Description

Creating a secure, compliant cloud presence across one cloud is a chore, across multiple clouds it is a job, and once you add on-prem and edge you have yourself a headache - or do you? It turns out the technology surrounding policy and compliance has evolved to meet modern distributed demands. Gus Parvin joins us to talk about fleet-wide governance with OPA Gatekeeper, Kyverno, the ACM Policy Framework, OpenShift Platform Plus and beyond.
A: Hello and welcome to the Cloud Multiplier. Today is episode two. So if you caught us last week, we talked about HyperShift. Today we, myself Gurney Buchanan and my co-host Joydeep, have the honor of welcoming two new guests, Gus Parvin and Jaya Ramathan. I hope I pronounced your last name right, Jay. I didn't ask before we got in the stream.

A: I really need to work on that. They are from the policy, GRC and many other things team here at Red Hat. They're joining us today to talk about a very interesting topic: fleet-wide policy, governance, compliance and even more of these fun distributed cloud problems. But as always, we're not going directly into the meat of things. So first we need to talk a little bit about what has been going on for the past couple of weeks. With top-of-mind topics, I now get to put.

B: Hey, thanks, hi everybody. So, a couple of fun open source projects that I'm looking at.

B: So you know we are collecting all of this data, right, and everybody is collecting, so you want to make sense out of their data, and you can. Most of the data that we collect is time series: you have a timestamp and then you have some metrics. And Facebook actually has a robust library which is to forecast and do a bunch of other things. And while there are many forecasting libraries available, this one has caught attention because of a few things, so I'm checking that out and can't help. The other interesting thing.

A: The thing on time, while I was out hiking at Yellowstone, so it was the easiest release I've been through personally, but that one was a long time coming, and all of the things we talked about last week in HyperShift, some of the stuff from today for policy and a bunch more from future shows and other things is now live. I think my favorite part is definitely that they consolidated the UI. So now you just get a cluster switcher in the UI, which is just wonderful.

A: Got it, yeah? We do, that's right, we do have a chat in here. Let me go ahead and I'll share that out to everyone. So there's that. I hadn't seen this at all, Joydeep. That's a really interesting project. So is this just projection in general, so you can just pile some time series into it and get projections out? Look there.
B: There are some. I'm talking to one of our customers who wants to project, but usually it's just more than projection. You know, there are many problems that you want to know about. For example, without having to stare at the data, you want to know if something changed under the covers. You know, maybe your sales was like this: you know it was 100, then it hopefully at 150, and you do not want to be staring at the numbers, but you want to know if there's a change in trajectory, you know, if a certain pattern is being repeated.

A: Yeah, interesting. Okay, the other one: I get to put Gus and Jaya on the spot. So, both of you, anything on the top of your mind today, for either of you? Any fun open source projects? Anything you've been working on?

C: Yeah, I can always do a plug for my favorite policy work group upstream community that we have been working on for the last couple of years, advancing, you know, policy management, best practices, etc. One of the things we are focusing on recently is the compliance angle.

C: So if you're interested in policy, in security policy, governance and all the good stuff, welcome to participate in that one. So I want to make sure that I hit that plug. And I wanted to add that, since you talked about ACM 2.5, I do want to say what my favorite feature in that release is: the introduction of policy sets to group policies for deployment, and we'll of course talk a lot about that in today's call.
D: The cool thing I played with last week was the new release of the Kyverno policy enforcement point, so they had a 1.7.0 release, which was long anticipated by me. It has some cool new features that let you apply configuration.

D: You know, it has some similarities to our governance, risk and compliance. But, you know, some of these features are really neat because it hooks into the API server. So it does some validation, plus it can do some resource creation, so it was a.

A: That's very interesting. Okay, so I'm getting ready to see a lot of this appear in our development workspace, is what you're saying, a couple of new versions of it. Okay, that'll be interesting.

