►
Description
Learn the do’s and don’ts of implementing a successful Kubernetes security strategy from hands-on practitioner Connor Gorman, sr. principal software engineer at Red Hat (previously StackRox).
Get your Kubernetes Security 101 questions answered in our monthly StackRox Community Office Hours and check out stackrox.io
A
A
A
A
B
B
So
for
those
of
you
who
are
familiar
with
right,
you're
used
to
seeing
chris
short
here
in
the
chair,
I
am
or
chris
is
having
some
technical
difficulties
today,
I'm
having
difficulty
speaking
so
chris
will
be
rejoining
us
as
soon
as
all
of
that
gets
sorted
out,
but
I
was
able
to
my
schedule,
allowed
me
to
step
in
and
join
here
today,
for
what
is
something
that
I'm
really
excited
about?
I
see
waleed.
I
see
you
made
a
comment
there
about.
You
didn't
see
this
on
the
twitch
schedule.
I
didn't
either.
B
I
didn't
know
about
this
until
kind
of
the
last
minute,
so
I'm
really
excited
to
be
here.
So
today
we
are
joined.
We
are
here
for
what
is
the
first
of
these
stackrocks
community
office
hours
being
hosted
on
openshift.tv,
so
I
know
that
the
stackrock
folks
have
been
doing
these
for
a
while
now
on
different
platforms,
but
it's
really
exciting
to
have
it
being
hosted
here
so
joining
us
to
talk
about
or
to
host
for
today,
and
I
believe
I'll,
let
you
handle
the
subject
here
conor,
but
is
conor
gorman,
so
connor.
A
Yeah,
I'm
I'm
conor
gorman,
I'm
a
senior
principal
engineer
at
red
hat,
acs,
advanced
cluster
security,
formerly
known
as
stack,
rocks.
I've
been
at
stackrocks
and
now
acs
for
really
close
to
four
years
now,
four
years
in
august,
so
you
know
worked
on
the
product
for
a
long
time.
You
know
I'm
really
excited
about
all
the
progress
we
made
and
excited
for
the
progress
for
the
future
in
this
office
hours.
A
I
really
just
want
to
introduce
a
brief,
do
a
brief
overview
of
our
product
and
what
we're
working
on
and
and
also
just
answer
any
questions.
Anyone
has
around
kubernetes
security,
cluster
management.
Anything
related
to
you
know,
security
in
general.
I
always
happen
to
answer
any
questions
around
that
and
yeah
we'll
go
from
there
awesome.
So
sorry
go
ahead.
Andrew.
B
B
While
we
may
not
have
all
of
the
answers
off
the
top
of
our
heads,
we're
happy
to
take
any
of
those
that
we
can't
answer
we'll
find
those
and
then
we'll
follow
up
on
that
to
make
sure
that
we
can
get
them.
So
don't
hesitate
to
ask
in
chat
whatever
platform
you
happen
to
be
watching
us
on
whether
it's
twitch
or
youtube
or
any
of
the
others,
feel
free
to
ask
those
questions
in
chat.
We
will
get
those
we
broadcast
them
across
all
of
it
and
then
we'll
have
that
conversation.
B
So
don't
don't
hesitate
at
all
to
to
ask
questions
so
I'll
kind
of
kick
things
off
and
I'm
going
to
set
you
up
for
what
I,
what
I
think
is
a
softball
right,
and
that
is
you
know,
acs.
You
know.
Advanced
cluster
security
stack
rocks
it's
a
new
acquisition
by
red
hatch.
Just
a
couple
of
months
old
now
I
I
hope
you
are
adjusting
well
to
the
the
red
hat
fire
hose.
We're
really
happy
to
have
you
here,
but
I
think
a
lot
of
folks
are
still
they're
still
trying
to
understand.
B
A
Sure
yeah,
so
you
know
stack,
rocks
and
acs
focus
on
kind
of
like
three
main
areas.
I
would
say
we
focus
on
and
it's
like
overall
dev
life
cycle
right,
so
you
focus
on
build,
deploy
and
then
run
time
right,
and
so
you
know
I'll
show
you
some
examples
later,
but
as
a
build
perspective,
right
you're,
looking
at
images
you're
looking
at
you
know
best
practices
within
those
images.
A
Whether
or
not
it's
you
know
having
a
maintainer
in
your
docker
file
or
you
know
the
vulnerabilities
that
exist
and
which
ones
are
fixable
trying
to
give
that
information
back
to
developers
right
and
so
we
integrate,
you
know
heavily
into
ci
systems
and
you
know
giving
that
feedback
directly
in
a
ci
pipeline.
