From YouTube: Kubernetes Registry for OpenShift
Description
To run on Kubernetes your apps are packaged in Docker containers. How do you answer questions about the containers you're deploying to Kubernetes? Those containers necessarily contain lots of other packages created by many different teams within and outside your organization. You need to know what is in them, if they are of the quality you demand, and if they are secure. You can do this while giving your developers the data they need to go fast with confidence. How? The Kubernetes Registry running on OpenShift.
Transcript

Welcome. My name is Craig Peters and I'm a product manager at JFrog. I'm here to talk to you about how you can work with OpenShift and understand what a Kubernetes registry means.

So first, just a couple of words about myself. You can follow me on social media. You can follow me as an athlete, whatever you like. I'm a cyclist; that's what I love to do when I'm not playing with computers. When I am playing with computers, I spend a ton of time these days building cloud native apps for Kubernetes and playing with all of the different distributions of Kubernetes, most recently with OpenShift.

So today I'm here to talk to you about a few things. First, I want to introduce you to who JFrog is as a company and why we are relevant in the space. Why would anybody care about what JFrog is? Then I'll talk about the notion of a Kubernetes registry and how that relates to package management, and lastly I'll share a demo. We're going to do a JS application, we're going to use the OpenShift S2I to build that, and use the capabilities of JFrog to detect issues in that application and block its build and deployment, so that you don't put unsafe apps into production in your environment. That's where the Kubernetes registry can help you do so.

First, about JFrog. Our vision is to enable software organizations to ship their software safely and reliably to any kind of environment. So our target can be OpenShift. Our target could be traditional application stacks, LAMP, what have you. The reason we do that is that we believe that automating the build and delivery of software is what helps us go fast and go safe. We believe that software updates should flow, and we have a lot of evidence to show that a lot of people believe this as well.

So we have a very large customer base. We have customers all across many, many industries, everything from big internet and service providers all the way through engineering, research, aerospace, education and so forth. So we've got a lot of downloads. We have big support of the open source community. So if you have an open source project, you can actually use our software as a service. You can sign up on our website.

And so with that, let me get started explaining what it is that we are talking about when we talk about repository management. Well, repositories are the way that you manage the artifacts. The artifacts are actually the assets of a software enterprise, so you've got kind of two major assets. You've got your source code. The source code describes the sort of first-party information that you're building into your applications, but then you also have any dependencies. So in fact, if you look at the software that you're delivering into your applications, it varies anywhere from sort of 50% software that you wrote to 10% software you wrote (it can even be less), but the rest of it are dependencies. They can be dependencies on open source libraries, which is very common in this sphere, to dependencies on commercial attributes and commercial packages that you've acquired.

So the question in big enterprises is: where do we put those assets? How do we manage those? And what happens in big enterprises is that they have to be very careful about what software they run in which environments. That means that you create very tight constraints over what packages can go where, and you end up building sort of bespoke systems for each kind of package. But you don't want to block people who want to use some new language from doing that by, you know, making them wait three months until you get the right infrastructure in place. So that's the problem that we are trying to help solve.

We do that through a suite of tools. So the core thing that I would say... how many of you know Artifactory? But there's a very small audience, so it's not a very interesting question. Artifactory is kind of the core of the system. It's the repository manager platform. It sits on top of an infrastructure that does distributed access control across a very highly distributed organization, so you can do hybrid cloud applications with common role-based access control on prem and off prem. X-ray then provides you the ability to have deep insight into what is in your packages. Since this is most of your application that's actually running in production, it's actually pretty interesting to know whether or not there's a vulnerability in a third-party library that you depend upon.

You have a management plane on top of that that helps you configure this infrastructure for deploying and distributing applications across both on-prem and off-prem applications, and then Bintray is the piece that enables a CDN to act like a repository, so you can make a remote repo that's a Docker registry, and that's what Bintray does. It layers out on top of a CDN to have efficient distribution of binaries.

So taking a step back, if we talk about the full software development lifecycle, Artifactory and the JFrog products provide key values around the asset management for packages at many points of the software development lifecycle. So you do your planning; we don't really have a role to play there, in thinking about what it is you want to do, there's other tools for that. But when you're actually building your code, that's where those assets go. Then in the testing and release phases we give you all the metadata you need to understand whether or not something is ready to promote from one stage to the next, and then in the distribution phase we help you push those binaries to the endpoints where they need to be. So if you have remote data centers where you have to make sure the bits are close to the consumers, or IoT applications where you need to push things all the way out to the edge of the network and manage them as packages, Bintray provides that as a service.

So that brings me to the notion of what a Kubernetes registry is. So OpenShift provides this really powerful tool for both doing application development and operations of applications on Kubernetes. It's a very powerful system. It doesn't help you know what all your third-party dependencies are. So a Kubernetes registry is the notion of using all of this powerful software that I just talked about, which allows you to do package management of all of the things that are contained in your application. So if you think about deploying an application to Kubernetes, you need three things.

The challenge is, if you don't know what's in those containers, you're exposing yourself. And as we talked about before, your containers actually contain a little bit of code that you wrote and a lot of code that somebody else wrote, whether they are open source projects or commercial packages that you depend upon. So when you use a tool like Artifactory, what you get is the ability to have traceability all the way from your Docker containers all the way back to any dependencies you have on, say, the RPMs.