D: It's brand new, so not a lot to demo on that new release, but we'll certainly show some different things that, you know, show the GRC framework, often in a lot of different ways, including using Kyverno and Gatekeeper.

C: That has always been the case, right. So whenever we pitch policy, we always say that you can apply policy management for security, resiliency, software engineering best practices, as well as configuration management. So one of the strengths of ACM is its ability to integrate with multiple policy engines, including Kyverno, as mentioned, right. So, fantastic.

A: Yeah, I was about to say, it's feeling about time for us to get... We're slowly transitioning into the meat of it. So, Gus, I think the intro question is: give us the elevator pitch on policy, because I don't know much other than that for every problem that requires a configuration change, the solution is usually a policy engine of some sort to make that true. So I'll let you give us the pitch and then I'm sure we'll have plenty of questions.
D: You know, dictate, you know, kind of where the problems lie. So I'm going to share my screen really quickly here.

D: Okay, so governance, risk and compliance. We are one of the pieces of Advanced Cluster Management.

D: When, you know, Red Hat has another product called Advanced Cluster Security, and its focus is container security. Now, when you think about security in that product and security in Advanced Cluster Management, what do they have in common and where are they different? So, for Advanced Cluster Management...

D: You know, on the screen here we have a few of the different key points for ACM, and one of them certainly is, you know, these cloud environments can be dynamic, because this is the Cloud Multiplier show. You know, these cloud environments can come from different places. They can come from public cloud, they can come from on-premises, they can be hosted from VMware or bare metal. So there's lots of different ways.

D: These clouds can be stood up, so our ability to understand the risks and manage compliance across all of these clusters can be quite a challenge, and that's what we're here to try to help with. You know, I mentioned Kyverno, I mentioned Advanced Cluster Security, mentioned Gatekeeper, plus our own policy framework that comes within GRC. They're all tools that help you manage this multiplying set of clouds.

D: Now, what is it really all about, and how do we differentiate some of these things? Kyverno, Gatekeeper, the OpenShift Compliance Operator: these things run on a single cloud, so they're not really multi-cloud on their own. With GRC, and the benefits of using GRC with these solutions, you can easily make them multi-cloud by using our policies to deploy them out, to deploy their concept of policies. Well, we'll be using the word policy a lot. So stop me.

D: Advanced Cluster Security, you think about that product separately from Advanced Cluster Management. It's about trust, trusting the containers. So it's a deep dive of trust for the different containers running in your cloud environments. Advanced Cluster Management, we're about trusting all of these clouds that you're building, which of course include containers too, so the products work well hand in hand.

D: Actually, I think we'll definitely talk about that more later, but for now just know that, you know, we're really trying to build an environment that has clouds that are being deployed, they're coming up, they're being torn down, and we want to know that they're being installed and configured with the right set of tools, the right configuration. We want to have that understanding that compliance is being applied properly.

D: We want an open solution to being able to make sure that we can trust these clouds, whether you're the compliance, like a SecOps or compliance engineer, that's trying to make sure that we're checking off all the boxes on the different compliance regulations you need to meet, or whether you're an SRE that needs to make sure the application teams have the tooling and, you know, the different prerequisites for the applications that are running available.

D: We get into taking a look at our policies: they all have, you know, placement information that allows you to apply configuration to the right set of clusters, so that's kind of what our policies do. Our policies define a set of Kubernetes configuration and it lets you apply them to a set of clusters that have something in common.

D: Maybe they have a compliance requirement in common, a cloud provider that's in common, or maybe it's an OpenShift version that's in common. So the placement concept, of course, is part of Advanced Cluster Management, and that's something that's key also for providing that benefit of governance, risk and compliance across the clouds.
A: While, yeah, so I have plenty of questions now. So if I'm getting it correctly, policies are kind of our smallest unit of definition for configuration. So ACS, you know, the StackRox folks, they very much care about the security of a container running. Is this a secure base image? Is it behaving and configured in a secure way?

