►
From YouTube: OCB AMA: OPA Gatekeeper: Centralized Policy and Governance - Jaya Ramanathan (Red Hat)
Description
Join us for this Ask Me Anything (AMA) Session on Kubernetes centralized policy management.
Red Hat’s Jaya Ramanathan and Yu Cao will talk about using policy-based governance for admission and audit scenarios across multiple clusters and demo how this can be done using OPA Gatekeeper with the Red Hat Advanced Cluster Management (ACM) policy engine.
Guest Speaker(s):Jayashree Ramanathan, Yu Cao and Kirsten Newcomer (Red Hat)
Hosted by Paul Morie and Diane Mueller (Red Hat)
B
A
C
Hi
everyone.
Thank
you,
diane
hi
everyone.
Thank
you
for
this
opportunity.
I
am
jaya
ramanathan.
I
am
the
chief
security
and
governance
architect
for
our
advanced
cluster
management
offering,
and
I
have
with
me
youth.
He
is
the
squad
lead
for
our
security
and
governance
capabilities
within
both
of
us
work
on
this
project
called
advanced
cluster
management
for
kubernetes
within
red
hat,
and
we
also
have
an
upstream
community
called
open
cluster
management.
C
Okay,
this
chart
basically
talks
about
the
various
security
and
compliance
challenges
that
customers
face
when
they
adopt
cloud
specifically.
The
key
thing
I
wanted
to
highlight
here
is:
customers
generally
have
to
meet
various
enterprise
standards,
as
well
as
industry
standards,
for
example,
if
they
are
in
regulated
industries
like
financial
healthcare,
etc,
they
have
to
make
standards
like
pci,
hipaa,
etc,
and
they
also
want
to
adopt
open
technologies,
and
they
typically
have
to
deal
with
more
than
one
cloud
provider,
and
they
also
need
to
go
through
multiple
audits.
C
C
C
C
So
that's
kind
of
the
overall
approach
of
policy-based
governance,
so
I
want
to
introduce
some
terminology
here
just
to
level
set
what
we
are
talking
about
here.
So
if
you
think
about
policy
based
governance
right,
so
there
is
a
policy
authoring
point
where
the
policy
is
specified.
Now
this
authoring
point
could
be
either
the
console
or
it
could
be
a
cli
or
it
could
be
githubs.
C
Our
preferred
methodology
is
githubs,
the
reason
being
that
allows
you
to
manage
policies
just
like
you
will
manage
source
code,
so
you
define
all
the
policies
in
git
and
then
within
our
acm
product
you
can
define
a
subscription
to
pull
those
policies
and
deploy
them
onto
the
managed
clusters.
So
that
is
our
policy
management
point.
So
this
distributes
the
policy.
It
consolidates
policy
violations
across
a
fleet
of
clusters.
C
It
also
allows
you
to
enter
integrate
with
enterprise
tools
from
a
central
point,
because
that
is
how
customers
view
the
cloud
as
just
an
extension
of
the
of
their
existing
id
infrastructure.
So
they
want
the
management
to
integrate
with
their
incident
management
systems,
security
operations,
center,
their
enterprise,
grc
tools,
etc.
C
So
and
then
the
policy
enforcement
point
can
optionally
invoke
a
policy
decision
point
to
check
whether
a
specified
policy
matches
how
control
is
configured
now.
In
some
cases,
the
policy
enforcement
point
may
itself
do
this
check,
but
in
other
cases
you
could
invoke
a
pdp
and
the
gatekeeper
oppa
integration
is
one
such
example
and
kubernetes
is
another
example.
C
So,
based
on
this
terminology,
here
is
the
overall
architecture.
So,
as
you
can
see
here
on
the
management
hub,
this
is
where
the
policies
are
defined
and,
as
I
mentioned,
it
can
come
through
from
git
or
it
could
be
through
ui
or
cli,
and
then
from
here
it
gets
distributed
to
the
managed
clusters.
And
then
here
you
have
the
various
policy
consumers.
These
are
essentially
the
policy
enforcement
points
that
I
talked
about
and
then
the
these
results
are
then
collated
back
and,
and
so
you
have
everything
available
in
a
central
manner.
C
These
are
all
the
orange
items
in
this
chart
are
things
that
are
roadmap
items
so
now
I
want
to
drill
down
into
details
of
how
we
have
integrated
with
gatekeeper
and
oppa.
So
let
me
start
with
the
quick
overview
of
gatekeeper
and
oppa,
so
gatekeeper
allows
you
to
evaluate
compliance
of
cube,
rented
resources
to
specified
policies
and
what
it
leverages
under
the
covers
is
oppa
and
oppa
is
the
policy
engine
that
it
uses
now.
C
Oppa
itself
accepts
policies
in
a
language
called
rego,
so
think
of
gatekeeper
as
providing
the
bridge
from
oppa
to
kubernetes
to
the
humanities
world.
