Description
Learn the do’s and don’ts of implementing a successful Kubernetes security strategy from hands-on practitioner Connor Gorman, sr. principal software engineer at Red Hat (previously StackRox).
Get your Kubernetes Security 101 questions answered in our monthly StackRox Community Office Hours and check out stackrox.io
B
So, for those of you who are familiar with, right, you're used to seeing Chris Short here in the chair. I am, or Chris is having some technical difficulties today, I'm having difficulty speaking, so Chris will be rejoining us as soon as all of that gets sorted out, but I was able to, my schedule allowed me to step in and join here today for what is something that I'm really excited about. I see Waleed, I see you made a comment there about, you didn't see this on the Twitch schedule. I didn't either.

I didn't know about this until kind of the last minute, so I'm really excited to be here. So today we are joined, we are here for what is the first of these StackRox Community Office Hours being hosted on openshift.tv, so I know that the StackRox folks have been doing these for a while now on different platforms, but it's really exciting to have it being hosted here. So joining us to talk about, or to host for today, and I believe I'll let you handle the subject here, Connor, but is Connor Gorman. So, Connor.
A
Yeah, I'm, I'm Connor Gorman, I'm a senior principal engineer at Red Hat ACS, Advanced Cluster Security, formerly known as StackRox. I've been at StackRox and now ACS for really close to four years now, four years in August, so, you know, worked on the product for a long time. You know, I'm really excited about all the progress we made and excited for the progress for the future.

In this office hours I really just want to introduce a brief, do a brief overview of our product and what we're working on, and, and also just answer any questions anyone has around Kubernetes security, cluster management, anything related to, you know, security in general. I'm always happy to answer any questions around that, and yeah, we'll go from there. Awesome. So sorry, go ahead, Andrew.
B
No, I was just going to remind our audience, so office hours means that we are here to answer your questions, whatever it is that's top of your mind, whatever it is, whatever questions that you may have. That's really what we're here to help answer.

While we may not have all of the answers off the top of our heads, we're happy to take any of those that we can't answer, we'll find those and then we'll follow up on that to make sure that we can get them. So don't hesitate to ask in chat, whatever platform you happen to be watching us on, whether it's Twitch or YouTube or any of the others, feel free to ask those questions in chat. We will get those, we broadcast them across all of it, and then we'll have that conversation.

So don't, don't hesitate at all to, to ask questions. So I'll kind of kick things off and I'm going to set you up for what I, what I think is a softball, right, and that is, you know, ACS, you know, Advanced Cluster Security, StackRox, it's a new acquisition by Red Hat, just a couple of months old now. I, I hope you are adjusting well to the, the Red Hat fire hose. We're really happy to have you here, but I think a lot of folks are still, they're still trying to understand.
A
Sure, yeah, so, you know, StackRox and ACS focus on kind of like three main areas, I would say we focus on, and it's like overall dev lifecycle, right, so you focus on build, deploy and then runtime, right. And so, you know, I'll show you some examples later, but as a build perspective, right, you're looking at images, you're looking at, you know, best practices within those images.

Whether or not it's, you know, having a maintainer in your Dockerfile, or, you know, the vulnerabilities that exist and which ones are fixable, trying to give that information back to developers, right. And so we integrate, you know, heavily into CI systems and, you know, giving that feedback directly in a CI pipeline. You have deploy time, which is honestly really multifaceted.

You have everything from build, right, like the point of build is to go deploy something, and then, and then, you know, so you have a, you know, you launch a deployment in Kubernetes and you have an image there. What, what vulnerabilities do you have in that image, and then also the context around that, right, which is, you have a deployment, it's exposed over a load balancer, maybe it's running as privileged, right, and, and which thing should I prioritize first? Should I, should I look at something that has, you know, a critical vulnerability?

It's on a load balancer, exposed to the internet, and it's privileged. Let's go attack that one first, right. And we try to give you a prioritization of: here's the thing you should go look at, here's the critical stuff to go fix, both from a configuration management side and from, you know, a vulnerability perspective. Yeah, and.
B
That context is, that's both the, the really important and the really hard part, right, of how do I know that this one is the most important of the important, right? If everything's a priority one, is anything really a priority one? So getting that right is the hard part.
A
Yeah, exactly, and, and I think what we try to do is give you a view into, you know, a multi-cluster approach. So it's not, we don't, you don't run StackRox in just one cluster, you have kind of a central hub and you can connect a lot of your clusters, and a lot of people use automation to deploy, you know, tons of small clusters. And so, you know, if a critical CVE comes up.

