►
From YouTube: The Secure Cloud Cast (E5) | Compliance and Governance with Advanced Cluster Management, Pt. II
Description
Welcome to the Secure Cloud Cast!
Here you can find our monthly show focused on all things security, cloud native, and open source projects. Today we are discussing the following:
Cloud Native Security Con
Advanced Cluster Security Early Access Program
StackRox Open Source Project
Red Hat Advanced Cluster Management
Special Guests!
Scott Berens and Mina Karamercan from the Advanced Cluster Management product team join us. We’re going to discuss the management of containers at scale and how to build a scalable container solution while putting all of your compliance and operational needs first.
A
A
B
Yes,
hello
and
welcome
to
the
fifth
episode
of
the
secure
cloudcast
I'm
by
myself
this
month,
so
kicking
off
the
happy
New
Year,
but
with
some
good
friends.
In
the
background,
the
ACM
team
is
on
today
to
talk
about,
let's
say,
policy,
compliance,
governance
and
a
lot
more,
maybe
a
little
demo
as
well.
For
those
who
don't
know,
I'm
Mike,
Foster
I'm,
a
pmm
here
at
Red,
Hat,
specifically
I
deal
with
security
ACS,
mostly
and
speaking
of
got
a
couple
announcements.
B
Openshift
4.12
4.12
is
out
so
check
out
those
release,
notes
and
as
well
the
ACs
blog
all
the
updates
on
the
security
front
for
ACS
will
be
coming
out
tomorrow,
definitely
want
to
check
that
out.
It
wraps
up
everything
that
we're
doing
and
as
well
gives
a
roadmap
for
the
future.
Lastly,
cloudator
security
con
is
next
week,
so
the
cncf
is
putting
on
their
big
I
guess:
Flagship
security
event.
Whatever
you
want
to
call
it,
it
was
typically
tied
to
kubecon
and
now
they're
doing
their
own
thing.
B
Don't
know
why,
but
we're
getting
go
to
Seattle
in
February.
It's
a
pack
pack,
some
warm
clothes
and
get
ready
for
some
good
food,
but
other
than
that,
because
I
don't
want
to.
You
know
hog.
The
show
to
myself
I
need
to
get
my
guests
in
here,
bring
on
Mina
and
Scott
from
the
ACM
team
to
talk
everything
ACM.
Obviously,
compliance
governance,
like
I,
said:
welcome,
welcome,
y'all
and
let's,
let's
share
the
screen
a
little
bit
awesome
man
thank.
A
C
A
C
My
name
is
Scott
Behrens
I
am
a
product
manager
here
at
Red,
Hat
I
get
to
work
in
an
awesome
area.
A
challenge
that's
been
in
front
of
us
for
about
the
past
five
years
now,
and
that
is
in
the
cluster
management
space.
Our
product
is
Advanced
cluster
management,
a
lot
of
people
call
it
ACM
or
Rackham
Red
Hat
Advanced.
Cluster
management
for
kubernetes
doesn't
really
roll
off
the
tongue,
but
we
didn't
win
the
lottery
on
the
naming
ticket
there,
but
it
is
descriptive
and
it
sort
of
explained
to
the
world
what
we're?
B
C
C
Actually
worked
at
IBM
started
in
2004
on
a
bunch
of
different
stuff,
all
of
it
kind
of
like
Data,
Center
and
virtualization,
and
management
related
and
ACM.
We
hatched
as
a
project
called
MCM,
multi-cloud
manager,
and
at
that
time
we
were
just
kind
of
feeling
the
pain
of
kubernetes
clusters
and
our
own
engineering
org
and
our
own
sprawl,
and
we
were
working
on
a
project
called
IBM,
Club
private.
At
that
time
and
yeah
we
really
just
found
like
hey.
We
need
some
way
to
to
get
an
inventory
of
this
stuff.
C
We
need
a
way
to
to
distribute
applications
to
it.
We
need
a
way
to
con,
configure
it
and
make
sure
it's
compliant
with
what
we
think
it
should
be,
and
if
it's
not
make
sure
that
we
can
bring
it
under
compliance
and
yeah.
So
it
really
just
grew
out
of
that
and
around
I
think
it
was
like.
2018
was
our
first
official
launch
in
the
fall
of
2018,
and
then
man
yeah.
It's
been
a
fun
ride.
We
came
over
to
Red
Hat,
starting
in
March
right
when
the
pandemic
was
coming
down.
A
C
Entire
world
was
icing
over
and
we
were
kind
of
like
sliding
in
the
red
hat.
At
that
moment
of
time
we
were
one
of
the
last
teams
that
did
a
new
hire
orientation
there
at
the
red
hat
Tower
before
everything
just
kind
of
shut
down,
so
it
was
2020
and
yeah
fast
forward
here,
like
two
years,
two
quick
Years
and
we're
up
to
version
2.7
coming
out
check.
My
date,
Mina,
you
might
know,
is
it
February
8th-
is
that
when.
B
From
the
ACs
standpoint,
we
went
through
something
similar
I
think
you
get
red
hat
for
two
years
now.
You
guys
set
the
standard
for
acronym
and
we
had
to
follow
ACS
or
yeah
red
hat
Advanced
clusters
here
for
kubernetes
and
I,
think
it
makes
sense
that
we
both
kind
of
got
merged
together
right.
You
were
solving
a
very
similar
issue,
but
more
at
the
cluster
level,
I
think
even
coming
over
really
from
a
let's
say:
kubernetes
cluster
level,
I
only
thought
of
rancher
in
the
space
and
then
the
other
Cloud
providers.
