From YouTube: Red Hat Advanced Cluster Management Presents: Security & Governance with OpenShift Platform Plus
Description
Centrally manage security and governance across the fleet with Red Hat’s OpenShift Platform Plus. RHACM and RHACS work together to provide end-to-end security controls from DevOps to Cluster Lifecycle, with our primary focus on ensuring a consistent and hardened application delivery model.
A: Good morning, good afternoon, good evening, wherever you're hailing from. Welcome to another episode of Red Hat Advanced Cluster Management Presents. Today we're going to be talking about a little bit of security and governance with OpenShift Platform Plus. I am Chris Short, a host, showrunner, streamer to the stars, and one of those stars is Scott Barron. Scott. How are you today, Chris?
A: Yeah, things are better now. At first it was Comcast issues and then we just had three tornadoes, so yeah.
C: Hi, everyone. Really excited to be here and on Chris's show; it's always fun. I am the chief security and governance architect for Red Hat Advanced Cluster Management. We'll be talking about how ACM can help you comply to enterprise standards. We'll also talk about the OpenShift Plus bundle that includes ACM, along with ACS, our new star in advanced security. We'll talk about that a little bit, how they all come together to help meet your compliance and governance needs.
C: I've been working in the security space for over 20 years, and I'm very excited to be here. Thank you.
D: Hey, I'm Gus Parvin. I'm on Jaya's team, I'm one of the developers on the governance, risk and compliance team. I'm here to just show off some of the work we did for the ACM 2.3 release. We've got, you know, some cool features coming, some Ansible integration, some templating. So it's exciting stuff, yeah. So I had to show it off.
B: Went out last week. There's a boatload of technology that we've stuffed into this 2.3 release. So Gus is kind enough to have a demonstration for us that we can weave into our conversation, but yeah, again, really we just want to talk about the importance of security within our portfolio.
B: So you'll start to see more of that as our roadmaps converge. For example, today we're going to talk about how we can deploy the ACS Central, and in the roadmap we have plans for how you can deploy the ACS sensor, so all the bits and pieces that go out to the managed clusters and ensure that they're feeding in to one central hub interface. Nice, so.
B: Good work that we've been doing for folks like Gus, who've been working day, night and weekend to make it happen, and Jaya keeping them all tap dancing to the right beat.
C: Yeah, I think it'll be good to first do some level setting. I won't spend two... I don't want to spend too much time on charts, but I think maybe a couple of charts just to walk through and level set the concepts and the architecture, and then I'm going to give Gus a lot of time. I'll show a little bit of the demo for some of the existing controls, enforcement points that we integrate with, like Gatekeeper and such, and then I'll.
C: Okay, so typically, you know, when customers are transforming from their traditional IT infrastructure to adopt cloud, one of the key things that they worry about is how do I meet my security, compliance and governance needs. And these needs are driven by both trying to meet their enterprise security requirements, enterprise software engineering requirements, etc., and also for customers who are in highly regulated industries, whether it's healthcare or financial.
C: They have to meet regulatory compliance requirements, whether it is PCI or HIPAA, or for federal customers, meeting FISMA, FedRAMP and all those requirements, right. So if you think about the ops person or the site reliability engineer who's operating the cloud platform, they really are not experts in every aspect of security.
C: And if you look at how to secure a cloud platform, you have to focus on so many different aspects of security, right. You have to focus on authentication, authorization, role-based access control, data-in-transit protection, data-at-rest protection, etc.
C: So how do you ensure that you're operating the cloud platform to meet all these security requirements? And how do you make that easy for the SRE? So this is where our approach is what we refer to as policy-based governance. So what we mean by that is to codify the best practices as policies and have those policies authored by the subject matter experts for the particular control area, and then using a GitOps mechanism where you manage policies just like source code.
C: So you have all your policies sitting in Git and then you use a mechanism called subscription to deploy the policies onto your various managed clusters. So the conformance to the enterprise standards as well as regulatory compliance standards becomes like a push-button automation. So that is really our vision, right. So that's what we mean by policy-based governance and, if you think about it, how do you implement policy-based governance?
C: You want to ensure that all the various controls, whether it is for security or resiliency or software engineering, are all configured to the desired configuration state. So that's where configuration management becomes the mechanism you use to implement policy-based governance. So, with that context in mind, what are the key capabilities that you need in a system that is providing policy-based governance, right? So, if you think about what we have within ACM, first of all, it has to be multi-cluster.