How do you say, where is this in my infrastructure, right? And like, and I think the answer to that question is really important, of being able to just type in CVE XYZ: okay, these deployments, they belong to these teams, this cluster and namespace, okay, here's what I need to go track down. And then also from a deploy perspective is, how do I stop stuff from coming into the cluster after that, right?

So I always think about continuously trying to, yeah, and you could call it compliance or best practices, but it's, if I find 10 things I know I need to go fix, let's not add 11 and 12 and 13 to the list. Let's create an enforcement policy, let's block it, have it go back to the developer who's trying to deploy that and say, hey, you can't deploy this, here's the policy, here's how you remediate it. I think also, you know, you can't just have a policy violation and not give any context around.

Here's actually how you go fix the thing, or, and also here's why we created this policy. I think developers are always curious about why you're doing something. Why is this a rule? Why is this CVE that bad? You know, so, you know, trying to have that context is really important.
B
Yeah, so we, we have a question here from, from Waleed, so: hello Connor, wondering if you have SCC, RBAC, more visibility, like who is reading secrets, what service account is using an SCC, in a, in a visual way. So kind of, I think, the reporting aspects, as well as what type of visibility into objects are being used, yeah. So expanding a little bit, in other words, admins have a list of bad practices when it comes to security controls around RBAC, SCC, network policy and others.
A
Yeah, so we have the ability to basically look at a service account or a subject, as in, like, in the, in the RBAC world, and show you what permissions they end up having, right. So that's, that's always been a challenge in Kubernetes.

You have role bindings, you have roles, you know, you have service accounts, you have subjects, which aren't even like real Kubernetes objects, they're just kind of reference things, and then they get inferred, and what you want to see is, you know, what access does Connor have in this cluster, right, like what verbs and, and resources can he affect? And so that's something that we've tried to address as well, and we have, it's available in the UI. It's not a nice graph or anything like that.

But it's, you can see the verbs and everything there. And then also, when you're creating a policy, you could say, okay, show me all the service accounts that have a cluster admin role, or show me all the service accounts that have above this level of privilege, like, maybe it's not namespace scoped, it's something that's cluster scoped, for example, and so you could go look and highlight those as well. We currently don't ingest a lot of SCC data, so that's a challenge.

We can create a lot of policies based on things that are related to SCCs, so users and groups and things like that, a lot of security context, but not the SCC itself. Got it.
B
So I'm going to challenge your multitasking a little bit, so I, I think you said before we started that you've got a cluster. Would it be possible to see some of that, what some of that looks like, and then maybe, if you, if you're able to kind of multitask a little bit, we do have another question, this time from Adrian.
A
So I'll start sharing my screen here. So we don't use OPA internally, we have our own policy engine that we use. Part of the reason for that, just some background context, is that we stitch a lot of things together that made it a little bit challenging.

We did take a look around images, especially in terms of trying to figure out, for example, if you have a CVE with the CVSS score and it's fixable, right, you kind of have to stitch all of this data together, and so we have the multiple stages.

Like I described, you have a deploy-time policy that has, oh, this deployment comes from over here, and this is privileged, and this image is getting pulled in and it has these CVEs, and of course deployments can have multiple images, and so you really want to drill down into this particular information and then get all these results out. I'll show you that in one second, and then for now I'll go into the RBAC visibility. And so we have, like, a list of the users and groups, right.

You can see that I have an admins, it's a cluster admin, of course. joey@example.com, right, he can look inside the payments namespace, he can look at all verbs related to secrets, right, or, but he doesn't have any cluster permissions, which means that, you know, you can't access anything outside of payments. So this is actually an example of probably something pretty well scoped.

I'm not sure why he needs to look at payments so closely, for example, or secrets, for example, but, you know, these are some of the aspects of things you can look at. You know, it's always interesting too, to look at system namespaces or system service accounts and see what access they have. So, of course, a system.
B
Can you, and Wally asked us, so I'm gonna, I'm gonna rephrase it slightly. So, will you please let me know if I missed the mark here: can you look at it, rather than from the role or the role binding into what permissions they have, rather from the other way around? So, like, can I see what roles and role bindings have, like, the, you know, view verb on secrets?
A
So I don't think you can do that today. I mean, I think you can just look up subjects and subject kinds. That's an interesting question, to say, like, okay, who can read my secrets in this namespace, right? Let me click through real quick, but I don't think you can necessarily look at it that way. No, so, yeah. So there isn't the ability to look at a specific permission and, and break it down.

