From YouTube: TGI Kubernetes 119: Gatekeeper and OPA
Description
Come hang out with Josh Rosso as he continues our previous exploration around the OPA ecosystem with a focus on Gatekeeper!
00:00:00 - Welcome to TGIK!
00:02:41 - Week in Review
00:09:50 - Admission Controller Overview
00:22:41 - OPA and Rego Overview
00:33:31 - Gatekeeper
01:43:16 - Wrap Up
https://github.com/vmware-tanzu/tgik/tree/master/episodes/119
Hey everybody, how's it going? Happy Friday, thanks for joining us today. We have a really, really good one on deck. All right, who do we got with us so far: Adolfo, Suresh, Madi, Paul, Rita, la chemos, Maz, Rory, Kristoff, Simone. Welcome, welcome! We got a lot of folks from over the pond today, which is really awesome: baton, Ivan, Martin, Steve. Hey Steve, how's it going? Peter, nice to see you again. Bye, Roth, joy. Hey joy, nice to see you. Got some folks from Germany. We got Z didn't from Syria. Hey everybody, welcome! Welcome! All right, hi, I'm from Israel. Marcin, Marcin, Brad, nice to see you again, Brad. All right, so let's kick right into it today and talk a little bit about what we're gonna be going over.

This is a really exciting topic. We were kind of thinking through what we wanted to do this week and bouncing some ideas around, and George said, hey, you know, people have been talking about admission control and Open Policy Agent a lot lately, and we were thinking, wow, we should revisit that. And if you weren't aware, Joe actually did a talk, or I should say a TGIK, on OPA, I think about a little over a year ago, back when it was still a little bit fresher in the ecosystem, at least I should say in the ecosystem of Kubernetes, and he set up OPA, did some basic stuff, and we're gonna expand on that today.

So really excited to be joining you all today. So, let's see, who else do we got? We got Duffy here to support, very cool, and as well for special guests we've got Rita and Lackey joining us from Microsoft, and they're close to the Gatekeeper project, so they'll be helping us out with questions and telling you when I'm lying to you, when I get something wrong. So this should be a really good setup. Thanks so much for joining us today.
Cool, all right, I'm good, all right. So what we got going on this week: Kubernetes patch releases are coming out, 1.18.3. I looked through some of them briefly. It looked like there was some interesting stuff with GCP, or I should say Google Cloud, and a couple things around storage with Azure. So if you're running in either of those environments, maybe check out the patch release, make sure you're staying on top of that. We got one for 1.18, 1.17 and 1.16.

George has kindly put in a link to the monthly Kubernetes meeting, and there's a great video in here with some different notes, so be sure to check those out. Some of the kind of big highlights: 1.19.0-beta.0 went out on May 19th, so pretty exciting. Feature freeze is coming up, so those of you, or I should say enhancement freeze, was on end of day Tuesday, May 19th. I can't keep my days straight anymore. And there's some interesting stuff around patch releases.

One of the things I did like about this update when I was scrolling through it is he's got links to all of the slides for some of the different SIGs, so check out the slides. They're kind of, well, maybe not that one, I don't know why that one didn't work, they were working. There we go. It has just some kind of high-level details about what's going on with these different SIGs.

Cool, and we got Paul joining us as well to help out, thanks so much for joining us Paul. All right, community stuff that's going on: Harbor 2.0 is released. This kind of flew under the radar for me, but I'm pretty stoked about it. Cool things around the fact that they're really leaning into being the first open-source OCI compliant registry. You know, obviously the most important thing that any of us care about is there's a dark mode now, because that's the most business critical thing to include. But in all seriousness, it supports Helm charts now, it supports OPA policy, which is kind of great timing for us. You can bundle OPA policy if you've used like conftest and things, we'll talk a bit about that. So really cool. So yeah, just some better support for different object types, better support for OCI compliant images, and they're using the Aqua, is it Trivy, how you say it, as the kind of vulnerability scanner. So that's really exciting.

I know a couple folks who use that and it seems to be getting a lot of traction. You know, coming from my old days at CoreOS I still have a love for Clair, but Aqua's Trivy is really cool. So that's some exciting stuff with Harbor. This one's kind of out of the blue, but it got me really excited. I'm a hardcore vim user, and not because I love vim or really care what text editor I use, I'm just used to it, and I've been really pushing off VS Code for a really long time. Now, the nice thing about the advent of VS Code is I feel like it really pushed the language server protocol forward, so I've been able to keep using vim and kind of take advantage of a lot of the VS Code oriented features, but some of these really cool plugins are just kind of catching my attention, so I'm forcing myself to use VS Code, including today, because someone released a draw.io integration.

So that has me really excited. If you're a draw.io user, check that out. Kind of random, but pretty cool. Speaking of cool things that people are doing in the Microsoft ecosystem, new, no karma, hopefully, and I hoor hoor, I'm not gonna try the last name, they put up a post on setting up kind and minikube on WSL2 Ubuntu. So as if there's not already really awesome stuff going on with WSL, this is a really good Kubernetes-focused kind of view into how you can get some of those common environments set up that we're used to. So if you've ever watched Duffy do a TGIK, you know he likes kind a lot, right. So this is a cool thing to check out. Lots of cool stuff in this space, and it's just really exciting to see how much Microsoft is embracing this ecosystem.

So that's really cool, check out the blog post. And then clay Kate, kaitland K linked, they have a post on using OPA that they posted up from their company. Now I'm not gonna talk much about this because I don't want them to steal our thunder. But if you leave this kind of wondering, hey, what are companies doing with, or what's their experience with, things like Gatekeeper and OPA and so on and so forth, you should check this out. I breezed through it, thought it was pretty cool, but again I'm not gonna let them steal our thunder here.

Okay, so, and then the last thing we'll say is hugs to all the folks that are working on the Quay outage. I know that was an intense one, but I think all systems might be back up. So that's cool as well. All right. What else do we have, yeah? That's exactly why Duffy is kind of a big deal, exactly. Vivian, thanks for joining us from Munich, glad to have you, thanks so much. In policy, you probably heard me mention it, but yeah, like as far as the default one, I think they're using the Aqua Trivy. Oh, Joe said right under you, it's pluggable, so that's kind of cool, but Trivy's the default. Okay, I just got to read lower in the chat and I can answer my own questions there. All right! So yeah, we have a great audience today. Thank you so much for joining us. Let's get right into it.
So, as mentioned previously, Joe did, about a year ago, a thing on OPA, and there's a lot of stuff that has kind of been going on in this ecosystem. I think people are really excited about it, and I think one thing we could do to tell the story a little bit here is maybe just kind of level set, right. I'm thinking our focus today is gonna be more about some of the new stuff, like we're gonna get into Gatekeeper, we're gonna look into conftest and all that stuff, but it'd be helpful to build on what Joe had done in the last TGIK, and I watched that before this one, and just talk a little bit about what's the bigger picture with admission control, why is it important, right? How does OPA play a role in here, and then that will lead us very gracefully into talking about Gatekeeper and constraint templates and all these cool things that we're gonna get into. So how's that sound, everyone? I think that should be a pretty solid episode here.

So speaking of that draw.io integration, let's draw some stuff out here real quick. So we'll call this one 119.drawio. I think this is the extension it wants, right. All right, cool.

So what are we talking about today, right? So there's this concept of admission control that we care a lot about, and the question really is like: why do we care about admission control? So one of the interesting things that I have a lot of conversations around, and you'll get a lot of opinions depending on who you ask, is like, you know, what's the difference between Kubernetes versus like Cloud Foundry versus like OpenShift versus all these interesting things. And kind of a metaphor that I use when I talk to folks about it, and sometimes they love it, sometimes they don't, is that Kubernetes is a little bit like, I'm gonna bring a graphic in here real quick if I can, Kubernetes is a little bit like, oh, that's a tiny graphic, it's a little bit like a motherboard, right. And what am I getting at here? So a lot of kind of platforms as a service, like even Heroku and stuff like that, may be a little bit more like kind of a fully baked out iMac from Apple that you would buy, and the iMac is like this cool machine, right. Well, then that's a much bigger picture. Let's bring this one down here a little bit. All right, see if I can zoom out. So a little squished iMac here, right.

