Description
Come hang out with Kris Nova as she does a bit of hands on hacking of Kubernetes and related topics. Some of this will be Kris talking about the things she knows. Some of this will be Kris exploring something new with the audience. Come join the fun, ask questions, comment, and participate in the live chat!
A
A
Here in Seattle, I always like to look at the mountain when I start TGIK, because I can see Mount Rainier, Tahoma as I like to call it, right out the window here, and I like to tell Charlie hi before I start my videos. But yeah, we could see the mountain today, so it was really rad. So yeah, let's do hellos. I haven't seen everyone, it's been like weeks since I've done a TGIK. I've been off in Iceland, Joe took a rad vacation down to why I'm back from Iceland.
A
It was really cool. I took a bunch of fancy pictures with my new fancy camera and we took a couple weeks off, but we're really excited to be back and, like, start a whole new year of TGIK here now that we're at VMware, which is still really exciting. It's still kind of like New Moon, a shock to me to be like, oh yeah, we're VMware now. This is awesome. So yeah, let me pull up the chat here and see what folks are saying. Oh my gosh, I, every time.
A
Okay, so every time I look at the chat after, like, doing my little intro bit or whatever, there's like a whole wall of text. I'm like, oh gosh, whatever people saying. So yeah, let's see. Olaf was our number one today, good to see you along. He says: Happy New Year and a happier to everyone who observes other nothing.
A
Gory Gregorian calendars. Alethea, no, good to see you again. Suresh, hey, joining from Hamburg. Okay, it looks like George is here at the Heptio account. George, thanks for helping us out, and also George, good to see you again. I always feel like George and I have this special moment right before TGIK where, like, I'm only streaming to him, so he gets like a private behind-the-scenes TGIK, like watches me brush my hair and get nervous. So many, wait. George says hi everyone.
A
This is George, I'll be helping Kris today and we get started in a few minutes. He says: welcome. We appreciate you joining us. Let's see, him, it says: hi George, we'll be sharing the agenda link after the session. Hameed also says story from Ireland. Good to see you, Hameed. Mark: hi, I'm Mark Stein from Sysdig, one of the elite engineers on Falco, happy to answer any questions or help out if needed. Mark, I'm definitely gonna be counting on you.
A
Thanks for joining. Roy, happy Friday from Toronto. George says, as per usual, here's our notes, so we'll pull those notes up in a second. We can look at them together. Feel free to contribute if you want to contribute notes or if you want to add links or anything. Sometimes I go off on a tangent and, folks, it's handy if you, like, want to help me out and, like, drop a link in the notes for me.
A
So I don't have to stop the stream to, like, cut over and do it. So, while V, hi from Libya. Let's see, greetings from Brunswick, Germany. I think I said that right. Mike says hello from New Jersey. Peter, happy Friday from San Diego. Dan, hello from the or C, oh I lost it, New York City. Pop rocky Jackson pop and then tan Papa Papa tree. I think I said that right. It says pop from Sysdig this. This is interesting, Dan.
A
I was trying to find your last name and I went on your Twitter and it just said pop, and I was like, I guess he just goes by pop, so we're gonna call him pop. So anyway, good evening from London. The dear, good to see you again. I want to try to do my best to imitate this CEO from Chicago. Brandon, hello, Kris, hello, Falco. Hi, Herman. Joe, Rockland, Cincinnati. Gordon, hi Kris, greetings from Houston. Let's see, we have CD a visa.
A
Vyx, I don't know. Hello from Santa Barbara. Bob, shout-out from beautiful Hollywood, new LA meetup on Spinnaker last launch last night. So I want to do a TGIK on Spinnaker. I've been thinking more and more about doing it and I think it might be fun. So maybe I continue, like, after the fact, and you can tell me how this finicum meetup was and maybe give me some ideas for doing a TGIK on Spinnaker. Joy says hello, Kris. Kristoff says hi from Düsseldorf, Germany. Let's see here, we have Rajat from Bangalore, India.
A
We have, from Leeds, big steve-o. I have no idea where that's from. Where in the world is Leipzig? Hello from Mexico, George or Jorge, I'm not sure, because we have a George that goes by, that's spelled the same way. So sorry if I mispronounced your name. Hello from Cupertino, nice ice climbing action lately. Where this Cupertino, I feel like that's, oh okay, so Cupertino is in California. I was like, wait a minute, is there like a Cupertino, Alaska or something, because I thought you were suggesting
A
There was good ice climbing there, but yeah, I've been on a big ice climbing kick lately with my fancy new ice climbing tattoo, and I think I'm actually gonna go do some ice climbing tonight as soon as I get out of TGIK, so I'm talked about that, and yeah, ice is nice. So yeah, ice climbing. Hello from localhost, so I'm assuming that engine is here in Seattle. Christophe, hello from Paris. Cornelia Davis from Pivotal, hi, nice to meet you Cornelia, my new coworker / colleague.
A
While it says yes, please, Spinnaker with happy things. Dmitriy, hello from London, and Maxim, hi from Russia. Okay, Brad. Okay, so we got through all the hellos. I'm sure people will continue to say hello, I'll come back and do more hellos in a little bit. But let's, let's just jump right in today, and look at some of the, like,
A
What's new in Kubernetes this week. And George did a lot of these, so I'm gonna be kind of looking at these live as folks at home, or, so we're gonna learn about them together, which is exciting. Okay. So, let's see, let's cut over to my screen in my face, and let's get all of this nice and buttoned up. BAM, okay, cool. Oh! So, by the way, well, we use this tool called Moom.
A
I don't know if folks have heard of it, on TGIK, and here's like the little settings for it, and that's how I'm able to, like, define, like, precise window sizes on my screen here. So if I, like, drug this over and it was like off the screen and kind of ugly, like, if you notice, I don't ever, like, try to, like, move it up here and get it just, just right.
A
We have hot keys, so I just do controls or Ctrl-O, which moves it up there, and then Ctrl-P, which resizes it, so, like, at any time I could, like, have all these things, like, out of the way and, like, bam and bam. It's, like, nice and getting pretty again. So yeah, if you have, if you want to check out Moom, it's a cool tool that makes that, like, does not mean it should make a lot easier. It's changed in my life since I downloaded it cause. That's the first tip of the day.
A
Let's see what we got going on in Kubernetes. Alright, let's scroll up. So first one, two big CVEs. So I think I read the one about the API server, so Jessie did a write-up on this. Let's see if we can find it. Oh, yes, that, this is Jessie's. This isn't the email she sent. There is an email sent to Kate of the kubernetes mailing list, which, if you're not a member of that, you can just go to, like, kubernetes-dev mailing list.
A
Let's see if we can find it here. Subscribe to kubernetes-dev. So some people call this kind of, it's kubernetes-dev. This is like the sort of, let's see what we have here: Kubernetes developer and contributor discussion. This is just like the main, like, dumping ground for all of the stuff that goes on in kubernetes-dev, and this spans a pretty big audience. So, if you ever have any really major Kubernetes questions or comments, or you really, really need some help, you're really stuck and nobody seems to know an answer,
A
This is a really good place to, like, you know, send a message in a bottle. I just hope for the best. It's pretty active, and if you subscribe to it, you can get a lot of interesting Kubernetes-y things in here. So anyway, there's a ton of these mailing lists for all the different SIGs, like there's one for SIG AWS and one for, like, SIG cluster lifecycle, and I think Jessie sent one out to the security SIGs. Let's see if we can find Google group kubernetes security, security, bam, yeah, I think this.
A
A
Anyway, let's go back and look at our link here that George gave us. So there's a bunch of SIG mailing lists, if you want to go join those, and you can go to github.com/kubernetes/community to see a list of all of them. So Jessie came in and said, hello everyone, we have this new vulnerability that we detected, and then there's an explanation of what goes on here. I haven't really read this in detail, but I do know that it wasn't nearly as severe, I
A
Don't think, Jessie can tell you much better than I can, than the big one we had a few weeks ago. But just be aware of this, and, like, these, these CVEs are, like, they happen. It's part of open source software. We're working hard to, like, work on hardening our builds and has penetration testing, and I think the more of these that we have, the more serious the community's going to start taking these.
A
So just be aware that, you know, there is an exercise of keeping up with the stuff and patching your Kubernetes clusters. So, you know, having a managed service or having some tooling in place or having some sort of subscription in place to help you when things like this happen are very helpful. So that's the first one, which affects the API server, and then the dashboard. I feel like just the dashboard in general is just basically a CVE.
A
So, if you want to come in to read more about these, come check it out. I think there's a link to a PR here where you can actually go and see the add-ons that are affected in the CVE. So two really important CVEs, and then just being aware that, like, this one is for version 1.10, so we're on 1.13 now. In fact, that kubernetes-dev mailing list I was just mentioning, I think I saw an email earlier today about 1.14. We're already on in a new version.
A
A
Also, I have a bit of a cold, so at a few points in the episode I'll probably stop and, like, and drink some club soda or some water or some Diet Coke here, so just bear with me, especially if my voice starts to go out a little bit. I'm not sure if it's a cold or if it's just allergies, but yeah, it's been a little bit rough this week. So let's see what folks are saying in the chat before we talk about 1.17. Here we have hello from London, Russia, leap.
A
Zig is a town in the South East Germany. Okay, cool. So that was a question I asked earlier. Bo Jean che, hello, Heptio. It says here the hacking denotes. If you must, it, Tim says wache, and are we going to cover the new systemd CVE as well? Hameed, no, I, I didn't know there was a new systemd CVE. Is that, I'm assuming what by a systemd you mean, that's the CVE that affects systemd only, which might trickle into being relevant in Kubernetes.
A
But if there's a CVE in systemd, like, you already have my attention. If you want to drop a link in the chat and ping me, or a link in the doc and then ping us in the chat when, once you have it there, we can take a look at it together. L'm adi, good to see you, happy Friday, and Leonardo, hi from Brazil. Okay, cool, so back to 1.13. So we're running this today, it's a new version of Kubernetes. I'm a said new episode of these.
A
It's a new version of Kubernetes, and like always, you can come in here and you can click on this and you can see the changelog here, 1.13, and this is like the source of truth for everything that has changed in this release, and you can come through and you can see changes here. So I'm wondering, do we have audit in here at all? Dynamic audit configuration, ok, cool.
