From YouTube: TGI Kubernetes 175: Cloudnative WAF with Curiefense
Description
Join Ricardo, as we explore Curiefense, a sandbox CNCF project that proposes to be the open source cloud native application security platform that protects all forms of web traffic.
We will try to install it, simulate some scenarios and have some fun!
A
Okay,
so
we
are
live
good
evening
good
morning
for
the
pacific
folks,
good
evening,
good
afternoon.
Whatever
time
zone
you
are
for
facing
masters
from
six
cli,
my
name
is
ricardo.
I
will
be
your
host
for
this
second
session.
I
welcome
everyone
for
this
session,
which
is
going
to
be
about
kirya
fans
fans.
It's
a
really
cool
project
that
started.
A
A
A
Thank
you
everybody
for
having
me
so
I'm
gonna
start
with
the
week
on
review
and
then
we
can
jump
into
the
kiriefen's
episode,
okay,
cool.
So
let
me
just
put
my
screen
here.
You
can
tell
me
on
on
the
youtube
comments.
If
my
screen
my
I
need
to
increase
my
letters,
my
the
size
of
my
screen.
A
Otherwise,
let's
get
started
so
the
notes
they
are
right
here.
You
can
see
them
on
on
tgik,
dot,
io
notes.
This
episode
is
going
to
be
recorded
so
and
we've
got
actually
another
episode
today.
So,
first
of
all
welcome
back
for
you
all
that,
where,
on
our
episode
that
I
guess
9
p.m,
pacific
time
this
is
the
second
episode
we
are
trying
to
make
episodes
on
a
more
friendly
on
a
more
friendly
time
for
people
at
europe,
asia
and
middleweight,
pacific
et
cetera.
A
So
I
don't
know
how
this
is
going
to
be,
but
this
is
an
experience.
Pushkar
was
earlier
today
doing
the
first
episode
about
about
connect
and
then
I'm
gonna
take
a
look
into
key
reference
right.
A
So,
first
of
all,
kubernetes
version,
123
is
almost
there.
We've
got
an
announcement
from
a
code
freeze,
so
right
now
only
patches
npr's
that
are
block
blocking
the
release
will
be
accepted.
If
you've
got
your
patch
for
123.
Look
you!
If
not,
we
are
going
to
wait
until
the
code
and
freeze
unwanted
24..
A
Also,
we've
got
an
announcement
from
my
huge
friend
adult
for
puerco
about
kubernetes
patch
release.
So
let
me
increase
the
screen
here,
yeah
for
you
that
that,
for
you,
that
are
running
version,
120
121
on
r122,
we
have
a
new
patch
releases
that
fixes
a
lot
of
bugs.
So
please
fix
them
for
those
of
you
that
are
not
running
a
supported
version.
A
Please
do
so.
Don't
don't
don't
wait
until
your
apis
all
get
deprecated
before
updating
your
kubernetes
cluster
right
and
the
news
about
this
release
is
actually
that
we
have
some
supply
chain
level
for
software
artifacts.
So
sig
release
is
focusing
on
on
making
some
supply
chain
security
improvements,
and
I
really
recommend
you
all
to
to
take
a
look
into
this
twitter
thread
and
and
take
a
look
also
into
this
subject,
which
is
which
is
really
rising
and
was
part
of
our
tjk
earlier
today
as
well.
A
Okay,
next
go
version,
1
18
is
almost
there
and
there
is
a
cool
twitter
thread
here.
A
If
you
want
to
take
a
look,
so
so
daniel
marty,
which
is
one
of
the
go
developers,
put
a
huge
list
about
all
of
the
changes
and
besides
this
version
being
not
like
a
major
release
like
go
to,
we
are
getting
a
lot
of
new
stuff
like
generics,
fuzzing
tests,
some
workspace
mode,
and
I
really
hope
that
this
workspace
mode
solves
an
annoying
problem
for
people
using
vs
code,
for
example,
which
is
when
you
open
something
with
a
lot
of
things
inside
it.
A
Take
a
look
and
also
other
other
other
improvements
that
are
pretty
pretty
cool,
so
we've
got
some
some
new,
even
some
new
strings
and
bytes
functions
to
do
could
to
cut
the
string
right
yeah
what
else
and
the
new
net
ip
package
so
probably
the
net
packaging
some
methods
of
the
net
package.
A
They
are
going
to
be
deprecated,
but
as
go,
have
this
contract
of
never
removing
or
having
never
doing
a
break,
a
breaking
change
when
you
are
using
like
from
one
version
to
the
same
version
like
version,
one
deprecation
means
that
those
functions
they
are
not
gonna
be
maintained
anymore,
but
they
are
not
gonna
be
removed
from
from
go
one
cool.
A
This
this
thread
is
really
cool
next
one
yeah
this
is
this
is
really
nice
as
well.
So
for
those
who
don't
for
those
who
don't
know
about
gatekeeper,
gatekeeper
is
a
project.
That's
now
that's
a
super
project
from
open
policy
agent,
but
was
like
a
split
project
and
then
got
got
incorporated
by
by
open
police
agent
which
implements
an
admission
web
hook
for
kubernetes.
A
That
allows
you
to
write
rego
policies
to
to
to
protect
your
cluster.
So
imagine
that
you
don't
want
users
to
create
to
use
images
in
pods
that
are
going
that
are
using
latest
tag,
for
example.