So you use some of these kind of platforms as a service and they've got everything baked in, right. A lot of times, you know, they might just say, hey, as long as your app conforms to running in this ecosystem, you can run it here, right. And then one of the interesting things about Kubernetes... But you know, at the end of the day, it's one piece of the puzzle that does its job really well, but eventually we want to add all these things in, so we can build something that looks a little bit closer to this, right. That's kind of where we want to get to. So the reason I'm bringing this up is one of these things that we oftentimes have to plug in to take a Kubernetes and make it something that's viable to run our workloads and run our applications is admission control.

It's a super common day-two conversation that we have when we're talking to folks about how they're gonna set up their Kubernetes environment, and that's really what we're gonna get into today. So just to kind of lay the ground with admission control and what we mean by it, and then we're gonna get right into OPA and Gatekeeper.
So, as all of us know, all right, I think most of us might know, Kubernetes has this thing it calls the API server, right, and then inside of the API server, see if I can put this text up top, inside of the API server we've got some different things that happen when a request comes through, right. One of the things that happens is you're authorized to some degree, right, your identity, you're authenticated I should say, and then maybe it checks your RBAC and things like that. And by the way, this isn't a technically accurate flow for an API server.

Now there is this kind of larger box in here that I'm gonna call, I'll just keep it small I guess, that we'll call the admission control, right. And some of you might be aware that admission controllers have been in Kubernetes for a while, right. Like if we were to go to a cluster real quick, if I were to hop on to a master node and I were to look into the kube-apiserver, which, since this is a kubeadm based deployment, is going to be inside of static pods. So let's just go here, so this will be /etc/kubernetes/manifests/kube-apiserver. There we go. There is this flag called enable-admission-plugins. Some of you might even remember back in the day where there used to be a different flag here, and there were like tons of things we chained in here and the order mattered and all this kind of stuff, right. Does anyone remember that from back in the day? So admission controls can be things where we kind of say, like, hey, do this extra check to validate whether the request that's coming through should actually be allowed. So that does make sense. So we'll go through auth and RBAC and do some amount of admission control right now. Yeah, we've repressed those memories, right Paul!

Now these ones that I'm talking about I'm gonna call in-tree admission controls, right, where they're baked into the API server, they're kind of in the code base, if you will, right. So what's interesting about the type of admission control we're going to be talking about here is that it's a little bit different. We're gonna be talking about the notion of dynamic admission control, where the notion is, rather than having this kind of in-tree flag, if you will, that we turn on and enable in the API server, we instead use the notion of webhooks to call out and validate whether the thing that we're asking to do should be allowed.

So, let's call this the validating admission controller, and sometimes you'll hear these be called controllers, like validating webhook controllers. I get a little confused by that name, just because they don't usually seem like controllers to me, they don't seem to be reconciling. I guess in a way they're reconciling, but to me it's more like a web service in a way. Maybe I'm getting too pedantic there, but long story short, we get to call out from the API server to some service that's running, right. And this is great for a couple reasons, and maybe Joe can even enlighten us on the history if there's more to it, but one reason it's great is we don't have to pack the API server with as much in-tree logic, right? The second reason it's great, and this has really been beneficial, obviously, to like the cloud providers of the world, you have AKS and GKE and EKS, and the control plane is largely not known to you, right. So, like, I'm not super up-to-date with how well they support these models, but the notion that you could set up your own validating hook and then have the control plane call out to your admission logic without having to touch the API server, because remember in those models you don't always have the access to them, is really beneficial, right.

And you know, long story short, when you go from again that motherboard to that computer, your organization is kind of starting to take workloads on, right, and they're starting to realize, oh my gosh, we really need to be making sure people aren't asking for 90,000 gigabytes of memory when they schedule their pod. Oh my gosh, we need to make sure that this team isn't asking for this ingress URI, because all of a sudden they're taking over our production homepage, right. So it's super interesting and it's a really cool space.

Now, there's another kind of facet to this dynamic stuff you might have heard of, which is the mutating controller. We did the secret management one pretty recently, where we looked at Vault, which used a mutating controller to call out and instantiate, what was it again? It was an injector pod, right. So the mutating webhook would come through, it put a sidecar in. Those of you who have used Istio have probably seen this, where you go through, it injects Istio.

Today our focus is mostly going to be validating, but it's a similar model where you can call out to a web service, and you can do some type of logic, right, and that's kind of the key thing here. All right. So what do we got going on in chat? Paul, thanks for joining us, glad to have you. All right, hey Brian, thanks for joining us, haven't seen you in a while. All right. So hopefully that makes a little bit of sense. Now.
The last thing I'll say here before we dive a little bit into OPA is there's a couple ways you can implement this thing, right. In fact, if we just kind of look really quick at the, let's go back to my browser here, where I was looking at pictures of computer parts to show you all. If we go to Google and we type in kubernetes admission review, I can never remember the object name. Hopefully it shows up here, dynamic admission review.

Let's see if I can find it. There it is, it's got comments in the JSON, interesting, okay, whatever. So Kubernetes can send out this object that we'll take a quick look at, which is called the, let's bring, let's save this one in here. This would be a good one for us to have, and I'll commit all these diagrams and samples after the episode, by the way. So this will be the admission, I guess it's a JSON file with comments in it for reasons I don't understand, but it's nice because it documents it well. So Kubernetes is gonna be able to send out this AdmissionReview object. Okay, so remembering that our diagram kind of looks like this, the question is: what comes out of the API server and eventually hits our little web service? Well, at the end of the day, it's kind of an object that's wrapping the object or resource we submitted. It's all converted into JSON here, right. You got some details about, like, what's the operation you wanted to do. You've got details about, like, what the actual object was and all that good stuff. So the crux that we have here is: can we take this AdmissionReview object that we get, do some level of validation on it, and then send back, and this will be the second object I'll be sure to save in here, we'll call this one, these names aren't great, let's call this the admission response JSON file. So we do whatever we want, right, and then eventually we send this thing back to the API server that looks like this, okay.

So the key thing that we've got to have our heads wrapped around before we get into OPA and Gatekeeper, right, is we get in some AdmissionReview object and then we need to respond with something here to the API server that's like, hey, API server, I looked over the thing, here's how I'm feeling about it, you should allow it or you should not allow it. And the beauty here is what we implement this in is largely up to us, right. So we could implement this in bash in a container. We could write this in Go, in Python, and, of course, per today's conversation, we could write this in, oops, that's my face, we could write this in, or using, OPA. So OPA allows us to kind of centralize policy management, and OPA is not like a Kubernetes specific thing, right. It just got adapted and got a lot of adoption in the Kubernetes ecosystem. So if you want to see how to set up OPA just as, like, generic in Kubernetes, you run the OPA service, you link it into the admission controller I was just talking about, check out Joe's other episode. He sets that up in a minikube cluster.
Okay, what we're gonna do is we're gonna try to take this a step further and talk a little bit about how Gatekeeper takes this kind of one step further for us, right. So if we look at, let's look at the policy language real quick. I think this would be kind of a good thing to point out before we get too deep. The Open Policy Agent, rather than you writing a bunch of custom, again, controllers or web services to do some logic, enables you to write these policy files called Rego.

And again, if you watch Joe's other episode, the crux of the episode is he learns it's pronounced "Rego". So now you all know that if you didn't. Rego is a DSL that lets you query things and give a result. Now I've worked with OPA a lot in the field, worked with Gatekeeper, I'm super excited about today because of that, but I've worked with OPA quite a bit in the field, and mostly people like it, but the biggest complaint I get is, oh my gosh, why did they make another language? This Rego thing? It sounds like a pasta sauce, and also I'm just, like, super confused by it. And I do have some empathy for that, because when you look at the Rego language, in fact, let's just throw a quick Rego file in here, so we'll say policy.rego, right, it looks kind of like, in fact, let me switch back over to here, it looks kind of like a weird kind of like function definition, in a way, right.

