From YouTube: Certified Kubernetes Security Specialist CKS Exam
Description
One of the most significant announcements at KubeCon North America was the Certified Kubernetes Security Specialist (CKS) program. The online, proctored, performance-based exam will test on a range of Kubernetes security topics.
In this Office Hours, we will discuss the exam concepts with John Forman, who helped develop the exam with CNCF. We’ll cover the following, in addition to some tips:
- How to get started
- Structure of the exam
- Important topics to focus on
A: And hi everyone, welcome. Thanks for joining our office hours this month. I'm Mike Foster, I'm a cloud native advocate at StackRox and I'll be monitoring this chat for today. So today with me I have John Forman. John is an associate director and global Anthos and Kubernetes overseer at Accenture. He's been working to secure Kubernetes for, I don't know how long, John. At this point you've got to, you have to tell me. But before we start, I want to go over some rules of engagement.
A: The lines are muted and this session is being recorded. The on-demand recording will be emailed to everybody post event and also available on our website. We'll be answering live questions throughout the session, so make sure to ask your questions. There's a little Q&A module on the right hand side of your screen, and obviously we can't give away too much about the CKS, so keep them high level, anything Kubernetes-specific security. You know, just throw some questions and we'll go through them as we can.
A: If you have any trouble in the webinar console, just refresh your browser; it should come right back into the session. That's it. So again, today is all about the CKS. John has played an integral part in the CKS, its creation, so I'm really excited to talk with him today. John, thanks for joining. How are you doing?
A: Awesome. So let's get started by looking into your background a little bit. So, you know, being sort of lead for Anthos and Kubernetes at Accenture, you know, how did your journey with Kubernetes, and specifically your role, get started, and how did you move into the security space?
B: Sure. About seven years ago, seven, eight years ago roughly, I was asked by a few leaders in Accenture to start the container practice in North America, and at the time, you know, Docker was emerging with Swarm and it was getting that traction out there in the world and it seemed to be a pretty cool technology. But I said yeah, why not, I'll...
B: Take a look at that. So I started to spin up that practice. I worked very closely with Docker at the time, building that within Accenture, scaling it, helping, you know, Oscar Dallas scale that globally throughout Accenture over the last several years, and then over time, you know, we saw Kubernetes starting to become the pinnacle, right, orchestrator taking over, as the, you know, it's the operating system abroad.
B: The internet, you know, is what Kubernetes was becoming, and we saw less and less, you know, of a need to stay with Swarm, and so we began to gravitate to Kubernetes in early alpha days. You know, it was still called Borg, if you remember that terminology. So with Borg early on, diversity, was it, fell in love with it day one, to be honest, and never looked back, you know, during that journey, you know.
B: Security was always, has always been a part of my background prior to this as well, but I definitely put that into this as well. So whatever I was doing, I was brought in with a mindset of: security has to be part of this. We can't just go crazy and implement all these containers without proper security. So that was always my, early on, I built many assets around that, even in the beginning with Swarm.
A: That's awesome, yeah. So over that time, when you've started to develop these things, I'm assuming that's one of the reasons why Linux Foundation and the CNCF reached out and, you know, sort of consulted with you and Accenture about, you know, how the CKS was going to take place and what components to kind of bring to the exam.
B: Yeah, so I mean I guess about two and a half years ago I started thinking about this crazy idea of wanting to have a certification program for Kubernetes security. It doesn't exist, you know. CKA is out there, everybody's getting their administration certificates.
B: You have Google Professional, all the certs out there, they've gained traction, a lot of people get certified in this, but when it comes to security there's a gap. A lot of people just really understand the reason for that or what they wanted to do, and time after time I go to clients and they have this rocket stack mentality of security, right, and with containers it's a whole new world.
B: The tools you have need to be aware, and a lot of times when you go to the Fortune 500 companies, the tools they have are not container aware. They won't work in that area. So we started those conversations and then we saw, I saw this large gap in the knowledge base in this area, and I started thinking about how we could formulate a plan to get around this. So I met Cheryl Hung.
B: You know, over coffee at KubeCon last year, the year prior, and I started to explain this idea to her and that's how it started. And then from that, you know, we would create a committee that was pretty much global. We had experts globally contribute to the CKS exam over time and it evolved, but my whole story, the reason why I did this in the beginning, was to be a litmus test.
B: You know, I'm a very, you know, if you work with me, I'm a hard ass, you'll know that from day one. I expect a lot from people that work for me, and so to me, you know, I had to create something that I would hire you. So if you pass this test, I would hire that person because they passed a test. So the litmus test to me is for anybody building a desktop, you know, team within the company.
B: The CKS exam should be a pillar to say that, you know, I want to hire people who pass this exam because coming in I know they know their stuff. I know it's going to be, you know, a home run on day one. So for me it's been a little task to build, right, so I selfishly did it myself, believe it or not, in the beginning, but that was a big part of it.
A: Yeah, that's awesome. Speaking of CKA, because you kind of touched on it, and I get a lot of questions around, you know, is the CKA and the CKS, are they valuable? You know, how do you pair that with expertise and personal projects and things of that sort? Is there something that you can say differentiates the CKS, and why is the CKS set up as a post-exam after getting the CKA? You know, what was the thought and what are the differentiators between the two exams?
B: So I wanted CKS to be focused on security, and, you know, if CKA was not a, you know, requirement, then we were going to have to incorporate a lot more into the test, and the security, okay, to make sure that you have this full, well-balanced understanding of the Kubernetes world, right, in the way that it works and flows.
A: No, completely. We actually had one commenter, it wasn't a question, but said: well, now we know how to get into Accenture, pass the CKA, pass the CKS. So I thought that was funny, and hopefully that test is made hard enough as well. Now, in my personal experience taking them, I actually found the CKS more rigorous than the CKA was. There was a reason for expanding it into, you know, security being the whole ecosystem, and what was the conversation between, you know?
A: How do we integrate outside tools such as, you know, kube-bench and things like Falco and stuff like that into the exam? Because there is a bunch of documentation and different, there's more documentation that's accessible in the CKS than the CKA, right. So just curious as to, you know, what that process was, because sometimes security applications come and go. Is it more about enforcing, you know, general concepts to the people who take the exam? It's a little long-winded, but yeah.