A
A
I think I said that right, I guess. Well, no, the API server would be pushing. It can still, could still be considered the server. Okay, either way, there's a two people with a connection and they're sending data back and forth. So anyway, it looks like a handful of folks, me. It sucks. George me, Bismark me, mic Mila, Madi me! What's that, this!
A
So let's go to the docket camera, get a freshman piece of paper here. So basically we have the Kubernetes API server. We'll draw that up here. We'll say this is the API server, and then, you know, as he's per usual with the API server, there's like this whole big cloud of clients over here that are interacting with it back and forth, and these are like, you know, Kubernetes users or, like, you know, pods that are using the Kubernetes API. Now, tangentially to this,
A
We have this new thing called an audit stream, so we're gonna kind of draw an arrow come, you know, this way, and we're to call this an audit stream, and this is another stream of data. And of course, we all know the API server, after the CVE of last year, has a lot more than just the single connection going on.
A
There's actually a lot of connections going in and out of the API server, and it tries to do its best to manage those, but we're introducing a new one that we're calling the audit stream, and probably the easiest way to think about this audit stream is, it could actually go and it could log to, like, a /var/log directory, and it's just a stream of audit events. So literally you can set it up and you can have different log levels.
A
A
Instead of writing to disk, to actually send this audit stream to other things. Falco is one of the few projects out there that can actually absorb one of these audit streams, and you can point the audit stream in Falco and then Falco will actually go in and able to make sense of that and do all the wonderful filtering that Falco does for us and let us know if anything seems suspect and we should check it out. So that's Kubernetes auditing.
A
It tells you kind of who, what, when, where. You could write it to disk or you could point it to Falco, and with dynamic auditing, you could sort of do all that dynamically using proven on these objects. Let's see, Heptio, oh, you can find Kate's talk on KubeCon on audit logging here. BAM, so there's another good link there. So anyway, that's dynamic auditing versus regular auditing in the past.
A
Now this is a sink like a kitchen sink, like audit sink, not like a S-Y-N-C, which, as I learned today, thanks to my good colleague Patrick, it's actually a common term in big data, the word sink. So those are those things, and we'll be talking about audit sinks later. Just remember that it's sink like the kitchen sink and not like a synchronized. Okay, cool. So let's go back to our docs here. Okay, cool!
A
So 1.13.2: we can get dynamic auditing, and there's a lot of other good changes here as well, and congrats to the release team and all the folks at Kubernetes, Patrick included, who worked really hard on this release. So also there's a new 1.14 draft schedule. Let's take a look here and close some of these other things.
A
So it looks like Aaron came in and said there are some real specific things. We want to add a schedule. Let's go look at this. Looking at YAML as per usual with Kubernetes released 1.14, and then it looks like it's just some readme files and it's just got, like, a schedule line down here. So this is a really interesting, you can come in and you sort of get a source of truth and you can see.
A
So it's exciting, exciting to see how far Kubernetes has come. So going back. Kate's 13.2 is already solved that one. Draft scheduled, not final. YMMV, I don't know what that is, and everybody knows how I feel about acronyms. So if you could spell that out explicitly as not to confuse me and other newcomers who don't necessarily have all of these acronyms memorized, it would be helpful. List of videos and slides from KubeCons. So I think we looked at this a little bit last year, but okay.
A
So this is like a mapping of videos and slides. Let's see if my slides are on here, I'm curious. Kris Nova, okay. So this is like one thing that is always frustrating, is when you download the PowerPoint, like, I don't have a PowerPoint on here, but we can see. I bet my fonts are gonna be off. You, what, I don't know where, this didn't work. Either way, you can come in and you can see, but yeah, there's a, there's a Google Slides link for mine and a handful of other folks as well.
A
But if you want to come get the slides and look at the videos while you look at the slides, this could be a great learning resource. You can probably just even come here and just grep for words that you think are exciting, like here's audit logs. So, like, here's Kate's audit logs, and here's audit Kubernetes with stuff on the future, is here. So people talking about what we're talking about today, but there's videos and slides of them already, and they're probably much more rounded out than my five minutes of rambling here on TGIK.
A
Let's see, it looks like people are saying stuff in the chat. So Michael says, don't we already read that comment from Michael? Michael do see, your mileage may vary is YMMV. Best title for a talk ever, just saying. Okay, thanks, I'm gonna say pop, thanks pop. So yeah, if you want to come in, grep for words that are exciting for you, like, I bet we could even do security. Yeah, 17 talks. So if you want to learn more about Kubernetes security, come here. This is important, because these are all recent videos to kubernetes moves.
A
They would be for folks to learn that on their own, so these talks are really good because they sort of, like, speed things up for you and you're able to learn a lot in a little bit of amount of time. So that is helpful as well. So going back, let's see, another list of videos and slides from KubeCon. Okay, so we have another one. Oh, this one has emoji, so I already like this one more, and it looks like there's, like, a readme file for each one of these. So this is helpful as well.
A
A
This is brought to us by our friends at Weave, and we can go up to the main repo here, and it's basically the GitOps Kubernetes operator. For folks at home who don't know GitOps, it's basically using Git as a data store, and then this, this whole, like, methodology of using it as your source of truth and building out tooling around it as well. So that, like, events that would happen in a normal Git workflow, like pushing or pulling or, or merging those contribu.
A
Interesting and exciting things happen because of the guarantees that Git, the, the versioning tool, gives us. So that's GitOps, the operations built around the Git versioning tool, and this is just an operator that runs in Kubernetes that reconciles a lot of these things for us based on these Git events. And actually, I think already this year, I've already written a Git events operator just for an arbitrary thing.
A
So this is handy, and it's actually really powerful once you get into it, so make sure you check out Flux, and hats off to the folks at Weave for continuing to drive releases, that's really rad. Okay, so Heptio Ark 10.1 is out. Hi everyone, we've released Heptio Ark version 0.10.1 with the following changes: we fixed many o, there's a debug and installing, we have pop restore action. We have AWS signatures, fix the new line
A
Output, update, go updater change, logs, and added pprof support for the Ox Ark server and remove default token from all service accounts. Ok, so it looks like some security improvements and some other housecleaning, and then driving some more powerful features for Ark, which is everybody's favorite Kubernetes backup disaster recovery tool.
A
Also, at one point we were talking about renaming Ark. I wonder what happened with that, if we're gonna be doing that or not, but I think at one point we talked about renaming it, and it would be exciting to see which of those names. Actually, let's pull this up really quick. GitHub Ark rename. Let's see what happened with the, yeah, the issue here. I'm kind of curious which one one, where everyone has one. Yet there was a ton of comments in here. Steve Kerr's closed this two days ago. Okay, I have no idea.
A
Okay, so here's the systemd CVE, but let's first look at Crossplane. What is Crossplane? And the open source multi-cloud control plane. Oh, a diagram, I love a good diagram. Where's our one sentence description at the top? Let's see if we have anything here. Crossplane is an open-source multi-cloud control plane. That's a really good first sentence, but what does that mean? It introduces workload and resource abstractions on top of existing managed services that enable a high degree of workload portability across cloud providers.
A
SIG Apps forms to remind people about API deprecations. What's going on here? I clean up with this PRS and why we need it, switch client and test usage to apps/v1. Okay, yeah, so the Kubernetes API, there's some interesting nomenclature around how we name our API versions, and at some point it is going to make sense to deprecate older versions at the API. So, like, SIG Cluster Lifecycle does a really good job, kubeadm, about providing tooling that will do the translation from one API version to the other.
A
I actually will talk about that a little bit when we talked about how we got our 1.13.2 cluster up and running, but the Kubernetes API is evolving and, as you start to write objects and express your applications and your configurations and these form of these objects, the Kubernetes community could grow and those, those objects can then later become outdated or ultimately deprecated if you're not careful.
A
So there is an exercise that sort of keeping up with that and keeping your objects tidy, and especially keeping them defined in the most recent version possible. So this is a good reminder that Kubernetes does have backwards compatibility guarantees but doesn't always necessarily keep them around forever.
A
Okay, so next up: not all distros affected, check with your distro vendor. But let's look at the systemd CVE. So systemd, for folks at home, it's a, it's a Linux level program that's pretty fundamental to a handful, most I would say nowadays, Linux operating systems that you can go and download, and I don't want undermine it.
A
It's sort of the new, newer version of the init system. For the older Linux folks at home, if you've ever done, like, the, the init.d stuff or at the skeleton file and, like, /etc/init.d or anything like that, systemd is just like the, the new hotness that sort of solves that same problem. Let's see what folks are saying in the chat. Just saying: Falco slides are there as well. Plus one for new? Have you arc KubeCon 2019 closes soon, January 18. Steve.
A
Oh, yes, that's a great reminder: I got some CFPs I'm gonna be working on, maybe this weekend, maybe a little bit next week, but yeah, it's the KubeCon CFP is closing fast for Europe. I feel like we just got done with KubeCon North America and we're already closing CFPs for KubeCon EU. If you, if you want some help, feel free to ping me. If I can't look at it, I can probably try to hook you up with somebody else.
A
As somebody who does a lot of professional public speaking, I would say, like, my going rate is like 50/50. I submit for all kinds of conferences and I don't always get them, and there's been conferences that I've talked at, you know, three, four or five times in the past and randomly I just don't get selected. So, like, it's totally normal, doesn't matter how famous or unfamous you are, a good CFP is a good CFP.
A
Most conferences won't even show the, the name or the gender of the person who wrote the CFP, so you're totally graded on scholarly merit and nothing more than that. So, let's see, Herman says there is a system v exploits all something lately, please update people. And bear Dees says Q, Khan, and I think I said me: her name is Icelandic, so I've been working on my Icelandic. Let's see if I can say this: baddest North Pole, I think so, and I think it just means bear geese of the north.
A
Maybe the north something north, I'm sure what that means, though, but yeah. So here's the CVE, let's see what's going on here. We discovered three vulnerabilities in systemd-journald: memory corruptions and information leak and out of bounds read. Okay, so it looks like there's some memory leaking going on here, and where there's memory leak, there's usually room for a little bit more malicious behavior that folks can take advantage of, if that's something they're interested in doing. We developed an exploit CVE that obtains a local root shell in ten minutes on a 386. Okay.
