Description
Multi-cluster management is hard. Technology, teams and culture clash in a race to deliver clusters and applications in a secure and compliant way. Red Hat Advanced Cluster Management for Kubernetes (RHACM) provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in.
A: Hat Advanced Cluster Management presents... If you're playing this with audio on and you're on the call, please mute, sorry about that. Everybody, we're gonna talk about governance and compliance today, and we're joined by the one and only Jeff Brent from the RHACM team. So I will let him introduce himself as well as the others on the call.
C: I had to put a long sleeve shirt on and everything, there's snow out here, but I'm the director of product management for RHACM. Thank you for hosting us today, and we have yet another exciting topic for us: governance, risk and compliance, which we lovingly call GRC. And with me today we have a team that's going to run through all kinds of wonderful demonstrations and presentations and topics. So I hope everyone is ready for a full show.

Today, with me, we have our wonderful and beautiful leader Jaya, who's a distinguished engineer who runs our governance, risk and compliance. We're going to start off with her and then we're going to go to our holy triumvirate. We've got Yu and Chaitanya and Gus, who are going to bring us through a various number of topics, all related to governance, risk and compliance. So when we say governance, risk and compliance, it's a very key and differentiated capability for us in Red Hat Advanced Cluster Management.

It is something that we're all very, very excited about, and so we'll hear a lot about that today. So what I'm going to do, because we have such a deep schedule of things that we want to show, I'm going to go ahead and turn it over to Jaya, who's going to bring us through some intro and ground us on what it means for governance, risk and compliance.
D: Hi everyone, I'm excited to be here and talk about the cool GRC capability of ACM. Just a quick intro on myself: I am the chief security and governance architect for ACM, and I have been working in the security space for over 20 years and I'm working on cloud security for over seven years.

Okay, so I am basically going to just use a couple of charts to set the stage and also show a little demo of the product.

So if you think about customers, enterprise customers, when they embark on the journey to transform to cloud from that traditional IT infrastructure, one of the key things that they are worried about is security and compliance. And the reason it's a little more complicated in the cloud space is because they are not just dealing with one cloud provider. Typically, they are using more than one, because they don't want to get locked down into one cloud provider.

They also are dealing with a hybrid cloud scenario, where they want to put some of their workloads in private clouds, some in public clouds, and then they also want to integrate with data that is already sitting within their enterprise. And obviously their security team is asking them to ensure that whatever cloud they are using is meeting their enterprise security standards, and their compliance team is upon them to say, you know: how do we meet standards such as PCI if they are in the financial industry, or HIPAA in the healthcare industry, etc. And some of these customers who are in highly regulated industries have to go through such audits.

Periodically, like PCI requires an audit every year, right. So then, if you think about all these challenges, what they really are looking for is a way to maintain continuous security and audit readiness for an open hybrid cloud. That's really their vision, right. So what is our answer to that, right? Our answer to that is policy-based governance. So what do we mean by policy-based governance?

What we're saying is, if you take a cloud, and if you want to secure it, you need to enable various security controls. You know: security controls for encryption, for authentication, access control, etc., right. So some of the security controls, if you take Red Hat OpenShift, are provided by Red Hat. It has built-in mechanisms, for example, to integrate with SAML and other identity providers, etc., but some customers also use technologies from other partners.

So the operations team that is actually managing the cloud is not necessarily an expert in all these various aspects, so just think about the challenge they have on their hands. So how do we make it easy? The way we make it easy is we want to represent the industry's best practices and enterprise best practices as policies that result in a desired configuration state.
D: We are working with other partners as well, and we are enabling this GitOps methodology, where once we have a set of policies defined in that policy-collection repo, you can use GitOps to deploy it easily into RHACM, and through them to the managed clusters, and essentially monitor and integrate with your enterprise IT incident management tools and security operations center, et cetera. To achieve this goal, we are also, for example, collaborating with list on.

So that's kind of our approach, to have an open collaborative approach to develop policies, and then let me touch briefly upon our overall governance architecture. So what we have here is the management hub. This is where you come in and you can both define and deploy policies, and you can also monitor the violation state of the policies, and there are three different ways in which you can get policies interacting. You can use CLI, you can use UI or you can use GitOps. Our preferred methodology is GitOps.

