From YouTube: StackRox.io (ACS) Community Update, Connor Gorman (Red Hat), OpenShift Commons Gathering 2022, Spain

Description

StackRox.io (ACS) Community Update
Speaker: Connor Gorman (Red Hat)
OpenShift Commons Gathering, KubeCon EU
May 17, 2022. Live from KubeCon EU in Valencia, Spain
Full agenda here: https://commons.openshift.org/gatherings/OpenShift_Commons_Gathering_at_Kubecon_Europe_2022.html
Learn more at: https://commons.openshift.org
I'm Connor Gorman. I've worked at StackRox, and now ACS via the acquisition, for the last five years, so quite a while. I'm an engineering lead and I'll walk you guys through what we're working on very quickly. Based on the hands raised in Kirsten's presentation, I want to just walk through quickly what ACS is, what it does and why. Our goal is really to build the first, and we built the first, Kubernetes-native security platform covering build, deploy and then runtime. So, starting with build, right.
It's really around securing the supply chain: vulnerability scanning in CI pipelines, actually scanning configuration YAMLs in CI pipelines, right, giving as much feedback to developers as soon as possible.
Then we're looking at the deploy stage, right, where you have running containers, running pods and running deployments, and what you're trying to do is continuously monitor them and continuously evaluate their vulnerabilities. I always like to say, because images are immutable, the number of vulnerabilities you'll find only ever increases, right; there's only CVE-2022 coming out, CVE-2023, if you're running images for a long time.
You know, along the way, right, we integrate with all the tools that we know and love: image registries, image scanners (we have our own, like Kirsten mentioned), different CI/CD tools, to make it easy to integrate.
DevOps notifications, generic webhooks, right, and then SIEMs. So that was kind of the whole breadth of integrations that we have, and our goal is to secure all of Kubernetes from the bottom up, everywhere. So we've been pretty Kubernetes-distribution-agnostic, including, obviously, OpenShift, but also many of the Kubernetes distributions from the large cloud providers.
So from our perspective, we have four key priorities that we've already been working on and we'll continue to work on in 2022. The first is open source. The second is security innovation, right; I don't think the Kubernetes security landscape is finished. You know, I've been working on it for five years; there's probably another five years left in it, right. How can we continue to expand this ecosystem? Portfolio integration, now that we're part of Red Hat, right?
So we did it: we're open source. You know, this has been quite the journey. It's been a little bit over a year, as of the last two months, that we've been open source. Find us at stackrox/stackrox on GitHub; we're also in the CNCF Slack under the stackrox channel. I heavily encourage everyone to jump on there. If you have questions, we've got people ready to answer them, myself included, and then also, you know, feel free to file issues, ask questions, request features.
We really want to build a community around this project that, you know, I've spent a lot of my professional career working on and I'm really excited about sharing with you all. So, touching on the first portion, open source: unfortunately, clicking "make repository public" on GitHub is not the end of open source, right. So, just for some context: the StackRox name is used for the open source and upstream project, and Advanced Cluster Security, or ACS, is the downstream project.
Also, we have relied on some Falco/Sysdig libraries, and so we want to contribute back to that community now that we're open source as well. We had our own open source project called KubeLinter, which helps you lint the YAMLs from Helm, or Kubernetes YAMLs, in CI/CD pipelines, and we want to extend that and continue to invest in that area. And then finally, overall, invest in the community around our project.
Cool. From a security innovation side, right, there's pretty much an infinite amount of things to do, I'll be honest, so we've had to pare them down to kind of four key categories. One is within vulnerability management, which is always a hot topic, and with software supply chain security an even hotter topic, and so we always want to focus on things that are actionable. So this first topic here is around identifying unused software packages.
It's really around helping you prioritize vulnerabilities that you may have in your images and ensuring that you can mitigate them in any way possible. So a lot of times there are different packages in base images that may have vulnerabilities, but you never use them, or never load them, or they're never used in your application. At StackRox, a lot of times we have static Go binaries. The only thing that's supposed to run in that container is a static Go binary, right, and so vulnerabilities in other packages that may exist due to a base.
We have the ability within our product now, as part of an admission controller, to gate whether or not images enter your environment based on whether or not they're signed correctly, based on the signatures that you know, and so we're continuing to expand that functionality as well. And then, from a bottom-up approach, right.
We want to provide better host-level vulnerability scanning. Kubernetes and the entire ecosystem is really about, from the node up, nodes and pods, and then also the security of Kubernetes itself in terms of vulnerabilities that may exist, and so we really want to branch that entire life cycle, and the next step for us is really around host-level vulnerability scanning. And then, finally, I want to make vulnerability scanning easy for everyone, right. So, as a developer, my ideal flow is that I build an image locally.
I scan it locally, make sure it looks good, push it to CI. It gets scanned there again, right; deployed to production, it gets scanned there again, right, and then we're continuously scanning it. So vulnerability scanning is not a one-time thing; it's a continuous process, and so, from my perspective, I want to do that locally, from a policy management perspective.
We run policies against all of your deployments and configurations. We want to help you bulk them together. So how can you move them between different instances of StackRox? You may have air-gapped environments. How can you group them logically? And then finally, excuse me: how do you take your Gatekeeper policies and integrate them with StackRox from open source?
Take a second there, lots of talking. From the network policy perspective, I know that Kirsten also talked about these briefly. It's really about how can we help people leverage network policies? I think the adoption of network policies has been a little low. I know that a lot of these features. Four years ago I was trying to build a network policy. I thought, man, this is really hard, like, I can't figure out how to do this. How can we make this easier for people, right?
The next changes that we're trying to make in this regard are around: how do you identify applications that don't have network policies applied to them? I think we all know and use Kubernetes labels; not the easiest things to use, easy to get wrong, right. How can you identify things that are not being properly attributed via labels?
How can we help customers do this, then quickly segment them? And then finally, security metrics and trending: how do you know that your security program is working, right? How can you look at things over time and ensure that the number of policies that are being violated, or the number of vulnerabilities, are being reduced?
Awesome. So, as I mentioned earlier, right, it's really about integrating with the overall Red Hat portfolio post-acquisition. Okay, the first one is really around usability. How can we make sure that we can scan OpenShift local registries? Our entire architecture is based on a control plane, and then you have secured clusters.
We have some customers that have over 300 secured clusters, right, and if you have any registries that are local to those clusters, right, we need to be able to scan them and also pull the images out of those and upload them to our centralized control plane, where you get a single pane of glass to look at all of them.
Along the same lines, right, is within Scanner and ACS and ACM. This is really, in my opinion, a better-together story. Right, we've all built a bunch of amazing features, but how can we provide those features in a very unified way, and also a way that is visible to you, right, through your OpenShift console? So really, how can we unify all of the amazing technology that we've built to provide it in a super unified and straightforward manner? And then, finally, via Submariner.
How do we build security for cross-cluster networking? Currently, we are confined to a single cluster.
So this is the overarching goal, and something that I'm very passionate about and have worked really hard on so far, is really: how do we provide all the things I just talked to you about in a way that's easy for you to operationalize? And this is where ACS as a managed service comes in, ACS as a service. And so our goal is to take the control plane, manage it fully for you, and all you have to do is secure stateless clusters.
The goal is really to get people up and running as fast as possible. Again, we're going to be mostly Kubernetes-distribution-agnostic. You can run this in different cloud providers, you can run this on OpenShift, you can run it in managed OpenShift, right; it'll be fully managed by Red Hat with an SLA. And then finally, the end goal here is to provide flexible consumption models. And that's all I have for you. Thanks, guys.