A: The policies we're going to talk about, or you're going to talk about, mostly, and I think you have a bunch of demo stuff as well, mostly focus around configuration, making sure that you have resources in a cloud platform configured in a secure way. And correct me if I... so the base definition of a policy is kind of a statement of: you want something to look like this. You define what you want a resource or what you want.

C: Yeah, I wanted to just chime in a little bit on Gurney's question, right. So I think the way to think about Advanced Cluster Security and Advanced Cluster Management is, I always use a T, right. So if you take a T, Advanced Cluster Security is basically going deep into security aspects and making sure those are configured properly, right, whereas Advanced Cluster Management is the top line, right, and it is more broad. It focuses on security, but also other aspects like resiliency, software engineering, etc., right. And also think of Advanced Cluster Security...

C: ...as one policy enforcement point that can enforce policies for certain aspects. A customer could have multiple policy enforcement points on their managed clusters, like Kyverno, Gatekeeper, etc., as well, and ACM itself also has policy controllers that could run on the managed clusters as well, right. So you want to be able to deploy policies that are honored by many of those PEPs, policy enforcement points, which support various technical controls, one or more technical controls. So I think the way I would phrase this whole thing is: you're right.

A: Actually, let me drop... there's a big repo. For anyone watching, feel free to ask questions in chat and take a look at the policy collection repo. It's really good framing for what we're talking about. But as we have, you have a lot of policies defined here, already defined in Git, that someone else could inherit for that task as well, so that makes them very transferable and very consistent, gives you a consistent environment. Okay.

B: And I guess what we can define is a Kubernetes resource at any one of the clusters, or any ten of the clusters, or any hundreds of the clusters, right. It must be a kube resource. It can be anything: it can be a secret, it can be a config map, it can be an operator, it can be a namespace, right.
D: Right, yeah, I mean, I will mention, you know, I've seen an environment where thousands of clusters were being managed. I don't remember the exact number, but it was over two thousand, so those environments are possible. So Cloud Multiplier is a great name for how GRC can be used.

D: We talked about the configuration policy controller. It's not the only one, so we do have other controllers that are security related. One is for, it's commonly thought of as certificate expiration, which is generally how people use it. It can actually do a few things other than certificate expiration.

D: It can enforce your organization's requirements, maybe as far as how long a certificate lifespan can be, and it can also look at the DNS names to see if maybe you're using wildcards in your certificates, and maybe that's something your organization doesn't approve of. So we can flag things like that. So the certificate policy controller is, you know, one of the other ones. There's also an IAM policy controller, which, you know, simply checks cluster admin usage within a cluster.

D: To make sure that you don't have an unusually high number of cluster admin users, which would probably be a bad sign. And a teaser, maybe for an upcoming episode, was: what if you have a need that doesn't match one of those three very well? I won't really answer that question now, we'll let that happen maybe in a future episode.

A: Okay, I feel like you've teased a future for us. So this is starting to sound very much like a very good generic toolbox for controlling, ensuring, unifying this experience. So the next thought is: do you have any good exa... give me an intro with an example? Do you have any good live examples that don't involve checking any of my infrastructure for cluster admins?

C: Yeah, no, I was just saying whether you wanted to kind of, you know, one of the things, you know, when you're trying to explain the capabilities of a product, right. Someone told me that, you know, try to net it down to three things that people need to remember.
D: Okay, yeah, take a look at this slide. The three things we have, like we've been talking about. We have the multi-cluster policy, so our policies can be used not just to handle applying configuration that works with our policy engine. They can also be used to work with the additional policy engines that you see.

D: I guess that's more of the second point. The first point: we're really focused more on the ability to write our policies that can help you achieve the different compliance rules that your organization may have. You know, we have annotations inside of the policy that help you organize your different policies to make sure you are achieving...

D: You know, progressively making your clusters more secure and reducing the risks that, you know, clusters may be susceptible to. Then, you know, these all kind of tie together pretty tightly, because the last one is the thing about the link that was posted in the chat. We do have a policy collection community, and we have lots of different details there.

