From YouTube: StackRox Community Meeting #11 - 2023-02-14
Description
The StackRox community meetings are held on the second Tuesday of every month. We use this time to get together and discuss gaps in the product and how best to move forward. Contributors are rewarded with StackRox gear as the RoxStar of the month.
- If you want to learn more about the project, head to StackRox.io
- The project's code repository can be found at https://github.com/stackrox/stackrox
A: Hello, hello and welcome to another StackRox community meeting. Happy Valentine's Day to all the RoxStars out there. We love you. We're gonna be talking about the 3.74 release, 3.75, 4.0; there's a lot of big updates coming. Matthias wanted to talk about some current release info.
A: But yes, for those who don't know, I'm a community lead for StackRox, Michael Foster, and I'm joined by my co-chair, co-lead Matthias Meidinger over in Germany. I'm in Toronto, so we're very happy to cover the time zones, and we're joined by some PMs, Boaz, and some engineers, Alex and Oscar, on the call. So if you ever have any questions, you can always leave them in the Slack channel chat; that's probably the best way to get some feedback. And talking of feedback...
A: We have some big releases and we're looking to get feedback on some new features. We have some new network graph updates. We have a collections feature that's coming out in 3.74 and, of course, a big database upgrade that's going to go into tech preview in the upcoming release. But before we get into that, I want to hand it off to Matthias to talk about the current release info. There's some, let's say, small things that we want to make you aware of before we get into the big meat of the discussion. Matthias, take it away.
B: So we actually encountered a small road bump with all of our currently supported versions. So 3.74 is the version that will be out soon, and we also currently have 3.73 and 3.72 in support.
B: What we discovered now is that we actually have the situation that if you run 3.72 or 3.73 on Kubernetes 1.25, so the latest, or OCP 4.12, you might end up with a broken network graph or an empty network graph, and you might not see any runtime data. We are already aware of this and we added a fix. So please, if you are running these versions, keep an eye out for the fixed versions, 3.72.3 and also 3.73.4. So please keep an eye out on that, as always.
B: We have also added this to the community note, so you should be able to easily find that. 3.74, so the release that we're currently doing, already ships with all the hotfixes that we need for this. So it will work on Kubernetes 1.25 and OCP 4.12. But if you run 3.74 on OCP 4.7 or Kubernetes 1.20, it might show similar behavior, because the fix that enables working on the latest Kubernetes also had some small side effects on older Kubernetes.
B: So if you see that, we are already planning a follow-up release, as far as I'm aware 3.74.1, to actually address this. So it's a rather busy week, or weeks I should say, for our engineering team. But we are hard at work. We identified all the problems that we have so far and we're hard at work actually fixing them as quickly as possible. And with that, as I already started...
B: Speaking about the 3.74 release, stay tuned, because it will be out next week. And with that, also some smaller changes are coming, which are from the technical side: we are actually dropping the in-product documentation in favor of online documentation, which you can also, for example, download as PDF. That is to minimize the surface area, or attack surface, of our product, because the in-product docs were rather hard to keep up to date in terms of needed infrastructure, amongst other things.
B: But that was one of the reasons. And finally, also, we will have PostgreSQL shipped as a tech preview, so we are actually changing the main database that our product uses to a PostgreSQL database, just so you are aware of that.
B: That is a rather big change, and that is also then targeted to be stable for the next release after that one, so 3.75. But I think Foster will talk a little bit more about that later. And with that said, let me hand it off to Foster to talk about the cool features that we will get with the new release.
A: Yeah, and when it is, we'll definitely be posting in the chats the release notes and all the updates. There are two sort of major feature updates from the UI and usability perspective that aren't tied to the database. Network Graph 2.0: we're doing a whole overhaul on our network graph. This has been, I think, a long time coming. From what I've seen it's very pretty; I'm a big fan of it, and you'll see it in the UI as Network Graph 2.0.
A: Of course, Network Graph 1.0 will still be available, and so we plan on cutting a couple of demos showing the differences and then looking for feedback in the Slack channel: see what you like, what doesn't work. Maybe you have an obscure use case that we didn't account for; we'd love to hear from you about that.
A: Awesome. So yes, regardless of whether you update to Postgres you'll have Network Graph 2.0 there, but one of the other cool features that I love, which you need to update to Postgres for, is the collections feature. This will really help scale policy. You can group policies and apply them. Boaz, do you want to give a quick rundown on what the use case is for it, you know, in the field?