You
have
deploy
time,
which
is
honestly
really
multifaceted.
A
You
have
everything
from
build
right,
like
the
point
of
build,
is
to
go,
deploy
something
and
then,
and
then
you
know
so
you
have
a
you
know,
you
launch
a
deployment
in
kubernetes
and
you
have
an
image
there.
What
what
vulnerabilities
do
you
have
in
that
image
and
then
also
the
context
around
that
right,
which
is
you
have
a
deployment?
It's
exposed
over
a
load
balancer,
maybe
it's
running
as
privileged
right
and
and
which
thing
should
I
prioritize
first,
should
I
should
I
look
at
something
that
has
you
know
a
critical
vulnerability.
A
It's
on
a
load,
balancer
exposes
the
internet
and
it's
privileged.
Let's
go
attack
that
one
first
right
and
we
try
to
give
you
a
prioritization
of
here's.
The
thing
you
should
go.
Look
at
here's
the
critical
stuff
to
go
fix
both
from
a
configuration
management
side
and
from
you
know,
a
vulnerability
perspective,
yeah
and.
B
A
Yeah,
exactly
and-
and
I
think
what
we
try
to
do
is
give
you
a
view
into
you
know
a
multi-cluster
approach.
So
it's
not,
we
don't
you
don't
run
stack
rocks
in
just
one
cluster,
you
have
kind
of
a
central
hub
and
you
can
connect
a
lot
of
your
clusters
and
a
lot
of
people
use
automation
to
deploy.
You
know
tons
of
small
clusters,
and
so
you
know
if
a
critical
cve
comes
up.
A
How
do
you
say
where
is
this
in
my
infrastructure
right
and
like,
and
I
think
the
answer
that
question
is
really
important
of
being
able
to
just
type
in
cve
xyz?
Okay,
these
deployments.
They
belong
to
these
teams,
this
cluster
and
namespace,
okay,
here's
what
I
need
to
go
track
down
and
then
also
from
a
deploy
perspective
is
how
do
I
stop
stuff
from
coming
into
the
cluster
after
that
right?
A
So
I
always
think
about
continuously
trying
to
yeah
and
you
could
call
it
compliance
or
best
practices,
but
it's
if
I
find
10
things
I
know
I
need
to
go
fix,
let's
not
add
11
and
12
and
13
to
the
list.
Let's
create
an
enforcement
policy.
Let's
block
it,
have
it
go
back
to
the
developer,
who's
trying
to
deploy
that
and
say
hey.
You
can't
deploy
this
here's
the
policy,
here's
how
you
remediate
it,
I
think.
Also,
you
know
you
can't
just
have
a
policy
violation
and
not
give
any
context
around.
A
A
A
You
have
role
bindings,
you
have
roles,
you
know
you
have
service
accounts,
you
have
subjects
which
aren't
even
like
real
kubernetes
objects,
they're
just
kind
of
reference
things,
and
then
they
get
inferred
and
what
you
want
to
see
is
you
know
what
access
does
conor
have
in
this
cluster
right
like
what
verbs
and
and
resources
can
he
affect,
and
so
that's
something
that
we've
tried
to
address
as
well,
and
we
have
it's
available
in
the
ui.
It's
not
a
nice
graph
or
anything
like
that.
A
But
it's
you
can
see
the
verbs
and
everything
there
and
then
also
when
you're
creating
a
policy.
You
could
say.
Okay,
show
me
all
the
service
accounts
that
have
a
cluster
admin
role
or
show
me
all.
The
service
accounts
that
have
above
this
level
of
privilege,
like.
Maybe
it's
not
namespace
scoped,
it's
something!
That's
cluster
scoped,
for
example,
and
so
you
could
go
look
and
highlight
those
as
well.
We
currently
don't
ingest
a
lot
of
sec
data,
so
that's
a
challenge.
A
B
So
I'm
going
to
challenge
your
multitasking
a
little
bit,
so
I
I
think
you
said
before
we
started
that
you've
got
a
cluster.
Would
it
be
possible
to
see
some
of
that?
What
some
of
that
looks
like
and
then
maybe,
if
you,
if
you're
able
to
kind
of
multitask
a
little
bit,
we
do
have
another
question
this
time
from
adrian.