Is that it's a language that lets you query, right, and those queries are effectively assertions. And you know, so when you're using Rego, if you're like me and get confused, every time you wake up in the morning you just got to remind yourself: Rego is not a general-purpose language, it is for querying data, right, and then you choose what to do with that result set. So let's use like a really simple example really quickly, and then we'll deploy Gatekeeper and test it out there.
Which, by the way, just got moved into the open-policy-agent repository. So let's just take something kind of random that makes sense to us Kubernetes users real quick. Okay, so we'll go to here. All right, and let's take this sample policy, you know, in fact, let's keep it even simpler than this one. I'm gonna take their second example here, all right, so we'll get that.

example.yaml, all right, cool, we'll do that. All right, so looking a little bit closer at here, right, this is a YAML file that we'd submit, right. Sorry, I keep screwing up my different screens. So this is a YAML file we'd submit, and when it gets to Rego, I'm sorry, when it gets to OPA, it's gonna be in a JSON format, right, so let's go ahead and make that change.

Really quick, so I will do, and I'm still learning how to use VS Code, so bear with me here: YAML to JSON, selection or document, yeah. There we go, all right, so we'll save this, and then we will call it example.json, which probably would have been the move up front, but that's okay, we're learning here. All right, example. Actually, it needs to be in JSON, I think, so I'm using a plug-in in VS Code that's going to evaluate this! So let's see if this even works. Okay, so clean up here a little bit.

There's our admission control, there's the response we need to give, there's the policy, okay. This is good, and then I'll open up the input one more time. Great, all right. So we've got this policy here, right. So the idea is, if I run this thing against this deployment, what is it gonna come up with? So what are we checking for here, right? So what we're saying is "not" inside of the matchLabels that there is a label called app.

So let's look inside here under spec, wait, once back up, under spec, under matchLabels, there is app. So in theory this policy should work. Okay, so in other words, we'd expect this to evaluate as: if it's not there, then it would be true, so it is there, so it would be false. And then there's, this is actually another check here.

This is one of the things that gets kind of really confusing with OPA, is there's different interpretations of the equal sign depending on the context. They've kind of gotten around this, I'm guessing they've kept the single equal sign methodologies around for backwards compatibility, but you can actually do this here, which I think makes a lot more sense. So this evaluation is going to say, is this a Deployment? Now, in this case, we'd expect this to evaluate as true, right. So when we run this rule here, this will evaluate as true, this will evaluate as false. So first, let's just go ahead and see if I run this: evaluate package. Okay, so this VS Code plugin has run OPA against here, and it's basically said: hey, you haven't been denied. Let's put it that way. Right now, keep in mind deny is extremely arbitrary, right. You have to keep in mind that OPA, or sorry, Rego I should say, is this general-purpose-y DSL for doing these types of queries on structured data, so how we interpret the results and what meaning deny has behind it, right, that is completely arbitrary and up to us. So if we call this "g", right, and then run the policy one more time, we're gonna see a result set with g. It's kind of a meaningless thing. And this message thing, if we get rid of it for a moment, we'll talk a bit about that. We can just run g as is without this kind of message return.
So let's go back to deny, to something that's a little bit more familiar, all right, and let's take a look at kind of what these pieces are. So this effectively would be allowed. Now what if we wanted to say, okay, inside of the deployment under metadata labels, you need to have a label called dog or pet, let's say pet for now. So what we can do here is we could say input.metadata.labels and then dog.

So basically we're saying here, if dog is not here, this should trigger, okay, or I should actually say that this block is true. So think about this for a moment: if we put true here, because we know dog doesn't exist in here, dog is not a label, right. So with true and true, okay, when we run this thing, we should get, I'm expecting a message there. Actually, "if not labels.dog", did I save that? Let me make sure I save that. Okay, I didn't save, that was about to kill my sanity for a second. In this case, we're denied, okay. And how this kind of works is we're setting this variable, right. So we got the true, we got the true. In the other case, when we got the false, I don't know if this is actually true from, like, the back end of OPA, but I kind of think of it like we stopped right here, okay, and we didn't bother going any further, because this block wasn't true. So as far as this is concerned, it's just gonna kind of, I call it exit, it's probably not the right way to put it, but it's gonna kind of exit and just be like, all right, continue on, right. But in this case we said, hey, okay, dog exists. All right, I can then go in here and run this again, and if you look at it now, this should evaluate as false, right, because dog does exist. Okay, so again, in my mind, and it might not be a technically correct explanation, it's just how I think of it, we stop here and exit. It's my very procedural programming mindset. So we shouldn't actually get a denial here in this case.