So
it
allows
you
to
specify
the
policies
as
kubernetes
constraints,
which
can
which
can
in
turn
contain
the
rego
constructs
and
gatekeeper
can
then
consume
those
and
because
it
registers
itself
as
a
policy
enforcement
point
through
the
web
hook,
and
so
it's
now
able
to
pass
on
those
regular
constructs
to
oppa
and
use
opa
to
do
the
actual
checks
of
whether
the
policy
is
complied
to.
C
C
C
So
in
order
to
complete
the
picture,
there
were
a
couple
of
things
we
had
to
do
in
in
terms
of
how
we
integrated
gatekeeper
and
opa
into
acm.
First
of
all,
we
deliver.
We
are
delivering
going
to
deliver
operator
that
can
deploy
gatekeeper
and
oppa,
and
so
this
is
this.
Work
is
actually
progressing
in
the
upstream
community
and
what
we
have
done
is
we
have
forked
the
community
and
made
it
part
of
our
open
cluster
management
downstream.
C
C
Now
the
deployment
of
operators
itself
is
represented
as
a
cr,
so
by
delivering
gatekeeper
opa
as
an
operator
now
you
can
just
define
a
acm
policy
that
ensures
that
this
operator
is
deployed
on
the
managed
clusters.
So
that's
so
that's
so
we
are
going
to
provide
that.
In
addition,
we
also
you
can
also
use
acm
to
define
policies
to
on
what
gatekeeper
itself
is
enforcing
right.
So
the
constraints
that
I
talked
about
so
those
can
be
also
authored
within
rackham
and
propagated
to
the
managed
clusters.
C
C
So
in
the
case
of
the
admission
scenario,
we
just
we
have
a
rackham
config
policy
that
can
process
the
events
that
are
generated
by
the
gatekeeper
webhook
and
in
the
case
of
audit
scenario,
we
look
for
the
status
field
in
the
gatekeeper
constraints.
So
so
we
are
able
to
pull
both
this
information
back,
as
I
showed
in
the
architecture
into
the
central
acm
hub
and
display
the
results
there.
C
So
this
architecture
diagram
pictorially,
depicts
what
I
talked
about.
So
you
have
the
rackham
hub
and
then,
which
is
distributing
policies
to
your
managed
cluster
and
within
the
manage
cluster
you
have
the
config
policy
controller
and
because
we
have
this
built-in
config
policy
controller,
the
whole
integration
with
gatekeeper
oppa
is
happening
just
through
the
authoring
of
these
policies.
So
you
really
don't
have
to
write
any
code.
C
C
So
you
is
going
to
give
us
a
demo
on
on
these
capabilities,
but
before
I
hand
it
over
to
you,
I
also
want
to
highlight
that
we
have
also.
We
also
have
integration
in
place
with
acm
for
the
openshift
compliance
operator,
which
is
another
an
example
of
an
operator
that
can
be
deployed
on
the
managed
cluster
and
through
a
raccoon
policy.
C
C
C
C
C
So
you
have
various
controls
within
this
security
controls
within
this
catalog
and
and
then
for
each
of
the
controls
you
can
see,
we
have
defined
policies
so,
and
you
is
going
to
show
us
a
demo
of
the
compliance
operator
policy
that
can
deploy
the
compliance
operator
and
also
this
essentially
security
profile
policy
that
allows
you
to
scan
the
manage
cluster
for
this
particular
security
profile
and
then
for
gatekeeper
and
oppa.
We
have
policies
as
well,
and
then
there
is
the
other
folder
here,
which
is
the
community
folder.
C
So
the
community
folder
is
where
we
invite
contributions
from
the
community,
and
these
policies
are
also
organized
in
terms
of
the
nest.
853
standard
and
the
gatekeeper
policies
currently
are
in
the
community,
and
the
reason
is
because
we
are
currently
working
on
an
acm
release
where
we
are
productizing
this
capability,
so
they
write
down
sit
in
the
community,
so
you
have
a
gatekeeper
operator
policy
that
allows
you
to
deploy
the
gatekeeper
operator
and
then
we
also
have
other
policies
for
gatekeeper,
contributed
here
as
well.
C
So
so
you
can
see
here.
We
also
have
third
party
contributing
policies
here.
So
you
will
see
here
a
policy
from
cystic.
They
have
contributed
a
policy
for
their
operators.
So
the
reason
I
wanted
to
highlight
this
is
to
invite
contributions
from
the
community,
so
we
are
also
working
with
various
customers
to
have
them
contribute
here
as
well.
C
A
C
Yes,
so
we
are
active
participants
of
the
gatekeeper
community.
You
who
is
here
on
the
call
with
me,
along
with
a
couple
of
others
from
red
hat,
are
active
contributors
there
as
well,
so
we
are
watching
the
space
there
and
our
goal
is
to
keep
up
with
any
enhancements
that
are
made
in
gatekeeper
and
associate
policies
and
track
them
to
adopt
those.