B: That's a simple question. I want to first back up for a second if I can, and so I know if you noticed that, but we did a beta version of the exam and we did that, over 50 failed the exam. So that means the test is difficult and not easy to pass. So, of course, they came back to Mr. John: this test is too hard, man, you've got to make it easier. I'm like, what? Nah. But all right, so we actually went back into it. We weighed some things differently.
B: We made some questions a little easier. This way, you know, we can have a higher ratio, but we still kept it on the throttle to be difficult, and part of that is ecosystem, which you just mentioned. So over the last seven years I've been working very closely with this ecosystem. You know, I got to know a lot of great people, except people from StackRox and so on, during my ecosystem, you know, partnerships, and to me the ecosystem is the glue of Kubernetes.
B: You know, Kubernetes is CNCF, it's open source, it's there along with, you know, all the other fantastic tools, the Prometheus and everything else out there, but around that is a vendor support ecosystem, and, you know, to me, for you to be a well-rounded, you know, Kubernetes engineer and security engineer with Kubernetes, you need to understand how those pieces work into the puzzle. How do you fit those into your solution?
B: You know, understanding those tools is critical to success and implication of this, right, and then it's about best of breed. Also, a big part of this exam was for me to focus on best of breed tools. So when you're going through the exam, a lot of the questions, a lot of third-party tools we're interested in are best of breed solutions, right.
A: Great, yeah, I definitely agree with you on the hardness of the test. We have a couple questions. I just want to get to Willie. He had a great question about what would be next for one's security journey after the CKS, right. So there is that core understanding and, like you said, tool implementation and things like that. Do you have any recommendations on, after the CKS, where you think somebody can go to grow more into the security space?
B: What I will say is I work with a lot of people, many organizations, many companies, and a lot of people pass certification programs, right. They get Kubernetes certified. They get, you know, Google sort of, essentially, I'm sorry, Amazon, whatever it may be, but they're really clueless when it comes to doing anything. They can pass a test. That's great, I'm glad they passed a test, but you actually need to know what you're doing. You need hands-on. So going back to CKS again, for you to pass the test, you need practical experience.
B: It's more than just reading a book. You cannot read a book and pass the CKS exam. That's on purpose. You have to have your hands in it and actually be part of this world in order to pass the test. At least that's my hope anyway. So to your question, hoping that the person is already on the journey, in the environments, already doing this, and it's augmenting their knowledge for CKS. So to me that's a big part of that. So to me it's about passing the CKS program and then, you know, with your current environment,
B: expanding your horizons, right, and understanding that environment better, then improving that environment to be more secure. Okay, as far as what's best from that, honestly, to get more into machine learning and AI. What I see right now in the threat landscape in the world right now, it's about machine learning and artificial intelligence, and I speak to people about this, you know, countlessly, and you look, you can YouTube me and see my previous conversations I've had. I talk about this very often.
B: What I see right now is that, you know, the bad actors, the hackers out there, are using machine learning and AI tools to attack Kubernetes clusters. So unless your tools are able to combat that, and they're, like, machine learning aware, you're going to lose the battle. So to me the next part of this journey is really understanding what tools are out there that are machine learning, AI enabled, and really understanding those tools from the ground up.
B: So you can implement them and understand what those tools do, because they're complicated tools, they're not easy to implement, but understanding what they do and really having an expert level in that, I think we'll take this to the next level now, because I do think that is the next frontier as we go into 2021 and beyond. The whole machine learning, AI mentality is going to be next, because if I'm a power grid, I'm running, you know, a thousand Kubernetes nodes, you know, if I have an AI attack in my grid,
B: That's very bad! Unless I can, you know, prevent that from spreading, you know, in an instant click, I'm going to lose the battle. A big part of it is runtime security. This is something, if you follow me on LinkedIn and other things, I talk about this very often, and, you know, to me the biggest gap in any security environment is runtime.
B: Everybody has a great supply chain, pipeline, DevSecOps, right. They scan the source code, they scan the containers, they scan the images, they do all this amazing stuff to keep it secure, and then it's out there in the wild west, right, and then it's exposed if you're not monitoring that runtime signature, and there's runtimes. So it's amazing about really understanding what's happening in the runtime after it's out there. That is where security becomes the pinnacle, and that's where we need to start watching that culture.
B: Now, because all the attacks you see in the news, all the attacks you see on TV, is because people are monitoring the runtime environment. It's pretty simple, really, you know, to do this, because if my signature changes, I'm being hacked. So the second my signature changes in my container, shut that container down, spin up a fresh copy in multi seconds, the customer just, you know, what even happened, and you're no longer being attacked. So I think that's why entering the runtime was critical.
A: Awesome, yeah. Just an FYI to everybody that's watching: you know, keep dropping those questions in the chat. We're going to keep picking them off as we go. One of, a pretty quick one, is the CKS is only valid for two years. That is true.
A: I believe the CKA is valid for three years, as well as the CKAD. The, why is the CKS valid for two years, is an interesting question. Are the thoughts on the validation just that the exam is going to evolve? I was curious what the reasoning for the shortened life validity of the exam was, John.
B: Yeah, that, honestly, that is a question for the CNCF, not for John Forman, but, you know, to me it's about, you know, security's evolving very fast, the AppSec world and all these things, there's constantly tools evolving. Kubernetes is evolving, you know, for Christ's sakes, PSP is going to be removed, right, and so it's changing very rapidly. So I think having, you know, the lifespan within its exam support, so we can refresh it every two years with the latest technology with Kubernetes, because Kubernetes is still a young baby, right.
B: Kubernetes is still learning, it's still crawling, right. If you look at the history of Kubernetes, how long it's been around, it's been around for a very short amount of time. So when I look at Kubernetes it's very early, it's in infancy, and it's still growing up, and when it grows up to be an adult it's going to be amazing, right. So during that pathway from immature to maturity, as it's going down there, many changes will happen, especially security. So to me it's what's important. We keep that refreshed every two years.
A: Yeah, I did find it interesting that Kubernetes upgrades and updates were listed in the CKS specifically, and you look at the most used version, I believe it's still 1.15 right now, which is missing some of the newer functionalities. So yeah, a big proponent of, you know, continuing to move with the community and using those new security functionalities that are built in now. Speaking of pod security policies, got a great question. The CKS talks about OPA as a way to establish policies in the cluster during the, well,
A: I can't, we can't actually say during the exam, so I've got to somewhat ignore that, but, you know, are we going to use Rego policies? You know, why were other solutions like Kyverno ignored, and what do you think is sort of the gap that's in policy enforcement in Kubernetes?