So
gatekeeper
helps
on
that
a
lot
and
gatekeeper
had
some
lack
of
mutation
web
hooks,
which
means
actually
you
accepting
something
but
then
changing
the
value
that
users
put
so
users
adding
latest
or
users
using
docker
hub,
and
you
changing
to
your
internal
to
your
internal
docker
registry,
for
example,
because
of
quality
of
services.
A
The
the
the
rate
limiting
of
docker
right.
So
gatekeeper
got
this
mutation
web
hook
and
as
an
alpha
version
on
the
earlier
release,
and
now,
let's
move
it
to
beta.
A
So
it's
really
nice
to
see
this,
this
tool
evolving
and
also
it
got
a
new
cli.
And
why
is
this
so
important
because
right
in
writing,
gatekeeper
rules
and
having
to
add
them
on
your
kubernetes
cluster,
the
constrainting
plates?
And
then
the
constraint
was
really
really
really
annoying
right.
So
you
have
to
you
need
to
have
like
a
kubernetes
cluster
or
at
least
an
api
server
running
and
now.
A
Actually,
you
have
to
you
need
to
to
have
a
kubernetes
cluster
too,
because
the
controller
needs
to
run
as
well,
and
then
you
need
to
apply
something
and
see
if
it
works
and
if
it
doesn't
work,
you
need
to
do
another
rule.
So
now
that
you
have
a
cli,
things
are
going
to
be,
I
hope,
easier
to
to
write
a
gatekeeper
rules.
A
An
old
but
gold
subject,
and
that's
gonna,
that's
again
in
in
our
table-
is
that
docker
shim
is
deprecated,
so
we
all
know
about
the
deprecation
of
docker
shim,
but
right
now
the
kashim
is
getting
removed
from
124
right
so
signal
this
collecting
some
feedbacks
and
I
I
they
expect
users
from
the
question
to
feel
this.
A
This
form
this
this
feedback,
so
please
feel
free
to
to
open
this
blog
post
and
also
to
fill
the
the
the
research
the
last
news
for
today
of
the
weekend
review.
But
if
someone
remembers
something
just
go
ahead
and
put
on
the
comments
here
on
the
chat
is
that
part
security
mission
is
moving
to
beta
and
will
be
enabled
by
default
on
123..
A
So
there
is
a
tweet
here
from
tim
mulclair
with
some
useful
links
and
for
those
who
don't
know
what
security
policies
is
getting
on
a
deprecated
path
right,
so
deprecation
in
kubernetes
takes
to
remove
a
removal
later,
but
there
is
a
new
feature
which
is
called
security
admission
that
helps
on
at
least
protecting
your
pods.
So
take
a
look
into
this.
A
So
anyone
willing
to
test
this
is
gonna
have
some
some
some
way
to
test
without
breaking
your
production
clusters
right
so
yeah.
Now
we
have
jose
from
chile
also
alex
from
north
california.
A
Engine
is
happy
about
strings.com
because
that's
at
least
like
five
less
lines
in
our
go
codes
right:
phillip,
hey,
philippe
and
yoshi
yogi
yoshi.
Sorry,
if
I
don't
know
how
to
to
speak
but
welcome
from
singapore
far
from
here
and
time
zone
is,
is
pretty
it's
pretty
late
in
singapore,
probably
because
it's
already
late
here
in
brazil.
A
So
welcome
and
thank
you
thank
you
for
joining
us,
and
so
let's
get
started
talking
about
curio
fans
right
so
before
asking
justin
to
tell
a
bit
about
kyrie
offense
and
I'm
gonna,
I'm
gonna
put
justin
on
the
screen
here.
So
I
I
have.
I
had
my
my
first
contact
with
clear
fans
when
it
was
released.
Well,
I
guess
wasn't
version
0.1
for
some
of
you.
That
may
not
know
I
am
one
one
of
the
ingredients
maintainers
and-
and
I
also
work
at
a
lot
with
aj
proxy
ingress.
A
The
aj
proxy
ingress
maintainer,
which
is
which
is
juan,
also
works
at
vmware,
and
we
work
it
together
on
our
best
company.
So
we
were
a
lot
of
time
like
seeking
into
some
way
to
protect
our
our
environment
right.
So
the
idea
was
like
we
needed
some
web
application
firewall
and
we
need
at
least
to
have
some
some
protection
about
about,
like
the
main
vuener
abilities
like
sql
injection,
remote
code
execution
and
etc,
because
even
running
stuff
inside
containers.
A
You
know
that
this
might
be
dangerous
and
I
I
I
want
to
show
a
bit
about
this
right
now.
At
least,
how
can
I
use
that
to
like
bet
developed
web
applications
to
break
something
and
we've
been
using
a
lot
of
mod
security?
A
lot
and
mod
security
is
an
amazing
project,
so
that's
really
cool,
but
but
wasn't
enough
for
us.
A
Even
we
we
looked
into
that
and
I
think
it's
an
amazing
project
that
was
like
the
pioneer
and
all
of
that
that
so
one
year
ago,
one
year
and
a
half
like
kirithins
raised
it
as
like
a
cool
envoy
project
for
web
application,
firewalls
and
then
we
I
started
to
look
into
that
and
say
hey.
A
This
seems
really
cool.
This
seems
to
be
something
that
we
are
looking
for
and
from
that
time
to
now
I
just
forgot
everything,
so
I
didn't
touch
it
again,
curious
fans
right.
So
let
me
put
justin
back
here
again
and
then
and
then
we
were
discussing
inside
vmware
like
hey.