Yes,
that's
circle.
A
C
A
C
D
Okay,
all
right
so
hi
everybody,
my
name
is
utau,
so
I'm
the
dev
lee
for
welcome
security
and
compliance
team.
So
today
I'm
going
to
do
a
quick
demo
for
how
you
can
use
record
policy
to
install
gatekeeper
and
then
apply
a
keeper
constraint
on
the
manage
cluster
and
then
report
any
violations
it
detects.
So,
first
of
all,
let
me
recap
a
little
bit
about
the
the
governance
and
risk
architecture
in
recon
products.
So
if
you
go
to
our
product
a
documentation,
there's
an
overall
architecture
diagram
here.
D
So
if
you
click
on
it,
you'll
see
a
large
diagram,
so
the
the
governance
policy
framework
we
put
in
place.
It
really
consists
consists
of
multiple
piece
right.
So
there's
a
one
piece
on
the
top
and
there's
a
few
piece
on
the
manage
cluster
so
on
the
left
so
on
hub.
So
we
have
policy
propagator,
which
responsible
for
propagating
the
policy
from
hub
to
manage
cluster,
so
how
it
how
it
does
is
so
when
you
create
a
policy,
you
need
to
also
create
a
placement
binding
and
placement
rule.
D
So
if,
if
you
look
at
that
example
here,
so
we
have
a
policy
crd,
which
is
the
crd
that
we
use
to
embed
your
embed,
your
the
real
policy.
So
if
you
look
at
the
crd
definition
here,
so
we
have
a
field
called
policy
templates,
so
inside
templates
you
define
the
actual
policy.
You
want
to
apply
on
your
manage
cluster,
so
you
can
you
can
you
can
create
a
policy
with
multiple
policy
templates
using
different
policy
language
and
then,
once
this
is
created,
you
create
a
also
create
a
placement
rule.
D
So
since
rackham
is
managing
the
purp,
is
a
control
plane
then
managing
multiple
clusters
right.
So
so,
when
you
import
a
cluster,
you
can
label
your
cluster
so
the
place
more
simply
here
is
you
can
select
a
class
cluster
either
you
using
the
the
label
selector,
so
we
call
custom
selected.
But
what
really
does
is
it's
using
labels
on
the
cluster
so
that
you
can?
D
You
can
select
a
a
subset
of
cluster
of
a
device,
for
example,
in
this
case
it's
all
your
dev
clusters
and
then
create
a
placement
binding
that
us
find
the
policy
and
placement
together.
Basically
tell
our
policy
propagator:
this
policy
needs
to
be
applied
to
these
clusters,
so
this
is
how
we
propagate
policy
to
manage
cluster.
So
the
reason
I
explained
this
is
so.
D
This
is
the
framework
that
to
distribute
policies
and
the
actual
actual
the
actual
policy
that
is
being
executed
or
evaluated
on
the
manage
cluster
is
we
call
it
policy
controllers
or
policy
consumers
on
the
managed
clusters,
so
the
framework
propagates,
the
policy
to
manage
cluster,
distribute
them
to
manage
cluster
and
then
hand
it
over
to
the
actual
policy
consumer
installed.
On
your
manage
cluster,
for
example,
the
gate
gatekeeper.
D
Policy,
consumer
or
compliance
operator,
or
the
outer
box
policy
controller
that
we
ship
raccoon
ship,
for
example
the
configuration
policy
controller.
So
once
it
is,
it
reached
the
magic
cluster.
The
the
actual
policy
consumer
on
the
magic
cluster
will
will
apply,
evaluates
the
the
policy
passed
passed
in
and
then
return
and
then
generate
results
and
the
policy
framework
will
retrieve
those
results
and
return
it
to
the
hub.
So
that
you
can
you
can
view
the
results
through
a
single
control
plane
using
recom
console.
D
D
Now
so
now,
let's
take
a
look
at
the
actual
gatekeeper
policy,
so
we've
talked
about
that.
We
can
use
the
raccoon
policy
to
install
gatekeeper
and
we
can
also
use
a
record
policy
to
apply
gatekeeper
constraints
and
then
collect
the
results
back
to
hub.
So
this
is
done
through
defining
record
policy.
So,
as
jaina
mentioned
in
this
policy
collection
repo,
you
can
find
you
can
find
the
gatekeeper
operator
policy
and
also
some
a
few
other
gatekeeper
policy
that
actually
deliver
applying
certain
constraints
on
your
clusters.
D
For
example,
the
first
the
gatekeeper
operator,
gatekeeper
operator
is,
is
an
f
as
an
effort
that
we
will
be
actually
involved
in
the
upstream
community,
so
the
geek.
What
gatekeeper
operator
does?
Is
it
packs
it
packages
the
gatekeeper
as
a
open
shift
operator,
the
operator
responsible
for
the
life
cycle
of
gatekeeper,
so
it
can
install
gatekeeper,
it
can
delete
gatekeeper.