C: So one of the things we agreed upon or decided upon upfront is: there's not going to be a single policy engine on this planet. There will be multiple, right. So what we want is, you want to design, have an approach that can integrate with multiple engines, and you want to be able to deploy policies across multiple clusters. So if you look at the existing policy engines that are out there, whether it's Gatekeeper, OPA or Kyverno, these are all single-cluster engines.
C: So, for example, when Gus shows off the policy collection repo that we have, which is our upstream community for collaboratively building our policies, you will see that we have policies contributed by third-party vendors that we work with, like the stake, synapses, etc., right, and we also have policies for the Red Hat enforcement points.
C: And, as Scott mentioned, you know, we are adding policies for ACS, which is a new product within our portfolio, part of the OpenShift Platform Plus, and we also have policies for native OpenShift security capabilities, because OpenShift itself comes built in with security capabilities, including the Compliance Operator that allows you to enable rules for multiple compliance standards.
B: That's a really key slide. I just want to point out three things. One, you told us that ACM is the center of the opportunity here. We're bringing the multi-cluster management capabilities and distributing that out to the stack. Two, we have an open policy... we have an open framework around policy and an open framework around tools. We know that there's not just one single tool in the market. We know that customers already have a preferred player. We want to make sure we can work with that. So look at this list of third-party PEPs.
B: You know, the list of community policies that we have, and I'll put that repo in the chat. Oh, it looks like somebody already did. Thank you.
B: Yeah, so spot on, thanks Jenny. And then the third part of that is again in looking how ACM drives that capability out at the multi-cluster way, looking at how we can start to adopt and do it all with GitOps. I'm sorry, but I was just on a call this morning where they said that so-and-so was out of the office and all the Ansible scripts are on his desktop.
B: I'm sorry, so you know, we don't want that to happen to you. We want you to have a central code repository and the YAML-based mechanism. The YAML-based approach really is readable, straightforward code that we have for our policies, and that's stored in code. It's stored in a repo; that's your centralized source of truth that you can spray across the entire fleet. So I love this slide because it really hits those three points home.
C: Right, yeah, and I'm glad you championed that, Scott, because somebody told me that it's always a good mechanism to have three things to remember. If you go beyond three things, people tend to forget. So when I put this chart together first, you know, I had many, many bullets, right, and then somebody gave me the advice: distill it into three things. So.
C: Okay, let me be quick here, because I don't want to give Gus a chance to show off things. So the overall, I'll just talk high level to this diagram. I know the words are tiny; that's because we have too many cool things to talk about, but the following charts have broken this up. But from this diagram just take it that we have a management hub, which is from where we orchestrate the policy deployment and governance.
C: I just wanted to highlight here that if you think about policy enforcement points, what they are doing is they are basically providing you capabilities, and again, you know, I want to emphasize the fact that ACM allows you to manage not just security aspects. You can also manage resiliency aspects. You can manage software engineering aspects. Example of resiliency: you want to make sure that the liveness probe is enabled on your pods. Example of software engineering: you want to make sure that a particular version of Kafka is used, right?
C: So ACM allows you to do all that, right, and then these PEPs enable some technical controls, and those technical controls then map to compliance standards, and you could have a single technical control map to multiple compliance standards. And if you look at the ACM dashboard that I'll show you, you'll see that we kind of provide you that mapping. And then I wanted to highlight key things that are coming in ACM 2.3 that Gus is going to show off.
C: One is something which we call templatized policies. So why did we introduce templatized policies? Because what happens is there are certain policies where we have managed-cluster-specific information that is needed, okay. So then, today, meaning prior to ACM 2.3, you will have to define a policy per managed cluster if you need something customized like that. What we have added in 2.3 is the ability to templatize so that you define a single policy.
C: You can then templatize it to apply the particular configuration for specific managed clusters, and you can do that if you want a particular secret that you, for example, populate onto the managed cluster from Vault, or a ConfigMap, or a cluster claim which is specific to the managed cluster. So those are all different ways you can templatize policies. That is one key capability. The second one I wanted to highlight is the integration with Ansible.