We
should
probably
make
some
tjk
of
something
new
or
some
things
unbox
it
and,
I
said,
hey.
I
guess
that's
now
the
time
to
come
back
to
curie
offense
and
see
how
things
they
are
going
so
hey.
A
I
I
want
to
present
you
justin,
and
I
want
to
to
to
welcome
justin
and
justin
can
tell
a
bit
about
hiring
fans
story
before
we
start
jumping
and
breaking
stuff,
because
the
idea
of
tjk,
after
all,
is
breaking
stuff
finding
that
we
cannot
do
the
things
alone
and
and
and
ask
for
some
help
later,
like
hey,
explore
new
technologies
right.
So
welcome,
justine
and
welcome
andrew
andrew
andrew
is
from
my
team
at
vmware
and
he's
like
he's
like
here
watching
watching
as
well.
So
hi
andrew.
B
B
Yes,
thank
you,
ricardo
yeah,
so
basically
we're
carrying
fence
started
about
a
year
ago
and
the
back
story
is,
you
know:
zuri
baryokai,
who
founded
a
company
called
reblaze
they've,
been
doing
web
application
security
for
close
to
a
decade,
and
there
was
a
really
you
know
with
envoy
becoming
more
and
more
popular.
B
There
was
a
a
need
for
a
web
application
firewall
and
that's
something
that
he
and
matt
klein
were
talking
about
and
that's
where
curie
fence
came
into
play
because
you
know
the
the
cloud
native
space
is
growing.
B
You
know
you
can't
you
can't
ignore
it
anymore,
and
we
just
saw
you
know
he
saw
a
really
good
opportunity
and
we
he
decided
that
we
should
submit
it
to
the
cloud
native
computing
foundation.
Cncf
and
the
beauty
with
that
is.
You
know
all
sandbox
projects,
the
newest
projects
that
come
in
they're
built.
B
It's
it's
to
try
to
get
it
to
a
stage
of
either
incubation
or
graduation
to
build
on
top
of
other
graduated
projects,
and
that
is
why
we're
in
the
cncf
in
going
all
in
and
making
sure
that
we
get
direct
feedback
from
the
cncf
and
cloud
native
communities,
because
that's
what
we're
building
it
for
so
yeah,
that's
kind
of
like
the
gist
I
mean
obviously
there's
more
history
there,
but
that's
kind
of
just
the
overview.
That's
that's!
What
made
me
want
to
join
the
company
to
work
on
curie
fence.
B
Full
time
is
just
this.
You
know
there's
this
need
for
security,
especially
with
the
rise
and
of
envoy,
but
we
also
know
that
nginx
is
still
a
really
big
player,
even
in
the
cloud
native
space.
So
you
know
having
just
basically
adding
that
a
couple
months
ago
into
the
140
release
to
have
nginx
support
and
yeah.
I
think
overall,
we're
just
really
excited
with
the
amount
of
activity.
I
I
monitor
the
staff.
B
Every
day
we
have
54
active
members,
whether
it's
on
github
or
slack
and
a
few
other
places
but
yeah
it's
it's
growing
and
we
just
want
to
see
it
battle
tested
and
who
better
than
ricardo.
A
Yeah,
I
am
good
breaking
stuff,
so
cool,
I
love
it
yeah
cool,
and
so,
if,
if
you
can
later
just
put
on
on,
maybe
on
youtube
comments
about
like
the
slack
and
the
twitter
of
curia
fans-
and
I
will
add
as
well
on
the
on
on
the
meeting
meeting
notes,
I'm
sorry
on
the
tjk
notes,
so
people
can
tickle
yeah,
but
that
yeah
really
cool
all
right.
So,
let's
start
having
some
fun
here.
A
Let
me
add:
where
is
my
screen?
My
screen
is.
B
A
Here
so
here
we
are
with
my
screen
again,
so
I
I
have
before
starting
I.
I
added
some
links
here
for
people
willing
to
learn
a
bit
about
learn
about
about,
learn
a
bit
about
web
vendor
abilities
and
etc.
There
are
some
cool
projects
like
the
damn
venerable
web
application,
web
gold
from
mobile
asp
and
juice
shop,
and
they
they
are
vulnerable
applications
that
teaches
you
actually
how
to
break
and
how
to
protect
those
applications
right
and
why
I
am
adding
those
here,
because
I
want
something
broken
right.
A
I
really
want
something
vulnerable,
because
I
want
to
explore
how
curiou
fans
can
protect
me.
So
I
I
decided
to
use
dv
wa,
which
is
easier
and
because
I
have
no
tabita
state
stereo
or
the
fin
or
anyone
that's
good
at
those
vulnerability
stuff.
So
I
just
wanted
something
that
me
that
I
could
break,
but
those
are
cool
projects
to
learn
a
bit
about
web
application
security.
So
yeah
take
a
look
into
those.
A
So
I
I
I've
got
this
dvwa
and
I
created
a
dvwa
container
because
the
dvwa
container-
it's
pretty
old,
so
I
will
right
now.
Bootstrap
is
in
my
machine,
so
we
can
at
least
take
a
look.
How
how
it
looks
like
how
how
it
looks
like
a
web
vendor
ability
before
we
start
trying
to
add
curie
offense
on
front
of
it
right
so
and
please
folks,
don't
run
this
in
production.
Don't
run
this
on
on
your
on
your
production,
cluster
or
something
public.