D: The bullets go over a few of them, but we have blogs that are linked to from that community. We have a policy generator, which is the last link. So, you know, writing policies isn't always fun, but if we could make it a little more fun, that's where we bring in the policy generator. It makes it, you know, a lot simpler and a lot less burdensome to try to, you know, get formatting and everything just right. You can...

D: You can go through and just turn on features and create the different resources that you're concerned with taking a look at in your cluster. The different contributions in this policy collection community come from lots of different places. So we really have contributions from across Red Hat, across different teams, donated from other places in the community.

D: You know, and these contributions are fairly active, so we do have new contributions coming in, being reviewed, you know, even today.

D: So we've talked about Gatekeeper and Kyverno and the Compliance Operator, so I've mentioned some of those things. There are contributions out there that you can go and take a look at. Some of the organization of our community is...

C: Can I ask a couple of questions? Absolutely, so. I know that, you know, for example, the OpenShift platform, right, has a wide variety of partners and integrations, etc.

C: So, if I think about those things, like whether it is partners that provide, for example, external secret management tools, as an example, right, so there is a good ecosystem out there. So what are we doing to ensure that those partner capabilities can also be used with ACM from a policy management point of view? Can you highlight what we are doing there?

D: Absolutely. So you mentioned the Kubernetes policy work group earlier, which, you know, when you dig into that work group a little bit, one of the cool things that they have done is create a custom resource that is being adopted across...

D: You know, across many different areas of the security, the cloud security industry, and that's a PolicyReport CR. So we use it in ACM: the ACM observability, or the ACM insights, takes advantage of a policy report to help have a consistent way for reporting back policy passes, failures, but we mostly care about failure.

D: So in the ACM case, it's populating it with the failures, because with those 2000 clusters we're talking about, if we put all the passes in there it would be too big of a report to care about. PolicyReport is used in lots of other places. So that's how Kyverno reports back its auditing. So when you think of what I mentioned earlier with inform and enforce, Gatekeeper, Kyverno, you know that they all kind of call it different things.
A: I was about to ask: while you're at it, tell us a little bit more about Kyverno and Gatekeeper, because I have always wondered, are these all different communities that have sprung up out of the same policy-centric, governance-centric working group, these same security areas? Because Kyverno is relatively new to me. I've heard of Gatekeeper before, but Kyverno was a recent one for me, right.

B: Sorry guys, the other thing, if you get a chance, which Jaya's prod reminded me of: do we have any integration, or are we planning any integration, around Vault, HashiCorp Vault, for example, to manage secrets and stuff like that? So, yeah.

C: So maybe let me make a couple of comments and then I'll let Gus talk about Kyverno and Gatekeeper. One thing as a follow-up: Gus talked about the PolicyReport CR, right. In fact, recently at the KubeCon European, EU conference, there was a presentation by the policy work group that went through various technologies that have adopted the PolicyReport CR, including Falco and Trivy and, you know, a bunch of other security technologies. So that's something; the presentation is out there on YouTube, so go on Google and listen to that one.

C: The other point I also wanted to add is that many of the partners, the partner ecosystem that Red Hat has, those partners are also contributing policies for ACM. So we have partners like Sysdig, Zettaset, Blacktalk. You know, they've all contributed policies and you will actually see those in the policy collection repo as well. And to now answer Joydeep's question before I give it to Gus: HashiCorp Vault.

C: So what that means is you can actually, and there is an upstream community called External Secrets that allows you to integrate with external secret management tools like HashiCorp, etc., right, as well as secret management tools provided by cloud providers. Now, if you have that integration onto the ACM hub, then ACM, and then now you're able to pull secrets from Vault and put them into the secrets of the ACM hub, ACM can now distribute those secrets to your fleet, right.