So let's go ahead and run it, and the deny array is blank. So I think the key thing to kind of drive home here is that, and we can set up a bunch of these, by the way, we can set up a bunch of these deny things and kind of create a larger block of these rules, but the key thing to understand is it's very, very generic, right. We look at some data; we just happen to be using a Kubernetes object, but this could be any JSON data. It could be any structured data that Rego or OPA can evaluate, and we're just basically checking, like, hey, is this field set? Does it have this type of field? You know, there's things in the syntax for how you can kind of iterate over certain things and look up values that you iterate over, you know, and that at that point is just kind of like a syntactical exercise. But the crux here is to know that what you're trying to do is you're trying to say, if all the things evaluate to true in this block, in our case, we will deny the message, and if any of them respond as false, we will exit. So what I'm trying to say here, in way too many words, is that these expressions are basically ANDed together, right. So the first check is ANDed with the second check, okay, and it's basically, as we continue to add expressions, it will be ANDed, and it ended wherein we either have to go all true, or if any are false, we will then again just continue on, and that's kind of it.
So
what
do
you
think
chat?
Does
that
does
that?
Are
you
kind
of
grokken
Rago?
Does
that
kind
of
make
some
amount
of
sense?
Let
me
know,
let
me
know
if
it's
still
a
little
confusing
you
can
be.
You
can
be
honest,
so
check
chat
again:
cool
cool,
yeah
Duffy
put
up
the
playground
they
have
by
the
way,
so
do
check
that
out.
A
Yeah
John,
you
see
Pascal
with
that
expression
right
all
right.
Yes,
okay,
I
didn't
catch
the
conversation
that
happened
higher,
but
Brad's
conversation
about
Pascal
wrapping.
It
is
totally
right
so
yeah
mozz
if
it
looks
confusing
initially
I,
hear
you
trust
me
like
I
struggle
with
it
too.
Don't
worry
just
keep
in
mind,
it's
running
assertions
against
structured
data
and
just
keep
telling
yourself
that
and
then
I
think
the
moment
will
come
where
it'll,
just
the
light
will
go
on.
Okay,
yeah
and
ste
s,
Steve
the
defensive
programming
model.
I!
Think
that's
a
good!
A
That's
that's
a
good
way
to
articulate
it
too.
That
makes
sense
and
policy
said
so.
I'm
gonna
you,
if
I'm
getting
it
right.
Rago
is
a
language
to
validate
JSON
and
the
validation
results
are
a
JSON
document
themselves.
Yeah,
that's
a
great
way
to
put
it
Paul
I
think
you
hit
on
one
of
the
most
important
parts,
this
output
it
doesn't
have
any
meaning
and
that's
one
of
the
beauties
of
Rago.
You
make
the
systems
that
take
this
output
and
determine
what
the
meaning
is
over
all
right.
A
So,
in
the
case
of
gatekeeper,
it
has
a
bunch
of
ways
to
actually
understand
the
result
and
then
respond
back,
which
is
super
super
slick
right
in
the
case
of
just
pure
OPA.
If
you've
ever
done
like
raw,
open
and
kubernetes
before
gatekeeper
existed,
basically,
what
we
would
do
is
the
message
we
would
respond
with
was
actually,
of
course,
I
didn't
save
it
I'm
here,
I.
Have
it
right
here,
I
think
it
was
actually
this
chunk
of
text.
A
A
So
what
we're
gonna
do
is
now
we're
gonna
build
on
this
general-purpose
thing
where
we
can
effectively
go
in
and
start
building
and
with
that,
let's
talk
about
gatekeeper,
so
I
had
mentioned
that
you
can
run
gatekeeper
and
there's
this
little
thing
called
cube,
MGMT
or
management
check
it
out,
check
it
out
on
our
other
TGI
kay,
but
long
story
short
how
that
works.
Is
it's
just
running
generic
OPA
in
cubes,
so
the
legwork
you
have
to
do
here
is
going
in
and
setting
up
the
things
to
make
the
the
response.
A
A
A
So
gatekeeper
is,
in
my
opinion
and
I've
only
looked
over
the
readme,
so
like
we'll
figure
out,
if
my
opinions
are
right
or
not,
it
seems
easier
to
deploy.
It
seems
more
kubernetes
kanae
t'v,
because
it's
driven
by
putting
the
policies
in
CR
DS,
where
last
I
checked
with
open.
When
I
was
working
with
a
customer,
we
were
actually
setting
them
up
and
config
Maps
and
having
OPA
kind
of
slurp
them
up.
A
So
in
this
case
we
got
to
use
kind
of
all
CR
D
based
flows,
and
we
also
get
to
use
this
thing
called
a
constraint
template
which
I
am
super
stoked
about
conceptually
I've,
never
tried
it
so
it'll
be
interesting
to
see
how
that
goes,
but
don't
let
those
details
get
you
too
thrown
off.
Yet,
let's
just
get
gatekeeper
deployed
to
start
off
with
so
we're
gonna
roll
in
gatekeeper
and
think
of
this
as
something
that
is
rapping
oppa
and
providing
more
kubernetes
native
functionality
with
it
all
right.
A
So let's, let's deploy it now. So, installation instructions: there is a kubectl apply. Let's start off by just getting the YAML in VS Code, just so that you all have a point in time if you're watching this video in the future. So we'll put this one in manifests. Okay, new file, this will be gatekeeper.yaml. Great. I copied the URL, of course, I'm used to wget-ing. This is where my vim workflow and my VS Code workflow is a little different, I'm sure.
A
There's ways to do that automatically in VS Code, but anyways, this is what I meant to use. So let's look at it. All right, so this is the Gatekeeper YAML. I'm just gonna... I don't think we need to go over the CRD and stuff, but let's just talk about it. So it's gonna instantiate a namespace, looks kosher. It's probably gonna set up a bunch of custom resource definitions. Looks like they generate the controller using kubebuilder.
A
That's pretty cool. If you're not familiar with kubebuilder, that's a way to instantiate controllers. And what else do we got here? Thank you, M, for clearing our chat up there. CRDs, cool cool cool, looks good, looks good, custom resource definitions, good deal. I'm just gonna find kind of the core, probably deployment. Of course there's RBAC stuff, we won't get too deep into that. There's a role binding, service, okay, so here's where we're getting into some of the meat and potatoes, right. So we deploy a service.
A
All right, looks pretty simple: it's fronting the Gatekeeper webhook, which I'm guessing is... mm. Okay, so there's a deployment called audit. Okay, yes, I remember hearing about this with Gatekeeper. I haven't actually checked it out, but I think there's two components here. Where did I put my Gatekeeper page here? Let's bring it up one more time. Nope, this is it. So there is the core, kind of, I think, I'm guessing it's the kind of webhook controller. We'll take a look soon.
A
Yes, and then there's this audit functionality, so I think that's what this is. It looks like audit is something that can actually go in and retroactively see if there's misconfigurations. Keep me honest, chat. So that's a pretty common task I get. It's like, if OPA happens exclusively, or sorry, I should just say if admission control happens exclusively at the API server level, what if something already exists in the cluster?
A
It's non-compliant, or somehow it drifts some magical way and gets away from the API server and doesn't get checked. Like, how could I go in and audit over time? Which makes a lot of sense. And another big thing with audit is like, oh my gosh, I'm scared to add this new policy in, could I audit the cluster to see what impacts it might have? And I don't know if the audit could do that use case, but that's a really common one I get with OPA all the time. All right!
A
Would audit ever act on something? Because when I hear audit I think, like, it'll tell you things are misconfigured, but I'm guessing it won't kill pods or anything, right? I'd assume so, at least. Okay, and here's another big one: validating webhook configuration. Okay, so remember when we were talking about this, we said dynamic admission control can find a way to send objects to this. Now the question is: what's Kubernetes gonna do, send every single freaking object to the admission controller, right?
A
Well, no. What you do is you configure one of these validating webhook configs, and this is basically gonna say: hey, take this object, move it through into Gatekeeper in this case. And how it does that is it'll let you choose the APIs you care about. So it looks like the default for Gatekeeper is create and update on any object. It looks like that's what it's gonna push off to the Gatekeeper controller here. All right, makes sense, so cool. All right, I think we're ready to deploy.
A
Let's see if this thing works. Again, I usually know how well TGIK is gonna go if the deployment works the first time, that's usually my best thing. So, okay, I'm gonna switch over to my terminal here. So let's do that, and let me just remind myself real quick, I know you can't see my editor, my screen. Namespace, gatekeeper-system, okay, so we'll do get po, namespace gatekeeper-system. Yeah, you're right, okay, cool, gatekeeper-system, cool.
A
So let's keep a watch on that. No resources found, okay, and then let's apply it. So we've got kubectl apply gatekeeper.yaml. No objects passed to apply. All right, Josh, what the heck did you do? gatekeeper.yaml? Oh, there's no objects in there. Again, getting used to VS Code. I think I forgot to hit save, maybe. Let's see what we got. So if I look at that there, that looks like it's got something. Okay, cool, here we go, moment of truth. Will Gatekeeper start for us?
A
So there's the audit, by the way, and we've got the controller. So let's see. Thanks, Rita, so audit does not enforce, only shows violations. That makes sense to me. Cool, aw, hey, there's a diagram, cool, yeah. There's an architecture diagram, that'd be killer. We should put it in the HackMD if you got the link handy, that'd be killer. Hey Olaf, thanks for joining us. Oleg, I don't know if you're asking that just generically or what I'm using, but I happen to be using Docker.
A
In this case, for what it's worth. Cool. Oh, ImagePullBackOff. Don't tell me we have an outage in what we're pulling the image from. Let's see, that would be pretty hilarious, wouldn't it? kubectl get pods. Oh.
A
yaml, namespace... actually, what am I doing here? I need to describe a pod. All right, so let's get the pods one more time. Cool! We'll actually do this real quick, so we'll get the pods, and we've got an ImagePullBackOff, all right, and we will describe the pods. So kubectl describe pod, namespace gatekeeper-system... let's see here, so we've got describe pod, namespace gatekeeper-system, controller, okay, ImagePullBackOff. Oh boy, Quay! What's going on!
A
Please don't tell me you're down again. How hilarious. I think they might have heard us talking about Quay earlier in the episode and we've totally screwed ourselves. All right, let's hope that's not the case. So I'm just gonna, for freshness' sake, let's go ahead and do a kubectl get. All right, let's do a delete, and by the way, Quay was down for quite a few hours last time. So if anyone knows where these images are other than Quay, you know, feel free to do some back-channeling real quick. But let's just hope.
A
This is a one-off thing. kubectl delete, delete, kubectl delete -f, and this is the Gatekeeper... you know, in the worst case we could always go look at Gatek... er, sorry, Conftest, because I have that locally, while we're waiting for it. Looks like Duffy's on it to upload elsewhere.
A
Okay, they say everything's operational, but you all are saying you're getting 500s, so it looks like, yeah, a couple of you are maybe getting a backup container image. So feel free to shoot me alternative image repos and I will swap them out, no problem at all. Cool, all right. Well, I'm glad we're all broken. That makes me feel a lot better.
A
Like Joe said, yeah, a registry being down is something we don't very commonly worry about. But all right, let's see what we got going on here. So I'm gonna lay off Quay for a second. If anyone gets other news, please don't hesitate to shoot me a message in chat. Yeah, and don't send me Bitcoin mining images, because I'm running on my own hardware and you'll have to pay my electric bill.
A
If you send me that. So, okay, I'm gonna trust the image that I get from, I guess, locking or Duffy here, whoever gets to it first. Okay! So let's talk, actually, let's talk a little about constraint templates, 'cause maybe we can tee it up and get Gatekeeper up here without pivoting too much. So, oh boy, sorry, constraint templates, okay. So again, constraint templates are something I conceptually grok, and I'm really stoked to try this out, because it seems like a pretty cool model. Now, constraint.
A
So what I really dig about this is, let's start bottom-up here. Here's the target, right, so we've got an OPA policy here, and this is what we were just looking at in VS Code, right. It's got some Rego. Again, it expresses some things. You can see here it's using that better syntax we talked about, so it's setting a variable called provided, a variable called required, a variable called missing, and then at the end here it does an evaluation, an assertion.
A
If you will, right, where it expects missing to not be greater than zero, so nothing is missing, right. And then, if it needs to fail and send this message back, right, it'll let us know: hey, you need to provide the labels. Okay. So where this kind of goes another step is, it's kind of hard to go in at times and manage, you know, these groups of labels, and also you might want to do it in more of a Kubernetes-native way. So what do the constraint templates do?
A
They actually let you define a net-new CRD to support the policy. Now, this would introduce another CRD, so there is kind of that trade-off to think about. But basically what we're able to do here is say: here's a new CRD. It looks like in this case they're calling the CRD K8sRequiredLabels, and then what you'll be able to do is actually set instances of these required-labels objects that will then be evaluated in the policy. So, to try to bring that full circle.
A
Here's an example of that. So once you put this constraint template in place, we're then able to go in and say: okay, cool, here is a label parameter for Gatekeeper, right, and we can add on to this array so that the policy can be defined in one area, and then the injection of the labels we care about can be put in another area. Which is a pretty interesting model. Like, working with a lot of orgs that I've worked with with Kubernetes, the whole policy administration thing is a little tough.
A
So it looks like some folks are working on... yeah, Paul, it's DSLs. DSL inside of YAML, it's always the best, right? Cool, okay, cool. So it looks like y'all are still getting the image sorted out. Let me give one more plug for Gatekeeper here and we'll see if you all can beat me before I'm done talking. So another really interesting thing about Gatekeeper, and I actually want to use this as an example today, is that they have started setting up a couple libraries.
A
Yeah, a couple libraries with just some policies you can kind of look at. One of the policy libraries they put together is a pod security policy library. Now, this is super super interesting. I've gotten mixed wording about the direction of PSPs overall, so I'm not gonna comment on it. I don't really have a strong feeling about it either, but in case you're not aware, there's these things called PSPs, or pod security policies, and it's one of those in-tree admission controllers.
A
What's interesting about the PSP library, and I'm stoked to kind of test this out today with you all and see if we can get maybe some of these working, is that PSPs are great, but I think I'm speaking for most of the population when I say the user experience, or UX, on them is pretty rough. And I'm not saying that's anyone's fault. It's just, like, when you pair all these complex things together, it's a little bit rough around the edges and people have a hard time understanding it. What's interesting about the validating
A
webhook controller is that if we can take the PSP concepts and put them up front in this very simple admission control, some of the UX could get better. Like, one of the things I like about this is, with PSPs a lot of times you'll go and you'll submit a deployment, right, and then that deployment will instantiate many pods that run as root. Okay, so I go in and I deploy my deployment and I'm a happy camper, and all of a sudden I'm like, oh my gosh, why am I not receiving traffic?
A
What the heck is going on? And nine times out of ten, when I work with an org, we go in assuming they just turned PSPs on, and we go in and we realize the pod is not starting, okay, and then we look into it and it's because the PSP was not allowing that pod to run as root. Which is great, but the user didn't know until they went in to kind of troubleshoot it. So what's cool about this webhook model is, I'm hoping, when I submit with kubectl,
A
it will realize: hey, Josh, you're trying to run as root. It'll push right back and tell me, as the user, even though I'm submitting a deployment: hey, I looked inside of the spec of your deployment and these containers aren't gonna be allowed in here, right. So it's kind of interesting. I do see some trade-offs here. I don't really know how this all works. Like, one trade-off I have in my head, I don't know if this is an actual problem, is like, actually, run-as-root is a great example.
A
Sometimes the container image natively sets you as a non-root user, right, and PSP is capable of understanding this. So when you submit the pod, even if you're not setting a non-root user, if the pod is gonna start with a non-root user due to the image that's stamped out, right, like Bitnami has an image for nginx, for example, and it does this, it uses a non-root user by default, the pod will still be allowed to start because it's a non-root user. I'm curious.
A
Now, there's totally arguments in both directions here, like maybe we all should be explicitly calling out what user we're running as, right. But again, it kind of shows how PSP has this super deep kind of integration and validation, and on the other hand this sounds really cool and like a way better UX, but I wonder where the gaps are, like the root user concept. So, okay, and just as I'm about to shut up, Duffy has a new thing for me.
A
So let's see if I can switch over to MCR here. Shout-out MCR for saving the day. Okay, here we go, so I'm gonna go to my...
