►
From YouTube: StackRox Office Hours (E6): Argo CD Security Practices
Description
Join Michael Foster and Christian Hernandez in a discussion around Argo CD, GitOps and integrating security into your development pipelines. They’ll be discussing Argo CD and how to use the application securely while maintaining the development speed that your team requires. As always, they’ll be taking questions live and doing a short demo!
Come with all of your GitOps and security questions. And we’ll see you live, on February 15th!
A
A
A
Hello,
hello
and
welcome
to
another
stackrock's
office
hours,
the
second
of
the
year,
I'm
super
excited
to
have
a
special
guest
christian
hernandez
on
we're
going
to
be
talking.
Argo,
cd,
security,
best
practices,
supply
chain
security,
all
the
good
stuff,
all
the
hot
topics
and
we're
coming
off
of
some
pretty
exciting
news.
Actually,
so
thanks
everybody
for
joining
before
I
get
into
it.
Christian
introduce
yourself
welcome
to
the
show-
and
let
us
know
what's
going
on
in
the
argo
cd
side
of
the
world.
B
A
B
Thank
you
for
having
me
on.
Yes,
my
name
is
christian
hernandez.
I
am
a
technical
marketing
here
at
red
hat,
focus
on
openshift
get
ops,
which
is
our
supported,
offering
of
argo
cd,
so
yeah,
so
I've
been
I've
been
here
at
red
hat
for
almost
eight
years
now,
so
it's
been
a
while
so
kind
of
funny.
Funny
background
how
I
got
here
at
red
hat,
I
was
like,
like
some
red
hatters,
I
was
a.
I
was
a
customer
and
I
was
poached.
B
I
was
actually
the
so
fun
fact
for
for
everyone,
so
only
for
your
show
because
I
haven't
said
it
on
my
show.
Yet
I
was
actually
the
second
openshift
sa
hired
in
north
america.
So
if
you
believe
that
so
for
you
red
hatters
I'll,
give
you
a
moment
to
process
that
there
was
only
two
openshift
essays
in
north
america
at
the
time.
So
I
was
very
busy.
You
know
I
my
background's,
basically
mostly
operations
systems
management,
that's
kind
of
where
special
place
in
my
heart
right.
B
So
andrew
sullivan,
you
know
he.
You
know.
I
talked
with
him
a
lot
because
that's
kind
of
you
know
I
see
eye
to
eye
with
him
a
lot
of
things
because
he's
in
the
operations
ask
of
it
later
on
in
my
career,
actually
moved
into
like
more
like
sre
work,
and
so
that's,
where
kind
of
the
first
taste
I
got
of
like
cicd
and
application
delivery,
and
you
know
keeping
the
lights
on
sort
of
thing.
So.
A
A
So
that's
one
of
the
main
reasons
why
I
want
to
have
you
on.
You
know
such
a
a
big
background
that
you
have
and
honestly
that
that
project
is
is
moving
extremely
quickly.
So
I
would
love
to
you
know
for
anybody
out
there
who
doesn't
know
argo,
maybe
break
down
the
argo
project
a
little
bit
into
its
subgroups
and
and
what's
going
on
in
the
space.
B
So
argo
is
a
a
project
right,
an
umbrella
housing
project
for
a
tooling
that
was
created
at
intuit.
So
the
the
argo
project
has
its
history,
add
into
it
and
to
it
actually
the
the
they
were
consulting
with
the
company,
athletics
and,
and
then
they
basically
said
these
guys
are
great.
We're
just
gonna,
buy
the
company
and
move
them
in-house
and
they
ended
up
doing
that
and
so
and
from
there
they
they
birthed
a
bunch
of
projects
right.
B
So
one
project
being
argo
cd,
another
one
very,
very
popular
is
argo,
workflows
and
there's
other
like
argo
events
and
I'm
missing
one,
the
one,
the
one
that
works
with
istio,
I
completely
forget
the
name:
oh
man,
they're
gonna
beat
me
up.
If
I
forget
the
name:
rollouts
argo,
rollouts,
argo,
rollouts,
right
and
so
argo
is
basically
an
umbrella
project
created
by
intuit,
open
source
by
intuit.
That
was
kind
of
their
strategic
plan
to
enter
the
open
source
community
to
basically
take
all
the
tooling.
B
They
were
using
in-house
and
open
source
it
and
so
so
yeah
rollouts.
Thank
you.
I
knew
I
knew
I
was
gonna.
Someone
was
gonna
help
me
there
so
yeah.