The reason that's the case is because this allows you to manage policies just like you would manage source code, so you have it under control and you can easily deploy it to the managed clusters. And then, on the left-hand side, we have the various managed clusters, and within the clusters, our various policy consumers exist. So some of these policy consumers are controllers that we ship out of the box and track them. So, for example, we have a configuration policy controller, which is pretty powerful because it can allow you to configure any Kubernetes resource.

And then we also have Gatekeeper OPA. We have the compliance operator, which is the new capability that came in OpenShift that allows you to actually do compliance checks on CoreOS, so we have integration with that too, and we have third-party integration as well, and we have our community of practitioners.

These are the Red Hatters who are working with customers, defining policies and bringing them to our upstream project as well, so that we have a full collaborative effort here that includes customer engagement.

With that said, I'm going to show you a quick peek into the product. So when you get on to our console, you go here and you click the Governance and risk view. This is the view you get, and you can see here what I've done: I have forked our policy-collection repo and created my own repo and then customized it, and then used GitOps to deploy these policies.

So you can see all these policies are already deployed, and for each policy you'll see that you can define multiple standards that the policy applies to. So, for example, this certificate management policy applies to NIST CSF. It also applies to PCI, so you can have standards, categories and controls that represent various aspects of security. So you can see, you know, we have policies for encryption, for access control, we have policies for configuration management, system and information integrity, communications protection, etc.

These are all out-of-the-box policies that we have that are available in the policy-collection repo, and when you do that, then there is a concept called placement rule by which you apply a policy to a set of clusters. The clusters can be labeled, and you can apply policies to the clusters and then you detect violations on those.

You can then look here, and they are organized in terms of the various standards that we have. So at this point, I'm going to turn it over to Yu, who will introduce himself and then take us through the policy-collection repo.
F: Okay, hello, everybody, my name is Yu Cao. I live in North Carolina, so I'm the dev lead for the GRC squads. So all the cool stuff you saw previously that Jaya presented, they are all developed by my team. Today, I'm going to quickly go through some fancy policies.

We provide them out of the box, and also contributed by the community, and then I'm going to actually do a quick demo to show you how the RHACM framework can use another policy language like OPA, integrate them together and then present it to you through the UI dashboard in a unified way. So, first of all, Jaya previously showed the cool GRC framework.

That RHACM provides, that you can create a policy on the hub and, with the placement rule and placement binding, the policy will be applied automatically to all the clusters you manage based on your selection, right. So this policy-based framework is cool, but what about the policies? The content of the policy? What policy do you have out of the box, and can I actually create my own policy?

So we, as a development team, are aware of this issue, so the policy-collection repo is our answer. So basically, this is a public repo, as you can see, there's already a lot of forks. So this is basically a gallery that hosts all the policies either contributed by the community or Red Hatters, either internal or external teams.

We also have policies that ship out of the box as part of the RHACM product. So if we look at this repo, we have two folders, one stable folder and one community folder. The stable folder is where we host all the policies we ship out of the box. As you can see, all the policies are hosted here and then they are categorized by the NIST 800-53 standard.

So before I, maybe I should talk about what a policy looks like first, just in case you're not familiar with it. For example, let's take a look at this policy role, right. So, as Jaya mentioned previously, when you create a policy, you create the policy itself and then you create a binding and placement rule. A placement basically uses a label selector to apply the policy to a set of clusters or a subset of the clusters. So, for example, in this particular example.

So we are selecting all the clusters with label environment equal to dev. Binding essentially binds the policy and placement rule together, so that we know this placement rule is for this policy.

Now we can take a look at the policy, so policy is a CRD RHACM introduced, so it has annotations for you to customize the standards, categories and controls this policy belongs to. If you categorized correctly, you will see nice tiles here, that the different policies are categorized into different category standards, and then you can view them differently.
F: Exactly, that's how this was designed, so we want to give you the freedom to categorize the policy in your own way. It might not be like NIST 800-53. It can be any standard, either an internal enterprise standard or the NIST 800 standards or any other standard. So it's all customizable.