You
know,
of
course
we
are.
We
will.
We
are
also
working
on
upgrading
those
kind
of
stuff,
so
it
controls
the
whole
lifecycle
gatekeeper.
D
It
simply
makes
installing
gatekeeper
easier,
with
gatekeeper
being
delivered
as
a
gatekeeper
operator
in
orm
or
in
ocp
catalog.
You
can
use
a
rackon
policy
to
to
insta
to
to
install
gamekeeper
across
all
your
managed
cluster.
So
what
you
need
to
do
here
is
you
define
a
policy
crd
policy
cr
here
and
then
it
includes
multiple
templates.
So
just
very
similar
to
how
how
you
install
an
operator
from
om,
so
you
create
a
namespace.
D
We
defined
a
catalog
source.
Currently
the
gatekeeper
operator
is
not
published
yet
so
we
have
to
define
a
custom
catalog
source,
and
then
you
create
a
operator
group
to
tell
operator
which
namespace
to
operate
on
and
then
the
subscription
to
subscribe,
the
the
catalog
to
pull
down
the
gatekeeper
images
and
and
so
and
then
and
then
you
create
this
gate
keeper
cr.
This
keeps
it
keepers
here
is
part
of
gatekeeper
operator,
so
it
tells
you
how
to
configure
gatekeeper.
So
if
you
create
this
cr8,
the
gatekeeper
operator
will
install
the
gatekeeper
based
on
the
spec.
D
The
configuration
provide
if
you
delete
the
state
pvcr,
the
gatekeeper
operator
will
delete
the
gatekeeper
instance
on
your
cluster.
So
here,
as
you
can
see,
we
are
pulling
in
an
image
from
from
upstream
gatekeeper
as
this
is,
and
then
we
enable
the
admission
events
flag
so
that
we
can.
We
can
so
that
when
there's
a
violation
january
for
for
for
any
new,
when
there's
a
violation
generated
generally
for
any
new,
is
the
new
resource
cr
created
on
language
cluster?
That
being
that
was,
that's
is
blocked
by
the
skate
keeper.
D
It
will
generate
equipment,
kubernetes
events,
so
this
is
for
the
purpose.
This
is
for
the
purpose
for
raycom
to
be
able
to
collect
the
result
for
a
diminishing
admission
scenario.
So
then,
so,
once
this
this,
this
policy
is
created,
you
you
will
and
create
it.
Then
it
will
based
on
the
cluster
selected
here
right,
so
it
will
install
the
the
gatekeeper
operator
on
manage
cluster.
So
for
this
is
the
rackham
console.
So
I
have
a
gatekeeper
operator
policy
installed
here.
D
D
This
is
the
match
cluster
and
then,
if
you
go
to
operator
here,
go
to
installer
here,
you'll
see
gatekeeper
operator
here,
so
it
is
so
very
simple.
So
the
you
just
need
to
use
this
operator.
You
just
need
to
use
raccoon
to
install
this
operator
for
you
and
then
the
gatekeeper
is
installed
on
a
managed
cluster.
D
So
now,
let's
take
a
look
at
how
you
can
apply
gatekeeper
constraints
and
then
report
report
violation
back.
So
installing
gatekeeper
is
just
the
first
step
right.
What
was
really
what
really
has
value
is
you
want
to
apply
gatekeeper,
constrain
and
constrain
template
and
then
collect
results
back
so
here
we
I
create
a
sample.
I
create.
I
create
a
gatekeeper,
somehow
policy
here,
so
I
think
it's
easier
to
look
at
in
here
in
vs
code,
so
gatekeeper.
D
D
If
we
look
at
the
details
right
this,
this
is
actually
leveraging
the
configuration
policy,
which
is
the
outer
box
policy
consumership
in
gracom.
So
what
it
does
is
what
it
does
is.
It
can
create
update,
delete
resources
on
the
cluster
based
on
the
template.
Object
definition
you
provide.
So
if
you
look
at
the
the
sr
crcr
fields
here,
so
you
create
a
configuration
policy,
it
has
object
templates
inside
the
specs.
So
in
this
object
templates
anything
defining
this
object.
Template
template
field
is
the
actual
cr
you
want
to
create
in
this
example.
D
D
D
So
what
you
just
need
to
do
is
you
just
need
to
embed
the
constraint,
template
inside
a
configuration
policy
and
then
put
it
into
policy
cr
which
is
responsible,
distributed
across
automatic
cluster,
that
so
that's
how
how
the
constraint
template
is
delivered
to
manage
cluster.
So
you
don't
you
don't
have
to
write
any
code.
You
just
need
to
create
this
policy
and
embed
your
constraint
template
same
for
the
constraint
here.
D
Then
the
recom
policy
framework
will
create
these
two
crs
on
the
cluster
you
on
the
cluster
and
then
and
then
gatekeeper
is
gatekeeper
instance.