C: I consider this one of the key features of 2.3, because this now brings governance and automation together. Okay, so customers are already using Ansible to automate many of their IT tasks today. Now think about the power if I can build out policies that tie that automation, so that now you can ensure that that automation is driven using your policy mechanisms, governance mechanisms. So that's what we're doing; we're just starting the journey and you'll see a demo of that. Those are the two key capabilities coming in 2.3 I wanted to highlight.
C: In addition, you know, Gus will also show off a lot of community contributions for policies. We have a lot of new policies that have been contributed, so we'll show off that. Then I also wanted to talk a little bit about roadmap, what is coming in our future, right. So all the things that are in orange here are things that are coming in the future.
C: So let me highlight that. So myself, as well as Gus and others in our team, have been working in the Kubernetes policy working group, where we have defined a standard called PolicyReport, and that allows you to report results for policies in a standard manner.
C: That's one that is coming. Second is we want the ability to generate policies conforming to our policy format in an easy way from existing policy libraries. Why is this important? It is important because, as we mentioned earlier, ACM can integrate with multiple policy engines, and what we're finding is each of these policy engines, whether it's Kyverno or Gatekeeper, you know, they have their own community, they have their own policy libraries being built there.
C: So we want those policy libraries to be quickly brought into ACM, so that is the policy generator piece that you're working on, and we also want the ability to schedule when policy evaluations happen. And lastly, we are introducing this concept called policy set. By that what we mean is, now, when I show you the dashboard you're going to see that we have a list of policies, right. Then how can you organize them, based on the enforcement point, or based on the environment where you applied the policy, or based on standards?
C: So what we want is the customers to be able to easily manage, because we want them to be widely successful in our GitOps mechanism, which means they're going to have a lot of policies. So we want them to now be able to organize them properly, and then, when they do that, eventually we can... Then our vision is, once we have the policy set concept, let's say we have a policy set for PCI, right, then we will.
C: We can grab this policy set and say apply this to all my clusters that I want to be PCI ready, right. So that's kind of our vision, and so we are setting the stage for that here. With that I am going to now switch to the demo. Sorry.
C: That's a great question. So the Compliance Operator again is single cluster today, right, so you can specify a security profile to it and it will enforce it on a single cluster.
C: Whereas ACS is going to have a more drill-down integration, because ACS is more focused on advanced security, so it will have more of the drill-down views and it will allow you to map those violations to risks, and, you know, more focused on security aspects, right. So that's one, and the second question you asked is the Container Security Operator.
C: The OpenShift Platform Plus includes both Quay, and it includes as part of that the Container Security Operator, and includes ACS and ACM. The Container Security Operator focuses only on Quay today, whereas ACS is able to detect vulnerabilities across multiple repositories, right. So I expect that those two capabilities will kind of converge together. Okay.
C: Okay, thank you. So this is, okay, this is our ACM console, and if you go to the Governance and risk view here.
C: Yeah, there you go. So like I said, right at the very top we have the summary, the PCI, you know, the standards-based summary. So this is where we will introduce that policy set concept, where you'll not only see the standards, you will also see things like "my production environment has these policies", or you will see a box that says Gatekeeper, right; these are all the Gatekeeper policies I've deployed. So you'll see that in the future.
C: So I want to show here the Gatekeeper integration we have. So for Gatekeeper, we have a policy that deploys the Gatekeeper operator. So again, one of the key capabilities ACM has is this config policy controller, and that basically can distribute any Kubernetes resource. If you think about how an operator is configured, it itself is a Kubernetes set of resources, right. So we are basically using our config policy controller to author YAML, and then we can just deploy any operator.
C: Actually, I'm just showing you Gatekeeper as an example here, and I wanted to show you a Gatekeeper policy. So this is a policy for liveness probe, the resiliency policy I talked about. So you see here that this policy is configured properly; so that's why that is set to compliant, and there are two things we can do.
C: The way Gatekeeper works is Gatekeeper is a bridge for OPA to Kubernetes. It installs itself as an admission webhook, and when we deploy this policy it is going to check on any new resources that are getting created, Kubernetes resources, whether they comply with the policy or not, and it will block things, right. So that will be the admission violations, if something is blocked.
C: The audit violation is: what if you deployed the policy and you already had resources prior to that, right? So Gatekeeper also has the ability to periodically audit and report on violations as well. So that's what you're seeing here. So there are some audit violations and there are some admission violations that we are showing here. The other thing I also wanted to show quickly is the Compliance Operator.