B: Well, I don't think they're ignored, but there's only so many questions and tasks you can have, and only so many topics, how many questions were asked. By the same thing, I mean, we're going to ask one question about pod policies with different solutions, but that's kind of redundant, right, so we kind of picked. You know, again, it's about going back to best of breed solution. OPA is the best of breed solution, which is why it was chosen. Other things are out there.
B: Absolutely you can use those as well, but, you know, how, why have we done, to say we, you know, needed some cases. As far as, you know, further into your question, you know, I think pod policies are critical to me when I talk to clients. That is a first line of defense.
B: Whatever I talk about security when it comes to Kubernetes, because, you know, right, not running as root is critical, right, and the other aspects that are exposed with CIS benchmarks is important, because if you go back to the bulk of CIS, that's all based on pod policies, right. That's why it's critical, and, you know, after that, with PSP being removed, that's good, that last simple change, but those switches still need to be there, right, with OPA and other solutions today.
B: So we really need to understand that and really surround ourselves with that knowledge. You know, whether I'm working with a third, with Styra, for example, who founded OPA, or other companies with similar technologies like ACM with Anthos and other things. You know, they're all going to work very similar in 2021, right, it's about, it's code. So when I build the pipeline, it's absolutely, my software is code, obviously, but infrastructure is code, right. Security is code, policy is code. Those are default standards today. Every pipeline you build in DevOps must include these.
B: If you don't, you live in the 90s, right, so we have to understand that security as code is part of today's environment and that has to be part of OPA as well as we do these things, because I think it has to be scripted, Terraform, as it blows stuff out when I boot up my clusters. So everything we build at Accenture, every client we speak to, from the ground up is built with Terraform and a GitOps mentality.
B: This is what we're going to be looking at as we build these things into the future, because it's 2021, we've got to wake up and start doing things the right way. So to me it has to be code from day one.
A: Yes, almost. You hear the term declarative security and I think people wonder what that means, and, you know, you're using basically declarative IaC, using declarative Kubernetes objects. All that work is documentation, right, that you can go and vet all your changes. So moving on a little bit to image scanning, because there's a couple image scanning questions. We have a question of: should I use a runtime image scanner in production? Does it impact the performance in the cluster? And I'll add on to that question of?
B: I need to start scanning there first, right, during my build, whether I'm using Jenkins or Cloud Build, whatever I have in my DevOps pipeline to build with. As soon as that container is built, I'm also going to scan it for vulnerabilities, right, and now I'm living in development, and one thing that I really advocate, you know, to death, is for you, it's multiple environments, right, to have dev, QA, pre-prod, production, minimum four environments. I worked in many companies, Fortune 50 companies, who have, you know, two. What are you guys doing?
B: No, that's bad! You want to have a minimum of these four environments, so you can smoke test them. So what, so? Typically, you know, Docker containers, you know, I build once and I run many times, right. So the whole idea of this is that I create a container only one time and that's in development, right. So now I just simply move that image, that running container, to QA. I don't rebuild it.
B: I kind of just move it to an environment, but during that process I scan it again for a smoke test, right, and then from QA to pre-prod, when I'm moving that, I scan it again, and then from pre-prod to production I scan once more. So I scan my image several times during the pipeline and that's critical because things can change during your different environments.
B: Right. We all remember, you know, the insider hacker theory, right. Kevin Mitnick made it famous, right, back in the 90s, and, you know, there's always, there may be an insider you don't know. So in development they could be planning, somebody could put something, a bad actor, a bit of code in there, as well as in pre-prod.
B: So it's important you smoke test every step of the way, just to verify that you are good to go at the next level, and then once it's running in production, you know, I want to monitor my traffic patterns more than the container itself. Obviously, runtime scanners, do they slow down? I haven't seen any performance issues with that at all when I'm looking at it. But to me it's more about the traffic patterns. NeuVector is a great solution, for example, when it comes to monitoring my different networking patterns that Kubernetes is running out there.
B: Obviously I've got my service, especially with Istio and other solutions out there. We could do, whatever it may be, monitoring that project, upon encryption and that ecosystem of that path, but, you know, to me it's about monitoring that path. So if I go to the pharmacy or if I go to work every single day, I go to work and I'm walking to work, I walk with one path every day to work.
B: If I go to the pharmacy one day, I'm going to be rerouted, but that needs to be, so, and so that needs to be flagged to say: hey, there's something that's not normal with this current Kubernetes path. So we need to monitor that as well in production. So while I'm running, when I'm monitoring my Kubernetes in production, I'm monitoring these patterns of the network, and if something is out there, causing, a bad actor, it's going to move my IP, it's going to try to route me somewhere else.
B: Once it's happening, you need to lock that down, it's going to refresh copy. So to me it's monitoring more about your network traffic, and that is GL infrastructure as well, right, as well as a runtime, if that makes sense. And yeah, but as far as monitoring the runtime, it's very, we see very little performance integration at all, yeah.
A: Great, yeah, that's awesome, and you touched on a little bit of the next comment that came in, which was observability. So the question is directed at you and it's: how do you feel about the observability when it comes to troubleshooting policies? So, for example, why a pod didn't run, what level, you know, what policy is affecting that pod? Do you think that troubleshooting process can be improved?
B: You know, the fundamentals, right, in the beginning, when it pulled out at a cluster, and it, so it's not McDonald's, right, and then I say this, and every so often, I say this during meetings, but with McDonald's, it's the same hamburger, Seattle, right. It's cookie cutter. It's a hamburger. If everything is as code, okay, including my policies, right, so I create a cluster, right, it's hard, it works and it's Terraform scripted and its infrastructure is code and its policy is code.
B: That's already coded. All I've got to do is just run it and I know it's going to work. There's going to be no troubleshooting about a pod issue, because I know it's going to work right now. Obviously, if I upgrade my Kubernetes to the new version, I need to re-test all my scripts again just to make sure that nothing changes from APIs.
A: Yes, yeah, if you have your Kubernetes objects in a version control system, you change one thing, it should be a relatively easy process for debug, right. The more you're changing, obviously the more different aspects you throw into that debugging prospect.
B: So a big thing about this also is governance when it comes to Kubernetes, and this is something I preach to my clients, is that unique governance around this? It's a wild west out there. I go to customers, they're doing their own thing. There's 20 different pipelines, they're in the basement, they're in the rooftops. It's crazy, right! Stop, right. Let's have a lot of governance of Kubernetes. I had one pipeline, so containers were anywhere, right. I had one pipeline that built my container and then once it's built, I can run it on prem.
