Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Red Hat OpenShift / Spain 2022 OpenShift Commons Gathering at KubeconEU / 17 May 2022
Red Hat OpenShift / Spain 2022 OpenShift Commons Gathering at KubeconEU / 17 May 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Stackrox io (ACS) Community Update Connor Gorman (Red Hat) OpenShift Commons Gathering 2022 Spain

Description

Stackrox io (ACS) Community Update
Speaker: Connor Gorman (Red Hat)
OpenShift Commons Gathering Kubecon EU
May 17, 2022 Live from Kubecon EU in Valencia, Spain

Full Agenda here: https://commons.openshift.org/gatherings/OpenShift_Commons_Gathering_at_Kubecon_Europe_2022.html

Learn more at: https://commons.openshift.org

A

I'm connor gorman I've worked at stackrocks and now acs via the acquisition for the last five years, so quite a while. I'm an engineering lead and I'll walk you guys through what we're working on so very quickly. Based on the hands raised in kirsten's presentation, I want to just walk through quickly what acs is what it does and why, and so our goal is really to build the first and we built the first kubernetes native security platform covering both build, deploy and then run time, and so starting with build right.

A

It's really around securing uh the supply chain. um You know vulnerability scanning in ci pipelines, actually scanning configuration, yamls and ci pipelines right, giving as much feedback to developers as soon as possible.

A

Then we're looking at the deploy stage right where you have running containers, running pods and running deployments, and what you're trying to do is continuously monitor them, monitor them and continuously evaluate their vulnerabilities right. I always like to say, because images are immutable. The number of vulnerabilities you'll find only ever increases right, there's only cve 2022 coming out cve 2023 if you're running images for a long time.

A

The number of vulnerabilities only increases and then finally, from the runtime perspective right what's running in your pods, is it what you expect it to run right and then how can you take that runtime information and bleed it back into the way that you configure your applications to make them more secure?

A

You know, along the way, right we integrate with all the tools that we know and love right from image registries. uh Image scanners we have our own, like kirsten, mentioned different cicd tools to make it easy to integrate.

A

Devops notifications, generic web hooks right and then sims, and so it was kind of the whole breadth of integrations that we have and our goal is to secure all of all of kubernetes from the bottom up everywhere, and so we've been pretty uh kubernetes distribution- agnostic, including uh you know, obviously, openshift, but also uh many of the kubernetes distributions from the large cloud providers.

A

So from our perspective, we have four key priorities that we've already been working on and we'll continue to work on in 2022. The first is open source. The second is security, innovation right, I don't think the kubernetes security landscape is finished. You know I've been working on it for five years, there's probably another five years left in it right. How can we continue to expand this ecosystem um portfolio integration? uh Now that we're part of red hat right?

A

How can we all work together and provide a better solution for all of you and then finally, the ability to run a world-class cloud service and manage service to allow everyone to use acs as easily as possible.

A

So we did it we're open source. uh You know uh this has been quite the journey. It's been a little bit over a year as of the last two months, we've been open source find us at uh stackrock stack, rocks on github we're also in the cncf slack under the staff rocks channel. um We I heavily encourage everyone to jump on there. If you have questions, we've got people ready to answer them myself included and then also you know, feel free to file issues. Ask questions request.

A

Features we really want to build a community around this project that you know. I've spent a lot of my professional career working on and I'm really excited about. You know sharing it with you all so touching on the first portion of open source, uh unfortunately clicking the make public reposit you know make repository public on github is not uh the end of open source right and so uh just for some context. The stack rocks name is used for the open source and upstream project and advanced cluster security or acs. It's a downstream project.

A

You can find it on stackrocks.io we'll take you right to our community page, as kirsten mentioned, the combining of claire and r scanner, which is a fork of claire just earlier in the life cycle right. We want to contribute a lot of that code upstream. We've made a lot of changes over the years.

A

Also, we have relied on some uh falco systick libraries, and so you want to contribute back to that community. Now that we're open source as well, we had our own open source project called kubelinter which helps you lint, the ammos from helm or kubernetes animals and ci cd pipelines, and we want to extend that and continue to invest in that area and then finally, overall, invest in the community around our project.

A

I'm pretty new to open source I'll, be honest, and so I want to continue to enable a community to contribute to our project and any ideas and suggestions. You guys have are very welcome.

A

Cool from a security innovation side right, there's pretty much an infinite amount of things. To do I'll be honest, so we had to have to pair them down to kind of uh four key categories. One is within vulnerability management, which is uh always a hot topic and with uh software uh supply chain, security, even a hotter topic, and so we really always want to focus on things that are actionable, and so this first topic here around identifying unused software packages.

