From YouTube: Red Hat Quay and Red Hat OpenShift
Description
How to run and use Quay on OpenShift.
To learn more, visit: openshift.com/products/quay
A
Hello and welcome to this webinar on Red Hat Quay and OpenShift: how to run Quay on, and how to use Quay with, OpenShift. My name is Jeff Hammond, I'm the product manager of Quay, and I have with me Andy Block, who's one of our leading experts in delivering Quay in real-life deployments in customer environments, and at the same time he rolled a couple of things.
A
He wrote the initial prototypes for some of the stuff people talk about in this presentation, and again, he is one of the experts for both OpenShift and Quay. With that, let me start with a high-level slide explaining why OpenShift is one of our focus areas, looking at it from a Quay side. Yeah, so
A
OpenShift is our enterprise Kubernetes distribution provided by Red Hat, and it's our primary target destination, yeah. So we want to ensure that, although Quay runs on any infrastructure, it runs best on OpenShift. So all the integration and improvements we did in order to deploy, manage and operate Quay are, of course, focusing on the Kubernetes capabilities and the OpenShift capabilities built on top of it. So the Quay operator is supposed to ensure a seamless deployment and ongoing management of Quay if it runs on OpenShift. We also added two other operators.
A
Quay has been written to serve content to one or more OpenShift clusters, so the more OpenShift clusters, probably the more appropriate the use case for Quay, wherever they're running. So this doesn't matter: Quay runs on any infrastructure, both on-premise and public cloud, OpenShift the same, so it's a perfect fit if those are used together. There are a couple of benefits of Quay running on OpenShift compared with Quay running standalone. You know, this is still possible.
A
It's still supported, but of course running on OpenShift means running on Kubernetes, and there are a couple of great benefits coming out of it. So you can effectively go from zero to hero: you can simplify your deployment and get started using the product effectively immediately. Scalability: you can leverage all the cluster compute capacity management coming out of Kubernetes and OpenShift to automatically scale up and down. You have a simplified configuration for networking, storage, all the entities which are managed by the orchestration platform, or OpenShift.
A
So all the great capabilities OpenShift provides, which are not by default included in a plain upstream Kubernetes environment but provided by OpenShift, and that's why it's worth it for us to leverage them. Our focus: as I mentioned, you can run Quay standalone, you can use it on standalone hosts, it doesn't matter. However, our focus for deploying and managing containerized applications are operators, yeah. So this is really a company-wide focus, and OpenShift is the leading element driving this.
A
This container, Kubernetes, operator adoption, and we are following it. So the focus and direction of the product are Kubernetes operators. That's why we built the three operators we have in the meantime. The third one is what we launched yesterday. And we can't afford to maintain another solution for standalone hosts; it's probably not worth the time. And probably with the next major release of Quay, version 4, it will be coming. It is only because we really believe that Kubernetes is the future for containerized applications. There isn't any other option or choice anymore.
A
In the meantime, we have three different operators. We have the Quay operator we introduced with 3.1. We have the Container Security Operator, and we have the Bridge operator. The Quay operator is really for the deployment and ongoing management of Quay, and it's supposed to run on the cluster, on the OpenShift cluster Quay is running on.
A
It's worth calling out that the Container Security Operator works perfectly fine with Quay.io, but the Quay Bridge operator does not, as of today. It's also important to mention that for all the operators we developed, although they partially might work with OpenShift 3, we only provide full support on OpenShift 4, primarily because some of the back-end dependencies, such as OLM, are still in tech preview state for OpenShift 3,
A
so we basically made the decision to ensure that we are developing against the most recent and most up-to-date version of our OpenShift Container Platform, and that's OpenShift 4, which also means that future features we will introduce sometimes depend on the newest capabilities we just added to the most recent versions of OpenShift. So let's start to have a look at how to run Quay on OpenShift. But before we talk about the Bridge operator, the Quay operator, which is supposed to do the deployment,
A
let's quickly talk about some of the prerequisites. There is a dedicated recording available which talks about several prerequisites and options, architectural patterns and deployment options, and we will get it out to YouTube pretty quickly as well. And just a few overall points: Quay can run, as I said, on OpenShift clusters and standalone hosts, and the default use case again is that Quay is serving content to many OpenShift clusters. So this is the default. This is how
A
Red Hat Quay has been designed and built to really work at scale across different regions, data centers and whatever, and there is a clear line we need to draw between the components which are supposed to run on cluster versus the ones which are supposed to run off cluster, and I will dive a little bit deeper into the details on the next slide. But before I talk about the specifics for database and storage, let's have a very quick view on the Red Hat Quay architecture. So effectively,
A
the product consists of a couple of containers. We have in the meantime four images and three operators, and those are containers running on a loop in this case. So it's the Quay container, it's the Clair container. It could be the equipment optional component, and the same with mirroring workers, so those are other container instances which could run if repo mirroring is used. In front of Quay and Clair, you typically use a load balancer; it could be the HAProxy which is included in OpenShift.