B: It's not really, I don't really think that was really a thought-about moment like this. To be honest, security audit, those kinds of things, you know, could be, you know, a whole nest of a rat hole in itself, right. If you think about that, you know, to me, if you have, you know, your clusters validated, you know, from the beginning with security, and that, you know, it's being monitored, and a big part of it is your security team has to be part of the shift, that shifting left, right.
B: The definition of DevSecOps, everything shifts left, containers and security, rather, is that first class citizen, right, from day one security is there. So my security team is part of this build, that as we do this they're part of the solution, so that when it comes to auditing they already know what's going on, right, so a lot of those things from the past don't need to exist today.
B: Yeah, so I mean I'm very heavily relying on kube-bench from Aqua, you know, which is a cool open source tool that I advocate to people. You know, Liz Rice, you know, amazing resources in the world, right. But when you look at this, the solution, right, monitoring those, goes back again to the PSP. Once the PSP leaves, what happens with that also. So again, this pain needs to be revisited into releases to see what this change is in that world right now today, but, you know, to me it's about.
B: You know, whether I'm working with the US government or a local client, you know, the benchmarks are part of that process. Locking those down is critical, as well as AppArmor and seccomp are also critical to my success. I don't want to see a container running without them. Okay, if you're wearing that, don't call me, I don't want to hear it. You have to be doing those things if you're serious about security.
B: You know, whether it's AppArmor or seccomp, with a combination of your pod policies, that's going to harden your container. It's pretty simple, really, it's all you've got to do, there's no magic here, but you have to do that for it to work, right, and once you've hardened that container, using a minimal OS, because I don't need an HP, a wasteful driver, for a microservice. I'm never going to use that driver.
B: What I have in my build, so have that new OS with as small a footprint as much as possible when it built that container, okay, is the first in order to harden up that container. So use that minimum OS, a kernel, right, from the indirect stream, and then, you know, put seccomp or AppArmor over that, and then building my, you know, all of my switches, right, my CIS benchmarks into that, to me.
A: Yeah, I think the CKS does a good job at trying to highlight the external tools, that it's not just security and Kubernetes, right. There is that whole infrastructure as code and node setup as well, so hardening the node OS is also a key component of the exam.
A: From your observation, just a general question, what do you think are some of the most important security tools that you think enterprises are missing in their cloud-native journey? You know, what are the tools that you stumble upon, like the biggest gap that you're seeing when you talk to different enterprises?
B: I'll answer that in a second, but I do see a quick question about, what about HIPAA and this compliance? Again, I think about Michael's questions around CIS benchmarks. Within CIS benchmarks, right, HIPAA and this is part of that. As long as you are adhering to the special, you cover those, right, so that kind of answers that question. I think, to answer your question, Michael, more about, sorry, let's take a step back for a second.
B: What gaps we see out there again is runtime. So every year or so my team and I, we have our Kubernetes security point of view deck, and right now we're getting ready to update the release to the newest version. But we looked at all the tools out there in the market, we compare them and the differences, and where are the gaps, and where we see the gaps most of the time is runtime.
B: We need runtime security. That to me is the biggest gap, and whether, you know, this is always about my answer, it's runtime. The gap is runtime. You have to fill in that hole. That is the most important hole to fill in and that's the biggest gap, because if I'm using OpenShift or Rancher or Anthos or whatever I'm using, nobody does runtime security out of the box.
B: You need to implement that. Okay, and if you don't, you're so exposed it's crazy. So that's where StackRox comes into play, you know, because it's an amazing tool that gives you the runtime security that's lacking right out of the box. So to me that's the biggest thing you want to build within your environment and not rely on out of the box. I mean, way back when Docker Enterprise, you know, when it was Swarm, was the most secure solution out of the box.
B: So if I was, you know, if I did myself back seven, six years ago and I was using Docker Enterprise out of the box, I was secured. I mean Swarm departed by encryption out of the box, but Kubernetes is not, by the way. That's why you need Istio. But, you know, it has, it had, you know, it saw my images, it scanned them. Everything was in Docker Enterprise's parts, right, so it was amazing.
B: It was a great solution, but then, you know, the ecosystem went off, things happened, things changed with Kubernetes, everything else, and then those things became more exposed, because when Docker did it at the beginning they did it right, but let's be honest, things kind of went all over the place after that. So we need to go back to that time again to understand.
B: What's the success of Docker Enterprise, and make sure that we bring in those fundamentals into our world today, right. We really need to make sure we can be doing that, because right now that's lacking, and, you know, again, to me it's about having the runtime security around those things. It is important.
B: I have fights with people all the time about this. Lambda is better than the containers, and what's this, that, and vice versa. I have fights with my engineers all the time about this. They're fun fights, but, you know, jokingly, it does happen, right, and these are things to think about. I mean, many people tell me, John, the containers are dead. You've got to go serverless, you know, and everything else, you know.
B: If I look at, for example, when I'm using Cloud Run in Google Cloud, I'm using, you know, Lambda or other microservices, but the services is a whole part of the ecosystem, right. But if I'm running an application that's going to be not about the service, but it's a long-running application. It's part of an SAP application, it's part of an ERP system, it's part of my banking system, right, the heart of that system. It can't be a microservice.
B: It has to be a long-running container, right, so I'm always going to have those long-running containers in my environment all the time. It's those instant microservices for those calls. So if I'm running a CRM system and then if I want to do a customer lookup, right, after, spin up the microservice, the microservice will find the customer, give it back to me and go to sleep again. That's a great function for serverless, but down to the system running, that process needs to be a long-running container, right.
B
So
this
is
how
I
put
my
system,
and
this
has
to
be
understood.
It's
two
different
things.
It's
two
different
use
cases
I
mean
my
entire
world
today
cannot
run
on
microservices
in
the
future.
Maybe
it
can,
but
not
today,
there
needs
to
be
a
lot
of
change
needs
to
occur
a
and
b.
What
do
you
think
is
behind
those
things,
so
the
kubernetes
runs
lambda
right,
kubernetes
runs
cloud
run,
kubernetes
is
in
the
background
you
just
are
distracted.
B
A
Yeah
and
they're,
I
think
the
I
found
the
weird
you
know
we
shipped
it
to
cloud
and
then
now
you
kind
of
seen
the
last
year
a
little
bit
of
a
hey.
