
From YouTube: StackRox Office Hours (E7): What's Next?
Description
The StackRox team is excited to announce the future of the open source StackRox project. We will discuss all upcoming events and prepare the project for its forthcoming release.
Join us live on Tuesday, March 15th at 4 pm EST, 1 pm PST as the team discusses everything you need to know for the future release!
A
A
B
Hello, hello and welcome to the next. What is this? We're in March. March StackRox Office Hours. It's a great big office hours, joined by Matthias and Jamie from, well, Red Hat, but formerly from StackRox, so we're excited to have them on. We're going to be talking about the future of StackRox and the open source project.
B
Thank you so much for joining. As always, it's the third Tuesday of every month at 4pm. Well, it was Eastern, but I lost an hour of sleep over the weekend. Wasn't exactly ecstatic about that. Yeah, so every Tuesday will be, or every third Tuesday of every month, we'll be talking about the project as well as anything security in the open source world. We'll have some guests on.
C
B
Week we were talking GitOps and get up security with Christian Hernandez, which was awesome, and yeah, look forward to having future conversations. But I want to introduce my guests, Matthias and Jamie. Matthias, bring yourself in. What do you do at Red Hat? And then we'll talk about the project.
C
So hi, I'm Matthias. I am a software developer in the ACS team, so basically the team that is developing the main project that will now be open sourced, and I've spent my, the recent time basically with providing the engineering support and the know-how basically to open source the project. Ideally.
A
B
That's awesome, that's a great tagline there, Jamie doing a lot. Yes, Billy the platypus, I'm hoping that we standardize around something because I don't like the flip-flop in the spring, especially. But let's just cut to the chase. The reason we're here, as Matthias kind of alluded to it: StackRox will be open sourcing in T minus two weeks, 15 days. March 31st, a Thursday, software will be open source. The GitHub will be available.
B
Public images will be available on quay.io and we'll be sending out a bunch of information for y'all. If you want to check it out, we're super excited, and this is just kind of a soft drop. We wanted to discuss engineering requirements, the meetings that are coming up and give every one of everybody in the chat a chance to ask some questions.
B
So we can get some feedback and make sure that you guys have everything you need come release day. So thanks you all. Thanks to you all for joining. Let's just go over some of the critical stuff I think that we've put in motion, right, Matthias, over last year. And Jamie, we got acquired last February. I believe it was the end of February was the official date, and since then there has been a big commitment to open source, open sourcing StackRox, and it started with the stackrox.io website.
B
B
B
Hopefully you guys can give me some insight into what it takes to open sourcing something like that and getting, you know, an open source project on GitHub and Quay, because it's been about a year since we got acquired. So a lot of engineering work has gone into it, see us. Hopefully, you could shed a little bit of light.
B
C
Sure, so what happened? Basically, as soon as we got acquired, we started working on and organizing on, or thinking basically on, how we could open source. So the problem is always be doing commercial development versus open source development. These are very, very different things. So how do you transform a project that was private in the first place to something that is open and that everyone can work on? So that took us quite some time actually, because we already planned out, or we spend a lot of time.
C
Of course, there is always the legal side. There is the side of the company and all the regulations, and I have to say, having experienced and base and seeing this project grow from basically from day one was very interesting, because Red Hat was very supportive and let us do our thing, how our basic, how we imagined it. We were able to build an open source project how we like. They supported us in everything we did, which is something that I personally really enjoyed doing so.
C
The most interesting thing for me is we did, we did plan for the community from the get-go, which means I'm happy to announce that we will be doing monthly engineering meetings. So we will have StackRox Office Hours, which is what we're doing now, and then we will also have engineering meetings, which are a little bit more focused on the community interaction on the product side or on the engineering side.
C
So these will be taking place every second Tuesday, or no, every second Tuesday of the month at 9:00 am PST or 5 pm GMT, wherever you live, and what we'll be doing there is doing a little bit of announcements more for the technical side, so breaking changes, new updates, new features, and also we'll be talking about feature requests or any issues that the community has encountered, so we're now.
C
B
C
Yes, absolutely. So be that you have questions regarding the documentation, be it that you have questions regarding the architecture, or even that you would like to see a feature or an integration. That's all thing, basically, all things engineering, all things that you use. We're happy to talk about it, we're happy to hear your feedback and change and adapt where needed. Of course.