The
controllers
will
take
over
and
and
evaluate
these,
these
two
cr.
So
if
you
look
at
details
of
this
cr,
this
is
a
sample.
Namespace
constraint,
template
constraint.
I
took
from
from
gatekeep
gatekeeper
website,
so
what
it
does
is
it
requires
any
any
names.
Any
this
regal
basic
defines
any
input.
D
Resource
resource
needs
to
have
a
field
called
label
and
inside
that
label
field
you
need
to
have
a
you
need
to
have
a
have:
a
have
a
label
with
name
with
name
with
certain
name,
so
the
name
is
being
exposed
as
a
configurable
parameter
called
labels
and
in
the
inside
constraint.
So
you
you're
basically
basically
applying
this
constraint,
template
I'm
here,
I'm
applying
any
namespace,
and
also
I
restrict
the
namespace
to
be
these
two,
these
these.
D
D
If,
if
so,
if
we
want
to
test
this
this
policy,
this
gatekeeper
constraint,
basically
we
can
just
go
ahead
and
create
a
namespace
without
label
gatekeeper.
Then
it
will
be
blocked.
So
let
me
do
do
that
here.
I
believe
I've
already
logged
on
the
login
onto
the
gate,
the
the
manage
cluster.
So
let
me
double
check
so
here
on
my
manage
cluster
for
this.
This
deployment
I'm
actually
applying
to
these
two
namespace.
D
D
So
that's
how
we
distribute
and
apply
a
gatekeeper,
constraint
and
strength
template
from
rackham
console
by
using
a
recom
policy.
You
don't
have
to
log
into
each
managed
cluster
and
apply
it.
You
just
need
to
do
it
essentially
through
right
through
raccoon
control,
plane
the
then
it's
the
the
violation
part.
We
want
to
be
able
to
collect
violations.
D
D
It
is
looking
for
any
cr
on
the
manage
cluster
called
ks
required
label.
This
is
the
constraint
that
we
created
in
previous
object
template,
but
additionally,
we
are
adding
additional
fields
to
it.
So
what
it
means
is
we
want
we
want
it
is.
We
are
using
must-have
compliance
type
here.
So
what
it
does
is
we
require.
D
D
So
this
is
for
all
this
scenario,
so
the
way
it
works
is
so
once
this
is,
this
control
constraint
is
being
created
on
the
manage
cluster,
so
gatekeeper
audit
controller
will
start
to
scan
your
entire
cluster
and
then
try
to
figure
out
if
you
have
every
any
pre-existing
non-compliance
exist.
So
if
there
is
any,
it
will
actually
update
the
status
field.
To
tell
you,
oh,
there
are
there's
some
some
violations
pre-exist,
so
it
will
increment
the
number
here
so
currently
we
expect
the
number
to
be
zero.
D
So
if
it's
not
zero,
then
this
this
policy
will
return.
Non-Compliant,
that's
how
we
collect
the
result.
So
if
for
for
that's
how
we
collect
result
for
audit
and
then
let's
look
at
the
dimension
scenario
for
dimension
scenario
same,
we
are
creating
another
configuration
policy
and
we
are
looking
for
event.
D
Events
for
this
constraint,
template
afford
this
constraint.
Ks
require
labels
and
then,
and
was
named.
Ns
must
have
gold
gatekeeper.
So
basically,
so,
as
you
can
see
here,
we
are
using
conspiracy,
type
must
not
have
so
we
expect
there
shouldn't
be
any
events
with
this.
Annotation
unmanaged
cluster
exists
on
the
manage
cluster
if
it
exists.
That
means
there's
violations.
D
There's
there's
something
wrong,
so
this
policy
will
return
non-compliant.
So
now,
let's
come
back
to
the
console
here.
So
as
I
did
as
previously,
I
did
this
right.
I
tried
to
create
namespace
without
label.
So
now,
as
you
can
see
here,
it
is
for
this.
This
admission,
template
is
reported,
reporting,
non-compliant
and
it
tells
oh
there's
an
event
exist
in
the
gatekeeper
namespace
system.
D
We
can
click
on
view,
details
and
take
a
look
at
what
it.
What
exactly
it
is.
So,
oh
there's
a
this
is
this
is
what
is
violating
this
part
of
this
policy,
so
this
event
exist,
but
it
should
it
shouldn't,
and
if
you
click
on
new
ymo,
it
is
going
to
pull
the
the
details
of
this
event.
So,
as
you
can
see,
it
tells
you
that
machine
webhook,
the
the
the
basically
the
the
request,
is
being
denied
by
this
constraint
from
gatekeeper.
D
So
this
is
exactly
the
same
error
you've
seen
here
in
the
command
line,
so
this
is
how
we
implement
gatekeeper
with
recom.
So
we
implement
we
integrate
gatekeeper,
not
only
just
installing
the
gatekeeper
and
then
creating
the
gatekeeper
constraint,
constraint,
template,
but
we
also
collect
the
result
for
both
an
audit
and
animation
scenario.