A
It could also be your own load balancer, which already exists in your environment. The back-end dependencies: all the containers of Red Hat Quay are stateless components, and the back-end dependencies are therefore critical, especially for HA, and those are storage and database, primarily. So all the metadata is stored in a database back-end, and only the binary blobs themselves are stored in the storage back-end. And then there's a certain component, which is worth calling out but less critical, which is the Redis cache. Effectively the tutorial and the build logs through the Quay build automation.
A
Logs are stored in the Redis cache, and that's why it's probably less critical than the database and storage. And then underneath there is the infrastructure, and all the client, UI, CLI and API interactions happen typically via a load balancer to Quay and Clair, and all the other components do not need to be exposed to the outside world. And then again, if the destination target for Quay and its content is an OpenShift Container Platform,
A
typically on this platform the Container Security Operator and the Bridge operator are running, and they connect in the same way to Quay and Clair, or to Quay mostly. I already mentioned that the Quay builders are supposed to run off cluster. As of today they require the Docker runtime, and they don't work with boule yet. It's a roadmap item which is not there yet, and as of today they can't run. So technically we got it up and running, but we haven't missed the opportunity to document and also QE test yet, yeah.
A
So we will probably add the ability to run the Quay builders on OpenShift on bare metal with the upcoming 3.4 version. And technically, as I said, it can run, but we don't recommend doing it today, primarily also for security reasons, so builders should run outside. The database is effectively somewhat similar. So for the database back-end we have a little bit more degree of freedom for Quay, but Clair is currently limited to Postgres, and that's why we recommend using Postgres for both Quay and Clair. And since Postgres, or any database, is a stateful application,
A
if a stateful application is running on Kubernetes, we strongly recommend using an operator there as well. We do not ship an operator; we therefore recommend using one of the third-party offerings, such as the Crunchy Data Postgres operator, which is one of the operators we are actively testing against during our QE cycles. So it's fully supported and tested by us, and they joined when those apart as part of the Red Hat operator certification provides additional benefits for customers.
A
If you run Quay on public cloud infrastructure, we recommend using the Postgres service which is provided by your cloud provider, which, by the way, also applies to storage, Redis cache and anything else the cloud provider typically offers, because then you automatically get the HA capabilities included. One short comment on disconnected or air-gapped environments. So, although Quay runs perfectly fine in an air-gapped environment, Clair as of today does not, because it needs to fetch the CVE metadata from all the different metadata sources we are leveraging MERS in Quay who's in Clair.
A
This, hopefully, will go away with the next release, because air-gapped support for Clair is one of the top priority features for the next release, and hopefully in other future releases we will introduce other capabilities for air-gapped environments, such as repo mirroring to disk, exports to and import from disk, and so on. The other prerequisite I mentioned is the storage back-end. We have a lot of different backends, or storage backends.
A
We support AWS S3, Azure Blob, etc., and the recommended storage back-end, especially if Quay runs on OpenShift, is of course OpenShift Container Storage. And it's worth calling out that we are not directly connecting to the OCS back-end, but we are using the NooBaa Multi-Cloud Object Gateway object service instead. So this is an S3 layer on top of the underlying storage technology, which provides a lot of additional capabilities we are leveraging, and this is pretty important, especially for HA setups. And again,
A
it's worth calling out that we formerly called it the Quay setup operator, but obviously we wanted to change it, because the primary purpose of operators is not the initial deployment only, but really the day-two management and stuff. And with the newest release of Red Hat Quay we introduced a couple of features we will explain in a minute, which caused also renaming it to the Quay operator. And since Andy has written the original prototype of this operator, let me hand over to Andy to explain it.
