►
From YouTube: TGI Kubernetes 175: Cloudnative WAF with Curiefense
Description
Join Ricardo, as we explore Curiefense, a sandbox CNCF project that proposes to be the open source cloud native application security platform that protects all forms of web traffic.
We will try to install it, simulate some scenarios and have some fun!
A
Okay,
so
we
are
live
good
evening
good
morning
for
the
pacific
folks,
good
evening,
good
afternoon.
Whatever
time
zone
you
are
for
facing
masters
from
six
cli,
my
name
is
ricardo.
I
will
be
your
host
for
this
second
session.
I
welcome
everyone
for
this
session,
which
is
going
to
be
about
kirya
fans
fans.
It's
a
really
cool
project
that
started.
A
A
A
A
Otherwise,
let's
get
started
so
the
notes
they
are
right
here.
You
can
see
them
on
on
tgik,
dot,
io
notes.
This
episode
is
going
to
be
recorded
so
and
we've
got
actually
another
episode
today.
So,
first
of
all
welcome
back
for
you
all
that,
where,
on
our
episode
that
I
guess
9
p.m,
pacific
time
this
is
the
second
episode
we
are
trying
to
make
episodes
on
a
more
friendly
on
a
more
friendly
time
for
people
at
europe,
asia
and
middleweight,
pacific
et
cetera.
A
A
So,
first
of
all,
kubernetes
version,
123
is
almost
there.
We've
got
an
announcement
from
a
code
freeze,
so
right
now
only
patches
npr's
that
are
block
blocking
the
release
will
be
accepted.
If
you've
got
your
patch
for
123.
Look
you!
If
not,
we
are
going
to
wait
until
the
code
and
freeze
unwanted
24..
A
Also,
we've
got
an
announcement
from
my
huge
friend
adult
for
puerco
about
kubernetes
patch
release.
So
let
me
increase
the
screen
here,
yeah
for
you
that
that,
for
you,
that
are
running
version,
120
121
on
r122,
we
have
a
new
patch
releases
that
fixes
a
lot
of
bugs.
So
please
fix
them
for
those
of
you
that
are
not
running
a
supported
version.
A
Please
do
so.
Don't
don't
don't
wait
until
your
apis
all
get
deprecated
before
updating
your
kubernetes
cluster
right
and
the
news
about
this
release
is
actually
that
we
have
some
supply
chain
level
for
software
artifacts.
So
sig
release
is
focusing
on
on
making
some
supply
chain
security
improvements,
and
I
really
recommend
you
all
to
to
take
a
look
into
this
twitter
thread
and
and
take
a
look
also
into
this
subject,
which
is
which
is
really
rising
and
was
part
of
our
tjk
earlier
today
as
well.
A
This
this
thread
is
really
cool
next
one
yeah
this
is
this
is
really
nice
as
well.
So
for
those
who
don't
for
those
who
don't
know
about
gatekeeper,
gatekeeper
is
a
project.
That's
now
that's
a
super
project
from
open
policy
agent,
but
was
like
a
split
project
and
then
got
got
incorporated
by
by
open
police
agent
which
implements
an
admission
web
hook
for
kubernetes.
A
That
allows
you
to
write
rego
policies
to
to
to
protect
your
cluster.
So
imagine
that
you
don't
want
users
to
create
to
use
images
in
pods
that
are
going
that
are
using
latest
tag,
for
example.
So
gatekeeper
helps
on
that
a
lot
and
gatekeeper
had
some
lack
of
mutation
web
hooks,
which
means
actually
you
accepting
something
but
then
changing
the
value
that
users
put
so
users
adding
latest
or
users
using
docker
hub,
and
you
changing
to
your
internal
to
your
internal
docker
registry,
for
example,
because
of
quality
of
services.
A
A
So
it's
really
nice
to
see
this,
this
tool
evolving
and
also
it
got
a
new
cli.
And
why
is
this
so
important
because
right
in
writing,
gatekeeper
rules
and
having
to
add
them
on
your
kubernetes
cluster,
the
constrainting
plates?