D
Okay,
that's
my
part
for
the
gatekeeper
demo,
just
to
quick
mention
thanks
to
the
power
of
the
outer
box,
configuration
policy
controller
shipped
with
raccoon,
so
we
are
able
to
also,
of
course,
install
any
operator
so,
for
example,
compliance
operator
here
so
compliance
operator.
So
if
you
look
at
the
ammo
here
this,
this
policy
is
also
you
can
also
find
it
in
positive
collection
repo.
So
you
can
find
it
here.
So
a
very
similar
concept.
We
use
configuration
policy
to
create
namespace,
create
operator
group
and
create
subscription.
D
So
then
the
compliance
operator
is
installed
on
your
manage
cluster
and
then
you
can
trigger
you
can
trigger
a
scan
so
from
using
certain
profiles.
So
here,
if
you
look
at
the
the
ea
scan
policy
here,
basically
this
policy
triggers
trigger
this
policy
triggers
an
essential,
a
security
profile.
Scanned
on
your
manage
cluster-
and
we
are
also
using
configuration
policy
to
achieve
that
so
by
just
create
using
configuration
policy
to
create
scan
static,
binding
compliance
with
suite
and
then
collect
result
back.
D
E
That's
great
thanks
you,
and,
and
if
I
could,
this
is
kirsten
newcomer
if
I
could
chime
in
just
for
a
minute.
At
the
end
of
our
conversation
about
the
client
compliance
operator,
there
was
in
chat
a
conversation
about
the
difference
between
the
compliance
operator
and
and
gatekeeper,
and
I
think
both
jaya
and
I
weighed
in
and-
and
you
did
a
nice
job
also
summarizing
that
here,
so
the
compliance
operator
is
specifically
focused
on
on
regulatory
controls,
technical
controls
that
map
to
regulatory
frameworks.
E
I
just
want
to
share
just
because
we're
really
excited
in
addition
to
the
e8
profile,
which
is
an
essential
8
profile
from
australia.
There
are
some
the
the
compliance
profiles
available
with
the
openshift
compliance
operator
include
some
controls
that
meet
nist
853
regulatory
requirements,
including
at
rel
core
os,
not
just
the
kubernetes
layer,
and
we
just
shipped
a
profile
for
that
is
inspired
by
the
cis
kubernetes
benchmark
so
check
that
out.
E
If,
when
you
get
a
chance-
and
I
don't
know
if
there
are
other
questions-
I
I've
kind
of
been
thinking
of
a
few-
that
I
wondered
if
that,
whether
they
might
be
helpful
to
folks
and
they
kind
of
tie
back
to
oppa
versus
gatekeeper
versus
the
compliance
operator
jaya.
You
mentioned
kind
of
three
types
of
policies:
policy
categories-
you
mentioned
security
resiliency.
You
also
mentioned
software
engineering.
E
C
And
this
blog
talks
about
how
you
can
implement
policy-based
governance,
using
our
configuration
management
capabilities
right
and-
and
here
we
talk
about
like
kristen-
you
were
asking
there-
are-
there-
are
best
practices
for
three
areas
that
I
outlined,
which
is
security,
resiliency
and
software
engineering,
and
this
blog
goes
into
the
details
of
how
you
can
of
of
examples
in
each
of
these
categories
right
so,
for
example,
for
security,
security
and
regulatory
compliance
of
the
first
one.
We
list,
obviously,
is
the
compliance
operator
right.
C
So
we
talk
about
how
that
can
be
configured
using
rackham,
and
then
we
talk
about
the
hcd
encryption,
so
there's
a
policy
that's
available
to
ensure
that
the
kubernetes
hct
database
is
encrypted
right
and
and
also
you
can
remove
the
cube
admin,
because
the
best
practice
obviously
is
to
not
use
a
single
administrative
account
right.
You
want
to
be
able
to
use
different
accounts
for
different
users
to
have
accountability
and
then
policies
for
role-based
access,
control
and
sec
security,
cost
constraints,
etc
right.
C
So
these
are
examples
of
security,
oriented
policies,
but
you
can
also
have
policies
for
resiliency.
So,
for
example,
if
you
want
to
make
sure
that
the
logging
operator
is
installed
because
you
want
to
be
able
to
collect
logs
to
check
the
health
of
clusters
etc.
So
so
you
can
do
that
and
many
of
the
gatekeeper
policies
that
we
have
as
examples
here.
C
I
have
to
go
back
to
the
community,
so
there
are
gatekeeper
policies
for
ensuring
liveness
check
is
in
place
and
make
sure
you're
using
the
latest
container
image.
You
know
these
kinds
of
policies,
readiness
probe
is
in
place.
These
are
all
resiliency
related
policies
right,
so
so
those
are
examples
of
that
and
then
and
then
you
can
also
set
up
policies
for
software
engineering,
which
is
things
like
you
know,
making
making
sure
that
kafka
is
in
place,
because
that
is
your
standard
for
streaming
right.