C: So for the Compliance Operator, again, it is an operator, so we have a policy that can be used to deploy this operator, and you can see it is in place for both the local cluster, on which the hub runs, as well as the managed cluster. And then for the Compliance Operator you can configure multiple profiles and, as an example, we have this E8 security scan profile defined here, and you can see that it is doing the scans and then reporting violations. So you can see on the managed cluster here.
C: Yeah, that's, so, I mean, in the case of ACS you will now be able to go into the next level of detail here, right. So you'll be able to actually see what is the violation, how can I fix this violation, and all those details, right? So that's the drill-down capability ACS brings in. Okay.
B: Hey, thank you. What's cool is, like, I know the ACS roadmap is a mess with priorities right now, right. They just went through an acquisition, they're under pressure to go full speed open source, they're trying to figure out how to integrate everything with OpenShift and make it, you know, peanut butter and jelly. We've been there. We know Christmas.
B: Hackathons they're running, you know, they're doing it all, and yet they managed to produce an operator in about two sprints. Maybe it was three, maybe I'm over-exaggerating, but what's awesome about that is it accelerates the adoption of the ACS Central, because it's an operator we can now proliferate that onto the hub.
B: We can start to have that story where ACM was the central management focus of the OpenShift Platform Plus portfolio piece; it's a lot of pieces. And then what Gus is going to show us here is driving for that message, with his opportunity to show us how it all works together. So, Gus.
B: Can see your screen; looks like you're ready to run with it.
D: All right, yeah, thank you, Scott. So yeah, I do have a bunch of different policies deployed. So I'm jumping right in, you know, assuming you've gotten the background that Jaya kindly provided, and Scott's right. We do have, you know, the ability to quickly and easily deploy operators. The Advanced Cluster Security Central server is certainly one of them that we can deploy. I've got it deployed. It's one of the windows I have open somewhere here.
D: I believe it's this one, right. So Advanced Cluster Security is one of the policies that now have been contributed to our policy collection repository, so getting that Central server up and running on your ACM environment is now quick and easy.
D: A lot of that is a lot of thanks to them; they're making an operator and that's available in their latest release. Another aspect of what I wanted to show is, you know, here's our list of policies. This is what you see in 2.3, and there's something new here. It's this Automation column. So over here towards the right, there's now a new Automation column, and it has the Configure link or button here that I can click.
D: So let's just click that, and now we have a dialog where I can, you know, quickly and easily define policy-specific automation, and this automation can, you know, do lots of different things, because now it's going to go off to Ansible and you can run, you know, any job that you desire through your Ansible Tower. I've got a credential already defined.
D: So, you know, the first thing I have to do is just select my Ansible credential. The next thing, and I'm zoomed in a lot; you know, when you're looking at this, maybe on your high-definition monitor, you can see a lot more of the things on the screen at once, but I want to zoom in so it shows up well. The next thing is the template I want to run. So which Ansible job template do I want to run, and.
D: Got one here, a policy compliance template. I probably should have put Slack somewhere in the template name, because its goal is to send a Slack message when I have a non-compliance. The next things here are the extra variables. So you've got to do some typing here, and I'm going to cheat; I'm going to copy and paste.
D: That's right, and I'll mention real quick, you know, what my copy and paste is. You know, I'm providing the policy name as one of the variables, the namespace and the cluster name here, and that's just because my particular Ansible job, you know, uses these fields, and we'll see that in a minute. In general, it's a good idea, probably, to have the policy name so you'll know, you know, what triggered this violation.
B: Customize your job. Walk me through this, because typically, when a customer uses a certificate type of policy, they're going to be informing; that's the verb, that's a YAML verb, and they're going to be informing about things like the wildcards in the certificate or hosting violations in the certificate, expirations; those would be typical things you'd be scanning for to kind of figure out what's the status of certificates out there in my applications. Now, normally that's just an audit kind of posture; we're just going to inform. But you're actually wrapping in an Ansible hook.
D: Oh yeah, absolutely, yeah, I should have backed up and mentioned, you know, what this policy does. Yeah, this part, you're absolutely right. This policy is monitoring a particular namespace for any certificates that are getting close to their expiration, and certainly, yeah, an Ansible job, in my case, is going to alert, you know, the administrator that the certificate is about to expire, or, in my case, it's already expired, but the, yeah.