So in Docker, we understand the deep structure of all of the layers in Docker. We can unpack those and identify the contained packages, and I'll show that to you in just a minute. So the notion here is that you build base images, base layer images of the operating system components you depend upon; you bring in the third-party components that you depend upon, whether they're open source or commercial. And often, you know, if we were trying to stack these in terms of the proportion of how much of your application they make up, usually this is by far the biggest amount of code right here, and then the little bit of code you do that provides your core value add as an enterprise or as an application developer. You're tying your dependencies together in your application code, and then you're taking all of that and putting it in a Docker image, putting that in a repository, then you're deploying it to the Kubernetes cluster operated by OpenShift. So what we do is we provide full traceability forward and back across all of those stacks.

So now I'll show that to you in a demo. So what I'm going to do is go over to OpenShift. Let's make sure I'm logged in still. So I have a very simple project here, just to show the principles. So in this project, it's a stupid little Node.js app that shows our logo and the version of the package, right, big deal. So that's nice. Let's find out what's going on with that application today. So I'm going to go look at the builds for that application.

I'm trying to ship software fast, right? I want to make sure that I trust what's in there. So if I go in here, I notice that the last time this build ran, it failed. So if I take a look at the history of this, I can see that over time sometimes it succeeds, and sometimes it fails. I mean, this is a demo system, so I know why it failed. But let's go find out why this particular last build failed. If we go take a look at the logs, what I'll see is that it gave me an error here. It failed to fetch a dependency. So my Node.js application, so I have this CentOS Node.js app that I built, was trying to download what looks like an npm library called ecstatic. So why did that fail? If I go take a look at that, I can see that it's actually trying to go... This artifact failed. It tried to download it from Artifactory, and Artifactory said: hey, this was blocked based on a policy. So this policy is configured in X-ray.

So let's take a look at what that looks like. So if I go over to X-ray real quickly, this is the tool that actually provides me the deep package inspection, so I can understand what's contained in what, what are the hierarchical relationships between all of the contained packages in my environment. It's a service that you run on prem or in the cloud that constantly updates with new vulnerabilities and new license information.

It seems like Wi-Fi might be failing us. I actually saw that happen for our poor friends before us from Microsoft Azure. So, fantastic, we've come back to life. So I looked for this component that I built, right. So this is the one that failed. Like, why was the build failing? I can actually get a full report of any issues that are in this application. So this is actually the application the last time it successfully built. This is the security profile of that application. So I can see the contained relationship. I can see, for example, that I do have some major violations here. Well, let's find out where those are. So this node, this headers container, actually has a number of different security issues in it. Maybe I shouldn't be using that, but I can actually see. This is the impact analysis; I can understand where those issues are present across all the different layers of my application stack.

So in this case, I can see that this npm... so this is the RPM headers dependency, is actually contained in multiple Docker layers, and I can see which Docker layers those are, so I can actually understand the impact of where this RPM dependency is reflected. But I'm interested in this case specifically about my ecstatic issue. So let's go take a look at the watches here.

So if I go look at my npm watch: a watch is configured to allow me to not necessarily block everything that happens inside my organization. I want to set thresholds or policies about what's allowable, what's my sensitivity to risk and what's my tolerance to risk. So in a watch... let's go take a look at the configuration of this watch. So we'll take a look at it. I'm watching the Artifactory npm remote. So in this case this is a way I can govern what kinds of dependencies are being brought into my organization. So every time somebody uses the npm registry and pulls in an external dependency, that causes this watch to be triggered. What does this watch actually do? This watch says: I have a severity filter, so any time I find a major issue or greater in a new npm dependency, I'm going to do a block of the download. So I can do various different things.

So X-ray allows me to have very configurable policies: under what conditions, for which types of artifacts, do I want to do which kinds of actions. So in this case I've blocked the download, which helps me understand why I've had that issue. So if I go look at the violations here, I can see that ecstatic has been blocked, right, because it is a major. If I'd used any of these other types, I could also have done that, so I can see. Well, that's a DDoS kind of violation in npm, and so here I can see where that is contained. So now I have a deep understanding of why my application wouldn't build. So it's really very straightforward. I can just go do, you know, best practice for software development: I'm going to go pull that violating dependency right out of my application.

So let's just delete that sucker out. I'm going to go ahead and commit those changes directly to master, best practice for software development, right. So now that I've committed that, I can go back into OpenShift. Let's go look back at the... let's just do a rebuild and see what happens. So I'm rebuilding it. Let's take a look at... let's view this particular build and see what's happening. Let's take a look at the logs. Well, now I'm not downloading that ecstatic. So this is the OpenShift S2I. So we've actually built our own image that uses Artifactory as the Kubernetes registry for the OpenShift S2I build, so we're actually pulling all of our dependencies dynamically from endpoints in Artifactory, and then when we've succeeded with the build we're actually going to push it into Artifactory. Oh, we've failed to fetch. Did I not merge my change?

Take a step back and say: look, Artifactory is this layer which allows me to abstract from my storage all the different package types which you depend upon, and you can then have a consistent way to manage both local and remote repositories for all of the different package types which you depend upon as an enterprise. And if you want to try this out, the best way to do that is to go to our website and get a free trial. So we enable you to use the product for 30 days. You can use it for all of your functionality, its complete functionality. You can run it on any of the major clouds, AWS, Google or Amazon. It works great with OpenShift. We have a blog here where you can... yeah, actually, if you download it and you do self-manage, you can actually deploy it, the OpenShift scripts, to your OpenShift cluster, and there's a nice blog about that as well. So if you have any questions, I will be here for those. So thank you very much.