A
So with the memory leak, they were able to actually gain a root shell. So this is fairly serious. If somebody is able to build a root shell out of a memory leak, systemd, you're able to go in there and basically have root on the system. So that's a little bit scary. Every time you have a memory leak you're able to sort of build a new system inside of it.
A
If you know what you're doing, and if that's running in the root namespace, then pretty much being written. So yeah, you're definitely gonna wanna upgrade systemd on your subsystems, and that's something you can talk to your friendly Linux administrators about, and I'm sure they can help you with that as well. So I would say fairly seriously of CVE here on systemd for folks at home. Okay. So let's close this and let's start talking Falco and dynamic auditing. So I think, where do we want to start?
A
We want to start with dynamic auditing and talking about that, and we want to start with Falco. Let's start with getting 1.2 13 up and running, then let's talk about Falco, and then was trying to talk about dynamic auditing and glue everything together. Badi says pretty good. Last name means northern valley. Okay, so I got the north part right, I'm getting close, and then in the, the fourth character of her name, I think it's, it's s, I want to say it. You th, and that makes us snap earth sound.
A
So that's how I got that, that interesting pronunciation there. Okay! So anyway, let's look at getting our 1.13 cluster up and running. So let's jump in my terminal here. So if we do a k get nodes first, we can see that, poof, I've already done all the hard work and I can move forward and talk about Falco and things now. But this is really important for folks at home.
A
If you are actually trying to run a 1.17 cluster, it's not necessarily as easy as you think it is, and if you want to run Falco, you can't use something like Cooper. Not using docker, because the way Falco works, you're gonna have to basically run on an authentic Linux system so that we can do the dynamic kernel module loading, and we'll get into that a little bit later. But anyway, in order for us to build our 1.13 cluster, will be pretty quick here. I'm gonna PR this to the TGIK repo.
A
After the episode, but in case we have any more notes, I'm just going to add them here. But here in episode 61 we have a lot of files that are about to get pushed up to the TGIK repo for folks at home to look at, and then here in kubicorn we can see we have two custom bootstrap scripts. So these two boot scripts, trap scripts, are what actually run with cloud-init to get our cluster up and running, and the exciting one here is master.sh.
A
A
This is substantially bigger than our last one. I think the last one was only like 11 or 12 lines, and this thing is well over 100 long, and this defines all kinds of interesting kubeadm fields and configuration, and then you can see here we inject some variables based on our system at runtime, like what's its public IP, what's its hostname, what's its private IP, so that we can do various things along the way, and then you see up here at the top we defined one point
A
Thirteen point two. Now the exciting part here: if you want to use Kubernetes dynamic auditing, or any auditing for that matter, you're gonna have to change some of the Kubernetes API server flags. So in order to do that, if you're using kubeadm, there is a really handy dandy, let's see, I think it's some prodding here, here we go, a handy-dandy extra args thing here, and this will actually define the key value pair for a flag, so, like, what would normally be cloud provider AWS, and then, you know,
A
Have this command here called k-dubb, and basically I just do this: I do an alias, kdump is equal to kubectl get all, all namespaces. If this isn't in your bashrc, it totally should be, because it makes exploring Kubernetes way easier, because you can just use grep instead of typing out these long-winded commands like get pods, filter this, that and the other. You can just use kdump, which shows you literally everything in your Kubernetes cluster.
A
In one view, and from there you can, like, grep for things, like, I want to see everything that's running in the kube-system namespace. So let's just grep for a kube-system, and there's everything running in that kube-system namespace. Okay, so anyway, we're gonna do this and we're gonna grep for a default and we're gonna show folks we shouldn't have anything running. Okay, so we have this one service, kubernetes, running here in our default namespace. That's expected, that comes with our cluster.
A
A
A
If you want to kind of fly through this part, but we're actually gonna go and we're gonna pull up the Falco docs and start looking at the various ways we can install this in Kubernetes. So we can go to github.com/falcosecurity/falco and we'll just go here and we're just gonna check out the GitHub repo. Luciano's: CM, secrets and ingress is at least or not showing that way. Eliseo!
A
So I don't really want to see those there anyway, so it actually kind of works out well for me, but thank you all easy audio in. For folks at home, CM means config map, which is just an arbitrary key value pair thing that you can do to configure various parts of Kubernetes and read that from other resources later. So anyway, here, that here is the Falco GitHub repository.
A
Let's look at our first sentence here: Falco is a behavioral activity monitor designed to detect anomalous activity in your applications. So yeah, knocking it out of the park with that really solid first sentence, and it talks about how it's powered by Sysdig's system call capture interface, and Falco lets you continuously monitor and detect container, application, host and network activity, all in one place, from one data source, with one set of rules. Okay, so, as I was on the phone with friends at Sysdig who wrote Falco, they said, I think it was Matt
A
Who said we had a really great analogy, which was basically Sysdig, which is the core of Falco. Let's pull this up here and see if we can't actually find, yeah, so here's the Sysdig repo. So this is a, this is basically what he said was: this is the tcpdump or Wireshark of syscalls. So this basically takes a syscall that anything is making on your system, pulls it in, and then adds some, like, decoration around that, and then actually can send that outwards, and we can use that for various things.
A
But all of a sudden, we started to detecting these really weird other syscalls we don't normally see, and that's a really great way of saying something's probably going wrong. Maybe we have some malicious activity. Maybe there was a bad deploy, maybe somebody's in, in our cluster that we don't know about, and this gives us an ability to sort of capture all this. The beauty of this, though, is because it's all coming from the kernel, you know that that's the source of truth and that's the most fundamental low level you're getting to. So
A
If you want to monitor the whole stack, sort of the idea here is you break everything down into its most fundamental pieces, which of course are syscalls, monitor those, and then that can start to piece together a story further upstream as you go, because no matter where you're running on the stack, it's all ultimately gonna get translated to syscalls anyway, which is pretty clever and, I think, offers a lot of value to folks who are trying to learn about things that are going on in their systems.
A
So
thanks
to
Sysdig
for
building
that
and
then
Falco
on
top
of
that
for
taking
it
a
step
further
and
giving
us
this
really
cool
rule
engine
on
top
of
it.
Okay,
so
keep
me
honest,
I
wanna,
make
sure
I
said
all
that
right
and
I
want
to
talk
a
little
bit
about
how
Sysdig
and
how
Falco
actually
interact
with
the
kernel,
because
this
was
exciting
to
learn
as
well.
So
I
think
here
is
the
kernel
module
source
code.
A
So
this
morning
I
was
like
drinking
coffee
and
I
was
coming
through
here
and
I
like
it.
Couldn't
stop
reading
these
C
files
because
it
was
actually
really
pretty
C
code
and
I
haven't
actually
seen.
C
code
documented
this
well
in
quite
some
time,
so
it
was
nice
to
come
in
and
actually
see
this
I
think
the
the
most
exciting
one
here
is
our
main.c
and
you
can
come
in
you
can
see.
A
This
is
a
huge
file
with
a
ton
of
contributors
on
it,
but
this
is
actually
a
kernel
module
that
is
loaded
dynamically
using
DKMS,
dynamic
kernel
module.
What
did
I
forget?
The
S
stands,
for
it
was
definitely
quick.
Dkms,
a
linux
support,
dynamic,
kernel,
module
support
dan
Papa
had
said
nailed,
it
mark
stem,
says
great
description,
so
if
I,
okay,
so
DKMS
allows
some
I
guess
in
order
to
talk
about
how
DKMS
is
important.
A
Let's
talk
about
the
days
before
we
had
DKMS
so
once
upon
a
time
when
you
wanted
to
add
some
functionality
to
your
kernel,
you
wanted
to
like
make
an
improvement
introduced,
a
feature
install
some
new
piece
of
something
that
was
important
to
you
or
your
company.
You
would
effectively
have
to
either
recompile
your
kernel
or
restart
your
computer.
We
all
remember
those
days
of
like
you
may
now
restart
your
computer
now,
because
we
loaded
some
change
and
your
computer's
not
going
to
recognize
the
new
change
since
whole
gets
restarted.
A
So
folks
were
getting
frustrated
with
this,
and
it
was
very
annoying,
especially
for
kernel
developers
who
are
working
on
building
this
over
and
over
and
over
again,
and
they
want
to
continually
run
it.
So
that's
where
DKMS
came
in
and
said:
ok,
let's
figure
out
a
way
to
load
these
things
dynamically.
It's
actually
pretty
complicated,
because
the
entire
kernel
is
basically
an
abstraction
on
your
hardware
and
how
you
interact
with
all
your
peripherals,
so
loading
things
dynamically
is
actually
really
complicated,
but
DKMS
gives
us
a
clean
interface
for
that.
A
So
how
we're
able
to
actually
come
in
and
load
Sysdig
and
Falco
is
pretty
cool
and
if
you,
if
we
later
once
we
deploy
falco
watch,
we
look
at
the
logs
and
you
can
see
it
doing
the
DKMS
step
where
it'll
come
in
it'll,
say:
ok
is
my
personal
kernel
module
installed?
No,
it's
not!
Let's
go
and
install
this
kernel
module.
Ok,
now
I
can
start
reading
syscalls,
which
at
first
you're
like
whoa
whoa,
wait
a
minute
you're
installing
this
kernel
module
and
it's
gonna
start
messing
with
my
syscalls.
A
But
if
you
think
about
it,
all
we're
really
doing
is
reading
your
syscalls
and
we're
not
actually
able
to
go
and
execute
any
of
those.
So
it's
kind
of
a
read-only
way
of
just
parsing
them
and
then
gaining
other
arbitrary
information.
That's
going
on
in
the
system
and
mapping
that
to
the
the
time
you
know,
this
is
call
event
as
well.
A
A
Ok
cool
so
anyway,
syscalls
are
exciting,
DKMS
is
exciting,
and
that
is
how
we're
able
to
load
Falco
dynamically
syscalls.
Let's
try
to
keep
it
appropriate,
please
very
just
so
anyway,
thanks
to
our
friends,
okay,
we're
here!
So
oh
and
there's
a
link
to
DKMS
here
as
well.
Dynamic
kernel
module
support.
So
this
is
the
Wikipedia
article.
If
you
want
to
kind
of
read
about
it:
okay,
cool!
So
let's
get
Falco
up
and
running.
