From YouTube: London OpenShift Commons Gathering 2019 Lightning Talk Aqua Securing Containers on Red Hat OpenShift
Description
London OpenShift Commons Gathering 2019
Lightning Talk Aqua Security
Securing Containers on Red Hat OpenShift
Buddy, my name is Diego, I'm from... sorry, I'm from Aqua. So let's talk about security, because it's going to matter to you a lot. You see that poisonous images, poisonous workloads, rogue containers are starting to become more and more common. You have the Tesla hack and additional vulnerabilities that are found any day and every day, so OpenShift and containers basically introduce a new set of problems and not enough tools to manage them out of the box. Kubernetes, it's not secure, be aware of that. OpenShift did a very good job, Red Hat did a very good job protecting and making their environment safer, but still there are many more things to achieve. Even that, of course, based on the lecture that I heard today, version 4 is supposed to be much more secure.

So here is Aqua. We are a three-year-old company and we are spread all over the world, and we do security for cloud native payloads, cloud native applications. We know how to integrate with all the different orchestrators that exist. We have a very seamless integration with OpenShift. It's deploying workloads, basically deploying a service in a DaemonSet, and automatically in about 10 minutes you have everything running and configured.

We have the ability to integrate with the image streams of OpenShift, so we will be able to scan the images from the OpenShift registry, and also we have the ability to search the images. If you're looking to see exactly what images exist over there, you can schedule scanning and more, and you can understand what is your posture in your images. You can understand what vulnerabilities you have, what components are in every image, and you can define if you want to deploy the image or block the deployment. You can see that, basically, when you will try to deploy the image, Aqua will be able to stop that and give you a notification. So no poisonous image can be deployed, no unknown or non-compliant image will be deployed. Not only that, we are able to integrate with S2I, so we basically can scan and be part of your pipeline.

Now we are also able to protect containers from becoming rogue containers, or from container drift, so where somebody is abusing that existing container and trying to do a lateral movement to another system, or execute different payloads that you don't allow, like crypto mining, ransomware and everything. So we are able to identify, and try and block, without killing your payload, any offending action that exists. In addition, knowledge is power, so we know how to push all of the information that we gather to different SIEMs or different systems.

So you will be able to see the big picture. So now your NOC or SOC not only will show you your system or your Kubernetes information, OpenShift information, but also we will be able to show you the security posture and what security events you have in that system. So you have full visibility of what exactly happened and more, and the context of the information is based on your OpenShift. It will be deployment, namespace, sorry, deployment, namespace, namespace names for the... nevermind, and so on.

In addition, we are very big contributors to the open source systems, so we have a set of tools that are open to use, free. You also can contribute to them. We have kube-hunter, that is basically automated pen testing for Kubernetes. We are working on a version for OpenShift also, but it's much harder. I won't buy lunch. It basically allows you to find all the misconfigurations in Kubernetes. You have kube-bench, that basically allows you to find and define the difference between your Kubernetes installation and the CIS benchmark, in this case for Kubernetes, and a version for OpenShift. And the MicroScanner, that is basically an executable that you can use, free of use, to scan your images, to make sure what CVEs you have over there and what type of changes you need to do in order to be more secure. It doesn't require any registration.