C: This makes it really easy because you, the customer, will have to just do the integration on the hub and then ACM handles the rest. Imagine, you know, if I have to do this integration at every managed cluster. That's a lot of work, so I'm really excited about that feature, and I'm already seeing several use cases for it, and customers are already asking about that. So that's really cool.
D: Yes, and I do want to talk about Kyverno and Gatekeeper, but I also want to go to the next slide, which is more of an architecture slide, and, you know, Kyverno and Gatekeeper will show up on the next slide. So at least I think they do. They show up on the right-hand side. Yes, there's Kyverno under the third-party integrations, and Gatekeeper, just above it, listed as one of the ACM integrations, and you see our config, IAM and cert controllers there too.

D: Also you see the Compliance Operator, like we mentioned before, and Advanced Cluster Security, but kind of the point of this slide is to show our overall architecture, and what Jaya was talking about just a moment ago, with the Vault and external secrets, and pushing secrets from the hub to the managed clusters.

D: They get pushed out throughout your enterprise of clusters that are being managed by ACM. Okay, so there's a lot of different details on the screen. It might be best, for the sake of time, just to gloss over them, but I will mention, I don't think we've mentioned Integrity Shield yet. So we're using policies to try to eliminate risks and to try to, you know, guarantee our clusters are being created consistently. So what is Integrity Shield? How do we know the policies themselves can be trusted?

A: So that'll, so that would catch... so I guess what I'm seeing on this chart is we take policies and anything, you know, these other frameworks, Kyverno, Gatekeeper, all these other things, and you can put it on a hub and then selectively put it on your fleet of... I've made myself a problem, and I have three thousand clusters or two thousand clusters, and I need to see it there, but that step in between the hub and that managed cluster is one of those where something's in flight.

D: Yeah, the point is, you know, there's not a point where the policy is going to be tampered with, so it's signed and it will not be pushed down to the cluster if the signature validation doesn't match.

C: Yes, that's another layer of integrity, and to add to what Gus said, that integrity capability integrates with Sigstore.

C: The reason I mentioned that is because I see a message about Sigstore in the chat, yeah. So we do integrate Sigstore. In fact, that technology was built by IBM Research and they have contributed it to the Sigstore community, and in fact we are working very closely with the Kyverno team for them to use some of that stuff within Kubernetes as well.

C: So that's how we're closing the loop, right. So we're basically taking the technology that we developed and contributing it upstream so that it can be utilized. So, yeah, the integrity of the policies obviously is extremely important, like I said, because now we are using policies to ensure that you are operating your managed clusters to standards.
A: Awesome, okay, that's pretty cool. We do have a question. I can jump in, take a quick break from the chart, Gus. Let's see if this will show up on screen. It's a longer one: "Working within organizations who use their own CAs often is extremely frustrating, as single TLS sessions need a CA bundle reference to work. Does this external secrets function make this less frustrating?" That might be for Jaya and it might be for Gus.

D: We can jump right in and talk more about Advanced Cluster Security and OpenShift Platform Plus, the exact reason that...

D: Well, this exact problem is solved with policies in that scenario, because you have Advanced Cluster Security, which has a central server deployed to the hub in our configurations, and their managed clusters, whether you call it sensors, or I can't remember the other name for it right now, but they connect back to that central server.

D: They need certificates that came from that central server so that they can securely connect back. Well, how do you get that pushed down? Well, you can either manually do it, you can certainly have some kind of Ansible playbooks to do it, or, with little to no effort, you can use our policy set for OpenShift Platform Plus and just deploy the policy set, and not only will it deploy the central server for you...

D: It will deploy all of the managed cluster components for ACS. They'll connect back, they'll get the secrets, and you don't have to manually push those secrets, the CA bundle, down to those managed clusters. So we could actually go into more detail here. Take it as an opportunity to show a lobster. Did you have a question, my favorite?

B: Yeah, so that's, I mean, while you're bringing this up. So what you're saying is that if, in my multi-cloud domain, I need to deploy a hub-spoke architecture, you know, something that is in a hub-spoke, I can use a policy set and I can deploy it, and that will take care of the entire communication. I mean securing the communication, etc.

