
From YouTube: StackRox Community Meeting #7 - 2022-10-11
Description
The StackRox community meetings are held on the second Tuesday of every month. We use this time to get together and discuss gaps in the product and how best to move forward. Contributors are rewarded with StackRox gear as the RoxStar of the month.
- If you want to learn more about the project, head to StackRox.io
- The project's code repository can be found at https://github.com/stackrox/stackrox
A: A good amount of people here. Hello and welcome to the sixth meeting, six, StackRox community meeting. I am one of the StackRox chairs, Mike Foster, and I'm joined by my co-chair.

A: I got a pretty quick meeting for you. We're going to talk October, 3.72 release, the upcoming KubeCon event, and looking at what we would like to do with the community website. So what kind of demos that you'd like to see, what things? Let's say the documentation doesn't necessarily wrap up well for the Community Edition, but yeah. So the meeting notes are in the chat if you need them, or in the Slack channel too, pinned at the top. Matthias, you want to talk about Hacktoberfest and how that's going? Yeah.
B: Sure. So, Hacktoberfest: actually we tried to add some issues to our project, so if you are in stackrox/stackrox, so the main platform repository, any issue that is tagged hacktoberfest and is not assigned to anyone is obviously open for grabs. We already have quite a lot of people that are interested in general.

B: All the issues that are open there are up for grabs, so if you're interested, feel free to pick anything up, but I have also just added a search query so you can just have all of the Hacktoberfest ones at one glance, because these are specifically crafted to be easy and hopefully contained enough so that you can pick up the task, vanish for a week or two, and then come back with a PR and hopefully get that accepted as fast as possible. Yeah.
A: And if you do plan on working on them, assign it or get one of us to assign it to you so that there's no overlap in PRs. I hate to see duplicated work. Yeah, and again, if you're contributing to Hacktoberfest, I'm going to reach out, end of the month, and send everybody some gear. I've already posted in the chat some of the GitHub accounts of the people who've helped out, so look forward to sending you some tumblers and sweatshirts.
C: Yeah, I would reciprocate and throw it back to Matthias to talk about our shift-left dev preview.
B: Yeah, that's actually one of the features that I ended up working on together with Boaz, so we actually released something into dev preview, which means we are actively looking for feedback for that. So what we did release is we have integrated a static analysis engine for your deployments. So if you have your deployment YAMLs ready, but you would ideally need some network policies for that, which is considered a good best practice to have.

B: Well, actually, the thing is that network policies are usually done by ops or DevOps teams, so quite late in the process, but usually I would argue that we as developers know our workloads best, and maybe it might be a good idea to be nice to the DevOps people and already have some network policies for them to review, as opposed to, hey, could you just generate some for me. And I just saw that Boaz helpfully linked the README, so this feature, as it is in dev preview, you need to use it a little bit differently. Basically, you need to set an environment variable to make it available, and we have a README for that. So if you're interested in that, please have a look at the README. There is a little README that is next to the generate command that will just tell you how to use it.

B: I think you would like to see more of, or basically, it is for us, it was a great idea and a great opportunity to integrate this, but the question is: how are users using it, and how would you folks like to see it evolve? So if you have any feedback for us, let us know, either through an issue or an email or in Slack. Boaz, did I, hopefully, do it justice? Do you want to add anything now?
C: For sure, two things to add. I'll start with just saying that Kubernetes network policies is hard, and this is a method to, the whole idea is to make it easy. So ultimately you shouldn't be thinking about your network policies. You should have a system that helps you get that done. So that's the idea. The circumstances where we analyze today, like, you know, the solution is to analyze existing resources, YAMLs and stuff, and look at, understand what you're trying to do and just do it for you.

C: Those circumstances is where I think, to Matthias's point, we would really benefit from feedback, in the sense that: does your project look like that? In other words, where in your projects do you specify your IP connections? We expected to see in a certain set of YAMLs, so we should do a whole talk about that, which leads me to my second point, which Mike might be wanting to talk about: what he's doing in KubeCon.
A: A couple points, yeah, are like: there's the developer use case, which you can go and use roxctl and generate the manifest yourself. There's also the case of your network security teams, who don't even want to touch Kubernetes, that want to generate policies, and you don't need to go to the developer to actually generate these policies. I could just run it against your static files that are in your repository and generate that, maybe put it into a testing environment.

A: Do it all asynchronously so that I can come up with maybe some scalable policies in the future for your network and security teams, right? So I think one of the big things is there's the developer standpoint, which is shifting left, and then there's the operations and security teams that can leverage it to not, to get developers off their back, right. So if you're a developer, that's also really useful to you, and again, we'll have, so I'll get into KubeCon in a second.

A: I do want to touch on a couple things in terms of the release notes. One of my favorite aspects is the Dockerfile lines and images, so they introduce components. I think it is awesome. Whenever you're updating an image, Dockerfile introduces a vulnerability, you can see exactly where it is in the new release.

A: Scanning support for RHEL 9, I think, is awesome, and I think host scanning being built into the vulnerability dashboard in the upcoming releases and part of the roadmap is extremely nice. And then the policy for CVEs with a fixable CVSS score of six or greater is disabled by default. Now I think that's worth pointing out as part of a larger, just general security talk. CVSS, if you've ever seen the normal distribution of scores, it's supposed to be a normal distribution.