B
C
C
Are
from
an
IBM
perspective,
they're
cranking
out,
Cloud
packs,
as
you
know,
and
and
those
are
all
based
on
openshift
as
the
best
platform
on
the
planet,
and
so
our
mission
really
became.
How
do
you
make
it
ridiculously
easy
to
cover
this
planet
red
with
openshift
deploying
those
clusters?
You
know
a
bunch
of
little
small
ones
out.
You
know
Edge
clusters
Central
data
center,
which
needs
maybe
some
beefier
nodes
and
stuff
like
that,
so
really
any
kind
of
range,
any
kind
of
environment,
whether
it's
Financial
or
Telco,
or
media
entertainment
Healthcare.
C
Whatever
you
name
it,
industrial
retail,
whatever
vertical
you're
hanging
out
in
there's
a
cluster,
that's
right
for
you
and
ACM
is
the
product
that
makes
it
easy
to
spray
that
cluster
out
configure.
It
apply.
Applications
on
there
even
doing
things
like
cross
cluster
communication,
like
multi-cluster
pod
networking
with
Submariner,
allowing
pods
to
communicate
with
each
other
I'd
say
at
that
time.
C
It
feels
cool
that
we
were
kind
of
early
in
on
that
problem,
I'm
not
trying
to
like
toot
our
horn
and
say
we
were
the
first
I.
Don't
think
that's
true,
but
we
we
started
to
focus
more
on
the
Enterprise
and
how
we
can
deliver
value
to
to.
You
know
larger
corporations
that
need
to
know
things
about
security
and
they
need
to
care
about
things
like
fixed
compliance
and,
what's
going
on
with
you,
know,
sock
compliance
and
all
that
kind
of
stuff.
C
So
yeah
we
really
started
to
hone
in
our
message
and
and
narrow
in
more
on
the
security
Ops
point
of
view.
How
do
we
start
to
dial
in
a
consistent
way
of
doing
this,
which
is
is
built
around
a
kubernetes
methodology
and
everything
we
were
doing
from
the
ground
up
was
based
on
a
cube
architecture
with
desired
state.
So
that's
that's
really
kind
of
how
we
got
into
this
spot
and
yeah.
C
It's
it's
great
to
see
competition
out
there,
it's
great
to
see
the
VMware
and
tanzu
like
they
started
getting
into
the
fold
the
last
few
years
and
everybody
kind
of
has
their
horse.
You
know
I,
don't
want
to
pick
winners.
I
just
want
to
pick
good
technology
and
make
sure
people
can
use
it
so
yeah
yeah.
B
I
mean
you
mentioned
a
bunch
of
competitors
and
a
lot
of
Technology
there
Mina.
What
do
you
think
are
some
of
the
bigger
challenges
regarding
you
know,
sort
of
consolidating
that
into
a
specific
message.
Like
you
know,
how
do
you
make
it
consumable
right?
Because
there
is
so
much,
let's
say,
tech
knowledge
that
you
have
to
know
to
be
able
to
convey
this
and
you're
also
relying
on
other
people
to
understand
containers
and
how
to
scale
them.
So
a
lot
of
challenges
there
wondering
how
you
consolidate
all
that.
Definitely.
A
But
you
know
it
is
at
the
core
of
hybrid
Cloud
strategy,
and
it
is
something
that's
extremely
important
if
you
want
to
scale-
and
if
you
want
to
you
know,
be
consistent
and
reduce
operational
costs,
everybody
loves
reducing
costs,
so
it's
definitely
always
there
even
for
Edge
deployments.
If
you
want
to
you,
know
think
about
the
future.
A
But
customers
always
do
need
to
think
about
this
think
about
cluster
management,
but
they
usually
don't
unless
they're
the
ones
that
are
like
manually,
managing
thousands
of
clusters
at
once.
So
that's
kind
of
like
what
we're
trying
to
do
here.
Marketing
with
this
live
stream,
even
like
talking
about
stuff
like
this,
is
to
ensure,
like
people
understand
if
you
invest
in
a
tool
like
Advanced
cluster
management.
A
If
you
focus
on
cluster
management,
you
can
scale
and
you
can
also
support
CI
CD
all
throughout,
but
I
think
that
is
a
challenge
like
making
people
understand
like
this
is
never
probably.
This
is
probably
never
going
to
be
a
Hot
Topic,
it's
probably
never
going
to
be
like
at
the
top
of,
like
you
know
the
sexiest
technology
out
there,
but
it
is
necessary
and
it
is
important.
B
A
C
To
Michael,
just
to
add
into
what
Mina's
saying
there
as
you
grow
your
business
to
a
cloud
or,
as
you
acquire
a
new
team
you're
bringing
in
a
different
skill,
set,
potentially
even
a
different
billing
model
for
how
you're
going
to
use
that
infrastructure
and
that's
part
of
the
friction
we're
trying
to
solve
those
are
cultural
differences.
As
teams
come
on
board,
those
are
Regional
differences
as
they're
using
some.
C
C
C
But
the
point
is
that
you
put
your
guardrails
in
place
so
that
before
you're
hemorrhaging
and
having
a
major
headache
experience,
you
know
the
ship
is
sinking
and
you
start
building
water
with
a
bucket.