And
then
the
constraint
was
really
really
really
annoying
right.
So
you
have
to
you
need
to
have
like
a
kubernetes
cluster
or
at
least
an
api
server
running
and
now.
A
Actually,
you
have
to
you
need
to
to
have
a
kubernetes
cluster
too,
because
the
controller
needs
to
run
as
well,
and
then
you
need
to
apply
something
and
see
if
it
works
and
if
it
doesn't
work,
you
need
to
do
another
rule.
So
now
that
you
have
a
cli,
things
are
going
to
be,
I
hope,
easier
to
to
write
a
gatekeeper
rules.
A
This
form
this
this
feedback,
so
please
feel
free
to
to
open
this
blog
post
and
also
to
fill
the
the
the
research
the
last
news
for
today
of
the
weekend
review.
But
if
someone
remembers
something
just
go
ahead
and
put
on
the
comments
here
on
the
chat
is
that
part
security
mission
is
moving
to
beta
and
will
be
enabled
by
default
on
123..
A
So
there
is
a
tweet
here
from
tim
mulclair
with
some
useful
links
and
for
those
who
don't
know
what
security
policies
is
getting
on
a
deprecated
path
right,
so
deprecation
in
kubernetes
takes
to
remove
a
removal
later,
but
there
is
a
new
feature
which
is
called
security
admission
that
helps
on
at
least
protecting
your
pods.
So
take
a
look
into
this.
A
A
Engine
is
happy
about
strings.com
because
that's
at
least
like
five
less
lines
in
our
go
codes
right:
phillip,
hey,
philippe
and
yoshi
yogi
yoshi.
Sorry,
if
I
don't
know
how
to
to
speak
but
welcome
from
singapore
far
from
here
and
time
zone
is,
is
pretty
it's
pretty
late
in
singapore,
probably
because
it's
already
late
here
in
brazil.
A
So
welcome
and
thank
you
thank
you
for
joining
us,
and
so
let's
get
started
talking
about
curio
fans
right
so
before
asking
justin
to
tell
a
bit
about
kyrie
offense
and
I'm
gonna,
I'm
gonna
put
justin
on
the
screen
here.
So
I
I
have.
I
had
my
my
first
contact
with
clear
fans
when
it
was
released.
Well,
I
guess
wasn't
version
0.1
for
some
of
you.
That
may
not
know
I
am
one
one
of
the
ingredients
maintainers
and-
and
I
also
work
at
a
lot
with
aj
proxy
ingress.
A
The
aj
proxy
ingress
maintainer,
which
is
which
is
juan,
also
works
at
vmware,
and
we
work
it
together
on
our
best
company.
So
we
were
a
lot
of
time
like
seeking
into
some
way
to
protect
our
our
environment
right.
So
the
idea
was
like
we
needed
some
web
application
firewall
and
we
need
at
least
to
have
some
some
protection
about
about,
like
the
main
vuener
abilities
like
sql
injection,
remote
code
execution
and
etc,
because
even
running
stuff
inside
containers.
A
You
know
that
this
might
be
dangerous
and
I
I
I
want
to
show
a
bit
about
this
right
now.
At
least,
how
can
I
use
that
to
like
bet
developed
web
applications
to
break
something
and
we've
been
using
a
lot
of
mod
security?
A
lot
and
mod
security
is
an
amazing
project,
so
that's
really
cool,
but
but
wasn't
enough
for
us.
A
This
seems
really
cool.
This
seems
to
be
something
that
we
are
looking
for
and
from
that
time
to
now
I
just
forgot
everything,
so
I
didn't
touch
it
again,
curious
fans
right.
So
let
me
put
justin
back
here
again
and
then
and
then
we
were
discussing
inside
vmware
like
hey.
We
should
probably
make
some
tjk
of
something
new
or
some
things
unbox
it
and,
I
said,
hey.