I'm happy to file that, though, that's a really interesting idea, of being able to say, like, who can view secrets in this particular namespace. I think that's, like, a really valuable thing, so yeah. Instead, we kind of, like, show it in this viewer. You have a role and it will show you which rights you have, so yeah. That's an interesting point.
A
Yeah, so exactly, so I actually want to mention that, because I just saw a demo of this today and it's going to be, it's coming soon to our product. So it's really exciting, and I, but yeah, we're going to be able to pull in the audit logs, specifically on OpenShift clusters, and be able to highlight who's reading or writing secrets and config maps and, and look at them, you know, even with people who might do impersonation or something like that.

We can highlight that as an alert and alert it in our product in an upcoming release, so really excited about that. It's a really topical question, just at the right time.
A
Cool, yeah, no worries, so yeah, awesome, yeah, so OPA's Open Policy Agent. It recently was given to the CNCF as a project, and basically it's a, it uses a language called Rego and allows you to, to write policies. It's also the backing of OPA Gatekeeper, which is specifically an admission controller for Kubernetes. So I think that I hear it a lot, I've talked about it a lot, that's where it comes up most of the time, especially with reference to our, our product, and so I'll, I'll.

Go into a, an example here of something that, that we do with our policy engine, and, and something I think is really powerful, which is, you know, kind of stitch all this context together. So one of the policies you can create in our product, and I will zoom in a little bit, it's something like, okay, if there's a CVE with important severity. And, you know, recently we've been orienting around severity in terms of CVEs or vulnerabilities, because the severities are rated by the distributions themselves.

So Red Hat looks at a CVE and says: does this affect RHEL 7, RHEL 8, here's the severity for it. A lot of times.

It'll differ from the CVSS score, so the score that you get, so you'll see something that has a nine, but it may not be impacted because we know it doesn't use that code path, or, you know, that library is not loaded or it's not included, and so the severity could be a low or moderate. And so that's actually a much better gauge of whether or not you need to go fix it immediately, and it helps you prioritize by looking at the severity. So it's interesting.
A
Yeah, yeah, so exactly, and so, and there's even varying levels of that between distributions. So, you know, CVE is just a top-level thing: okay, curl has a, has a vuln, right. Almost every distribution is probably affected by that vuln, potentially, in some way, or it exists in their environment, because I think there's very little difference between curl in, in Ubuntu and RHEL and, and all of that.

But, you know, it does matter in the context in which it's used, and so, for example, if we look at this CVE with important severity, and, like, you know, this visa-processor is privileged, it probably doesn't need to be, right. You can see, cool, we've satisfied this constraint, that is privileged, but we also satisfied all of these constraints for all of these CVEs, and so it'll break down which CVE, you know, the score.

The severity, which component it exists in, and then also whether or not it was fixable. And so I think the fixable aspect is really important and kind of what I would encourage people to orient on, which is, sometimes you can't, sometimes there's CVEs that come out, they're brand new and they're not fixable, and there's not a lot you can do. You can, it's really good to have an understanding, the visibility into them, but from a practical perspective for a developer, you know: how do you fix this?
A
Right, exactly, and so from a developer perspective, if there's a version of a package that you could upgrade to, you know, in, for example, the difference between this version and this version is so minor that you could probably just upgrade to it immediately or rebuild. You know, your base image probably has a fix for it, and so if you just rebuild your Docker image, you know, you won't be vulnerable to this anymore. And so a lot of times these are, these are almost no-brainers, like, hey.

I should go fix this, like, it should be really easy, and so this is, like, the actionability that we always like to show. This image is very old, it's got a lot of vulns, this deployment's pretty vulnerable, and so you kind of just break it down that way. And then, you know, one aspect of the lifecycle I didn't mention is that we do look at runtime data as well, so we're looking at process and network executions, and I can just set the lifecycle here to runtime.

Yep, and you can look at some of the runtime process or policies that we have created, so you can look at whether or not, like, netcat was executed. I think the shell spawned by Java application is really interesting: unless you're running Jenkins, Java shouldn't really be creating bash shells. Jenkins, Jenkins does this quite a bit. I think we've, we've all experienced that, and, you know, the first time we ran our product on a cluster with Jenkins, we immediately found, oh yeah.