D: Exactly, policy set. I get it, I mean.
D: Yeah, we can talk more about policy sets here. I had hoped probably to go over that in more detail. So we'll come back to the slides here, but okay. So that's the Advanced Cluster console. Here we have the Advanced Cluster Management console. This is new, the new ACM 2.5 release. Across the top we see an overview page by default, and then we have a policy sets tab and a policies tab. So under policy sets...

D: If I could look at the OpenShift Plus clusters, I can see that it is deployed to a different managed cluster than the hub. We only have one extra managed cluster, so the particular policies here...

D: So it's a lot of details, and the one thing I want to point out is: here is an encrypted certificate value that was pushed from the hub and is now on the managed cluster. This encrypted certificate data gets decrypted by our policy framework and it creates the secrets from this data. So we have, you know, details here. This is the data portion of the certificate.

D: The key is admission-control-cert.pem and you have other keys here. If we scroll down we'll see the other details here about that particular secret, and there are additional secrets too, because Advanced Cluster Security has three components and they each need a different secret. They all contain the certificate data that lets them, you know, securely interact with the hub.

D: Now, the good news, of course, here is you didn't actually put this encrypted content in the policy. This is what ends up on the managed cluster, so I jumped...

D: Pretty far here, so if we back up a step and edit, let's see, edit the policy.

D: So if you were familiar with our older releases, in the ACM 2.3 release we introduced templates, and in 2.4 we introduced the hub templates, but here in 2.5 you can now use hub templates with secrets. So the important thing to know with 2.5 is: using this template, you can pull in a secret from the hub and it will automatically encrypt it, and back when we were looking at our architecture slide...

D: This encrypted value is actually what's going to get synced down to the managed cluster. So that's how the magic happens, and then the managed cluster is able to decrypt that value and...
A: Yeah, and then I assume, I'm guessing, Integrity Shield also plays a part in this. You have a secret source that's providing a secret to the hub, that secret's getting templated into what is being applied and sent to this, you know, your one, ten, hundred, thousand managed clusters, and I assume that in flight is also through Integrity Shield, or can be, since you have policy, that it's just running through a policy.

B: ...is actually huge, and a general comment, for, I mean, Gus is showing policies and stuff like that. You know, for the audience, for the listeners, if you folks just log on to the policy collection repo, as Gus said, there are enough examples and from there you can jump-start writing your policies very quickly.

C: We hope. Sorry, I want to make sure, before we run out of time, that we also mention the policy generator. So, Gus, when you respond to what Joydeep was asking, bring in the policy generator as well.

D: Yeah, so I think I want to try to tie all of it together, with the policy generator being a part of that. Let's just show the policy collection repository.

D: Notice there's a couple of directories. There's one, Kustomize, which is just a basic sample. The basic sample has policies for Gatekeeper and Kyverno and some general policies also, so it's a general sample.

D: There are also policy set samples that use the policy generator. That's where we're going to go, because we want to take a look at what we were just looking at. Just like policies, there's the stable and community folder at the root level of the repository that has just donated policies.

D: Really, all it is, is the kustomization.yaml that points to our metadata file and these other directories, and, you know, the other files that you would have here. You don't have to organize them in directories, they could be just files located all here together, but the files that you collect here, instead of being policies, they are the actual resources that you want to create.
D
A
A
Bring
your
bundle
of
yaml
that
you
want
to
see
or
ensure
that
is
on
a
managed
cluster,
or
you
know,
on
your
fleet
of
clusters.
You
can
you
just
have
to
have
that
box
of
yaml,
and
this
looks
like
a
customized
generator,
so
you
can
just
use
customize
to
turn
that
into
a
policy
and
make
bring
that
into
existence
exactly.
D
Absolutely
that
easily
it
is,
it
is
customized.
It's
got.
Built-In
support
for
the
app
life
cycles
subscription
controller,
so
you
can
use
acm's
application,
lifecycle
and
point
to
this
directory
in
in
this
github
repository
and
it
it
will
install
the
policies
generated
from
from
this
generator
directory.
C
Yeah, yeah, I wanted to also add that. So that's absolutely right, Gurnee. So basically, what we are saying is: customer, if you're doing configuration management today and you have all these configuration files, YAMLs, sitting somewhere, and you want to kind of make them into policies, why do you want to do that? The reason you want to do that is because it then allows you, using the metadata, to associate those with various standards.