I
guess
that's
now
the
time
to
come
back
to
curie
offense
and
see
how
things
they
are
going
so
hey.
A
I
I
want
to
present
you
justin,
and
I
want
to
to
to
welcome
justin
and
justin
can
tell
a
bit
about
hiring
fans
story
before
we
start
jumping
and
breaking
stuff,
because
the
idea
of
tjk,
after
all,
is
breaking
stuff
finding
that
we
cannot
do
the
things
alone
and
and
and
ask
for
some
help
later,
like
hey,
explore
new
technologies
right.
So
welcome,
justine
and
welcome
andrew
andrew
andrew
is
from
my
team
at
vmware
and
he's
like
he's
like
here
watching
watching
as
well.
So
hi
andrew.
B
B
You
know
you
can't
you
can't
ignore
it
anymore,
and
we
just
saw
you
know
he
saw
a
really
good
opportunity
and
we
he
decided
that
we
should
submit
it
to
the
cloud
native
computing
foundation.
Cncf
and
the
beauty
with
that
is.
You
know
all
sandbox
projects,
the
newest
projects
that
come
in
they're
built.
B
It's
it's
to
try
to
get
it
to
a
stage
of
either
incubation
or
graduation
to
build
on
top
of
other
graduated
projects,
and
that
is
why
we're
in
the
cncf
in
going
all
in
and
making
sure
that
we
get
direct
feedback
from
the
cncf
and
cloud
native
communities,
because
that's
what
we're
building
it
for
so
yeah,
that's
kind
of
like
the
gist
I
mean
obviously
there's
more
history
there,
but
that's
kind
of
just
the
overview.
That's
that's!
What
made
me
want
to
join
the
company
to
work
on
curie
fence.
B
Full
time
is
just
this.
You
know
there's
this
need
for
security,
especially
with
the
rise
and
of
envoy,
but
we
also
know
that
nginx
is
still
a
really
big
player,
even
in
the
cloud
native
space.
So
you
know
having
just
basically
adding
that
a
couple
months
ago
into
the
140
release
to
have
nginx
support
and
yeah.
I
think
overall,
we're
just
really
excited
with
the
amount
of
activity.
I
I
monitor
the
staff.
A
Yeah,
I
am
good
breaking
stuff,
so
cool,
I
love
it
yeah
cool,
and
so,
if,
if
you
can
later
just
put
on
on,
maybe
on
youtube
comments
about
like
the
slack
and
the
twitter
of
curia
fans-
and
I
will
add
as
well
on
the
on
on
the
meeting
meeting
notes,
I'm
sorry
on
the
tjk
notes,
so
people
can
tickle
yeah,
but
that
yeah
really
cool
all
right.
So,
let's
start
having
some
fun
here.
B
A
Here
so
here
we
are
with
my
screen
again,
so
I
I
have
before
starting
I.
I
added
some
links
here
for
people
willing
to
learn
a
bit
about
learn
about
about,
learn
a
bit
about
web
vendor
abilities
and
etc.
There
are
some
cool
projects
like
the
damn
venerable
web
application,
web
gold
from
mobile
asp
and
juice
shop,
and
they
they
are
vulnerable
applications
that
teaches
you
actually
how
to
break
and
how
to
protect
those
applications
right
and
why
I
am
adding
those
here,
because
I
want
something
broken
right.
A
I
really
want
something
vulnerable,
because
I
want
to
explore
how
curiou
fans
can
protect
me.
So
I
I
decided
to
use
dv
wa,
which
is
easier
and
because
I
have
no
tabita
state
stereo
or
the
fin
or
anyone
that's
good
at
those
vulnerability
stuff.
So
I
just
wanted
something
that
me
that
I
could
break,
but
those
are
cool
projects
to
learn
a
bit
about
web
application
security.
So
yeah
take
a
look
into
those.
A
So
I
I
I've
got
this
dvwa
and
I
created
a
dvwa
container
because
the
dvwa
container-
it's
pretty
old,
so
I
will
right
now.