D: What you can do with the Ansible job, of course, is you can work on your remediation to make sure the certificate is getting properly refreshed and rotated, or, you know, the sky's the limit on.
B: What you can do with your automation. It could make you a peanut butter and jelly sandwich. I'm pretty sure there is a playbook for that somewhere out there in the Ansible Galaxy, but that's kind of the fun, and I probably shouldn't use that word. That's the value, right. Customers have come forward and said we love the auditing perspective, but we need more. We need to be able to touch things off cluster.
C: Yeah, I think, and to add to what you said, Scott, I think we are also... Ansible itself is also introducing a lot of playbooks for cluster operations as well. So what we are doing is we can also marry that here, right. So we are basically bringing the automation power of Ansible to the governance power of ACM. So the way I would phrase it is, we are helping you achieve automated governance, right, so.
D: Yeah, and you mentioned ServiceNow. I'll give a quick plug for an upcoming blog. You know, we do have a.
D: That's pretty much ready to go. A member of our team named Matt, he has a blog that shows, you know, almost exactly this case, integrating an expiring certificate with Ansible and opening up a ServiceNow ticket, so that'll be a great tutorial to walk through if anyone needs some extra help on getting started with, you know, automating policies, and, you know, especially in the certificate expiration case.
B: Yeah, we get these kind of requests from a lot of our customers, in particular in the financial services. You know, they want extra levels of verification. I mean, everybody wants that, right, right. I shouldn't just pick one industry, but to be able to have that extra level of verification.
B: Whether that's, you know, four eyes of verification in Git before you commit, you know, Ansible does provide, obviously, those breakpoints to bring in another person, bring in your security team, audit, you know, that particular piece of it, check what you want to do. And the goodness of this is, you know, these are Git-based policies, right. These are backed in code, yeah. So the demonstration that I've interrupted here rudely, I'm sorry, but this.
B: Kind of how you create this experience and how you would drive it from a user interface, but these are all, you know, manifests that are stored in a code repository. These are YAML-based. We can shuffle things directly over the API through subscriptions and forget whether that's the OpenShift GitOps operator or the native, you know, subscription that's built in. You have all those options at your fingertips. I'm sorry, Gus, because I went long-winded, but I want.
D: So yeah, absolutely, you're right, and we definitely are looking for feedback from customers too, as they pick this up and start using it. Yeah, I'll mention here that the next thing in the demo here: we've entered in our credentials for Ansible Tower and we've entered in our extra variables that we want to pass off to the job. When do we want to run the automation?
D: So we have a few choices here, and this is an area where, you know, we're kind of expecting and planning on some customer feedback, because right now it's limited to manually running, what we call a run once mode, and of course disabled, which.
D: Isn't going to run your automation at all. So I'm going to pick run once mode, and it tells you here what that does: it, you know, runs the automation one time and, you know, that's it. So once it runs it switches over to disabled.
D: So I'm going to save that. In order to trigger it, though, now that I put it in run once mode, I have to have an expired or expiring certificate, which right now I don't think I have one out there, because my policy is compliant. So I'm going to switch over to the command line and just create a secret here in the namespace where that policy is monitoring for certificates.
D: You know, that'll take a minute to create the secret, and then it'll take a moment to transition to non-compliant once that controller sees that there's a certificate that's expired.
D: So the controllers are all running on managed clusters. It just so happens, so, our hub cluster is also a managed cluster. So that's what I'm doing here, but you're right. It is a managed cluster feature. So I'm looking across my fleet of managed clusters for an expired certificate, and I just created one out there in the fleet.
D: And in the dialog here, we do see now that the policy is not compliant on the managed cluster where I just created that certificate, and that's going to cause the automation to kick in and run. It does take a few moments for all the different pieces to connect together and for the automation to run and complete.
D: What will happen in a few moments is I will get a Slack notification on it. You know, I've done some testing, so I've been getting lots of these, but I'll get a new one that will show up after this, you know, this new timestamp I've logged in here at the bottom, so.
C: While we're waiting for that to show up, right, one thing I wanted to highlight, Gus, is the credential you use to connect to the Ansible Tower. That is all managed centrally on the Credentials tab that you have on the left-hand side, right, and the reason I wanted to point.