A
So
mostly
this
script,
it
does
like
create
a
docker
compose
and
with
like
triple
seven
permission,
which
is
bad
but
anyway.
So,
let's,
let's
do
a
docker
compose
docker
compose
up
here
and
see
what
happens
right?
A
A
A
A
While
it
runs
here,
let's
go
back
to
the
curio
fans
website,
which
is
good
and
the
the
starting
point
that
I
want
to
take.
A
look
is
the
overview
and
the
documentation
right,
because
we
all
need
to
start,
we
don't
ever,
but
we
should
start
via
the
documentations,
and
here
I
want
to
take
a
look
into
the
architecture
of
curious
fans,
so
they
state
that
curifence
is
an
api
first
devops
oriented
web
defense,
http
filter
adapter
for
envoy
and
nginx,
and
provides
a
lot
of
security
technologies,
and
it's
really
comfortable
controllable
programming.
A
So
back
in
time,
when
I
was
looking
into
curios,
I
remember
that
what
it
does
is
actually
it
does
have
an
api
server
and
you
can
like
configure
some
stuff,
which
I
don't
remember
anymore
and
those
stuff
they
got
published
into
a
cloud
storage
which
is
a
bucket
right
justin.
So
what's
what's
the
idea
about
that?
Like
it's?
Like
other
configuration,
they
get
started
into
an
s3
like
or
like.
B
Yeah,
they
think
the
idea
there
was
like,
like
a
get
ops
type
mentality
where
you
don't
need
to
have
it
like
in
s3
or
a
git
repository.
You
can
have
it
as
local
storage
as
well
so
yeah,
but
the
idea
was,
you
know
if
we're
going
all
in
with
the
cloud
native
ecosystem
then
have
that
supported.
A
Yeah
yeah
yeah
it
does
it
does
so.
Jeremy
complained
about
the
screen.
I'm
sorry!
Sometimes
I
I
forgot
because
my
screen
is
pretty
big,
so
let
me
know
jeremy,
if
viewing
it's
yeah,
it's
better.
Okay
and
thank
you.
Thank
you,
justin,
okay,
cool.
So
taking
a
look
into
this,
we
can
see
what
what
in
total
so
that's
like.
We
we've
got
a
web
console
and
a
config
server
and
it
publishes
on
a
cloud
storage.
So
this
is
something
you
can
say
that
key
reference,
like
the
proxies
they
keep
running.
A
Even
if
the
cloud
storage
is,
is
offline
right.
So
we
should
probably
try
to
remove
something
and
and
see
how
it
goes
and
it's
cool
this
architecture.
So
you
may
have
like
some
metrics,
some
some
elastic
search
to
take
a
look
into
the
logs
and
some
dashboards
so
yeah.
I
want
to
jump
into
it
soon,
cool.
So
here
my
my
my
my
venerable
application
is
running
and
I
just
want
to
make
sure
that
it's
really
broken
right.
A
Is
it
working
yeah,
login
cool,
so
dvwa
is
an
application
that
it's
vulnerable
by
definition
and
it
allows
you
to
do
things
like.
I
want,
for
example,
to
do
a
common
injection,
so
this
is
a
pink
device
and
I
want
to
ping
my
my
router
here.
So
if
I
do
something
like
this,
it
should
it's
not
working
because
of
some
something,
but
it
should,
but
anyway,
pink
is
not
getting
that.
A
Yeah,
so
it
doesn't
have
any
string
sanitization
right,
so
I
can
do
a
cad,
etc
lwd,
and
what,
if
I
run
this
inside
kubernetes
if
this
application
is
running
inside
kubernetes,
so
I
can,
for
example,
exfiltrate
my
service
account
and
if
I
exfiltrate
my
service
account,
I
may
have
some
more
privileges
that
I
that
I
should
right.
So
the
idea
here
is:
I
want
to
try
curiou
fans
to
protect
this,
because
this
was
like
a
pretty
developed
application
and
it
allows
me
to
run
anything
inside
my
container.
A
Let's
take
a
look
into
some
other
stuff
right,
so
I
have
this
file
inclusion,
which
is
including
something
here,
I'm
sorry
about
my
bar
here,
because
I
can't
I
can't
increase
the
size
of
this
one.
Let
me
see
if
I
can
do
yeah
hey.
This
is
new
to
me
cool.
A
It
doesn't
open
because
www.google
doesn't
exist,
but
if
I
try
something
like
this
wait,
so
yeah
this
is
allowing
me
to
this
is
allowing
me
to
to
to
include
something
remote.
So
I
can
do
whatever
I
want
right.
So
this
is
bad,
so
I
wanna
I
wanna
try
to
protect
myself
of
this
as
well
and
late
lace.
The
last
thing
is
like,
if
I
can
add
some
some
cross-site
scripting
here
and
say:
hey
my
name
is
ricardo
and
my
message
is
creeped.
A
What's
going
on
here,
it
doesn't
allow
me
to
do
that,
so
it
doesn't
love
me
better
script.
What
happens?
If
I
do
this
hey
look.
I
can
do
something
here
like
redirect
my
window
to
something
vulnerable
right,
so
yeah.
I
want
to
protect
myself
of
this
as
well.
So
I
want
to
see
how
key
reference
can
help
me
on
that.
I
want.
A
I
need
a
non-web
application
fire
because
I
can't
always
rely
on
security
development,
so
hey
what's
up
siam,
what's
up
carlos,
so
let's
take
a
look
into
this,
so
we
already
passed
it
into
the
architecture
here
and
like
we
know
that
we
have
a
server
here,
represents
a
research
protected
by
curia
fans.