C
C
The
point
is,
all
of
these
policies
can
be
put
in
place
without
programming,
and
I
I
wanted
to
really
highlight
that,
because
our
built-in
config
policy
controller,
as
I
mentioned
earlier,
can
distribute
any
cr.
So
as
long
as
you
are
able
to
represent
a
capability
say,
for
example,
as
an
operator,
an
operator
can
be
deployed
using
a
cr
right
and
then
you
can
configure
the
operator
as
long
as
it
takes
configuration
as
kubernetes
resource
you
can
configure
it
and
if
it
returns
the
results
back
as
crs,
we
can
process
those
as
well.
C
That's
really
like
you
are
showing
in
his
demo.
We
were
able
to
integrate
with
gatekeeper
because
it
met
all
those
characteristics
right,
so
we
didn't
have
to
really
write
code.
We
just
had
to
author
policies,
so
I
think
that's
the
beauty
of
this
approach
is
it's
very
easy
to
put
these
best
practices
in
place
for
your
data
operations.
Without
writing
a
lot
of
code
exactly.
E
C
I
think
many
of
the
policies
that
we
have
put
here
in
our
community
were
contributed
by
our
community
of
practitioners
right,
so
they
have
their
own
community
where
they
based
on
customer
requirements,
they're
building
out
policies
right
and
then
once
they
feel
that
the
those
policies
are
stable
enough.
They
then
contribute
into
this
community
right,
okay
and
then
the
next
progression
is.
If
we
find
that
there
are
enough
customers
asking
us
for
a
fully
supported
version
of
that
policy,
then
we
promote
that
policy
to
stable
right
and
it
becomes
part
of
our
dracum
product.
E
Great,
that
sounds
good,
let's
see
so
you
answered
those
examples
and
another
thing
you
mentioned
early
on
in
the
conversation
you
kind
of
mentioned.
Well,
you
used
three
different
words
and
I
just
wanted
to
see.
If
there
was
clarity,
you
said
that
there
are,
of
course,
admission
controllers,
runtime
controllers,
and
then
later
you
talked
about
admission
and
audit,
so
I
wondered,
I
think
the
admission
controllers
were
fairly
clear.
Could
you
give
us
an
idea
of
what
some
of
the
runtime
controllers
are
yeah,
or
is
that
the
audit
yeah.
C
C
C
So
this
is
where
you
know
you
have
the
admission
web
hook,
so
anything
that
is
plugged
in
into
that
vision.
Web
hook
now.
Gatekeeper
is
one
example
of
that
right
that
is
plugged
into
that
now.
Somebody
could
write
another
web
hook.
That
is
processing
policies,
for
example
right
as
long
as
those
that
entity
that
is
configured
as
a
web
hook
is
able
to
accept
its
configuration
or
policy
as
a
kubernetes
cr.
Then
you
can
use
our
built-in
config
policy
controller
to
distribute
that
to
that
right.
C
So
so
that
is
one
example
right
and
then
there
are
communities,
obviously
is,
has
its
own
runtime
controller.
So,
for
example,
when
we
propagate
a
policy
for
a
cd
encryption
that
is
actually
being
enforced
by
kubernetes
itself
right,
we
don't
have
to
do
an
external
controller
to
enforce
that
right.
But.
D
C
You
have
certain
other
controllers,
like
the
certificate
management
controller
is
something
that
we
provide
and
that
allows
you
to
detect
whether
certificates
are
expiring,
whether
certificates
have
wild
card
certificates,
are
being
used,
etc.
Right.
Those
are
policies
that
you
can
define
and
that
can
be
detected
using
that
specific
controller
and
compliance
operator
is
another
example
right.
So,
okay.
E
You
also
just
really
quickly,
because
I
know
you
and
I
responded
to
carolyn
in
chat,
but
but
maybe
we'll
just
verbalize
for
for
everybody
else
as
well.
Carolyn
have
asked
whether
openshift
is
required
on
all
clusters
in
order
to
use
policy-based
governance
and
no,
as
as
jay
said
in
in
chat,
acm
itself
runs
on
an
openshift
cluster,
but
acm
can
manage
other
kubernetes
distributions.
Besides
openshift
today,
the
compliance
operator
is
only
running
on
openshift.
E
It
is
designed
to
the
the
content
that's
available,
which
is
written
in
scaps,
secure
content,
automate
security
content,
automation
protocol.
This
is
a
standard,
that's
required
by
a
number
of
our
customers,
which
is
why
the
compliance
operator
is
written
in
scap
it.
Today
we
only
have
content
for
openshift
and
the
operator
mostly
works
on
on
openshift.
E
We
want
to
extend
it
to
other
coupe
clusters
in
the
future
likely
or
at
least
share
it
upstream,
to
make
it
easy
for
others
to
extend
it,
although
of
course
the
project
is,
is
open
source.