You
want
to
know
that
you've
got
all
the
guardrails
in
place
for
that
first
cluster,
so
that
by
the
time
you
get
to
your
tenth
and
hundredth
thousandth,
it's
routine
policy
is
already
defined
in
code.
C
You
know
how
to
you
know
how
to
spin
up
a
cluster
or
Define
day
two
around
it
and-
and
you
know,
push
that
out
to
your
Dev-
your
Dev
experience
right
there.
So
I
mean
that
kind
of
brings
you
to
this
topic
of
like.
Where
do
we?
Where
do
we
see
like
ACM
in
terms
of
our
strengths?
And
you
know
we
can
create
clusters,
we
can
deploy
applications
to
them.
We
can
wire
them
together
with
networking
where
we
really
start
to
stand
out
is
in
the
security
operations
and
all
of
these
pillars.
C
Every
part
of
this
product
has
security
capabilities
within
it.
But
it's
when
we
talk
about
policy
the
way
we
approach,
governance
risk
and
compliance
as
a
policy
engine
as
a
way
to
define
desired
state
to
work
your
clusters
up
to
that
desired,
State
across
the
fleet.
We
want
that
to
be
reputable
and
policy.
Is
this
the
chunk
of
yaml
code?
It's
just
a
chunk
that
says:
hey!
Do
this
either
audit
this
for
me
like
just
inform
about
it
or
enforce
it,
go
make
that
change.
C
We
could
do
a
demo
later
on,
but,
like
you
know
something
simple
like
creating
a
namespace
or
you
know,
encrypting
at
CD
I'll
show
that
later
on.
But
those
are
the
kind
of
basic
things
we
want
people
to
wrap
their
head
around
is
using
code
in
a
repetitive
way
having
that
code
stored
in
a
repository
where
people
can
interface
with
it
and
then
being
able
to
share
that
story,
outbound
to
your
security,
Ops
Team,
so
they
can
have
audit
control
and
compliance
point
of
view.
B
Yeah
asynchronously,
especially
with
the
security
team.
That's
awesome
and
I
know
from
an
ACS
standpoint.
You
know
having
a
cluster
that
your
secured
cluster
automatically
gets
deployed
to
and
talks
to,
ACS
Central
you
have,
the
security
team
doesn't
even
need
to
know
when
you're
starting
up
a
cluster
or
creating
a
new
node
or
doing
any
sort
of
updates.
You
automatically
see
that
so
there's
especially
I
mean
cspms
and
the
whole
sales
pitch,
for
that
is
security
through
Observer
observability.
B
Excuse
me
being
able
to
see
all
of
your
assets
in
a
cloud
or
on-prem
is
is
huge
and
you
can
do
all
that
in
ACM
as
well.
Right,
you
can
see
all
your
clusters,
you
can
see
the
nodes,
all
the
resources
that
are
running,
and
so
it's
pretty
a
pretty
intense
project.
I'm
wondering
like
what
are
the:
what
are
the
downsides
of
ACM?
What
are
some
of
the
issues
or
limitations?
Let's
say
that
you
can
have
whether
it
be
the
cloud
or
just
with
cluster
management
in
general,.
C
Great
question,
I'll
start
and
I
mean
you
jump
in
I.
Think,
like
the
name,
we
already
got
past
the
name
as
a
downside,
just
bad
joke,
no
I
think
the
I
think
like
as
you
grow
right.
The
challenges
get
bigger
and
so
yeah
scale
is,
is
a
is
a
challenge
right,
like
the
devices
get
smaller,
but
the
number
of
nodes
maybe
gets
higher,
because
you're
you're
wanting
to
cover
ten
thousand
and
a
hundred
thousand
things
so
I.
C
Think
for
us,
like
that's,
really
been
our
goal,
is
we've
worked
more
closely
with
our
partners
in
the
Telco
and
Telecommunications
space?
We've
really
started
to
to
move
in
and
say
hey.
We
can
really
help.
You
understand
how
the
the
access
works
on
your
entire
Eastern
Seaboard
on
the
entire
West
Coast
as
you're
deploying
5G.
C
So
those
are
some
of
the
like
I,
wouldn't
call
downsides
what
kind
of
challenges
that
we've
faced
as
we've
grown
in
our
ability
to
to
contain
more
of
those
use
cases
and
scenarios
you
just
start
to
see
like
operationally
as
you
take
on
One
hospital
and
then
they're
like
this
is
great.
Now
we
want
all
of
our
hospitals
within
our
Network
to
start
using
this,
you
start
to
see.
Okay,
we
have
this
Hub
and
spoke
model.
C
I
know
you've
seen
it
too,
but
just
in
terms
of
the
the
rigor,
the
expertise,
the
knowledge
all
the
subject
matter,
experts
in
in
that
field
of
kubernetes,
the
Upstream
maintainers
all
of
The
Advocates
that
know
the
best
practices
around
how
to
deploy
those
nodes.
All
that
stuff,
like
we
benefit
immensely
from
that
security
model,
the
security-minded
mindset
from
A
to
Z
about
everything
that
red
hat
does
it's
just.
B
And
especially,
the
larger
I
mean
this
is
why
Cloud
platforms
get
paid.
So
much
is
the
the
less
I
have
to
worry
about
the
more
that's
curious
baked
in
the
beginning,
the
less
Downstream
effects
you're
going
to
have
if
I
know
that
encryption
is
in
every
cluster
and
certain
security
controls
are
in
the
cluster.
When
I
turn
on
ACS.
Well,
then
I
can
just
focus
on
my
applications.