A
So
if
you
come
through-
and
you
read
through
here,
it
kind
of
talks
about
like
what
kind
of
behaviors
can
Falco
detect
a
shell
running
inside
of
a
container.
This
will
probably
be
the
first
one
we
demonstrate
and
there's
a
handful
of
other
ones
here,
like
unexpected,
read
of
a
sensitive
file.
So
every
time
you
do
a
read
on
a
unix-like
file
system,
there's
a
syscall
called
read.
That
is
basically
how
you
would
tell
the
kernel.
A
A
So
this
is
a
real
common
practice
and
this
is
sort
of
like
where
the
Trojan
horse
story
comes
from
like
getting
a
piece
of
software
that
you
think
is
safe.
Somebody
comes
in
and
swaps
it
out
when
you're
not
looking
or
something,
and
then
I
can
actually
go
and
do
malicious
things
later.
So
this
is
a
really
cool
that
we
can
start
to
detect
things
like
this
with
Falco.
Ok,
so
we
come
here
into
integrations
directory
in
falco
and
you
can
see
we
have
a
couple
of
different
things
we
can
install
here.
A
The
one
that
we're
going
to
be
installing
today
is
called
k8s-using-daemonset.
So
we
come
in
here-
and
we
have
this
readme
here,
and
this
is
going
to
talk
about
getting
Falco
up
and
running
and
then
also
connecting
it
to
slack,
which
I
don't
have
a
really
good
I
like
I,
don't
have
root
on
any
of
our
slack
servers,
so
I,
don't
think
I'll
be
able
to
connect
it
to
slack
today.
A
But
if
you
have
a
slack
server,
you
can
play
with
it's
pretty
easy
here
as
we
go
through
the
docs,
all
I'll
mention
it
and
you
can
figure
out
how
to
connect
Falco
up
to
your
slack
server
so
that
if
something
like
foolishest
does
happen
or
if
there's
some
sort
of
weird
anomaly
in
your
in
your
system,
you'll
get
a
friendly,
slack
message.
That's
like
hey
by
the
way.
I!
Don't
know
if
you
notice
this,
but
the
ls
program
is
like
sending
all
your
secrets
out
to
this
like
weird
address.
A
On
the
other
side
of
the
world,
you
might
want
to
go
check
that
out
so
example:
daemon
sets
using
Sysdig,
so
we're
gonna
do
k8s-with-rbac
and
we're
gonna
try
to
look
at
these
these
resources
as
we
go.
So
what
we
want
to
do
is
we
want
to
make
sure
we
clone
our
directory
or
a
clone
our
repo
and
then
move
into
that
directory.
A
So
if
you
go
back
here
to
the
TGIK
repo,
you
can
see
that
I've
kind
of
pulled
a
lot
of
these
configuration
bits
out,
move
them
into
the
TGIK
repo
and
tweak
them
a
little
bit
so
that
we're
actually
able
to
do
some
cool
things
today.
So
we're
in
go
back
to
github.com/heptio/tgik/episodes/061,
and
you
can
see
here.
We
have
k8s-with-rbac
just
like
we
had
here
or
k8s-with-rbac
here
and
I've.
A
Just
done
some
of
the
steps
for
us,
so
we're
gonna
be
using
this.
So,
let's
see
Dan
says
any
webhook
can
be
used
for
notifications.
We
have
a
workflow
in
our
commercial
tools,
Sysdig
Secure,
which
uses
OSS
Falco
as
a
basis
rules
wise.
Okay,
thanks
for
pointing
that
out,
I
really
like
calling
you
pop
I'm,
just
gonna,
keep
calling
you
pop
and
like
can
we
just
change
your
name
so
like
all
caps
pop,
because
this
is
a
lot
of
fun
now
so
in
here.
If
we
go
to
k8s-with-rbac,
you
can
see.
A
We
have
a
lot
of
interesting
things
already
created
for
us,
and
most
of
these
are
just
copied
over
from
the
repo
I'm.
Just
keeping
everything
in
one
place.
That
I
read
me
is
nice
and
easy
for
folks
at
home
if
they
want
to
go
through
the
readme
steps
that
we
have
in
me,
the
TGIK
readme
file
there
for
episode,
61,
okay,
so
first
things.
First,
let's
see
what
the
docs
say.
We
do
first
integrations.
A
Okay,
it's
using
daemon
set
with
RBAC;
oh
that's,
just
the
directory.
Okay,
so
first
things
first
deploying
Kubernetes
with
RBAC
enabled:
kubectl
create
-f
k8s-with-rbac/falco-account.yaml.
So
there
should
be
all
of
our
RBAC
rules
here.
So
let's
cat
this
out
and
take
a
look
at
it,
falco-account.yaml.
So
that
starts
here.
A
A
It
can
access
nodes,
namespaces,
pods,
replication,
controller
services,
events
and
config
maps,
and
we
can
do
get
list
and
watch
so
we
basically
have
read-only
on
those
non
resource
URLs
we
can
get
/healthz
and
anything
under
/healthz
and
we
can
do
get
on
those
as
well,
so
pretty
basic
cluster
role
here
and,
of
course,
we're
going
to
map
that
back
up
to
our
Falco
account
cluster
role
using
our
handy
dandy,
cluster
role
binding
and
remember:
we
talked
about
these
a
few
episodes
ago.
Role,
bindings
and
cluster role
A
Bindings
are
basically
like
the
xref
or
bridge
tables
of
Kubernetes
RBAC
rules
and
they
disallow
you
to
map
the
various
roles
to
various
accounts,
or
users.
So
that's
handy
so
we're
doing
cluster
roles
here
which
have
slightly
a
broader
scope
than
just
regular
roles.
So
you
can
either
do
a
cluster
role
or
a
role
and
cluster
roles
give
you
access
to
cluster
level
primitives
like
node
information
that
you
wouldn't
be
able
to
get
with
just
a
role
which
is
tied
to
a
specific
namespace.
A
So
this
is
interesting,
so
we're
able
to
actually
span
a
little
bit
more
using
this,
RBAC
set
up
with
Falco
here.
So
let's
see
what
the
docs
say
to
do
next,
okay!
So
next
we
want
to
copy
these
Falco
YAML
rules
into
this
directory
called
falco
config
and
then
we're
gonna
actually
go
and
look
at
these.
So
this
is
where
I'm
going
to
be
kind
of
counting
on
our
friends
at
Sysdig
to
talk
about
these
rules
and
kind
of
why
they're
important-
and
maybe
we
can
find
some
documentation
on
it
too.
A
A
Okay,
so
commentary
commentary
rules
file;
okay,
so
we
have
/etc/falco/falco_rules,
falco_rules.local.yaml,
rules.d,
json_output,
so
this
just
basically
to
me,
looks
like
a
configuration
file
for
a
service
and
I'm,
assuming
that
this
is
the
good
beer
config
that
we're
telling
Falco
to
run
with
so
Falco.
This
is
a
really
good
point.
While
we're
on
the
topic
here?
A
Falco
doesn't
have
to
run
in
kubernetes,
we're
running
it
in
kubernetes
today,
because
they've
done
a
lot
of
work
with
the
audit
stream,
so
that
we
can
do
some
exciting
things
with
triggering
on
audit
events,
but
you
can
run
Falco
on
pretty
much
any
Linux
system
or
you
can
even
run
Falco
in
a
container
and
it
runs
just
like
athletic
service,
which
is
where
we
get
this
configuration
file
from
and
you
can
come
through
and
you
can
define
various
configuration.
That's
for
the
Falco
service.
A
Now,
a
lot
of
the
Kubernetes
YAML
that
we're
getting
ready
to
look
at
is
going
to
bundle
all
of
this
up
and
make
some
assumptions
for
us
so
that
we
can
sort
of
easily
deploy
it
to
kubernetes
and
it'll
start
monitoring
our
host
system
syscalls.
So
this
was
like
something
I
when
we
were
on
the
phone
with
Sysdig
That
I
was
like
wait,
did
I
hear
that
correctly
and
they
were
like
yes,
this
is.
This
is
exactly
what
happens
within
the
context
of
a
container
we're
able
to
dig
down
to
the
hosts
kernel
grab.
A
Those
syscalls,
map
them
with
other
arbitrary
information
all
through
a
dynamically
loaded,
kernel,
module
things
Sysdig
and
then
spit
that
back
up
to
Falco
and
then
take
it
a
step
further
and
iterate
on
those
and
run
them
against
rules
and
through
a
filter
and
actually
figure
out.
If
anything,
weird
is
going
on.
So
that's
pretty
cool.
So
here
we
have
but
four
outputs
I'm
not
going
to
go
through
and
read
all
this
we
have
looks
like
we
have
bursts.
A
A
This
is
going
to
be
a
tongue
twister
falco_rules.local.yaml,
okay.
So
let's
cat
this
thing
out:
local.yaml
and
I
have
a
feeling.
This
is
gonna,
be
pretty
big.
No,
it's
not
that
big!
Okay.
So
your
custom
rules
go
here.
So
if
you
wanted
to
come
and
start
writing
your
own
custom
rules
using
the
Falco
rule
engine,
you
could
come
to
do
that
here
and,
let's
just
see
what
this
says,
it
says.
Add
new
rules
like
this
one.
A
Okay,
so
we
would
say
rule
the
program
sudo
is
run
in
a
container
description
an
event
will
trigger
every
time
you
run
sudo
in
a
container
condition
evt.type
equals
execve,
and
it
looks
like
there's
like
some
interesting
operators
here
and
container
ID
is
not
equal
to
host
and
proc
name
is
equal
to
sudo,
so
you
can
actually
go
and
you
can
define
a
condition
which
I
think
is
like
this
is
just
sort
of
like
what
happened.
This
is
some
sort
of
event
like.
A
If
this
condition
is
meant
to
be
true,
then
we
do
this
output
here,
which
is
actually
what
the
Falco
logs
would
output.
Then
you
could
take
and
do
whatever
you
want
to
with
which
says
sudo
run
in
a
container
and
then
it's
going
to
give
us
our
username
and
our
container
info,
our
proc
name
and
maybe
the
command-line
command.
That
was
actually
tight.
We're
going
to
say
this
is
a
priority
ERROR
and
we're
gonna,
give
it
a
handful
of
tags
that
we
can
use
for
our
arbitrary
reasons
downstream
later.