So
you
can
do
that
today,
but
again,
acm
itself
can
can
manage
both
openshift
and
other
kubernetes
clusters
with
other
kubernetes
distros.
D
Okay,
just
two
complements
so
the
the
policy
framework,
the
governance
policy
framework,
so
the
hub
piece
does
require
oc
ocp
cluster,
but
the
the
piece
on
the
manage
cluster.
We
do
support
other
kunes,
kubernetes
flavor,
but
also
so,
but
the
outer
box
controllers,
for
example,
the
configuration
policy
controller.
It
also
supports
other
kubernetes
flavors.
D
So
that
means,
if
you
want
to
integrate
something
that
is
not
running
on
on
kubernetes
cluster,
but
you
but
but
it
can
be
integrated
using
configuration
policy.
It
is
you
can
still
do
that
and,
and
also
to
add,
the
gatekeeper
operator
also
works
on
non-kubernetes
environment,
a
non-ocp
kubernetes
environment.
So,
of
course,
if
you
want
to
use.
C
D
C
C
So,
if
you're
interested
in
trying
out
this
capability,
that's
a
good
place
to
start
and
we
have
community
meetings,
so
you
can
definitely
get
engaged
there
and,
like
you
said,
you
know,
for
example,
if
you
want
to
try
this
out
on
a
non-openshift
cluster,
at
least
on
the
marriage
cluster
side.
Definitely
you're
welcome
to
do
that.
F
I
have
one
question:
this
is
shaina.
I
have
a
customer
who
is
running
currently
right
now,
311,
I
noticed
acm
rackham
supports
3.11.200
and
above
and
some
of
the
policies.
When
I
install
it,
it
actually
require,
like,
let's
say
image,
vulnerabilities
and
it
will
require
container
security
operator
on
the
manage
cluster,
and
I
was
just
wondering
like.
F
That
makes
sense
like
because
there
there
are
time
that
I
would
not
know
what
my
managed
cluster
has
as
an
admin.
I
will
want
policy
a
b
and
c,
and
then,
when
I
create
those
policy-
and
I
figure
out-
oh
those
cluster
doesn't
have
it
would
would
like
for
a
gatekeeper.
You
will
deploy
the
gate
keeper
for
the
cluster,
but
gatekeeper
is
actually
only
support,
1.14
and
above
and
so
therefore
isn't.
Is
that
mean
that
I
cannot
have
gay
keeper
policies
on
the
3.11
cluster.
D
C
And
I
think
this
is
where
I
think
the
placement
rule
applies
right.
So
when
you,
when
you
are
applying
a
policy
to
a
managed
cluster,
you
do
that
by
using
this
concept,
called
placement,
and
one
of
the
things
that
you
can
use
is
you
can
assign
labels
to
your
clusters,
and
you
can
say
that
apply
these
this
policy
to
a
cluster
that
matches
this
label
right.
F
Okay,
that's
a
good
idea.
Thank
you
just
thinking
out
loud
because
there's
real
customer
questions,
they
they
are
on
3
11..
I
just
want
to
kind
of
pick
your
brain
taking
the
three
last
three
minutes
opportunities,
and
so
they
they
want
to
follow
the
needs,
standard,
right
and
so
they're
running.
They
are
moving
to
four
but
they're,
not
yet
they're
still
on
311..
F
C
B
E
E
C
E
C
E
A
And
there's
one
question
from
tobias
in
the
in
the
chat
right
now:
a
question
regarding
the
road
map
item
in
terms
of
audit
etc.
Does
this
include
having
a
result
that
could
state
deny,
but
not
denying
the
actual
resource
creation
and
rather
just
firing
a
violation
alert
to
s-I-e-n,
meaning
yeah?
Okay,
you.
B
A
C
C
A
And
I'm
sure
both
paul
and
I
who
are
are
trying
to
follow
all
of
these
projects
in
the
cncf
and
the
new
ones.
Are
I'm
incredibly
grateful
for
you
guys
taking
the
time
to
explain
all
of
this,
and
it's
really
been
helpful.
I
will
upload
this
video
and
get
the
slides
from
jaya
and
put
them
together
and
and
tweet
them
out
shortly
and
put
them
somewhere,
maybe
we'll
put
them
in
a
blog
post
as
well
somewhere,
so
you
can
get
them.
A
This
was
really
really
good
and
we
definitely
sounds
like
we're.
Gonna
have
to
have
you
back
as
the
ocm
community
grows
and
more
of
these
policies
are
out
there.
This
is
just
a
deep
dive
here
and
very
good.
You
thanks
very
much
for
the
demo.
It
was
quite
quite
good,
so
thanks
thanks
again
and
thank
you,
everybody
for
taking
the
time
and
asking
great
questions
so
that
I
didn't
have
to
this
was
this
was
good
and
thanks
kirsten
for
for
jumping
in
there
take
care.