So
this
is
what
we
actually
want
to
protect
right
and-
and
we
have
elasticsearch
and
a
lot
of
stuff
and
a
web
console
cool
config
server,
which
puts
the
configuration
called
storage.
A
A
Hey
there
is
a
lot
of
stuff
here,
so
let's
begin
yeah
apt
blah
blah
blah.
I
have
docker
here
in
my
machine
and
I
probably
have
key
reference
here
on
my
terminal
as
well.
A
B
Yeah,
it's
very
dependency,
heavy,
I'm
not
gonna.
It's
not
gonna
pretend
that
but
yeah
it.
It
takes
a
bit
to
get
up
and
running.
But
you
know
once
it
is
it's
very
fast
to
start
and
you
know
go
down,
but
yeah
I
mean
you
got
to
think.
Like
you
know,
we
have
so
many
dependencies
like
just
the
the
co-dependencies
that
elastic
search
needs,
and
you
know
it's
just
it's
a
lot.
I'm
not
going
to.
A
I
I
don't
want
to
say
it's
bad.
Okay,
that's!
I
was
just
saying
hey
I
I
remember
like
yesterday
I
was
doing
some
not
some
dry
run,
but
just
looking
if
I
still
know
how
to
use
linux-
and
I
was
like
hey-
I
am
out
of
out
of
out
of
space
here
on
my
disk
so
was
like,
but
just
just
having
some
fun
but
yeah
just
kidding.
But
that's
that's
that's
cool!
So,
let's,
let's
wait
until
this
is
running
here
and
take
a
look.
A
So
is
it
possible
right
now
to
deploy
qdfns
directly
in
kubernetes?
Yes,
like
yes,.
B
We
don't
have
it,
we
don't
have
it
well
documented,
but
that's
definitely
something
we
have
to
work
on.
That's
and
to
be
honest,
it's
something
that
we're
getting
a
lot
in
our
slack
channel.
A
lot
is
hey.
I
want
to
do
this,
but
there's
no
way
to
you
know:
there's
no
documentation
about
it.
So
it's
a
lot
of
great
feedback.
We've
been
getting
for
the
past
two
weeks,
so
we
believe
by
one
five.
Zero,
we'll
have
like
a
lot
better
use
cases,
because
you
know
what's
really
interesting.
B
B
A
B
B
A
Oh
maven
right,
yeah,
cool,
hey,
what's
up
hobo,
who
was
a
friend
of
mine
from
israel,
it's
pretty
late
in
israel
as
well,
so
yeah
welcome.
Thank
you.
Thank
you
for
joining
me.
A
B
Yeah,
I
guess
it's
just
like
certain
people
like
can't
use
like
they.
They
want
to
use,
link
rd
and
I'm
not
sure
if
that
I
don't
know.
A
A
A
I
don't
know
what
carlos
mean
by
so
smooth
and
so
relaxed.
I
definitely
am
not
but
yeah
thanks
so
cool.
So
we
have
this
api
echo
web
server,
which
is
something
running
behind.
I
guess
so.
If
I
try
to
do
this
in
my
terminal.
A
Cool
something
that
syncs,
something
that
runs:
periodic
maintenance,
logger
configuration
server,
ui
server,
so
yeah
there
is
a
lot
of
containers
here
and
here
is
how
it
stores
the
configs
and
yeah.
A
A
So
yeah
so
carlos
carlos
wrote
that
it
looks
heavy
and
my
my
answer
to
him
is:
I'm
just
kidding
okay
folks,
but
what
security
stuff
doesn't
look
heavy
with
a
lot
of
firewalls
and
a
lot
of
web
application,
firewalls
and
stuff
right
so,
but
to
be
honest,
I
think
this
is
if
you,
if
you
try
to
take
a
look
into
like
let's
say
the
idea
of
of
curiosity.
In
my
opinion,
it's
cool
because
the
the
heavy
part
of
anything
is
the
management
part
right.
A
So
I
remember
like
dealing
with
greylock,
for
example,
and
the
heavy
part
of
greylog
was
like
the
java
application
and
the
elasticsearch
thing,
and
maybe
everything
that
deals
with
with
management.
The
management
side
usually
is
heavy,
but
I
mean
what
needs
to
be
light,
and
I
hope
so
is
the
proxy
right.
So
I
I
don't
want
to
have
any
kind
of
latency
for
my
users,
because
I
am
applying
a
lot
of
rules.
A
So
this
is
this
is
what
matters
in
my
opinion
right,
so
it's
open
so
in
the
left,
sidebar,
select
policy
and
rules,
if
not
already
selected,
so
policy
rules
yeah.
I
am
here.
I'm
definitely
here
and
at
the
top
left
of
the
page
in
the
second
pulldown
control
global
filters,
global
filters
cool.
So
what's
that
about
so
what's
global
filters,
global
filters
tags
to
request
a
session,
so
a
global
filter
is
a
way
to
mark.
Something.
Is
that
right,
like
I
want
to
mark
some
traffic.
A
So
I
want
to
create,
like
a
new
global
filter,
on
what
I
need
to
do
here
next
in
the
tags
header
test,
so
tags
under
test.
I
want
to
call
this:
let's
say:
ricardo's
filter
right,
create
blah
blah
blah,
then,
at
the
top
of
the
current
gameplay
empty
list
to
the
right.