So if you look at the content of the policy, basically what this policy does is it actually leverages the configuration policy we ship out of the box to make sure on your cluster you have a role with the rules you define. So it used mustonlyhave to make sure it only has the permissions you define. If it has any extra permission when this policy is applied and enforced, the extra permission for that role will be removed and corrected by the policy engine.

So this is basically what a policy looks like, so yeah.
D: So I wanted to just chime in here and say that for security buffs over there, you can think of this as ensuring that the least privilege principle is adopted, right. So if you have configured your roles to have certain permissions and somebody goes off and adds additional things, this policy can be used to kind of flag that so you can detect it right away.
F: Exactly, yeah, so our policy engine is really powerful in that it can do CRUD operations on your resources. For example, you can create a resource with our policy, create any Kubernetes resource with our policy, you can patch it, you can delete it. So it's very powerful in terms of how you want to configure a policy, so how you want to configure a cluster.

So, for example, if you look at the community repo, right, so here we host these policies that are all contributed either by internal or external or our business partners. So if we look at this repo, we actually extend our capability.

By introducing these third-party policies. So if you look at the details, they are categorized and organized the same as the stable folder. So if you are familiar with the stable folder, then you should be able to use this repo without any problem. So, for example, let me show you one policy contributed by our business partner Sysdig. So here Sysdig, they contribute two policies. The first policy is the Falco policy.

So this is an open source version of their security scan capability.

So this policy, basically what it does is it will leverage the configuration policy to install the Sysdig, to install the Falco operator available on GitHub in the upstream community, and then it will do the scan for you once the operator is installed. Same, they also contribute another policy.

The other policy I want to show you here is the compliance operator policy. So the compliance operator is a new capability that OCP introduced to do the compliance scan on your cluster. So always, with the power of the GRC policy-based framework, you can simply create a policy to install the compliance operator and then also install the profile to scan your cluster. So this can all be achieved using configuration policy.

So basically, as long as it is an operator, you can use our GRC policy to install an operator on your managed cluster, yeah.
C: But you know the contributions from the broader teams and the experts into this community will help it grow and flourish, and that's why we have the community folder and the stable folder. And what you'll see is that things will naturally be curated from community into the stable folder, and more and more things will surface in the box. And so that was really the concept that we have here around providing this policy collection that you set up for us.
F: Yeah, exactly, so since we are building this community-driven open policy-collection repo, we also received contributions from our field team. So our field team, they deal with OCP cluster best practice every day, so they were able to basically convert their best practice into a policy that you can simply use to configure your OCP clusters, for example.

We have a policy here that you can use to configure your cluster egress, ingress, and also like DNS, configure the DNS, configure the network. There's a lot of things that you can do to configure a cluster by using a policy. So this repo also holds these best practices using policies. And, for example, we also have contributions from our CoP team, community of practice team, so they have expertise in OPA and Gatekeeper.

So basically they contribute their OPA and Gatekeeper policy into this policy-collection repo and then convert it into a RHACM policy. So, for example, here we have a policy using OPA Gatekeeper, or Rego language, to detect if your containers are using the latest image tag, which is a floating tag which shouldn't really be used. And, for example, we also have a Gatekeeper policy that helps you to detect if your containers have liveness or readiness probes set.

So we actually welcome contributions from all parties to this, as long as you follow our documentation here, the contribution guide here. So you can just create a PR and then we will review it and then, if everything looks good, it could be merged to this repo.
D: So I wanted to also add here that, I mean, the philosophy within RHACM is our policy framework should be based on open standards and technologies. That makes it very easy for folks to write policies, right, or contribute policies. So, for example, the built-in configuration policy controller, because of its ability to distribute Kubernetes resources, Sysdig and the compliance operator team were able to crank out policies. They didn't have to really build a policy controller, write a lot of code, right.

They just had to develop the policy, that's it, and then you were able to deploy Sysdig as well as Falco operators to a fleet within minutes, right. So that's the power of that. And similarly, like Yu is showing the Gatekeeper policies, right. So we are building an operator for Gatekeeper that will allow RHACM to deploy Gatekeeper on to your OpenShift clusters using a policy, and then the community of practitioners or customers or partners.