A
A
Do attack simulation and I'll give you a quick example. We had a customer who had the ability to put in Docker images into one of their platforms and they were actually looking for their users who are adding crypto miners. Getting community solutions like this together, so that we can add and improve our policy set for our entire customer base, but the entire Kubernetes community as a whole, really something that I think will power the community forward.
B
Yeah, we've seen solutions like OPA have a bunch of advantage to using something like that, right? Like typically, there are very, there's a very small group of security open source platforms, right, and I think that's a relatively new thing, and so obviously sharing policies is one of the advantages. I think community feedback is one of the great advantages too, and in the recent Log4j exploit, you saw how fast the bug like that got fixed. I actually almost think you look at, you look at the time to CVE fix.
B
Linux leads the way, Kubernetes, and that is in a very quick second, right? You're smiling right now, but it is kind of true, like these things happen. It is one of the advantages. Am I right?
B
Especially beyond behind the scenes, reactivity, I think, is also one of the big things, right? When a security provider that shall not be named, maybe, I don't know if it's polite right now, but when it's behind closed doors, maybe they're less likely to be completely forthcoming with their customers about the breach of a hack, right?
B
When things are open sourced, you get some great feedback, whether you like it or not, and so that's, I think, part of the engineering meetings, and then obviously, if you missed the engineering meetings on the second Tuesday, office hours on the third Tuesday, we're looking for your feedback, because I think as much as, you know, we're open sourcing a platform for teams and organizations and an individual user to use to secure their Kubernetes platforms.
B
You know, I think it's awesome to have just as much feedback, and I think it's just, it creates a great ecosystem, right? That's the whole goal. So yeah, so second Tuesday of every month, which will be a little bit more, we're a lot nicer to the Europeans, I think, with that meeting. It's 9:00 a.m. Pacific, 12 Eastern and 5 p.m. GMT time, and luckily I think that Europe changes at least.
B
Third, third Tuesday next month for office hours, we'd love to see you guys there. In terms of all the locations for the critical stuff for the open source projects, I put in the chat stackrox.io. That'll be the website for everything you need. There'll be some, there'll be a docs link that's gonna be put up.
B
The GitHub repository link will be put up there as well, as well as a blog just kind of detailing all the resources and everything you need to know, and, of course, we're going to be sharing it out. You're going to see a bunch of links from the team, and hopefully, if you're on LinkedIn and you follow Red Hat or any sort of that stuff, you know, it'll pop up. You can also follow the RSS feed on the site for notifications. All right, that's all.
B
B
I kind of wanted to turn to you because, especially, you're so hands-on with customers and you've had sort of that high-level view of what it takes to be open source and also, I think, all the requirements and all the, I don't say pushback, but just the engagement that you need, right, when you have a big user base and you have to say, hey, by the way, this product that you're using, we're going to go open source with the code. Are we for or against it, right?
B
So there is that common back and forth. You know, what did you see of last year? What's the push for open sourcing now?
A
Yeah, so, ultimately, when you look at our customer base, we actually are overwhelmingly for open source, and that comes down to three key questions, the most important of those questions being: how do you, as the platform provider, expect me to trust you in order to secure that platform? So you're giving me the guidance, but is that not a conflict of interest? And that's what we've heard from our customers, so open sourcing is our solution to establishing transparency.
A
That's how we can tell our customers that this is our commitment to you and that we're doing the right thing by you. We're both going to provide you that platform, but we're also helping you to secure it, and Red Hat's commitment to security and open source really has led to that brand awareness that we're providing you packages, we're providing you a security solution. Security is really ingrained in our core values and, by the way, in order to prove that to you, we've open sourced our solution so that you can go and validate yourself.
A
B
So you like a lot of feedback for open sourcing, exactly. It's shocking, because you don't see that many security platforms that are open sourced. A lot are behind closed doors. What do you think is just like, because you'll see small tools, right, you'll see things like Clair, like a security scanner, be open sourced or something like that, but you won't see, you know, bigger platforms like a StackRox be open sourced. Why do you think that is?