A

It's really around helping you prioritize vulnerabilities that you may have in your images and ensuring that you can like mitigate them in any way possible. So a lot of times, there's different packages and base images that may have vulnerabilities, but you never use them or never load them or they're, never used in your application. um At stackrocks a lot of times we have static, go binaries. The only only thing that's supposed to run that container is a static, go binary, right and so vulnerabilities in other packages that may exist due to a base.

A

Image, for example, may not be relevant to us. So we want to make sure that we give you actual actionable information along those lines. I think kirsten really mentioned validating image signatures.

A

We have the ability within our product now as a part of an admission controller, to gate, whether or not images uh enter your environment based on whether or not they're signed correctly based on the signatures that you know, and so we're continuing to expand that functionality as well and then from a bottoms up approach right.

A

We want to provide better host level vulnerability, scanning kubernetes and the entire ecosystem is really about from the node up so nodes and pods, and then also the security of uh kubernetes itself in terms of vulnerabilities that may exist, and so you want to really want to branch that entire life cycle and the next step for us is really around uh host level vulnerability scanning and then. Finally, I want to make vulnerability scanning easy for everyone right. So as a developer. My ideal flow is that I build an image locally.

A

I scan it locally, make sure it looks good push it to ci. It gets scanned there again right deployed to production. It gets scanned there again right and then we're continuously scanning it. So vulnerability scanning is not a one-time thing. It's a continuous process, and so, from my perspective, I want to do that locally from a policy management perspective.

A

We run policies against all of your deployments and configurations. We want to help you bulk them together. So how can you move them between different instances of stack rocks? You may have air gapped environments. How can you group them logically and then finally excuse me: how do you take your gatekeeper policies and integrate them uh with stack rocks from open source.

A

Take a second there lots of talking from the network policy perspective. I know that uh kirsten also talked about these. Briefly, it's really about how can we help people leverage network policies? I think the adoption of network policies has been a little low. I know that a lot of these features. Four years ago I was trying to build a network policy. I thought man. This is really hard, like. I can't figure out how to do this. How can we make this easier for people right and so the now?

A

The next changes that we're trying to make from this regard are around. How do you identify applications that don't have network policies apply to them? I think we all know and use kubernetes labels, not the easiest things to use easy to get wrong right. How can you identify things that are are not being properly attributed in via labels?

A

The next two are really around usability with respect to ui and ux, and getting you out of the ammo stage and into actually using a ui. So the first place I like to start is my building. A network policy is how do I have this namespace of 10 a dot talk to namespace of tenant b?

A

How can we help customers provide, or how can we help customers do this, then quickly, segment them and then finally, security, metrics and trending? How do you know that your security program is working right? How can you look at things over time and ensure that the number of policies that are being violated or the number of vulnerabilities are being reduced.

A

Awesome so, as I mentioned earlier right, it's really about integrating with overall red hat portfolio post acquisition. Okay, the first one is really around usability. How can we make sure that we can scan openshift local registries? Our entire architecture is based on a control plane, and then you have secured clusters.

A

We have some customers that have over 300 secured clusters right and if you have any registries that are local to those clusters right, we need to be able to scan them and also pull the images out of those and upload them to our centralized control plane. Where you get a single pane of glass to look at all of them.

A

uh Along the same lines, right is within scanner and acs and acm. This is really, in my opinion, a better together story. Right, we've all built a bunch of amazing features, but how can we provide those features in a very unified way and also a way that is visible to you right through your openshift console right? So how really? How can we unify all of the amazing technology that we've built to provide them in a super, unified and straightforward manner and then, finally, via submariner?

A

How do we build uh security for cross-cluster networking? Currently, we are confined to a single cluster.

A

So this is the overarching goal and something that I'm very passionate about and worked really hard on. So far is really. How do we provide all the things I just talked to you about in a way, that's uh easy for you to operationalize, and this is where acs is. The managed service comes in and acs as a service, and so our goal is to take the control plane manage it fully for you, and all you have to do is secure stateless clusters.

A

The goal is really to get people up and running as fast as possible. Again we're going to be mostly kubernetes distribution, agnostic. You can run this in different cloud providers. You can run this on open shift. You can run it in managed. Openshift right, it'll be fully managed by red hat with an sla and then finally, the end goal here is provide flexible consumption models, and that's all I have for you thanks guys.

A

You.