I
don't
need
to
actually
go
and
go
upstream
and
yell
at
some
Ops
people
for
their
deployment
right.
B
It
actually
sounds
like
you
have
a
very
similar
issue
that
we
have
with
container
security,
where
everybody's
used
to
using
virtual
machines-
and
there
would
be
you
know
not
as
many
virtual
machines
as
containers
and
then
we
move
to
Containers
people
realize
well,
you
can't
keep
track
of
them
all
they're,
just
getting
too
small
and
they're
too
fast,
and
they
you
know
they
run
for
30
seconds.
Then
they're
gone
so
then
the
conversation
becomes
okay.
Now
we
just
need
to
start
moving
things.
You
know
upstream
and
set
our
controls
where
it's
automated,
so
we
can.
B
Actually,
you
know
get
a
get
a
grip
on
all
of
our
resources
that
are
out
there
right
and
I.
Think
that,
as
you
know,
we
get
into
hypershift
single
note
openshift.
That
ACM
is
managing.
You
start
to
run
into
that
same
issue
right
where
things
are
getting
a
lot
smaller.
How
do
your
teams
actually
understand
all
the
resources
that
are
out
there
and
how
do
you
actually
create
a
dashboard
that
can
that
can
show
all
this
information
I?
B
C
Yeah
well,
like
a
dashboard,
is
an
instantaneous,
rfe
magnet.
It's
like
you.
You
put
up
your
opinion
of
what
should
be
in
the
dashboard
and
then
there's
15
new
opinions
that
so
I
know
it
should
have
this.
It
should
have
that
yeah
like
what's
the
right
amount
of
information
to
show,
do
you
have
a
zoom
in
slider,
so
you
can
go
from
the
global
view
down
to
the
street
level.
You
know
these
are
all
things
we
play
with.
C
A
C
That
that
really
exposes
teams
to
a
view
of
the
world
that
they
probably
hadn't
considered
before
or
if
they
did,
they
probably
had
a
hammer
out
like
I,
don't
know
hundreds
of
commands
to
figure
it
out
and
just
like
one
picture
like
that,
can
really
start
to
explain
the
story
holistically.
How
is
this
application
running?
What
are
the
routes
that
have
been
exposed?
Where
are
my
points
of
egress
and
Ingress
on
this?
Those
Network
flows
that
you
guys
put
together,
Exquisite
so
well
done.
B
A
You
know
Scott
talked
about
this
earlier,
but
ACM
allows
customers
to
control
the
full
application
life
cycle
and
the
desired
State
security
and
compliance
across
multiple
data
centers,
and
then
these
controls
are
linked
to
Industry
compliance
standards
and
convey
audit
posture
to
the
security
operations
teams.
Earlier
you
talked
about
consumability,
Foster
and.
B
A
Know
when
it
comes
to
secops
teams,
you
know
consumability,
it
comes
down
to
creating
policies
and
assigning
them
dynamically.
Essentially
so
I
think,
like
kind
of
the
biggest
value
prop
of
our
governance
and
governance
and
compliance
pillar,
is
that
you're
able
to
again
comes
down
to
scale
always
take
thousands
of
thousands
of
clusters,
see
them
in
a
single
panel
and
then
push
out
your
policies
throughout,
and
this
again
comes
down
to
cost
reduces
operational
cost
because
it
just
reduces
the
amount
of
Labor
and
manual
processes
that
go
into
that.
A
But
I
think
like
when
you
think
of
ACM.
You
know
you
don't
necessarily
think
about
security
and
I
think
we
have
a
lot
of
really
great
security
tools
within
ACM,
but
when
it
comes
together
with
ACS
is
when
it
makes
when
it
makes
sense-
and
that's
kind
of
what
you
know
gave
openshift
platform
plus
life
is
how
do
you
bring
these
products
together?
A
And
how
do
you,
you
know,
make
sure
that
you're
using
all
of
their
strengths
together-
and
this
is
something
that
we're
discussing
with
the
ACs
team
right
now-
is
how
can
we
moving
forward
kind
of
convey
the
strengths
that
ACS
and
ACM
pull
together
and
how
the
security
features
that
come
from
ACM
work,
work
well
with
ACS
and
obviously
ACS
is.
You
know
the
security
expert
when
it
comes
to
platform
plus,
but
I,
think
that's
kind
of
what
it
comes
down
to
is
when
they
work
together,
they're
even
better,
but
with
ACM.
B
I
think
being
the
Auditors
off
your
back
is
also
pretty
important
right.
Everything
is
code,
you
can
say,
hey,
no
look
we're
doing
the
right
thing.
We
have
our
policy
here.
This
is
a
cluster
status
and
I'm.
Assuming
too,
you
know
if
you
set
a
policy
and
the
cluster
drifts
you're
getting
notifications
of
that
as
well.
B
C
Yeah
I'll
try
that
one
I
mean
a
great
question
and
the
challenges
really
come
down
to
network.
They
come
down
to
latency.
They
come
down
to
the
size
of
the
device.
You
know
Edge,
especially
in
the
Telecommunications
Space,
is
really
focused
on
the
5G
rollout.
Sorry
that
seems
like
a
silly
plug
here,
but
you
know
a
lot
of
the
partners
we've
been
playing
with
partnering
with
are
in
that
that
crunch
right
now
and
they're
like
we
can't
wait
to
get
this
rolled
out
in
the
next
Metro
right.
Is
that
going
to
be
Minneapolis?