A
A
Falco
rules,
files,
a
YAML
file
containing
three
elements:
rules,
macros
and
lists.
So
I
think
we
just
looked
at
a
rules,
file
and
yeah.
Here's
what
a
rule
is
defined
as
you
give
it
a
short,
unique
name,
the
condition
that
we
just
talked
about
and
I
think
these
are
all
different
things.
You
can
define
a
rule
and
it
looks
like
there's
this
filter
syntax.
You
can
learn
using
the
Sysdig
filter,
syntax,
which
is
so
ok.
This
is
a
system
level
thing.
So
what
I'm
learning
is?
A
If
you
want
to
be
really
fluent
in
Falco,
you
better
also
probably
pick
up
a
book
on
Sysdig
as
well,
because
you're
going
to
be
like
writing
rules
against
Sysdig
filters.
As
we
start
looking
at
various
syscalls
that
are
coming
through
our
system.
Ok,
so
I'm
not
going
to
go
super
deep
into
writing
rules
I'm,
mostly
just
going
to
look
at
the
ones
that
Falco
ships
with
by
default,
so
mark
stem,
says
I
added
a
link
to
the
Falco
wiki
page.
You
just
found.
Thank
you.
Mark
I,
really
appreciate
when
folks
do
that.
A
That's
really
helpful.
Ok,
so
we
can
append
list
rules
and
macros
and
really
quick
friends
at
Sysdig.
What
is
the
difference
between
a
list,
a
rule
and
a
macro?
Let's
see
if
I
can
figure
that
out
way,
we
wait
for
the
stream
to
ask
you
to
see
if
you
have
a
good
answer
for
me.
If
you
use
multiple
Falco
rules,
you
might
want
to
append
new
finds
Heptio
says
this
is
George
I
need
to
leave
but
feel
free
to
create
something
links
to
the
notes
talked
and
will
continue.
A
First
thing
on
Monday
thanks
for
joining
George
thanks
for
helping
us
out,
it's
always
good.
It's
always
great,
because
I
get
to
spend
my
Friday
afternoons
with
George
and
then
I
get
to
see
him
go
home
and
I'm
like
ok
novo.
You
only
got
like
another
hour
before
TGIK
is
done,
and
then
we
can
start
wrapping
up
for
the
week,
so
it's
always
really
exciting.
A
So,
let's
see
here,
it
looks
like
we
have
macros
defined
conditions
rules.
A
rule
is
a
node
containing
the
following
keys
and
those
are
the
keys
we
just
looked
at
so
a
macro,
as
noted
above
macros
provide
a
way.
Where
is
it
noted?
I,
don't
know,
provide
a
way
to
define,
come
and
sub
common
sub
portions
of
rules
in
a
reusable
way.
Mark
Stone
says
a
list
is
the
list
of
terms
macros
conditions
snippet
that
can
be
used
in
rules.
A
Yeah
I
was
exactly
right,
so
there's
just
a
macro
is
just
a
way
of
bundling
up
a
commonly
used
condition
or
set
of
conditions
so
that
you
can
use
them
in
various
rules.
Ok,
so
that
makes
a
lot
of
sense.
So
if
you
want
to
come
through
with
Falco,
learn
about
these
feel
free
to
come,
learn
and
then
also
Falco,
but
the
YAML
that
we're
about
to
look
at
ships
with
a
bunch
of
these
already.
A
So
you
can
probably
do
a
little
bit
of
inferring
and
getting
some
context
clues
and
maybe
tweaking
some
and
borrowing
some
ideas
that
the
folks
at
Sysdig
you've
already
done
for
us.
So
let's
look
at
some
of
those
actually.
So
let's
go
back
to
our
terminal,
come
in
here
and
let's
cow
cat
out
falco_rules.yaml.
A
So
this
is
the
big
one
yeah.
Let's
go
all
the
way
up.
So
there's
a
lot
of
rules
in
here
and
look
it
actually
overflowed
my
terminal
buffer.
So
we're
not
even
to
be
able
to
look
at
all
these.
But
that's
okay,
because
there's
going
to
be
a
lot
here
and
it
looks
like
we
have
like
definitions
for
like
MySQL,
okay,
so
if
product
name
starts
with
or
if
the
proc
name
is
in
start-mysql.sh
or
run-mysqld
or
proc.pname
equals
start.
A
mysql.sh
and
fd.name
starts
with
/etc/mysql
or
I'm,
assuming
f
DS
file.
Descriptor
directory
is
equal
to
/etc/my.cnf.d,
okay.
So
basically
what
I'm
seeing
here
is
a
lot
of
these
like
proc
FD,
there's
another
one
here:
proc
P
name
the
if
you've
ever
looked
at
syscalls
before
these
are
very
familiar
things
or,
if
you've
ever
got
an
strace
before
you've.
A
Probably
seen
these
these
very
special
types
of
words
and
I'm,
assuming
this
is
just
a
type
of
an
event
coming
off
of
a
syscall
that
we
can
now
trigger
on.
So
basically
it's
saying
like
hey.
If
there's
a
file
descriptor,
that's
open
for
/etc/my.cnf.d
we're
probably
going
to
want
to
know
about
it.
So
this
is
the
condition
here,
so
you
can
come
through
and
start
writing
a
lot
of
these,
and
you
know
I
just
happen
to
know
MySQL
really
well.
A
So
this
kind
of
makes
sense
to
me,
but
you
could
go
through
and
maybe
borrow
this
and
set
it
up
for
you
and
your
team's
service
or
various
other
services
that
you
might
be
interested
in
running.
But
it
looks
like
we
already
have
a
lot
here.
Look
we
have
httpd,
which
is
the
a
server
Redis
openvpn.
We
even
have
good
old,
PHP
handlers,
good
old,
pre,
hypertext
processing
language
sed
writing
temp
file.
Oh,
we
even
alert
if
somebody
writes
a
temp
file
with
sed
I
want
to
see
this
now.
A
Cron
Start
starts,
which
I
see
security
said
okay.
So
if
somebody
starts
setting
our
/etc/apt/sources.list.d
or
conf.d
like
we
want
to
know
about
it,
so
that
means
that
they're
mutating
our
repository
information,
which
means
they're
changing
where
we're
downloading
things
from
which
means
we
might
be
accidentally
downloading
malicious
tools
without
knowing
about
it.
So
it
looks
like
they've
gone
through
and
done
some
pretty
thorough
rule
writing
for
us
and
we
kind
of
get
that
for
free.
So
this
is
pretty
handy,
and
this
is
a
really
great
way
to
start.
A
Okay,
thank
you.
Mark
stem,
so
we're
not
going
to
spend
a
ton
of
time
looking
at
these
rules,
but
it
looks
like
there
is
quite
a
few
of
them
and
we're
just
going
to
sort
of
take
their
word
for
it
and
install
these
and
see
if
we
can't
get
some
some
triggers
going
or
to
trigger
something
just
by
doing
some
malicious
things.
A
In
a
container
downstream
and
I'll,
probably
just
try
for
a
few
minutes
just
like
see
if
I
can't
get
around
it
or
something
or
kick
off
an
alert
message
and
we'll
see
if
Falco
can
pick
it
up
as
I'm
sort
of
being
a
malicious
leader
and
I
don't
want
to
like
give
away
like
I.
Don't
wanna
spoil
any
of
the
secrets
by
looking
too
hard
into
what
the
rules
are.
A
I
just
want
to
see
if
they're
gonna
pick
up
anything
that
I
think
would
be
relatively
normal
for
somebody
who
is
trying
to
be
invasive
to
do.
Okay,
so,
let's
get
out
of
here
and
let's
go
back
to
our
Falco
document
now
and
let's
see
where
suppose
that
happened,
it
was
here
okay.
So
that's
basically
what
we're
copying
over
with
these
two
commands
and
I
already
went
and
did
that
and
those
are
the
files
we
looked
at
and
then
it
says
if
you
want
to
come
in
here
and
you
can
change
this
program
output.
A
A
A
So
the
next
step
is
you
want
to
create
this
config
map,
so
we're
going
to
take
all
of
that
YAML
we
just
like
that.
So
this
is
the
configuration
file
for
Falco,
the
the
local
rules
that
you
would
go
in
to
find
and
then
the
default
rules
that
Falco
has
already
set
up
for
us
and
we're
going
to
bundle
all
that
up
into
a
single
config
map
and
we're
gonna
do
that
with
this
command
here.
A
So
let's
do
from
config
map
and
let's
go
ahead
and
let's,
let's
see
where
are
we
print
working
directory
go
up
here
and
let's
go
ahead
and
run
this
create
config
map
k8s-with-rbac
there
we
go
now.
Let's
try
this
kubectl
create
config
map,
configmap
falco-config
created
so
k
get
cm
and
we
can
do
a
-o
yaml
on
that
and
actually
see.
This
is
gonna
be
huge,
but
wow
we
have
all
of
the
YAML
we
just
looked
at
running
up
in
kubernetes
now,
so,
let's
clear
a
screen.
Okay.
A
So
now
we
have
our
config
map
up
and
running
and
next
let's
do
a
kubectl
create
-f
k8s-with-rbac/falco-daemonset-configmap.yaml,
copy
that
come
here.
Actually,
let's
look
at
this
first
I
want
to
make
sure
that
we're
not
doing
anything.
We
don't
want
to
do
so.
Let's
do
cat
k8s-with-rbac/falco-daemonset-configmap.yaml.
A
Nope,
where
do
we
want
to
go
right
here?
So
here's
our
cat
and
API
version
kind
DaemonSet,
it
gives
a
name.
The
app
is
called
demo
which,
if
we
want
to
try
the
service,
we're
gonna
want
to
remember
that
down
the
stream.
We
have
a
spec,
it's
gotta
have
some
labels.
It's
gonna
be
called
demo.
It's
gonna
map
to
our
service
account
that
we
created
earlier
called
Falco
account.
The
first
container
we
see
here
is
going
to
be
called
Falco,
its
falcosecurity/falco:latest.
A
So
this
is
just
Falco
over
any
name
container,
so
you
could
actually
do
a
docker
run
on
this
or
a
docker
pull,
and
you
could
actually
run
this
on
your
local
filesystem.