So
basically,
intuit
said:
hey
we've
done
a
lot
of
cool
things
that
helped
us.
You
know,
deploy
our
applications
out,
let's
just
open
source,
this
stuff
and,
of
course,
red
hat
being
red
hat
jumped
on
it
saying
this
is
great
software,
so
I
am
so
being
technical
marketing.
B
B
Another
argo
con
later
of
the
year,
so
I
will
look
for
that
announcement
and
again
I'm
a
I'm,
a
big
fan
of
the
software,
and
so
there's
been
a
lot
of.
I
do
have
one
commit
with
argo
cd
very
small
commit,
but
I
do
have
a
commit
so
as
as
an
end
user,
I
do
try
to
improve
the
the
software
as
much
as
I
can
as
time
permits.
A
B
That's
the
goal,
obviously
yeah.
The
goal
is
to
look
like
yeah,
so
the
the
the
goal,
so
it
was
donated
to
the
cncf
right.
So
it
is
an
incubating
project
and
they're.
Actually,
looking
for
graduation
there's
actually
one
more
one
more
hurdle
that
they
need
to
to
clear
for
for
graduation,
but
that
you
know
the
expectation
is
graduating
by
the
end
of
this
this
year
to
be
a
fully
graduated
project
in
the
cncf.
B
A
Yeah
we
just
do
a
little
bit
of
an
accent.
You
know,
but
yes,
that
that
would
be
amazing
and
with
such
an
uptick
in
obviously
supply
chain
being
so
hot.
I
did
obviously
want
to
bring
you
on,
because
there
are
some
anti-patterns
that
I
see
with
kubernetes,
especially
you
know
in
deployments
right,
so
I
figured
it
was
a
good
use
case
to
bring
you
on
and
chat
argo
cd,
how
to
configure
it
securely.
Yeah.
B
Yeah
yeah
and-
and
I
do
like
the
the
fact
that
you
brought
up
supply
chain
because
I
think
a
lot-
you
know
talking
about
argo
city,
you
you
talk
about
git,
ops,
a
lot
and
right.
The
get
ops
is
essentially
the
cornerstone
right
of
the
the
software
delivery
pipelines
right
because
the
the
whole
automation
that
takes
place-
you
can
use
things
like
argo
cd.
For
some
of
that,
some
of
that
you
know
supply
chain.
You
know,
building
security
first,
in
that
whole
process
is
very
important
and
so
yeah.
A
B
Like
to
kind
of
go
over
some
of
the
some
of
the
patterns
that
you
can
use,
argo
cd
with
you
know
I
I
messaged
you
saying,
like
I
kind
of
want
to
go
over
like
this
goofus
gallant,
the
sort
of
sort
of
idea.
So
I
don't
know
if
you,
if
any
of
you
remember
goofus
gallant.
This
was
maybe
I'm
aging
myself,
I'm
not
sure,
but
it's
kind
of
like
the
kid
that
does
the
bad
thing
versus
the
kid
that
does.
B
It
should
work
right
because
I've
done
you
know
things
like
this
before,
but
we'll
see
if
the
demo
gods
are
are
happy
with
me,
but
I
do
kind
of
want
to
go
go
over
kind
of
like
when
someone
gets
started
with
get
ops,
some
of
the
with
openshift
get
ups,
which
is
argo
cd.
Some
of
the
things
that
people
automatically
do-
and
maybe
you
should
probably
think
twice
about
before
doing
so.
A
A
B
A
B
A
B
B
B
What
the
so
one
of
the
things
that
that
openshift
getups
with
you
is
like
that
integration
with
openshift
right,
and
so
you
can
either
use
the
the
argo
cd
odic
connections
right
or
the
the
openshift
authentication
right.
Obviously
I
recommend
using
the
openshift
authentication,
so
you
have
that
single
source
of
where
people
can
log
in
right
and
so
which
makes
it
convenient
right,
and
so
here
I
created
a
user.
B
B
B
So
talk
about
an
overloaded
term.
I
think
projects
are
overloaded
term,
but
this
is
so
here.
Argo
cd
has
its
own
concept
of
projects
so
where,
whereas
in
kubernetes,
slash
openshift
the
you
know,
project
the
name
spaces
right,
the
one
project
associates
the
one
name
space,
whereas
in
inargo
city
a
project
could
span
many
name
spaces
right.
A
project
is
basically
a
housing
for
your
application
and
your
application
can
spend
multiple
namespaces
but
we'll
you
know,
for
the
sake
of
this
here,
we'll
we'll
do
project
we'll
do
default.