A
Your solution is appropriate in the market, the difference being that as a platform open sourcing, we've got customers, we've been used and we are no longer trying to validate our solution quickly, which is part of the value of a company open sourcing their solution, is quick market validation. But rather than trying to validate our solution, we're actually trying to establish transparency and drive innovation forward.
A
So the goal here is vendor independence and also, how do you establish transparency there? So we've gotten a lot of positive feedback for open source, but really, at the end of the day, I think that platforms choose not to do this because most of them are building cloud services, or that's their MO of their core business, and because of that difference of quick market validation and established solution as a whole.
C
No, absolutely. So it's very interesting to see, especially, I've been approached by quite a lot of people that are interested in the open source product. So I'm feeling not only is it, of course, the competition is hard, but also, on the other hand, what I'm seeing is that companies are interested in open source because, on the one hand, not only is it adding accountability.
C
C
It allows us to not only show what we're doing, but it's also giving you as a customer, or we're basically, we're reaching more customers, we're reaching more potential interests, or we're reaching a wider audience of people that are interested in not only getting, maybe even in, maybe not only having a look at our product, at our platform, but also growing, as Jamie mentioned, growing the whole, the holistic Kubernetes security, yeah, area, basically. So yeah, especially.
B
When it comes to Kubernetes security, I kind of mentioned there are these small projects, right? There's, you know, there's OPA or there's a Falco, right, but the Kubernetes platform, the whole security platform, if you're gonna go to secure Kubernetes, you have to kind of piece together all these solutions, if you're thinking about open source, right? So it's a lot harder to operationalize in that sense, and we're basically giving, like, here's a full Kubernetes security platform for you to use and take advantage of.
B
So I'm pretty excited to see that part. For everybody watching, we got a good sizable people, throw some questions in the chat. We're interested to hear, you know, do you plan to use it? What are you looking forward to? Anything that you are skeptical of? Would love to have that conversation, especially as we get into more engineering talks.
B
This is a segue to get into just, you know, we've had bi-weekly meetings for last year to talk about blockers and all the different considerations, and you would be, I was shocked at how much work goes into something like this, and not just open sourcing but open sourcing, I guess, in a way that can hit the ground running for most people, because really, technically, open sourcing, you just have to drop free code in a binary on GitHub.
B
B
You know, engineering meetings, what were some of the considerations that you could share and the different hurdles that you had to jump through?
C
I mean, we primarily started with reaching out to legal, because, especially with branding, with the name, with logos, there is a lot to consider. Also source code, of course, in the meat of the whole thing. That's something we needed to have checked and signed off by legal, because, I mean, we're still talking about a big project, and better safe than sorry. But I also noticed that we started quite early with the whole thinking about how do we develop, what changes? Because for us as a developer,
C
quite a lot changes. I mean, on the one hand, of course, we'll be working on the GitHub repository, so this is staying the same, right? But on the other hand, there are questions like: how do you handle CVEs? How do you handle security reports? Because there are things, obviously, that you can't do in the open, but now you're completely in the open. So how do you do these things? That was kind of interesting to see.
C
Will be that we will be, we established secure communication channels where you can report vulnerabilities or basically get in contact with us, get in contact with engineering, and I'm also very happy to say that engineering is never far away from community, so it's kind of easy to get a hold of us as engineers, which is something that I'm very happy about, because sometimes it happens that, no matter how hard you try, you never get beyond or get past maybe second level, I would.
C
Let's call it second level support, so it's hard to get a hold of engineering or of devs. What else did we do? Of course, the ongoing issue of documentation. So we have a lot of internal documentation about how we develop our product, how the processes around releases work.
C
But the question is, of course, now that we switch, do we open source all our documentation? Do we keep all of it private and just let people figure it out? And I mean, I think you already mentioned it. We shared our documentation, we're open sourcing also our complete documentation and most of, no, all of the architectural documentation that we have.
C
What else? Oh, sorry.
B
Oh, no, that's exactly right! I was just going to answer this question. Although Philip, I did have some great feedback to the question. So, for this, from a business perspective, why is it important to have the option to look at code, and why should I care?
A
A
So, for instance, you have a community of people that are driving forward how your security posture will be managed over the course of your evolution of your applications, and if Kubernetes is being used to store a large number of your applications, as we see the market shifting toward, that's going to be your bread and butter. So how do you know that they're doing right by you, and how do you go in and validate that?