A
Okay, Josh, where you at? Okay, here we are. So let's find every spot we have Quay. Hey, by the way, before I go too crazy, can someone validate Quay real quick? Are you still getting 500s? Could someone run a quick command and just let me know? Not that I have anything against MCR, but before mutating this manifest, if we don't have to, why not not do it? Okay, MCR, oss. I'm assuming the names are the same, but maybe I shouldn't assume that. Actually, yeah, it's not the same. Okay!
A
Let me copy the whole... wait, no, it is the same, isn't it? Okay, MCR, so it should just be prefixing MCR with oss. Okay, thanks for checking in on... oh cool, sweet, Duffy, I'm gonna assume you're not mining me and I'm just gonna use that. Okay, so we'll keep this one as is, since it's someone on the GitHub. Maybe we need an issue after this to move... I shouldn't say it, but maybe to move off of Quay, because we can't let feature TGIKs go down like this.
A
Okay, so I'm gonna apply this thing blindly and pretend that I trust him. We've worked together, Duffy, now for, what, like three, four years maybe, so I guess I should be able to randomly apply something you sent me from the internet. Okay, so let's do get pods, gatekeeper-system. Okay, let's set a watch here. All right, and nope, that's not it, that's a YouTube link. All right! Let's see, Duffy, you gave me a gist here, which I'm gonna grab, and here we go: kubectl apply -f. All right, Gatekeeper, take two, here we go.
A
Awesome, thank you. Thank you, Microsoft team, for coming in and saving the day with that. That's super awesome of you. We have a running Gatekeeper now. Okay, good job, everyone, that's killer. All right, well, see, they say these things are interactive, and it's true, because you all just saved my butt from not being able to actually try this thing out. So, great job. So let's remind ourselves where we're at, since we've done a lot of context switching here.
A
Where are you, Josh? All right, here you are, great. All right, so we are at a point where we have Gatekeeper right here, like we talked about, and we are going to be applying some policy to see if Gatekeeper can essentially validate that policy. So what do you say? Let's go right in with PSPs. Forget it, I want to do PSPs bad, we're gonna do PSPs, I just want to see what it's like. Okay, so now... darn it, Josh, what the heck did you just do?
A
Okay, that was not expected. Let's get back to the Gatekeeper repo. That's Conftest, this is Gatekeeper, all right. And they have a library, and if we haven't already, let's put the library in the notes. This is really cool that they're starting to collect some of these. Okay, so back to pod security policy as our first example. So it looks like what they've got broken up here is the different... yeah, okay, the kind of different checks you would do. We should do users, since we talked a little bit about that.
A
So they've got the Rego, which I'm guessing is just the raw Rego, customized example, constraint. Okay, great, let's start with the template. All right, perfect, yeah. So this is one of those constraint templates. Let's bring it into VS Code and look at it real quick, so we can grok what I was kind of getting at here. So, manifests, I will do user templates, let's say user.yaml, keep it super descriptive, paste that in, we'll save that, we'll go back to the top. Awesome, okay.
A
So this is a constraint template, and again, going from the bottom up like we talked about, there is Rego inside of this CRD, okay, and by the looks of it it's doing... well, let's come back to the actual logic in a second. But along with the Rego itself, it looks like it is defining a new CRD. So here's my expectation: when we apply this constraint template, I expect to see a net-new CRD called K8sPSPAllowedUsers. Again,
A
the concept here is, let's put the core logic in the constraint template, and then let's allow you to fuel that template on the basis of a list of allowed users that you specify. And I think that's a really cool decoupling there. I can see from an administrator perspective how that would be super super rad. All right, so let's see if my theory is correct, right. So we'll just watch kubectl get crds to start off with. Maybe here... no, jeez, I've already got a lot.
A
Oh, sorry, everyone, thanks for reminding me on the editor view. Here we are. Okay, so in the bottom here I have my CRDs listed, and in the top here I have kubectl apply, and we're going to apply manifests. I'm in manifests, we're gonna apply user.yaml. So let's see if the K8sPSPAllowedUsers shows up here. Something popped up. There it is. Okay, so in theory I've put a constraint template in now, and I've now got the ability to fill in the PSP allowed users, which makes some amount of sense to me.
A
So now let's take a quick look in the cluster. So we've got kubectl get constrainttemplate for the namespace gatekeeper-system. Great, okay, so we've got this in here, we've got the constraint template. Now let's go back to the browser and let's take a quick look at the constraint. There it is. So here's a constraint, I dig it. Okay, let's pull this in. All right, so from a constraint perspective, we're gonna be looking at a range. It looks like between users 100 and 200.
A
So this will be our constraint.yaml. Okay, yeah, sorry, Duffy, I knew I should use bash completion. I think I like the pain of not having it, though. So this is the thing that we're gonna feed it. Note that this is one of those custom CRDs. So again, the beauty here is, based on our organization and what our needs are, we now configure this thing independent of the logic. So in theory I can come in here and change some of these
A
values around, right, like maybe I just don't want 0, so the range is gonna look slightly different. So yeah, this is it. And it also looks like, actually, this is interesting too, I don't grok this completely, but is this somehow scoping the constraint template to say, like, hey, only, or maybe like start in the pod spec? I'm trying to grok it, because if I submit a deployment YAML, I'm trying to understand how this match field right here kind of evaluates.
A
In fact, we could probably answer that question real quick if we look in the logic the Rego goes through. Okay, so here, okay, here's what's cool. So this looks different, right, input.parameters, so I'm thinking that input.parameters probably comes from our constraint. Yes, okay, the parameters for our constraint, right. And then it's going in here and it's looking up that rule, and then, oh, interesting, input_container.
A
This line right here is confusing me a little bit, actually. So maybe, chat, you can tell me. Oh, input is the pod. What input is it? I get that input is the pod spec, but why input? It seems to have two fields on it now, right. Like, in raw vanilla Rego I'd expect input.somefield on my data, and now at the constraint I've got input.parameters, right. So where am I calling, like, input.spec blah blah? It seems to be some kind of implicit assumption about the input container. I'm
A
trying to think. Let's see here, I should check chat. This evaluates the pod objects regardless of how you deployed it, whether it's part of deployments, jobs... okay, so yeah, I dig that, Rita. That makes a lot of sense, because then I can scope it and, like you said, I get to... this was my complaint about, you know, conventional PSPs. I get to apply this to the pod spec regardless of whether it's coming through a StatefulSet, Deployments, you know, a Job, or whatever it might be. So I dig that a lot.
A
It's the same as the admission object, you can parse through that object in your Rego. Interesting, yeah, I think so. Okay, let me be super succinct about where I'm getting hung up. Where is this value coming from? I think that's the only thing I can't quite grok here, input_container. I'm probably overlooking something super obvious, but it sounds like in chat you all might be grokking it. Let's just try to apply this thing and see if it works. So I'm gonna do a kube...
A
What happens if we try to add an object? So if we go back to the browser here, I think they had an example pod, which I will happily take. Okay, so runAsUser 250? Okay, so this is out of the range, right, because our range was 100 to 250. So let's just go back here, and I'm gonna cheat for a moment for the sake of quickness, so nginx.yaml, let's go ahead and... whoops, I
A
don't have my Neovim mapped in my vim slot. Okay, so now we'll do kubectl apply -f nginx.yaml. So before I get too deep on that one, just to make sure we're all on the same page: what we're doing here is we're applying an nginx.yaml where the runAsUser is set to 250 in the security context, and our constraint here is between these ranges, right. So I would hope it will bounce back and be like, hey, Josh, can't do that thing, right.
A
So if we go in and apply it, there it is. And this is again why... let's go back to the terminal, sorry, everyone! This is exactly why this is a really really cool model from a UX perspective, right. As the user, I'm hit back instantly, saying: hey, Josh, you're not allowed to run as user 250. And that's a really really clear message for me, which I dig a lot.
A
So this is pretty cool. You know, like I had mentioned, I think what's interesting... actually, let's try this out real quick just for the heck of it. So what's kind of interesting is, if we go back to the nginx YAML real quick, and let's say that we do the Bitnami nginx image for just a second here, because I know that one doesn't run as root by default. I just want to validate that my concern about some of the lower-level details would still be there.
A
So, Bitnami nginx container image, right, Bitnami nginx container image, and if we grab this... so I know for a fact that this container image, don't hate me for using latest, I'm just gonna do it, this container image is going to use bitnami/nginx:latest. So this does not need, in my case, a security context, because I know for a fact this will run as non-root. So if we come back to the... now I've got too many editors going on.
A
If we say the min is 1 and the max is... I guess this won't actually matter, 'cause it probably will fail just because I'm not specifying the runAsUser. I'd be willing to bet it's that simple, right. So let's just make sure that I'm making a logical statement here. So if I do kubectl and I apply the constraint.yaml, now it's configured, and then if I kubectl apply the nginx.yaml... I won't actually need to make this that intricate, right, 'cause all I really needed to do here, right,
A
so I've applied the constraint.yaml, then if I go in and apply the nginx... all I'm thinking... what, it worked? That's interesting. I have no idea why it would work.
A
So if we just do kubectl... oh, you know what, I know, actually, it shouldn't matter. Okay, never mind, constraint.yaml, let's apply that, so it's configured, okay. And then, if I just check my nginx image one more time, I am not setting a user, or a security context user I should say, and I will apply nginx.yaml. Yeah, it works. Interesting. Is there any chance it's a bug in the policy? Unless it's just magically capable, because then my thought process would be,
A
if I came in here and said... yeah, I did save this, the constraint, Steve, I triple-checked that. kubectl... Maddie said kubectl get pod. I think it should just let it go, Maddie, because I don't have PSPs on. So if I come here and I say... I mean, here's a good way to check it. I'm just gonna bring the security context back in real quick and see: either it's a bug, or you're freaking blowing my mind right now, Gatekeeper. And yeah, Reed, I can show the constraint again, no problem.
A
So here's my guess, to be super honest with you, and again I might be wrong, but I'm guessing that... again, remember how we're talking about how Rego is kind of confusing, because if something evaluates as false, it doesn't work. So maybe the lack of existence of that thing is not breaking the way that it should. That's probably, I think, maybe what we're running into here. So if I just change this back to 250, right, I just want to make sure it's still failing on that case.
A
My cluster's slowing down, of course. Okay, it's deleted, give it a sec. Yeah, I'm on the same page, Steve, I would think you can't check something that's not there. Yeah, so I mean, that would be the point, though, Steve. So if it's not there and it still goes through, then it probably should be failing, I would think, right? Because if you think about running this in an org, if I was a user and just had it not include the security context in that way, that would be a thing. Yeah, now it's failing.
A
Okay, so not gonna say for sure, but we might have helped out just finding a little tiny nit that needs to happen. No big deal, we're somewhere inside of this. The lack of existence of the security context is probably letting it pass, which it probably shouldn't. And Duffy, I did check, the constraint itself is scoped on the pod, and the validating webhook, for what it's worth, is watching all objects for create and update.
A
So it's not just limited to deployments or anything like that. So yeah, I think somewhere in here, again, like I said, it probably needs to have a check that says something like... actually, maybe we could do it. I'm a little... I'm still confused by that input_container thing. Oh, these are functions. Okay, okay, all right, so these input_containers are functions. So check this out, check this out. Let's see if we could do this, this would be kind of cool, right. So what would we need to do here?
A
So input_container is going into the review object and into the containers? Okay, that makes sense to me. And then, where do I check input_container is not runAsUser? Oh, it's calling a function there. Okay, security... that's it, that's it, though, so input_container security context. What if we did something like this, where we said input_container security context not set, right? Does that make sense to everyone? Let me know if I'm doing something stupid here: input_container.securityContext.
A
So if it's not there... see, this is where Rego always gets me mixed up. If it's not there, it's gonna evaluate as true, which we don't want. So we want... wait, why is my brain getting so mixed up now? If it is here, it will evaluate okay; if it's not there, in this case it would evaluate as false, right? Do you all think the not will work, or should the not go away? I'm getting myself mixed up now, I think, but let's try it anyway.
A
Yeah, yeah, I think you're all right. It should be without not, right? Now, question for you all: I can't remember my Rego syntax offhand. Is this a good enough expression, or do I need to say something like not null or exists, or something like that? Does anyone remember offhand? If you can save me from going into the OPA docs, that would be greatly appreciated.
A
All right, so here's the logic I have. Let's talk it over one more time, if you're not exhausted by it, and by the way, someone gut-check me here if I need to say something like exists or something. I can't remember what the syntax is, but maybe this is an expression in itself. I don't know whether this statement here evaluates as true or false, but the notion that I'm going with is I'm checking for the existence of it, if it exists.
A
Long story short: if you're confused when you write Rego, don't worry, I'm confused too, but you'll get there. It's a really cool language. So let's just try both conditions. So we configured it again. Let's go back to nginx. Let's take out the security context temporarily. Okay, let's delete nginx. Oh, there is no internet. kubectl get pods, great, okay, and then let's apply nginx again.
A
Patrick: just input securityContext is sufficient. Okay, maybe you're right then, cool. All right, this will be our last try, and we'll let it be after this if it doesn't work, we'll let it be after this if it fails on us. So input_container securityContext, all right. So if securityContext is not there, our hope is it will evaluate false.
A
Which doesn't make sense to me still, logically. Anywho, all right, here we go. I'm not smart enough for Rego today, maybe another day. So we'll do a kubectl apply on the user.yaml, so kubectl apply on user, all right. We configured it, so it saw that change, that's good! Let's apply the constraint again, just for the heck of it, too. I did save this time, Duff, yes, I double-checked. We'll do the constraint.yaml, unchanged, that's expected. All right, so let's delete nginx real quick and then let's see if this works.
A
Nope, it didn't. Okay, so there's something going on here. Unfortunately, my Rego skills are failing me, but I think if I had more time to look in the docs and check it out, something about this line here could be expressed where, if securityContext didn't exist, it would actually fail. So I think that's a big one. So yeah, if anyone has any ideas, though, as far as what that would be syntactically, feel free to put it in chat.
A
We can come back to this one and look at it, but long story short, we basically put a PSP in place, so that's kind of cool. If we look at... let's go back to our constraint here, we'll look at our objects in the terminal. So we ended up with get... let's see if I can find this real quick, so kubectl get the constraint template. Actually, I have this in my constraint.
A
Alright,
my
history
is
not
shared
great,
so
cube,
Caudill
get
constraint,
template
for
the
namespace
gate
keeper
system,
so
we
put
in
this
constraint,
template
based
on
the
PSP,
allowed
users
right
and
then
we
went
in
and
we
put
in
a
constraint
for
a
specific,
specific
CRD
that
we
defined.
You
might
remember
that
CRD
was
this
thing
right
here,
so
Kate's
PSP
allowed
users
so
effectively.
A
It's super interesting. Like we said, you're introducing a new CRD, so something to think about, and that you could theoretically be introducing many new CRDs, right, but decoupling this thing with Gatekeeper is really nice. I really dig it a lot, so yeah, that's pretty sweet. Okay! So all right, well, lead, you made a suggestion about what that might be. I'll be willing to give that one more shot; I'm stubborn enough to try one last time.