A
B
A
B
So
here
this
is
the
application
right,
so
this
is
kind
of
the
yaml
view
of
what
I
was.
What
I
was
doing
in
the
ui,
but
to
kind
of
say,
hey,
hey,
you
know,
I'm
gonna
deploy
some
corkus
app
right
in
this
name
space.
You
know
this
is
where
it
trips
up
people
name
space.
But
then
you
have
project.
These
are
different
things.
So.
B
B
Yeah
yeah
yeah,
so
this
is-
and
this
is
kind
of
like
the
openshift
default
for
almost
everything
and
which
is
it's
kind
of
like
the
argument
you
always
have
with
people.
It's
like
openshift
is
hard
like
no
openshift's
secure.
You
know
you're
used
to
like
being
able
to
do
everything
we
don't
allow.
So
then
what
what
people
end
up
doing?
They
they
go
here
and
they
say:
okay,
we'll.
You
know
screw
that
if
I
do
oc
just
get
sa
open
shift,
get
ops,
yeah.
A
A
B
B
B
A
B
B
So,
like
going
back
to
the
supply
chain,
conversation,
it's
like,
if
you're
doing
a
supply
chain
delivery
on
an
application
that
may
be
fine
to
give
cluster
admin
to
your
argo,
cd
or
whatever
get
ops
controller
you
have,
but
then
you
need
you
need
to
go
in.
You
need
to
either
trust
it
or
don't
trust
it
right.
So
you
need
to
either
absolutely
trust
it
and
not
let
anyone
log
in
to
openshift
right
or
argo
cd,
because
argo
cd
has
that
access.
A
B
B
So
this
is
why
you
see
the
multiples,
so
here
let's
go
developer
and
set
up
the
same
account
here
like
the
the
the
same
thing
right
another
like
I
guess,
not
bad
or
another
anti-pattern
I
see
is
that
like
here
I
can
go
here
and
go
to
app
details
and
I
can
do
edit
oops,
not
their
parameters
edit
and
I
can
say,
hey.
I
want
to
change
this
from
two
to
like
three
then
save
this
here,
so
it'll
actually
deploy
that
that
pod,
so
within
the
ui.
B
So
I
think
this
is
what
they
call
click
ops
right
so
like
for
me
from
like
being
a
get
ops
guy,
like
I
wouldn't
do
this
like
I,
I
would
actually
check
in
this
yaml
and
keep
this
in
version
control.
So
even
if
I
edit
this
in
the
ui
it'll
just
revert
it
back
to
the
you
know
to
the
known
state
right
to
the
state
that
I
that
I,
that
I
set.
So
that's
like
another
kind
of
anti-pattern
that
I
see
if
you're.
B
A
B
B
B
I
have
that
this
is
it
yes
have
the
same
helm
chart,
but
then
then
it's
checked
in
right.
Also,
another
thing
which,
which
you
brought
up
like
you,
can
give
argo
cd
access
specifically
to
specific
namespaces
is
that
I
annotated
this
namespace
right
and
so
by
default.
Argo
doesn't
have,
like
I
said,
doesn't,
have
access
to
deploy
anything
to
other
namespaces.
You
can
actually
go
and
granularly
add
those
in
after
the
fact.
A
A
B
An
app
project
right
so
here
so
this
is
kind
of
this-
is
where
you
define
your
argo
city
application.
So
you
have
I'm
sorry,
argo
cd
project,
so
I
gave
it
a
name
what
resources
it's
a
it's
allowed
to
use,
so
you
can
actually
even
say
this.
This
project
can
only
deploy
secrets,
for
example,
right
right
here.
B
To
this
specific
name,
space
is:
is
the
only
project
right
source
repos,
meaning
like
if
you
have
different
git
repos,
you
can
list
them
like
so
like
this
app,
so
you
can
get
pretty
granular,
as
you
see
here,
just
in,
like
you
know,
within
this
repo,
only
deploy
it
to
this
specific
cluster
in
this
specific
namespace,
and
only
these
specific
resources
right.
So
you
can
get
pretty
granular
and
oh,
and
on
top
of
that
you
can
assign
roles
to
them
right.
B
A
B
And
so
just
a
kind
of
like
quick
background
on
on
roles-
and
this
is
this:
always
trips
up
people
there's
only
two
roles
in
argo,
cd,
full
admin
and
read-only,
and
so
and
so
like
you
can
either
give
people
the
world
or
nothing
right
and
then
the
reason
for
that
is
that
everything
else
is
granular
right.