C
Is
that
going
to
be
Chicago
is
going
to
be
wherever
else
so
the
challenges
really
come
down
to.
Do
we
have
the
right
technology
stack
to
support
those
applications?
Is
it
small
enough?
Is
it
lightweight
enough,
and
then
you
have
to
talk
about
the
life
cycle
of
that
stack?
How
do
you
upgrade
it
and
make
sure
that
the
application
doesn't
just
fall
over
and
you
lose?
You
know,
network
with
millions
of
people
subscribed
to
your
Towers,
so
yeah,
all
the
like
rolling
upgrades
out
to
the
fleet.
C
If
that
thing
goes
down,
then
perhaps
it's
not
keeping
an
eye
on
on
the
streets
or
on
the
airport
or
on
the
runway
or
whatever
so
yeah
I
mean
the
criticality
of
the
business
is
moving
to
the
edge
you're.
Seeing
that
more
and
more
the
constraint
size
of
those
devices,
the
sheer
number
of
those
devices.
Those
add
to
the
challenges
of
how
you
manage
out
at
the
edge.
B
Yeah,
just
I
kind
of
want
to
see
this
in
action,
but
as
a
small
cultural
comment,
I
mean
every
single
store.
I
go
to
now
has
some
sort
of
electronic
shopping
device.
Some
sort
of
inventory
management
system
when
you
walk
up
like
everything
is
going
super
smart
I
mean
how
some
of
the
fridges
are
are
smart
devices
that
need
to
be
updated
right.
So
I
think
this
is
going
to
be
a
consistent,
Challenge
and
I.
Don't
really
see
it's
shrinking
at
all,
I
mean
cars
right
I
mean
we
partnered
with
Ford
during
kubecon.
B
There's
a
lot
of
different
Technologies
moving
into
the
space,
so
I
think
that
it's
going
to
be
not
necessarily
what
you
think
of
as
tech
companies
that
are
going
to
have
this
problem
that
they're
going
to
have
to
solve
for
companies
like
any
sort
of
inventory
management
system.
Home,
Depot,
You,
Name,
It,
This,
Is
Not,
a
Home
Depot
plug
either,
but
I
could
see
the
just
you
see
it
in
in
the
industry
growing.
So
I
think
this
is
awesome.
Now
we
did
somewhat
promise
a
demo.
I
see
Dwayne
actually
come.
Is
it
possible?
B
C
B
C
Maybe
that's
what
the
zero
trust
that
Dwayne
is
talking
about
is
ensuring
that
that
part
of
the
build
and
that
part
of
the
CI
and
the
whole
world
where
the
developer
lives
is
secure.
So
from
left
to
right,
we
really
are
bookending
the
the
security
definition
here
as
part
of
openshift
platform
plus
and
HCM
ACS
working
together,
I,
don't
know
if
that's
where
Dorian
was
going,
but
that's
what
what
I
was
thinking
is
you
know?
Maybe
it's
it's
a
way
that
we
use
both
products
together
in
the
the
the
arena
that
they're
designed
in.
B
Yeah
I
from
my
brief
stint
in
research
I
think
a
lot
of
it
has
to
do
with
how
data
shared
and
a
lot
of
the
way
the
jobs
are
run.
So
it's
you
know,
there's
some
hacks
that
happen
with
Jupiter
Hub
and
different
applications
that
allow
some
access
to
database.
That
shouldn't
be
there
and
I.
Think
that
as
we
get
more
Ai
and
more
Health
Data,
you
know
HIPAA
and
things
like
that.
B
We
don't
exactly
want
to
be
sharing
these
databases,
100
that
that
that's,
my
guess,
Dwayne
correct
me
if
I'm
wrong,
but
no
I,
think
that's
awesome.
Now
we
did
somewhat
I
heard
a
promise
of
a
demo,
a
slight
whisper
rumor
yeah.
You
have
something
prepared
for
us:
I,
don't
want
to
put
you
on
the
spot.
C
You
can
see
I've
got
clusters
that
are
spread
across
across
a
bunch
of
different
clouds,
even
my
my
vsphere,
like
on-premise
estate
there,
and
really
just
in
terms
of
like
the
overview
like
you
said.
What
do
you
do
so
we
can
launch
to
grafana
and
we
can
have
like
a
board
in-depth
view
of
all
this,
but
this
is
just
kind
of
an
overview
and
you
start
to
see
where
I've
got
clusters
with
violations.
This
really
speaks
to
the
language
of
policy
and
and
helping
me
dial
into
this
is
a
perfect
environment.
C
I
have
nothing
that
has
a
a
perfectly
green
Mark
against
it.
So
this
demo
is
is
broken
from
the
start.
Everything
needs
work,
which
is
great,
but
you
can
see
we're
scanning
across
nine
clusters,
something
like
2,
000,
pods,
41
nodes,
and
then
you
know
down
here,
I'm,
also
bringing
in
some
insights
directly
from
Red
Hat.
C
But
this
you
know
like
pre-can
dashboard,
like
I,
said
before
it
doesn't
speak
everybody's
language,
but
just
kind
of
gives
you
a
glimpse
of
where
we
are
in
this
environment
from
there.
You
know
if
I
just
want
to
talk,
govern
it,
and
specifically,
this
is
where
we
start
to
really
cater
in
towards
the
security
Ops
towards
the
the
audit.
You
know
the
controls
team,
we're
speaking
their
language
with
standards
and
categories
and
controls.