A
So if we go back to user, and then we go back to the securityContext and actually turn it into an expression, and I'll use the double equals here to be ultra clear: input.container.securityContext.runAsNonRoot == true. All right, so let's save that up. Let's go back to our constraint here and apply it again, so this will be the user YAML; we'll delete the nginx pod and then see if I have any luck for a kind of final try.
A
It worked... nope, never mind, I did the wrong thing: I read a longer message than "pod created" and got too excited there. Apply... no, still didn't work. Okay, I'm giving up on that. So what else do we got going on here? So going back to Gatekeeper for a moment, I want to wrap up on some of the cool stuff here that it's got going on, and then spend a little bit of time talking about conftest before we end for the day.

A
So we deployed Gatekeeper, pretty freaking cool. It was extremely easy to set up, by the way, which was really sweet, so kudos to the team working on that. We applied just some random policy from the library and were effectively able to validate PSPs, and there's nothing stopping me from just continuing on and on and on going through all these different PSPs, right, so I could just keep adding them in and adding them in. They've also got a general section in the library, it looks like, with some more cool cases.
A
Like, you know, the one that we're oftentimes working with is the required labels use case. Get this all the time, like organizationally I want to make sure there's always these labels. You know, I want to make sure there's an owner label that tells me the email address of the person to contact if something bad happens, you know, all those kinds of custom policy things. So this is a great example of where the constraint template, I think, is super cool, which, this is the one that was in the README.