Let
me
make
this
a
little
bigger,
so,
okay,
everything
else.
B
A
B
Able
you
can
get
that
and
within
for
all
applications
under
the
price
list,
application
that
project
you
can
you
can
sorry
in
the
name
space
in
the
project
price
list,
you
can
get
all
applications
right
if
you're
allowed,
so
I
always
read
it.
The
other
way
around
I'm
allowed
to
get
all
applications
in
the
priceless
namespace
is
essentially
is
what
and
then
you
basically
have
to
do
it
for
each
one
right.
So
it's
really
granular,
you
have
to
say
I
can
get
it.
A
What's
nice
about
this
is,
and
you
got
to
think
that
probably
operations
isn't
doing
all
of
this
work.
What's
nice
is
you
can
go
and
say:
hey
here
is
admin
for
this
namespace,
let's
say
complete
control,
and
then
you
give
it
to
maybe
your
head
developer
and
operation
for
the
application,
and
then
they
can
go
and
decide
based
on
their
team
structure.
What
makes
the
most
sense
right,
yeah,
but
overall
I
know
that
they
can't
break
out
of
that
one
namespace,
because
I've
carved
out
that
project
right.
A
That's
their
bubble,
and
so,
like
you,
have
your
main
operations,
that's
kind
of
like
you
know
what
here
I'll,
let
because
you
don't
want
to
be
sending
all
these
emails
to
developers
on
applications.
I
just
kind
of
carve
out
those
bubbles,
and
then
you
have
different
teams
with
different
access
and
they
can
co-exist
and
get
as
as
fine-grained
as
they
want
to
get
right
with
permission.
A
A
B
B
And
there's
different
ways
of
doing
that.
Right,
like
this,
is
one
way
of
doing
it.
Another
way
of
doing
it
is
have
multiple
argo
instances
running
because
you
can
just
because
it's
an
operator
right,
so
you
can
install
an
op,
the
argo
cd
operator
to
like
the
cluster
operator
to
like
manage
the
cluster,
but
then
say:
hey
developer,
here's
your
own
private
version
of
argo
cd.
That's
another
way
of
doing
it.
A
lot
of
a
lot
of
teams.
Do
it
that
way.
Yeah.
A
B
So
if
I'm
using
a
floating
tag
like
dev
and
someone
changes
just
force,
pushes
an
update
on
the
image
like
then
then
there's
a
then
the
application
updated
without
me,
knowing
right,
and
so
there
is.
There
is
a
project.
It's
it's
within
argo
cd
project.
They
have
like
argo
cd
labs,
so
it's
guys
like
their
sandbox
way.
There's
a
project
called
argo
city
image
updater,
which
the
the
idea
behind
it
is.
It
takes
a
lot
of
that
guesswork
out
of
how
to
update
manage,
maintain
those
those
images.
A
Yeah
it
to
me,
it
also
depends
on
how
you're
going
to
implement
it
if
you're,
implementing
continuous
deployment
right,
where
it's
an
automatic
update,
just
understand
that
there's
security
implications
behind
having
any
sort
of
automation
make
changes
like
that.
For
me,
I
personally
would
rather
there
be
some
sort
of
manual
process,
automate
everything
up
into
the
point
where
somebody's
saying
yes,
this
is
the
tag
that
we
want
to
go
with,
but
really
there
should
be
some
sort
of,
even
even
though.
A
B
A
B
When
I
say
floating
tags,
I
don't
mean
like
environment
tags
like
dev
this
one's
tagged
as
prod.
I
mean
like
actual
versions,
sometimes
I'll,
like
the
git,
commit
I'll
chop
off
like
the
last
six
digits
or
whatever,
and
use
that
as
a
tag.
So
it
corresponds
to
a
commit
that
I
did
but
yeah
so
a
lot.
So
what
part
of
what
the
argo
cd
image
updater
does
is
you
can
have
it
do
a
pr
right
so,
like
you
can
have
it
like?
B
B
Yeah
yeah,
no,
no,
this!
This
is
all
great
conversation.
No,
I
love
it.
I
do
want
to
point
out,
though
here
so
you
know,
I
I
did
say,
there's
only
two,
there's
only
two
roles
read
only
and
admin.
Thank
you.
You
might
be
saying:
hey
christian.
I
see
you
have
role
developer
here
so
like
what
constitutes
a
developer
like
how,
where
did
that
come
from
right,
so
they
say
this
is
policy.