B
Derek. So, like most any operator in OpenShift, it is recommended that you use the Operator Lifecycle Manager and OperatorHub to be able to deploy Quay to your environment. This facilitates the integration of a lot of the role-based access control policies, any dependencies that need to be resolved, as well as the upgrade of the operator itself
B
as soon as a new version becomes available for your cluster to be able to consume. In future versions of the Quay operator, we'll be working to enhance more of the day-two operations that are found on a typical Quay deployment. I will be walking through some of those aspects throughout the course of the presentation today. So to be able to deploy the Quay operator on OpenShift, number one:
B
The operator itself, like most operators, will only run on an OpenShift environment, so that is the first prerequisite: you need to have an OpenShift environment. For those of you who have deployed Quay off of OpenShift, you may be familiar with some of the challenges or lengthy processes for not only setting up and configuring Quay, but also, if you are looking to integrate Clair, it also is a bit of a challenge to get all of those pieces all wired up together.
B
Obviously, once they are all wired up, you get the benefits of the solution, but some of that initial configuration can be a bit of a burden. The operator really goes ahead and facilitates and streamlines all of that, and it is customizable. I work on a lot of customer environments where they have their own certificate management systems and need to integrate their customer-provided certificates. The Quay operator does provide options for being able to inject those configurations through OpenShift and Kubernetes native services, like secrets, to be able to inject into the operator configuration.
B
In addition, it will also go ahead and deploy the Postgres databases that will be able to be served by Quay and Clair, if you look to deploy that optional configuration, as well as you can provide your own database if you have one already in your environment. It continues to use a lot of other Kubernetes native features like health checks and monitors, and it will also set up the appropriate route and external ingress into the OpenShift environment.
B
Some of those that I called out earlier were new external ingress points. So, if you were running outside of, we want you to run on OpenShift, but if you are running from the upstream community, I know a lot of customers who don't really know anything about OpenShift. They know about Kubernetes; they want to get their hands on it. We do provide some more Kubernetes-friendly components like NodePorts and Ingresses as external entry points into Quay. Other enhancements that were added as part of version 3.3:
B
The configuration application does continue to run by default. In prior versions, we spun down the configuration pod by default, but now we keep it running so that you can have ready access to that part of the ecosystem, for you to be able to access it. If you need to, user configuration changes can be made after the initial deployment. You can use the config operator.
B
The config, pardon me, for entries that the operator does mark as read-only, but I have seen some individuals go in and modify the config.yaml file, which is embedded into a secret in OpenShift. We do not recommend that, because it will potentially run into an issue where the operator will override some of the features and configurations that you do set.
B
So I do not recommend that, but you can go ahead after deployment and modify some of the components of the Quay ecosystem custom resources. Other enhancements: some of those enhancements to the Quay custom resources are now automatically reconciled by the operator, such as the image, the replica count, the CPU and memory requests for the various components of the ecosystem, as well as some of the Quay and Clair configurations, and it means that if the configuration is changed,
B
the Quay operator can be configured to automatically deploy your Quay components. Like all documentation for all Red Hat products, the latest and greatest can be found within the Red Hat Customer Portal, and the documentation for the Quay operator consists of the installation of the operator itself, how to deploy the Quay ecosystem resource, how you go ahead and customize that, as well as some of the configurations that you can perform once the configuration has, as the operator has been deployed and Quay has been running for some time. All right.
B
So now, the most important thing for those of you in more of a delivery function is how to use Red Hat Quay with OpenShift. This is important. I've been working with OpenShift for about five, six years, before Kubernetes even came out, so I've seen everything from all the great features that OpenShift provided that Kubernetes didn't have, so that we can go ahead and now show you how to make use of those components using Quay itself. And like any container registry,
B
Quay is just another external registry that OpenShift can consume from. So some of the things that you can leverage from Quay is to use it for the source and destination for builds that are produced within OpenShift, but most importantly, you're most likely going to be using Quay for your runtime content. This is your operational containers.
B
In addition, from an OpenShift point of view, Quay is just another external registry, which means that you don't, what it means is there's a bit of a difference between running and using images that are served by Quay externally versus the internal registry, which means that if you are running in Quay itself, pardon me, you do not have the automatic RBAC isolation based on OpenShift cluster permissions. With OpenShift's internal registry, you do have automatic isolation between the different components based on namespaces. That is not, that is not true
B
when it comes to Quay. We're gonna call out some of the differences as we look imitation, as well as, if you're leveraging an image stream as a source for an image that's stored in Quay, you're not going to have some of the automated components that you would if you were running an image that is being served by OpenShift's internal registry.