C
You can also generate alerts for policy violations, integrate with ACM observability automatically to, you know, integrate with PagerDuty and Slack and all that good stuff. You can trigger Ansible automation for policy violations. So you get the whole holistic end-to-end flow by doing that, right, and you can also deploy these policies using Git and add integrity to them, the things that we talked about, right. So it just strengthens it from a security and governance perspective.

C
That's really what you're doing, right. And Gus, if you want to show the overview page where we have how the policies can be viewed in the context of standards.

C
So if you go to the overview page, because you are associating this metadata with policies, now you can actually see how you are stacking up against various standards, right, against regulatory compliance standards like PCI, etc., as well as enterprise standards like NIST 800-53, things like that. And so.
C
And the other thing I also want to add here is, I think we have talked about a lot of cool features; I want to kind of bring it all together, right. So just to summarize, right, we talked about policies. We talked about policy sets. We talked about templatized policies, how you can tailor policies for various clusters.

C
We talked about automation, both at the hub and the managed cluster. We talked about policy generator, right. So if you have all these tools, cool features, I mean, where do I start? I mean, how do you go about operationalizing this, right? So I think Gus, myself and others in our team have started putting together some best practices for this, right. So I think the way we would say is, first and foremost, adopt GitOps.

C
That'll be your mantra, right, and then the second is start with policy sets, right, and you organize. So you create a repo in Git, create multiple folders for each policy set, and then organize those policy sets in terms of the personas, because by keeping this in Git, you are basically authoring everything there. You can do reviews, approvals, etc., and so you want to tailor that towards your personas, whether it is the SecOps or SRE and admin, etc.

C
Right, and you can also have, you know, the CISO or security architect review the policies as well, right, so the whole thing can happen in Git, right. And then by combining these policies into policy sets, and that would include configuration that you bring that you want to auto-convert to policies.

C
You can then associate placement to deploy the policy sets to your managed clusters, right, and then get that full lifecycle. So that's kind of the overall approach. So Gus, do you want to add anything to that? I know we are still authoring these best practices, so welcome any feedback, any questions on that topic too.
D
Just to mention that, you know, Jaya was talking about the different personas. One of the key values with policy sets is now, instead of, as in previous releases, just having a long list of policies, and here it's difficult for me to know, as the SRE or as the SecOps, which of these policies should I be concerned about. That's one of the reasons why we now have policy sets, to help.

D
You know, alleviate some of the problems where there's a policy and I'm not sure if it impacts me as the SecOps or if it's really someone else's. So now we can try to organize the policies, and it's not just to organize them for the purpose of, you know, the SecOps or SRE knowing if the policy is for me or not, it's also to help with the placement.

D
So if I have this set of policies, I can use placement for the set instead of having to go policy by policy and knowing if each one is placed on the right set of clusters.
B
And sorry, you can come to the screen to check the status and you can get violations. You can get notified of violations other ways as well, through Slack and pager or whatever you choose to. Awesome, exactly.
D
So in this case you see I have violations, and that's because, you know, for a hub cluster you really should have your backup and restore conf, and I haven't done that, so I have a violation there. But it is also taking a look at some of our other best practices.