This
is
what
the
policy
applies
to.
This
is
the
object.
B
A
B
B
A
B
A
B
So
I'll
let
that
simmer
a
little
bit,
because
it's
really
really
confusing
it
took
me
a
while.
I
can
barely
explain
it
now,
but
let's
recap
here:
I'm
defining
whoever's
part
of
the
developer
group
gets
assigned
a
brand
new
role
that
I'm
creating.
So
I'm
creating
this
right
now
called
role
developer.
What
can
that
developer?
Do?
It
depends
how
you
define
it
in
your
project,
yeah,
so
just
kind
of
two
two
ends
of
it:
how
that
so,
then,
how?
How
does
that
come
through
right?
How
does
that?
Let
me
go
back
here.
B
B
So
if
I
do
a
oops
but
oc
get
groups-
hey,
that's
that's!
Well!
You
can
you
can
it.
It
says
that
I'm
part
of
the
developer
group
right
so
that's
kind
of
how
you
tie
it
all
together.
You
have
three
things
right,
so
you
have
the
oauth
saml.
Whatever
you
want
to
do
right,
I'm
using
ht
password.
You
can
use
sso
whatever
right
how
that
group
comes
in
inside
of
openshift.
You
can
then
tie
it
to
argo
cd
here
and
then
from
there.
You
can
tie
that
into
your
back.
A
B
A
So
it's
nice
to
be
able
to
group
it
all
together
and
then
just
say
here,
argo
you
handle
deployment
within
this
and
then
we'll
handle
everything
role
wise
within
a
user
interface.
That
can
then
also
be
declarative
too
right
which
yeah
to
me.
That's
awesome
because,
like
let's
say
your
operations
team,
you
can
go
and
work
with
one
team
to
create
a
template
that
then,
can
be
shared
out
to
say:
hey,
here's,
a
default
of,
let's
say
senior
engineers
and
junior
developers
or
something
like
that
default
permissions
in
argo.
A
B
Yeah
yeah.
Actually,
so
this
is
proof
here
that
I
didn't.
I
didn't
test
this.
I
I
know
what
the
error
is
right.
It
says,
resource
quota
is
forbidden
so,
like
I'm,
not
actually
allowed
to
set
a
resource
quota
here.
So
this
is
actually,
I
might
file
a
bug
on
this,
I'm
not
sure
hold
on
desired
minutes.
B
A
B
A
B
Wait
I
have
to
go
over
here
and
do
this,
so
I
have
what
they
call
an
app
of
apps
pattern
unable
to
deploy
revision
yeah.
So
this
is
my
this
is
my
rbac
right,
so
I'm
logged
in
as
developer.
This
is
my
r
back
coming
into
play,
because
I
can't
actually
sync
this
this
here.
It
won't.
Let
me
because
I'm
a
developer
right
so.
A
B
So
I
see
here
admin-
oh
oh,
I
forgot
to
mention.
You
can
set
a
default
policy
right
so
default
policy.
I
said
to
read
only
so
if
it
can't
find
the
user.
So
if
I
didn't
define
it
here
on
lines,
83
and
84,
I'm
pointing
at
the
screen
like
as
if
you
can
see
me
if
you
can't,
if
you
don't
define
like
lines
here,
83
and
84,
if
you
don't
define
it,
you
can
have
a
default
policy
to
say
well,
read
only
right,
so
you
could
be
a
catch-all
yeah.
A
B
A
B
B
Yeah
yeah,
it's
yeah,
so
it
is,
it
is
convoy's
lie,
so
it's
almost
like
it's.
You
know
if
you're
having
trouble
with
like
with
your
git
repo
or
like
with
your
git
structure,
it's
actually
not
it's.
Actually
the
problem
is
you
like
it?
It
honestly
is
it's
like
your
organization,
isn't
allowing
for
these
processes
right
and
so
sometimes.
B
B
B
A
B
So
so
anyways
the
reason
why
my
my
app
isn't
syncing,
even
though
I
have
the
annotation,
is
because
the
annotation
is
a
predescribed
set
of
of
it's
basically
a
role
right.
It's
a
predescribed
role.
So
when
you
annotate
that
the
back
end
controller
sets
all
this
up
for
you,
so
you
don't
have
to
worry
about.
One
of
the
things
that
it
doesn't
involve
is
actually,
if
you
notice
here,
if
you
look
at
the
resources,
there's
no
resource
quarter
right
so
like.