B
Quite. Next we have, this continues to bite me in the field constantly, and if it's not proxies, it's gonna be certificates at customer delivery sites. So certificates: almost every enterprise customer I have has their own certificate authority, or one that is not trusted by a public entity. So you need to tell Quay and OpenShift to be able to trust these entities before you can source content.
B
You then must configure additional areas within the platform for you to be able to have the platform itself trust Quay for being able to import content from it. This is all configurable, and you can configure the registry itself to be specified as insecure, which means that it will bypass certificate validation. But this of course is not recommended; you should go through the steps within the OpenShift documentation to configure the platform to be able to trust OpenShift or Quay itself, from an OpenShift standpoint.
B
Now, one of the benefits of OpenShift is to be able to use and build images on the platform, and you can go ahead and leverage Quay as part of this entire process. You can use Quay as a source for images; you can also use it as the base for any brand-new image that you are building on the platform; as well as, most importantly, you can use it as a destination for any build that is produced by the platform itself.
B
There's great documentation within the OpenShift documentation, but also in the community, that talks about the different configurations that you need to make to leverage Quay or any external registry as a source of content or destination for an OpenShift build. Two of the areas of concern that you need to be cognizant about are going to be the source and destination locations, whether you're using a direct Docker image reference or an image stream.
B
You can't, you cannot use a destination image stream with any registry except for the internal registry unless you are using the Quay Bridge operator, so you would only be able to use a Docker image by default as a kind for an output from an OpenShift, pardon me, an OpenShift build to a Quay environment. But most importantly, if you are leveraging Quay itself, you then would need to configure. In that way, the registry is protected, the authentication and RBAC mechanisms within Quay.
B
You need to configure the applicable push and pull secrets within your build configuration. Now, if you do want to use Quay as the registry for OpenShift, there are a number of things that you need to be cognizant about. This is going to be being able to change some of the configurations around the set of image custom resources that are found in any OpenShift environment.
B
Image pull and push secrets must be able to be configured if accessing any particular image registries, as well as being able to leverage the Quay Bridge operator as being the first step towards that journey of tighter integration of OpenShift's registry within Quay. Now, there are a number of common terms between Quay and OpenShift I wanted to reflect on for a moment, to give some of you who might be coming from more of a Quay background, some of you might be coming from more of an OpenShift background.
B
I want to kind of do a one-to-one mapping between the different components. An organization within Quay is very analogous to a project or a namespace within OpenShift. A repository within Quay itself is similar to an image stream: it's a collection of image tags that point to a single source. Image streams are a bit of a, it's very much like a proxy, or it's kind of a view over a set of related images.
B
These images, within OpenShift, can actually come from different sources, but in Quay there's obviously that likely resource from Quay itself. Being able to manage access from a non-human perspective: robot accounts are available within Quay for you to be able to integrate into external systems like a CI/CD system, or for OpenShift itself. Being able to have the platform talk to Quay, you would use a robot account that's configured within OpenShift, within Quay itself.
B
In OpenShift, a non-user account is known as a service account, and the Quay Bridge operator will actually take the service accounts that are configured in OpenShift and automatically go ahead and create their own accounts. A Quay team is analogous to a group within OpenShift. And then a build: both components have a very similar build functionality that is available in terms of function.
B
You obviously have a Docker-based build, which is going to be in Quay, and then you have various types of build components within OpenShift. You have your Docker, your S2I, your Jenkins and your Tekton-based builds, along with the whole new array of build options that are coming in the most recent versions of OpenShift. I'm gonna turn it over to Dirk, who's gonna talk more about the Container Security Operator and an integration with the OpenShift console.
A
Thanks. And so I just realized that the order of the presentation isn't perfect. We should have talked about the QBO right here, because many of the things Andy just explained are at least partially automated by the QBO. We will talk about them in, just consider what I'm talking about here as a small disruption of the flow, and they kicked off.
A
And so let me talk about the second operator which, as we mentioned on the original slide, is the Container Security Operator. And in case you don't know, Quay features built-in vulnerability scanning. Originally, the previous version, version 2, has been limited to operating system package managers for various operating system types such as Red Hat and the president, obviously, Ubuntu, Debian, MSO, Linux and other distributions, Alpine as well. And with the newest version of Red Hat Quay we just introduced
A
the initial support for programming language package managers, limited to Python as of today, as a tech preview feature. So we want to run it, it needs more testing in environments. We want to get some additional feedback and input and then stabilize it in the next few months, and then mark it as GA with the upcoming version 3.4. So Clair is a scanning engine, effectively, which has been developed by CoreOS for Quay.