Another
new
entry
by
selecting
create
a
new
section.
A
B
A
A
There
are
some
questions
while
that
justin
so
isn't
void.
The
only
component
in
the
data
plane
like
between
the
traffic.
B
These
are
great
questions
and
I
am
completely
embarrassed
just
to
say,
like
I'm
more
like
the
evangelist
behind
everything.
What
I
can
say
is
all
these
questions
I
can
answer
and
deliver
them
or
get
answered
and
deliver
them
back
again.
I
I
apologize.
We,
I
tried
to
get
two
of
our
engineers
on
and
they
just
they
had
conflicting
things
so
apollo.
I
apologies
carlos.
A
Hey
just
don't
worry
about
that,
you
told
me
I
was
just
like
I
was
just
asking
so
but
yeah
we
probably
want
to
take
a
look
into
into
that
later.
Maybe
try
to.
B
Remove
yeah
what
we
could
do
is
we
could
put
these
questions
in
the
show
notes,
and
then
I
can
get
them.
I
can
get
answers
and
then
that
will
just
be
distributed.
You
know,
through
the
tgik's,
like
channels.
B
A
B
Keep
asking
questions
through
great
questions
and
I
will
get
them
answered.
It
just
won't
be
right
away,
because
my
team
is
like
asleep
right
now.
A
Cool
so
it
was
published-
let's,
let's
play
a
bit
here-
and
we
are
all
learning
here
folks.
So
this
is
this
is
tjk
right,
so
I
can't
do
something
wrong.
I
can't
even
use
my
terminal,
I'm
sorry
about
that.
Okay,
so
I
am
doing
this.
Curio
demo
no
hit
no
header,
and
then
I
will
do
this
passing
my
header
full
and
value
test.
Let's
see
what's
doing
here
so
both
of
the
requests
they
are
the
same
but
yeah
they
are
the
same
right.
A
A
A
No,
I
don't
wanna
enable
security,
sorry
about
that.
We
are
just
playing
with
security
here
and
what
should
I
look
at
so
this
shows
the
two
requests
just
sent
in
order
of
receipt.
So
my
request-
they
are
here
really:
where
are
they
access
log
agent?
B
A
This
show
the
two
requests.
You
just
send
an
order,
click
on
the
spam
button
and
you
should
look
acl
name
into
the
tags.
A
B
A
A
And
is
it
published
yeah.
A
A
Fax
stream
keyword,
okay,
security
policy
default
entry-
header,
oh
cool,
so
here
it
is,
so
that's
getting
tagged
nice!
So
right
now
we
are
just
tagging
our
traffic
right.
So
let
me
see
I
want
to
try
to
block
so
in
this
case
we
are
going
to
block
all
the
requests
with
header
tests
so
in
the
left,
menu
navigate
to
the
policy
rules.
A
A
So,
let's
take
a
look
into
this,
save
your
changes
then
publish
so
I
wanna
save
and
then
I
wanna
publish
my
changes
and
publish
it.
A
And
security
profiles
are
in
report,
monitor
mode
cool,
so
I
should
read
the
documentation
right.
Information
is
also
visible
in
logs.
So
if
I
refresh
here.
A
A
A
Save
one
thing
that
I
think
it's
nice
here
that
I
I
was
seeing
it's
a
lot
a
lot
of
like
a
lot
of
like
look
like
into
github
stuff
right,
so
you
have
the
fork
thing
and
then
you
have
the,
and
when
I
do
the
publish
I
I
can
see,
I
have
versioning.
So
it's
it's
cool
the
idea
of
maybe
so
this
version
control
I
can
just
publish
all
of
my
control
into
a
github,
for
example.
I
should
try
that.
A
B
You're
right-
and
that
is
a
feature
request
right
now.
What
we
did
was
we
built
it
in.
We
built
git
into
carryfence,
so
we
would
have
like
a
you
know,
get
ops
by
default,
but
there
are
people,
as
I
said
earlier,
you
know
when
you
start
a
project
you're
like
oh.
This
is
how
people
are
going
to
want
it
and
then
they're
like
no.
I
want
to
connect
my
own.
I
want
to
get
my
private
github
repo,
we're
just
like
yeah.
That
would
make
sense.
So
it's
something.
B
Yeah,
it's
definitely
something
that's
on
the
roadmap,
but
right
now
it
is
just
built
in
it's
built
on
top
of
git
inside
of
fury
fans.
A
Cool
nice,
so
right
now
I
have
block
it,
so
it
should
block
right,
hey
nice,
nice,
so
if
yeah
it
works,
but
I
want
to
break
things.
Everything
is
working.
Fine.
I
need
to
break
stuff,
it's
the
response,
something
right.
That's
the
response
code
response
response,
headers,
yeah,
cool
amazing.
Let's
move
forward!
I
just
played
a
bit
with
this,
so
that's
forbidden-
and
I
have
all
of
this,
so
we
have
some
rate
limiting.
I
just
don't
want
to
play
with
rate
limit.
A
I
want
to
take
a
look
if
I
can,
for
example,
use
some
rules
like
owasp
rules
to
block
something
right,
so
I
want
to
block
my
sql
injections.
So
let
me
take
a
look
into
here.
I
have
this
deployment
in
deep,
but
right
now
I
don't
think
I
want
to
take
a
look
into
this.
I
want
to
look
into
maybe
web
application
firewall
policies
so
what
it
does.