They can just write Gatekeeper policies in Rego and then import it, and it's a simple way to extend RHACM's power. So I just wanted to highlight the powerful nature of our policy framework.
C: The name of the game here, Chris, is time to value, right. So when you install ACM, you have an empty management domain. So how do you get those policies in there? How do you get those best practices in there? The OpenShift consultants would show up with all those things tucked under their arm, and now they're just available as soon as you install, and we use, you know, GitHub or GitOps practices for bringing those into the management domain, which we'll show in a moment.
A: Yeah, that's pretty awesome, right, like the power of OPA and Rego to just define exactly what you want to happen or not happen in some instances is rather vast, right, like you can almost do.
C: Yeah, the ACM policies that we've described and deliver out of the box for setting the desired state configuration, and then in the right hand, you've got OPA, who's confiding. Those policies are preventing configuration drift, and so your entire fleet. And the other thing that we kind of mentioned is desired state, and it shouldn't go understated.

You know, you always want a new way that you're setting up the cluster, and if you bake those configuration activities into cluster inception, then you've really kind of created a point-in-time desire. And the way RHACM works with the placement rules is that you create a policy at any time and roll that out to the fleet. That, then, brings, you know, everything into what you're looking for.
D: Right, and combine that with GitOps, right, so that kind of brings that whole end-to-end story there, where you manage policies just like you manage source. You have the full control within Git, and then RHACM takes over from there and makes sure it gets deployed everywhere properly. It monitors it. It reports violations. And then the other thing, I know there was a Twitch session here on observability.
A: Nice, so I imagine, like I envision a day potentially where, oh, something's out of policy, ACM creates a ServiceNow ticket, boom, off it goes into the security teams', you know, life cycle of management, exactly.
C: In prior sessions, Chris, you saw Josh and the team go over application lifecycle and how we integrated Ansible into that, right. That's a strategy that's for all parts of ACM, so in that very near future that you're talking about, you'll see, you know, the ability to configure playbooks into, you know, what is the action you want to take when a violation, yep? Maybe it could be, you know, start a pot of coffee.
F: Yeah, sure, before I jump into the demo, I just want to quickly mention, right, so this repo is available today. If you just want to try the policies in this repo, you just the repo and then follow the documentation here, using GitOps to deploy policies, with a simple command here, the deploy command. So you can.

All the policies from this repo will be deployed to a cluster. So behind it, it is basically creating a channel and subscription based on the path of your GitHub URL and the folder you want to pull. So if you look at my cluster here, anything I deploy in namespace policies, right there they are. They are pulled from the policy-collection repo, stable folder, so you don't have to use our UI. You can just use GitOps to do that very quickly. All.
C: With, you know, however you want to manage those pull requests for introducing new policies to the system, you manage that in Git, from the GitOps style, and then it's delivered to the hub through the channels and the subscriptions. That's us eating our own cooking, drinking our own champagne, with the application life cycle capabilities delivering that to the hub, and then once it's in the hub, those placement rules distribute it to the fleet as required, yeah.
F: Exactly. Okay, now I'm going to show you a Gatekeeper policy example, so I have a Gatekeeper policy installed here. I'm not going to show you the content now, but if you look here, they're all green, they're complying.

So in the old days, when you create a Gatekeeper policy without RHACM, you have to go to the managed cluster, create a constraint, and then the policy will be enforced by the Gatekeeper controllers. So I've already installed the Gatekeeper constraint here. It is called K8sRequiredLabels constraint. So this is an example I call from the Gatekeeper website.

So if you look at the content here, oh, my cluster is a little bit busy. It's stalling my kube request. Okay! So if you look here, it is the same, it is zero violations.

So basically, what this policy does is it will enforce the rule that you cannot create a namespace without the label gatekeeper. So I'm enforcing this constraint on the test and twitch namespaces, I'm not enforcing them on any other namespaces. So, basically, currently it is compliant. There's zero violation, and here on the RHACM hub it is also complying.