A: It never is. There's a weird spike that happens right after 5.9, at 6.0, for multiple reasons, and it doesn't necessarily mean there is an important or critical vulnerability that's introduced. Sometimes a 6.0 with the proper configuration in Kubernetes is a non-factor, and so we figured that having all of these policy breaks by default was not extremely useful and just created more noise.

A: That being said, if you find any issues with it, it's worth hearing about. If something sneaks through and you're like, oh, this is, you know, maybe, and also you can change the policies, so it's like 6.1 or 6.5, there's a lot more flexibility, but 6.0 seemed like a weird line that we drew, which might not necessarily benefit the end user. So with that being said, Boaz made a great point, and that KubeCon's coming up, so at the end of December, the 24th to the 28th, is KubeCon and all its co-located events.
A: So if you're following the CNCF at all, it's basically the biggest event for Kubernetes and its related projects. I'll be there. I'll be doing a keynote about np-guard, specifically that shift-left netpol feature.

A: So if you're in Detroit and you happen to stop by, come by the booth. I'll be there for two days. We'll be discussing StackRox and some of the new features, and you can come pick my brain. I'll have a bunch of gear there too, so if you don't like it shipped, you can come and just pick it up, and yeah, and then it is.

A: Coming up way too soon. Oh yes, end of October, October 24th to 28th, and the co-located event is Monday, Tuesday, and we'll be doing another demo as well on the Thursday at the Red Hat booth. And then that brings us into, there's kind of two last things that we wanted to bring up. I started working on a website outline, and we do get a lot of questions in the community chat, some revolving around Docker Desktop and management, some revolving around access to the different services.

A: So by default, when you deploy StackRox, it's not accessible to external services. This is for security purposes. You don't want something with all that information being publicly accessible. If you go and deploy it on GKE or something like that, it's not exactly intuitive, I think, for most Kubernetes users, because you're used to applications where by default they come with an Ingress or NodePort service enabled. So I think things like that are worthwhile to point out on the website.

A: You know, how to deploy it, what we recommend you doing for the community distributions. If there's something in particular that you've had issues with in deploying the community distributions, I'd love to hear from you, so that we can go and create a demo. I also want to create an actual vulnerability demo that will help you walk through and say: hey, here are some of the ways we recommend using it. As a practical point, I find sometimes the documentation is heavy.

A: Maybe we can fix that or give you some practical tips, and hopefully maybe get some stuff up on YouTube for you. Again, I have certificate management and application exposure as two that I think Matthias and I have outlined. So feel free to either comment on that or throw it in the Slack channel directly at me, basically.
B: We only get one out-of-the-box experience, right? So usually we've seen the product so much that we sometimes are a little bit blind. So it is super interesting for us to actually hear from people that are seeing the platform for the first time: where they have problems, maybe reading the documentation, or maybe missing some documentation. Maybe where are our help texts not actually helping? So please feel free to share any of that with us, and even, nothing is too minute.
A: A hundred percent. And we've had a couple questions about a roadmap on GitHub. Just moving into the next topic, curious if there is a desire for something public, even if it's something public as, like, minor issues that need fixed in the upcoming releases. If there is a desire, then it's worthwhile putting the time to make sure that you have that information. If there isn't as much desire, obviously with upstream, then we'll have to adjust expectations, right?

A: So hopefully we can keep those coffees warm in the upcoming winter months. If you're in the warm weather, I'm very jealous of you. It is already getting to freezing at night up here, so, fun stuff, I have to dress up in, like, a parka and a tuque for Halloween. I can't even go outside. Last thing is just open it up to questions. If there's anybody on who wants to discuss anything bugging them, any issues with the platform, the floor is yours.
C: It's actually, I think, going to be helpful to solve two different problems. One is to make it easy to install Central, but the next is to make it easy to install all kinds of different clusters, because for every different kind of secure cluster you need a different process. You might need to have gcloud locally, the SDK, in order to secure or access your GKE cluster, and Amazon is different.

C: We have experience internally thanks to our amazing automated infrastructure tools. That's blog-worthy at some point, I guess!
A: Yeah, and I have little tricks, like I use kubectx. I'm not sure, Matthias, if, yeah, you know that one. It's awesome for switching between clusters, and so little things like getting that installed. Again, you know, maybe, if you're in Google or Azure or AWS, little tricks for pulling that information, so that you can generate the secured cluster bundle.
C: I think the difficulty is the things that are beyond the API control, so the tasks that you need to do as a human. Those are the ones that get in the way. So, whatever automation we can offer to do that, you'd need to be willing to give up something. So, for example: give me your credentials, on, like, a one-off, and I will log in on your behalf, grab those credentials, and get everything ready for you, me being a script, right.
A: Sure. Any final parting notes before we head out?
B: Honestly, keep an eye out for Hacktoberfest. We're always happy to help. I'm super happy to see that people are handing in pull requests, and we're also doing our best to actually review them in time to also, and the good thing is, even if we don't get to review it in time, as long as you open it up in October, it still counts toward your account, so, or towards your Hacktoberfest. I think it's four PRs that you can hand in, so please feel free to stop by, and we'll be always there for questions.
A: And I'll probably be spam-posting some KubeCon event videos, because I think there's gonna be some cool announcements that are happening and cool patterns that I'll see. So if there's anything in particular you want me to go check out, I'll go send some recordings in or something like that. I'll do it sneaky.

A: In the background. Cool, yeah, thanks everyone again for coming. You can always find us in the Slack chat. I'm Mike Foster and I'm joined by, but yes, and we'll be signing off and see you next month, same time. Take care, everyone.