A
A
Like
I
described,
you
have
a
deploy
time
policy
that
has
oh,
this
deployment
comes
from
over
here,
and
this
is
privileged
and
this
image
is
getting
pulled
in
and
it
has
these
cves
and,
of
course,
deployments
can
have
multiple
images,
and
so
you
really
want
to
drill
down
into
this
particular
information
and
then
get
all
these
results
out.
I'll
show
you
that
in
one
second
and
then
for
now
I'll
go
into
the
rbac
visibility,
and
so
we
have
like
a
list
of
the
user
in
groups
right.
A
You
can
see
that
I
have
an
admins,
it's
a
cluster
admin,
of
course
joey
example.com
right.
He
can
look
inside
the
payments
namespace.
He
can
look
at
all
verbs
related
to
secrets
right
or
but
he
doesn't
have
any
cluster
permissions,
which
means
that
you
know
you
can't
access
anything
outside
of
payments.
So
this
is
actually
an
example
of
probably
something
pretty
well
scoped.
A
I'm
not
sure
why
he
needs
to
look
at
payments
so
closely,
for
example,
our
secrets,
for
example,
but
you
know
these
are
some
of
the
aspects
of
things
you
can
look
at.
You
know
it's
always
interesting
too,
to
look
at
system
namespaces
or
system
service
accounts
and
see
what
access
they
have.
So,
of
course,
a
system.
B
Can
you
and
wally
asked
us
so
I'm
gonna,
I'm
gonna
rephrase
it
slightly.
So
will
you
please?
Let
me
know
if
I
missed
the
mark
here,
can
you
look
at
it
rather
than
from
the
role
or
the
role
binding
into
what
permissions
they
have,
rather
from
the
other
way
around
so
like?
Can
I
see
what
roles
and
role
bindings
have,
like
the
you
know,
view
verb
on
secrets.
A
So
I
don't
think
you
can
do
that
today.
I
mean,
I
think
you
can
just
look
up
subjects
and
subject
kinds.
That's
an
interesting
question
to
say
like
okay,
who
can
read
my
secrets
in
this
namespace
right.
Let
me
click
through
real
quick,
but
I
don't
think
you
can
necessarily
look
at
it
that
way,
no
so
yeah.
So
there
isn't
the
ability
to
look
at
a
specific
permission
and
and
break
it
down.
A
I'm
happy
to
file
that,
though,
that's
a
really
interesting
idea
of
being
able
to
say
like
who
can
view
secrets
in
this
particular
namespace.
I
think
that's
like
a
really
valuable
thing
so
yeah.
Instead,
we
kind
of
like
show
it
in
this
viewer.
You
have
a
role
and
it
will
show
you
which
rights
you
have
so
yeah.
That's
an
interesting
point.
B
A
Yeah,
so
exactly
so,
I
actually
want
to
mention
that,
because
I
just
saw
a
demo
of
this
today
and
it's
going
to
be
it's
coming
soon
to
our
product.
So
it's
really
exciting
and
I
but
yeah
we're
going
to
be
able
to
pull
in
the
audit
logs
specifically
on
openshift
clusters
and
be
able
to
highlight
who's,
reading
or
writing
secrets
and
config
maps
and
and
look
at
them.
You
know
even
with
people
who
might
do
impersonation
or
something
like
that.
A
A
B
A
Cool
yeah
no
worries
so
yeah,
awesome,
yeah,
so
opa's
open
policy
agent.
It
recently
was
given
to
the
cncf
as
a
project
and
basically
it's
a
it
uses
a
language
called
rego
and
allows
you
to
to
write
policies.
It's
also
the
backing
of
opa
gatekeeper,
which
is
specifically
an
admission
controller
for
kubernetes.
So
I
think
that
I
hear
it
a
lot.
I've
talked
about
it,
a
lot,
that's
where
it
comes
up
most
of
the
time,
especially
with
reference
to
our
our
product
and
so
I'll
I'll.
A
Go
into
a
a
example
here
of
something
that
that
we
do
with
our
policy
engine
and
and
something
I
think
is
really
powerful,
which
is
you
know,
kind
of
stitch
all
this
context
together.
So
one
of
the
policies
you
can
create
in
our
product
and
I
will
zoom
in
a
little
bit
it's
something
like
okay,
if
there's
a
cve
with
important
severity-
and
you
know
recently,
we've
been
orienting
around
severity
in
terms
of
cvs
or
vulnerabilities,
because
the
severities
are
rated
by
the
distribution
themselves.