A
Isn't it? So this specifies the violation, sees if there's any missing ones out of the required ones, right, and we'll check to see if there's violations, and then, like we said, we can put the constraint in place, which will actually allow us to put in... oh, this is cool. So in one example we saw it let us put in a list of the labels, and then in this one it's also got a cool one where it's actually injecting the allowed regex.
A
So maybe you want to, like, namespace-scope all your labels; that's a great situation. So any label that's from our company, we want to make sure has a j'l bank demo prefixing it before we kind of let it fail there, or before we allow it in, I should say. So, really cool stuff. What do you all think? This is a really sweet tool. I will definitely be testing it out in some more serious environments going forward.

A
That is doing audit, which is really sweet, so like the ability to go in and kind of retroactively check if there's anything that wouldn't comply with these existing pieces. Okay, so that's kind of an interesting one. Trying to see if there's anything else. Feel free, Microsoft team, too, if you have any curiosities or things you want to call out. It looks like they've got some tracing functionality that you can turn on.
A
So maybe, if I had done my homework and read ahead, we could have traced to see where that PSP piece was maybe going wrong, but I think we're onto it. We just need to figure it out syntactically. And then I think there's a way in here where you can get some initial... some other data from, like, the Kubernetes cluster.

A
Whether I should allow, like, an ingress rule based on what other ingress rules are already being used in the cluster, right, if that makes any sense. Exempting namespaces. Oh, this is cool, so we can exempt. This is awesome, yeah, exempting certain namespaces from the admission webhook. So maybe, like, our operations namespace, right. We want to kind of keep that out.
A
Referential constraints. Okay, let me see if I can find that referential constraint. I don't know if I'm spelling "referential" wrong. Constraints, yeah, I don't... I'm not seeing the README, but I think I saw something around this. You all should check it out, if you want to kind of check out some of these different pieces. So pretty cool, okay, yeah, this is really awesome, so great work, everyone involved in Gatekeeper. It was super cool to check this thing out. I'm really excited to keep trying.

A
This... I do want to wrap up with a little bit around conftest real quick, because this is another big one that I see in the ecosystem, and I've actually used it a little bit at this point. So from a conftest perspective, this is our ability to go in and kind of use, like, a command-line tool to run these Rego expressions. Now, the first question I have, I don't know if anyone knows offhand, having come from Gatekeeper now and somewhat really starting to fall in love with constraint templates.
A
Does anyone know if there's work happening with conftest to maybe support this constraint template model? I'm trying to think if, like, because it would be really cool if there was a way to kind of interact between the two. Yeah, I guess, yeah, I think if you're doing the constraint template model, it wouldn't be too hard to just do, like, native Rego policy, but if there's a way to kind of manage one source and use it in conftest and Gatekeeper, that could be really cool.