Bootstrap
is
in
my
machine,
so
we
can
at
least
take
a
look.
How
how
it
looks
like
how
how
it
looks
like
a
web
vendor
ability
before
we
start
trying
to
add
curie
offense
on
front
of
it
right
so
and
please
folks,
don't
run
this
in
production.
Don't
run
this
on
on
your
on
your
production,
cluster
or
something
public.
A
A
A
A
A
While
it
runs
here,
let's
go
back
to
the
curio
fans
website,
which
is
good
and
the
the
starting
point
that
I
want
to
take.
A
look
is
the
overview
and
the
documentation
right,
because
we
all
need
to
start,
we
don't
ever,
but
we
should
start
via
the
documentations,
and
here
I
want
to
take
a
look
into
the
architecture
of
curious
fans,
so
they
state
that
curifence
is
an
api
first
devops
oriented
web
defense,
http
filter
adapter
for
envoy
and
nginx,
and
provides
a
lot
of
security
technologies,
and
it's
really
comfortable
controllable
programming.
A
So
back
in
time,
when
I
was
looking
into
curios,
I
remember
that
what
it
does
is
actually
it
does
have
an
api
server
and
you
can
like
configure
some
stuff,
which
I
don't
remember
anymore
and
those
stuff
they
got
published
into
a
cloud
storage
which
is
a
bucket
right
justin.
So
what's
what's
the
idea
about
that?
Like
it's?
Like
other
configuration,
they
get
started
into
an
s3
like
or
like.
B
A
Yeah
yeah
yeah
it
does
it
does
so.
Jeremy
complained
about
the
screen.
I'm
sorry!
Sometimes
I
I
forgot
because
my
screen
is
pretty
big,
so
let
me
know
jeremy,
if
viewing
it's
yeah,
it's
better.
Okay
and
thank
you.
Thank
you,
justin,
okay,
cool.
So
taking
a
look
into
this,
we
can
see
what
what
in
total
so
that's
like.
We
we've
got
a
web
console
and
a
config
server
and
it
publishes
on
a
cloud
storage.
So
this
is
something
you
can
say
that
key
reference,
like
the
proxies
they
keep
running.
A
Even
if
the
cloud
storage
is,
is
offline
right.
So
we
should
probably
try
to
remove
something
and
and
see
how
it
goes
and
it's
cool
this
architecture.
So
you
may
have
like
some
metrics,
some
some
elastic
search
to
take
a
look
into
the
logs
and
some
dashboards
so
yeah.
I
want
to
jump
into
it
soon,
cool.
So
here
my
my
my
my
venerable
application
is
running
and
I
just
want
to
make
sure
that
it's
really
broken
right.
A
Is
it
working
yeah,
login
cool,
so
dvwa
is
an
application
that
it's
vulnerable
by
definition
and
it
allows
you
to
do
things
like.
I
want,
for
example,
to
do
a
common
injection,
so
this
is
a
pink
device
and
I
want
to
ping
my
my
router
here.
So
if
I
do
something
like
this,
it
should
it's
not
working
because
of
some
something,
but
it
should,
but
anyway,
pink
is
not
getting
that.
A
Yeah,
so
it
doesn't
have
any
string
sanitization
right,
so
I
can
do
a
cad,
etc
lwd,
and
what,
if
I
run
this
inside
kubernetes
if
this
application
is
running
inside
kubernetes,
so
I
can,
for
example,
exfiltrate
my
service
account
and
if
I
exfiltrate
my
service
account,
I
may
have
some
more
privileges
that
I
that
I
should
right.
So
the
idea
here
is:
I
want
to
try
curiou
fans
to
protect
this,
because
this
was
like
a
pretty
developed
application
and
it
allows
me
to
run
anything
inside
my
container.
A
A
It
doesn't
open
because
www.google
doesn't
exist,
but
if
I
try
something
like
this
wait,
so
yeah
this
is
allowing
me
to
this
is
allowing
me
to
to
to
include
something
remote.