A
Above
profile
set
of
security,
every
deployment
includes
default
every
the
request
was
blocked
before
filtering,
so
I
want,
for
example,
content
filtering
parameters
constraint.
A
B
A
A
B
Yeah
so
dowse
actually
came
from
reblazes
commercial
product.
Why
they're
not
properly
named,
not
sure,
but
basically,
as
I
said
before,
all
everything
that
came
from
curie
fence
was
like
came
from
that
proprietary
product
and
kind
of
just
everything,
they've
learned
over
the
years
has
is
slowly
just
trickling
into
curie
fence.
But,
as
you
can
see,
you
know
there
are
some
issues,
some
human
readable
issues
but
yeah
there's
multiple
policies
that
have
been
used
by
customers
in
the
past.
A
Cool
yeah,
that's,
in
my
opinion,
that's
acceptable.
That's
a
sandbox
project
anyway
right,
so
we
are
just
examining
here,
yeah,
so
cool,
let's,
let's,
let's
just
let's
just
break
things.
So
I
have
this
default
content
filter
here
and
I
have
these
contain
filter
rules.
So
I
want
to
apply
those
content
filter
rules
into
this
content
filter
profile.
A
Should
I
do
something
else
here?
I
don't
think
so
right!
Let
me
let
me
see
if
I
am
breaking
so
I
have
this
rules
here
and
I
want
just
to
apply
this
into
my
maybe
my
security
profile,
the
default
one
and
I
want
to
I
wanna
active
cool
right.
So,
let's
save
and
see.
If
I
can
simulate
something
here
right
engine
is
asking
us
to
make
some
try
on
aggress
blocking
too
I
can
try
it
like
some
data
loss
protection-
maybe
some
pyy
right.
A
So
I
want
to
block
something
that
contains
something
something
that
contains
something
was
beautiful,
sorry,
something
some
traffic
that
contains
like
protected
data,
so
yeah.
We
we
can
try
that
carlos
asked
why
it's
not
a
crd.
Do
you
have
an
idea
justine
like
something
integrated
with
kubernetes
like
an
operator,
something
like
that.
B
I
don't,
but
I
have
a
markdown
file
on
my
on
my
text,
editor
that
I
will
be
getting
all
these
answers
for
it's
a
great
question.
I
just
I'm
not
sure
yeah.
A
Let's
take
a
look
into
some
rule:
some
nice
rule
that
I
wanna
that
I
can
block
statement
injection.
So
I
remember
there
was
something
with
windows
or
something
like
that.
Come
on,
I
lost
that
javascript,
no.
B
Pass
it,
I
think
you
have
to
hit
a
publish
or
save
in
the
top
right
corner.
A
A
No,
no,
no
worries,
I'm
just
trying
to
figure
out
why
it
is
not
so
there
is
this
global
filter.
Maybe
no.
This
is
the
one
that
just
adds
the
traffic
stuff
security
policies.
A
A
Save
it,
let
me
try
to
publish
again
and
see
what
goes
on,
because
web
application
file
is
separate
from
from
that
marking
thing
right,
the
rate
limiting
so
should
it
be
working
like
yeah.
B
A
B
B
Oh,
that's
go
go
back
to
where
you
were
here.
No,
the
the
other
one,
the
one
that
you
were
on
just
previously
yeah
okay,
so
you
chose
that
right.
Can
you
hit?
Did
you
hit
the
save
button
in
the
top
right
corner.
A
I
didn't
change
anything
in
here,
but
I
have
saved
it
here.
I
guess
here
this
one
when
I
have
enabled
this
content
filter.
Okay,
I
don't
know-
maybe
I
should
add
this
into
the
content
profile.
A
A
Yuka
asked:
what's
the
configuration
po
interval
like
it's
immediately,
I
I
don't
know
if
you
know
about
that
as
well.
Maybe,
but
but
that's
pretty
fast
right,
I
I
was
like
trying.
So
maybe
it's
watching
that.
A
Now,
let
me
let
me
read
here
and
see:
if
I
can,
I
can
see
what
the
hell
am
I
doing
wrong,
so
there
is
flow
control
policy.
This
is
like
when
you
need
a
get
before
a
post.
All
this
this
is
nice.
A
So
I
have
this
global
filter,
which
applies
some
filter
into
something,
and
you
can
apply.
We
we've
been
already
there.
A
A
B
Yeah
the
date
that
the
docs
are
probably
out
of
date,
that's
something
we
have
to
address.
A
A
A
Yeah
exactly
but
the
cool,
but
I
mean
I,
I
was
looking
into
trying
to
use
that
with
my
kubernetes
stuff,
but
I
don't
think
we
are
going
to
have
fine.
A
We
spend
a
long
time
here.
Maybe
we
should
do
another
like
episode
just
trying
using
in
kubernetes,
but
I
think
that
it's
it's
really
cool
anyway,
the
idea
of
creating
rules
and
and
deploying
them
in
envoy,
I'm
just
annoying
that
this
is
not
working.
So
let
me
I'll
just
do
like
and
see
if
the
rate
limit
at
least
serves
me.
A
And
publish
at
least
I
want
to
try
to
hit
like
the
rate
limit
and
see.
So
I
don't
know
if
you
know
justin,
but
is
this
race
limiting
also
distributed
between
the
envoy
proxies
like?
Are?
They
is
like
one
and
by
proxy
aware
of
the
other
one.
If
I
try
to
do
something,
because
I
know
that
in
some
cases
like
doing
that,
control
that
distributed
global
rate,
limiting
control
is
pretty
hard.