B
A
B
B
A
B
A
B
A
B
B
A
A
Kubernetes
has
done
a
lot
of
work
on
on
memory
and
actually
auto
scaling
based
off
memory.
There's
some
features
that
came
out
the
last
couple
of
releases,
but
I
remember
what
two
or
three
years
ago,
when
you
just
get
the
out
of
memory
all
the
time
and
the
cleanup
for
those
was,
was
not
really
succinct
in
kubernetes.
It's
a
huge
challenge.
B
A
B
B
B
B
A
So
many
different
permissions
now
that
getting
the
the
cluster
user
project
permissions
correct
without
allowing
for
too
much
permission
is,
is
a
big
challenge,
because
you
get
into
these
situations
where
sometimes
it's
you're
not
quite
sure
exactly
how
to
debug
it.
And
so
you
just
log
in
as
admin
and
hit
sync
right.
A
And
that's
exactly
what
every
human
would
do,
and
so
you
need
to
kind
of
you
need
to
have
these
processes
in
order
that
are
actually
one
useful
too
easy
like
there's
the
whole
level
of
security
of
you
know
if,
if
an
update
means
you
know,
chrome
comes
down
and
it
comes
down
for
five
minutes.
Well,
I'm
less
likely
to
hit
the
update
button
right
yeah.
So
we
need
to
get
to
to
get
rid
of
those
anti-patterns
get
set
up
properly
and
and
make
sure
that
people.
A
B
Yeah
and
this
this
is
actually
like-
you
said
an
actual
like
like
a
good
thing
that,
like
even
me
as
admin,
can't
sync
this.
You
know
good
news
operate
good
news,
bad
news
with
operators
right
like
the
operator,
you
know
switches
that
back.
You
know
whether
or
not
you're
you're
able
to
set
set
resource
quota
that
should
be
up
to
your
organization.
B
A
A
Really
cool
I
found
is
but
like
we're
talking
about
argo
cd
for
developers,
but
argo
cd
for
your
offer
for
operations
teams
would
be
awesome
too
right.
You
have
a
git
repository,
you
have
you
know
your
operator
declarations
and
yamls
and
stuff
like
that,
and
you
can
make
changes
and
then
sync
and
update
the
cluster
in
a
version
controlled
manner
too
right.
B
Which
is
a
lot
without
that's
why
I,
you
know
you
and
I
both
deal
a
lot
with
with
our
field
here
at
red
hat
as
well
as
customers
and
I've.
Seen
that
pattern
a
lot
where
kind
of
like
where
I
mentioned
before,
where
there's
a
admin,
argo
cd
instance
and
that's
kind
of
like
the
overarching
instance
that
sets
up
the
cluster
for
multi-tenancy,
so
you
can
still
have
multi-tenancy.
B
I
think
that's
where
I
think.
That's
where
openshift
shines
a
lot,
there's
a
lot
of
tools
for
multi-tenancy,
and
so
we
having
being
able
to
still
leverage
the
multi-tenancy
and
still
have
like
total
control.
Is
this
something
that's
really
powerful
something
you
could
do
with
argo
cd
right
so
like
with
argo,
you
have
the
cluster
argo
and
then
you
have
maybe
tenant
argos.
I
guess
is
what
you
know.
A
B
A
Then
you
have
those
those
default,
let's
say
cluster
setups,
maybe
some
of
them
are
dev.
Some
of
them
are
tests,
some
of
them
are
green
field
deployments
or
something
like
that
and
you
can
use
acm
or
so
or
like
acm,
is
a
policy
engine
to
go
and
then
deploy
those
new
clusters
too
right?
So
everything
has
code
for
operators
and
developers
and
then
yeah.
A
And
so,
and
then
it's
nice
too,
because
you
get
your
security
experts
to
go
in
and
say:
okay.
Well,
here
are
the
hardened
defaults
like
these
are
the
things
we'll
we
can
change
on.
These
are
things
we're
not
going
to
compromise
on
and
maybe
in
this
cluster
we
can
allow
a
little
bit
more
flexibility,
because
maybe
it's
all
stateless
right.
B
Yeah
yeah,
what
another
I
think,
like
I'm
thinking
more
of
also
just
like
the
the
process,
so
like
argo
cd,
will
keep
your
cluster
in
sync
right,
but
like
how
things
get
into
the
cluster
is
also
an
important
thing.
You
know
you
know
you
you
came
on
my
stream
talk
about.