A
A
It'll
differ
from
the
cvss
score,
so
the
score
that
you
get
so
you'll
see
something
that
has
a
nine,
but
it
may
not
be
impacted
because
we
know
it
doesn't
use
that
code
pass
or
you
know
that
library
is
not
loaded
or
it's
not
included,
and
so
the
severity
could
be
a
low
or
moderate,
and
so
that's
actually
a
much
better
gauge
of
whether
or
not
you
need
to
go
fix
it
immediately
and
it
helps
you
prioritize
by
looking
at
the
severity.
So
it's
interesting.
B
A
Yeah
yeah
so
exactly
and
so,
and
there's
even
varying
levels
of
that
between
distributions.
So
you
know,
cve
is
just
a
top
level
thing:
okay,
curl
has
a
has
a
volt
right.
Almost
every
distribution
is
probably
affected
by
that
volume,
potentially
in
some
way
or
it
exists
in
their
environment,
because
I
think
there's
very
little
difference
between
girl
and
in
ubuntu
and
rel
and
on
all
of
that.
A
But
you
know
it
does
matter
in
the
context
in
which
it's
used
and
so,
for
example,
if
we
look
at
this
cve
with
important
severity
and
like
you
know,
this
visa
processor
is
privileged,
it
probably
doesn't
need
to
be
right.
You
can
see
cool
we've
satisfied
this
constraint,
that
is
privileged,
but
we
also
satisfied
all
of
these
constraints
for
all
of
these
cves
and
so
it'll
break
down
which
cve
you
know
the
score.
A
The
severity
which
component
it
exists
and
then
also
whether
or
not
it
was
fixable,
and
so
I
think
the
fixable
aspect
is
really
important
and
kind
of
what
I
would
encourage
people
to
orient
on,
which
is
sometimes
you
can't
sometimes
there's
cves
that
come
out
they're
brand
new
and
they're,
not
fixable
and
there's
not
a
lot.
You
can
do
you.
Can
it's
really
good
to
have
an
understanding
the
visibility
into
them,
but
from
a
practical
perspective
for
a
developer,
you
know:
how
do
you
fix
this?
B
A
Right
exactly
and
so
from
a
developer
perspective,
if
there's
a
version
of
a
package
that
you
could
upgrade
to,
you
know
in,
for
example,
the
difference
between
this
version,
and
this
version
is
so
minor
that
you
could
probably
just
upgrade
to
it
immediately
or
rebuild.
You
know
your
base,
image
probably
has
a
fix
for
it,
and
so,
if
you
just
rebuild
your
docker
image,
you
know
you
won't
be
vulnerable
to
this
anymore
and
so
a
lot
of
times.
These
are.
These
are
almost
no-brainers
like
hey.
A
I
should
go
fix
this
like
it
should
be
really
easy,
and
so
this
is
like
the
action
ability
that
we
always
like
to
show.
This
image
is
very
old.
It's
got
a
lot
of
volumes,
this
deployment's
pretty
vulnerable,
and
so
you
kind
of
just
break
it
down
that
way,
and
then
you
know,
one
aspect
of
the
life
cycle
I
didn't
mention
is
that
we
do
look
at
runtime
data
as
well,
so
we're
looking
at
process
and
network
executions-
and
I
can
just
set
the
lifecycle
here
to
run
time.
A
Yep
and
you
can
look
at
some
of
the
runtime
process
or
policies
that
we
have
created,
so
you
can
look
at
whether
or
not
like
netcat
was
executed.
I
think
the
shell
spawned
by
java
application
is
really
interesting
unless
you're
running
jenkins,
java
shouldn't
really
be
creating
bash
shells.
Jenkins
jenkins.
Does
this
quite
a
bit?
I
think
we've
we've
all
experienced
that
and
you
know
the
first
time
we
ran
our
product
on
a
cluster
with
jenkins.
We
immediately
found
oh
yeah.
A
This
is
a
valid
use
case
and,
of
course
we
have
the
ability,
just
to
you
know,
exclude
these
deployments,
because
there
are,
you
know,
that's
another
aspect
of
policy
management,
there's
always
exclusions
that
are
allowed
right.
You
could
say
I
don't
want
any
privileged
containers
in
my
cluster,
but
if
you
run
stack
rocks
we
have
a
component
that
has
to
run
its
privilege
because
we're
collecting
you
know
efficiently
collecting
network
and
process
information,
and
so
there's
always
a
proper
exclusions.