C: Yeah, absolutely. So the problem we were trying to solve is scale policy management. If folks here have played with it, you realize that in the policies today, we specify the policy itself as well as the behavior and anything else that's tied to it, like notifiers, the scope, the inclusion, the exclusion. And just by doing that, excuse me, any time you need to make a change, you're probably cloning those, and by now you've got quite a significant number of policies.
C: So when we looked at how we want to address this problem, we realized that we need to do two things. One is we need to split the static information from the dynamic information, so we just need policies to be a template, and then another section says how do I want to apply this policy to something, to a scope, using a certain behavior. And at that point, to apply the policy to a scope, we realized there's an opportunity here throughout ACS to actually have named scopes.
C: We call them collections because there was honestly no better name. Like, is it a set of deployments? Is it a group of deployments? Is it a, whatever, just a collection of deployments? The contest is out for new names; if anyone wants to offer a name, it's not too late. Now, this collection of deployments is actually a pretty powerful concept, because you can define this set or collection of deployments using dynamic rules, so you can select on namespace, cluster and deployment name or label. Resolution is at runtime, and also you can nest collections.
C: So now you can describe a pretty complex hierarchy. Like, you can describe: okay, here's my entire dev infrastructure. What does this look like? It looks like: here's Mike's dev area and Alex's dev area and Matthias's dev area, and each one of them in turn is defined using whatever rules that you want. And now, all of a sudden, you have a full description at any level that you like. These collections are then used for policy inclusions and exclusions.
C: You can expect to see them used basically in any filter in ACS. You can expect to pop a collection into the network graph and see just the infrastructure that you want to focus on. This is going to take some time and we're going to be rolling that out in several phases. With 3.74 we were able to just, let's say, squeeze it into one feature, which is the vulnerability report. We don't expect users to go crazy and use collections all over the place. It's really out there to be tested.
A: Yeah, awesome. I think the use case as well, for, you know, a new namespace comes in, it has the correct label; the collections will automatically pick it up and apply those policies that you've created. When I was at CloudNativeSecurityCon talking with people, that's huge, especially for onboarding new groups, right? So that allows the security team to kind of just go away.
A: Asynchronously get these reports as new groups come in, if obviously everything's correctly labeled. So that was really interesting. Neil, welcome, we're talking. How's it going? I haven't seen you in a while.
D: Yeah, I'm just, you know, had some open time and saw your message, so I thought I would show up and mostly listen. What's going on? Yeah.
C: So, Mike, just what you said. Actually, it fits in with some of the feedback we've received from security teams, and I don't know if Neil might actually relate to this. So you might ask: what's the big deal? I mean, I have labels in Kubernetes. Why do I need all this fuss? I can just dynamically define things using labels. So there's a couple of things here: one is actually we name them, we give them names, so you can use them throughout ACS.
C: That's a side issue, but also we've heard from security teams saying: I don't necessarily want to work with labels, because I can't control what happens with labels. My dev teams might just throw a label and all of a sudden something receives privileges that I didn't intend it for. So it's interesting, but security teams might actually want to use this mechanism to enforce these scopes in a tighter manner than just allowing anyone to throw in a label. Interesting. I think we'll find use cases for all kinds of flavors.
B: I mean, the technical details behind this are, also for me, only more on the surface, because that is definitely another team that is doing that migration. But what I can say is migrating to Postgres is a very big change, because it concerns a core part of our application, but it also opens up a lot of opportunities and options for future work that we were planning and that we're aware many customers asked for.
B: What this actually enables us to do is, on the one hand, obviously possible performance improvements down the line, especially for very big environments, but also improved usability in terms of backups, restores, general performance and, of course, scaling and even using external databases. But all of these, be mindful, these are options we are considering; unfortunately we need to take one step at a time, so these might come in the future, but for now we're focusing on enabling a transition from the existing RocksDB...
B: ...so our current database, to the new PostgreSQL database, which also includes meticulously tested upgrade instructions, because there will be a little bit more involved upgrade instructions when you switch out a database, obviously. So we need to actually make sure everything works as intended, but I'm very much looking forward to seeing what all of that brings.