If
you
wanted
to
try
to
get
Falco
up
and
running
there,
we're
running
in
privileged
mode
which
I'm
assuming
that
means
we're
running
with
elevated
privileges,
we're
gonna
give
it
a
handful
of
args,
like
our
service
account
token
that's
going
to
come
from
/var/run/secrets
and
they're
gonna
mount
various
things
onto
the
the
Falco
container.
Here
this
is
exciting.
A
I
didn't
realize
this
was
a
thing,
but
we're
actually
mounting
the
docker
socket
into
the
Falco
container.
That's
pretty
cool!
If
you're
familiar
with
how
docker
works,
the
docker
socket
is
like
it's
like
the
equivalent
of
like
the
gates
of
Hell
to
docker.
It's
like
the.
This
is
the
main
thing
you
can
interact
with
to
totally
mutate
containers
on
your
file
system.
A
So
we're
mounting
that
so
we're
basically
giving
Falco
here,
not
necessarily
root,
but
we're
giving
it
direct
access
to
the
docker
socket
and
depending
on
how
we
have
doctors
have
Falco
might
be
able
to
do
some
interesting
things.
Let's
see,
intercom
says
try
to
deploy
the
image
into
such
indicates,
and
it's
failing
interim
a
B.
You
could
drop
a
little
bit
more
information
and
the
github
issue
and
throw
the
issue
in
our
markdown
file
to
see
if
anybody
on
the
the
call
with
us
today
can
check
it
out.
A
Okay,
so
keep
going
down
we're
running
out
of
time,
so
I'm
gonna
start
speeding
up
just
a
little
bit.
We
have
some
more
volumes
to
find
here.
Here's
our
doc
docker
socket
again
we're
gonna,
grab,
/dev,
/proc,
/boot,
we're
even
grabbing
our
module,
/usr,
okay,
so
we're
pretty
much
grabbing
the
entire
UNIX
and
if
you're,
if
you're
a
UNIX
nerd
like
me,
you
see
things
like
/proc
and
they're
being
mounted
into
a
container
and
you're
kind
of
like
oh
gosh,
oh
golly,
that's
a
little
bit.
A
Scary
/proc
is
a
very
special
directory
in
UNIX.
It's
actually
not
even
a
real
directory
at
all,
and
it
contains
really
really
valuable
information
about
all
parts
of
your
system,
all
the
way
down
from
the
kernel,
all
the
way
up
to
user
land
and
depending
on
what
you
do
in
that
directory.
You
have
the
possibility
to
really
make
some
interesting
and
possibly
vulnerable
changes
on
your
system
just
by
like
changing
certain
files
and
creating
files
and
deleting
files
and
changing
values
like
changing
zeros
to
ones
and
stuff.
A
So
you
can
go
through
and
read
more
about
proc,
it's
pretty
complicated,
but
it's
just
one
of
those
things
that
if
you're
messing
around
in
the
proc
directory,
you
better
know
what
you're
doing
and
usually,
if
you're
gonna
have
a
bad
day.
Okay,
so
/usr,
that's
most
of
our
configuration
stuff,
/boot,
how
our
systems
booting
and
dev
all
of
our
devices.
So
we
get
a
lot
of
information
coming
into
this
container
and
let's
go
ahead
and
let's
get
this
up
in
running.
So
let's
get
our
copy
command
here.
A
Okay
Falco
created
so
now,
let's
do
a
k
get
po,
Mark
Steyn
says
we
do
mount
a
lot
of
a
lot
most
of
that
stuff.
Read-Only.
Okay.
Mark
brings
up
a
good
point,
which
is
that
that
stuff
is
read-only,
so
we're
not
gonna
be
able
to
make
a
lot
of
those
changes.
We're
just
going
to
read
from
it
just
giving
folks,
mostly
just
things
to
think
about,
but
good
call
for
pointing
that
out
mark.
We
do
appreciate
it:
okay,
k
get
po:
no
resources
found,
let's
see
what's
going
on
here.
A
Let's
make
sure
all
of
our
nodes
are
working
okay,
so
we
have
two
ready
nodes.
So
let's
do
K
get.
We
know
what's
running
as
a
daemon
set,
so
we
can
do
ds
for
short
Falco
0
available
0.
What
is
going
on
here,
kay
dumb
crap
defaults,
not
K
done.
That's
how
I
feel
today,
though,
ok
dumb,
ok,
so
we
have
a
daemon
set
and
that's
all
we
have.
Why
is
that
not
creating
any
K
edit?
What
was
the
name
of
our
DaemonSet?
Katie,
yes,
I
Falco,
okay,
get
ds
Falco
-o
yaml.
Let's
see!
A
What's
going
on
here,
Falco
DaemonSet:
what's
our
status,
current
number
scheduled
number
zero?
Why
are
we
not
scheduling?
We
have
a
node,
that's
ready,
but
no
pods
did
we
skip
a
step.
Maybe
let's
see
what's
going
on
here,
so
we
did
RBAC.
A
Let's
just
make
sure
we
ran
all
this
stuff
and
then,
if
not,
we
can
go
to
my
cheat
sheet
and
see
if
there's
a
stuff,
I
skipped
or
something
else,
I
added
in
there
that
okay
yeah,
that
was
that
we
didn't
apply
RBAC
okay,
I
see
what's
going
on
kernel
dev,
headers,
nope
I
think
it
was
just
I
didn't
actually
installed.
The
RBAC.
I
will
use
all
the
config
map.
So
let's
try
this
now
or
maybe
still
pulling
so
now.
Let's
do
K
get
demon
set
can
get
P.
A
Oh,
should
we
skip
another
step
if
I
skips
down
one
I
wonder
if
we
also
skipped
I'm,
pretty
sure
we
did
the
config
map.
I
remember
doing
this
kubectl
create
can't
figure
out
yeah
cuz,
we
looked
at
it
afterwards.
Let
me
restart
this
I.
This
DaemonSet
and
see
what
we
can
get
here.
So
it
was
K
applied,
F
DaemonSet
I
can
just
do
this,
K
delete,
f
k8s-with-rbac
Falco
daemon
set.
Do
you
do
and
then
let's
do
an
apply
again
know
that
RBAC
is
in
there.
A
Okay
get
yes
yep
there
we
go
that.
Did
it
up-to-date
one
desired
one
curtain,
one
okay
cool
so
now,
I
bet.
If
we
do
a
cake,
it
do-do-do-do
yeah,
there's
our
Falco
pod,
okay
Brad!
So
let's
look
at
the
Falco
pod
logs
and
see
what's
going
on
here
earlier,
I
had
mentioned
we're
actually
going
to
be
able
to
see
that
DKMS
kernel
module
loading.
So
let's
see
if
we
can
try
to
find
that
so
I'm
gonna
do
K.
A
Logs
name
of
our
pod
will
do
f
for
good
measure
and
let's
see
what
we
have
going
on
here:
okay,
so
it
setting
up
user
source,
its
unloading,
Falco,
probe,
kernel
preparation
unnecessary
for
this
kernel,
because
I
already
did
it
earlier,
but
the
kernel
modules
already
loaded
they've
already
ran
I
felt
going
this
cluster
beforehand.
But
if
it
wasn't
loaded
now
it
would
use
DKMS
and
do
I
do
any
omit
kernel
module.
No,
so
that
we
can
actually
start
parsing
these
syscalls
and
it
comes
in
and
it
like
bootstraps
itself.
A
It
checks
looks
like
we
have
a
few
errors
here,
but
nothing
too
crazy
to
concern
ourselves
with
I.
Don't
think,
read
only
file
system,
which
is
good
and
it
says,
trying
to
load
a
DKMS
falco
probe
if
present
and
it's
loading,
our
rules
that
we
looked
at
earlier
from
the
config
map
that
have
since
been
mounted
into
the
pod
and
now
we're
listening
here
on
port
8765.
A
Let's
see
people
are
saying
stuff
in
chat,
curdled
of
headers,
maybe
still
pulling
and
describe
the
pod
Oh
Patrick
join
Patrick
yay
Patrick's,
one
of
my
really
good
friends,
I've
known
him
for
about
ten
years.
We
work
together,
and
this
is
the
first
time
he's
ever
joined
me
on
TGIK,
thanks
buddy.
So
anyway,
Nicholas
says
taints
and
tolerations,
maybe
mark
stem
says
those
errors
are
ok.
Okay,
thanks
mark
okay.
So
let's
try
to
do
something:
malicious
and
smooth
Falco
desk
just
out
of
the
box.
A
A
Okay,
so
let's
k
get
po.
Let's
grab
the
name
of
our
Falco
pod
Patrick
says
hola
Marc
says
you
want
to
add
k8s
audit
rules
like
yeah
most
they
can
fit
me
out
to
get
the
rules
specifically
for
k8s
audit
support
did
I
not
copy
k8s
rules
over.
Where
are
those
at
and
well.
We
can
get
those
here
in
a
second
whatever
we
do.
A
Audit
I'm
gonna
try
to
speed
things
up
here
because
we're
already
in
our
in
ten
minutes
since
the
episode
but
I
want
to
show
Falco,
and
if
we
can
talk
even
just
holistically
about
the
dynamic
auditing
bit
and
how
that
works
with
Falco.
We
can
do
that
a
little
bit
at
the
end.
So
let's
do
let's
try
to
exec
into
this
pod,
so
the
documentation
says
even
exec-ing
to
the
pod
alone
should
be
enough
to
trigger
trigger
a
Falco
event.
A
So
let's
go
ahead
and
let's
do
k
exec
-it,
Falco
and
we'll
just
run
bash
in
here
BAM,
so
I'll
run
list
I'm,
not
gonna,
do
anything
super
invade.
Maybe
I'll
like
come
to
/var/log
and
looks
like
what's
going
on
a
D
package
cool.
We
grabbed
all
those
logs,
I'm
gonna,
go,
send
them
off
and
steal
your
credit
card
numbers
now.
Actually,
no,
but
let's
see
if
falco
is
going
to
start,
I'm
wondering
if
it's
going
to
start
picking
up
any
of
the
the
things
I'm
doing
here.
A
A
Let's
see
if
we
can't
Nano
FS
tab,
onion
and
I
found
what
editors
are
on
here
is
EE
on
here.
Oh,
my
god.
Is
it
VI?
Then?