C: That out is we have Ansible integration with the other lifecycles, like application lifecycle, and the credential information is kind of centrally managed so that we can use it for all the three lifecycles, right. So just wanted to highlight that while we are waiting for the Slack message to show up.
D: That's exactly right. I just switched over to that Credentials tab. I didn't show it just because it's not so exciting for me to enter in my credentials, but it is one of the steps that you need to do ahead of time. While we were chatting about the credentials.
D: You know, the Slack notification did appear, and you see the extra vars I passed in provided the policy name and the namespace, and the hostname details I provided, you know, give me some links here I could click on to go and take a look at it, and the other value here is I see which cluster that non-compliance happened on, so where it was detected. So this is the managed cluster that's now not compliant in my fleet, that has the expired certificate.
D: So what we have here is, you know, the details we need to go and, you know, provide some remediation, in this case, because the Ansible job is, you know, notifying and not remediating.
C: So, because I just wanted to add one more thing, right, which is our policies can operate in inform mode or enforce mode, right. So when you operate in enforce mode, we automatically make sure that the cluster is complying to whatever standard you have set in that particular policy, say for etcd encryption.
C: If we enable encryption and somebody went off and disabled the encryption, we'll put it back, right. If you operate it in inform mode, then what happens is you will see a violation like what Gus is showing here for the certificate, right? So what it allows you to do is, if you are a customer who has to follow certain enterprise processes, operational processes, where I need to open a ServiceNow ticket, right, or I need to generate an alert to some incident management tool, etc.
C: Right, if that is your operational process, and you want to follow that and still use ACM to provide that policy-based governance, this is one way to do that, right. So you're kind of bringing the two worlds together, where you can still apply policy-based governance and you can still meet your IT operational process standards.
B: Yeah, that's a great point, and I'm going to hit the hammer again: that Credentials area does open your eyes, right. It shows you that now this Ansible credential can be used in other parts of ACM, right, so credentials becomes a center point to your story, Jaya, which is: we know that Ansible lives everywhere in your infrastructure. We're going to use it in cluster lifecycle; we're already using it. I mean, sorry, what I should say is we know that you're going to use it in the cluster lifecycle. That's why we implemented it there in version 2.3.
B: It has already been in application lifecycle. It comes up to full GA, and now it's in governance. So in all of our core pillars, all of the areas that we expect our customers to interact, we brought Ansible integrations in that space, and that's why it was important to start to elevate that story as a credential. It's something you're going to interact with more and more over time. Let's keep track of that for you, so you don't have to, you know, manually put that in a bunch of different UIs or a bunch of different emails.
C: Right, and to follow up on that, Scott, this also helps us in our roadmap to integrate this credential management capability with external secret management tools, right, whether it's HashiCorp Vault or all those, because that's another enterprise requirement. So the first step toward that is to first consolidate all our credentials in one spot. Now, then, we can do that integration. Back to you, Gus. Keep.
A
D
To use the next Ansible example to try to transition some, and kind of show off Ansible, Gatekeeper and our new template support a little bit. So let's see how this goes. I'm quickly going to go through the same procedure as before.
D
Just, you know, the policy that I have deployed here is a Gatekeeper "container resource request not set", so that's kind of a mouthful. Basically, you can use Gatekeeper to stand as a sort of a guard in your Kubernetes environment and not let things in that don't comply with your standards. In this case, Gatekeeper is going to guard against people creating deployments that don't have resource requests set. So this is like the CPU and memory resource requests, and some customers.
D
So here we go. That's kind of the quick background on why you might want this policy, but I'm going to go through now some automation with this policy. So we want some automation to kick in when it happens, and we're going to use just the same automation here, because I'm really going to try to tie some things together here a little bit, and I'm going to do the same thing where I copy and paste my extra vars. It's the same idea.
D
These are the extra variables that my job needs, that my automation job needs to have. Scroll all the way down, I'll go once again with run once mode. That's kind of our main mode of operation: we want to trigger a policy when it becomes non-compliant. Right now you see the policy is compliant, so I think I've filled out all of the information you see, and I now have a policy automation defined here in the automation column.