We
didn't
get
everybody
to
cloud,
there's
still
a
bunch
of
people
running
on-prem,
you
know
how
do
we
use
both,
and
you
see
these
hybrid
kubernetes
solutions
cropping
up
right,
so
I
don't
think
it's
as
easy
as
like.
We
could
just
go
serverless,
there's,
always
databases,
there's
always
compliance.
There's,
always
these
checks.
A
B
That's
a
big
and
you
bring
a
good
point.
You
know,
is
the
kind
of
control
plane
today
it's
a
big
conversation
with
clients,
so
the
multi-cloud,
the
multi-hybrid
right.
I
have
on-premise
and
multi-clouds
out
there.
How
do
I
secure
this
right?
How
do
I
manage
all
this
stuff
and
what
I'm
using
anthos,
you
know,
which
you
know
or
other
solutions?
B
B
This
is
what
this
is,
what
we're
shipping
up
in
the
morning,
so
I
let
my
job
talk
about
this
stuff
with
clients,
but
you
know
how
do
I
secure
the
multi-cloud
journey
right
from
on-premise
with
containers
with
the
cloud,
because
this
is
my
environment
today,
so
long
and
simple,
it's
no
longer
in
one
environment
right
that
could
use
me
in
the
olden
days
right
when
I
had
when
I
had
no
gray
hair,
and
you
know
how
to
secure
it.
B
B
The
single
plane
of
glass
that
I
had
mentioned
before
to
you
is
that
one
pipeline
that's
critical
to
do
this
in
order
for
me
to
be
to
have
a
true,
multi-cloud,
multi-hybrid
environment.
I
need
that
one
common
pipeline
to
run
everything
right.
So
when
I,
when
I'm
architecting
this,
I
need
to
have
that
in
mind
as
I
build
it
out.
A
I
thought
it
was
great.
The
the
one
question
that
I
actually
really
have
about
these
hybrid
class
solutions
is:
do
you
see?
Do
you
see
data
policies,
especially
when
it
comes
to
countries
and
how
they
use
kubernetes,
to
become
an
issue?
So
let's
say
you
run
everything
through
anthos
and
you
have
a
cluster
because
I'm
in
toronto,
you
have
a
cluster
in
canada.
You
have
a
cluster
in
the
us
and
all
of
a
sudden
there's
a
data
regulation
that
goes
up.
B
I
haven't
seen
much
many
issues
I
mean
I
do
know
we
partner
with
companies
like
portworx
and
pure
storage,
for
example,
where
I
can
have
my
my
data
now
everywhere
and
scale
of
course.
Of
course,
clouds.
The
cool
thing
with
anthos
and
portworx,
for
example,
is
I
could
have
a
database
running
on
premise.
I
could
have
a
database
writing
in
in
amazon
and
google
and
have
all
synced
right.
You
know,
of
course,
my
different
environments.
In
the
old
days
I
keep
on,
which
is
a
year
ago
right.
It
was
only
reason
to
read.
B
So
if
I
was
on
amazon
or
google,
I
could
replicate
my
data
rich
in
the
region
with
no
problem,
but
we've
seen
clouds
go
down
right.
We've
seen
google
go
down,
we've
seen
amazon
go
down,
we've
seen
azure
go
down,
they
do
go
down
it's
possible.
So
if
I
had
to
have
five
lines
up
in
my
environment,
what
do
I
do?
So?
B
But
to
me
that
that
needs
to
be
part
of
the
infrastructure,
as
we
both
have
this
multi-cloud
world
is
that
architecture
needs
to
be
baked
in
and
the
data
ops
is
part
of
that
story.
Also.
You
mentioned
data
before,
but
these
whole
things
when
we
talk
about
devsecops
and
what's
emerging
today
with
the
trends
data
ops
has
to
be
part
of
that
discussion,
because
data
you
know
is
the
most
important
one
is
one
of
the
most
important
parts:
the
life
cycle.
B
A
Yeah,
you
might
see
what
dev
data
set
ops.
B
A
Yeah
shifting
a
little
bit
back
to
the
cks-
and
you
mentioned
this
before-
obviously
with
pod
security
policies
being
deprecated,
there's
a
couple
questions
that
are
just
revolved
around
you
know:
do
we
need
to
study
for
pod
security
policies?
What
do
you
think
the
best
practice
moving
forward
is
to
stay
aware
of
also,
you
know
alternatives
to
pod
security
policies.
B
Yeah,
absolutely
if
you
go
back
to
the
test
and
the
exam
there
are
things
around
that
related
to
to
those
topics,
I'm
not
going
to
get
into
them
in
detail.
I
can't
I'll
get
a
lot
of
trouble
if
I
do
that,
but
you
know
understanding
again
the
basics
of
the
ecosystem
of
security
right.
The
third
part
tools
out
there
is
important
as
well
during
this
exam
understanding.
The
simple
things
like:
how
do
I
sequence
management?
B
How
do
I
use
that
in
a
simple
term
right
to
build
my
cluster
being
able
to
implement
things
like
at
bomber
or
it
may
be?
You
know
those
kinds
of
things
I
think
important
to
understand
as
well
doesn't
stand
in
the
ecosystem.
You
know,
I
think
it's
part
of
the
stuff.
That's
brought
it
out
and
you
know
there's
a
lot
of
it.
B
It's
kind
of
funny
and
it's
I
kind
of
crack
up
when
I
see
it,
but
I'm
also
humbled
by
it
that
there's
many
companies
spinning
up
around
cts,
there's
many
things
spinning
up
around
it.
I
I
mean
I've
had
people
creating
these
mock
tests
and
these
test
exams,
and
these
you
know
these
training.
You
know
things
that
the
people
are
now
taking
to
take
this
exam.
It's
very
exciting,
to
see
the
thing
that
I
built
has
actually
gone
toward
us
today
and
speak
with
the
cncf.
A
B
Is
amazing
and
it's
surpassing
google's
revocations?
It's
not
passing
many
things
right
now
to
be
the
number
one
certification.
So
to
me
this
is
very
humbling.
I'm
like
wow.
This
is
this
is
freaking
cool.
I
did
this.
You
know
this
cup
of
coffee,
this
all
started,
and
so
this
is
my
my
thing
in
the
world
that
is
big,
steve
jobs
thing,
but
it's
still
a
thing
right
and
it's
pretty
exciting,
yeah
and-
and
I'm
very
humbled
by
this,
but
again
to
me
I
was
very
in
the
beginning.