A
Red Hat Quay is what we use also for the hosted software-as-a-service offering called Quay.io, one of the five biggest registries out there, and that's why it really matters to us that whatever we do for both Quay and Clair, it needs to run at the scale of our Quay.io deployment, because this is something which also differentiates us from other vendors doing registry products as well. So Clair is a very powerful scanner. It's not only used by Red Hat Quay or in Project Quay.
A
It's also used by several other third-party projects and open source projects. So you might have seen that Adobe has started to use Clair as the back-end scanner for AWS ECR end of last year as well. It's open source, as Quay is. There is an upstream repository under the Quay umbrella in GitHub as well, and the scan results are shown by default in the Quay UI. So there is a deep integration between Quay and Clair, and what we try to achieve is that from within OpenShift,
A
So let's assume that the majority of the cluster admins and the developers and the guys who are deploying containerized applications on OpenShift, they are mostly using the OpenShift console, and not all of them automatically want to have access to just another UI, which then contains even more information on various images, security, vulnerability information and stuff. So that's why we introduced, already with sweida, another operator, the Container Security Operator, which runs on OpenShift, so on the OpenShift cluster Quay is serving content to. And effectively what it does:
A
It fetches the vulnerability information from Quay and Clair and then stores it within the cluster, in a CR, and then visualizes it in the OpenShift console. So what it does: it's an operator which is running on OpenShift and watches the pod objects, and each time a pod object is changing, then it talks to the registry the image has been pulled from and tries to fetch the information from an API, from a security data API. Currently this is limited to Quay, as of today, and credit.
A
It also works with the hosted version, but we are working with several partners on allowing them to plug in the same content into OpenShift as well, yeah. So it's a custom resource which stores it. So the data is there; you can query the custom resource also via CLI commands I will talk about in a minute, and then the information is also shown in the console. So how to deploy the Container Security Operator: fairly easy. It's shown in the embedded OperatorHub as part of OpenShift.
A
You can simply deploy it on your OpenShift cluster, and OLM takes care of the operator lifecycle management, takes care of all the prerequisites and everything else you need to do. And, as I said, it automatically looks at where the image has been pulled from, so you don't need to configure what the URL of your Quay or Quay.io registry is. And, as I mentioned, there are various views within the OpenShift console. So we initially started with the cluster admin dashboard. With the most recent OpenShift version, which came out last week,
A
we added a couple of additional views to the OpenShift console to show the vulnerability information, yeah. So you can see a subset of the data which is also shown within Quay, and there's also a link to directly hop to the corresponding view within Quay. So from the OpenShift console, you can see the vulnerability data for all the software you are using in your pods, in a particular project and also on a cluster level. So there are many different views.
A
It's pretty powerful, and it addresses needs probably of many different target personas who are supposed to use the OpenShift console. And there are these two great blogs out there written by our user experience team, who helped us with the design and the visualization layout within the OpenShift console, so there's pretty a lot of information. And those are just a few new views we added with OpenShift 4.4, just a week back.
A
So that's why it requires permission, so you won't have access by default, but once you have the corresponding permission to query the custom resource, then there are a couple of commands to query the same information via CLI as well. One thing I want to call out before I move on to the next slide is that we do not directly interact with Clair, because, as I mentioned earlier,
A
just from a network and security standpoint, Clair doesn't need to be exposed to the outside world, so we are connecting against a Quay API and then Quay fetches the data from Clair. So this is also supposed to make it easy, especially in multi-cluster environments, where you really want to limit the allowed entry points into your environment. So this is the Container Security Operator, or the console integration
A
we did, as another key aspect of this second operator. And with that, let me hand over to the third operator. And again, as I said at the very beginning of the presentation, Andy helped us, working with the internal community and customer community, to write the initial prototype. So we work very closely with customers and the external community, really looking at what are their target use cases,
A
what are the things they really want to achieve, and then we started to write the prototype, and over time we stabilized and extended this operator, and now we just introduced it as one of the top priority features of Quay. We don't we, and with that, let me hand over to Andy to explain it in further detail. Thanks.