B
B
A
A
A
A
B
Yeah,
I'm
not
seeing
anything.
If
you
tried
I
mean
searching,
maybe
something
would
come
up,
but
I
mean
the
last
commands
that
you're
the
last
curl
that
you're
running
was
something
that
was
supposed
to
be
blocked.
So.
A
B
A
B
If
we
do
this
again,
we'll
definitely
get
an
a
contributor
maintainer
of
the
project
that
can,
you
know,
do
things
in
real
time.
It's
just
the
the
timing
was
off.
A
B
B
Compatible
storage
for
publishing
or
you
could
do
it
locally.
It's
up
to
you,
yeah.
A
The
header
is
here
and
that's
not
getting
blocked,
so
yeah,
not
sure
what
we
should
do
right
now
and
because
I
can
see
by
the
logs
that
it's
getting
hit
by
that
content,
filter
name
the
full
config
filter
right.
So
it's
getting
at
least
on
the
right
place,
the
full
config
filter
and
the
header
is
here
matching
value,
strict
mask.
I
don't
know
if
this
should
be
something
I
will
try
to
save
it
again,
but
cool
yeah.
I
think
that
we've
been
like
doing
folks.
A
Do
you
want
us
to
try
to
explore
something
else?
That's
not
we.
We
should
probably
stop
right
now,
but
at
least
like
I
mean
I
am
not
I.
I
am
happy
at
all
with
this,
because
it's
really
cool
to
see
the
evolution
of
the
project
and
and
how
we
get
like
web
application
file
rules
right
now.
Probably
I'm
just
messing
with
something
that
I
shouldn't.
B: No, no, I mean that's you're doing to me. Like my experience doing this, I don't know why it's failing. It's probably something like I'm totally overlooking, but yeah. I.
B: Grafana's good, admin, admin.

B: Yeah, try that. Sorry, yeah, manage, manage, manage, manage, yeah, and then provide, and then yeah, you can do the overview.
A
Nice,
oh
so,
the
the
at
least
like
the
the
memory
footprint
is
really
small
right
and
we
have
like
hey,
like
eight
active
connections
and
upstream
network
traffic,
but
to
to
have
some
some
graphs
about
target
site
nice
to
have
some
graphs
about
maybe
blockade
stuff.
Is
this
on
the
yeah.
B: Yeah, we're looking to always, you know, improve the Grafana dashboards because, you know, Grafana's like what everyone's... it's the go-to tool for graphing. And yeah, for the alerts, I believe, is just done through Grafana. I haven't... I've never set any up myself. I don't run this in production myself, so yeah. It uses Prometheus and Grafana to do graph or visualizations, yeah.
A: Something that should work all right, so I will keep trying to break things here. Just let me go back to my Kibana and see if my things, they are still getting, but I guess that for now maybe we should be done. And congratulations, Justin, to you and the team. This is a really cool project.
A: I mean, as soon as we get like more tracking into that, and I want to motivate folks to take a look into that and provide feedback, because any of those projects, actually they are moved by the feedback, right. So I think that we've got a lot of those today, and this is security, is something more and more that we need to take a look into, so yeah.
B: Sure. Why... it's very weird, I'm not sure what's going on, but now that we have this on video, our maintainers will definitely go over it and see what can, you know, change. I don't know when you release your show notes, but if you can give me a couple of days to get those answered, I would love, yeah. I want some accountability, like I'm going to get these questions answered because they're really good. I just don't have answers at this moment.
A: Oh, I have one more thing that I want to try before just saying: yeah, nothing works for me. What if I try to change this to this, the full config filter? I don't know if this space is a problem. Shouldn't.
B: One more thing: let's try this: let's go to it: let's shut down the servers, Control-C on those, and try bringing it up again, just.
B: So, let's try it now and see what... oh okay, I saw some.
A: Yeah, it's still getting blocked, but I'm not getting you're.

A: Yeah, it's like block, it falls and then getting like reason specified and authorized details. So that's not getting blocked. It's just getting logged here, right. So I'm not sure I can. I can stop again and do a.
B: Maybe since it's at the bottom, it just has like a slash. Just maybe, you know, entry match slash. If you just go to the while-true curl command right in your thing and then just remove slash password just to see? Okay? Yes, nothing! Okay! No! No! No! Dice! All right! Well, hey, what.
B: I'm not sure anyway, yeah, we'll... to be continued, if people are, you know, still want to see this happen, but yeah, it's. Oh, it's.
A: So Juka made the last question before we tear down. So that's if the configuration is human readable. If.
B: It's all YAML, I mean it's, you know, the go-to cloud-native config.
A: Right, okay, so yeah, cool. So today was like an amazing... to me, it was like an amazing episode. Was really, yeah, yeah, not as well. At least we've got like some stuff working, we've got like the... working. I mean, probably it's something really simple to solve that we've been missing, but anyway it was really cool, Justin. I would like to thank you and I think that yeah.
B: Yeah, thanks for having me and thanks to the audience for, you know, putting up with my, you know, non-answers, but again we'll get these questions answered. And Carlos, you just made my day, you're the comic relief of this. So thank you.
A: Yeah, I would like to thank you all again and have a nice weekend, folks. I will try... I will see if I can make it work and maybe put on the notes as well and see what I was missing. Maybe something on Docker Compose, or I don't know, but again was really cool, and thank you all for joining us and have a nice weekend. You all, see ya.