D
I guess I'll back up a minute. We can go back into one of these and see that we have some historical data here from the job that we already ran for the certificate one, and in here we can actually view the job that Ansible kicked off and get some details and status information. That takes us, using the ACM search feature, directly to that Ansible job resource with those status details. So that's another useful thing.
D
I thought I'd just mention that real quick. Okay, so back to this: now we have automation defined for this Gatekeeper policy.

D
I get back an error. The thing I want to highlight here is the error is identifying, you know, the policy, and it's telling me some details about that particular container I'm trying to apply not having resource requests.
D
If we go and take a look at the policy that I wrote for this, all right, I've got to remember where I put it.
C
Guys, just to connect the dots, right. So what really happened here is the Gatekeeper admission controller is basically blocking this, right? That is what happened here.
D
That's exactly right, that's right! So the Gatekeeper admission controller blocked it because it saw I did not have, and I didn't show the YAML, you know, so I figured that would just take a little extra time, but if we looked in the deployment we would see it didn't have, you know, the resource request identifying the CPU and memory needed for that deployment. Here in the message that we were just looking at on the screen, you remember it showed local cluster.
D
Well, I have a template here. This is a Golang template. So what we're looking at now is a policy, it's a Gatekeeper policy, and inside it we have a template that was resolving to the managed cluster name. So now I can have, you know, customizations, as I think we mentioned before, customization specific to the managed cluster. You know, before ACM 2.3, you would have to code these customizations into separate policies for your different managed clusters.
D
Now, using this template feature, instead of having, you know, bunches of customized policies, you can have one general policy that can feed in unique values for each managed cluster, and then, in this case, I'm pulling that managed cluster name directly from the controller that's running on the managed cluster. It is evaluating it and grabbing it at that time, as opposed to when the policy's deployed.
B
So you just blew my mind: you brought together Gatekeeper, which has been in the product for, this is our second release now, but you've enhanced that by driving the Gatekeeper response, I think you do that with Ansible. So this is a one-time response. You did that, you haven't even showed us what that did yet, but then there's templatized, the enhancement we put in there was a customer, a handful of customers, one of that that says.
All of this, right, because there's not just one tool to solve them all. So you've brought a GRC framework that establishes policies, right, YAML-based things that not only deployed that Gatekeeper operator but also deployed this "container resource request not set", so that's a webhook, and then it barked at you and said, "No, you can't do that." That's usually templatization, and you also added a run once Ansible automation on here, exactly, and I don't even think we saw that part yet, but no, there's more wisdom.
D
See, we see that it's not compliant, though. So when I tried to create that deployment and it failed with that error message, that turned into an event, so Gatekeeper turned that into an event, and we triggered a non-compliance on that event, so that's why this policy is now non-compliant, and if I look, you know, sure enough, here I have a Slack message that's alerting me of that non-compliance.
C
You did a great summary of the three, right. I also wanted to dive in. I know we keep interrupting, but I wanted to chime in and say that this is another example. This Gatekeeper policy is an example, I would say, of software engineering standards, right. So if you have such standards in your enterprise and you want to enforce them using ACM, you can do that, right.
C
So, whereas what I showed you earlier in the Gatekeeper policy was focused on resiliency, right, and then obviously we also showed you security-related aspects, like Gus showed you the certificate expiration one, and I showed you the Compliance Operator one, right, so you can see that ACM covers a breadth of these things, right, and you can basically bring all those into governance and you can now automate it using Ansible. So that's kind of the power of the thing, and the templatized policies actually allow us to scale for edge use cases, right.
B
Just, okay, as a developer, and I'm not even going to do an injustice to the strength of developers in this world to pretend that I am one. But if I wanted to be a developer, and if I wanted to just put in my willy-nilly code, you wouldn't even let me, because you, as central IT, you've already defined governance about what I can contribute and commit. Exactly, as a developer, I can't do that.
B
Yeah, and that's kind of the value: there's two personas in play here, right? There's Susan the developer and there's Johnny the central IT, and they're working together to create a consistent end-to-end security posture across their environment. They can't get away with just, you know, not putting the appropriate requests in these systems. So I love.
C
Yeah, but I would say, you know, we're not really making life difficult for developers, right. What we are trying to do is to give them, instead of, for example, right, you run an application, it consumes a lot of resources, and then you get into trouble, right, and then you are called on a weekend to fix the problem, right. You don't want to get into that situation, right. We want to define these standards, we want to detect when you're deploying to make sure you're complying with the standards. We'll help you do that, right.
