it. We gotta add that tag. So let's go ahead and do that. Next, the next thing we're going to do is we need to check out our build, so this is actually going to do the work of building our code. So let's go ahead, copy that, and just to show what's going on, let's go into the build project.
B: So again, we've got kind of our stubs here, but we gotta build that out. We've gotta add a pipeline, we gotta add bindings. We gotta tell it where it's gonna push, for me, the container too. So let's go ahead and do that now.
B: All right, now let's take a real quick look to make sure that the... I think it's the trigger template.
B: We're going to push it. So what's going to happen is our Tekton pipeline, and we'll talk a little bit about what that pipeline is doing, is being pushed into Git, at which point, there we go, Argo is picking it up and saying, yeah, let's go ahead and deploy all this stuff. So we want to wait until everything is green, so everything's being synced in. We now have a working webhook in a build environment. So let's go ahead and push some code.
B: What am I doing wrong here? Python test, 11.
B: So that's off to the races, and we have three tasks in our pipeline. The first one generates an image tag based on a timestamp and also saves the commit hash that triggered the build. The second one actually builds the container, so we're using Kaniko in this instance; that's a tool from Google, very similar to Podman, same type of idea, building an image without having to have a daemon. And then...
B: So that we're patching... where's dev, dev, dev, there we go. So we can see here the updated commit, and what we did was we checked out the code from dev, the dev repo, and patched it with our timestamp. So now our image has a timestamp on it, and it also has the commit of the code that triggered the build.
B: So there was no API call, right. The pipeline checked out the code, made the update, pushed it back in. That was the final step, and all this requires a lot of automation, because you need to build SSH keys out to do this, credentials, different things to do it, that you don't want to be doing manually. You'll also notice, so far, I have not actually run the OpenShift command to do anything other than perhaps look at some logs.
B: And what's really great about this, something to point out, is that I, as my application owner, can see everything that's going on. I don't have to get the OpenShift team involved. You know, I can monitor what's happening in Argo CD because I have secure access, and we can see down here we're now at a green heart. The old one's gone, so we're happy, everything's running. So let's go ahead and push this into production.
B: Device... and we're going to commit the merge. So now Git is our source of truth for all changes to operations. We've done no commands in OpenShift. Everything has been external to OpenShift, and so we take a look here in prod. Give it a second, and there we go, it's launching up and it's pulling down, and we can see that it's actually launching, we're all green. So we've gone the whole gamut, right.
B: We went from requesting that an application be created, provisioning all the infrastructure, automated, we went ahead and committed our code, a pipeline built everything, and we didn't have to get the OpenShift team involved for any of it. Just to show you there was nothing up my sleeves, I'm going to go ahead and log out.
B: Now we're going to sign back into GitLab. This time I'm going to sign in as my superuser, so you can see all the projects I have access to that my application owner didn't. That's because we're using the power of identity to know who has access to what and to bind these different systems together. Test, seven, four, two. Now let's log in via OpenUnison. In here, here's all sorts of projects that, you know, the user doesn't care about.
B: So we're not just leveraging automation, we're leveraging security to give you a better approach that is more hands-off for your team and is far more satisfying for your customers.
B: You know, the biggest effect for customers is the fact that their IT departments, or the people who own their infrastructure, don't have to get involved with the day-to-day of applications.
B: So a customer that I built a similar solution for, we went live about a year ago, and I hear from him once in a blue moon, a hedge fund over in the UK, small as these things go; I guess a small hedge fund is like five billion dollars. And, you know, their developers wanted to be able to launch microservices, and so, you know, but they didn't want to have to get the IT...
B: And he's like, yeah, I don't get phone calls. I mean, that is one less thing that that guy has to manage, because at the end of the day we all have better things to do than building bespoke clusters for people, so it really becomes a force multiplier. People are happier because they're getting their job done, they're not complaining, oh, I don't have access to this, I don't have access to that. And really, you're spending hundreds of thousands, maybe even millions, depending on the size of your organization, on this automation solution.
A: Earlier in the discussion you interchanged the words Kubernetes with OpenShift, and I would imagine that your technology and your solutions work on any Kubernetes-based implementation, not just OpenShift. Is that correct? Sure, yep. But we have been working with you folks for years; you guys are a member of OpenShift Commons. You have a Red Hat certified operator for OpenShift, which means that it's gone through the Red Hat internal testing and blessings.
A: So when customers want to use it, they know it's tried, tested, trusted, and they can get support from Red Hat and your company at the same time. So I did want to put that gratuitous plug in there. So thank you. Thank...
B: And we're a security company, right. I mean, we're going to the CIO and saying we're going to help make your infrastructure more secure, and being able to say, and we're certified on the platform that you're using... You know, we're here in the DC area. You know, back in the before times, when we used to go places, you go on the metro and they're signed everywhere.