C: He can probably tell us a few secrets, but I just want to point out that Postgres is already running in our cloud service, and so that's where we're getting some mileage, I guess, on that. And the other aspect is that, yes, upgrade will be a little bit more complex. As Matthias said, new installs will get Postgres by default, and so for anyone looking to test this, it's probably not a bad idea to set up a clean environment with Postgres and start to play around with that.
A: Awesome, yes. And as part of the upgrade process, we hope to put a couple of demo videos of the new features in the chat. So in Slack let us know your thoughts, play around with the new version, and Boaz will obviously be there looking for feedback. We'll get a couple of threads going; we'd love to hear what you think. I've received a bunch of good feedback at CloudNativeSecurityCon for the Network Graph 2.0 I'm showcasing, and it's really interesting: when you just put the two next to each other, it's a lot more readable.
A: You can see the information a lot clearer, so especially when you get into some big clusters and you start looking at multiple namespaces, it's very, let's just say it's a lot more readable, I'll say. So, a huge upgrade.
A: No demos today. What I'll do is something more succinct, because I'm all talk right now; I'm just all hyped up on coffee from a late, late flight. But yeah, speaking of that, CloudNativeSecurityCon: if you follow along, the CNCF had a security event in Seattle. Oscar joined me there. There were 40-something vendors, probably about 700 people showing up there, very security focused.
A: So the conversations were good. Did see a lot of, as a general trend, if I can say in the last minute before I think we wrap it up, a lot of companies going into the cloud native application platform space, but not the Kubernetes space specifically; more consolidation at the top. So Neil's on, so I'm kind of curious what he sees at Orca and his new role, but just with everything going on I'm seeing a lot of cloud native application platform plays, people going for container and cloud services, and a couple of startups focusing around supply chain, but not a lot of Kubernetes-specific plays, and us and NeuVector are the only two open source security platforms.
D: I think you're spot on. I see so many things being labeled CNAPP and getting code-to-cloud security slapped on it. Like, you almost can't have a cloud security company now without saying you're code-to-cloud CNAPP, and you have all of these, this blizzard of Gartner TLAs.
D: We do CSPM, CWPP, CIEM, and my day job is with a vendor; I joke that Gartner had to create the CNAPP term for us, because we started that. So you know I'm a little protective of it, but yeah. Fundamentally, there's so many coming out that I'm tracking that are in that space, and nobody's focusing heavily on Kubernetes.
D: And I think almost all of them, if you look, there's a ton that are acquisition focused, you know, so trying to leverage their existing customer base by buying new products and duct taping them in and calling it CNAPP. Yep.
A: I saw a couple of vendors that didn't even have booths. They just showed up with their entire team, and I'm like, for meetings with other vendors? What's going on there? There's some strategy planned out, so yeah. It was kind of nice that the CNCF did it two days separate from KubeCon in Seattle. I got to meet Oscar for the first time. But yeah, the next one, obviously, is in Amsterdam, KubeCon EU. If there are any Europeans, it'd be awesome to see you out there. Amsterdam apparently is, like, booked up all weekend.
A: If you look at the dates, it's gonna be pretty busy. And then, of course, we have Summit coming up for Red Hat in May, where I'm sure you'll get some more announcements. But in general the releases are the next big things. We'll be posting the release notes and everything moving forward in the chat. Matthias, anything I missed, anything you wanted to wrap up with?
B: Before we wrap up, I don't know, should we maybe, I mean, we can open the floor for questions. Anyone interested in anything? For example, I don't know, Neil, do you want to ask anything, or...
D: Okay, I just wanted to take a moment to expound on something Boaz said around security teams not trusting labels from the DevOps side.
D: Sometimes, you know, the security team's perfectly happy to trust the DevOps teams to do the right thing, to have something that flows all the way through, but sometimes they have an absolute need for something that they control, that is completely within their space, and that they can make the rules for and do what's there. That's just requirements I hear every day, so I think it's great to always recognize that, and as we build things and fix things, to keep that in mind.
C: Before we wrap up, Mike, I have a demo environment up. Do you want me to just kind of share a sneak preview, or do you want to keep it for a full demo that you'll do next time?
B: I am Matthias Meidinger, signing off together with my co-host Michael Foster and everyone else. So thank you folks for stopping by, and enjoy your Valentine's.