C
You
know,
I
can
start
to
look
at
my
nist
standards
here
and
I
can
really
dial
in
and
start
to
to
really
go
into
that
language
and
the
jargon
of
Baseline
controls
and
security
assessments
so
as
I
have
to
like
pivot.
The
work
I've
been
doing
today
and
like
in
one
minute,
I'm
a
platform
engineer
and
I'm
configuring
clusters
in
the
next
minute.
Someone
Taps
on
my
shoulder
and
says:
bro
like
do
you
have
it
all
configured
for
this
or
that,
like
you
know,
I
can
I
can
turn
it.
So
yeah,
look
here's!
C
Have
policy
sets
that
help
me
group
together
policies
but
like
let's
just
take
a
look
at
a
policy
and
feel
free
to
interrupt
if
there's
something
that
doesn't
make
sense
or
if
it's
not
showing
well
on
your
screen,
I'm
just
going
to
quickly
grab
one
that
I
know
is
in
here.
This
is
my
SCD
encryption
policy.
You
can
see
it's
it's
it's
adhering
to
the
nist
853
for
protection
of
security
at
rest
on
the
communications
protection.
C
There
it's
been
enabled
right
now,
it's
just
informing
so
just
telling
me
what's
up
and
I
can
tell
that
there's
two
clusters
that
are
in
good
shape.
So
if
I
click
in
here
and
just
want
to
get
some
more
details,
I
can
see
it's
it's
two
clusters,
local
cluster
in
Carolina
and
again
it's
system
forming.
C
So
just
give
me
like
an
audit
picture
and
let's
see
what
that
looks
like
you
know,
I
was
telling
you
before
Michael
like
what's
what's
cool
for
me,
is
when
I
can
see
the
code
like
how
this
has
been
defined
and
what
we
really
want.
People
to
start
to
understand
is
this
SCD
encryption.
It
really
kind
of
boils
down
to
one
simple
section
that
you've
probably
seen
before
as
you've
defined.
C
You
know
encryption
on
your
cluster,
which
is
tell
the
API
server
to
go
encrypt
itself
and
basically
that's
how
you
would
do
like
an
OC
apply
if
you
were
gonna
or
OC
ADM
like
if
you're
going
to
run
some
commands
to
go.
Do
that
manually
by
wrapping
that
in
a
policy
as
code
I
can
now
repeat
this
across
a
bunch
of
clusters
by
by
using
placement,
and
in
this
case
I'm
just
saying
any
environment,
will
the
label
of
production
I
wanna
I
want
to
you
know
encrypt
NCD,
so
go.
C
Do
it
another
part
of
this?
Is
this
yaml
code
like
I,
wouldn't
even
be
able
to
make
changes
in
here,
because
this
is
all
store
to
get
so
I
have
the
ability
to
just
point
to
that
repository
and
I
can
say
and
I
don't
know
if
this
is
going
to
open
or
not?
Maybe
it's
a
new
tab,
but
these
are
the
these
are
actually
the
The
Source
get
definitions.
These
are
actually
the
source
gambles
of
that
policy.
That
was
just
on
the
screen,
and
you
can
see
it's
the
exact
same
stuff
here.
C
That
I
was
telling
my
policy
to
do
so.
We
have
kind
of
training
wheels
like
hey
I,
just
want
to
go
in
and
start
creating
this
policy
I'll.
Do
it
directly
locally
on
that
UI
and
then
over
time,
I
build
up
my
capability
I
build
up.
My
repertoire.
I
can
generate
those
policies
directly
from
the
source,
manifest
that
you
might
already
have.
C
You
might
already
have
some
yamls
sitting
around
that
you
use
for
like
day
two
configuration
think
about
creating
limits,
creating
roles,
role,
bindings
users,
HT
password,
account
all
the
kind
of
stuff
you
do
on
day.
Two
to
configure
cluster
I
can
take
those
directly
as
they
are
drop
those
yamls
in
the
policy
generator
and
create
these
policies,
which
I
can
now
enforce
out
to
the
fleet.
Yeah.
B
C
I
just
created
this
one
for
East
and
I'm,
going
to
enforce
it
and
I
actually
want
to
place
this
out
to
any
of
my
environments
and
the
you
know:
I,
don't
even
think
I
have
a
region
yet.
But
let's
do
this,
let's
just
say:
region
equals
I'm,
adding
one
on
the
phone
on
the
Fly
here
create
region
and
the
value
is
going
to
be
East.
C
C
C
There
does
anything
match
region,
East
and
the
answer
should
be
no
because
I
know
for
sure
I,
don't
I
don't
have
that
label,
but
what
I
can
do
is
I
can
I
can
start
to
go
into
my
clusters,
and
this
is
where
you
understand
like
once.
You
create
a
policy,
but
once
you
have
that
relationship
defined
any
new
cluster
that
you
create
any
yeah
any
cluster
that
you
import.
Let's
say
from
a
different
user
group
like
all
of
a
sudden,
you're
onboarding
100
clusters,
all
I
have
to
do
is
have
that
label.
C
C
Has
a
Pac-Man
game
deployed
I
know
it's
in
Cloud
Azure
like
it's
got
some
other
labels
that
are
doing
things
there,
but
let
me
go
back
real,
quick
and
find
that
policy
and
show
you
what's
going
on.
I
think
it
was
called
East
something
yeah.
So
now,
all
of
a
sudden
it
has
one
cluster
that
has
a
violation.