B
Derek. So those of you who want to be able to leverage Quay as the internal registry for OpenShift, you can go ahead and use the Quay Bridge operator to facilitate a number of the steps that you would have to manually configure within Quay itself to have similar parity from OpenShift to Quay. When you enable this feature, any new namespace within OpenShift automatically results in a new organization within Quay.
B
Each image stream that gets created within that namespace creates an analogous repository within Quay, and then the three key service accounts that are created with any new OpenShift project automatically get synchronized as robot accounts within Quay itself, and that allows you to be able to push and pull images from the Quay repository automatically within OpenShift without any additional configurations from your standpoint. We do not support multi-cluster setup through a namespace mapping feature, so base, or a cluster mapping feature.
B
You basically give a prefix there that is added to every new organization within Quay, that allows you to separate and segregate the different organizations within OpenShift. Any new, as I mentioned, all the secrets from each robot account are, within an org, automatically created in an OpenShift project. The service accounts are really leveraged within OpenShift to be able to facilitate,
B
you know, to pull Quay images as part of a source for a build, a source for a runtime, or as the destination, or be able to trust Quay and push to Quay as a result of a build from OpenShift. And really that's one of the benefits of the Quay Bridge operator. As I mentioned way back earlier in the presentation, by default OpenShift does not allow an image stream destination as part of a build output in OpenShift.
B
The Quay Bridge operator uses a functionality within OpenShift called a mutating webhook configuration to automatically wire up Quay as the destination for any new build that is leveraging an image stream in OpenShift, and that's really just the beginning of the tighter integration in OpenShift regarding Quay itself. Now, OpenShift and the Quay, the operator, as we mentioned, is another automated feature within OpenShift. It does require some initial configuration to get going. Out of the box, it does require a little bit of manual setup, but once you get the manual setup complete,
B
you can then be able to leverage it to its full functionality. A simple use case is: I create a new project in OpenShift, a brand new organization gets created in Quay, and all the robot accounts get configured along with the pull and push secrets. If you want to go ahead then and create a brand new app, I just happened to pick my favorite, my .NET example application, the one that I always use for a lot of my demos, not a lot of dependencies that come along with it.
B
It will go ahead and perform the new build in OpenShift, pull the .NET image from the Red Hat Container Catalog, go ahead and perform that build, get the dependencies for the image itself, as well as then push the resulting image to the brand new organization in Quay, into the repository that was created as a result of image stream creation that is also created automatically as part of the sample app in OpenShift. All that new deployment that is generated by the sample application automatically then references.
B
The image stream, which points to Quay, which then allows it to be triggered automatically at the result, at the end of a build, which will then result in the deployment of the image in Quay. Then, once you're all done, we went from zero to hero, you want to clean up the resources, you can go ahead and be able to delete the project in OpenShift, which will then delete the associated organization in Quay.
B
Very much like the Quay Operator itself, the Quay Bridge Operator is deployed using the OperatorHub and the OLM, which is part of OpenShift, and, as I mentioned, there is a bit of a setup process that you will need to go through. Some of it has to do with the configuration of that mutating webhook configuration.
B
So image streams are basically an abstraction of container image repositories within OpenShift. Images referenced within an image stream can reside either in the internal registry or an external registry like quay.io or an on-prem Quay that we've been talking about throughout the course of the presentation. However, when you do leverage an external registry, you lose some of the functionality that is found as part of the internal native OpenShift registry.
B
This is going to be the automatic role-based access control configuration that is automatically defined as part of any new project in OpenShift, as well as the automatic notifications when new images and tags are available from the image source. So, if I push a new image to Quay, OpenShift won't automatically be able to determine, or even know, if a new image is available. You must be able to tell OpenShift that a new image is available for its use.
B
This is everything from, Quay and Clair can be integrated into a CI/CD pipeline and, as I demonstrate here in this slide, you can integrate Quay at a number of different, in the ecosystem, at different points, everything from being able to pull the golden image that you have within your organization as a source for content for a new build in OpenShift. You can then use it as a destination as part of the result of a build.
B
On OpenShift, as I mentioned, if you aren't using the Bridge operator and you are just using an external registry, by default images that you push to Quay will not result in a new trigger of a deployment on OpenShift. If you're using an image stream, they must be either manually imported through the oc import-image feature, which can be integrated into a CI/CD flow, or you can configure the image stream to be scheduled.