B: You know, 100% of government agencies run Red Hat Linux, right; that's not hyperbole, that's true. And so in the enterprise, you know, being able to say, yep, this is certified on the platform that you're using, you know, we had to go through their rigorous process. They had to review it. We're also in the Red Hat Marketplace.
B: So that's an additional avenue to be able to get access to, but we made big bets on OpenShift very early on in our Kubernetes journey, and those bets have definitely paid off.
B: So honestly, one of my favorite stories is actually from before my time at Tremolo; it's one of the inspirations for the way we approach infrastructure. So while I was still with PwC, I was on a project where we were helping a customer, a name brand that everybody's heard of and everybody's used, that was migrating between different identity vendors.
B: I was brought onto the project as, look, you know, you have a limited number of hours to get this done. Now, 400 applications across six continents, here are three or four developers in India, just have them go and manually update the configuration. Now, like, that sounds like a terrible idea. I don't want to do it, they're not going to want to do it, and it's going to be error-prone, and all sorts of problems.
B: So I said, look, I'm telling you, we can automate this. We're going to come in under budget, the customer's going to be happy, they're going to have a much better product, and they're going to have a much better time. And so I got with the team in India, and you know, there are always issues when you're dealing with different time zones and whatnot to be able to get that done.
B: But you know, we all were able to work together and build this amazing set, and this was before DevOps; DevOps wasn't a word yet. And so we were able to build this system that queried the APIs of the old system, and, you know, constructed out a framework, tested the old system to make sure that that framework worked the way we thought it did, provisioned that then automatically into the new system, tested the new system, and then turned it all on automatically.
B: And you know, the project went really, really well. For the most part. We did have one issue: we accidentally turned off SAP in Japan, which didn't really go over real well.
B: But we fixed that pretty quickly. But then we went ahead, and once we got that, you know, figured out, the original go date we had to cancel because our product owner, or project owner, from the customer had to have an emergency appendectomy. Remove his appendix in an...
B: So you know, he said, no, we're not going live with this without me being... Okay. Well, I was promised to another project, so I had to go, and they delayed the rollout three weeks, and I got a phone call one day, like, yep, done. I was like, really? Yeah, no bridge call. No, we threw the switch and everything just worked, and it's like, we came in under budget. We automated everything. People were happy with it. Of the 400 applications...
B: I think we were able to automate like 395 of them, and so that was a big inspiration for the approach that we ended up taking when we started Tremolo and getting into the automation.
B: So I guess the biggest thing that I'd want to let people know is that, you know, everything I showed is not vaporware, right, it's real. It's out there. We're constantly involved in the Kubernetes and OpenShift world. If you're asking questions on either OpenShift Commons or in the Kubernetes Slack channel, we're going to be there and we're here to help. You know, we are, we're experts. I'm a CKAD.
B: I went through that certification process. You know, the dark, ugly truth of most enterprise software is that the people who write this stuff never have to use it. We use our own software with customers; we're out there deploying it, we're making changes as customers need it.
B: So we're not just building in fluff features that nobody's going to use; we're building features that people are actively using, actively need. And so as you're kind of going through that journey of figuring out how you're going to automate your infrastructure, think about Tremolo Security. Think about how you're going to automate your infrastructure with security in mind.
B: Here in the US only until November 15th. What I will say, because I know a lot of folks, especially in the open source world, care very much about these things, is that if you do go direct to the publisher once it's available, it's DRM-free.
B: An SMTP black hole that we keep updated, that's really useful. We hope.
A: All the best with the book. I think I will obviously be pulling down a copy using my 25% discount code. Where are we gonna see you next? Or, you know, in this world with everything virtual these days, we're not going to see you physically in person at Commons or the Red Hat Summit, but, you know, where can we see you next?
B: So actually, I'm going to have the great pleasure of giving a lightning talk at the KubeCon NA virtual security day. I'm going to be talking about why you should be using OpenID Connect with your clusters and not certificates for authentication. So that'll be my next kind of big thing.
A: Was that November 17th, right, I think?
B: Yeah, I think the 17th is the security day conference.
A: Oh, that's a co-located event, correct! It's before KubeCon starts, okay, yep, good! Well, I would like to say on behalf of everybody here on the OpenShift Commons briefing hour that we really appreciated having you join us here today.
A: Great, well, thanks everybody. I hope that this was informative and useful. You can tune in every Wednesday at noon Eastern time, and we have a full lineup of software partners booked out all the way... I think we're booked all the way into March at this point, so all of our software partners with Red Hat certified operators for OpenShift are going to be here on the show talking about their technology, their products, their war stories and hopefully some more books. Thanks again, Marc, and we are signing off for the day. Thanks for...