This is a valid use case, and, of course, we have the ability just to, you know, exclude these deployments, because there are, you know, that's another aspect of policy management, there's always exclusions that are allowed, right. You could say, I don't want any privileged containers in my cluster, but if you run StackRox, we have a component that has to run as privileged because we're collecting, you know, efficiently collecting network and process information, and so there's always proper exclusions.
B
Yeah, that's been a, a behind-the-scenes war that I have waged in every organization I've ever worked in, of too many alerts is worse than no alerts, because it's, it all just becomes noise and you end up missing important things, and you assume, right. I say it's worse because, well, you assume the system will tell me about it, and it probably did and you ignored it, as opposed to with no alerts, you're probably going to go looking, like, oh, I should probably check on that.

So we, we have a question here from Dejuan, and I apologize if I am mispronouncing anybody's names, as my children can attest, I, I am terrible with names. So: would ACS provide secrets management, and if yes, how would it compare to a tool like Vault? And then the, the second part of that is image scanning.
A
Yeah, so in terms of secret management, we don't do secret management. We'll, we'll, you can utilize Kubernetes secrets or you can utilize Vault, StackRox is totally cool with that. Those are great solutions, you know, and we haven't tried to get into that space, so, you know, there's no conflict there. I think in terms of image scanning, Quay and, and our scanner are based on the same kind of core, like we.

We were based on Clair v2 back in the day, and now, you know, Quay and Clair has moved to Clair v4. We've added a bunch of different things, we've added some capabilities around node scanning, some language vulnerability scanning, and also just, like, general, general changes that we made around Kubernetes vulns specifically. You know, one of the, one of the things we found was like: hey, we're a Kubernetes security company, and, you know, we focus on Kubernetes security.

We got to be able to tell you when Kubernetes itself has vulns, we have to be able to do it quickly, and so we curate some of our own data around that, just so that we can deliver it to people quickly, because that's, you know, an expectation. And so, you know, that we have diverged a little bit there, but when it comes to, for example, RHEL-based images, our results should be very similar, if not the same, as we're all, like.

There's a scanning certification that we've gone through with, with Red Hat, and so that helps ensure uniformity between at least scanning of, of recent RHEL images, which has been really valuable.
B
Got it. So I'm, we're getting quite a few questions in here, so I'm gonna keep going down the list. So from Waleed: can you do granular auditing in OpenShift, filter metadata and data before sending it to SIEM?
A
I guess I would have to have a follow-up question, like in which, which perspective, from an auditing, you mean from, like, just pure audit logs? From a pure audit log perspective, we've started with reads and writes on secrets and reads and writes on config maps, but, you know, I think there's definitely space to expand that, in terms of, you know, filtering or going through policies.

We currently have a lot of capabilities around taking policies and vulnerability data and pushing them into, into SIEMs, and so that you can ingest them in, in that manner, and, you know, we have a lot of integration for policies in terms of notifications, right, and for runtime data or network, you know, anomalous network activity, you can push that into SIEM as well.
A
Yeah, so right now they're fairly separate in terms of what we would, what we support in terms of, of ACS, and so we don't have, like, a firm integration with, with OPA today.

I haven't personally tested this myself, so take it with a grain of salt, but I'm like, you could definitely have two validating webhooks or mutating webhooks alongside each other. They just run in sequential order, so you'll be able to run, you know, check certain policies against ACS and then check certain policies, policies against OPA, for example.
B
Okay, so I think that might be, in a roundabout way, the answer, right, of effectively run them side by side with the two webhooks, right. Yeah. Is ACS only available now in an OpenShift context, following the acquisition? Is there an integration also available with EKS? If yes, how can the service be consumed? From Adrian.
A
Yeah, so I am not the expert on the current support matrix, I will, full disclosure. I think I can definitely get back to you on that and make sure I'm saying the right things. So that's, that's probably one I'll follow up, we can follow up on. I, yeah, I don't know the current.
B
Yeah, I, I know, you know, of course, being acquired by Red Hat means that OpenShift will become the primary focus. But whether or not the other aspects will be, you know, immediately deprecated or sunset, I don't know either.
A
Yeah, so you can write custom policies in ACS. We have, I can just jump to that real quick, actually, sure. We have a lot of different criteria and we're always expanding it as well, and so, if I just go to one of these and I'll clone it or something, we'll make it faster, clone a policy, hit next. Like, basically, we have a boolean builder that you can use and you can step through. For example, this is looking at a process name, you can do negations, you can do ANDs.