So
I
can
do
whatever
I
want
right.
So
this
is
bad,
so
I
wanna
I
wanna
try
to
protect
myself
of
this
as
well
and
late
lace.
The
last
thing
is
like,
if
I
can
add
some
some
cross-site
scripting
here
and
say:
hey
my
name
is
ricardo
and
my
message
is
creeped.
A
What's
going
on
here,
it
doesn't
allow
me
to
do
that,
so
it
doesn't
love
me
better
script.
What
happens?
If
I
do
this
hey
look.
I
can
do
something
here
like
redirect
my
window
to
something
vulnerable
right,
so
yeah.
I
want
to
protect
myself
of
this
as
well.
So
I
want
to
see
how
key
reference
can
help
me
on
that.
I
want.
A
I
need
a
non-web
application
fire
because
I
can't
always
rely
on
security
development,
so
hey
what's
up
siam,
what's
up
carlos,
so
let's
take
a
look
into
this,
so
we
already
passed
it
into
the
architecture
here
and
like
we
know
that
we
have
a
server
here,
represents
a
research
protected
by
curia
fans.
So
this
is
what
we
actually
want
to
protect
right
and-
and
we
have
elasticsearch
and
a
lot
of
stuff
and
a
web
console
cool
config
server,
which
puts
the
configuration
called
storage.
A
A
A
B
Yeah,
it's
very
dependency,
heavy,
I'm
not
gonna.
It's
not
gonna
pretend
that
but
yeah
it.
It
takes
a
bit
to
get
up
and
running.
But
you
know
once
it
is
it's
very
fast
to
start
and
you
know
go
down,
but
yeah
I
mean
you
got
to
think.
Like
you
know,
we
have
so
many
dependencies
like
just
the
the
co-dependencies
that
elastic
search
needs,
and
you
know
it's
just
it's
a
lot.
I'm
not
going
to.
A
I
I
don't
want
to
say
it's
bad.
Okay,
that's!
I
was
just
saying
hey
I
I
remember
like
yesterday
I
was
doing
some
not
some
dry
run,
but
just
looking
if
I
still
know
how
to
use
linux-
and
I
was
like
hey-
I
am
out
of
out
of
out
of
space
here
on
my
disk
so
was
like,
but
just
just
having
some
fun
but
yeah
just
kidding.
But
that's
that's
that's
cool!
So,
let's,
let's
wait
until
this
is
running
here
and
take
a
look.
B
We
don't
have
it,
we
don't
have
it
well
documented,
but
that's
definitely
something
we
have
to
work
on.
That's
and
to
be
honest,
it's
something
that
we're
getting
a
lot
in
our
slack
channel.
A
lot
is
hey.
I
want
to
do
this,
but
there's
no
way
to
you
know:
there's
no
documentation
about
it.
So
it's
a
lot
of
great
feedback.
We've
been
getting
for
the
past
two
weeks,
so
we
believe
by
one
five.
Zero,
we'll
have
like
a
lot
better
use
cases,
because
you
know
what's
really
interesting.
B
B
A
B
B
A
A
B
A
A
A
A
A
So
yeah
so
carlos
carlos
wrote
that
it
looks
heavy
and
my
my
answer
to
him
is:
I'm
just
kidding
okay
folks,
but
what
security
stuff
doesn't
look
heavy
with
a
lot
of
firewalls
and
a
lot
of
web
application,
firewalls
and
stuff
right
so,
but
to
be
honest,
I
think
this
is
if
you,
if
you
try
to
take
a
look
into
like
let's
say
the
idea
of
of
curiosity.
In
my
opinion,
it's
cool
because
the
the
heavy
part
of
anything
is
the
management
part
right.
A
So
I
remember
like
dealing
with
greylock,
for
example,
and
the
heavy
part
of
greylog
was
like
the
java
application
and
the
elasticsearch
thing,
and
maybe
everything
that
deals
with
with
management.