A
Yeah
yeah.
Well,
I
mean
after
after
that
endorsement.
I
definitely
think
people
are
going
to
be
ready
to
go,
get
the
cks.
I
guess
everybody's
getting
hired
at
accenture,
soon,
a
couple
more
topics
just
about
yeah,
that's
right!
We
have
about
10
minutes
left.
These
sessions
are
gonna,
be
recorded
and
there
are
some
resources
as
well.
Just
in
case
people
are
wondering.
Waleed
was
in
here
asking
questions.
A
He
also
has
a
really
good
resource
and
outline
on
github
for
the
cks
and
cka
recommend
you
checking
him
out
and
going
over
the
kubernetes
slack
channel
he'll
be
in
there
as
well.
Just
with
10
minutes
left
finishing
up
some.
What
are
some
of
the
major
container
scanner
tools
that
you're
aware
of,
and
you
know,
from
an
open
source
standpoint?
Do
you
have
any
runtime
security
recommendations
for
tools.
B
Of
course,
of
course,
and
also
I
see
a
question
by
screen,
which
is
actually,
I
think,
maybe
it's
part
of
this-
you
know
john,
what
are
the
docker
container
registry?
That's
another
threat.
I
think
he
says
area
threat
where
artifactory
nexus
lack
functionality,
which
is
part
of
the
tool
chain
to
talk
about
today,
and
that
that
that's
true
I
mean
so
jfrog
artifactory
nexus
and
even
github
is
now
claiming
that
they
do
contain
that
registry,
which
is
great,
I
mean,
but
you
can't
be,
creating
everything
right.
B
You
can't
own
everything
in
the
kitchen
sink
and
say
my
my
mind.
You
can't
be
a
master
of
everything,
there's
always
gonna
be
a
cat
and
what
it
comes
down
to
with
those
things
is
really
it's
about
the
the
scanning
mechanism
and
those
things
I
love
jfrog,
I
partnered
with
the
very
close,
but
x-ray
has
gaps
in
it.
It's
not
made
for
scanning
containers,
it's
just
not
right.
B
So
the
those
are
the
scaps
that
you
see
in
those
different
things
where,
if
I'm
using
acr,
you
know
if
I'm
using
a
real
container
registry
gcr
what
it
may
be,
and
I
can
scan
that.
I'm
scanning
actual
containers
and
what
those
vulnerabilities
are
about.
So
I
I
leave
artifacts
to
artifacts
my
front
end
if
I'm
running
an
angular
development
shop
and
any
of
my
images
right
and
my
my
my
other
my
npm
files,
those
code
bars,
let's
go
to
factory.
Let's
go,
let's
go
to
nexus
right.
I
don't
put
my
containers
there.
B
That's
where
my
my
friend
code
goes
right.
I
keep
my
containers
in
registry
and
over
time,
will
this
evolve
and
does
it
really
matter?
No,
like
I
said
before
it's
about
best
of
breed
best
of
practice,
best
solutions.
I
want
to
have
my
environment
right.
So
to
me
it's
about
always
going
back
for
best
resolutioning.
B
It
enlarges
my
runtime,
it
does
a
lot
of
cool
things,
but
it's
not
automated
okay
and
which
is
not
good,
so
I
can
use
it
if
I
want
to
just
just
kind
of
tickle
run
top
security,
and
I
want
to
play
with
it
and
if
I
want
to
start
bringing
into
my
environment
without
spending
any
money,
I
can
use
falco
and
that
will
give
me
the
runtime.
You
know
security,
but
I
can't
automate
it.
I
can't
maybe
script
it.
I'm
not
gonna
tell
you
to
hack
it.
B
I'm
not
gonna
do
that
on
the
phone,
but
you
know
you
could
you
could?
Definitely
you
know,
do
things
upon
the
script
to
be
automated,
but
out
of
the
box,
it's
not
gonna,
be
automated.
That's
where
cystic
secure
comes
into
play
and
stack,
rocks
and
aqua
that
come
into
play.
That
does
that
automation
along
with
twist
lock,
you
know
from
from
prismacloud
those
are
the
best
things
out
there
right.
Those
are
the
big
ones
to
look
at
and
understand
what
they
do
with
the
ecosystem
right
as
part
of
that
that
solution
yeah.
B
As
far
as
monitoring
is
concerned,
I'm
a
big
fan
of
prometheus
and
grafana
right.
I
can't
say
enough
about
those
tools,
they're
phenomenal,
and
so
definitely
you
know
when
I'm
monitoring
my
containers,
premier
league
grafana,
is
always
my
first
live
defense.
They
could
bubble
up
diet
trace
or
whatever
ap.
I
have
out
there.
That's
great
and
they're
going
to
do
that,
but
if
I'm
in
diet
trace
or
another
apm
and
I'm
not
doing
things
and
it
has
the
kubernetes
apis,
it
is
seeing
it,
but
it's
like
I
see
it
from
the
bottom
up.
B
A
Yeah,
no,
you
touched
on
a
good
point
because
there's
another
question
here
about
policy
management
that
sits
on
top
of
container
scanning
and
is
that
the
next
layer
of
abstraction
right
and
you
you
mentioned
you
know
you
have
falco-
you
have
things
like
trivi,
which
are
specific
for
container
image
scanning.
But
really
you
know
the
stack
rocks
of
the
world.
Those
are
things
that
we
tie
in
basically
everything
and
profiling
and
all
that
around
kubernetes
context.
So
there's
those
open
source
tools
are
really
useful.
B
Of
what
it's
doing
right
and
having
support
is
important
as
much
as
I
love
open
source
as
much
as
the
advocacy
open
source.
You
know
somebody
has
to
support
this
stuff
right
and
I
I
don't
want
to
call
it
through
like
in
the
morning
personally
to
fix
something.
So
support
is
part
of
is
part
of
the
ecosystem,
so
these
vendors
are
critical
for
supporting
these
different
things,
and
you
know
to
that.
B
To
that
point,
you
know,
as
I'm
building
these
things
out
and
having
that
you
know
full
rounded
approach
for
security
in
every
gap
you
know
understand
what
those
are
is
important
and
a
lot
of
times.
The
vendor
supportive
products
are
the
ones
that
are
filled
in
let's
missing
gaps,
although
I'm
going
to
have
tools
that
are
very
similar
overlaying
each
other.