You
know
you
scan
the
images
right
like
how
did
those?
How
did
those
images?
B
You
know
that
with
all
those
vulnerabilities,
how
did
they
end
up
on
my
cluster
right
and
essentially
it's
just
like
my
process
is
broken
right.
The
process
of
you
know
you
can
have
you
know
the
drift
detection
is
fine,
but
like
what,
if
it,
what
what
if
the
the
declared
state
is
bad
right
like
what,
if
I'm
running
an
image
like
how
do
I
you
know?
How
did
that
get
into
my
cluster,
and
I
think
a
lot
of
you
know.
B
We
at
least
I
think
more
time
should
be
spent
on
the
ci
part
right
on
the
pipeline.
Part
where
it's
like,
hey,
you
know
cube.
You
can
do
cube
linter
right
for
for
your
yaml
and
then
you
can
do
an
image
scanning
and
depending
on
your
criteria,
you
can,
you
know,
allow
to
promote
that.
You
talked
about
gating
gating,
I
think,
is
very
important
as
well.
A
Yeah,
the
there
is
a
lot
of
time
spent
on
runtime
detection
drift
prevention
right.
Those
are
sort
of
your
break
glass
things
right.
If,
if
argo,
let's
say
is
automating
something-
and
it
gets
to
the
point
where
all
of
a
sudden
something
you
know
crashes
or
there's
a
vulnerability
that
was
introduced
because
of
an
automatic
update,
it's
nice
to
have
a
tool
to
automatically
notify
you
to
say
hey
by
the
way.
A
There
is
a
serious
vulnerability
like
a
log
for
shell,
that's
in
your
in
your
cluster
in
a
container
and
something
that
is
close
to
something
important
right.
Maybe
a
storage
device,
there's
also
the
difference
between
something,
that's
stateless
that
doesn't
really
have
high
impact
right
and
it
has
maybe
bash
capabilities.
A
So
yeah
that's
a
little
bit
of
a
different
situation
right
because
maybe
it's
not
publicly
available.
It's
very
it's
a
maybe
a
developer
tool
to
diagnose
things,
low
impact,
especially
in
dev
cluster,
so
there's
how
we
adjust
and
and
look
at
things
in
the
cluster
and
then
how
we
adjust
upstream
is
the
biggest
part
and
if,
if
you're,
if
you're
the
security
team
that
just
says
hey
by
the
way,
this
container
is
not
or
it's
too
vulnerable
for
us
to
run
the
cluster
like
you
have
to
go
and
fix
it.
A
That's
not
really
useful
for
the
developer
right,
yeah.
Realistically,
it
should
be
sort
of
cordoned
off.
You
should
go
into
the
process
upstream
with
argo,
cd
or
some
or
your
ci
process.
Whatever
you
have
set
up
and
say
hey,
these
are
the
packages
that
we're
not
going
to
let
through
so
you
just
need
to
update
and
and
we'll
notify
you
if
anything
like
that
happens
right
and
honestly,
if
you
can
do
it
in
an
automated
way.
That's
awesome.
Imagine
having
like
something
like
acs.
Does
this
imagine
having
yeah?
A
A
B
You
know
that
that's
I
hold
the
supply
chain
developer,
like
I
always
think
about
it.
Like
I
think
I
don't
know
who
said
it
is
like
henry
ford
right
because,
like
an
assembly
line,
something
is
bad.
I
just
knock
it
off
the
assembly
line
right
and
then
you
know
in
you
know
the
cars
don't
get
built
with
some
with
a
bad
part.
It's
essentially
that's
that's
the
idea.
Someone
in
chat
actually
luis,
said
better
one,
argo
cd
per
cluster.
I
actually
agree
with
that.
B
B
Is
the
idea
of
I'm
taking
your
cube
ctl
away
like
I'm,
taking
oc,
cube,
ctl
away,
I'm
installing
argo
cd
and
if
you
want
any
changes,
submit
a
pr
right
and
so
and
then
you
know
it's
it's
kind
of
like
that
that
that,
if
you
think
of
a
pipe
the
faucet
right,
that
has
multiple
points
where
you
can
control
the
water
flow
right.
So
you
either
control
the
flow
you
know
in
your
git
repo
or
you
control
it
in
argo
cd.
That's
me,
but
I
understand
not.
A
A
And,
and
how
is
those
permissions
working
and
by
the
way
like?
Are
you
giving
cube
config
files
out
to
everybody
like
how
are
you?
How
are
you
ingesting
it?