You can add different conditions to different sections. Something that we've seen a lot, actually, is if you're running something like Istio, you're like, I have policies, don't apply them to Istio. If Istio has a vuln, it's going to light up every single container or deployment inside my infrastructure, so you can say, and not, you know, container name istio-proxy, for example, or sidecar. And so we have a lot of different contents here. Sorry, it's a little squished on my screen, but you can look at storage, different volume sources and destinations.

Looking at privileged container, you know, read-only root filesystem, which is probably my favorite way to reduce the attack surface of your deployments. If you look at Metasploit, everything hits /tmp because it always assumes /tmp is writable. So if it's not, you know, that's automatically just significantly more secure from, from people running scripts. You know, you can make sure people have dropped or added specific capabilities or not added capabilities. So, you know, don't add CAP_SYS_ADMIN, please, you know, I know it might make your container work.

It's probably not what you need, but, you know, there's a lot of different aspects here that you can use, and we're continually adding more in terms of Kubernetes. You know, these are new Kubernetes access, you know, service accounts, RBAC permissions and then events themselves, so you can look at port forwards and execs, see who's doing that, you know, block those if you, if you so choose, and so you can, you know, kind of secure your cluster that way by default.
B
Yeah, I think Walid is paying a compliment here: ACS custom policies is much easier than the OPA, more like Styra.
B
Yeah, commercial offering. So I, I also saw, William, above, you, you asked: is it typically Red Hat's policy to open source our offerings? So, yes, effectively we open source all of our products, projects, at some point, some of them take longer than others. So, for example, when we acquired Quay, I think it took something like two years before we were able to fully open source Quay, or "key" if you happen to live in the UK or Australia. So, yeah, generally our goal is to always open source things.

It doesn't always happen immediately because it's not as simple as, you know, a git commit. There's a lot of legal things and all kinds of other stuff that have to happen there, but Red Hat is, and I've been at Red Hat now for three years, Red Hat is really amazing about doing all of that stuff. So kind of keep your eye on, if that's something that's interesting to you, right, keep your eye on all the various news outlets and stuff. We always make a big announcement around it when we do it.
B
Nothing at the moment, you know, please don't hesitate to ask any questions that you happen to have, for anybody who's watching the stream, but yeah. Please go ahead. Sure.
A
Yeah, so I think one thing that I've always been interested in, as even from an operations perspective, is, you know, what are my containers doing and what are they talking to, and, and what are the interactions? And then, you know, how do I go build network policies around that? And so we leverage network policies to, to really create, you know, almost the pod-to-pod firewall, the pod segmentation, super important in environments that are multi-tenant, right.

You know, you've seen some of this with, like, OpenShift SDN, where you have, like, namespace, namespaces will be automatically isolated. And so I'll just jump directly to the stackrox namespace, where we're running our stuff, and we can take a look here. I'll try to zoom in to the right level here, but we can take a look at our services and say: okay, what are they talking to, and, and how would we build network policies around that, right. As you can see, central is our main back end.

Excuse me, these are all reaching out to registries, so we host some data in Cloudflare, Docker Hub is hosted on AWS, and so that's how we end up there. And so, you know, we can see that central is reaching out there, and if we click in, yeah, it's highlighting these as anomalous, I'll talk about that in one second, but you can see that we're talking to our scanner, which makes a lot of sense, I'm telling central to go scan specific aspects or specific images.

These two are not supposed to be marked as anomalous. They just showed up after the time period of when we were learning about this. The nice thing is, is that we want to make it really easy for people to just add them to what we call a baseline, and a baseline is the way a user avoids a lot of noise and instead just says, yes, this is what I would expect my application to do, and then you can lock that, and you can say, tell me when I start.

So I will try to just add all of these to the baseline, go for it, right, cool, no, no more anomalous flows, and you can go to the settings here and you can see everything that we're talking to. For example, here we're talking to the image registry, which is the internal OpenShift image registry.