A
So, yes, there could be back doors, but also it's as simple as: are the rules that are being defaulted and recommended that my team is using, are those appropriate for my business, and are those appropriate for the community as a whole? How do I know that? For instance, like, how do you know that Red Hat isn't making OpenShift look more secure? And you can go and validate.
B
B
Yep, yeah, there is, yeah, that's a great point. There is also the being able to, let's say, go and deploy it on various different platforms. You can get a look at functionality, usability. You don't necessarily have to go and interact with a salesperson. I can just go see if it works or not, which, as a millennial, I think is probably one of the biggest selling points, I think, for a lot of new technologies. Now it's like, oh, I got a free trial and it doesn't even come with a paid subscription.
B
At the end, it's awesome, and I do find a lot of the times too, you get locked into these big contracts where you don't end up using all the functionality that you ended up paying for at the beginning, and so one of the other advantages, just from a pure usability standpoint, is I can go in and see how much I'm actually going to use. The more I use Kubernetes, you know it, like, does it fit in with my CI systems, my integrations? Does it fit in with my SIEM tools?
B
You can get to test all that out without ever having to, let's say, get on those hour calls with, maybe they're a little intense and time constraint. You can go and thoroughly explore it, right?
C
I mean, piggybacking on that, that's also something that we try to take a lot of care of. For me, one of the most important things is lowering the barrier of entry, so I actively fought for us to have Docker images available where we can, to have docs, to have basically open sourced as much as we can, so you can just go ahead and get started. So I'm not entirely sure about the image locations.
B
Be, yeah, they'll be located on quay.io on release. I think community feedback, and there's still some conversation about Docker, but would love to get some community feedback on if that's something they'd like to see. Still got two weeks before release, and it's going to be a moving project after that. So look forward to all your feedback, and you can come and join the Zoom meetings. It'll be a very fun hour, and of course you can always come hop on the office hours and give us feedback. All right.
B
What's going on with that? And then, when you got into the engineering aspect, now you have two projects. So you have a community project and then you have a Red Hat project, so now you're building two pipelines, right? Now you're talking about how does that get built? What systems do you build it with?
B
How often are you going to build? Are you going to ingest PRs and requests? How often do you vet those? What types of considerations came in from taking, you know, something that's an upstream project and then, you know, building it, having to build it for the upstream and having to build it for the project itself, paid project?
C
Yeah, so the interesting thing is for the paid project, of course we have a build process because we're actively releasing, so that sorted out. Yeah, we're still in the process of figuring out how we can automatically generate off images for the open source version, for the upstream project. So what we're planning, or what we're trying right now, is doing automated release builds, and maybe something like, in the future, have something like nightly builds or unstable builds, if people are interested in that.
C
So again, we're in this dimension, we're completely relying on community feedback, so stop by the office hours, stop by the engineering meetings. Tell us. That's something we're quite open about. So of course, we had roughly a year of planning right now and we have a rough idea what we want to do and where we are right now, but that's subject to change, so we're not stopping investing time and work and energy into this project after release. We'll, of course, continue.
C
Work, continue developing and continue engaging with the community. Basically, so what we'll be doing is, besides the CI aspect, how are we talking? Let's talk about active contributions, because that might be interesting to, like, a lot of folks, which is, right now we're planning on having these monthly meetings, and in these meetings, what we'll do is beforehand.
C
B
Awesome, and so at release there'll be a blog detailing all of the locations to get to, but Matthias is working on a more detailed blog as well that, hopefully, we'll have basically it all summarized. You know, how to do a feature request, and, of course, we'll go over this at the first engineering meeting to get things kicked off as well. Again, you can subscribe to community stackrox.com, at community stackrox.com.
B
B
While you can't necessarily look, and you know, take maybe slightly, I don't say outdated, but an older approach and then bolt on security into Kubernetes, like, what has changed, you know, in the past six, seven years since Kubernetes has been adopted?
A
So I wouldn't say that it's about a change in Kubernetes. I think it's about a changing workflow for the security organization as a whole. So, as people start to think about shifting left and as people start to think about giving accountability for security to developers, we've really resulted in a world where there's a skill gap, and it's not a skill gap that it's reasonable to solve.