B
Yeah,
that's
been
a
a
behind-the-scenes
war
that
I
have
waged
in
every
organization.
I've
ever
worked
in
of
too
many
alerts
is
worse
than
no
alerts,
because
it's
it
all
just
becomes
noise
and
you
end
up
missing
important
things,
and
you
assume
right.
I
say
it's
worse
because
well,
you
assume
the
system
will
tell
me
about
it
and
it
probably
did
and
you
ignored
it
as
opposed
to
with
no
alerts
you're,
probably
going
to
go.
Looking
like.
Oh,
I
should
probably
check
on
that.
B
So
we
we
have
a
question
here
from
dejuan
and
I
apologize
if
I
am
mispronouncing
anybody's
names,
as
my
children
can
attest.
I
I
am
terrible
with
names,
so
would
acs
provide
secrets
management
and
if,
yes,
how
would
it
compare
to
a
tool
like
vaults
and
then
the
the
second
part
of
that
is
image
scanning?
A
Yeah,
so
in
terms
of
secret
management,
we
don't
do
secret
management,
we'll
we'll
you
can
utilize
kubernetes
secrets
or
you
can
utilize.
Vault
stack
rocks
is
totally
cool
with
that.
Those
are
great
solutions.
You
know,
and
we
haven't
tried
to
get
into
that
space.
So
you
know
there's
no
conflict
there.
I
think
in
terms
of
image,
scanning
quay
and
and
r
scanner
are
based
on
the
same
kind
of
core
like
we.
A
We
were
based
on
claire
v2
back
in
the
day,
and
now
you
know
quay
and
clara
has
moved
to
claire
v4
we've
added
a
bunch
of
different
things.
We've
added
some
capabilities
around
node
scanning
some
language,
vulnerability
scanning
and
also
just
like
general
general
changes
that
we
made
around
kubernetes.
Molds.
Specifically,
you
know
one
of
the
one
of
the
things
we
found
was
like:
hey
we're
a
kubernetes
security
company,
and
you
know
we
focus
on
career
security.
B
A
We
currently
have
a
lot
of
capabilities
around
taking
policies
and
vulnerability
data
and
pushing
them
into
into
sims,
and
so
that
you
can
ingest
them
in
in
that
manner,
and
you
know
we
have
a
lot
of
integration
for
policies
in
terms
of
notifications
right
and
for
runtime
data
or
network.
You
know
anomalous
network
activity.
You
can
push
that
into
sim
as
well.
B
A
A
I
haven't
personally
tested
this
myself,
so
take
it
with
a
grain
of
salt,
but
I'm
like
you
could
definitely
have
two
validating
web
hooks
or
mutating
web
hooks
alongside
each
other.
They
just
run
in
sequential
order,
so
you'll
be
able
to
run.
You
know,
check
certain
policies
against
acs
and
then
check
certain
policies.
Policies
against
opa,
for
example,.
B
Okay,
so
I
think
that
might
be
in
a
roundabout
way.
The
answer
right
of
effectively
run
them
side
by
side
with
the
two
web
hooks
right.
Yeah
is
acs
only
available
now
in
an
openshift
context.
Following
the
acquisition
is
there
an
integration
also
available
with
eks?
If,
yes,
how
can
the
service
be
consumed
from
adrian.
A
B
B
B
A
Yeah,
so
you
can
write
custom
policies
in
acs.
We
have.
I
can
just
jump
to
that
real
quick,
actually
sure
we
have
a
lot
of
different
criteria
and
we're
always
expanding
it
as
well,
and
so,
if
I
just
go
to
one
of
these
and
I'll
clone
it
or
something
we'll
make
it
faster,
clone
a
policy
hit
next
like
basically,
we
have
a
boolean
builder
that
you
can
use
and
you
can
step
through.
For
example,
this
is
looking
at
a
process
name,
you
can
do
negations.
You
can
do
ands.
A
You
can
add
different
conditions
to
different
sections,
something
that
we've
seen
a
lot
actually
is
if
you're
running
something
like
istio
you're
like
I
have
policies,
don't
apply
them
to
istio.
If
istio
has
a
volume,
it's
going
to
light
up
every
single
container
or
deployment
inside
my
infrastructure,
so
you
can
say-
and
not
you
know-
container
name
istioproxy,
for
example
or
sidecar,
and
so
we
have
a
lot
of
different
contents
here.