C
It
doesn't
have
the
full
status
yet,
but
we
went
from
zero
to
one
and
it's
matched
it
on
the
Arrow.
That's
where
my
label
was
and
I
can
start
to
drill
in
and
I
can
see
exactly
what
it's
doing.
So
it's
getting
more
results
as
it's
scanning
that
API
server
and
figuring
out
what's
going
on.
Is
it
actually
encrypted
yet
hasn't
found
it?
It's
still
doing
the
work.
C
It
takes
probably
30
seconds
to
a
minute
to
come
back
on
that
cycle,
but
the
point
is
now
I've
defined
this
policy
for,
for
the
group,
like
you
were
saying,
Mike
like
well
I
just
wanted
to
find
it
on
this
group,
and
now
it's
found
it's
violated.
So
that's
just
updated.
Since
it's
got
enforced
here,
it's
actually
going
to
go.
Do
that
work.
So
it's
in
the
process
of
enforcing
that,
which
means
it's
going
to
go
and
force
SCD
encryption
on
this
Aero
server.
C
This
is
an
Azure
cloud
and
you'll
see
this
come
back
and
that
yeah
it
looks
like
a
few
seconds
ago.
It's
just
come
back
with
the
details
that
it
has
finished
its
work,
and
that
was
the
policy
again.
It's
it's
basic
example
of
etcd
encryption,
but
I
created
that
one
locally
here
in
the
UI,
just
to
kind
of
give
you
the
view
of
the
training
wheels
on
now.
You
have
this
block
of
code
like
this
is
repeatable.
I
can
go.
C
Take
this
and
version
that
within
my
bit
bucket
or
you
know,
git
repo
I
can
make
sure
I
have
PR's
and
like
four
eyes
of
review
as
I
go
through
this.
If
I
want
to
iterate
this
code
or
make
some
changes
to
it,
but
yeah
I'm,
giving
you
all
the
keys
to
the
kingdom
really
like
in
your
hands
and
allowing
you
to
move
forward
with
that
with
repeatability
across
your
Fleet
any
other
cluster.
C
C
A
A
C
Absolutely
yeah,
and
and
also
as
they
grow
with
ACM
I,
mean
it's
kind
of
like
training
wheels.
It's
also
like
just
great
from
an
audit
perspective.
You
know,
do
I
have
Argo
CD
like
do,
I
have
openshift
get
Ops
operator,
deployed,
here's
one,
that's
the
compliance
operator
and,
and
so
I'm.
Just
using
this
as
an
informed
way
to
show
me
I
have
the
the
operator
that
I
want
deploy,
do
I
have
it
deployed
at
the.
A
C
Version,
yes,
okay,
these
three,
these
two
clusters-
it
is
these
ones-
have
violations
so
they're.
It's
not
deploying
the
compliance
operator
in
the
way
that
I
expect
it
to
be
and
that
I'd
have
a
chance
to
go
fix
that
I
have
a
chance
to
go
remediate
and
and
adjust
that
other
examples
would
be
like
performing
upgrades.
That's
one
I
like
to
see
where
you
know
I've
got
all
the
operators
out
there.
C
On
yeah,
let's
do
it:
let's
go
to
412.
I'm,
going
to
say
it's
4.12.0,
so
now
I
have
this:
let's
see
where
I'm!
Oh
I,
don't
want
to
do
this
on
my
local
cluster.
Let's
try
a
different
one.
Let
me
pick
my
this
is
getting
a
little
squished
up
on
my
screen.
I,
don't
know
about
you!
Let
me
just
pick
the
cluster
by
name.
Okay,.
B
C
In
this
one
I'm
going
to
do
is
I,
don't
want
that
I
want
I'm
just
going
to
do
it
like
upgrade.
I'm
gonna
make
a
new
label.
How
about
that
upgrade
now
and
I'm
gonna
go
put
this
on
a
cluster
that
I
know
should
be
able
to
handle
it
and
then
we'll
see
what
happens?
Oh,
it's
going
to
be
an
inform
anyway.
This
is
good,
so
we're
doing
the
training
wheels
example
and
I'm
going
to
take
Carolina.
C
You
can
see
it's
currently
at
four
eleven,
nine
and
I'm
going
to
add
that
label
for
upgrade
now
and
the
label
is
how
we
reconcile
the
work
it
says:
hey
do.
I
have
work
to
do.
Okay,
I've
got
a
new
label
and
I
can
click
on
Carolina
and
I
can
see.
You
know
it's
setting
the
distribution
of
411.,
it's
actually
I
guess.
Maybe
at
some
point
we
had
set
the
fast
forward.
12
I'm,
not
sure
this,
so
this
could
be
interesting,
but
what
it's
going
to
effectively
do?
C
Is
it's
going
to
start
applying
that
policy
against
that
cluster
and
in
theory,
if
this,
if
this
does
what
I
think
it
should
it
should
update
that
version
distribution
to
kick
off
the
upgrade
now
I
could
manually
do
that?
I
can
click
here
and
I
can
go
to
the
latest?
You
know
version
in
my
stream.
I
probably
should
have
done
some
better
homework
on
this
demo
and
I.
Don't
know
if,
like
a
411
9
can
actually
go
to
412..
It
may
not
be
in
the
upgrade
graph.
That's
something
that
that
gets
me.
C
C
C
B
B
B
C
If
they
even
try
to
admit
something
to
the
cluster
Version
Control,
it
would
just
block
it
immediately
at
the
admission
and
say
no
we're
not
going
to
let
you
do
that
and
then
that
would
give
full
control
basically
to
the
platform.