A
Sweet, Rita said that that's interest in the community. Yeah, I would love to see that, especially, I mean, as Gatekeeper gets some more adoption. It totally makes sense. Okay, let's talk conftest real quick and wrap up for the day. What do you all say? So conftest, it's a command-line tool. It lets us run Rego policy. You might remember from before I had showed you some good old Rego inside of here, and this is basically the kind of stuff we can use conftest with, right.

A
In fact, Steve, one of our longtime listeners, hit me up because he has a repo of policies. I put them in the reference links.
A
Let's try one of these with conftest real quick. So, oops, that's not the right link. So, cleverly named "deprecation". So I looked at it very briefly, but what it looks like it does is Steve's put together some policies that are going to allow you to go in and kind of check to see whether you're compliant, and it looks like Duffy put another link in too, so maybe there's a couple deprecated things.

A
So excuse me if I'm not up to speed with what the different ones are, but since you're listening today, Steve, we're gonna plug you and try one of yours out. Okay, I don't know if this is a fork or if this is a custom-made one, what the deal is, but anywho, let's try it. So these are again more conventional-looking policies, right. So these probably look more familiar to all of us who have done Rego work.
A
We are essentially putting together these warning messages. Now again, keep in mind, with Rego "warning" has arbitrary meaning; this could say banana or puppy, right. But warn and error... is it no, warn... is it warning? Deny? I can't remember with conftest now, but warn and error, or deny, are actually interpreted by conftest, right, so it's able to know, like, oh, what this person put here is a warning, right, and then, in the deny case, it can interpret that as an error.

A
So again, the key thing is this is not meaningful to Rego, but it's meaningful to the tool that wraps OPA, in this case conftest, to actually give you legitimate results back, which I find pretty cool. So let's grab this one and see if we can make something happen, and then we'll wrap up on that.
A
You could then define all the logic that you all have here, which would be super slick, right, so that over time, rather than updating OPA policies, you're actually updating the constraint to the constraint template. So again, even this example with conftest speaks to the interesting aspects of that constraint template model, but nonetheless it looks pretty simple: we're going through, we're checking to see if we're using old versions of an API, and that's it. So looks pretty cool to me.

A
So let's see if we can make this thing work. So conftest is a command-line tool, and probably what I should get is an ingress object and then change the API version. That seems like a pretty good plan, right, so let's do kubernetes ingress YAML file, okay, and then we'll grab ingress, and ingress is now part of the kind ingress; it's no longer in that extensions subcategory.
A
So if we go back to the VS Code editor and we add in the ingress (oops, wrong window, everyone, sorry), ingress.yaml, and we paste this in. All right, so we'll test the happy path first and then we'll test the failure path. So, in theory, keep me honest here, I think that this should pass with conftest. So if I run conftest with this policy, we should be good now.

A
Oh boy, let's see, let's see if we can find this thing. It was literally called policy.rego, okay, which was in the root system, right. So I think, correct me if I'm wrong, I think we need to do this to pick it up by default without any additional flag. So we're gonna put policy.rego in the policy thing, and then here is the command-line tool conftest. Now, I guess I really should give a plug here. I know we're running low on time, but conftest is freaking awesome.
A
This person, who I can never pronounce their name correctly, I always say Gareth, I hope I'm saying it somewhat correctly. He does really cool stuff, or they do really cool stuff, in the sense that, like, if you've ever used, like, the Kubernetes YAML language server from Red Hat, if you look under the hood of the code, it's using some YAML schemas that this person has written under this person's company, I don't know who owns it, but has written automation to generate those schemas and host them.

A
So some of that work is actually what's giving us, like, Kubernetes auto-completion in VS Code and Vim through the Red Hat language server, and their work on conftest has just been freaking killer, so much so that now, and I think this might have even happened this week, someone correct me if I'm wrong, it's now part of the Open Policy Agent. So there's a couple things with conftest that I won't get into today, but just to call out one of the really cool things: these policy bundles.
A
It lets you package them up and push them out to a registry, so like we were talking with Harbor 2.0, you know. Theoretically, excuse me, if you haven't already, Steve, you can take all of these policies, bundle them up, and then just literally push them out to a registry, and then me, as a user, I can come in here.

A
Right, and I can run a conftest pull and it will actually pull down the bundle of policy that, you know, someone like Steve or someone else had set up, and actually let me run them to validate whether things went wrong. So that is such a freaking cool model, especially if you're at your organization and you want developers to be able to pull down predefined policy. Really neat, right. So I do dig that model a lot.
A
Okay, enough talking, shut up Josh, let's actually try this out, right. So, and I should show real quick, conftest help. This is the command-line tool, and this is the pull command I was talking about, by the way, so you know, in theory, they could also push the bundle up as well, which is super rad. All right.

A
Let's do this thing. So conftest, now I'm forgetting what the... okay, conftest test, so it'll be conftest test, and then, like I said, I think it'll pick up the policy automatically, and then if I just do the file now for ingress, which I put in ingress. Okay, so far so good. So I ran this test based on deprecation, and I have two tests, two tests pass. Let's see if we can see what tests would have passed here.
A
Okay, actually we can tell pretty easily, so clearly this one would have passed, right, because this would have come in and evaluated, right, and then this one up here would have come in and evaluated as well. Now let's break things. So, theoretically, oh sorry, like, I should be showing you my editor. My bad, I need to go back to them so I don't have to switch through so many screens.

A
Where is my... okay? Here we go. So we will change the API version, and sorry, I think I misspoke earlier: it's inside of networking.k8s.io now, and it used to be inside of extensions, which is where we're effectively gonna put it. So let's get rid of this? Oh boy, there we go. Okay, let's get rid of that. Let's get the policy back, policy.rego, let's get extensions/v1beta1, so I'll copy that out, go to ingress.
A
Let's put the API version here. Okay, so now I'm a developer, I've been submitting ingress objects for months or years, and, like, I'm not really thinking about what's gonna eventually happen when things get deprecated and then, past deprecation, potentially even getting removed. So why not have some checks in place that maybe warn me, right. So now that we've done this, we'll go back to our terminal, and fingers crossed, everyone.

A
We have a failure. So as a developer, you know, being in my CI system, or maybe in Gatekeeper through admission control, right, I am able to be pushed back on, saying: hey, Josh! Listen! It's doing a different API group. You know, take the time to update the API group, all right, you know, suck it up and get this done. So this is just an example of how amazing the stuff can be in this expanse, all of it. Like, we were talking about how PSPs are really reactive, right.
A
Well, we could even, if we still wanted to use PSPs on the backend until, like, maybe Gatekeeper PSP libraries mature over time, we could turn on PSPs on the backend, and then we could use the PSP library. It might need some refactoring again, because it's those templates, but we could use those in the command-line tool here, which is super slick, so developers will know before they, you know, start, you know, feeling really bad because their workload's not running in the cluster. They'll know ahead of time: hey.

A
You can't run this thing as root, right, like, and those shoutouts will come to them with feedback. It's a really slick model, so you can kind of see how some of those bits work together. All right, pausing for a moment. Everyone who's still with us, what do you think? Was this some pretty cool stuff?
A
You know, I think this ecosystem around Gatekeeper and OPA is looking really promising, and I can't wait to work in it more genuinely. So with that being said, just as a reminder, I want to say, of course, Quay's back online now. Yeah, I just want to say and remind everyone: all the diagrams, all the files you're seeing in this video, they will be committed today to GitHub.

A
So if you do want to look at them, or maybe you're like, oh yeah, that diagram, or Josh was explaining that thing, you know, maybe I just want to, like, pull it up real quick and look at it. It's obviously not an amazing diagram, but it might remind you of something. It's all there. All the files will be there as well, right. So with that being said, everyone, you still with us?
A
If you don't mind, maybe give a quick thanks to our Microsoft folks, Rita and Lucky, for sticking around and helping us out, not only helping us with learning about Gatekeeper but also saving our butts when we need it in another registry. That's pretty freaking cool, right, and thank you all for joining us. This was a super slick episode. So look for the commits in GitHub, we'll publish some more details on YouTube, and have a killer weekend. Everyone, stay safe out there, we'll see you at the next TGIK. See you later.