Sorry,
it's
a
little
squished
on
my
screen,
but
you
can
look
at
storage,
different
volume
sources
and
destinations.
A
Looking
at
privileged
container,
you
know
read-only
root
file
system,
which
is
probably
my
favorite
way
to
reduce
the
tax
surface
of
your
deployments.
If
you
look
at
metasploit,
everything
hit
slash
temp
because
it
always
assumes
slash.
Temp
is
writable.
So
if
it's
not,
you
know,
that's
automatically
just
significantly
more
secure
from
from
people
running
scripts.
You
know
you
can
make
sure
people
have
dropped
or
added
specific
capabilities
or
not
added
capabilities.
So
you
know,
don't
add
caps
this
admin,
please
you
know,
I
know
it
might
make
your
container
work.
A
It's
probably
not
what
you
need,
but
you
know
there's
a
lot
of
different
aspects
here
that
you
can
use
and
we're
continually
adding
more
in
terms
of
kubernetes.
You
know
these
are
new
kubernetes
access.
You
know,
service
accounts
are
back
permissions
and
then
events
themselves,
so
you
can
look
at
port
forwards
and
execs
see
who's.
Doing
that
you
know
block
those.
If
you,
if
you
so
choose,
and
so
you
can,
you
know
kind
of
secure
your
cluster
that
way
by
default.
B
A
B
Yeah
commercial
offering
so
I
I
also
saw
william
above
you,
you
asked:
is
it
typically
red
hat's
policy
to
open
source
our
offerings?
So,
yes,
effectively,
we
open
source
all
of
our
products
projects
at
some
point,
some
of
them
take
longer
than
others.
So,
for
example,
when
we
acquired
quay,
I
think
it
took
something
like
two
years
before
we
were
able
to
fully
open
source
quay
or
key.
If
you
happen
to
live
in
the
uk
or
australia
so
yeah
generally,
our
goal
is
to
always
open
source
things.
B
It
doesn't
always
happen
immediately
because
it's
not
as
simple
as
you
know,
a
git
commit
there's
a
lot
of
legal
things
and
all
kinds
of
other
stuff
that
have
to
happen
there,
but
red
hat
is,
and
I've
been
a
red
hat
now
for
three
years.
Red
hat
is
really
amazing
about
doing
all
of
that
stuff,
so
kind
of
keep
your
eye
on.
If
that's
something
that's
interesting,
you
right
keep
your
eye
on
all
the
various
news
outlets
and
stuff.
We
always
make
a
big
announcement
around
it.
When
we
do
it.
A
B
A
Yeah,
so
I
think
one
thing
that
I've
always
been
interested
in
as
even
from
an
operations
perspective
is
you
know
what
are
my
containers
doing
and
what
are
they
talking
to
and
and
what
are
the
interactions?
And
then
you
know
how
do
I
go
build
network
policies
around
that,
and
so
we
leverage
network
policies
to
to
really
create.
You
know
almost
the
pod
to
pod
firewall
the
pod
segmentation
super
important
in
environments
that
are
multi-tenant
right.
A
These
two
are
not
supposed
to
be
marked
as
anomalous.
They
just
showed
up
after
the
time
period
of
when
we
were
learning
about
this.
The
nice
thing
is
is
that
we
want
to
make
it
really
easy
for
people
to
just
add
them
to
what
we
call
a
baseline
and
a
baseline
is
the
way
a
user
avoids
a
lot
of
noise
and
instead
just
says
yes.
This
is
what
I
would
expect
my
application
to
do,
and
then
you
can
lock
that,
and
you
can
say
tell
me
when
I
start.
A
We
would
see
an
alert
in
the
violations
page
and
we
can
go
investigate
that
and
we
say
okay.
Why
is
podx
talking
to
central?
And
I
always
say:
there's
three
reasons
why
that
is
it's
either
my
central
is
misconfigured,
I'm
like
something
else
is
misconfigured
and
trying
to
talk
to
me
or
I'm
under
attack
like
there's.
There's
those
three
reasons
and
all
of
them
are
good
reasons
to
go.
Look
at
it
and
say
like
something's,
not
working
as
it's
supposed
to
and
you
kind
of
can
go
dig
in
from
there.
B
So
I'm
gonna,
as
for
anybody
who,
who
watches
my
show
regularly
or
my
live
stream,
you
know
I'm
gonna
play
the
role
that
I
was
born
to
play,
which
is
dumb
guy
right.