The
management
side
usually
is
heavy,
but
I
mean
what
needs
to
be
light,
and
I
hope
so
is
the
proxy
right.
So
I
I
don't
want
to
have
any
kind
of
latency
for
my
users,
because
I
am
applying
a
lot
of
rules.
A
So
this
is
this
is
what
matters
in
my
opinion
right,
so
it's
open
so
in
the
left,
sidebar,
select
policy
and
rules,
if
not
already
selected,
so
policy
rules
yeah.
I
am
here.
I'm
definitely
here
and
at
the
top
left
of
the
page
in
the
second
pulldown
control
global
filters,
global
filters
cool.
So
what's
that
about
so
what's
global
filters,
global
filters
tags
to
request
a
session,
so
a
global
filter
is
a
way
to
mark.
Something.
Is
that
right,
like
I
want
to
mark
some
traffic.
A
So
I
want
to
create,
like
a
new
global
filter,
on
what
I
need
to
do
here
next
in
the
tags
header
test,
so
tags
under
test.
I
want
to
call
this:
let's
say:
ricardo's
filter
right,
create
blah
blah
blah,
then,
at
the
top
of
the
current
gameplay
empty
list
to
the
right.
Another
new
entry
by
selecting
create
a
new
section.
A
B
A
A
B
These
are
great
questions
and
I
am
completely
embarrassed
just
to
say,
like
I'm
more
like
the
evangelist
behind
everything.
What
I
can
say
is
all
these
questions
I
can
answer
and
deliver
them
or
get
answered
and
deliver
them
back
again.
I
I
apologize.
We,
I
tried
to
get
two
of
our
engineers
on
and
they
just
they
had
conflicting
things
so
apollo.
I
apologies
carlos.
A
B
B
A
B
A
Cool
so
it
was
published-
let's,
let's
play
a
bit
here-
and
we
are
all
learning
here
folks.
So
this
is
this
is
tjk
right,
so
I
can't
do
something
wrong.
I
can't
even
use
my
terminal,
I'm
sorry
about
that.
Okay,
so
I
am
doing
this.
Curio
demo
no
hit
no
header,
and
then
I
will
do
this
passing
my
header
full
and
value
test.
Let's
see
what's
doing
here
so
both
of
the
requests
they
are
the
same
but
yeah
they
are
the
same
right.
A
A
A
B
A
A
B
A
A
A
Fax
stream
keyword,
okay,
security
policy
default
entry-
header,
oh
cool,
so
here
it
is,
so
that's
getting
tagged
nice!
So
right
now
we
are
just
tagging
our
traffic
right.
So
let
me
see
I
want
to
try
to
block
so
in
this
case
we
are
going
to
block
all
the
requests
with
header
tests
so
in
the
left,
menu
navigate
to
the
policy
rules.
A
A
A
A
A
Save
one
thing
that
I
think
it's
nice
here
that
I
I
was
seeing
it's
a
lot
a
lot
of
like
a
lot
of
like
look
like
into
github
stuff
right,
so
you
have
the
fork
thing
and
then
you
have
the,
and
when
I
do
the
publish
I
I
can
see,
I
have
versioning.
So
it's
it's
cool
the
idea
of
maybe
so
this
version
control
I
can
just
publish
all
of
my
control
into
a
github,
for
example.
I
should
try
that.
A
B
You're
right-
and
that
is
a
feature
request
right
now.
What
we
did
was
we
built
it
in.
We
built
git
into
carryfence,
so
we
would
have
like
a
you
know,
get
ops
by
default,
but
there
are
people,
as
I
said
earlier,
you
know
when
you
start
a
project
you're
like
oh.
This
is
how
people
are
going
to
want
it
and
then
they're
like
no.
I
want
to
connect
my
own.
I
want
to
get
my
private
github
repo,
we're
just
like
yeah.
That
would
make
sense.
So
it's
something.
A
Cool
nice,
so
right
now
I
have
block
it,
so
it
should
block
right,
hey
nice,
nice,
so
if
yeah
it
works,
but
I
want
to
break
things.