B
You're shifting left. I don't want to make something that's going to cause us to shoot ourselves in the foot. You're informing me as I'm committing my code and attempting to run it, you're saying, "Hey, you know, put some guardrails on what you've just created. You could easily crash the entire cluster if you're not careful." Yeah, exactly.
D
All right, just real quick to kind of wrap up that little segment on the deployment that gave back an error. I just deployed one that did not give back an error, so this assumed someone figured out what they didn't do, they made the changes, and to take a look at the deployment to see what the changes were: they added the resource requests and limits, which is what Gatekeeper was expecting to have provided. So that kind of wraps up that part of the demo.
D
I'll try to describe, you know, another scenario where templates are useful. Here we're doing the same thing. You see we're pulling data from secrets a lot. We have, you know, lots of other things you can do, you know, it's not just about pulling data from a secret, it just so happens we have some useful fields in secrets that we want to pull out, and in this case we have a cluster name. So, just like I used the cluster name and plugged it into the Gatekeeper constraint.
D
I forget the name of it, but the secure cluster service, I think. So basically their version of a managed cluster, and that way, when you take a look at their console and go into their configuration and look at their clusters, what you see, or what you probably can't see very well, it says local cluster and twitch test. Now, if you remember those two names, and I switch over here to clusters.
D
And scroll in here, I have two clusters: one called local cluster and one called twitch.test. So here we have a case where you can make some consistency between different things. So you can have a policy that makes sure, as you're deploying operators and different resources across your enterprise, now you can try to make sure you have some consistent naming, where ACM likes to use the managed cluster name from managed clusters.
D
Well, you can make sure you have policies that are also using that name, and, you know, one last plug for templates.
C
Here in our, because what you just did, what you just showed, just to bring it to a higher level, is you basically showed an ACM policy that can be used to deploy the sensors on the ACS, or the ACS secure services, on the managed cluster, and by kind of using the templatization capability, you're able to ensure that the name by which ACM knows their cluster, as well as ACS knows it, was the same.
D
Here's another one, you know, the same thing, you know. Obviously our community is going to start having some templates in policy. So this is something, you know, you want to be aware of.
D
When you start donating to our community, or, you know, hopefully you start using our community of policies, you need to be aware, we're going to try to make sure we clarify in the policies that, you know, this policy uses a template, and that means you need to be on ACM 2.3. Here's one we're in the process of having donated. You see the same kind of information here inside a URL. So here we have a, you know.
D
We talked about the case where a message was getting updated, and then we talked about, you know, the managed cluster cases. Here's a URL for some audit logging. So it's yet another case where these templates can be useful to help make the policies a little more dynamic and not so static, where you would have to create, you know, content that works.
C
Yeah, hey guys, we are almost out of time, so, given that you are in the policy collection repo, do you want to just go quickly to the community folder and kind of show off some of the new contributions that we have had recently?
D
Absolutely, we have had a lot of contributions to our community lately, and so we'll mention a few things. We have a blog; our policy collection community points to the blog, but there's some more blogs out here. So always take a look at the blog there. There's probably always more on the blog than we have listed in our community. We'll try to get the relevant ones.
D
You know, in there, and try to keep that up to date, but we want to plug the blog. Here we have the community folder, which is where all of our community policies are donated, so drilling in here we have.
D
Policies, you know, everyone that donates a policy, we tell them, you know, try to update this README file, so we get.
D
An overview of the different policies that have been contributed. We can highlight, let's see, there's the Advanced Cluster Security central server, which was recent, and probably all of the ones after it would have been fairly recent. The local storage operator, I think, was donated, you know, very recently. It might have been today.
B
The point is, these community contributions do get elevated to stable over time. Help us understand what's important to you, help us understand what we need to bring support to, so join us in the community. Have your say. Again, these graduate from community to stable over time, but we might be out of time. I know we have more content, so we do plan to come back to your show, if you'll have us. Awesome.
A
So much, thank you to the audience for watching. We will see y'all tomorrow morning for the Level Up Hour at 9:00 a.m. Eastern, 1300 UTC, and thank you, Gus, Yaya, Scott. As always, I really appreciate you all coming on. This has been a great show and I will see y'all soon. Cheers.