Engineers
that
says,
I
control
this
cluster
and
I
can
I
can
control
it
with
policy
to
initiate
it
when
I
want
it
to
happen.
Things
like
that.
C
Yeah,
oh
there
it
just
flipped
to
stable
412.
It
hasn't
quite
so
out
there
on
the
cluster
on
that
manage
cluster,
it's
actually
figuring
out
the
upgrade
graph.
You
know
as
it's
doing
its
thing
and
then
it's
going
to
tell
me
either
it's
begun
the
upgrade,
or
maybe
something
failed
like
something
just
didn't.
Go
well,
I'm,
not
logged
in
on
that
cluster
right
now.
But
it's
feeding
that
information
back
to
me,
but
for
sure
I
can
see
the
sign
that
my
enforcement
worked
because
I
went
to
stable,
412
right
here.
C
Are
real
clusters?
I
mean
you
could
be
putting
kind
clusters
or
some
other
garbage
in
here,
but
we
try
to.
We
try
to
live
with
reality
as
much
as
we
can
and
then
from
a
yeah.
So
from
the
policy
perspective,
it
now
is
reporting
that
it
has
updated
the
cluster
version
to
the
to
the
version
I've
told
it
to,
and
now
that
upgrade
is
you
know
basically
taping.
B
C
B
B
A
B
Yeah
that
reminds
me
I
know
what
red
hat
we
want
to
use
openshift
Commons
as
a
space,
for
you
know,
customers
and
users
to
share
that
information.
So
I
think
we
want
to
create
a
security
Channel
coming
up.
Kim
and
I
would
have
to
be
a
part
of
that
where
you
know
policy
collections
or
you
know
our
back
controls
of
ACS
or
policies
with
ACS
as
well.
Everything
can
be
shared.
Just
don't
allow
new
users
to
onboard
quicker
too
right.
I!
Think
that's!
The
goal
is
to
see
leverage.
B
There's
one
ACS
question
always
nice
to
hear
the
scanner
working
so
fast.
So
how
does
image
scanning
work?
First
time
you
install
ACS
into
your
cluster?
It
takes
it
goes
through
and
takes
an
inventory
of
all
of
your
images
that
are
there,
which
means
that
all
we
have
to
do
whenever
anything's
updated
is
just
take
that
next
little
image
layer
and
scan
it.
Now,
if
you
go
and
have
a
complete
new
container
it'll,
be
you
know
a
little
bit
slower,
but
in
general
it's
the
caching
that
makes
it
super
fast
and
I.
B
C
C
Maybe
in
my
vision,
my
dream
of
the
world
that
that
person
could
could
take
it
on,
but
just
make
a
quick,
easy
button
where
they
could
start
to
onboard
policies
directly
out
of
the
policy
collection
or
even
the
stable
ones
that
I
already
have
in
the
Box.
Give
me
some
fine-tuned
examples
that
work
perfectly
every
time.
C
Those
kind
of
experiences
and
like
you've,
talked
about
with
ACS
and
ACM,
working
together,
better
sharing
of
information.
You
know
like
when
you
find
those
build
scan
problems
when
you,
when
your
network,
tooling
surface
system
issues,
let's
inform
each
other
right
like
these,
are
some
areas
we
can.
We
can
continue
to
collaborate
as
we
go
forward
to
enrich
it
and
make
it.
You
know
one
plus
one
should
equal
10.
right
like.
C
B
And
especially
because
you
know
we
have
enforcement
mechanisms
in
ACS
for
cluster,
even
host
scanning
coming
in
a
few,
the
new
releases.
If
we
can
push
that
to
ACM
where
we
can
have
the
policy
that's
created,
and
then
all
we
need
to
do
is
just
kind
of
watch
to
make
sure
nothing
gets
out
of
whack.
You
know,
then
we're
both
better
off
for
it.
We
send
less
slack
messages
to
each
other.
C
Yeah
platform
engineering
seems
to
be
the
big
catch-all
for
all
all
the
problems,
but
you
know
I
think
what
you're
really
driving
out
Mike
is
making
sure
that
the
dev
experience
is
still
promoted
with,
like
the
spotlight,
like.
Let's
make
it
easy
for
humans
to
get
access
to
what
they
need,
and
you
said
something
early
on
in
the
cast
today.
It
was
like
we're
we're
kind
of
focusing
a
lot
on
clusters
and
life.
C
Take
them
on
things
like
hypershift
is
making
it
faster
to
get
clusters
more
ephemeral
clusters
like
playground,
environments,
things
like
templates
that
can
make
it
very
easy
to
stamp
them
out.
So
those
are
areas
that
we're
working
on
and
moving
towards
to
make
it
just
friction,
free
to
get
the
environment
and
start
getting
to
work.
B
C
B
B
C
B
C
B
No
worries
and
I
think
you
obviously
have
a
bunch
of
things
coming
up
at
Summit
as
well
right
and
kubecon
EU.
It
will
always
be
big,
so
I'm
sure
you'll
see
some
more
you'll
see
us
there
until
next
time.
Next
month.
Third
Tuesday
of
the
month,
Kim
and
I
will
be
back.
Hopefully,
Kim's
internet
service
will
be
working
speaking
of
5G
rollouts
going
poorly,
but
yeah.
Thank
you
again
so
much
for
coming
on
the
stream
and
we
hope
to
see
you
next
month
take
care.
Everyone.
Thank.