B
Additional configurations and integrations can also be included to be able to notify OpenShift that a new image has been pushed to Quay, as well as other actions that have been found in a repository. Through Quay's feature-rich assortment of notifications, you can integrate that directly into a CI process, as well as being able to integrate into other solutions. I've actually gone ahead and integrated it into Ansible Tower: new image just pushed to Quay, go ahead and call Ansible Tower to perform a certain action.
A
Thank you. So one of the other great features of Quay is that it features a zero-downtime garbage collection. So you have tag retention policies and it automatically cleans up the underlying images over time. The challenge here is obviously that OpenShift doesn't know that Quay, yeah, effectively deleted a tag and deleted the finally block, so there's a certain risk that you are going to delete something which was still in use by some of the clusters Quay is serving content to, and that's why we started to develop a couple of features to address this. As of today.
A
It's really eight that if the image gets deleted or the tag gets deleted and, obviously, if the image is still in use, then it might break an existing deployment. We developed the feature which, unfortunately, except the current release, but hopefully will be in one of the future releases, which is the image awareness for Quay. So with the operators we already have, we developed something which allows you.
A
If you are going to Quay and start to manually delete an image or tag, then it shows you where this image or the layers underneath are still in use, both inside the registry, but also in the clusters Quay is serving content to, yeah. So, basically, the other way around than what Caesar does: we have the information within Quay where this image is still in use and, based on this knowledge, we can effectively prevent that we accidentally or unintentionally delete an image which is still in use by any of your running pods or referenced by OCR.
A
So this is a pretty powerful feature, which is also part of this larger umbrella of features we're developing to more deeply integrate Quay into the Kubernetes platform and to provide a superior value coming out of the aquarius plus the integration into the corresponding platform. And this brings me to the last slide of this presentation, and I probably need to update this slide again, based on a couple of brainstorming sessions we had just this week. So this is a slide I took from the Quay roadmap there, so the deeper integration into the Kubernetes and OpenShift platform.
A
There was already a lot of progress we made in the past few months, but still we have plenty of stuff we want to do in the midterm and also in our long-term planning, such as more deeply integrating into all the extended capabilities which are part of OpenShift, such as the full platform monitoring stack, the alerting stack, logging and dashboards. We have a community contribution coming up on the auth integration for OpenShift I already mentioned. The image uses the banners we introduced with cuase with us.
A
We have, clearly marked as experimental, the OCI artifact spec support, which allows us to store Helm charts, and obviously Helm charts are a thing as well on the OpenShift side. So there's plenty of room for improvements there to deeply integrate Helm-based workflows into OpenShift. We already touched on the pipeline integration, and we are working with the builds and pipeline teams on OpenShift on how a deeper integration into the pipeline and build automation in OpenShift could look, and then we have a couple of other stuff.
A
We have a very powerful epic designed, which is explained in further detail in the roadmap deck, which is quota management and enforcement, and one of the blockers for quota management and enforcement and automated pruning has been this image awareness I mentioned, and then I also briefly touched on the enhanced support for air-gapped environments.
A
So there's plenty of stuff coming up in future releases, but we believe already today we provide a very great integration of those two products into each other, and hopefully this will satisfy the majority of requirements of both our Quay and OpenShift customers. Any final words you want to say before we close the session? I just.
B
Want to let you know, everyone who has the opportunity to be able to work with Quay, especially on OpenShift, go ahead and try it out. I know there are a number of courses that the GPTE team has out there regarding being able to, if you have never used OpenShift and Quay itself, going ahead and leveraging some of the courses that are available for you to learn more about the Quay ecosystem, and have fun. It's a great, great tool.
B
I love it. I work on it on a daily basis, I work on it with my customers. They love it. Go ahead, learn about it, learn about the features, and I know that there's gonna be a lot more tighter integration with Quay and OpenShift moving forward, and it's gonna be a great ride. So, once again, thanks a lot for attending today's session and.
A
It was a great point, and I forgot to mention for our external open source community and customer community: of course, there is a free evaluation form for Red Hat Quay on all the Quay product pages and there at the customer portal, at redhat.com and openshift.com, and of course, we also have a very strong open source community, Project Quay, at projectquay.io, and we are shipping, at the end of each sprint, we are shipping the final builds as the sprint results to the open source community.
A
Those are available as well, so there's plenty of ways to play around with Quay and all the features we mentioned, and also the upcoming features which are in development, so don't hesitate to join our internal and external communities. Ask questions, contribute, ask for features, provide us feedback. We really appreciate your input and feedback there. Many thanks for watching. Enjoy it.