Everything
is
working.
Fine.
I
need
to
break
stuff,
it's
the
response,
something
right.
That's
the
response
code
response
response,
headers,
yeah,
cool
amazing.
Let's
move
forward!
I
just
played
a
bit
with
this,
so
that's
forbidden-
and
I
have
all
of
this,
so
we
have
some
rate
limiting.
I
just
don't
want
to
play
with
rate
limit.
A
I
want
to
take
a
look
if
I
can,
for
example,
use
some
rules
like
owasp
rules
to
block
something
right,
so
I
want
to
block
my
sql
injections.
So
let
me
take
a
look
into
here.
I
have
this
deployment
in
deep,
but
right
now
I
don't
think
I
want
to
take
a
look
into
this.
I
want
to
look
into
maybe
web
application
firewall
policies
so
what
it
does.
B
A
A
B
Yeah
so
dowse
actually
came
from
reblazes
commercial
product.
Why
they're
not
properly
named,
not
sure,
but
basically,
as
I
said
before,
all
everything
that
came
from
curie
fence
was
like
came
from
that
proprietary
product
and
kind
of
just
everything,
they've
learned
over
the
years
has
is
slowly
just
trickling
into
curie
fence.
But,
as
you
can
see,
you
know
there
are
some
issues,
some
human
readable
issues
but
yeah
there's
multiple
policies
that
have
been
used
by
customers
in
the
past.
A
Cool
yeah,
that's,
in
my
opinion,
that's
acceptable.
That's
a
sandbox
project
anyway
right,
so
we
are
just
examining
here,
yeah,
so
cool,
let's,
let's,
let's
just
let's
just
break
things.
So
I
have
this
default
content
filter
here
and
I
have
these
contain
filter
rules.
So
I
want
to
apply
those
content
filter
rules
into
this
content
filter
profile.
A
Should
I
do
something
else
here?
I
don't
think
so
right!
Let
me
let
me
see
if
I
am
breaking
so
I
have
this
rules
here
and
I
want
just
to
apply
this
into
my
maybe
my
security
profile,
the
default
one
and
I
want
to
I
wanna
active
cool
right.
So,
let's
save
and
see.
If
I
can
simulate
something
here
right
engine
is
asking
us
to
make
some
try
on
aggress
blocking
too
I
can
try
it
like
some
data
loss
protection-
maybe
some
pyy
right.
A
So
I
want
to
block
something
that
contains
something
something
that
contains
something
was
beautiful,
sorry,
something
some
traffic
that
contains
like
protected
data,
so
yeah.
We
we
can
try
that
carlos
asked
why
it's
not
a
crd.
Do
you
have
an
idea
justine
like
something
integrated
with
kubernetes
like
an
operator,
something
like
that.
B
A
A
A
A
B
A
B
B
A
A
A
A
A
A
A
A
A
We
spend
a
long
time
here.
Maybe
we
should
do
another
like
episode
just
trying
using
in
kubernetes,
but
I
think
that
it's
it's
really
cool
anyway,
the
idea
of
creating
rules
and
and
deploying
them
in
envoy,
I'm
just
annoying
that
this
is
not
working.
So
let
me
I'll
just
do
like
and
see
if
the
rate
limit
at
least
serves
me.
A
And
publish
at
least
I
want
to
try
to
hit
like
the
rate
limit
and
see.
So
I
don't
know
if
you
know
justin,
but
is
this
race
limiting
also
distributed
between
the
envoy
proxies
like?
Are?
They
is
like
one
and
by
proxy
aware
of
the
other
one.
If
I
try
to
do
something,
because
I
know
that
in
some
cases
like
doing
that,
control
that
distributed
global
rate,
limiting
control
is
pretty
hard.
B
B
A
B
A
A
B
A
B
A
B
B
A
The
header
is
here
and
that's
not
getting
blocked,
so
yeah,
not
sure
what
we
should
do
right
now
and
because
I
can
see
by
the
logs
that
it's
getting
hit
by
that
content,
filter
name
the
full
config
filter
right.