D
As far as the hub is concerned, you know, just checking on status of subscriptions and, you know, different key resources within ACM at the hub level. The other hardening ones, the cluster hardening, that would be more of a general Kubernetes focus, and the OpenShift would be, you know, the OpenShift flavor of Kubernetes and, you know, some of the security best practices for OpenShift clusters.
C
So can you talk, because one of the things, the terms I've coined, is the automated governance, right. So this is where, you know, we are integrating ACM with Ansible Automation Platform.

C
So Gus, can we show a little bit on, take a policy, an example policy, where you can trigger Ansible automation, you know, for a policy violation? So that's one aspect, right. The other aspect, and maybe, I'm sure Gurnee has lined this up as a future topic here, is how we have now introduced Ansible modules to drive ACM itself, right, for driving ACM Ansible automations through ACM, and there are some benefits to doing that.

C
So I think that's definitely a future topic, but what I wanted to highlight there is, by letting those automations run through ACM, now you can also tie ACM's policy management into that flow, which basically means now I can monitor what service accounts are being used to run these automations, right, and see whether those service accounts are getting de-provisioned on a periodic basis, and what kind of privileges are being granted to run automation. So these are the kinds of things that you can now monitor by bringing ACM into the flow.
A
It sounds like we need to have you back and do an end-to-end live demo with Gus on this. That is what it really sounds like, and maybe get some of the Ansible folks in too.
A
I was gonna say there's a lot in this box. Oh, let's see, and let's see, we can probably start wrapping up here, just because I see some folks, I think, moving on for, I assume, the next thing in their day.

A
I didn't want to stop too early. I'll share out, Jaya just shared out a nice link that I'll send out. Is there anything else we want to close on? I think I've learned a lot today: that I can bring my box of YAML,

A
I can turn it into policy and then see how my clusters are behaving based on that bundle of YAML, and it looks like there is a collection repo that I can go and get a bunch of pre-made bundles of YAML for different hardening, and that's all in the open domain. So I think we can all get to that and make money.
D
And yeah, there's a deploy directory that helps you deploy it, you know, using GitOps with ACM very, very easily. It makes it very quick and easy to get started straight from this policy collection community, and if the details here aren't enough to get you started, then just click on the blogs directory and we have bunches of blogs that go into even more detail on these things.
C
One thing I wanted to add while we wrap up is the next aspect we are focusing on is compliance, how to bring the compliance angle. So you saw the beginnings of it when Gus showed you how, you know, you can add the metadata and represent policies in the context of compliance standards, right. So what we are now doing is to integrate the policy reports here that Gus was mentioning with OSCAL. OSCAL is a standard from NIST for compliance assessment results.

C
So that's a piece of work we are working on in the context of the policy working group, and we are also bringing it into Red Hat products. So that is something, watch the space. So that will give you a more holistic view from a compliance point of view. And as you know, we have a lot of managed services within Red Hat, so one of the things we are also looking at is how to apply these techniques to Red Hat's managed services in the cloud.

C
So that's another area of focus as well. So those are the two things I wanted to mention, and the link Gurnee just shared is a conversation myself and one of the GitOps product managers had with RedMonk. So you can listen to that. That'll give you a flavor of the direction we're proceeding.
A
Awesome, sounds like we have two more shows coming up then: one soon about compliance, and let Gus finish showing what he didn't get to demo today, and number two on a managed service once Jaya has that up and running, right? Yes, yes.

A
Yeah, I'll close then and say check out the stream archive. Check out, Jaya has a huge list of resources that she's assembled that I'm gonna leave on the YouTube. There is a YouTube page stream for this, so it'll be a stream archive. I'm going to leave it all in a comment there. So if you want any of these amazing resources she's prepared, I'll drop it all there.

A
Most of the links have been in chat already, but if anyone wants to read up more, that's where to go. Thanks, everyone, for joining today and watching, and please feel free to reach out to the show contact at cloudmultiplier.com, or reach out to any of us individually on our various emails that have shown up. So without further ado, I'm gonna play the intro as an outro and promise to eventually get an outro here soon. So thanks, everyone, till.