So now I'm going to violate it, right. So, basically, I'm going to create a namespace without the gatekeeper label. So let me call it twitch, so now it is, right. This is what we expect. It is blocked by the Gatekeeper admission webhook because it doesn't contain the gatekeeper label, I'm enforcing this controlling on page. So if I do another create, for example, test one, it will go through, so that means it has already existed.

Imagine you have like 100 clusters that have this Gatekeeper policy enabled. If you want to check the violations in the old way, you have to go to each cluster and then figure out if there's a violation or not, but with the power of the RHACM GRC framework, you can just see it from the dashboard, and now so.
D: Yeah, and to add to that, once we have the integration with the observability framework, right, this kind of violation will actually result in an alert, and you could be seeing an alert on your QRadar, for example, or your SIEM showing up, depending upon what it is, right. Or it could result in a PagerDuty paging somebody depending upon the severity of it. So that's kind of the power of this, right, and imagine RHACM managing a fleet of a hundred clusters.
F: Right, yeah, so to achieve this, you don't have to invent anything. You just need to create a policy right here. So if you look at the YAML file of this policy, what we are doing here is essentially I'm creating a configuration policy, right, to specify the constraint template I want to create on the managed cluster, and specify two companion policies to detect the violation, one for the existing violations on existing namespaces and one for the violations on a new namespace.
G: Thanks, Yu, that was a great overview, great job, you guys, and great discussion. Like I said, my name is Gus Parvin and I'm going to start digging a little deeper. Maybe we'll just consider this a quiz time, because I think you've already heard a great overview of the capabilities. You've heard about the GitOps, about our community, you've heard some of the cool features of the configuration policy controller.

Really, what I'm going to do is just take us through a couple more policies. We'll kind of dig into these two a little bit, and hopefully, with what you've already seen, this is, you know, just more of the same, and just helps you understand and see that the breadth of the policies we have is growing, and, you know, we have a lot of cool things out there to show off and available for you to use.
G: You know, for example, all I did was select the image manifest vulnerability policy in the specification list, and it's populated the policy here automatically for me. I could fill out these other fields and then create the policy. I've already got a couple created here, so I've already deployed this policy, and, you know, since I picked that one, we'll go through this one first. And before I do that, I'll just mention, you know, these are, you know, security and compliance policies?

You can see we've categorized them with the NIST 800-53 that we've talked about earlier in the call when Jaya was going over the overview. You know, we have these standards, categories and controls, and for the image manifest vulnerability, you know, we're trying to look around for all of the different vulnerabilities our images have. So this is an image scanning policy, and, you know, similar with certificates. You know, it's.

So if I click on one of these now, this particular policy you see is not compliant on both of my clusters, but what I want to do is kind of test your knowledge here. Yu did a good job of going through the compliance operator policy a few minutes ago. So, let's see if you can remember, you know, what's going on here in this policy.

If we take a look at the definition here, we see some key things. You know, one key thing: this is using our config policy controller. Okay, that's the one that we've been talking about a lot, and its power is really awesome, and once again we're using it here, just like with the compliance operator.
G: If you take a look at what's being defined, we have this musthave field and it is being enforced. So we are applying this set of configuration. What is the set of configuration? Well, it's installing the Container Security Operator. The Container Security Operator is going to get installed on any managed cluster where this policy is being placed.

It's a little bit different. Look, it's still using the configuration policy, so that's that config policy controller, but now it has a mustnothave, and it's looking for a particular custom resource. So these resources called image manifest vulnerabilities get created when the operator finds an image with a problem, an image with a vulnerability, okay. So we dug into the details there. We see that.

Not only can you deploy the operator, you can then look for the resources the operator is going to create, so that we can see the vulnerabilities on the system. So now I'm going to back up here real quick. Let's go back to the status. When I'm looking at the status, I see here on the left, endpoint and local-cluster. These are my managed clusters that are not compliant, and I can see some details on why they're not compliant.

You see the list of different vulnerabilities here in the managed cluster console. I get that same data here on the RHACM console, so I don't have to go through each managed cluster. I can just take a look at it here, and looking at the YAML here, it tells you, you know, I have images that have vulnerabilities. You know, there's fixes that need to be applied, and down here it tells you specifically what image requires the update.
D: So just to re-emphasize, right, I think what you saw here is the power of our configuration policy controller, right. So.