B
If
I
go
true
open
source
route,
I'm
gonna
have
many
applications
to
overlap
and
do
similar
things
just
to
fill
in
one
little
gap
and
to
to
monitor
that
and
to
handle
that
and
to
run
that
and
to
support.
That
is
a
real
pain
in
the
butt
and
versus
getting
a
vendor
product
that
does
everything
right
or
close
to
everything
with
other
things.
So
to
me
it's
about
again,
I
keep
saying
again
I'm
a
broken
record,
but
it
keeps
going
back
to
your
best
degree
tools.
You
want
to
use.
A
Yeah
I
there's
there's
a
couple
people
that
are
asking
questions,
because
obviously
you
do
have
a
lot
of
recommendations
around
things
like
scanning.
You
know,
registries
managing
the
ci
cd
process.
A
Is
there
some
sort
of
tool
that
you
have
published,
or
can
people
get
in
touch
with
you
in
a
way
that
you
don't
give
away
too
many
of
your
recommendations,
like
you
know,
can
people
contact
you
and
sort
of
see
you
know
matrix?
Do
you
have
any
recommendations
for
for
readings
to
understand
the
ecosystem
and
what
they
can
use.
B
I
mean
I'm
on
linkedin
or
you
could
definitely
or
you
could
move
it
directly
to
my
email
address
at
accenture,
I'm
more
than
happy
to
take
questions
after
this
discussion.
Obviously
there
is
a
level
of
you
know:
knowledge
sharing
that
I
love
to
give
to
people,
but
when
it
comes
down
to
press
taxes,
I'm
actually
the
solution
things
you
know
I'd
love
to
get
some
time
with
you
sit
down
with
you
and
further
discuss
this.
How
we
can
work
together
to
fix
these
things.
I've
been
doing
this
stuff
for
a
long
time.
B
I
this
is.
This
is
what
I
do.
I
love
it
and
I'm
I'm
a
big
geek
when
it
comes
to
these
things,
and-
and
I
just
love
talking
about
these
things-
and
you
know
I
have
a
very
strong
understanding
of
the
ecosystem
as
long
as
what
my
team
does.
You
know
that
I
work
with
essentially
that
we've
built
over
time
that
we
have
this
true
knowledge
base
of
this
ecosystem,
how
how
it
works
and
how
is
the
best
way
to
implement
it.
B
You
know
again,
if,
if
I
look
at
the
all
the
attacks
with
sonar
and
everything
else,
that's
happened
in
the
recent
past.
You
know
we
could
have
simply.
You
know
not
gone
there.
If,
if
their
psychologist
was
properly
implemented,
was
the
proper
security
measures?
These
things
would
never
happen.
We
just
need
to
think
about
things
a
little
bit
more
as
we
do
them.
A
Yeah
as
a
an
open
source
cncf
resource,
they
do
have
the
cncf
roadmap,
so
just
in
terms
of
starting
with
kubernetes,
I
think
that's
a
great
place.
Obviously,
as
you
start
to
understand
the
ecosystem,
you
will
see
some
of
the
gaps.
So
that's
where
resources
like
john,
are
really
useful.
A
quick
question
I
just
want
to
bite
off.
The
cka
is
a
certified
kubernetes
administrator.
A
It
is
the
prerequisite
before
the
cks,
as
john
touched
on
earlier.
Do
you
know?
Cks
is
specifically
security.
Cka
is
more
administrative
and
it
makes
sense
that
those
two
are
separate
are
separate
and
reliant
on
each
other.
Quick
one.
Have
you
done
any
devsecop
style
workflows
in
an
hpc
environment?
A
It's
actually
a
really
interesting
question.
I'm
not
sure
your
thoughts.
A
Have
you
done
any
devsecop
style
workflows
for
an
hpc
environment?
I'm
assuming
they
mean
something
like
like
it's
high
performance
computing,
so
something
like
research
or.
A
You
something
like
that
sort
of
it's
my
guess,
with
the
yeah.
B
Right
now,
quantum
quite
a
bit
quantum
computing,
which
I
think
is
pretty
pretty
fast
in
some
ecosystem,
so
yeah
we
begin
to
build
those
up
now
me
personally,
no
but
people
my
team
have
yes,
but
that
that
is
definitely
something
that
that
we
see
emerging
quite
a
bit.
Yes
today,
especially
when
my
cars
are
playing
smart
now,
and
I
know
microsoft
and
apple,
and
every
right
now
is
starting
to
build
smart
cars
right
with
full.
You
know
self-driving
cars.
A
Yeah
from
my
own
standpoint,
what
are
your
thoughts
as
to
where
kubernetes
can
expand
into
edge
computing
and.
B
Yeah
so
iot
edge.
That's
the
discussion
very
often,
and
the
cool
thing
that
the
rancher
did
with
k3s
right
was
something
very
insightful
and
once
kf3s
came
out,
I
got
really
excited
about
k3s,
because
now
I'm
running
a
very
small
footprint
of
kubernetes
right
containers
using
k3s
on
the
edge.
How
is
that
scale
how's
that
perform?
Has
that
run?
B
B
But
that's
what
that
would
look
like
things
like
anthony's
now
on
the
edge
and
other
things
that
maybe
robust
loses
as
well,
but
we
see
an
uptick
in
this
quite
a
bit
and
the
discussions
about
kubernetes
on
the
edge
it's
emerging,
I'm
not
gonna
lie,
but
we
see
it
emerging
very
rapidly
right
now,
beyond
that,
you
know
my
my
simple
retail
stores,
right
where
I
have
my
my
registers
in
my
stores.
B
You
know
if
right
now
those
are
becoming
more
more
companies
aware
as
well
in
this
ecosystem,
on
the
edge
of
things
when
it
comes
to
smaller
devices.
B
You
know
if
I
look
at,
for
example:
firewalls
that
are
not
emerging
is
kubernetes
on
the
edge,
which
is
really
cool
if
I
can
run
a
firewall
in
kubernetes
on
the
edge
think
about
what
that
can
do
to
my
to
my
things
and
they're
on
on
the
market
since
last
year,
they've
improved
themselves
very
nicely,
but
definitely
if
you're
very
interested
in
these
things
start
looking
at.
You
know
firewalls
and
kubernetes.
I
think
that's
something
that's
emerging
pretty
rapidly
and
very
cool.
A
I
got
two
more
questions
for
you.
What
do
you?