So
it's
getting
at
least
on
the
right
place,
the
full
config
filter
and
the
header
is
here
matching
value,
strict
mask.
I
don't
know
if
this
should
be
something
I
will
try
to
save
it
again,
but
cool
yeah.
I
think
that
we've
been
like
doing
folks.
A
Do
you
want
us
to
try
to
explore
something
else?
That's
not
we.
We
should
probably
stop
right
now,
but
at
least
like
I
mean
I
am
not
I.
I
am
happy
at
all
with
this,
because
it's
really
cool
to
see
the
evolution
of
the
project
and
and
how
we
get
like
web
application
file
rules
right
now.
Probably
I'm
just
messing
with
something
that
I
shouldn't.
A
B
A
A
B
Yeah
we're
looking
to
always,
you
know,
improve
the
grafana
dashboards
because
you
know
grafana's
like
what
everyone's
it's
the
go-to
tool
for
graphing
and
yeah
for
the
for
the
alerts,
I
believe,
is
just
done
through
grafana.
I
haven't
I've,
never
set
any
up
myself.
I
don't.
I
don't
run
this
in
production
myself,
so
yeah
so
yeah.
It
uses
prometheus
and
grafana
to
do
graph
or
visualizations
yeah.
A
A
A
B
A
Something
that
should
work
all
right,
so
I
will.
I
will
keep
trying
to
break
things
here.
Just
let
me
go
back
to
my
kibana
and
see
if
my
things
they
are
still
getting,
but
I
guess
that
for
now
maybe
we
should
be
done
and
congratulations
justin
to
you
and
the
team.
This
is
like
this
is
a
really
cool
project.
A
I
mean
as
soon
as
we
get
like
more
tracking
into
that,
and
I
and
I
and
I
want
to
motivate
folks
to
take
a
look
into
that
and
provide
feedback
because
any
any
of
those
projects.
Actually
they
are
like
they
are
moved
by
the
feedbacks
right.
So
I
think
that
we
we've
got
a
lot
of
those
today
and
and-
and
this
is
security-
is
something
more
and
more-
that
we
need
to
take
a
look
into
that
so
yeah.
B
Sure
why
it's
very
weird,
I
I'm
not
sure
what's
going
on,
but
now
that
we
have
this
on
video,
we
can
our
maintainers
we'll
definitely
go
over
it
and
see.
What
can
you
know
change?
I
don't
know
when
you're
when
you
release
your
show
notes,
but
if
you
can
give
me
a
couple
of
days
to
get
those
answered,
I
would
love
yeah.
I
want
some
accountability
like
I'm
going
to
get
these
questions
answered
because
they're
really
good.
I
just
don't
have
answers
at
this
moment.
B
A
B
A
B
A
A
A
A
A
B
B
B
A
A
B
A
A
B
A
A
A
A
A
A
Right,
okay,
so
yeah
cool.
So
today
was
like
an
amazing
to
me.
It
was
like
an
amazing
episode
was
really
yeah
yeah,
not
as
well.
At
least
we
we've
got.
We've
got
like
some
some
stuff
working
we've
we've
got
like
the
the
working.
I
I
mean.
Probably
it's
something
really
simple
to
solve
that
we've
been
missing,
but
anyway
it
was
really
really
cool
justin.
I
would
like
to
thank
you
and
I
think
that
yeah.
B
A
Yeah,
I
would
like
to
thank
you
all
again
and
have
a
nice
weekend.
Folks,
I
will
try.
I
I
will
see
if
I
can
make
it
work
and
maybe
put
on
the
on
the
notes
as
well
and
and
and
see
what
I
was
missing.
Maybe
something
on
docker
compose
or
I
don't
know
but
again
was
really
cool
and
and
thank
you
all
for
joining
us
and
have
a
nice
weekend.
You
all
see
ya.