How
are
you
getting
your
developers
up
and
running,
there's
so
much
more
operationally
that
it's
involved,
so
you
know
setting
that
up
where
hey
you
have
this.
A
B
B
B
B
B
You
have
it
all
right
cool
what
I
what
I
found
funny
most
about
everything.
Is
they
used
the
red
hat
logo
and
just
turned
it
black
to
to
indicate
a
hacker,
but
okay,
that
is
pretty
funny,
so
anyways,
a
too
long
didn't
read
version
of
the
cve
is
that
you
can?
There
was
a
there
was
a
way
to
traverse
the
directory
structure
within
inside
of
argo.
B
B
Argo
cd
has
what
they
call
the
is
made
up
of
different
controllers.
One
of
the
controllers
is
oh.
I
just
noticed
that
you
can't
see
it
there
we
go
here.
One
of
the
controllers
is
called
the
repo
server
and
its
job
is
to
basically
do
the
git
clone
and
the
like
get
essentially
does
a
git
clone
get
fetch.
B
Does
everything
with
the
the
repos,
even
when
you're
using
a
helm
chart
it?
It
saves
it
in
in
the
repo
server
right.
It's
just
like
a
generic
repo
server.
So
this
here
they
they
found
a
way
to
hop
from
one
application
to
another.
So
here
here,
argo
cd
see
each
one
of
these
little
cards.
Here
is
an
application
right
and
and
they're
supposed
to
be
self-contained
right.
So
the
vulnerability
is
that
they
found
a
way
to
hop
from
this
application
to
another
application
and
see
that
applications,
data,
yeah.
A
B
A
B
B
B
Of
openshift
right,
so
bishop
4.6
has
a
has
a
version
of
openshift
get
ops
which
is
kind
of
older
version
of
argo,
but
they
back
ported
that
fix
for
that.
So
it's
one
of
the
you
know
right.
It's
a
red
hat
show.
So
I'm
telling
you
it's
one
of
the
many
great
things
you
get
from
red
hat
is
the
backporting
fixes,
because
yeah.
B
Yeah,
essentially
it
is
upgrade,
was
it
would
be
here,
but
we
went
back
and
and
we
back
ported
that
fix
so
if
you're
running
openshift
get
ups
just
make
sure
you're
running
the
latest
version
of
whatever
version
that
you're
on.
So
actually
I
had
this
up
here.
Where
was
it?
It
was
on
for
version
for
openshift
4.6.
You
need
to
be
on
1.3.3
or
newer
or
1.4.2
for
for
any
other
version,
so
awesome.
B
So
this
is
cool.
This
is
kind
of
you
know
showing,
and
this
is
kind
of
cool
actually
goes
into
the
code,
but
it
it.
It
shows
that
the
argo
city
community
is
has
has
essentially
security
built
into
the
culture
right,
so
they
hire
people
to
say,
hey
find
some.
You
know
something
wrong.
They
find
something
bad
all
right,
cool,
we'll
patch
it
it's
kind
of
like
their
you
know.
Mantra
for
is,
is
security
first
and.
A
Honestly,
this
is,
we
do
have
to
go.
This
is
a
great
wrap
wrap-up.
Actually,
because
I
did
want
to
touch
on
two
things
is
one
the
the
speed
at
which
open
source
community
comes
around
to
fix
security
vulnerabilities
when
they're
there,
I
I
think,
is
impressive.
I
think
people
are
used
to
having
their
security
applications
gated
behind
some
sort
of
subscription
service.
But
then
how
secure
is
your
security
platform?
A
You
normally
are
giving
your
security
platform
admin
permissions
in
a
lot
of
your
clusters
and
environments
right,
so
it's
nice
to
be
able
to
have
eyes
on
these
things,
to
trust
them
and
yeah.
That's
a
great
segue
to
basically
just
saying
everybody
come
back
in
a
month.
We're
going
to
have
some
stack,
rocks,
open
source
news
for
y'all
that
are
watching,
and
you
can
join
christian
gitop's
guide
to
the
galaxy.
Is
it
every
two
weeks.
A
Nice,
yes
and
there's
there's
a
previous
bunch
of
previous
stuff.
It's
all
on
youtube!
If
you
want
to
go
check
it
out,
I
did
a
talk
about
stack,
rocks,
showcasing
acs
when
we
first
got
acquired
and
brought
over
red
hat,
so
you
can
check
all
that
stuff
out
in
the
library
christian
thanks
for
joining
thanks
for
your
talk.