A
What
do
you
see
as
one
of
the
issues,
especially
when
learning
kubernetes,
and
I
had
this
issue
too
originally,
starting
because
when
you
use
a
cloud
provider,
you
know
some
control,
cl
control,
plane
components
are
sort
of
off
limit
for
access
right
and
then,
when
you
get
into
documentation
about
kubernetes,
it's
set
up,
for
you
know
specific,
let's
say
file
access
or
where
configuration
files
are.
A
B
So
you
you're
far
into
kubernetes
versus
not
none
of
the
stream
combinations
pretty
much.
It's
really
not
pretty
much.
A
Just
because,
like
a
lot
of
the
cks
examples
and
documentation
are
focused
around
the
upstream
right,
so
you
try
to
get
into
an
environment
to
study
and
you
go
into
gcp.
Well,
then
you
don't
have
access
to
those
nodes,
or
you
know
those
capabilities
on
the
control
plane
right.
B
Yeah,
obviously
you
know
cncf
is
kubernetes
it's
open
source
so
that
that's
what
we're
going
to
base
the
test
on
versus
real
world
your
solutions
out
there.
Obviously,
as
you
as
you
use,
you
know
the
google
console
or
other
things
out
there.
Limitations
are
out
there,
but
if
I
what's
up
in
the
command
line,
running
cube
cuddle,
you
know
I
pretty
much.
Can
rock
and
roll
a
lot
of
times
right.
I
I
haven't
seen
any
any
real
limitations
in
that
to
be
honest
and
if
they
have
been
it's
been
very
minor.
Just
to
be
honest,.
A
Yeah
and-
and
I
really
think
obviously
you
you
work
on
the
documentation
upstream,
so
you
know
what's
going
on
underneath
the
hood
when
you
start
to
work
with
things
like
you
know,
gke
or
aks,
or
things
like
that
right.
The
last
question
I
have
for
you
is
around
kubernetes
in
general.
What
are
you
looking
forward
to
seeing
in
the
kubernetes
security
ecosystem?
A
B
Well,
you
know
obviously,
kubernetes
is
taking
over
the
world,
it's
kind
of
obvious,
so
it's
everything
bigger
and
better.
What
I
would
like
to
say
within
kubernetes
is
when
it
comes
to
security
in
particular,
is
having
that
you
know
even
the
runtime
ability
to
monitor
itself.
With
the
things
I
mean,
self-healing
is
a
big
part
of
kubernetes
right.
The
way
aurora
scales
and
order
runs
those
types
of
things
so
the
self-healing.
I
think
I
want
to
see
that
mature
a
lot
further.
B
The
words
today
I
do
think
it's
dumb,
sometimes
the
way
it
orders
scales
and
thus
things
it's
a
little
clunky.
I
definitely
want
to
see
that
improve,
because
it
just
does
weird
things
sometimes,
so
I
want
that
to
work
better
when
it
comes
to
the
posture
of
security
with
things
I
definitely
want
this
whole
world
of
you
know
the
the
minimum
os
war.
You
know
what
is
the
best
kernel
to
use
and
from
the
that
stance
of
things
to
really
be
flushed
out.
Cryo
is
a
big
thing
right
now.
B
You
know
people
are
going.
Oh,
it's
death
of
docker.
Okay,
doc
was
not
going
to
die
right,
but
he
was
hoping
pushed.
It
would
require
io
and
container
d
and
what
is
the
best
flavor
to
use,
and
it
said
attractions
to
kubernetes
to
me
to
be
honest,
what
I
want
people
to
start
understanding
is
kubernetes
and
wildcards.
That's
the
same
thing
you
know
and
and
there's
many
discussions
where
people
kind
of
diffuse
it
to
it
together.
B
Right
that
it's
the
same
thing,
the
kubernetes
is
an
orchestrator.
It's
all
it
is.
Documents
are
containers,
it's
orchestrator.
Well,
I'm
using
container
d
or
daca,
or
you
know,
rock
rocket
whatever
it
is.
So
I
think
that
that
knowledge
that
simple
fundamentals
needs
to
be
known,
so
I
would
love
kubernetes
to
really
help
to
educate
a
lot
more
in
the
world
of
what
kubernetes
is
versus
a
container,
because
a
lot
of
people
confuse
the
two
together
and
they
make
some
serious
decisions
based
on
that.
That's
just
not
correct,
so
that's
one
thing,
let's
see
more.
B
If
that
makes
sense
and
then
the
hardening
of
it,
you
know,
I
think
kubernetes
making
the
stance
more
on
on
the
container
side,
maybe
understanding,
maybe
adapting
more
on
the
minimum
or
west
level
things
maybe
contribute
to
that
as
well.
To
build
those
hard
containers,
I
think,
would
be
part
of
that
as
well
and
important
ecosystem.
I
do
think
that's
a
big
part
of
that
too,
and
then
having
a
long,
lower
scaling,
like
I
said
before,
and
self-healing
also
have
that
ability
to
maybe
monitor
its
own
warfare.
B
You
know,
and
you
see
if
my
signature
changes
shut
me
down,
there's
no
reason
why
kubernetes
can't
sign
itself,
there's
no
reason
so
if
kubernetes
can
spawn
itself,
okay
then
monitor
that
and
that
signature
changes
to
shut
it
down.
Man
spit
the
new
one,
guess
what
I'm
not
gonna
be
hacked.
It
won't
happen.
So
just
that
simple
thing
which
sounds
simple
on
the
surface,
I
might
you
know
I'm
not
the
one
young
I
mean
to
develop
it,
but
yeah.
A
B
I
you
know,
I'm
I'm
a
big
advocate
of
cal
newport.
If
you
read
kyle's
work
or
deep
work
or
anything
else,
I
don't
do
social
media.
I
just
don't,
do
it
it's
I
I
focus
on
work.
I
get
stuff
done,
but
I
I
do
check
linkedin
at
least
once
a
day
so
that
that's
the
best
place
and
then
second
to
that
will
be
email.
A
Perfect
from
a
cks
standpoint,
there
is
the
cncf
slack
cks,
the
kubernetes
cts,
I'm
in
there
too.
If
you
have
more
questions,
feel
free
to
ping
me
there
and
we
do
have
some
resources
for
you
again.
This
will
be
recorded
if
you
missed
anything.
Thank
you,
everybody
for
all
the
questions
and
thanks
again,
john
for
joining.
In
hope.
Everybody
has
a
safe
rest
of
their
week.