Yeah, because of the built-in controller that we have, you can just define a policy. You're not writing any code, you're just defining a policy to deploy an operator for a particular capability. That operator could be the compliance operator, the image vulnerability operator, the Container Security Operator, or it could be any other operator like the Sysdig operator, etc. Right, and as long as that operator is returning results as a Kubernetes resource.

In this case, the Container Security Operator does, we are able to consume that, right. And again, that consumption also happens by just writing a policy.
G: And we did both in one policy. So it's not that you have to write, you know, bunches and bunches of these. You can combine them into one to simplify it. So then, you know, it makes it easier for deployment when you don't have to.
D: Yeah, that also reminds me of another piece of work that we are doing in the Kubernetes policy working group. We are actually working to standardize how policy results are returned, right. So if that happens, then you can basically have RHACM consume those standard CRs, right, and then anybody can write a policy that returns results in that particular format, and it's all open and standardized.
G: Yeah, oh wow, okay. So for certificates, I'm not gonna go through the details and, you know, say too much here for certificates. I'll just say here we see we're not compliant, but look, notice the non-compliance is we're exceeding a duration. So the lifespan of the certificate is longer than what we've configured. The community for trusted certificates has gone from 25 months down to 13 months, and, you know, you can set.

You know, whatever policy you want or whatever time frame you want for certificates. And here's another customer request: we got to have no certificates with wildcards in them, so we have a way to allow you to disallow wildcards. And if we were to just take a quick look at what's going on there, by default we just checked for a certificate expiration. That's, you know, the main thing we care about, and it digs through your namespaces to find the certificates that are about to expire.