So
a
couple
of
things
that
are
interesting
or
I'm
curious
about
here,
so
bass
lines
are
set,
and
these
are
effectively
network
policy
rules
right,
they're
set
at
the
namespace
level.
B
A
A
Typically,
it's
the
one
thing
that
we
expose
and
we
only
answer
on
eight
four,
four
three,
and
so
we
wanna
make
sure
there's
no
traffic
coming
to
central,
it's
not
on
eight
four
four
three
and
then
this
pod
selector
tells
you
that
only
central
should
have
this
rule
right.
So
you
set
network
policies
and
then
you
can
scope
them
based
on
this
pod
selector.
So
each
of.
B
B
B
Well,
he
committed
a
violation
yeah.
He
his
network
policy,
booted
him
off.
That's
what
it
was.
It
seems.
I
I've
heard
a
number
of
people
having
internet
issues.
I'm
not
saying
that's
what's
happening
with
conor
right
now,
but
seems
like
there's
been
a
lot
of
internet
issues.
Lately
I
don't
know.
What's
going
on
with
that,
knock
on
wood.
I've
been
very
fortunate
to
have
a
stable
internet
connection
the
last
few
months,
but
like
chris
short
and
his
internet
surprise.
His
internet
provider
has
been,
let's
just
say,
a
little
suspect.
B
B
Yeah,
maybe
the
I
would
say
I
guess
we're
all
working
from
home
still
if
we
were
at
if
we
weren't
working
from
working
from
home
I'd
say:
maybe
it
was
like
the
company
denied
access
to
youtube,
like
oh
you've,
been
on
youtube
for
the
last
45
minutes.
You
know
you,
you
you're
not
working
hard
enough.
We're
gonna
deny
it.
B
B
B
So
dewan
I
I
agree
with
your
sentiment:
they're
looking
forward
to
future
sessions,
it's
funny
as
a
host
of
my
my
own
show.
As
somebody
who
you
know,
I
I
have
a
lot
of
things
going
on.
I've
started
to
treat
the
live
streams
kind
of
like
I
did
podcasts
before
it's
something
that
I
tend
to
keep
up,
while
I'm
doing
things
and
listen
to
and
and
learn
kind
of
through
osmosis.
B
I
find
that
particularly
for
topics
and
areas
that
I
am
interested
in.
It
provides
a
huge
amount
of
just
background
knowledge
that
I
can
seem
to
to
inadvertently
pick
up.
If
you
will
so
I
I'm.
This
is
one
that
I
will
be
adding
to
my
list
along
with
christian
hernandez,
who
is
on
just
before
this.
The
get
ops
guide
to
the
galaxy,
that's
another
one
that
I've
learned
a
tremendous
amount
about,
but
security
is
one
of
those
things
like
it's
2021
right.
B
B
I
will
stay
on
the
chat,
so
you
are
welcome
to
continue
to
send
us
questions
through
the
chat,
we'll
follow
up
with
all
of
those
questions,
we'll
make
sure
that
those
get
answered
and
and
ensure
that
we
can
keep
going
next
week
or
I'm
sorry
we'll
keep
going
next
month,
which
will
be
on
august.
19Th
is
the
next
office
hours
with
the
stackrocks
folks.
B
So
again,
thank
you
so
much
everybody
for
joining
today
really
appreciate
you
staying
with
us.
Despite
the
technical
difficulties,
it
is
what
it
is,
but
we
will.
We
will
follow
up
with
all
those
questions
next
month.
When
you
happen
to
get
those
andre.
Where
can
you
get
a
red
hat?
So
we
do
have
a
cool
stuff
store
which
you
can
just
search.
You
know
whatever
your
favorite
search
engine
is
search
for
red
hat,
cool
stuff
store.
You
can
see
all
of
the
red
hat
brandon
stuff,
that's
there.
B
Unfortunately,
we
don't
actually
sell.
We
can't
like,
for
whatever
reason
they
don't
allow
folks
to
get
the
the
red
hats.
Like
you
see
the
one
that
I
have
back
here,
they
give
those
two
employees
when
we
go
through
the
new
hire
orientation.
We
I
get
that
question
quite
a
bit.
Sometimes
your
account
team.
You
can
reach
out
to
your
account
team.
I
think
they
can
get
access
to
like
plastic
ones,
they're
not
the
same
as
the
as
these,
which
are
like
felt
and
and
all
of
that.