Okay,
there's
no
text
editors
on
here
we
can,
you
said,
but
let's
just
let's
just
look
at
fstab
one
configured
FS
time
for
B
system
marks,
Tim,
says
no
problem
in
the
rules
directory
and
github,
okay,
cool!
Thank
you
still
not
seeing
any
events
here
mark
or
Dan
any
idea.
Why
we're
not
getting
any
logs
here?
Why
don't
you
to
exit
the
container?
A
Let's
go
to
/proc,
let's
cat
cpuinfo.
This
is
relatively
harmless.
Okay,
but
at
least
now
I'm
getting
information
about
our
CPU.
Let's
see,
I
could
get
some
cgroup
information
what's
going
on
here
and
see
groups
changed
our
JC
group.
It's
not
not
a
directory.
I
thought
it
was
a
directory.
Let's
cat,
that
a
let
me
see
what's
going
on,
see
groups
okay,
so
we
don't
have
very
many
defined
okay,
but
regardless
I
would
kind
of
hope
that
Falco
would
say
something's
going
on
here.
A
Let's
maybe
try
to
run
a
pod
and
see
what
happens,
let's
run
in
kube-system
and
see
if
Falco
or
I
guess
we're
not
configured
for
your
quesada
game.
Yet
I
still
would
really
like
it
to
detect
me
being
malicious
in
the
container,
but
I
guess
we
can
wait
and
see
if
anything
just
magically
happens
later.
Okay,
let's
talk
dynamic
auditing
and
really
quick
and
then
we'll
try
to
plug
dynamic
auditing
into
Falco.
Now
that
we
have
Falco
up
and
running
so
to
go
to
github.com
or
sorry,
kubernetes.io,
let's
do
audits.
A
Sink
dynamic
auditing,
nope,
kubernetes
audit
sink
see
if
we
can't
find
anything
here:
okay,
here's
auditing
and
audit
policy,
so
there
actually
is
an
audit
policy.
That's
defined
in
the
falco
example
here,
so
there's
a
little
bit
of
documentation
on
it.
I
think
I
added
it
here.
Let's
see
if
I
can't
find
it
I
show
notes,
maybe
not
either
way.
Let's
go
back
where
we
oughta
Dean.
Is
there
an
audit
sink
anywhere
in
here?
That's
what
I
want
to
talk
about?
Okay,
see
how
the
audit
backend,
the
AuditSink
API
object.
A
Here
we
go
audit,
the
sink
okay:
this
is
what
I
want
to
look
at,
so
these
audit
sinks
are
how
you're
able
to
use
dynamic
auditing,
which
is
the
new
feature
that
Patrick
here
coded
for
us
in
Kubernetes
1.13.2,
so
Mark
stem
says:
cat
/etc/shadow
on
the
host.
First,
oh
also,
the
logs
might
be
buffered
by
default,
that's
something
you
can
change
and
if
I'll
go
to
config,
okay,
so
I
think
what
Mark
is
saying
is
like
let's
do
/etc/shadow
on
the
host.
A
So
we
can
do
that
here
in
a
second
and
then
also
the
logs
might
be
buffered.
So
how
would
we,
let's
try
to
do
the
log
buffering
really
quick?
How
do
we
turn
log
buffering
off?
So
let's
go
here
change
directory
into
k8s-with-rbac
change
directory,
no
Falco
config
and
let's
do
Falco
rules,
falco.yaml,
and
actually
what
I
did
in
this
here.
So
folks
at
home
can
see
nice
big
text
editor
here.
A
So
let's
see
where
that
is:
that's
k8s-with-rbac
Falco
config
Falco,
oh,
let's
just
scrub
for
buffering
buffered_outputs,
whether
or
not
output
to
the
output
channels
below
is
buffered.
Let's
set
this
to
false
and
let's
apply
that
so
creates
config
map
and
let's
change
directory
up
here
and
now.
I
should
be
able
to
on
that
create
config
map.
A
Kubernetes
delete,
config
map,
Falco
config,
not
kubernetes
kay,
can
delete
config
Falco
config.
Now,
let's
create
it
and
I
wondered
we
wanted
to.
Let's
just
move
that
pod
as
well,
can't
get
it
yeah.
Okay,
delete
po
this
thing,
I,
don't
think
we
should
have
to
restart
the
daemon
sad,
but
if
anybody
thinks
we
do
drop
it
in
track,
I'll
do
that
as
well
and
let's
get
pods
and
see
what's
going
on
now.
Oh,
it's
terminating
because
it's
a
demon
set.
It's
gonna,
take
a
second
okay
cool.
A
We can try to do an exec into the container in a second, but we're gonna cat /etc/shadow anyway, and hopefully our logs are no longer being buffered. So let's apply our audit sink, and let's also actually open up a third terminal here so that we can look at the API server logs while we're doing all this. Sorry if it's a little bit blown out for folks at home, I'm trying to show a lot on the screen at one time.
A
Do audit sink YAML. So we should be able to go to the TGIK directory and just apply that. And go, source, github.com, heptio, tgik, episode 61, and we should do k apply -f audit sink YAML. Audit sink created. So as that goes through, we should see some logs here in the API server, and we'll wait for that to, oh.
A
Actually, we need to redo it, because we're gonna wait for that to point to the Falco server, but we need to change this to 192.168 dot 5, and then we're sending this to port 8765, which is Falco's default port, and we're sending that to the k8s_audit endpoint. Now, I think this should be enough to actually just magically turn on Kubernetes
A
auditing on the Falco side. But I'm wondering if folks, either Mark or Pop here, can let me know if they see anything that looks a little bit promiscuous here. Ashish says: suggest split terminal horizontally. I actually don't know how to do that off the top of my head, so we're just gonna go with vertical for the time being, sorry. And really all that we want is just to see if anything happens. Oh, cool. Okay, so here is our error in audit plugin dynamic webhook, affecting 1 audit event, post.
A
Okay. So let's recreate this thing really quick. So we want to k delete -f audit sink YAML and k apply -f audit sink YAML. Okay, so this should be going with the right IP address for our pod now, and if all goes well, we should see the API server here fix itself, and then hopefully we see like a little message here on the Falco side that says, yes, we have a new Kubernetes audit stream. Let's see. Looks like we're getting more errors.
A
Let's see what this one says: 192 168 2, k8s_audit, timeout. Let's see, stage ResponseComplete, method get, kube-system, controller manager. So Mark Stemm says, it looks OK to me, although we have to make sure the right IPs are reachable. Also adding the k8s_audit_rules.yaml to the config map. Okay. So let's add the k8s_audit_rules.yaml to the config map, and then reload the config map and restart our pod. And I'm wondering what's going on here. These are just like controller manager plugins.
A
So, let's see here. Let's go back and let's fix our k8s config YAML, and then hopefully, by the time we do that, this will go in and fix itself with a new audit sink. Let's see if we get lucky. So first things first, let's close this one, clear it, get that out of our way. Come here, and it's in the rules directory, said Mark. So go, source, github.com, falcosecurity, falco, and then it's there, rules, yeah. So now, let's copy.
A
I think we had it here, I want to say Q, fractal. Yeah, it's that one. I know it's hard to read, but we just created it way over here on this tiny terminal, and we can actually probably close this one and make it a little bit easier now. Okay, so the config map has been created, let's restart our pod again. So here's our pod, and k delete po, BAM. Let that delete and resync it, and now let's see what the API server logs are doing. k get po, namespace kube-system.
A
kube-apiserver. And I think we probably have to update this to me again, 'cause we're going to add a new IP address after we update our config map and had to restart our pod, but we'll see. Herman says, yeah Millar, oh, I'm always wondering. I have no idea, Herman. I think the spec calls it YAML. It's Yet Another, or,
A
YAML Ain't Markup Language, and you can go read this spec. And actually I learned a little bit about the YAML spec when I was reading through the Falco docs. I never knew that a section of YAML was referred to as a node before, but yeah, that's technically called a node. kube-apiserver. So let's do logs, k logs kube-apiserver, namespace kube-system.
A
Now stop 1.6. So let's go and change this here in our audit sink, 1.6, save that, and let's k delete, or actually, k get audit sink. Okay, k delete audit sink tgik. Okay, k apply -f audit sink YAML. Created, okay. And let's see if our logs here get it. And then while we're gonna watch the API server logs, let's also watch the logs for Falco here to see if we see anything about it recognizing that there's a new data stream coming in.
A
user name, target, target name, verb, operation performed by user not allowed in list of users, container, container ID, filter check, k8s pod name, container, exiting. I don't really understand what this error is, but it looks like it's some sort of permission error, that we're trying to do something that isn't allowed. This to me smells like something in our config map that we just updated.
A
So it's still going to 192.168.1.2. Never seen this happen before, but interesting behavior here for sure. Mark Stemm says, one sec, so it looks like Mark is getting on it. Okay, so we're waiting for Mark. Patrick, if you have any ideas what's going on here in the API server bit and why we're still looking at 192.168.1.2, let me know. And I'm gonna start to kind of wrap up, because we're already an hour and almost thirty minutes into the episode, and I want to see
A
if folks have any questions or anything at home. Mark Stemm says, oh, it's a bug we haven't fixed in 0.13.0. In the command line for Falco, drop the PC argument in the DaemonSet. Okay, so it's a bug. Let's see here, we can fix this, no big deal. Okay, so we want to go to the DaemonSet. Sorry, the PK argument. Yep, one second, Mark, and we'll add that in there. So here's our DaemonSet, and for the Falco command line, /usr/bin, okay. So we want
A
What we're trying to do here at the end. Mark says, no, there's a -pk argument already, remove that arg. There's a -pk argument already, remove that arg. There's, okay, PK here at the end. It should be at the end of the line. Drop the PK. There we go. Okay, cool. So I'm gonna run this now. I keep trying to high-level everything, but then it just, I'm like, all right, let's high-level it, and then Mark says something and then I want to go try it.
A
Do do do, that's deleted, and now we want to do k apply -f, where are we, k8s-with-rbac, falco-daemonset-configmap.yaml, that we just removed the PK at the end. Goodness. That was created. k get po, yeah, it's running and four seconds old. k logs, BAM, -f. Starting internal web server, listening on port 8765.