You can add these extra parameters to look at the certificate lifespan, to see if somebody's creating certificates that are good for 10 years, and, you know, we're just hoping they would never expire, and then they probably don't have, you know, a procedure to replace that certificate if it is ever compromised. So that's really, and here, you know, I wrote two separate policies here. So one of them is looking at one set of namespaces for, you know, not wanting the wildcard pattern in their SAN names, and then the other one was looking at the different durations on the certificates.
B
G
C
You,
as
you
flip
over
to
jutania.
You
know
you
looked
at
that
informed
policy
right.
That
gives
you
kind
of
an
impact
analysis
as
you're
introducing
new
policies
to
the
system.
It's
just
basically
telling
you
hey.
This
is
not
not
in
the
desired
state
that
enforced
policy
is
going
to
try
as
much
as
it
can
to
to
put
it
into
your
desired
state.
So
there's
it's
not
just
all
or
nothing
you
can
have.
You
can
start
off
experimenting
with
policies
within
form
to
understand
what
the
impact
analysis
would
be
on
your
fleet.
E
All
right,
hey
guys,
I'm
chaitanya!
E
I
am
going
to
take
you
through
another
one
of
our
policies:
the
fcd
encryption
policy,
as
jaina
mentioned
earlier,
rackham
governance
can
be
used
to
comply
to
various
standards,
so
this
lcd
encryption
policy
falls
under
the
security
and
regulatory
compliance.
So
what
is
this
policy
for?
This
policy
enables
the
xcd
encryption
policy
enables
us
to
enforce
across
managed
clusters
encryption
of
sensitive
data
in
hcd,
which
is
the
kubernetes
back-end
data
store.
E
E
E
So
I'm
going
to
very
quickly
run
you
through
that
regarding
so
here
so
before
I
create
the
policy,
I'm
logged
into
my
manage
cluster
here
on
a
terminal
and
I'm
going
to
run
a
command
that
shows
us
the
current
status
of
encryption
on
that
cluster.
E
So
I'm
not
going
to
take
through
the
whole
entire
details
here,
because
gus
did
go
through
it
ready
in
in
good
detail.
So
I
have
my
policy
creation,
I'm
going
to
choose
the
namespace
and
the
cluster
to
which
I
want
to
deploy
it.
But
one
of
the
important
things
to
notice
here
is
that
I'm
choosing
lcd
encryption
as
a
specification,
and
you
will
also
notice
that
this
is
a
configuration
policy
as
well.
E
We
initially
started
by
looking
into
creating
a
separate
policy
controller
for
all
encryption
features,
but
in
openshift
specifically
enabling
encryption
mainly
involves
patching
or
updating
your
config
custom
resources.
So
we
realized,
we
didn't
really
need
a
controller
and
we
pivoted
to
just
leveraging
our
config
policy
controller.
E
Now
after
my
policy
is
created,
I'm
gonna
again
rerun
that
I'm
gonna
go
back
to
the
terminal
and
rerun
the
same
status
command
and
we'll
show
you
that
once
the
policy
is
applied,
the
encryption
status
will
go
into
so
the
policy
is
now
applied.
E
So,
like
I
mentioned,
only
the
sensitive
data
and
or
secrets
data
in
fcd
is
encrypted.
Not
all
the
data
in
openshift,
specifically,
the
resources
that
are
encrypted
are
the
config
maps,
your
secrets,
routes
and
any
or
access
tokens
yeah,
that's
mainly
for
the
demo,
but
I
just
have.
I
want
to
highlight
a
couple
of
things
quickly.
E
One
of
them
is
that
today
we
support
hub
self
management
in
acm,
so
this
policy
can
be
applied
to
the
hub
itself
and
and
thereby
encrypt
and
protect
your
secrets
on
the
hub
too
and
another
one
of
another
also
want
to
add
to
that
that
we
are
looking
to
harden
security
further
by
integrating
with
walt
enterprises,
centralize
their
credentials
or
secrets
using
tools
like
walt
cyberark.
E
So
we
are
also
looking
into
enabling
acm
to
work
with
these
schools
and
use
these
tools
for
the
secrets
that
we
have
in
acm
as
well.
C
That
was
yeah.
China
is
leading
that
effort
for
us
and
understanding
how
we
can
we
can
manage
and
leverage
those
you
know
our
ecosystem
and
third
party
for
secret
and
sensitive
data
encryption.
Thank
you.
D
Yeah,
thank
you,
chaitanya
and
I
think
the
key
point.
One
of
the
key
points
she
mentioned
is
the
us
eating
our
own
cooking
right.
So
we
can
apply
the
policies
to
secure
the
hub
itself,
because
if
you
think
about
the
hub
managing
policies
on
all
the
clusters
and
like
jeff
said
policies
are
it's,
it
has
a
power
but
comes
responsibility
as
well
right.
So
I
think
managing
and
securing
the
hub
also
is
important.
A
A
A
C
A
Yeah
that
sounds
about
right,
awesome.
Well,
great,
show
really
appreciate
everybody
all
your
work.
Thank
you
as
always
I'll
always
love
having
the
acm
team
on
it's
a
great
group
of
folks,
wonderful,
tooling,
and
just
trying
to
make
you
know
clusters
better
right.
I
think
trying
to
make
managing
multi-cluster.
A
You
know
systems
distributed
systems
a
lot
more
feasible
for
folks
at
scale
right,
yes,
excellent
demos
too.
By
the
way
I
did
not
get
any
question.
Well,
hang
on.
Let's
see
one
question:
will
there
be
support
for
virtual
machine
compliance,
openshift
virtualization,
for
example,
and
integration
with
openshift
compliance
operator
to
acm?
C
That
it's
not
really
that
tough
of
a
question
you
know
we're
really
really
involved
in
the
openshift
virtualization
and
how
that's
coming
the
market.
There's
a
number
of
different
things
that
we
we
we've
have
had
some
some
success
in
that
area
of
virtual
machine
compliance
prior
to
our
move.
From
from
ibm,
there
was
some
research
in
there
we're
working
with
making
sure
that
we
bring
that
into
the
product
as
well.
So
when
that
lands,
you
know
with
openshift
virtualization
in
general.
C
I
think
a
lot
of
that
ansible
integration,
for
you,
know
the
virtual
machines
running
on
kubernetes
and
being
able
to
apply
that
anything
you
want
via
ansible
as
well
also
intersects
there.
So
absolutely.
A
A
Awesome
all
right!
Well,
thank
you.
Everybody.
I've
got
another
screen
to
jump
to
and
we'll
catch
you
next
time
here
on.