A
A
A
They want to see exactly how something is configured, they want to be able to validate if there are vulnerabilities, and the YAML behind the Kubernetes deployment is really the dream of an auditor. We've basically given an auditor a book with Kubernetes and said: this is the book, go read it. This is the exact configuration. Here are the images, and by the way, if you want to go inspect the Dockerfile to understand more about the configuration, go ahead.
A
At the end of the day, we need a community that can help bridge the skill gap, but in a way that, as Kubernetes is advancing so quickly over the last seven years, and it's really hockey stick in terms of its adoption, we need to be able to create a community focused on engaging in Kubernetes security, because the simple reality is that it's a different way of working and people are still trying to catch up in a large number of the world.
B
C
B
C
B
Project adoption, Argo CD was one of the biggest adopted in the last year, but you look at when they look at what the biggest requirements of teams are, security was number one. Finding good talent, I think, was two or three in the Kubernetes world, and yeah, it's very interesting. I think you have a lot of.
B
Maybe tools that are trying to be multi-platform, are trying to do containers and virtual machines and have all these integrations, and it's just a very difficult thing to scale, right? And so it might be something where, hey, you know, you have this big project, this big contract, maybe you try out StackRox from a team to team basis.
B
Do something greenfield, see if it works for that workflow, right? There's a bunch of different ways that you could use it, especially an open source project like that. This is pretty exciting, and at that level, right, just to, I mean, that's basically how I got started in Kubernetes. Had a server, set up Kubernetes, did Kubernetes the Hard Way, thanks Kelsey Hightower for that one, right? And then it's, okay, what applications can I go and install? All right, like, let's go set up Argo CD, let's go use Flux, right?
B
Let's try out Istio when it first got released and crashed my Kubernetes back in the old day, in the service mesh wars of, what was it, 2018, that, like, that was always the very interesting thing about it, and I think you're just now starting to see widespread adoption, because that security expertise is starting to catch up, right? Because customers are starting to feel like they can secure these platforms and manage risk accordingly, whereas before they were a little unsure. I mean, I remember I used to go into some customer calls and they'd be like, hey, Kubernetes.
B
A
A
I kind of use this as a proxy: how many security people do you know who exploited a remote code execution vulnerability on a container running as root and then picked up the default service account that was auto mounted and then tried to use that in order to get access to the Kubernetes API? That's really an incredibly simple thing to do, if you first are able to find that remote code execution vulnerability, but if people don't think I need to take these steps to secure and defense in depth is a thing,
A
then it's incredibly easy to do those things without a firm understanding, and most security people don't have that hands-on ability to think from an attacker's perspective and then translate that into a defense that's, in a way, that's tool specific, and they're learning that for Kubernetes, because Kubernetes has gotten such a widespread adoption, but it is still in the learning phase.
B
B
Some are going to have more crown jewels, very, maybe databases that are going to have different standards versus your stateless containers that are going to be Kubernetes. So a lot of different requirements, and you're asking a security team to develop all that policies before they even know what tools the developers are using, right? It's a tall ask.
A
This is simply a numbers game. Look at it this way: in reality, there's probably 100 to 200 security professionals at a humongous organization. So thank your fortune one, but that just doesn't scale, because they have so many developers and so many projects, there's no way to keep one, teach all of those 200 people how to do Kubernetes security in depth and also expect them to know every database, every web proxy server, every service that is potentially being used in the environment.
A
So it's just an unreasonable ask in a numbers game. So you can have a specific number of Kubernetes security experts, sure, but you're not going to scale that number of Kubernetes security experts to every development team developing on Kubernetes in your organization. That's just, in general, an unreasonable ask.
B
How do you find a platform like StackRox is best implemented?
B
Yeah, it is a tall task. Let's paint a picture for you. You have one security team, four people, five other teams, all slightly different build processes, you're gonna go and deploy StackRox. What's the general workflow like? Is it a deploy, visualize first, kind of take in information and then sift through, you know, setting baselines? What's the general workflow for deploying StackRox?
A
A
Security teams need to establish visibility in their organization and they really have a wildfire of: this is a green space and I need the visibility to even know where to start. So you start with visibility. You take your highest risk potential workloads and you start from there, but then you also need to start proactively cutting bleeding.