A
Interesting. I wonder if we need to like restart the API server. Let's try that. k get po, namespace kube-system. Don't ever do what I'm about to do at home. I have crazy ideas that I think it's a good idea to just restart stuff in kube-system. Please, please, please don't do this at home, but this is just for a demo. Let's go ahead and restart the API server. I mean, it'll fix itself and it should be fine. It's not a big deal, but just in general, like, be careful in kube-system.
A
Oh yeah, yeah. It's to find this one, point in the 192.168.1 CIDR, yeah, 192.168.1.6. Interesting. This should be working. I don't know what's going on here. It should be at the end of the line. Okay, rad, that's chat from earlier. Okay, so let's just keep these logs up and we'll wrap up the episode.
A
Actually, you know what I want to do now is I want to see if that buffering flag worked, if we were able to flip that to false, so if we're actually able to get some logs here now. So let's k exec, we're gonna exec back into this pod and see what happens. BAM. Okay, so that was really quick. Okay, so we got the buffering turned off, so Falco is working. So let's just see, like, if I cat /etc/shadow, is that not in here? Yeah, it is. BAM.
A
So we got like a lot of logs over here. Notice: a shell was spawned in a container with an attached terminal. Warning: sensitive file. Okay, so Falco is really lightning quick, and then you can take these and you can, like, you know, have various outputs. You can hook it up to other things. It's basically like an event system at this point, and you're able to actually start detecting things on your system, so that was really exciting. So Ashish says, do you have more than one API server? How was API server pending and you're
A
Oh my gosh, me. The container. k get po, namespace kube-system, kube-apiserver. We only have this one, it looks like. I'm wondering if I just go and restart these, like kill the pod on the host, and then like Kubernetes reschedules. I don't know, this is just really weird behavior. I'm not an API server expert. A lot of times the assumptions I make about Kubernetes are wrong off the cuff for very important reasons. So I really don't know
A
what's going on here with the API server and why it's, we're able to restart it and still make kubectl commands and it was still in state pending. It seems interesting. Christopher says there should be a new Falco pod IP address after the DS was created. Christopher brings up a good point, which I'm sure there is, but regardless, it doesn't look like the API server's respecting, you know, audit
A
sink, this stuff anyway. So maybe we can try a new audit sink and see if it kicks off something else and we get a second one, or who knows what's going on. So let's do this. So let's get our pod IP address, k get po -o wide. So this is now 1.7, and this is for our Falco POG, or, Falco pod. This is an odd bug, I'm going to file this. Thanks, paddle AK. So let's go to goal and let's go back here.
A
So now we have to, and let's get those API servers once again, k logs API server. Mark Stemm says, I haven't used the audit sinks much, I see you delete it and recreate it though. Typo, 76. Oh, thank you, I typoed 76, I see right here, derp. Good call, who was that me, free stickers for you, mean, for catching that one. So let's try this thing again. So let's, how, you know what, for good measure, let's just see if we can't create a lot of these things. tgik3. Okay.
A
What everything is, create pods, and IPAM will eventually recycle, we'll get 198, once, or 192.168 dot 2 again. So here's on 1.2. Let's see what else we got. More auditing events, nothing new in Falco. Okay, we'll let this thing run, I'll keep it pulled up, folks at home can look at it as it's running. I sure what's going on here. It looks like we're filing bugs. It's an alpha feature.
A
So maybe we can try this again in the future, but already I feel like folks are getting a really good idea of how dynamic auditing is supposed to work with the Kubernetes audit functionality. Patrick says, I would try resetting the container on the master. And Christoph says, API server pods should be running as a static pod, which is not controlled by Kubernetes directly. Maybe that's why the delete did not affect the cluster.
A
That is a good point, because the Kubernetes API server, right, it's not, I don't think it runs as like a deployment or anything. It's just a static pod, which I know there's some really weird interesting behavior there, and that's sort of built in there for resiliency reasons for the API server. So maybe there's something else going on there. Mark Stemm: is that question mark timeout 30 seconds really in the post? I'm sure what you're talking about, Mark. Oh, here, he's talking about this: post 192.168.1.2, k8s_audit, timeout equals 30 seconds, context
A
deadline exceeded, client timeout exceeded while awaiting headers. I don't think so. I don't know what the API server is doing with an audit sink configuration after we get it, it might be doing something a little bit weird. But yeah, let's high-level this thing really quick and we'll get out of here. It's already an hour and thirty minutes in, and I think we've done enough. We've looked at Falco.
A
Okay, so we were able to get Kubernetes 1.13 up and running with kubeadm, using the kubeadm config that I have here locally, or it's actually in my GitHub branch, but we'll merge that into the heptio tgik repository. So if you want to replicate what I did here today on your end, this is a really good config, and you'll be able to build a cluster exactly like what I have with kubicorn.
A
So after you have the 1.13.2 cluster up and running, you're gonna want to make sure you have those API server flags also enabled if you want to use dynamic auditing. So after you get, oh, see, Hameed says, which track are you presenting in at FOSDEM? Hameed, so I am presenting, I'm doing a Kubernetes with Kubeflow and a few other things for the ML track with Holden Karau, and I'm
A
So it's a really awesome talk about Go, how you can structure your code in Go, what to watch out for, anti-patterns, patterns that start out as regular patterns that turn into anti-patterns, and then advanced refactoring techniques and some of the stuff we do in Kubernetes, which is really exciting for anybody either who works in Kubernetes or has a lot of Go code that they're trying to refactor and trying to get themselves out of some sticky situations. So those are the two talks I'm doing. Okay.
A
So thanks to our friends at Heptio, in our pal Nova. Thank you, Pop, very nice to meet you, and again, thanks for all your help. Mark, especially you, you've been super helpful today. And let's go back and talk about what we did today. Okay, so I explained how we got the Kubernetes 1.13 cluster up and running.
A
So now the API server was configured with the API server flags, and we were able to actually go and create an audit sink object, and then the API server looks like it's trying to reconcile it based on what you defined in the audit sink, and then it will start sending dynamically Kubernetes audit streams to whatever client you configured. So Falco has built-in functionality that allows us to point the Kubernetes audit stream at Falco, and Falco is able to parse the Kubernetes audit streams with various rules.
A
So those are those k8s rules, that YAML that we added at the very end to the config map. So I know that the engineers at Falco actually spent some time building very specific custom Kubernetes functionality that allows us to do a lot of interesting rule parsing on top of the Kubernetes audit rules. Furthermore, Falco is built on Sysdig, which, like we said earlier, is like tcpdump or Wireshark for syscalls on your host system.
A
We mount read-only some volumes into the Kubernetes pod, and then we're able to take advantage of the dynamically loaded kernel module that Sysdig gives us, and we will start parsing those syscalls for anomalous behavior and are able to make sense of them, and so that's where our Falco comes into play. So we can glue all that together by pointing a dynamically configured audit
A
the stream at Falco. Falco is able to take that and we can write rules against it, and if one of those conditions trips, we flip one of our rules and we get a log here in the log file. We can actually pipe that to pretty much anywhere, because we can write any bash command we want there as well. So Falco's flexible, and I'm already getting ideas of like the domino effect here, like, well, what
A
if we took Kubernetes audit streams, piped those into Falco, took Falco and like sent that up to something like, say, Prometheus or something that can generate alerts, and then we can have like different people get alerted for different things, and Falco can help us make sense of all this, and we can even bundle in like syscall alerts as well. So we can really start to gain some confidence in our systems, and confidence that our systems aren't doing anything we don't want them to do.
A
Okay, so that's sort of the Falco plus dynamic auditing in a nutshell. Looks like some folks had some comments in the chat. Marco says, great stream, thanks, sadly missed some of it as a bit tired, will definitely catch up. No problem, Marco. Also, Marco, I saw your Slack, I'm not ignoring you. I've just been really crazy busy this week, I promise I'll get back to you soon, Marco. Hameed, thanks for the demo. Mark says, I added a link to my KubeCon
A
2018 talk where I described the k8s audit support in more detail and I have a demo at the end. Awesome, Mark. So I think that demo is going to be not using the dynamic audit stuff that we looked at today, but the regular Kubernetes auditing that you can just turn on by flipping Kubernetes API server flags and restarting the API server manually. Peter Benjamin says, awesome work, Kris, thanks so much for the Sysdig Falco demo. No problem, folks, I love doing this.
A
I love spending my Friday afternoons with the Internet as we hack on things and try to figure out how to make Kubernetes and all these crazy new tools that are coming out of the cloud native ecosystem work. It's always a ton of fun. I'll do last call for questions, and if not, I'm going to get out of here. I've got exciting plans tonight, and I think, like I said earlier, I'm gonna maybe head down to Portland.
A
We gotta go check the weather and see how the weather on old Mount Hood is doing, and I might fly down to Portland and go free solo up the south side, maybe even do the Devil's Kitchen Headwall by myself. We'll see what weather says and we'll see what conditions are. Supposed to be pretty icy and supposed to be really cold, which is good. Maybe we'll get some of that nice styrofoam ice that we like to climb in so much. Awesome, cool. Well, it doesn't look like we have any questions without Dan pops.
A
Sysdig Secure can do the alerts as well in workflow, Falco violation to alert. Oliviana ago says, thanks, Kris, great stuff as usual. No problem. Lasagna, starving them do assert or giveaway this week. We'll get back into doing the giveaways, and I think we're working hard behind the scenes figuring out ways we can spice up TGIK and ultimately get some VMware products up in here, and maybe get some folks from the VMware side of things to come in and join us here in the Heptio studios and do like some live
A
some live demos and learn more about those, so stay tuned. We have an exciting year in front of us. I have a feeling I'll be back next week, there's a good chance. It might be Joe, though. But again, as per usual, hit me up. Actually, wait, no, next week we're out all week for our VMware orientation, so I don't know if we'll have one next week. Follow my Twitter, follow Joe's Twitter, or follow the Heptio Twitter, and we'll let you know if we have one or not.
A
If you have any ideas, if there's anything you want to see, we mentioned Spinnaker earlier, there's that whole GitHub repo, github.com/heptio/tgik. Go into the issue tracker, drop your ideas, we're happy to look at them. Who knows what we'll pick? It's always a surprise to me every week when we pick one. Ashish, thank you so much for your help today, Ashish. Next time. And yeah, I'm out of here, so everybody have a good day, great weekend, and I'm gonna go climb a mountain. See everybody when I see 'em.