We would see an alert in the violations page and we can go investigate that, and we say, okay, why is pod X talking to central? And I always say there's three reasons why that is: it's either my central is misconfigured, I'm like, something else is misconfigured and trying to talk to me, or I'm under attack. Like, there's, there's those three reasons, and all of them are good reasons to go look at it and say, like, something's not working as it's supposed to, and you kind of can go dig in from there.
B
So I'm gonna, as for anybody who, who watches my show regularly or my live stream, you know, I'm gonna play the role that I was born to play, which is dumb guy, right. So a couple of things that are interesting or I'm curious about here, so baselines are set, and these are effectively network policy rules, right, they're set at the namespace level.
A
Yeah, so, so the pods are, are just selected by labels, right, and namespace selector. So actually what we can do is we can look at the network policy that applies to central, right, in the UI, and you can see that the, this part is the most important part, right, so central is exposed over the internet.

Typically it's the one thing that we expose, and we only answer on 8443, and so we wanna make sure there's no traffic coming to central that's not on 8443, and then this pod selector tells you that only central should have this rule, right. So you set network policies and then you can scope them based on this pod selector. So each of.
B
I think it might be Connor, because I see myself still talking over here in, in Twitch. So I will shoot him a message real quick, for anybody who's watching, and see if we can get him.

Reconnected, but he froze in a great position. Any time I freeze like that, it ends up with me being in a completely, you know, non-graceful, horrible position.

Well, he committed a violation, yeah. He, his network policy booted him off, that's what it was, it seems. I, I've heard a number of people having internet issues. I'm not saying that's what's happening with Connor right now, but seems like there's been a lot of internet issues lately. I don't know what's going on with that, knock on wood. I've been very fortunate to have a stable internet connection the last few months, but, like, Chris Short and his internet, surprise, his internet provider has been, let's just say, a little suspect.
B
Yeah, maybe the, I would say, I guess we're all working from home still. If we were at, if we weren't working from, working from home, I'd say maybe it was, like, the company denied access to YouTube, like, oh, you've been on YouTube for the last 45 minutes, you know, you, you, you're not working hard enough, we're gonna deny it.

If you have any questions, and, and Walid, I see that you're, you're questioning here about build, deploy, run stages. If he's not able to reconnect, or for whatever reason, I'll be sure to collect all of those questions and all that, we'll be sure to get them over to Connor, and then when the next stream happens, we'll just follow up and we'll, we'll be sure to cover those. I'll also follow up with them about whether or not they post those or anything, like, some of us will post a blog post to help answer questions, stuff like that.

So we'll keep an eye on all that. Don't, don't worry, we'll get all of that stuff answered, so don't be afraid to ask questions if you have them, and we'll still get it fixed.
B
So, Dewan, I, I agree with your sentiment, they're looking forward to future sessions. It's funny, as a host of my, my own show, as somebody who, you know, I, I have a lot of things going on, I've started to treat the live streams kind of like I did podcasts before. It's something that I tend to keep up while I'm doing things and listen to and, and learn kind of through osmosis.

I find that, particularly for topics and areas that I am interested in, it provides a huge amount of just background knowledge that I can seem to, to inadvertently pick up, if you will. So I, I'm, this is one that I will be adding to my list, along with Christian Hernandez, who is on just before this, the GitOps Guide to the Galaxy, that's another one that I've learned a tremendous amount about. But security is one of those things, like, it's 2021, right.

You can't not be cognizant of security and keep up with it. So, oh, so I'm, I'm hearing that Connor has completely lost all internet, so I, I think, Bobby, if you're, so Bobby is our producer today, so I think that what we'll probably do is go ahead and end the stream a little bit early.

I will stay on the chat, so you are welcome to continue to send us questions through the chat. We'll follow up with all of those questions, we'll make sure that those get answered and, and ensure that we can keep going next week, or, I'm sorry, we'll keep going next month, which will be on August 19th, is the next office hours with the StackRox folks.

So again, thank you so much, everybody, for joining today, really appreciate you staying with us despite the technical difficulties. It is what it is, but we will, we will follow up with all those questions next month, when you happen to get those. Andre, where can you get a red hat? So we do have a Cool Stuff Store, which you can just search, you know, whatever your favorite search engine is, search for Red Hat Cool Stuff Store. You can see all of the Red Hat branded stuff that's there.

Unfortunately, we don't actually sell, we can't, like, for whatever reason they don't allow folks to get the, the red hats, like you see the one that I have back here. They give those to employees when we go through the new hire orientation. We, I get that question quite a bit. Sometimes your account team, you can reach out to your account team, I think they can get access to, like, plastic ones. They're not the same as the, as these, which are, like, felt and, and all of that.

But that is one way to do it.