A
You want to make sure that new projects and new workloads coming into your environment meet your security standards. So people start first with the visibility and understanding where things are from a core set of best practices, and then they move, and their immediate next step is: I'm going to define policies.
A
What are my expectations of my development teams? Because without setting those expectations and communicating those expectations, it's really just a non-starter to say "go do all the things" to a development team before you define them, and expect that I'm going to change it in the middle of your sprint, and you have to adopt this. But so we realize human behavior is a thing and that people need reasonable expectations, so setting those policies, communicating them and cutting the bleeding by asking your development teams, hey, start testing
A
this in CI. Look for vulnerabilities in your images on new projects. Look for misconfigurations in your deployments according to this policy side of new projects, and then really going through and prioritizing and cutting the existing workloads. That's how most people approach it when they've already adopted Kubernetes, but if Kubernetes is greenfield, you start with defining those policies and going from there to ensure that those policies are adhered to on a go-forward basis. It all depends on where in your lifecycle, Kubernetes adoption.
B
Yeah, I do find there's two kind of camps with Kubernetes. One is develop as fast as possible, get your CI process and then bring in security to sort of work within the guidelines, or there's bring in security, here, the kind of strict guardrails, build within it, and then we can slowly open up as there's, not open up, but the policies become a little bit more, let's say, set in stone and things start to move faster as you get buy-in.
B
No, I definitely just cut out for a second and I'm supposed to have good internet. What happened?
C
Out, I don't know exactly what happened. So thing is, you can, of course, you can either have security come in after the fact, after the development, or have security come in first thing. So the question is, and the nice thing about StackRox is you can do both. So you can start rolling it out when you're already a little bit later in your life cycle and start with the reporting, or you can start by basically deploying your cluster, and first thing you do.
A
It's all about setting those guardrails for people to innovate, and that's why policies are usually the first step, because once you define those policies, you have an expectation for your development team that you can communicate. You can start to block things in admission controller, but also, from an incident response perspective, your security team, once you've defined those policies and what you want, has something where they can go in policy violations when they log into their platform on a Monday and know how to start triaging their Monday morning, based on those policies.
B
Completely make sense. Any more questions from the chat, Jamie?
B
Was, I think it was you that are having the internet issues? This is the first time I've had on stream, because I'm in Toronto and we have Jamie out in California and Matthias out in Europe. So this is a really stress on the internet here on this call. This is a lot of fun. Thanks for coming on, you guys. All right, some last questions from the chat. Otherwise I think we're just going to go through, basically make sure you guys have all the information you need coming up on March 31st.
B
I don't know the exact time. I think it's going to be like at midnight, like super dramatic midnight Eastern time kind of drop, maybe, or something like that, but there'll definitely be an announcement the day before for all you guys and, of course, I'll post, there's the Slack channel as well.
B
It's in the CNCF Slack, just hashtag stackrox. There's a bunch of former engineers and engineers that actually work on the project already that are extremely happy to answer any and all questions that you post, and if it's something that we want to do a Discord chat or, you know, I think we're up for anything, Matthias, right? We're hoping that you guys come on to the Zoom calls and give us your feedback, what you'd like to see and how you like to deploy the project.
C
Honestly, feel free to stop by. I guess we'll start with the Zoom calls, but if community demands that we, or asks that we move to something else, I'm happy to set up anything that the community is interested in. So again, keep coming by, keep the feedback up. Just drop us a line. See you guys. I'm looking forward to this. Actually, I'm very, very hyped. Actually it's.
B
It's been a long year, right? I think we've all been getting on these weekly meetings like, all right, what do we got to do? What do we got to do? And then it's, hey, here's this crazy blocker that we didn't consider.
C
I don't think that we cleaned these, so I think we had quite a lot of spring.
B
That's too funny, there's a lot of them. I tried, like, if we did do an easter egg, what do you think we should do? We need to, I need a community easter egg. We need to put one in. Anyways, join April 12th, first engineering meeting, and you can pitch some ideas. Absolutely, yeah. Definitely, that'd be awesome. All right, Matthias, Jamie, thank you so much for joining. Everybody, for watching, thanks again. Office hours.
B
B
B
Take care and have a good rest of your night, afternoon, and maybe some people are waking up in the morning, but take care everyone.